Databricks SP
Service Name: Databricks
Service Description: Databricks is a unified data analytics platform designed to help organizations accelerate innovation by unifying data science, engineering, and business. It provides a collaborative environment for data engineering, machine learning, and analytics.
Service Address: https://databricks.com/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants programmatic access to Databricks workspaces and resources using service principal authentication.
Secret Revokement URL: https://docs.databricks.com/dev-tools/service-principals.html#manage-service-principals
Secret Example: dose1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p
Suspicious Activity Investigation Instructions:
- Check Databricks audit logs for unusual API calls or resource access
- Review workspace activity for unauthorized notebook executions
- Monitor for unusual cluster creation or job scheduling
- Check for data extraction operations or unauthorized exports
- Examine authentication logs for failed login attempts
Mitigation Instructions:
- Log into the Databricks Admin Console
- Navigate to the User Management section
- Locate the compromised service principal
- Rotate the service principal token or delete the service principal
- Review and revoke any permissions granted to the compromised service principal
- Check for and remove any jobs or notebooks created by the compromised service principal