{"id":39698124,"url":"https://github.com/databricks-solutions/cybersec-workspace-detection-app","last_synced_at":"2026-01-18T10:18:56.453Z","repository":{"id":309892078,"uuid":"1035951308","full_name":"databricks-solutions/cybersec-workspace-detection-app","owner":"databricks-solutions","description":"Databricks System Access Audit Detections for Security Teams","archived":false,"fork":false,"pushed_at":"2025-12-11T15:53:33.000Z","size":83,"stargazers_count":1,"open_issues_count":2,"forks_count":4,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-12T15:15:00.787Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/databricks-solutions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS.txt","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE.md","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-11T10:41:08.000Z","updated_at":"2025-10-24T16:10:03.000Z","dependencies_parsed_at":"2025-08-14T12:20:28.192Z","dependency_job_id":"650aaa0f-b472-4bb5-8482-292a3d3ecdf6","html_url":"https://github.com/databricks-solutions/cybersec-workspace-detection-app","commit_stats":null,"previous_names":["databricks-solutions/cybersec-workspace-detection-app"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/databricks-solutions/cybersec-workspace-detection-app","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks-solutions%2Fcybersec-workspace-detection-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks-solutions%2Fcybersec-workspace-detection-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks-solutions%2Fcybersec-workspace-detection-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks-solutions%2Fcybersec-workspace-detection-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/databricks-solutions","download_url":"https://codeload.github.com/databricks-solutions/cybersec-workspace-detection-app/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks-solutions%2Fcybersec-workspace-detection-app/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28534316,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T10:13:46.436Z","status":"ssl_error","status_checked_at":"2026-01-18T10:13:11.045Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-18T10:18:56.356Z","updated_at":"2026-01-18T10:18:56.440Z","avatar_url":"https://github.com/databricks-solutions.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Databricks Workspace Detection Analytics Tool\n\nA collection of security detection notebooks for Databricks workspaces that analyze the `system.access.audit` table to identify potential security threats and suspicious activities.\n\n## Overview\n\nThis detection app provides 30+ pre-built security detection notebooks designed for security operations teams to monitor Databricks workspace activities. The detections cover various security scenarios including:\n\n- **Authentication \u0026 Access Control**: Token creation/deletion, MFA changes, SSO configuration changes\n- **User Management**: Account creation/deletion, role modifications, group changes\n- **Session Security**: Session hijacking detection, multi-device login patterns\n- **Administrative Activity**: Privilege escalation, admin activity spikes\n- **Audit \u0026 Compliance**: Verbose logging changes, audit configuration tampering\n\n## Features\n\n- **Coverage**: 30+ detection scenarios covering major security use cases\n- **Production Ready**: Designed for batch execution via Databricks workflows\n- **Configurable**: Customizable time ranges and detection parameters\n- **Audit Table Focus**: Leverages Databricks `system.access.audit` table for comprehensive visibility\n- **Unity Catalog Compatible**: Designed for Unity Catalog enabled accounts\n- **MITRE ATT\u0026CK Mapped**: Many detections include MITRE ATT\u0026CK framework mappings for threat intelligence\n\n## Detection Categories\n\n### Authentication \u0026 Identity\n- Access Token Created/Deleted\n- MFA Key Added/Deleted  \n- Non-SSO Login Detection\n- User Password Changes\n- SSO Configuration Changes\n\n### User \u0026 Group Management\n- User Account Created/Deleted\n- Group Created/Deleted\n- Principal Added/Removed from Groups\n- User Role Modifications\n\n### Session Security\n- Session Hijacking Detection (Multiple IPs/Devices)\n- High Session Count Detection\n- Frequent Login Patterns\n- Multi-Device Session Reuse\n\n### Administrative Monitoring\n- Spike in Table Admin Activity\n- Databricks Employee Logon Detection\n- Verbose Audit Logging Disabled\n\n### Network \u0026 Access Control\n- Attempted Logon from Denied IP\n- Token Scanning Activity Detection\n\n### Data Exfiltration \u0026 Movement\n- Potential Data Movement via SQL Queries\n- Potential Data Movement via Workspace Downloads\n- Potential Data Movement via Explicit Credentials\n\n### Configuration \u0026 Policy Monitoring\n- High Priority Configuration Changes\n- Workspace-Level Configuration Changes\n- Account-Level Configuration Changes\n\n### Secrets \u0026 Credential Management\n- Secret Scanning Activity Detection\n- Admin User Account Changes\n\n## Enhanced Detection Capabilities\n\nThe latest version includes advanced detection scenarios that go beyond basic audit monitoring:\n\n- **Data Exfiltration Detection**: Identifies potential data movement attempts using SQL queries, workspace downloads, and explicit credentials\n- **Configuration Tampering**: Monitors for unauthorized changes to security-critical workspace and account configurations\n- **Secret Enumeration**: Detects reconnaissance activities targeting secret scopes and credential harvesting\n- **Admin Privilege Escalation**: Tracks administrative privilege changes and group membership modifications\n- **Comprehensive Coverage**: Integrates both `system.access.audit` and `system.query.history` tables for complete visibility\n\n## Installation\n\n### Prerequisites\n- Databricks workspace with Unity Catalog enabled\n- Access to `system.access.audit` table\n- Appropriate permissions to create and run workflows\n\n### Setup\n1. **Import the Repo**: Add the detection notebooks to your Databricks workspace. ([Documentation](https://docs.databricks.com/aws/en/repos/git-operations-with-repos#clone-a-repo-connected-to-a-remote-git-repository))\n2. **Configure Workflows**: Set up Databricks workflows for each detection\n3. **Adjust Parameters**: Modify start/end times and detection parameters as needed\n4. **Schedule Execution**: Configure trigger schedules matching your lookback periods\n\n### Configuration Notes\n- Detection searches rely on access to the audit table\n- Designed for batch mode execution using workflows\n- Ensure trigger schedules match lookback periods for full coverage\n- Avoid duplicate events by properly configuring execution intervals\n\n## Usage\n\n### Running Individual Detections\nEach detection notebook can be run independently with configurable time parameters:\n\n```python\n# Example: Run access token detection for last 24 hours\nresult = access_token_created(\n    earliest=\"2025-01-01T00:00:00\",\n    latest=\"2025-01-02T00:00:00\"\n)\n```\n\n### Workflow Integration\nDetections are designed to be integrated into Databricks workflows for automated security monitoring:\n\n1. **Batch Processing**: Run detections on scheduled intervals\n2. **Alert Generation**: Output results to detection or alerts tables\n3. **Ad-hoc Analysis**: Generate dataframes for manual investigation\n\n### Output Formats\n- **DataFrame Output**: Structured data for further analysis\n- **Standardized Schema**: Consistent column naming across all detections\n- **Audit Trail**: Complete event details with timestamps and metadata\n\n## Architecture\n\n### Core Components\n- **Detection Notebooks**: Individual security detection logic\n- **Common Library**: Shared utilities and enrichment functions\n- **Audit Table Integration**: Direct queries against `system.access.audit`\n\n### Dependencies\n- **PySpark**: Core data processing framework\n- **GeoIP2**: IP address geolocation capabilities\n- **NetAddr**: IP address manipulation utilities\n\n## How to get help\n\nDatabricks support doesn't cover this content. For questions or bugs, please open a GitHub issue and the team will help on a best effort basis.\n\n\n## License\n\n\u0026copy; 2025 Databricks, Inc. All rights reserved. The source in this notebook is provided subject to the Databricks License [https://databricks.com/db-license-source]. All included or referenced third party libraries are subject to the licenses set forth below.\n\n| library                                | description             | license    | source                                              |\n|----------------------------------------|-------------------------|------------|-----------------------------------------------------|\n| geoip2                                 | IP address geolocation | Apache 2.0 | https://github.com/maxmind/GeoIP2-python          |\n| netaddr                                | IP address manipulation| BSD        | https://github.com/netaddr/netaddr                 |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatabricks-solutions%2Fcybersec-workspace-detection-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatabricks-solutions%2Fcybersec-workspace-detection-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatabricks-solutions%2Fcybersec-workspace-detection-app/lists"}