From 3b27271e688cb025c97fee623d9ea50b01d24be7 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Wed, 29 Oct 2025 13:12:42 +0530 Subject: [PATCH 1/5] Update cid-redirects.json --- cid-redirects.json | 1 + 1 file changed, 1 insertion(+) diff --git a/cid-redirects.json b/cid-redirects.json index b95f64ede3..63898d4ef2 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -2958,6 +2958,7 @@ "/docs/integrations/microsoft-azure/microsoft-entra-id-protection/": "/docs/integrations/microsoft-azure/azure-security-microsoft-entra-id-protection", "/cid/1113": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/", "/cid/1117": "/docs/integrations/saas-cloud/chatgpt-compliance", + "/cid/1118": "/docs/integrations/saas-cloud/databricks-audit", "/Cloud_SIEM_Enterprise": "/docs/cse", "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration", "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration", From 6f782e50ad6c469290545cff5368141b06dc8519 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 31 Oct 2025 09:32:54 +0530 Subject: [PATCH 2/5] Databricks Audit (apps) --- blog-service/2025-10-31-apps.md | 12 ++ .../product-list/product-list-a-l.md | 2 +- .../saas-cloud/databricks-audit.md | 171 ++++++++++++++++++ docs/integrations/saas-cloud/index.md | 6 + sidebars.ts | 1 + 5 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 blog-service/2025-10-31-apps.md create mode 100644 docs/integrations/saas-cloud/databricks-audit.md diff --git a/blog-service/2025-10-31-apps.md b/blog-service/2025-10-31-apps.md new file mode 100644 index 0000000000..135979670e --- /dev/null +++ b/blog-service/2025-10-31-apps.md 
@@ -0,0 +1,12 @@ +--- +title: Databricks Audit (Apps) +image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082 +keywords: + - apps + - databricks-audit +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +We're excited to introduce the new Sumo Logic app for Databricks Audit. This app helps identify potential threats, highlights key trends, and strengthens the overall security posture of your Databricks environment by analyzing the Databricks audit logs. [Learn more](/docs/integrations/saas-cloud/databricks-audit/). \ No newline at end of file diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index e1f56a0758..2c3b6bea96 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -186,7 +186,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | :-- | :-- | :-- | | Thumbnail icon | [DarkOwl](https://www.darkowl.com/) | Automation integration: [DarkOwl](/docs/platform-services/automation-service/app-central/integrations/darkowl/) | | Thumbnail icon | [Darktrace](https://darktrace.com/) | Automation integration: [Darktrace](/docs/platform-services/automation-service/app-central/integrations/darktrace/)
Cloud SIEM integration: [Darktrace](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/91f4544f-6118-4bdc-8b30-01f045d20e4c.md) | -| Thumbnail icon | [Databricks](https://www.databricks.com/) | Collector: [Databricks Audit Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/) | +| Thumbnail icon | [Databricks](https://www.databricks.com/) | App: [Databricks Audit](/docs/integrations/saas-cloud/databricks-audit)
Collector: [Databricks Audit Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/) | | Thumbnail icon | [Datadog](https://www.datadoghq.com/) | App: [Datadog](/docs/integrations/saas-cloud/datadog/)
Webhook: [Webhook Connection for Datadog](/docs/alerts/webhook-connections/datadog/) | | Thumbnail icon | [Dataminr](https://www.dataminr.com/) | Cloud SIEM integration: [Dataminr](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/0019f757-3674-4688-9d6c-063366cfcfa9.md)
Partner integration: [Dataminr Pulse for Sumo Logic](https://github.com/SumoLogic/sumologic-public-partner-apps/tree/master/DataminrPulse) | | Thumbnail icon | [Datto](https://www.datto.com/) | Automated integration: [Datto RMM](/docs/platform-services/automation-service/app-central/integrations/datto-rmm/)
Cloud SIEM integration: [Datto](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1E4721C4-DC98-456D-B0DF-80365924683A.md) | diff --git a/docs/integrations/saas-cloud/databricks-audit.md b/docs/integrations/saas-cloud/databricks-audit.md new file mode 100644 index 0000000000..3626e728ae --- /dev/null +++ b/docs/integrations/saas-cloud/databricks-audit.md 
@@ -0,0 +1,171 @@ +--- +id: databricks-audit +title: Databricks Audit +sidebar_label: Databricks Audit +description: The Databricks Audit app for Sumo Logic provides insights into your organization's cybersecurity practices to strengthen security. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +thumbnail icon + +The Sumo Logic app for Databricks Audit provides insights into your organization's security analytics. It provides real-time visibility into user activity, administrative operations, and security-related events across Databricks workspaces, empowering security and compliance teams to quickly detect, investigate, and respond to suspicious behavior. + +By ingesting Databricks audit logs, the app enables detection of potential threats such as unauthorized access attempts, privilege escalations, and anomalous job or login activities. Preconfigured dashboards highlight user access trends, critical configuration changes, error patterns, and high-risk operations, helping analysts proactively identify emerging threats and compliance risks. + +With rich visualizations and detailed event insights, the app enhances oversight of sensitive data access and strengthens the overall security posture of Databricks environments. + +:::info +This app includes [built-in monitors](#databricks-audit-monitors). For details on creating custom monitors, refer to [Create monitors for Databricks Audit app](#create-monitors-for-databricks-audit-app). +::: + +## Log types + +This app uses Sumo Logic’s [Databricks Audit source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/) to collect the [audit logs](https://docs.databricks.com/api/workspace/statementexecution/executestatement) from the Databricks Audit platform. + +## Sample log messages + +
+Audit Log + +```json +{ + "account_id":"83860f25-7194-4d0c-a304-8902b05c4b0e", + "action_name":"tokenLogin", + "audit_level":"WORKSPACE_LEVEL", + "event_date":"2025-10-23", + "event_id":"3dd93080-f90f-3ea4-8870-6b7527b77393", + "event_time":"2025-10-23T09:11:56.509Z", + "identity_metadata":"{\"run_by\":null,\"run_as\":null,\"acting_resource\":null}", + "request_id":"46e37143-8bb4-45ec-a63e-1eefe3d716bc", + "request_params":"{\"user\":\"ddb92362-81fa-4f41-b5d3-e5a747e0b2f5\",\"tokenId\":\"33846778b496e5a557f17ade5b0fe2e4afce8e4c90378fc130c5537c9042a94c\",\"authenticationMethod\":\"API_INT_PAT_TOKEN\"}", + "response":"{\"status_code\":\"200\",\"error_message\":null,\"result\":null}", + "service_name":"accounts", + "session_id":null, + "source_ip_address":"10.251.166.254", + "user_agent":"Apache-HttpClient/4.5.14 (Java/17.0.15) Databricks-Service/driver DBHttpClient/v2RawClient", + "user_identity":"{\"email\":\"ddb92362-81fa-4f41-b5d3-e5a747e0b2f5\",\"subject_name\":null}", + "version":"2.0", + "workspace_id":"4150696479394378" +} +``` +
+ +## Sample queries + +```sql title="Total Alerts" +_sourceCategory="Labs/DatabricksAudit" +| json "action_name", "audit_level", "event_time", "response", "service_name", "source_ip_address", "user_identity", "workspace_id" as action_name, audit_level, event_time, response, service_name, ip_address, user_identity, workspace_id nodrop +| json field=response "status_code", "result", "error_message" as status_code, result, error_message nodrop +| json field=user_identity "email" as email_id nodrop + +// global filters +| where email_id matches "{{email_id}}" +| where action_name matches "{{action_name}}" +| where audit_level matches "{{audit_level}}" +| where service_name matches "{{service_name}}" +| where ip_address matches "{{ip_address}}" +| where status_code matches "{{response_code}}" + +// panel specific +| where !isNull(email_id) +| count by email_id +| count +``` + +```sql title="API Response Code" +_sourceCategory="Labs/DatabricksAudit" +| json "action_name", "audit_level", "event_time", "response", "service_name", "source_ip_address", "user_identity", "workspace_id" as action_name, audit_level, event_time, response, service_name, ip_address, user_identity, workspace_id nodrop +| json field=response "status_code", "result", "error_message" as status_code, result, error_message nodrop +| json field=request_params "authenticationMethod" as authentication_method nodrop +| json field=user_identity "email" as email_id nodrop + +// global filters +| where email_id matches "{{email_id}}" +| where action_name matches "{{action_name}}" +| where audit_level matches "{{audit_level}}" +| where service_name matches "{{service_name}}" +| where ip_address matches "{{ip_address}}" +| where status_code matches "{{response_code}}" + +// panel specific +| where !isBlank(event_id) and !isBlank(status_code) +| count by event_id ,status_code +| count as frequency by status_code +| sort by frequency, status_code +``` + +## Collection configuration and app installation + +import 
CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; + + + +:::important +Use the [Cloud-to-Cloud Integration for Databricks Audit](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Databricks Audit app is properly integrated and configured to collect and analyze your Databricks Audit data. +::: + +### Create a new collector and install the app + +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; + + + +### Use an existing collector and install the app + +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; + + + +### Use an existing source and install the app + +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; + + + +## Viewing the Databricks Audit dashboards​​ + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Databricks Audit - Overview** dashboard provides a comprehensive view of user activity, workspace operations, and security event trends across your Databricks environment. It delivers instant visibility into key metrics such as total users, total workspaces, and audit level distribution, helping teams quickly understand usage patterns and organizational structure. + +The dashboard tracks login activity and failed login attempts over time, allowing for rapid detection of authentication anomalies and potential security risks. Panels highlight the most active services and actions, along with a detailed audit summary, supporting effective monitoring of operational events and risk assessment. + +By consolidating these critical insights, the dashboard enables security and compliance teams to detect unusual behaviors, investigate incidents, and proactively strengthen the security of their Databricks workspaces.
Databricks-Audit-Overview + +### Security Overview + +The **Databricks Audit - Security Overview** dashboard provides targeted insights into key security events and potential risk exposures across your Databricks environment. It enables proactive detection of suspicious activity by visualizing failed API calls over time, authentication method usage, and API response codes that may indicate unauthorized access attempts or configuration issues. + +Security teams can easily track trends in failed authentications and API errors, investigate root causes, and identify patterns that signal emerging threats or compliance violations. The dashboard also includes a geographic overview of audit activities, highlighting events originating from embargoed or high-risk regions to help monitor potential data exfiltration or policy breaches. + +By consolidating these critical security indicators, including summaries of failed API attempts and geographic context, the dashboard empowers teams to rapidly investigate incidents, respond to evolving risks, and maintain strong security and compliance across all Databricks workspaces.
Databricks-Audit-Security + +## Create monitors for Databricks Audit app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Databricks Audit monitors + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Databricks Audits - Audits from Embargoed Geo Locations` | This alert is triggered when audit logs are generated from sanctioned or embargoed regions, helping maintain compliance with legal and regulatory requirements. | Critical | Count > 0 | +| `Users with Failed Login` | This alert is triggered when a user has more than three failed login attempts, supporting early detection of potential unauthorized access attempts. | Critical | Count > 3 | + +## Upgrading the Databricks Audit app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Databricks Audit app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index bdfdc40c00..520a92cfab 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -183,6 +183,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Gather information about your organization's cybersecurity practices to strengthen security.

+
+
+ icon

Databricks Audit

+

Analyze your organization's security practices to identify emerging threats and compliance risks.

+
+
Thumbnail icon

Digital Guardian ARC

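Review bot: the alt text on the new Databricks Audit card reads "icon", while the neighbouring cards in this hunk (for example the Digital Guardian ARC card that follows) use "Thumbnail icon"; align the alt text with the surrounding cards so the index renders consistently. The card description ("Analyze your organization's security practices to identify emerging threats and compliance risks.") also differs from the `description` front matter in the new app page ("provides insights into your organization's cybersecurity practices to strengthen security"); pick one wording and use it in both places.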
diff --git a/sidebars.ts b/sidebars.ts index 226857622d..173fae3190 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2576,6 +2576,7 @@ integrations: [ 'integrations/saas-cloud/crowdstrike-fdr-host-inventory', 'integrations/saas-cloud/crowdstrike-spotlight', 'integrations/saas-cloud/cyberark-audit', + 'integrations/saas-cloud/databricks-audit', 'integrations/saas-cloud/datadog', 'integrations/saas-cloud/digital-guardian-arc', 'integrations/saas-cloud/docusign', From 1682367a74f3ab62e2d16a0c245febebc59c1beb Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Fri, 31 Oct 2025 11:01:11 +0530 Subject: [PATCH 3/5] Update docs/integrations/saas-cloud/databricks-audit.md --- docs/integrations/saas-cloud/databricks-audit.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/databricks-audit.md b/docs/integrations/saas-cloud/databricks-audit.md index 3626e728ae..fa8aae888e 100644 --- a/docs/integrations/saas-cloud/databricks-audit.md +++ b/docs/integrations/saas-cloud/databricks-audit.md 
@@ -155,7 +155,7 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md'; | Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |:--|:--|:--|:--| -| `Databricks Audits - Audits from Embargoed Geo Locations` | This alert is triggered when audit logs are generated from sanctioned or embargoed regions, helping maintain compliance with legal and regulatory requirements. | Critical | Count > 0 | +| `Databricks Audits - Audits from Embargoed Geo Locations` | This alert is triggered when audit logs are generated from sanctioned or embargoed regions, helping you to maintain compliance with legal and regulatory requirements. | Critical | Count > 0 | | `Users with Failed Login` | This alert is triggered when a user has more than three failed login attempts, supporting early detection of potential unauthorized access attempts. | Critical | Count > 3 | ## Upgrading the Databricks Audit app (Optional) From 24b286758435e40ae3eabdde2c0565955a91c9e2 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Fri, 31 Oct 2025 11:01:18 +0530 Subject: [PATCH 4/5] Update docs/integrations/saas-cloud/databricks-audit.md --- docs/integrations/saas-cloud/databricks-audit.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/databricks-audit.md b/docs/integrations/saas-cloud/databricks-audit.md index fa8aae888e..4d3458ccb8 100644 --- a/docs/integrations/saas-cloud/databricks-audit.md +++ b/docs/integrations/saas-cloud/databricks-audit.md 
@@ -156,7 +156,7 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md'; | Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |:--|:--|:--|:--| | `Databricks Audits - Audits from Embargoed Geo Locations` | This alert is triggered when audit logs are generated from sanctioned or embargoed regions, helping you to maintain compliance with legal and regulatory requirements. | Critical | Count > 0 | -| `Users with Failed Login` | This alert is triggered when a user has more than three failed login attempts, supporting early detection of potential unauthorized access attempts. | Critical | Count > 3 | +| `Users with Failed Login` | This alert is triggered when there are more than three failed login attempts, supporting you to early detect the potential unauthorized access attempts. | Critical | Count > 3 | ## Upgrading the Databricks Audit app (Optional) From 215ad63ca601f001752948cce1368ff25e8985c9 Mon Sep 17 00:00:00 2001 From: Jagadisha V Date: Fri, 31 Oct 2025 17:14:21 +0530 Subject: [PATCH 5/5] file name change to resolve the conflict --- .../{2025-10-31-apps.md => 2025-10-31-apps-databricks-audit.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename blog-service/{2025-10-31-apps.md => 2025-10-31-apps-databricks-audit.md} (100%) diff --git a/blog-service/2025-10-31-apps.md b/blog-service/2025-10-31-apps-databricks-audit.md similarity index 100% rename from blog-service/2025-10-31-apps.md rename to blog-service/2025-10-31-apps-databricks-audit.md
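Review bot: in the "API Response Code" sample query in the new docs/integrations/saas-cloud/databricks-audit.md, the panel references two fields that the first `json` operator never extracts: `| json field=request_params "authenticationMethod" as authentication_method nodrop` depends on `request_params`, and `| where !isBlank(event_id) and !isBlank(status_code)` / `| count by event_id ,status_code` depend on `event_id`, but the preceding `json` line only pulls `action_name`, `audit_level`, `event_time`, `response`, `service_name`, `source_ip_address`, `user_identity` and `workspace_id`. Add `"event_id"` and `"request_params"` to that extraction list (with matching aliases) so the query runs as written; `authentication_method` is also extracted but not used in that panel and can be dropped. In the "Total Alerts" query the title does not match the query, which counts distinct non-null `email_id` values rather than alerts; rename the panel or adjust the query. Under "Log types", the link text says "audit logs" but the target is the Statement Execution API endpoint (`.../api/workspace/statementexecution/executestatement`); either link the audit log reference or state that the source reads the audit records through that API. The "Viewing the Databricks Audit dashboards" heading carries trailing zero-width characters after "dashboards", which will end up in the generated anchor; remove them. Finally, the file ends with "\ No newline at end of file"; add the trailing newline.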
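Review bot: the new blog-service/2025-10-31-apps.md (renamed in PATCH 5/5 to 2025-10-31-apps-databricks-audit.md) ends with "\ No newline at end of file"; add the trailing newline so the file matches the other posts in that directory.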
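Review bot: the reworded `Users with Failed Login` description in PATCH 4/5 changes the meaning of the monitor and is harder to read than the line it replaces. The original said "when a user has more than three failed login attempts" (a per-user threshold); the new text says "when there are more than three failed login attempts", which reads as a total across all users, and "supporting you to early detect the potential unauthorized access attempts" is ungrammatical. If the monitor groups by user, keep the per-user wording and phrase the tail as "helping you detect potential unauthorized access attempts early"; if it counts all failures, say so explicitly so the "Count > 3" alert condition is unambiguous.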