
Summary
This rule detects revocation of Databricks access tokens by monitoring Databricks audit logs for revokeDbToken actions. A revocation usually reflects routine credential rotation, but it can also be an attacker removing traces after misusing a token. The detection fires on audit events in which the accounts service revokes a token (revokeDbToken) tied to a user identity, and carries context such as the tokenId and the response status. The rule maps to MITRE ATT&CK T1070 (Indicator Removal on Host) under tactic TA0005 to flag potential defense-evasion activity. Tests show a positive alert when the accounts service revokes a token, and no alert when unrelated services or actions appear. Runbooks emphasize confirming that the revocation was authorized, checking for recent creation of the token or unusual source IPs, and investigating suspicious activity that preceded the revocation and is linked to the token. Correlating with token usage patterns and user behavior helps reduce false positives. When the rule triggers, respond by rotating the token, auditing the token's scope and privileges, and investigating for any unauthorized access.
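The detection and enrichment logic the summary describes, run over a few constructed Databricks audit events, as an added example that is not the rule's own implementation. The top-level field layout (serviceName, actionName, userIdentity.email, sourceIPAddress, requestParams, response.statusCode, timestamp) follows the Databricks audit log schema; the requestParams key "tokenId", the sample values, and the use of a generateDbToken event as the token-creation record for the "recently created" and "unusual IP" checks are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample Databricks audit events (not real log captures).
# Assumptions: requestParams carries "tokenId"; generateDbToken is the
# creation event matched against a later revokeDbToken for enrichment.
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-01T09:00:00Z", "serviceName": "accounts",
     "actionName": "generateDbToken", "userIdentity": {"email": "alice@example.com"},
     "sourceIPAddress": "203.0.113.10", "requestParams": {"tokenId": "tok-0001"},
     "response": {"statusCode": 200}},
    # positive: accounts service revokes tok-0001 minutes after creation, from a new IP
    {"timestamp": "2026-04-01T09:07:00Z", "serviceName": "accounts",
     "actionName": "revokeDbToken", "userIdentity": {"email": "alice@example.com"},
     "sourceIPAddress": "198.51.100.7", "requestParams": {"tokenId": "tok-0001"},
     "response": {"statusCode": 200}},
    # positive: plain revocation with no creation record in the window
    {"timestamp": "2026-04-01T10:00:00Z", "serviceName": "accounts",
     "actionName": "revokeDbToken", "userIdentity": {"email": "bob@example.com"},
     "sourceIPAddress": "203.0.113.10", "requestParams": {"tokenId": "tok-0002"},
     "response": {"statusCode": 200}},
    # negative: same action name but an unrelated service
    {"timestamp": "2026-04-01T10:05:00Z", "serviceName": "notebook",
     "actionName": "revokeDbToken", "userIdentity": {"email": "carol@example.com"},
     "sourceIPAddress": "203.0.113.11", "requestParams": {"tokenId": "tok-0003"},
     "response": {"statusCode": 200}},
    # negative: accounts service but a different action
    {"timestamp": "2026-04-01T10:10:00Z", "serviceName": "accounts",
     "actionName": "tokenLogin", "userIdentity": {"email": "dave@example.com"},
     "sourceIPAddress": "203.0.113.12", "requestParams": {},
     "response": {"statusCode": 200}},
]

WATCHED_SERVICE = "accounts"
WATCHED_ACTION = "revokeDbToken"
CREATION_ACTION = "generateDbToken"  # assumed name of the token-creation event


def parse_ts(value):
    """Parse an ISO-8601 timestamp; the logs use a trailing Z for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_token_revocation(event):
    """Core rule: the accounts service revoked a token."""
    return (event.get("serviceName") == WATCHED_SERVICE
            and event.get("actionName") == WATCHED_ACTION)


def index_creations(events):
    """Map tokenId -> (created_at, creating IP) from creation events, for enrichment."""
    created = {}
    for ev in events:
        if ev.get("serviceName") == WATCHED_SERVICE and ev.get("actionName") == CREATION_ACTION:
            token_id = ev.get("requestParams", {}).get("tokenId")
            if token_id:
                created[token_id] = (parse_ts(ev["timestamp"]), ev.get("sourceIPAddress"))
    return created


def build_alert(event, creations, window):
    """Attach the context the runbook asks for: token age and IP consistency."""
    token_id = event.get("requestParams", {}).get("tokenId")
    revoked_at = parse_ts(event["timestamp"])
    recently_created, ip_differs = False, None
    if token_id in creations:
        created_at, created_ip = creations[token_id]
        recently_created = timedelta(0) <= revoked_at - created_at <= window
        ip_differs = created_ip != event.get("sourceIPAddress")
    return {
        "user": event.get("userIdentity", {}).get("email"),
        "token_id": token_id,
        "status_code": event.get("response", {}).get("statusCode"),
        "source_ip": event.get("sourceIPAddress"),
        "timestamp": event["timestamp"],
        "recently_created": recently_created,
        "ip_differs_from_creation": ip_differs,
    }


def detect(events, window=timedelta(minutes=30)):
    """Return one enriched alert per accounts/revokeDbToken event."""
    creations = index_creations(events)
    return [build_alert(ev, creations, window) for ev in events if is_token_revocation(ev)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The `recently_created` and `ip_differs_from_creation` fields are not part of the match itself; they carry the triage signals the runbook asks an analyst to check, so a SIEM can prioritize a revocation that follows closely on creation or arrives from an IP that never created the token.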
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1070
Created: 2026-04-01