
Summary
Detects the creation of legacy Databricks mount points by analyzing Databricks audit logs for mount operations (serviceName: dbfs, actionName: mount). Mount points under /mnt map external storage (e.g., S3, ADLS) into Databricks and can bypass Unity Catalog external locations and ACLs, creating an access-control bypass risk. The rule identifies the anti-pattern of mounting external data sources via legacy mechanisms and treats such events as indicators of potential misuse or misconfiguration. It ties each event to the actor, the mount_point, and the workspace_id, and includes a runbook for retrospective and baseline analysis. The MITRE ATT&CK mappings provided are TA0009:T1074 and TA0008:T1021. Tests simulate legitimate and suspicious mount scenarios and verify that mount creation is detected while unmount and non-mount actions do not trigger false positives. The rule is marked Experimental with Info severity, and supports follow-up investigations such as cross-workspace baselining and short-term access checks after mount creation.
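As an added example (not the rule's own code), the core of this detection run over constructed Databricks audit events: the serviceName/actionName filter, the triage fields the summary names (actor, mount_point, workspace_id), and a baseline check for the cross-workspace analysis it mentions. The event field nesting (userIdentity.email, requestParams.mount_point, workspaceId) is an assumption about the log layout.

```python
# Constructed sample Databricks audit events (not real log data). Field nesting
# (userIdentity.email, requestParams.mount_point, workspaceId) is an assumption.
SAMPLE_EVENTS = [
    {   # legacy mount creation under /mnt: the anti-pattern the rule flags
        "serviceName": "dbfs", "actionName": "mount",
        "userIdentity": {"email": "data.eng@example.com"},
        "workspaceId": "1111222233334444",
        "requestParams": {"mount_point": "/mnt/raw", "source": "s3a://example-bucket/raw"},
    },
    {   # same actor tearing a mount down: not a creation, must not fire
        "serviceName": "dbfs", "actionName": "unmount",
        "userIdentity": {"email": "data.eng@example.com"},
        "workspaceId": "1111222233334444",
        "requestParams": {"mount_point": "/mnt/old"},
    },
    {   # other dbfs action: must not fire
        "serviceName": "dbfs", "actionName": "create",
        "userIdentity": {"email": "data.eng@example.com"},
        "workspaceId": "1111222233334444",
        "requestParams": {"path": "/tmp/notes.txt"},
    },
]


def is_legacy_mount(event: dict) -> bool:
    """Rule condition: a DBFS mount operation (serviceName dbfs, actionName mount)."""
    return event.get("serviceName") == "dbfs" and event.get("actionName") == "mount"


def alert_context(event: dict) -> dict:
    """Pivot fields for triage: who mounted what, from where, in which workspace."""
    params = event.get("requestParams") or {}
    return {
        "actor": (event.get("userIdentity") or {}).get("email", "<unknown>"),
        "mount_point": params.get("mount_point", "<unknown>"),
        "source": params.get("source", "<unknown>"),
        "workspace_id": event.get("workspaceId", "<unknown>"),
    }


def detect(events: list[dict]) -> list[dict]:
    """Return one alert context per legacy mount creation, skipping everything else."""
    return [alert_context(e) for e in events if is_legacy_mount(e)]


def new_mounts(alerts: list[dict], baseline: set[tuple[str, str]]) -> list[dict]:
    """Baseline check: keep mounts whose (workspace_id, mount_point) is not yet known."""
    return [a for a in alerts if (a["workspace_id"], a["mount_point"]) not in baseline]
```

Running `detect(SAMPLE_EVENTS)` yields a single alert for the /mnt/raw mount; feeding those alerts to `new_mounts` with a baseline of known mounts per workspace leaves only the ones worth a closer look.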
Categories
- Cloud
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1074
- T1021
Created: 2026-04-01