
Databricks Data Downloads From Control Plane

Panther Rules

Summary
Detects high-volume downloads from the Databricks control plane that may indicate data exfiltration. It analyzes Databricks audit logs for download actions (including query results, notebooks, and models) performed by users. The detection fires when the count of download actions in a deduplicated 60-minute window exceeds a threshold of 21. The rule maps to MITRE ATT&CK TA0010:T1567 (Exfiltration). It is labeled Medium severity and currently Experimental. The runbook recommends auditing the last 24 hours of download activity for total volume, assessing whether the data downloaded within a 6-hour window around the alert contains sensitive classifications or PII, and establishing a baseline by reviewing the past 30 days of activity. The rule's test example is a Preview Results Download event (service: sql, action: downloadPreviewResults, userIdentity: {email}, response: {statusCode: 200}). The rule is supported by a Databricks Audit log data source and is tagged for detection of exfiltration patterns.
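The following is an added example, not the Panther rule's own source, showing how the threshold-over-a-dedup-window logic described above behaves when replayed over constructed Databricks audit events. The field names (serviceName, actionName, userIdentity.email, response.statusCode) are assumed from the test example on the page, the list of download actions is illustrative rather than the rule's real list, and the comparison follows the page's wording ("exceeds a threshold of 21"); the rule() and dedup() functions mirror the Panther rule-function shape, while evaluate() stands in for Panther's own windowed counting so the behaviour can be observed offline.

```python
"""Added example: local replay of a per-user, 60-minute download-count threshold."""
from datetime import datetime, timedelta

# Assumed Databricks audit-log field names and an illustrative action list;
# the rule's actual list of download actions is not on the page.
DOWNLOAD_ACTIONS = {
    ("sql", "downloadPreviewResults"),
    ("sql", "downloadQueryResult"),
    ("notebook", "downloadPreviewResults"),
    ("notebook", "downloadLargeResults"),
    ("mlflowExperiment", "downloadArtifact"),
}
THRESHOLD = 21        # from the page
DEDUP_MINUTES = 60    # from the page


def rule(event: dict) -> bool:
    """Per-event match, Panther-style: a successful download action."""
    if event.get("response", {}).get("statusCode") != 200:
        return False
    return (event.get("serviceName"), event.get("actionName")) in DOWNLOAD_ACTIONS


def dedup(event: dict) -> str:
    """Deduplication key: one counting window per user."""
    return event.get("userIdentity", {}).get("email", "<unknown>")


def title(event: dict, count: int) -> str:
    """Alert title for a window that crossed the threshold."""
    return f"{dedup(event)} performed {count} Databricks downloads within {DEDUP_MINUTES} minutes"


def evaluate(events: list) -> list:
    """Replay events in time order and apply THRESHOLD over a per-user window
    of DEDUP_MINUTES. A window opens at the user's first matching event and a
    new one starts once DEDUP_MINUTES have elapsed. Returns one alert per window
    that exceeds THRESHOLD as (user, window_start_iso, count) tuples, with the
    count reflecting every matching event seen in that window."""
    windows = {}   # dedup key -> [window_start, count, alert index or None]
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not rule(ev):
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        key = dedup(ev)
        win = windows.get(key)
        if win is None or ts - win[0] >= timedelta(minutes=DEDUP_MINUTES):
            win = [ts, 0, None]
            windows[key] = win
        win[1] += 1
        if win[1] > THRESHOLD:
            if win[2] is None:
                alerts.append([key, win[0].isoformat(), win[1]])
                win[2] = len(alerts) - 1
            else:
                alerts[win[2]][2] = win[1]   # keep the open alert's count current
    return [tuple(a) for a in alerts]


def _event(minute: int, email: str, service: str = "sql",
           action: str = "downloadPreviewResults", status: int = 200) -> dict:
    """Constructed sample event shaped like the page's test example."""
    return {
        "timestamp": (datetime(2026, 4, 1, 9, 0) + timedelta(minutes=minute)).isoformat(),
        "serviceName": service,
        "actionName": action,
        "userIdentity": {"email": email},
        "response": {"statusCode": status},
    }


# Constructed sample input: one user well over the threshold, one well under.
SAMPLE_EVENTS = (
    [_event(m, "alice@example.com") for m in range(0, 44, 2)]               # 22 downloads in 42 min
    + [_event(5, "alice@example.com", status=403)]                          # denied: not counted
    + [_event(m, "bob@example.com") for m in range(0, 10, 2)]               # 5 downloads: below threshold
    + [_event(3, "bob@example.com", service="clusters", action="start")]    # not a download
)

if __name__ == "__main__":
    for user, start, count in evaluate(SAMPLE_EVENTS):
        print(f"{start}: {title({'userIdentity': {'email': user}}, count)}")
```

Replaying SAMPLE_EVENTS yields a single alert for alice@example.com with a count of 22; the 403 response and bob's cluster start never reach the counter, and bob's five successful downloads stay under the threshold. When triaging a real alert, the per-user window start and count are the two values to carry into the 24-hour and 30-day baseline review the runbook describes.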
Categories
  • Cloud
Data Sources
  • Application Log
ATT&CK Techniques
  • T1567
Created: 2026-04-01