
Summary
Detects Databricks workspace login attempts blocked by explicit IP denial policies. The rule fires on Databricks Audit events where actionName is IpAccessDenied and a sourceIPAddress is present, while excluding benign noise from known service agents (e.g., Databricks-Runtime) and telemetry-related requests (path '/telemetry/events'). Although the attempt is blocked, it may indicate reconnaissance or credential-stuffing activity and warrants further investigation. The rule maps to MITRE ATT&CK technique T1078 (Valid Accounts) under TA0001 to contextualize the initial access vector and to aid detection tuning. The alert is classified with Severity Info to indicate a potential unauthorized access attempt without implying successful compromise. The runbook describes how to enrich the signal and assess risk across the surrounding timeframe. A reference implementation and tests are provided for validation.
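The detection logic described above, written out as an added illustration in the Panther rule style (rule/title functions); this is not the rule's own reference implementation. The actionName and sourceIPAddress fields come from the summary; the userAgent, requestParams.path and userIdentity.email field paths, and the sample events, are assumptions constructed for this example.

```python
# Added illustration of the IpAccessDenied logic; not the reference implementation.
# Field paths other than actionName and sourceIPAddress are assumed.

SERVICE_AGENTS = ("Databricks-Runtime",)      # known service user agents to ignore
TELEMETRY_PATHS = ("/telemetry/events",)      # telemetry requests to ignore


def rule(event: dict) -> bool:
    """True when a Databricks audit event records a login blocked by an IP access list."""
    if event.get("actionName") != "IpAccessDenied":
        return False
    # A source address is required; without it there is nothing to enrich or block on.
    if not event.get("sourceIPAddress"):
        return False
    # Exclude benign noise: requests from known service agents ...
    agent = event.get("userAgent") or ""
    if any(agent.startswith(prefix) for prefix in SERVICE_AGENTS):
        return False
    # ... and telemetry traffic (path assumed to live under requestParams).
    path = (event.get("requestParams") or {}).get("path", "")
    if path in TELEMETRY_PATHS:
        return False
    return True


def severity(event: dict) -> str:
    """Blocked attempts are informational: they do not imply a successful compromise."""
    return "INFO"


def title(event: dict) -> str:
    user = (event.get("userIdentity") or {}).get("email", "<unknown>")
    return f"Databricks login from [{event.get('sourceIPAddress')}] by [{user}] denied by IP access list"


# Constructed sample events for local validation (not real log data).
DENIED_LOGIN = {
    "actionName": "IpAccessDenied",
    "serviceName": "accounts",
    "sourceIPAddress": "203.0.113.10",
    "userAgent": "Mozilla/5.0",
    "userIdentity": {"email": "alice@example.com"},
    "requestParams": {"path": "/login"},
}
RUNTIME_NOISE = {**DENIED_LOGIN, "userAgent": "Databricks-Runtime/13.3"}
TELEMETRY_NOISE = {**DENIED_LOGIN, "requestParams": {"path": "/telemetry/events"}}
NO_SOURCE_IP = {k: v for k, v in DENIED_LOGIN.items() if k != "sourceIPAddress"}
```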
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Application Log
- Logon Session
ATT&CK Techniques
- T1078
Created: 2026-04-01