
Summary
Detects when a Databricks employee successfully logs into a workspace using GENIE_AUTH authentication. The rule is designed to provide visibility into legitimate support/maintenance access and to surface potential misuse by correlating login events with known authorized activity. It targets audit logs where the login action (serviceName: accounts, actionName: login) has userIdentity.email identifying a Databricks employee, and requestParams.authentication_method equals GENIE_AUTH with a successful response (statusCode 200). The rule maps to MITRE ATT&CK technique T1078 (Valid Accounts) to highlight account-based access. Runbook steps include querying audit logs for actions by the employee within a 24-hour window around the alert, verifying any open support cases or maintenance windows, and inspecting the employee’s login history over the past 30 days to identify patterns or anomalies.
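The match logic and the runbook checks described above, re-created as an added Python example (this is not the rule's own code, nor code from Databricks or the rule's vendor). It assumes, because the page does not say, that employee accounts are identified by the databricks.com e-mail domain, that the status code sits at response.statusCode, and that each audit event carries an ISO-8601 UTC timestamp field; the sample events are constructed, not real logs.

```python
"""
Added example (not the rule's implementation): match logic for a successful
GENIE_AUTH login by an employee, plus helpers mirroring the runbook's
24-hour activity window and 30-day login-history checks.
Assumptions not stated on the page: employee = e-mail ending in
EMPLOYEE_DOMAIN; status code at event["response"]["statusCode"];
event["timestamp"] is an ISO-8601 UTC string.
"""
from datetime import datetime, timedelta

EMPLOYEE_DOMAIN = "databricks.com"  # assumption: employees identified by mail domain


def _get(event, *path):
    """Walk nested dicts; return None if any key along the path is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def _ts(event):
    """Parse the event's ISO-8601 timestamp (assumed field name) to an aware datetime."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def is_employee(email):
    return isinstance(email, str) and email.lower().endswith("@" + EMPLOYEE_DOMAIN)


def rule(event):
    """True only for serviceName=accounts, actionName=login, GENIE_AUTH, HTTP 200, employee e-mail."""
    if _get(event, "serviceName") != "accounts":
        return False
    if _get(event, "actionName") != "login":
        return False
    if _get(event, "requestParams", "authentication_method") != "GENIE_AUTH":
        return False
    if _get(event, "response", "statusCode") != 200:
        return False
    return is_employee(_get(event, "userIdentity", "email"))


def title(event):
    return (f"Databricks employee [{_get(event, 'userIdentity', 'email')}] logged in with "
            f"GENIE_AUTH to workspace [{_get(event, 'workspaceId')}]")


def actions_within_window(events, alert_event, hours=24):
    """Runbook step 1: every action by the same employee within +/- hours of the alert."""
    email = _get(alert_event, "userIdentity", "email")
    center = _ts(alert_event)
    lo, hi = center - timedelta(hours=hours), center + timedelta(hours=hours)
    return [e for e in events
            if _get(e, "userIdentity", "email") == email and lo <= _ts(e) <= hi]


def login_history(events, email, now_iso, days=30):
    """Runbook step 3: successful logins by the employee in the past `days`, counted per auth method."""
    since = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) - timedelta(days=days)
    counts = {}
    for e in events:
        if (_get(e, "serviceName") == "accounts" and _get(e, "actionName") == "login"
                and _get(e, "response", "statusCode") == 200
                and _get(e, "userIdentity", "email") == email and _ts(e) >= since):
            method = _get(e, "requestParams", "authentication_method") or "unknown"
            counts[method] = counts.get(method, 0) + 1
    return counts


# Constructed sample audit events (not real Databricks logs).
_EMP = {"email": "support-eng@databricks.com"}
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-01T10:00:00Z", "serviceName": "accounts", "actionName": "login",
     "workspaceId": "1234567890", "userIdentity": _EMP,
     "requestParams": {"authentication_method": "GENIE_AUTH"}, "response": {"statusCode": 200}},
    {"timestamp": "2026-04-01T10:05:00Z", "serviceName": "clusters", "actionName": "start",
     "workspaceId": "1234567890", "userIdentity": _EMP,
     "requestParams": {}, "response": {"statusCode": 200}},
    {"timestamp": "2026-04-01T10:01:00Z", "serviceName": "accounts", "actionName": "login",
     "workspaceId": "1234567890", "userIdentity": _EMP,
     "requestParams": {"authentication_method": "GENIE_AUTH"}, "response": {"statusCode": 401}},
    {"timestamp": "2026-03-20T09:00:00Z", "serviceName": "accounts", "actionName": "login",
     "workspaceId": "1234567890", "userIdentity": _EMP,
     "requestParams": {"authentication_method": "GENIE_AUTH"}, "response": {"statusCode": 200}},
    {"timestamp": "2026-04-01T11:00:00Z", "serviceName": "accounts", "actionName": "login",
     "workspaceId": "1234567890", "userIdentity": {"email": "alice@customer.example"},
     "requestParams": {"authentication_method": "SSO"}, "response": {"statusCode": 200}},
    {"timestamp": "2026-02-01T09:00:00Z", "serviceName": "accounts", "actionName": "login",
     "workspaceId": "1234567890", "userIdentity": _EMP,
     "requestParams": {"authentication_method": "GENIE_AUTH"}, "response": {"statusCode": 200}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(title(ev))
            print("  actions +/-24h:", len(actions_within_window(SAMPLE_EVENTS, ev)))
            print("  30-day logins:", login_history(SAMPLE_EVENTS, ev["userIdentity"]["email"],
                                                    "2026-04-01T12:00:00Z"))
```

Only the first sample event fires: the failed (401) attempt, the customer SSO login, and the non-login cluster action are all excluded by the rule, but the failed attempt and the cluster start still show up in the 24-hour context query, which is the point of that runbook step. The 30-day history deliberately counts successful logins per authentication method so that a sudden first appearance of GENIE_AUTH for an account that otherwise uses another method stands out.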
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Logon Session
- Application Log
ATT&CK Techniques
- T1078
Created: 2026-04-01