Databricks Long-Lifetime Token Generated

Panther Rules

Summary
This detection rule flags the generation of Databricks Personal Access Tokens (PATs) whose lifetime exceeds 72 hours. Long-lived tokens widen the window in which a stolen token grants unauthorized access. Severity scales with token lifetime: any lifetime over 72 hours is treated as suspicious, lifetimes over 90 days are rated MEDIUM, and lifetimes over 1 year are rated HIGH.

The detection reads Databricks audit logs to identify token-generation events, capturing the tokenExpirationTime and the identity of the user who created the token. The investigation then checks whether the newly created token was used for API calls within 24 hours of creation, and surveys other tokens with lifetimes over 72 hours generated in the prior 90 days to establish a baseline and spot a pattern. The rule maps to the MITRE ATT&CK techniques Credential Access (TA0006:T1550) and Account Discovery (TA0003:T1098).

The Runbook gives practical investigation steps: (1) query the audit logs for token-generation events by the user in the last 30 days to spot patterns, (2) verify whether the token was used in the 24 hours after creation, and (3) enumerate other long-lifetime tokens created in the prior 90 days to understand the user's baseline behavior. Tests cover both expected alerts and false positives: tokens with 7-day and 100-day lifetimes fire (true), a 24-hour lifetime does not (false), and unrelated actions do not (false). References include the audit-logs resource link used for the queries and alerts. The rule complements general credential hygiene and access control by highlighting the risk of non-expiring or long-duration Databricks tokens and guiding rapid containment and remediation.
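The lifetime thresholds and severity tiers above, implemented as a Panther-style rule body. This is an added example, not the rule's own code; the event shape (serviceName "accounts", actionName "generateDbToken", an epoch-millisecond timestamp, and requestParams.tokenExpirationTime in epoch milliseconds, with -1 or a missing value taken to mean the token never expires) is assumed, and the sample events are constructed.

```python
HOUR_MS = 60 * 60 * 1000
SUSPICIOUS_MS = 72 * HOUR_MS       # lifetime >72h is flagged at all
MEDIUM_MS = 90 * 24 * HOUR_MS      # lifetime >90 days -> MEDIUM
HIGH_MS = 365 * 24 * HOUR_MS       # lifetime >1 year  -> HIGH


def token_lifetime_ms(event):
    """Lifetime of the generated token in ms; None if the event is not a
    token-generation event; float('inf') for a token with no expiry."""
    if event.get("serviceName") != "accounts" or event.get("actionName") != "generateDbToken":
        return None
    params = event.get("requestParams") or {}
    expiry = params.get("tokenExpirationTime")
    if expiry is None or int(expiry) < 0:
        return float("inf")  # assumption: no expiry recorded -> unbounded lifetime
    return int(expiry) - int(event["timestamp"])


def rule(event):
    """Panther entry point: True when a token with lifetime >72h was generated."""
    lifetime = token_lifetime_ms(event)
    return lifetime is not None and lifetime > SUSPICIOUS_MS


def severity(event):
    """Escalate by lifetime; 'DEFAULT' keeps the rule's configured severity."""
    lifetime = token_lifetime_ms(event) or 0
    if lifetime > HIGH_MS:
        return "HIGH"
    if lifetime > MEDIUM_MS:
        return "MEDIUM"
    return "DEFAULT"


def _event(action, created_ms, expiry_ms, email="alice@example.com"):
    """Build a constructed audit-log event for the sample runs below."""
    return {"serviceName": "accounts", "actionName": action, "timestamp": created_ms,
            "userIdentity": {"email": email},
            "requestParams": {"tokenExpirationTime": expiry_ms}}


NOW_MS = 1_700_000_000_000  # constructed creation time (epoch ms)
SAMPLES = {
    "7d":    _event("generateDbToken", NOW_MS, NOW_MS + 7 * 24 * HOUR_MS),
    "100d":  _event("generateDbToken", NOW_MS, NOW_MS + 100 * 24 * HOUR_MS),
    "2y":    _event("generateDbToken", NOW_MS, NOW_MS + 2 * 365 * 24 * HOUR_MS),
    "24h":   _event("generateDbToken", NOW_MS, NOW_MS + 24 * HOUR_MS),
    "never": _event("generateDbToken", NOW_MS, -1),
    "other": _event("login", NOW_MS, NOW_MS + 100 * 24 * HOUR_MS),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name:>6}: fires={rule(ev)} severity={severity(ev)}")
```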
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1550
  • T1098
Created: 2026-04-01