
Summary
This rule detects when a single user accesses five or more distinct Databricks workspaces within a rolling 24-hour window by analyzing Databricks audit logs. Access to multiple workspaces in a short period can indicate lateral movement, reconnaissance, or credential compromise. The threshold is 5 distinct workspaces (deduplicated per user) to reduce noise from routine activity. The alert is mapped to MITRE ATT&CK tactic TA0008 (Lateral Movement), technique T1021. The runbook suggests verifying the user's normal baseline over the past 7 days, checking for unusual actions across the workspaces (e.g., data downloads, permission changes), and extending the analysis of the user to the past 30 days to establish baseline behavior. Environments with Databricks audit logging, identity management controls, and cloud logs can use this rule to surface suspicious cross-workspace access. The rule is experimental, has medium severity, and uses a dedup window of 1440 minutes to balance alert volume. The tests show that a user logging in across multiple workspaces triggers the rule, whereas system/service accounts that do not represent a normal user do not.
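The aggregation the summary describes, written out as an added example that is not the rule's own code: events are grouped per user, the distinct workspaces seen in a rolling 24-hour window are counted, an alert fires at 5, a second alert for the same user is suppressed for 1440 minutes, and system/service identities are skipped. The event shape (`userIdentity.email`, `workspaceId`, `timestamp`), the `System-User`/UUID convention for service identities and all sample events are assumptions constructed for the example.

```python
"""Rolling-window count of distinct Databricks workspaces per user (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)       # rolling window from the rule
THRESHOLD = 5                      # distinct workspaces per user
DEDUP = timedelta(minutes=1440)    # one alert per user per dedup window
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def is_service_identity(email):
    """Assumption: system actions are logged as 'System-User' and service
    principals as their application-id UUID instead of a user e-mail."""
    return email == "System-User" or bool(UUID_RE.match(email))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return alerts as (user, alert_time, sorted workspace ids)."""
    recent = defaultdict(deque)   # user -> (timestamp, workspaceId) still in window
    last_alert, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        user = ev["userIdentity"]["email"]
        if is_service_identity(user):
            continue
        ts = parse_ts(ev["timestamp"])
        q = recent[user]
        q.append((ts, ev["workspaceId"]))
        while ts - q[0][0] > WINDOW:          # evict events older than 24h
            q.popleft()
        workspaces = {ws for _, ws in q}
        if len(workspaces) < THRESHOLD:
            continue
        if user in last_alert and ts - last_alert[user] < DEDUP:
            continue                           # suppressed by dedup window
        last_alert[user] = ts
        alerts.append((user, ts, sorted(workspaces)))
    return alerts


def event(email, ws, ts):  # constructed sample event, minimal audit-log shape
    return {"userIdentity": {"email": email}, "workspaceId": ws, "timestamp": ts}


SAMPLE = (  # alice: 6 workspaces in 6h; bob: 5 spread over 25h; system: skipped
    [event("alice@example.com", 100 + i, f"2026-04-01T{8 + i:02d}:00:00Z") for i in range(1, 7)]
    + [event("bob@example.com", 200 + i, t) for i, t in enumerate(
        ["2026-04-01T00:00:00Z", "2026-04-01T06:00:00Z", "2026-04-01T12:00:00Z",
         "2026-04-01T18:00:00Z", "2026-04-02T01:00:00Z"], start=1)]
    + [event("System-User", 300 + i, f"2026-04-01T10:{i:02d}:00Z") for i in range(1, 7)]
)
```

Running `detect(SAMPLE)` yields exactly one alert, for alice at the fifth workspace; her sixth workspace falls inside the dedup window and bob never holds five distinct workspaces within 24 hours.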
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1021
Created: 2026-04-01