Databricks Repeated Failed Login Attempts

Panther Rules

Summary
This rule detects credential abuse against Databricks by monitoring Audit logs for repeated failed login attempts by a single user within a 60-minute window. When five or more login failures occur within the window (deduplicated per 60 minutes), the rule triggers, indicating potential credential stuffing, brute force, or use of compromised credentials. The detection focuses on login events (e.g., samlLogin, jwtLogin, standard login) and surfaces the user, source IP, and login action to aid triage. It maps to MITRE ATT&CK techniques T1110 (Brute Force / Credential Stuffing) and T1078 (Valid Accounts). The included tests demonstrate failed logins from the same source and contrasting successful or unrelated actions to calibrate false positives. The Runbook calls for contextual analysis around the alert (six-hour window), checking whether source IPs align with VPNs/proxies or unusual geographies, and verifying if subsequent logins occur from different IPs, which could indicate account compromise.
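The logic described above, as an added illustration rather than the rule's own source (which this page does not show): it flags a user once five failed login-type actions fall inside one sliding 60-minute window and surfaces the source IPs. The Databricks audit-log field names (serviceName, actionName, userIdentity.email, sourceIPAddress, response.statusCode), the tokenLogin action and the sample events are assumptions.

```python
# Added illustration, not the rule's source; field names and events are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_ACTIONS = {"login", "samlLogin", "jwtLogin", "tokenLogin"}  # login-type actions
THRESHOLD = 5                   # failures needed to fire
WINDOW = timedelta(minutes=60)  # sliding window per user


def is_failed_login(event: dict) -> bool:
    """True for an accounts-service login action whose response was not 200."""
    if event.get("serviceName") != "accounts":
        return False
    if event.get("actionName") not in LOGIN_ACTIONS:
        return False
    return event.get("response", {}).get("statusCode") != 200


def failed_login_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (count, [source IPs])} for each user whose failed logins
    reach `threshold` inside any single `window`; successful logins are ignored."""
    per_user = defaultdict(list)
    for ev in events:
        if is_failed_login(ev):
            per_user[ev["userIdentity"]["email"]].append(ev)
    hits = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, ev in enumerate(evs):
            # this failure plus every earlier one that is still inside the window
            in_window = [e for e in evs[: i + 1] if e["timestamp"] >= ev["timestamp"] - window]
            if len(in_window) >= threshold:
                hits[user] = (len(in_window), sorted({e["sourceIPAddress"] for e in in_window}))
                break
    return hits


def _ev(minute, user, action, status, ip):
    """Build one constructed Databricks-style audit event `minute` minutes after noon."""
    return {"timestamp": datetime(2026, 4, 1, 12, 0) + timedelta(minutes=minute),
            "serviceName": "accounts", "actionName": action,
            "userIdentity": {"email": user}, "sourceIPAddress": ip,
            "response": {"statusCode": status}}


SAMPLE_EVENTS = (  # constructed sample data
    [_ev(m, "alice@example.com", "samlLogin", 401, "203.0.113.7") for m in (0, 10, 20, 30, 40)]
    + [_ev(45, "alice@example.com", "samlLogin", 200, "203.0.113.7")]  # success, ignored
    + [_ev(m, "bob@example.com", "login", 401, "198.51.100.9") for m in (0, 5, 15, 25)]  # only 4
    + [_ev(m, "carol@example.com", "jwtLogin", 401, "192.0.2.3") for m in (0, 50, 100, 150, 200)]
)  # carol has five failures, but never five inside one 60-minute window
```

Calling `failed_login_bursts(SAMPLE_EVENTS)` returns only alice, with her five failures and the single source IP for triage.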
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1110
  • T1078
Created: 2026-04-01