
Summary
Detects repeated unauthorized Databricks Unity Catalog data access attempts by a single user, using Unity Catalog audit logs. The rule targets failed credential generations (for tables, volumes, or paths) and Delta Sharing access denials, aggregates events by actor within a 60-minute window, and triggers when the count reaches the threshold of 16 (i.e., more than 15 unauthorized attempts in an hour). A dedup period of 60 minutes reduces alert storms.

For context, the rule queries relevant data from the past 24 hours to identify which data assets were targeted (tables, volumes, or shares) and also surfaces other users exhibiting high unauthorized data request rates over the past 7 days.

The MITRE ATT&CK mapping TA0009:T1530 is applied to categorize the technique as data access from information repositories.

The Runbook guides investigators to: (1) query Unity Catalog audit logs for all data access attempts by the user in the past 24 hours, (2) identify the specific assets accessed, and (3) identify other users with elevated unauthorized access patterns in the past 7 days. The Tests illustrate plausible unauthorized scenarios (e.g., 403/401 responses during credential generation or Delta Sharing access denial) and false positives (e.g., successful credential generation or unrelated service logins).
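The aggregation described above, as an added example that is not the rule's own code: a sliding 60-minute count of denied Unity Catalog requests per actor, firing at 16 events and suppressing further alerts for that actor for the next 60 minutes, plus the two context lookups (assets targeted, other actors' unauthorized counts). The audit event layout (`serviceName`, `actionName`, `userIdentity.email`, `response.statusCode`, `requestParams`), the `generateTemporary*Credential` and `deltaSharing*` action names, and the `requestParams` keys used to label assets are assumptions about the audit log schema and should be checked against your own logs; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Unity Catalog audit actionName values (assumption: verify against
# your own audit log schema before relying on them).
CREDENTIAL_ACTIONS = {
    "generateTemporaryTableCredential",
    "generateTemporaryVolumeCredential",
    "generateTemporaryPathCredential",
}
DELTA_SHARING_PREFIX = "deltaSharing"   # assumed prefix of Delta Sharing actions
DENIED_STATUS = {401, 403}
THRESHOLD = 16                           # 16 or more, i.e. more than 15
WINDOW = timedelta(minutes=60)           # aggregation and dedup window


def is_unauthorized_access(event):
    """True for a denied credential generation or a denied Delta Sharing call."""
    if event.get("serviceName") != "unityCatalog":
        return False
    if event.get("response", {}).get("statusCode") not in DENIED_STATUS:
        return False
    action = event.get("actionName", "")
    return action in CREDENTIAL_ACTIONS or action.startswith(DELTA_SHARING_PREFIX)


def actor_of(event):
    return event.get("userIdentity", {}).get("email", "unknown")


def asset_of(event):
    """Best-effort asset label from requestParams (the keys are assumptions)."""
    params = event.get("requestParams", {})
    for key in ("table_full_name", "volume_full_name", "url", "share"):
        if key in params:
            return f"{key}={params[key]}"
    return "unknown"


def evaluate(events):
    """Sliding 60-minute count per actor. Returns alerts as
    (actor, count_in_window, sorted_assets); one alert per actor per
    60-minute dedup period."""
    recent = defaultdict(list)      # actor -> timestamps still inside WINDOW
    assets = defaultdict(set)       # actor -> assets targeted so far
    last_alert = {}                 # actor -> time of last alert (dedup)
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not is_unauthorized_access(ev):
            continue
        who, ts = actor_of(ev), ev["timestamp"]
        recent[who].append(ts)
        recent[who] = [t for t in recent[who] if ts - t <= WINDOW]
        assets[who].add(asset_of(ev))
        if len(recent[who]) < THRESHOLD:
            continue
        if who in last_alert and ts - last_alert[who] < WINDOW:
            continue                # still inside the dedup period
        last_alert[who] = ts
        alerts.append((who, len(recent[who]), sorted(assets[who])))
    return alerts


def unauthorized_counts(events, since):
    """Context lookup: unauthorized attempts per actor since `since`
    (the runbook's 7-day look at other users)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["timestamp"] >= since and is_unauthorized_access(ev):
            counts[actor_of(ev)] += 1
    return dict(counts)


# Constructed sample events (not real audit data).
def make_event(ts, email, action, status, **params):
    return {"timestamp": ts, "serviceName": "unityCatalog", "actionName": action,
            "userIdentity": {"email": email}, "response": {"statusCode": status},
            "requestParams": params}

T0 = datetime(2026, 4, 1, 9, 0, 0)
LOOKBACK_START = T0 - timedelta(days=7)
SAMPLE_EVENTS = (
    # 17 denied table credential requests from alice within 34 minutes, two tables
    [make_event(T0 + timedelta(minutes=2 * i), "alice@example.com",
                "generateTemporaryTableCredential", 403,
                table_full_name="main.finance.salaries" if i % 2 else "main.hr.ssn")
     for i in range(17)]
    # 5 denied Delta Sharing calls from bob: below threshold
    + [make_event(T0 + timedelta(minutes=5 * i), "bob@example.com",
                  "deltaSharingGetTableMetadata", 401, share="partner_share")
       for i in range(5)]
    # 20 successful credential requests from carol: never counted
    + [make_event(T0 + timedelta(minutes=i), "carol@example.com",
                  "generateTemporaryTableCredential", 200,
                  table_full_name="main.sales.orders")
       for i in range(20)]
)

if __name__ == "__main__":
    for who, n, targets in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {who}: {n} denied requests in 60 min, assets: {targets}")
    print(unauthorized_counts(SAMPLE_EVENTS, LOOKBACK_START))
```

On the sample, alice produces exactly one alert at her 16th denial; her 17th denial two minutes later is absorbed by the dedup period, bob stays below the threshold, and carol's successful requests are never counted, matching the false-positive cases the Tests describe.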
Categories
- Cloud
- Database
- Application
Data Sources
- Application Log
- Service
ATT&CK Techniques
- T1530
Created: 2026-04-01