Databricks Non-SSO Login Detected

Panther Rules

Summary
Detects successful Databricks login events that bypass Single Sign-On (SSO) by flagging non-SSO authentication paths in Databricks audit logs. Specifically, it flags login actions where authentication occurred via a token-based method, or where no authentication_method is present, in environments that enforce SSO. The rule targets true login events (serviceName: accounts, actionName: tokenLogin) with a 200 OK response and treats either requestParams.authentication_method == 'TOKEN' or a missing authentication_method as an indicator of non-SSO access. It excludes SSO logins (e.g., samlLogin with SSO methods) and non-login actions (e.g., createUser) to avoid false positives.

Potential implications include credential compromise, misconfigured service accounts, or automated processes bypassing SSO for Databricks access. MITRE ATT&CK mapping is TA0001:T1078 (Valid Accounts).

The runbook recommends verifying that the user expected non-SSO usage, confirming legitimate service accounts or automation, and reviewing the authentication_method in the alert context.

Tests validate token-based login with and without an explicit authentication_method, a legitimate SSO login, a failed login, and a non-login action, ensuring the rule only alerts on true non-SSO login events. Severity is Info and the detection is labeled Experimental. Reference links and test cases are included in the rule description for reproducibility.
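The following is an added example that re-implements the detection logic described above in the shape of a Panther Python rule, run over constructed Databricks audit events covering the test scenarios the summary lists. It is not the rule's own source code from Panther. The fields serviceName, actionName, requestParams.authentication_method and the 200 status are taken from the summary; the nested paths response.statusCode, userIdentity.email and sourceIPAddress are assumptions about the Databricks audit log schema, and the small deep_get helper stands in for the one Panther provides.

```python
"""Illustrative re-implementation of "Databricks Non-SSO Login Detected".

Added example, not Panther's rule source. Field names beyond those quoted on
the page (response.statusCode, userIdentity.email, sourceIPAddress) are
assumptions about the Databricks audit log schema.
"""

from typing import Any


def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; returns default on any missing hop."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or cur.get(key) is None:
            return default
        cur = cur[key]
    return cur


def rule(event: dict) -> bool:
    """True when a successful Databricks login did not go through SSO."""
    # Scope to genuine login events only: SSO logins (samlLogin) and other
    # accounts-service actions (createUser, ...) never match.
    if event.get("serviceName") != "accounts":
        return False
    if event.get("actionName") != "tokenLogin":
        return False
    # Only successful logins matter; failures are a different signal.
    if deep_get(event, "response", "statusCode") != 200:
        return False
    # Either an explicit TOKEN method or no method at all (including a
    # missing requestParams block) indicates the SSO path was bypassed.
    method = deep_get(event, "requestParams", "authentication_method")
    return method is None or method == "TOKEN"


def title(event: dict) -> str:
    user = deep_get(event, "userIdentity", "email", default="<unknown user>")
    return f"Databricks non-SSO login by [{user}]"


def alert_context(event: dict) -> dict:
    """Surface the fields the runbook asks an analyst to review."""
    return {
        "user": deep_get(event, "userIdentity", "email"),
        "source_ip": event.get("sourceIPAddress"),
        "action": event.get("actionName"),
        "authentication_method": deep_get(
            event, "requestParams", "authentication_method", default="MISSING"
        ),
    }


# Constructed sample events (not real log data) mirroring the page's test cases.
SAMPLE_EVENTS = {
    "token_login_explicit": {
        "serviceName": "accounts", "actionName": "tokenLogin",
        "userIdentity": {"email": "svc-etl@example.com"},
        "sourceIPAddress": "203.0.113.10",
        "requestParams": {"authentication_method": "TOKEN"},
        "response": {"statusCode": 200},
    },
    "token_login_no_method": {
        "serviceName": "accounts", "actionName": "tokenLogin",
        "userIdentity": {"email": "jdoe@example.com"},
        "sourceIPAddress": "203.0.113.11",
        "response": {"statusCode": 200},
    },
    "sso_login": {
        "serviceName": "accounts", "actionName": "samlLogin",
        "userIdentity": {"email": "jdoe@example.com"},
        "requestParams": {"authentication_method": "SAML"},
        "response": {"statusCode": 200},
    },
    "failed_token_login": {
        "serviceName": "accounts", "actionName": "tokenLogin",
        "requestParams": {"authentication_method": "TOKEN"},
        "response": {"statusCode": 401},
    },
    "create_user": {
        "serviceName": "accounts", "actionName": "createUser",
        "requestParams": {"targetUserName": "new.user@example.com"},
        "response": {"statusCode": 200},
    },
}


def evaluate_all(events: dict = SAMPLE_EVENTS) -> dict:
    """Run the rule over every sample and report which ones would alert."""
    return {name: rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:24s} -> {'ALERT' if fired else 'no alert'}")
        if fired:
            print("   ", title(SAMPLE_EVENTS[name]), alert_context(SAMPLE_EVENTS[name]))
```

Only the two tokenLogin events with a 200 response fire; the SAML login, the failed login and the createUser action are dropped before the authentication_method check is reached, which is what keeps the rule from alerting on non-login activity.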
Categories
  • Cloud
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2026-04-01