
Summary
Detects TruffleHog scanning activity in Databricks by monitoring audit events that indicate secret access attempts (e.g., getSecret actions) initiated during a TruffleHog run. The rule flags potential credential harvesting when a user or service triggers secret-related actions in Databricks from an external source IP, and elevates such events to HIGH severity. Triage logic includes correlating secret-access events within a 24-hour window around the triggering event, checking the source IP against known security-scanning tools or unusual geolocations, and looking for additional unusual secret-access patterns from the same IP or user over the prior 7 days. MITRE ATT&CK mappings provided: TA0006:T1552 (Credential Access: Unsecured Credentials) and TA0009:T1213 (Collection: Data from Information Repositories). A reference to the detector implementation is included. The rule is labeled Experimental and relies on Databricks audit logs to identify suspicious secret-access activity, with explicit emphasis on external IPs as high-risk indicators.
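The following is an added illustration of the detection and triage logic described above, not the rule's own implementation. It assumes Databricks audit events are available as dictionaries with the fields serviceName, actionName, sourceIPAddress, userIdentity.email and timestamp; the internal network ranges, the sample events and the user names are all invented for the example. Note that "external" is defined here as "not in a configured list of internal ranges" rather than via ipaddress.is_global, because the RFC 5737 documentation ranges used in the sample data (and some real corporate egress ranges) are not classed as global by the standard library.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical internal/corporate ranges; replace with the organisation's own
# egress and VPN ranges. Anything outside these is treated as "external".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample audit events (field names follow the assumed Databricks
# audit log layout; values are invented). Event 0 is the trigger: a getSecret
# from an external IP. Event 2 is an internal user, event 3 is a listSecrets
# by the same external actor one hour earlier, event 4 is 12 days old.
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-01T10:00:00+00:00", "serviceName": "secrets",
     "actionName": "getSecret", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"email": "svc-scanner@example.com"},
     "requestParams": {"scope": "prod-db", "key": "postgres-password"}},
    {"timestamp": "2026-04-01T10:00:03+00:00", "serviceName": "secrets",
     "actionName": "getSecret", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"email": "svc-scanner@example.com"},
     "requestParams": {"scope": "prod-db", "key": "api-token"}},
    {"timestamp": "2026-04-01T11:30:00+00:00", "serviceName": "secrets",
     "actionName": "getSecret", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"scope": "dev", "key": "test-key"}},
    {"timestamp": "2026-04-01T09:00:00+00:00", "serviceName": "secrets",
     "actionName": "listSecrets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"email": "svc-scanner@example.com"},
     "requestParams": {"scope": "prod-db"}},
    {"timestamp": "2026-03-20T10:00:00+00:00", "serviceName": "secrets",
     "actionName": "getSecret", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"email": "svc-scanner@example.com"},
     "requestParams": {"scope": "prod-db", "key": "old-key"}},
]


def is_external(ip):
    """True when the source IP is outside every configured internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable or missing source: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETWORKS)


def rule(event):
    """Fire on a secrets getSecret audit event originating from an external IP."""
    return (event.get("serviceName") == "secrets"
            and event.get("actionName") == "getSecret"
            and is_external(event.get("sourceIPAddress", "")))


def severity(event):
    return "HIGH" if rule(event) else "INFO"


def _same_actor(event, trigger):
    return (event["userIdentity"]["email"] == trigger["userIdentity"]["email"]
            or event["sourceIPAddress"] == trigger["sourceIPAddress"])


def correlate(events, trigger, hours=24):
    """Other secrets-service events by the same user or IP within +/- hours of the trigger."""
    t0 = datetime.fromisoformat(trigger["timestamp"])
    window = timedelta(hours=hours)
    return [e for e in events
            if e is not trigger and e.get("serviceName") == "secrets"
            and _same_actor(e, trigger)
            and abs(datetime.fromisoformat(e["timestamp"]) - t0) <= window]


def prior_secret_access(events, trigger, days=7):
    """Secret-access events by the same user or IP in the `days` before the trigger."""
    t0 = datetime.fromisoformat(trigger["timestamp"])
    start = t0 - timedelta(days=days)
    return [e for e in events
            if e is not trigger and e.get("serviceName") == "secrets"
            and _same_actor(e, trigger)
            and start <= datetime.fromisoformat(e["timestamp"]) < t0]


def run(events):
    """Evaluate the rule over a batch of events and attach triage context to each alert."""
    alerts = []
    for e in events:
        if rule(e):
            alerts.append({
                "severity": severity(e),
                "user": e["userIdentity"]["email"],
                "sourceIP": e["sourceIPAddress"],
                "secret": e.get("requestParams", {}),
                "related_24h": len(correlate(events, e)),
                "prior_7d": len(prior_secret_access(events, e)),
            })
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the per-event rule would run in the log pipeline and the two correlation helpers would be issued as queries against the audit-log store at triage time; the 24-hour window is symmetric around the trigger, while the 7-day lookback only considers earlier events.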
Categories
- Cloud
Data Sources
- Application Log
- Network Traffic
ATT&CK Techniques
- T1552
- T1213
Created: 2026-04-01