
Summary
Detects repeated secret access in Databricks audit logs to identify potential credential harvesting or secret enumeration. The rule monitors Databricks.Audit events, focusing on the secrets service (e.g., action getSecret) and the typical requestParams scope and key. If an actor triggers 10 or more secret retrievals within a 60-minute window (Threshold: 10, DedupPeriodMinutes: 60), the rule fires at Medium severity and is labeled Experimental. The rule aligns with MITRE ATT&CK technique T1555 (Credentials from Password Stores), under subtechniques related to credential access. The Runbook recommends: (1) querying secret access by the user over the past 24 hours to identify patterns, (2) checking whether the accessed secrets were used in API calls or notebook executions within the following 6 hours to establish intent, and (3) computing secret access rates across the past 7 days to establish a baseline. The Tests cover both an expected positive case (a user retrieving secrets) and a negative case (a system account retrieving secrets), illustrating the practical alert conditions. Overall, the rule serves as an early warning for potential credential leakage or improper secret enumeration in Databricks environments, particularly in cloud-based workspaces where secret scopes (e.g., production-keys) may be misused or exfiltrated.
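The detection logic described above, written out as an added example rather than the rule's own code: a Panther-style rule() and title() for a single Databricks.Audit event, a sliding-window aggregator that applies the Threshold of 10 within the 60-minute dedup period, and a helper for Runbook step (1). The audit field names (serviceName, actionName, requestParams, userIdentity.email), the "System-User" principal used for the negative case, and all sample events are assumptions constructed here, not values taken from the rule.

```python
"""Added example: repeated Databricks secret access detection (not the page's rule code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                         # page: Threshold 10
DEDUP_PERIOD = timedelta(minutes=60)   # page: DedupPeriodMinutes 60

# Assumed audit-log values for the secrets service and the read action.
SECRET_SERVICE = "secrets"
SECRET_ACTIONS = {"getSecret"}
# Assumed identity of the non-human principal excluded by the negative test; tune per workspace.
SYSTEM_ACCOUNTS = {"System-User"}


def actor_of(event):
    return event.get("userIdentity", {}).get("email", "<unknown>")


def rule(event):
    """Per-event match in the shape of a Panther Python rule (assumed field names)."""
    if event.get("serviceName") != SECRET_SERVICE:
        return False
    if event.get("actionName") not in SECRET_ACTIONS:
        return False
    return actor_of(event) not in SYSTEM_ACCOUNTS


def title(event):
    params = event.get("requestParams", {})
    return (f"Repeated Databricks secret access by {actor_of(event)} "
            f"(scope={params.get('scope')}, key={params.get('key')})")


class SecretAccessMonitor:
    """Alert once when an actor matches THRESHOLD times inside DEDUP_PERIOD, then suppress."""

    def __init__(self):
        self._hits = defaultdict(deque)   # actor -> timestamps of matching events
        self._last_alert = {}             # actor -> time of the last alert

    def observe(self, event):
        if not rule(event):
            return None
        actor = actor_of(event)
        ts = datetime.fromisoformat(event["timestamp"])
        window = self._hits[actor]
        window.append(ts)
        while ts - window[0] > DEDUP_PERIOD:   # drop hits older than the window
            window.popleft()
        if len(window) < THRESHOLD:
            return None
        last = self._last_alert.get(actor)
        if last is not None and ts - last < DEDUP_PERIOD:
            return None                          # deduplicated
        self._last_alert[actor] = ts
        return {"actor": actor, "count": len(window), "severity": "Medium",
                "title": title(event)}


def run(events):
    """Replay events in time order and collect the alerts the rule would raise."""
    monitor = SecretAccessMonitor()
    alerts = []
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"])):
        alert = monitor.observe(event)
        if alert:
            alerts.append(alert)
    return alerts


def access_summary(events, actor, end, hours=24):
    """Runbook step (1): which scope/key pairs the actor read in the trailing window."""
    start = end - timedelta(hours=hours)
    counts = defaultdict(int)
    for event in events:
        if not rule(event) or actor_of(event) != actor:
            continue
        ts = datetime.fromisoformat(event["timestamp"])
        if start <= ts <= end:
            params = event.get("requestParams", {})
            counts[(params.get("scope"), params.get("key"))] += 1
    return dict(counts)


def make_event(ts, email, scope, key):
    """Constructed sample event in the assumed Databricks.Audit shape."""
    return {"timestamp": ts.isoformat(), "serviceName": "secrets", "actionName": "getSecret",
            "userIdentity": {"email": email}, "requestParams": {"scope": scope, "key": key}}


def sample_events():
    base = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    keys = ["db-password", "api-token", "storage-key"]
    events = []
    for i in range(12):    # 12 reads in 55 minutes by one user: fires at the 10th, then dedups
        events.append(make_event(base + timedelta(minutes=5 * i), "analyst@example.com",
                                 "production-keys", keys[i % 3]))
    for i in range(15):    # 15 reads by the system account: excluded (negative case)
        events.append(make_event(base + timedelta(minutes=3 * i), "System-User",
                                 "production-keys", "api-token"))
    for i in range(3):     # 3 reads by another user: below threshold
        events.append(make_event(base + timedelta(minutes=20 * i), "dev@example.com",
                                 "dev-keys", "api-token"))
    return events


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

Replaying the constructed events yields exactly one Medium alert, for the analyst at the tenth retrieval; the eleventh and twelfth reads fall inside the dedup period and are suppressed, the system account never matches rule(), and the third user stays under the threshold.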
Categories
- Cloud
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1555
Created: 2026-04-01