Databricks Install Library on All Clusters

Panther Rules

Summary
This rule detects usage of the deprecated Databricks installLibraryOnAllClusters action by auditing Databricks audit logs. Installing a library on all clusters across a workspace is high-risk because it propagates potentially unreviewed libraries to every cluster, increasing the blast radius and the chance of supply-chain risk or compromised code. The rule triggers when an audit log event shows serviceName 'clusters' and actionName 'installLibraryOnAllClusters'. It captures details such as workspaceId, the userIdentity (email), sourceIPAddress, and requestParams (library coordinates for pypi or maven).

It then correlates with notebook or job execution within the 24 hours following installation and aggregates installations by the same user over the past 30 days to identify patterns. The Runbook outlines querying audit logs for installation details, validating any post-install usage, and scanning for repeat installations by the same actor.

The rule is tied to MITRE ATT&CK techniques TA0002:T1203 and TA0003:T1543, indicating potential privilege escalation and manipulation/creation of system processes through broad library deployment. Tests demonstrate positive and negative cases: a positive test where a suspicious PyPI package is installed on all clusters, a positive test for a Maven library installation, a negative test for a normal per-cluster install, and a negative test for an uninstall action. The rule’s severity is Medium and it is associated with Databricks, Execution, and Persistence context, with a reference to external queries/alerts for implementation.
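The detection logic and the runbook's repeat-actor check, as an added Panther-style example written for this page (not Panther's published rule). It assumes the Databricks audit-log field names the summary lists; the nested requestParams layout, the timestamp key, and the sample events are constructed.

```python
# Added example for this page, not Panther's published rule: a Panther-style
# Python detection for installLibraryOnAllClusters plus the runbook's
# 30-day repeat-actor check. Field names follow the Databricks audit-log keys
# the summary lists; the requestParams layout and timestamp key are assumed.
from datetime import datetime, timedelta

DEPRECATED_ACTION = "installLibraryOnAllClusters"
REPEAT_WINDOW = timedelta(days=30)

# Constructed sample events (not real audit data): one workspace-wide
# PyPI install and one ordinary per-cluster install by the same user.
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-20T10:00:00", "serviceName": "clusters",
     "actionName": DEPRECATED_ACTION, "workspaceId": "1234",
     "userIdentity": {"email": "dev@example.com"},
     "sourceIPAddress": "203.0.113.5",
     "requestParams": {"pypi": {"package": "some-unreviewed-pkg"}}},
    {"timestamp": "2026-03-28T09:30:00", "serviceName": "clusters",
     "actionName": "installLibrary", "workspaceId": "1234",
     "userIdentity": {"email": "dev@example.com"},
     "requestParams": {"cluster_id": "0001-abcd"}},
]

def _email(event):
    return (event.get("userIdentity") or {}).get("email", "<unknown>")

def rule(event):
    # Fire only on the deprecated workspace-wide install; per-cluster
    # installs and uninstalls fall through as non-matches.
    return (event.get("serviceName") == "clusters"
            and event.get("actionName") == DEPRECATED_ACTION)

def library_coordinate(event):
    # PyPI installs carry a package name, Maven installs a coordinate string.
    params = event.get("requestParams") or {}
    lib = params.get("pypi") or params.get("maven") or {}
    return lib.get("package") or lib.get("coordinates") or "<unknown>"

def title(event):
    return (f"Library installed on all clusters in workspace "
            f"{event.get('workspaceId')} by {_email(event)} from "
            f"{event.get('sourceIPAddress')}: {library_coordinate(event)}")

def repeat_installs(events, actor_email, now_iso):
    # Runbook step: count matching installs by the same actor in the
    # 30 days before now_iso to surface a pattern of repeat deployments.
    since = datetime.fromisoformat(now_iso) - REPEAT_WINDOW
    return sum(1 for e in events if rule(e) and _email(e) == actor_email
               and datetime.fromisoformat(e["timestamp"]) >= since)
```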
Categories
  • Cloud
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1203
  • T1543
Created: 2026-04-01