
Summary
Detects repeated unauthorized Unity Catalog API calls from a single user (e.g., 401/403 responses to getCatalog or getSchema) that exceed the configured threshold within a 60-minute dedup window. The rule analyzes Databricks Unity Catalog audit logs (Databricks.Audit), counts unauthorized attempts per actor, and flags an actor whose rate surpasses the threshold (26 events/hour). It is intended to surface reconnaissance, privilege enumeration, or unauthorized data access attempts against Unity Catalog resources such as catalogs, schemas, or tables. Calls to unrelated Databricks services (e.g., workspace) are excluded so that legitimate activity outside Unity Catalog does not contribute to the count.

The Runbook guides the analyst through querying the audit logs for the actor's unauthorized attempts over the last 24 hours, examining per-resource access patterns, and identifying any other users with a high unauthorized-call rate over the past 7 days.

MITRE ATT&CK mapping: T1087 (Account Discovery).
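The counting logic described above, as an added illustration rather than the rule's own code: a per-event filter (Unity Catalog service, 401/403 response) and a per-actor sliding 60-minute count that flags anyone exceeding 26 matching events. Field names follow the Databricks audit log schema (serviceName, actionName, userIdentity.email, response.statusCode); the sample events are constructed, not real log data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

UNAUTHORIZED = {401, 403}
THRESHOLD = 26                 # matching events per actor within the window
WINDOW = timedelta(minutes=60) # dedup window from the rule description


def is_unauthorized_uc_call(event):
    """Single-event filter: a Unity Catalog API call that was rejected."""
    if event.get("serviceName") != "unityCatalog":
        return False  # other services (e.g. workspace) are excluded
    return event.get("response", {}).get("statusCode") in UNAUTHORIZED


def actor(event):
    """Dedup key: the calling user's email (<unknown> if absent)."""
    return event.get("userIdentity", {}).get("email", "<unknown>")


def actors_over_threshold(events, threshold=THRESHOLD, window=WINDOW):
    """Return {actor: peak count} for actors whose unauthorized Unity
    Catalog calls strictly exceed `threshold` inside any `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_unauthorized_uc_call(ev):
            by_actor[actor(ev)].append(datetime.fromisoformat(ev["timestamp"]))
    flagged = {}
    for who, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[who] = max(flagged.get(who, 0), count)
    return flagged


def sample_events():
    """Constructed sample events (hypothetical users, not real audit data)."""
    base = datetime(2026, 4, 1, 9, 0, 0)

    def ev(email, minutes, status, service="unityCatalog", action="getCatalog"):
        return {"timestamp": (base + timedelta(minutes=minutes)).isoformat(),
                "serviceName": service, "actionName": action,
                "userIdentity": {"email": email},
                "response": {"statusCode": status}}

    events = [ev("alice@example.com", m, 403) for m in range(27)]            # 27 in 27 min
    events += [ev("bob@example.com", m * 7, 401) for m in range(27)]          # 27 over 3 h
    events += [ev("carol@example.com", m, 403, service="workspace") for m in range(30)]
    events += [ev("dave@example.com", m, 200) for m in range(40)]             # authorized
    return events
```

Only alice is flagged: bob's 27 failures are spread over three hours and never exceed 26 in one window, carol's failures are against the workspace service, and dave's calls succeeded.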
Categories
- Cloud
- Database
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1087
Created: 2026-04-01