Remediation

From Azure Portal

Enable diagnostic logging for Azure Databricks

1. Navigate to your Azure Databricks workspace.

2. In the left-hand menu, select Monitoring > Diagnostic settings.

3. Click + Add diagnostic setting.

4. Under Category details, select the log categories you wish to capture, such as AuditLogs, Clusters, Notebooks, and Jobs.

5. Choose a destination for the logs:

   • Log Analytics workspace: For advanced querying and monitoring.
   • Storage account: For long-term retention.
   • Event Hub: For integration with third-party systems.

6. Provide a Name for the diagnostic setting.

7. Click Save.

Implement log retention policies

1. Navigate to your Log Analytics workspace.
2. Under General, select Usage and estimated costs.
3. Click Data Retention.
4. Adjust the retention period slider to the desired number of days (up to 730 days).
5. Click OK.

Monitor logs for anomalies

1. Navigate to Azure Monitor.
2. Select Alerts > + New alert rule.
3. Under Scope, specify the Databricks resource.
4. Define Condition based on log queries that identify anomalies (e.g. unauthorized access attempts).
5. Configure Actions to notify stakeholders or trigger automated responses.
6. Provide an Alert rule name and description.
7. Click Create alert rule.

From Azure CLI

Enable diagnostic logging for Azure Databricks:

az monitor diagnostic-settings create --name "DatabricksLogging" --resource <databricks-resource-id> --logs '[{"category": "AuditLogs", "enabled": true}, {"category": "Clusters", "enabled": true}, {"category": "Notebooks", "enabled": true}, {"category": "Jobs", "enabled": true}]' --workspace <log-analytics-id>

Implement log retention policies:

az monitor log-analytics workspace update --resource-group <resource-group> --name <log-analytics-name> --retention-time 365

Monitor logs for anomalies:

az monitor activity-log alert create --name "DatabricksAnomalyAlert" --resource-group <resource-group> --scopes <databricks-resource-id> --condition "contains 'UnauthorizedAccess'"