Enhanced security monitoring

This article describes the enhanced security monitoring feature and how to configure it on your Databricks workspace or account.

Enhanced security monitoring overview

Databricks enhanced security monitoring provides an enhanced hardened disk image and additional security monitoring agents that generate log rows that you can review using audit logs.

The security enhancements apply only to compute resources in the classic compute plane, such as clusters and non-serverless SQL warehouses.

Serverless compute plane resources, such as serverless SQL warehouses, do not have extra monitoring when enhanced security monitoring is enabled.

Enhanced security monitoring includes:

• An enhanced hardened operating system image based on Ubuntu Advantage.

  Ubuntu Advantage is a package of enterprise security and support for open source infrastructure and applications that includes the following:

  • A CIS Level 1 hardened image.
  • FIPS 140 validated encryption modules.

• Antivirus and file integrity monitoring agents that generate logs that you can review.

Monitoring agents in Databricks compute plane images

While enhanced security monitoring enabled, there are additional security monitoring agents, including two agents that are pre-installed in the enhanced compute plane image. You cannot disable the monitoring agents that are in the enhanced compute plane disk image.

Monitoring agent	Location	Description	How to get output
File integrity monitoring	Enhanced compute plane image	Monitors for file integrity and security boundary violations. This monitor agent runs on the worker VM in your cluster.	Enable the audit log system table and review logs for new rows.
Antivirus and malware detection	Enhanced compute plane image	Scans the filesystem for viruses daily. This monitor agent runs on the VMs in your compute resources such as clusters and pro or classic SQL warehouses. The antivirus and malware detection agent scans the entire host OS filesystem and the Databricks Runtime container filesystem. Anything outside the cluster VMs is outside of its scanning scope.	Enable the audit log system table and review logs for new rows.
Vulnerability scanning	Scanning happens in representative images in the Databricks environments.	Scans the container host (VM) for certain known vulnerabilities and Common Vulnerabilities and Exposures (CVEs).	Emailed to Databricks workspace admins.

To get the latest versions of monitoring agents, you can restart your clusters. If your workspace uses automatic cluster update, by default clusters restart if needed during the scheduled maintenance windows. If the compliance security profile is enabled on a workspace, automatic cluster update is permanently enabled on that workspace.

File integrity monitoring

The enhanced compute plane image includes a file integrity monitoring service that provides runtime visibility and threat detection for compute resources (cluster workers) in the classic compute plane in your workspace.

The file integrity monitor output is generated within your audit logs, which you can access with system tables. See Monitor account activity with system tables. For the JSON schema for new auditable events that are specific to file integrity monitoring, see File integrity monitoring events.

important

It is your responsibility to review these logs. Databricks may, in its sole discretion, review these logs but does not make a commitment to do so. If the agent detects a malicious activity, it is your responsibility to triage these events and open a support ticket with Databricks if the resolution or remediation requires an action by Databricks. Databricks may take action on the basis of these logs, including suspending or terminating the resources, but does not make any commitment to do so.

Antivirus and malware detection

The enhanced compute plane image includes an antivirus engine for detecting trojans, viruses, malware, and other malicious threats. The antivirus monitor scans the entire host OS filesystem and the Databricks Runtime container filesystem. Anything outside the cluster VMs is outside of its scanning scope.

The antivirus monitor output is generated within audit logs, which you can access with system tables. For the JSON schema for new auditable events that are specific to antivirus monitoring, see Antivirus monitoring events.

When a new virtual machine image is built, updated signature files are included within it.

important

It is your responsibility to review these logs. Databricks may, in its sole discretion, review these logs but does not make a commitment to do so. If the agent detects a malicious activity, it is your responsibility to triage these events and open a support ticket with Databricks if the resolution or remediation requires an action by Databricks. Databricks may take action on the basis of these logs, including suspending or terminating the resources, but does not make any commitment to do so.

When a new AMI image is built, updated signature files are included within the new AMI image.

Vulnerability scanning

A vulnerability monitor agent performs vulnerability scans of the container host (VM) for certain known CVEs. The scanning happens in representative images in the Databricks environments. Vulnerability scan reports are emailed to all workspace admins when Databricks releases new AMI disk images.

When vulnerabilities are found with this agent, Databricks tracks them against its Vulnerability Management SLA and releases an updated image when available.

Management and upgrade of monitoring agents

The additional monitoring agents that are on the disk images used for the compute resources in the classic compute plane are part of the standard Databricks process for upgrading systems:

• The classic compute plane base disk image (AMI) is owned, managed, and patched by Databricks.
• Databricks delivers and applies security patches by releasing new AMI disk images. The delivery schedule depends on new functionality and the SLA for discovered vulnerabilities. Typical delivery is every two to four weeks.
• The base operating system for the compute plane is Ubuntu Advantage.
• Databricks clusters and pro or classic SQL warehouses are ephemeral by default. Upon launch, clusters and pro or classic SQL warehouses use the latest available base image. Older versions that may have security vulnerabilities are unavailable for new clusters.
  • You are responsible for restarting clusters (using the UI or API) regularly to ensure they use the latest patched host VM images.

Monitor agent termination

If a monitor agent on the worker VM is found to be not running due to crash or other termination, the system will attempt to restart the agent.

Data retention policy for monitor agent data

If you configured audit log delivery, monitoring logs are sent to the audit log system table or your audit log delivery bucket. Retention, ingestion, and analysis of these logs is your responsibility.

Vulnerability scanning reports and logs are retained for at least one year by Databricks.

Enable Databricks enhanced security monitoring

• Your Databricks workspace must be on the Enterprise pricing tier.
• Your Databricks account must include the Enhanced Security and Compliance add-on. For details, see the pricing page.

To enable the enhanced security monitoring directly on a workspace, see Enable enhanced security and compliance features on an existing workspace.

You can also set an account-level default for new workspaces to enable enhanced security monitoring initially. Alternatively, you can set an account-level default to enable the compliance security profile, which automatically enables enhanced security monitoring. See Set account-level defaults for all new workspaces.

Updates may take up to six hours to propagate to all environments and to downstream systems like billing. Workloads that are actively running continue with the settings that were active at the time of starting the cluster or other compute resource, and new settings will start applying the next time these workloads are started.