Enhanced security monitoring

This article describes the enhanced security monitoring feature and how to configure it on your Azure Databricks workspace or account.

If you enable this feature, you are be charged for the Enhanced Security and Compliance add-on as described on the pricing page.

Enhanced security monitoring overview

Azure Databricks enhanced security monitoring provides an enhanced hardened disk image and additional security monitoring agents that generate log rows that you can review using diagnostic logs.

The security enhancements apply only to compute resources in the classic compute plane, such as clusters and non-serverless SQL warehouses.

Serverless compute plane resources, such as serverless SQL warehouses, do not have extra monitoring when enhanced security monitoring is enabled.

Note

Most Azure instance types are supported, but generation 2 (Gen2) and Arm64-based virtual machines are unsupported. Azure Databricks does not allow starting compute with those instance types when enhanced security monitoring is enabled.

Enhanced security monitoring includes:

  • An enhanced hardened operating system image based on Ubuntu Advantage.

    Ubuntu Advantage is a package of enterprise security and support for open source infrastructure and applications that includes a CIS Level 1 hardened image.

  • Antivirus monitoring agent that generate logs that you can review.

  • File integrity monitoring agent that generate logs that you can review.

Monitoring agents in Azure Databricks compute plane images

While enhanced security monitoring enabled, there are additional security monitoring agents, including two agents that are pre-installed in the enhanced compute plane image. You cannot disable the monitoring agents that are in the enhanced compute plane disk image.

Monitoring agent Location Description How to get output
File integrity monitoring Enhanced compute plane image Monitors for file integrity and security boundary violations. This monitor agent runs on the worker VM in your cluster. Enable the audit log system table and review logs for new rows.
Antivirus and malware detection Enhanced compute plane image Scans the filesystem for viruses daily. This monitor agent runs on the VMs in your compute resources such as clusters and pro or classic SQL warehouses. The antivirus and malware detection agent scans the entire host OS filesystem and the Databricks Runtime container filesystem. Anything outside the cluster VMs is outside of its scanning scope. Enable the audit log system table and review logs for new rows.
Vulnerability scanning Scanning happens in representative images in the Azure Databricks environments. Scans the container host (VM) for certain known vulnerabilities and Common Vulnerabilities and Exposures (CVEs). Emailed to Azure Databricks workspace admins.

To get the latest versions of monitoring agents, you can restart your clusters. If your workspace uses automatic cluster update, by default clusters restart if needed during the scheduled maintenance windows. If the compliance security profile is enabled on a workspace, automatic cluster update is permanently enabled on that workspace.

File integrity monitoring

The enhanced compute plane image includes a file integrity monitoring service that provides runtime visibility and threat detection for compute resources (cluster workers) in the classic compute plane in your workspace.

The file integrity monitor output is generated within your audit logs, which you can access with system tables. See Monitor account activity with system tables. For the JSON schema for new auditable events that are specific to file integrity monitoring, see File integrity monitoring events.

Important

It is your responsibility to review these logs. Databricks may, in its sole discretion, review these logs but does not make a commitment to do so. If the agent detects a malicious activity, it is your responsibility to triage these events and open a support ticket with Databricks if the resolution or remediation requires an action by Databricks. Databricks may take action on the basis of these logs, including suspending or terminating the resources, but does not make any commitment to do so.

Antivirus and malware detection

The enhanced compute plane image includes an antivirus engine for detecting trojans, viruses, malware, and other malicious threats. The antivirus monitor scans the entire host OS filesystem and the Databricks Runtime container filesystem. Anything outside the cluster VMs is outside of its scanning scope.

The antivirus monitor output is generated within audit logs, which you can access with system tables. For the JSON schema for new auditable events that are specific to antivirus monitoring, see Antivirus monitoring events.

When a new virtual machine image is built, updated signature files are included within it.

Important

It is your responsibility to review these logs. Databricks may, in its sole discretion, review these logs but does not make a commitment to do so. If the agent detects a malicious activity, it is your responsibility to triage these events and open a support ticket with Databricks if the resolution or remediation requires an action by Databricks. Databricks may take action on the basis of these logs, including suspending or terminating the resources, but does not make any commitment to do so.

When a new AMI image is built, updated signature files are included within the new AMI image.

Vulnerability scanning

A vulnerability monitor agent performs vulnerability scans of the container host (VM) for certain known CVEs. The scanning happens in representative images in the Azure Databricks environments. Vulnerability scan reports are emailed to all workspace admins when Azure Databricks releases new AMI disk images.

When vulnerabilities are found with this agent, Databricks tracks them against its Vulnerability Management SLA and releases an updated image when available.

Management and upgrade of monitoring agents

The additional monitoring agents that are on the disk images used for the compute resources in the classic compute plane are part of the standard Azure Databricks process for upgrading systems:

  • The classic compute plane base disk image (AMI) is owned, managed, and patched by Databricks.
  • Databricks delivers and applies security patches by releasing new AMI disk images. The delivery schedule depends on new functionality and the SLA for discovered vulnerabilities. Typical delivery is every two to four weeks.
  • The base operating system for the compute plane is Ubuntu Advantage.
  • Azure Databricks clusters and pro or classic SQL warehouses are ephemeral by default. Upon launch, clusters and pro or classic SQL warehouses use the latest available base image. Older versions that may have security vulnerabilities are unavailable for new clusters.
    • You are responsible for restarting clusters (using the UI or API) regularly to ensure they use the latest patched host VM images.

Monitor agent termination

If a monitor agent on the worker VM is found to be not running due to crash or other termination, the system will attempt to restart the agent.

Data retention policy for monitor agent data

Monitoring logs are sent to the audit log system table your own storage in your Azure subscription if you configured diagnostic logs. Retention, ingestion, and analysis of these logs is your responsibility.

Vulnerability scanning reports and logs are retained for at least one year by Databricks.

Enable Azure Databricks enhanced security monitoring

  • Your Azure Databricks workspace must be on the Premium plan.

To enable enhanced security monitoring on a workspace, see Enable enhanced security and compliance features using the Azure portal.

Updates may take up to six hours to propagate to all environments and to downstream systems like billing. Workloads that are actively running continue with the settings that were active at the time of starting the cluster or other compute resource, and new settings will start applying the next time these workloads are started.