FAQ
Welcome to the SAT Frequently Asked Questions.
SAT Deployment and Support
The Security Assessment Tool (SAT) is not officially supported by Databricks. It is provided as-is under the Databricks License, with no guarantees or Service Level Agreements (SLAs). Please do not open support tickets for issues related to SAT. Instead, report any problems or feature requests by creating a GitHub Issue on the project's repository. Issues will be reviewed as time permits. All third-party libraries referenced are subject to their respective licenses.
Currently, SAT is a self-service tool which is developed and maintained by the Databricks field team. If you encounter any issues, please contact your Databricks account team and submit a GitHub issue on the project's repository.
SAT needs to be deployed in one of your Databricks workspaces and run as a workflow. You can trigger the SAT installation process from any machine (preferably Linux) where the Databricks CLI and the other prerequisites are installed and configured.
SAT is frequently updated and the latest versions are made available in the official GitHub repository. SAT deployments do not update automatically. To upgrade or update SAT deployments in your environment, you will need to perform the update manually. This is a deliberate design decision, so that customers have full control over the upgrade process of SAT.
SAT is meant to be a read-only analysis tool - it does not make changes to your workspace or account configurations.
There are diagnostic notebooks available to help you verify if your SAT setup has the necessary configurations, permissions, and network paths to run the REST API calls. Please use "Workspace → Applications → SAT/TF → Files → Notebooks → Diagnosis" to find the appropriate notebook for your cloud provider.
If the service principal configured for SAT has access to any workspaces in the account or subscription, SAT will automatically collect data from those workspaces. To include or exclude workspaces, simply add or remove the service principal from the desired workspaces and rerun the initialization job to update SAT's workspace list.
To stop assessing a workspace, you can re-run the initializer. This will mark the workspace connection test as failed, and it will no longer be included in future assessments. Alternatively, you can run the removal step to manually remove the workspace from SAT.
It is likely that the dashboard cached the workspaces in the pull-down. Go to the SQL view of your workspace → Queries, find the workspace_ids query, and run it. This should refresh the cache, and the new workspaces should then appear in the pull-down.
A single SAT deployment in AWS can monitor all workspaces within the same AWS account. Similarly, a single SAT deployment in Azure can monitor all workspaces within the same Azure subscription. Monitoring workspaces across multiple cloud platforms with a single SAT deployment is currently not supported.
A single SAT deployment in AWS can monitor all workspaces — regardless of region — within the same AWS account. Similarly, a single SAT deployment in Azure can monitor all workspaces across any region within the same Azure subscription.
This is not currently supported. SAT is a security monitoring tool designed specifically for Databricks workspaces. However, you can use the provided export notebook to extract SAT results, which may be used with other tools as needed.
SAT is compatible with AWS GovCloud for the Civilian Shard. DoD Shard compatibility will be coming soon.
SAT Checks
We are continuously improving SAT, with most checks aligned to security best practices. However, not all recommendations are included — some are cloud-specific, and others cannot be automated due to the lack of supporting REST APIs.
The severity levels in the SAT report reflect our general assessment of the potential impact of each check, helping most customers prioritize remediation—starting with those marked as High severity. However, individual organizations should evaluate the relevance of each finding and adjust prioritization based on their specific security requirements.
Yes, this is possible. To modify the security best practices checked by SAT, follow this optional step: navigate to Workspace → Applications → SAT/TF → Files → Notebooks → Setup → 7. update_sat_check_configuration. Use this notebook to enable or disable checks, and to adjust evaluation and alert configuration values. You can update this configuration at any time, and all subsequent analyses will reflect your changes.
SAT Reports
Please review the SAT report with your business stakeholders, administrators, security team and auditors. Assess your organizational security requirements carefully before making changes based on the report - not all deviations require mitigation. Some recommendations may have cost implications, and some of the security recommendations may have dependency limitations. Always thoroughly review the associated feature documentation before modifying your security configurations.
A few checks rely on self-assessment because there are no REST APIs to check them automatically. Please go to "Workspace → Applications → SAT → Files → self_assessment_checks.yaml" and set the 'enabled' value of each listed manual check to either true or false so that it reflects your environment. SAT will automatically check the rest of the configurations. Rerun the SAT jobs.