Obsidian Security is a Proud Partner of Databricks’ New Lakewatch Ecosystem

Published on March 24, 2026 | Updated on March 24, 2026

Stephanie Lee

This morning, Databricks announced Lakewatch, their new, open agentic SIEM, available in Private Preview. Built directly on the Lakehouse, Lakewatch brings AI-powered detection, investigation, and response to the same environment where enterprise data already lives. For security teams already operating in Databricks, it's a significant shift in what's possible.

What makes an agentic SIEM exceptional is the quality of data behind it. Obsidian bolsters Lakewatch with the best possible view of your SaaS and AI application security.

Because Obsidian's entire data pipeline runs natively on Databricks and is integrated via Delta Sharing, Obsidian's normalized SaaS and AI app telemetry flows directly into Lakewatch without any additional configuration. Identity posture signals, OAuth risk, non-human identity activity, and agentic behavior — all of it available in Lakewatch from day one. The result is an AI SIEM that sees inside your SaaS layer, not just around it.

Obsidian is named in today's Databricks launch PR as a founding member of the Open Security Lakehouse Ecosystem, one of a select group of security vendors whose data is natively available in Lakewatch from day one. Read on for a breakdown of how the integration works, what data it surfaces, and what security teams can accomplish with it.

What is Delta Sharing?

Delta Sharing is an open-source protocol that enables teams to access live data across platforms without copying or exporting it. Rather than moving data between systems, recipients authenticate via secure credentials — either a bearer token or identity-provider federation — to query shared data directly from the source. This eliminates ingress/egress costs and removes the data duplication risks that typically accompany cross-platform pipelines. Built-in controls including fine-grained access permissions, governed sharing, and full audit trails ensure that access is both fast and accountable.

The architectural advantage of being built on Databricks

Most vendor integrations connect finished products after the fact. Obsidian's data pipeline — from ingestion and normalization through analytics and modeling — runs natively on the Databricks Lakehouse. Delta Sharing exposes Obsidian's normalized security dataset directly into your workspace with no translation layer and no time lag, so security teams can surface and act on anomalies the moment they arise.

Query all your Lakehouse and Obsidian insights using Lakewatch

Lakewatch is where this comes together operationally. Security teams can enrich Lakewatch's native detections with Obsidian's SaaS and AI app telemetry — identity posture signals, OAuth risk, non-human identity activity, agentic behavior — correlated against the cloud, endpoint, and IdP data already in the Lakehouse. The result is an agentic SIEM that sees inside your SaaS layer, not just around it.

Immediate data value and use cases

Obsidian’s data arrives fully normalized and pre-correlated in your Databricks environment, ready to be queried. These datasets include:

Your team can immediately run queries, join with internal data from other security tools, build dashboards, or train ML models — all with minimal manual overhead. The result is a data foundation that security, compliance, and data science teams can put to work immediately. 

Here are the use cases it unlocks:

1. Advanced Threat Hunting

Legacy SIEMs struggle with the questions that matter most in modern SaaS environments: Which OAuth tokens are being misused? Where is lateral movement occurring across SaaS-to-SaaS integrations? Which non-human identities are behaving anomalously? With Obsidian's data in Databricks, analysts can join app signals with cloud logs, endpoint and XDR telemetry, IdP data, and SIEM feeds already in the Lakehouse, answering those questions at scale, on fresh data, without waiting for imports.

2. Continuous Compliance and Audit Evidence

Regulated organizations can't rely on point-in-time screenshots or manual exports to satisfy auditors. With Obsidian's posture and audit log tables queryable directly in Databricks, compliance teams can generate continuous, queryable control evidence — proving who had access to what, what policies were in effect on a given date, and how posture has trended over time.

This is the shift from reactive audit prep to always-on compliance operations.

3. Faster Incident Response

When a SaaS-related incident occurs, speed matters. Having Obsidian's detailed activity logs and threat signals already in Databricks means responders can pivot immediately: pulling correlated data across SaaS artifacts, identity events, and other Lakehouse sources without requesting exports from separate vendor portals or waiting for data to be provisioned.

4. AI Agent Governance

As organizations deploy LLMs, agentic workflows, and AI-driven automations, the risk surface expands well beyond human users. Obsidian's non-human identity (NHI) framing gives teams visibility into which AI agents exist, what they can access, and how they're behaving — all surfaced via Delta Sharing directly into the Databricks environment where AI teams are already working.

5. ML-Driven Detection Engineering

With Obsidian's normalized historical SaaS and AI activity available in Databricks, data science and security engineering teams can build anomaly detection models, train classifiers on behavioral baselines, or apply their own ML and LLM tooling directly to the dataset. No data replication into a separate environment and no extra manual work are needed.

Better together: Delta Sharing with Obsidian

Modern breaches don't wait. In an environment where SaaS sprawl, non-human identities, and agentic AI are expanding the attack surface faster than teams can track, the difference between detection and breach often comes down to data access: how fast, how complete, and how actionable.

By combining Obsidian's normalized SaaS and AI app context with the analytics power of Databricks, security teams get a unified, always-fresh view of their environment without the overhead of pipelines, exports, or duplicated storage. The data is already there. The queries are already possible. The only thing that changes is how quickly your team can act. 

Eliminated friction means governed, queryable SaaS intelligence — delivered where your team already works. No ETL to maintain. No stale exports to reconcile. No duplicated storage costs. Just an easy connection.

Explore our integration on the Databricks Marketplace, or reach out to the Obsidian team to see it in action.
