
Databricks Workspace-Level Configuration Changes

Panther Rules

Summary
Detects changes to Databricks workspace-level configuration by inspecting Databricks audit logs for actions that modify workspace settings (for example, workspace configuration edits and updates to workspace settings). The rule is scoped to changes that affect a single workspace, such as cluster configurations, notebook settings and workspace-specific security controls; account-level changes and actions that do not alter configuration are deliberately excluded. To judge whether a change is significant, the rule correlates it with activity in the 6 hours that follow and compares that activity against a baseline built from the preceding 30 days of history, looking for altered behaviour or activity patterns. It maps to MITRE ATT&CK T1098 (Account Manipulation) under TA0003 (Persistence), because a workspace misconfiguration can give an actor lasting access or expanded capability within that workspace.
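The following is an added, illustrative sketch of the detection logic described above, written in the shape of a Panther Python rule (`rule(event)` and `title(event)`); it is not Panther's actual rule source and is not code from the Databricks or Panther projects. The Databricks audit log field names (`serviceName`, `actionName`, `userIdentity.email`, `workspaceId`), the `workspaceConfEdit` action, the `accounts` service used for account-level events and the sample events are assumptions constructed for the example; the match list would need to be checked against the audit log schema of the Databricks deployment in question.

```python
"""Illustrative Databricks workspace-config-change detection (example code, not Panther's rule)."""
from datetime import datetime, timedelta

# Assumed action names on the Databricks "workspace" audit service that alter
# workspace-level configuration. Extend after checking the deployment's audit schema.
WORKSPACE_CONFIG_ACTIONS = {"workspaceConfEdit"}
BASELINE_WINDOW = timedelta(days=30)   # history used to establish what is normal
FOLLOWUP_WINDOW = timedelta(hours=6)   # activity window correlated with each change


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-28T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor(event):
    """Identity that performed the action (assumed userIdentity.email field)."""
    return event.get("userIdentity", {}).get("email", "unknown")


def is_workspace_config_change(event):
    """True only for workspace-service config actions; account-level and
    non-config actions (cluster creation, notebook runs, ...) are excluded."""
    return (event.get("serviceName") == "workspace"
            and event.get("actionName") in WORKSPACE_CONFIG_ACTIONS)


def rule(event):
    """Panther-style rule entry point: alert when a workspace config changes."""
    return is_workspace_config_change(event)


def title(event):
    """Panther-style alert title."""
    return (f"Databricks workspace configuration changed by {actor(event)} "
            f"in workspace {event.get('workspaceId')}")


def baseline_changes(history, change, window=BASELINE_WINDOW):
    """Count earlier config changes by the same actor in the same workspace
    within the baseline window. Zero means this actor has no history of
    changing this workspace's configuration."""
    when = parse_ts(change["timestamp"])
    return sum(1 for e in history
               if is_workspace_config_change(e)
               and actor(e) == actor(change)
               and e.get("workspaceId") == change.get("workspaceId")
               and when - window <= parse_ts(e["timestamp"]) < when)


def followup_activity(history, change, window=FOLLOWUP_WINDOW):
    """Non-config events in the same workspace in the hours after the change,
    i.e. the behaviour the change may have enabled."""
    when = parse_ts(change["timestamp"])
    return [e for e in history
            if e.get("workspaceId") == change.get("workspaceId")
            and not is_workspace_config_change(e)
            and when < parse_ts(e["timestamp"]) <= when + window]


def assess(history):
    """Run the rule over a history of events and enrich each hit with its
    baseline count and follow-up actions for the analyst."""
    findings = []
    for event in history:
        if not rule(event):
            continue
        findings.append({
            "title": title(event),
            "actor": actor(event),
            "baseline_changes": baseline_changes(history, event),
            "followup_actions": [e["actionName"] for e in followup_activity(history, event)],
        })
    return findings


# Constructed sample audit events (not real log data), ordered by time.
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-01T10:00:00Z", "serviceName": "workspace", "actionName": "workspaceConfEdit",
     "workspaceId": "111", "userIdentity": {"email": "admin@example.com"}},
    # account-level change: outside this rule's scope
    {"timestamp": "2026-03-28T09:00:00Z", "serviceName": "accounts", "actionName": "setAdmin",
     "workspaceId": "0", "userIdentity": {"email": "admin@example.com"}},
    # first-ever config change by this actor, followed by new activity
    {"timestamp": "2026-03-28T12:00:00Z", "serviceName": "workspace", "actionName": "workspaceConfEdit",
     "workspaceId": "111", "userIdentity": {"email": "intruder@example.com"}},
    {"timestamp": "2026-03-28T13:30:00Z", "serviceName": "clusters", "actionName": "create",
     "workspaceId": "111", "userIdentity": {"email": "intruder@example.com"}},
    # 7 hours later: outside the 6-hour follow-up window
    {"timestamp": "2026-03-28T19:00:00Z", "serviceName": "notebook", "actionName": "runCommand",
     "workspaceId": "111", "userIdentity": {"email": "intruder@example.com"}},
    # routine change by an admin who already changed this workspace within 30 days
    {"timestamp": "2026-03-28T12:30:00Z", "serviceName": "workspace", "actionName": "workspaceConfEdit",
     "workspaceId": "111", "userIdentity": {"email": "admin@example.com"}},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_EVENTS):
        print(finding)
```

In the sample, the intruder's change is flagged with a baseline of zero prior changes and a cluster creation inside the 6-hour window, while the admin's change carries a baseline of one earlier change; an analyst would weight the two very differently even though both trigger the same rule.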
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2026-04-01