Databricks Principal Removed From Group

Panther Rules

Summary
Detects when a principal (a user or service principal) is removed from a group in a Databricks account, using the account-level audit log. The rule matches audit events whose action is removePrincipalFromGroup and records the actor identity, the removed principal, and the affected group. Unexpected group removals can indicate credential misuse, an insider stripping access to cover their tracks, or a compromised account being used to weaken another user's permissions, so each match is raised for review. The accompanying runbook is: (1) query the audit logs for all group membership changes made by the same actor in the 24 hours around the event, (2) check whether the removed principal had active sessions or API calls in the preceding hour, and (3) search the past 30 days for similar removals to identify a pattern. The rule is mapped to MITRE ATT&CK tactic TA0003 (Persistence), technique T1098 (Account Manipulation), and ships with unit tests that confirm the detection fires on a valid removal event and stays silent on unrelated actions.
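The following is an added, illustrative Panther-style rule for this detection; it is not the rule's own source code. It runs offline over constructed sample events and follows the Databricks audit log schema (serviceName, actionName, userIdentity.email, requestParams.targetUserName / targetGroupName, response.statusCode, sourceIPAddress, accountId); those field names, the allowlist of automation actors, and the sample values are assumptions to confirm against your own log samples. Beyond what the summary describes, it also drops failed requests (a denied removal changed nothing) and allowlists a provisioning identity, since SCIM-driven removals from an identity provider are routine and would otherwise dominate the alert volume.

```python
"""Added example of a Panther-style Databricks group-removal rule (not the
rule's own source). Field names follow the Databricks audit log schema and
are assumptions; sample events below are constructed, not real log data."""
from typing import Any

# Assumption (hypothetical value): automation identities, such as the service
# principal an IdP uses for SCIM provisioning, whose removals are expected.
AUTOMATION_ACTORS = {"scim-provisioner@example.com"}


def _actor(event: dict[str, Any]) -> str:
    """Actor e-mail from userIdentity, or a placeholder if missing."""
    return (event.get("userIdentity") or {}).get("email", "<unknown>")


def rule(event: dict[str, Any]) -> bool:
    """Fire on successful removePrincipalFromGroup calls by non-automation actors."""
    if event.get("serviceName") != "accounts":
        return False
    if event.get("actionName") != "removePrincipalFromGroup":
        return False
    # A rejected request (e.g. 403) did not change membership; skip it.
    status = (event.get("response") or {}).get("statusCode")
    if status is not None and status != 200:
        return False
    return _actor(event) not in AUTOMATION_ACTORS


def title(event: dict[str, Any]) -> str:
    """Alert title naming actor, removed principal and group."""
    params = event.get("requestParams") or {}
    return (
        f"Databricks: [{_actor(event)}] removed principal "
        f"[{params.get('targetUserName', '<unknown>')}] from group "
        f"[{params.get('targetGroupName', '<unknown>')}]"
    )


def alert_context(event: dict[str, Any]) -> dict[str, Any]:
    """Fields an analyst needs to start the runbook queries."""
    params = event.get("requestParams") or {}
    return {
        "actor": _actor(event),
        "target_user": params.get("targetUserName"),
        "target_user_id": params.get("targetUserId"),
        "target_group": params.get("targetGroupName"),
        "source_ip": event.get("sourceIPAddress"),
        "account_id": event.get("accountId"),
    }


# Constructed sample events (not real log data).
REMOVAL_EVENT = {
    "accountId": "00000000-0000-0000-0000-000000000000",
    "serviceName": "accounts",
    "actionName": "removePrincipalFromGroup",
    "userIdentity": {"email": "attacker@example.com"},
    "sourceIPAddress": "203.0.113.10",
    "requestParams": {
        "targetUserName": "analyst@example.com",
        "targetGroupName": "admins",
        "targetUserId": "12345",
    },
    "response": {"statusCode": 200},
}
# Same call, but the API rejected it: membership unchanged, no alert.
FAILED_REMOVAL_EVENT = {**REMOVAL_EVENT, "response": {"statusCode": 403}}
# Same call made by the allowlisted provisioning identity: no alert.
AUTOMATION_EVENT = {
    **REMOVAL_EVENT,
    "userIdentity": {"email": "scim-provisioner@example.com"},
}
# A different group action: outside the rule's scope, no alert.
UNRELATED_EVENT = {**REMOVAL_EVENT, "actionName": "addPrincipalToGroup"}


if __name__ == "__main__":
    for name, ev in [
        ("removal", REMOVAL_EVENT),
        ("failed removal", FAILED_REMOVAL_EVENT),
        ("automation removal", AUTOMATION_EVENT),
        ("unrelated action", UNRELATED_EVENT),
    ]:
        print(f"{name:20s} -> {rule(ev)}")
    print(title(REMOVAL_EVENT))
```

The four sample events mirror the rule's own test scenarios (a valid removal that must fire, plus cases that must not), with the failed-request and automation-actor cases added as the tuning a practitioner typically needs before enabling this in production.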
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1098
Created: 2026-04-01