
Summary
Detects account-level configuration changes in Databricks by analyzing audit logs (Databricks.Audit) for actions that modify settings shared by every workspace in the account, including account settings, metastore configurations, and SSO/provider configurations. The rule alerts only on account-wide changes, not on workspace-scoped edits, because a single account-level modification can affect the entire account. Triage follows the accompanying runbook: query the audit logs for the actor's other account-level changes within the 24-hour window around the event, check whether the actor's activity in the following 6 hours touched multiple workspaces, and review the previous 30 days for recurring account-level configuration changes that would indicate a pattern. The unit tests cover true positives for account-level updates (e.g., updateAccountSettings on the accounts service; create on ssoConfigBackend) and true negatives for workspace-level edits and non-configuration actions (e.g., login). The rule maps to MITRE ATT&CK TA0003:T1098 (Account Manipulation), supporting detection of unauthorized administrative configuration changes, and relies on the provided runbook and reference for incident response and investigation guidance.
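As an added worked example (not the rule's own code), the following Python applies the detection logic and the three runbook queries described above to a handful of constructed Databricks audit events. The field names serviceName, actionName, workspaceId and userIdentity.email follow the Databricks audit log schema; treating workspaceId 0 as account-scoped, the timestamp field name, the two-entry action list and the sample events themselves are assumptions made for illustration.

```python
"""Account-level Databricks configuration change detection plus runbook triage.

Added example, not the rule's own code. The action list, the workspaceId-0
convention for account-scoped events, and the sample events are assumptions.
"""
from datetime import datetime, timedelta

# (serviceName, actionName) pairs treated as account-wide configuration changes.
# Only the two pairs named in the summary are listed; a production rule would carry more.
ACCOUNT_LEVEL_ACTIONS = {
    ("accounts", "updateAccountSettings"),
    ("ssoConfigBackend", "create"),
}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as '2026-04-01T10:00:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def actor(event):
    return event.get("userIdentity", {}).get("email", "<unknown>")


def is_account_scoped(event):
    """Assumption: account-level audit events carry workspaceId 0 (or none at all)."""
    return event.get("workspaceId") in (None, 0, "0")


def rule(event):
    """Alert on an account-wide configuration action; workspace edits and logins do not match."""
    key = (event.get("serviceName"), event.get("actionName"))
    return key in ACCOUNT_LEVEL_ACTIONS and is_account_scoped(event)


def title(event):
    return (f"Databricks account-level configuration change: "
            f"{event.get('serviceName')}/{event.get('actionName')} by {actor(event)}")


def triage(alert_event, events):
    """The summary's three runbook queries, run against an in-memory event list.

    1. the actor's account-level changes within 24 hours (12 h either side) of the alert
    2. distinct workspaces the actor touched in the following 6 hours
    3. account-level changes by anyone in the preceding 30 days (recurrence check)
    """
    t0 = parse_ts(alert_event["timestamp"])
    who = actor(alert_event)
    mine = [e for e in events if actor(e) == who]

    account_changes_24h = [
        e for e in mine
        if rule(e) and abs(parse_ts(e["timestamp"]) - t0) <= timedelta(hours=12)
    ]
    workspaces_6h = {
        e["workspaceId"] for e in mine
        if not is_account_scoped(e)
        and t0 < parse_ts(e["timestamp"]) <= t0 + timedelta(hours=6)
    }
    prior_30d = [
        e for e in events
        if rule(e) and t0 - timedelta(days=30) <= parse_ts(e["timestamp"]) < t0
    ]
    return {
        "account_changes_24h": account_changes_24h,
        "workspaces_touched_6h": sorted(workspaces_6h),
        "multi_workspace_impact": len(workspaces_6h) > 1,
        "prior_30d_account_changes": prior_30d,
    }


def _ev(ts, service, action, workspace_id, email):
    return {"timestamp": ts, "serviceName": service, "actionName": action,
            "workspaceId": workspace_id, "userIdentity": {"email": email}}


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    _ev("2026-04-01T10:00:00Z", "accounts", "updateAccountSettings", 0, "alice@example.com"),  # true positive
    _ev("2026-04-01T10:05:00Z", "ssoConfigBackend", "create", 0, "alice@example.com"),         # true positive
    _ev("2026-04-01T11:30:00Z", "workspace", "workspaceConfEdit", 1111, "alice@example.com"),  # workspace-level edit
    _ev("2026-04-01T13:00:00Z", "clusters", "create", 2222, "alice@example.com"),              # non-config action
    _ev("2026-04-01T09:00:00Z", "accounts", "login", 1111, "alice@example.com"),               # login, no alert
    _ev("2026-03-20T08:00:00Z", "ssoConfigBackend", "create", 0, "bob@example.com"),           # earlier change, other admin
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if rule(e):
            print(title(e))
    print(triage(SAMPLE_EVENTS[0], SAMPLE_EVENTS))
```

Running the block prints the two alert titles and a triage dictionary for the first alert: two account-level changes by alice in the 24-hour window, two distinct workspaces (1111 and 2222) touched in the next 6 hours, so multi-workspace impact is flagged, and one prior account-level change (bob's SSO configuration on 2026-03-20) inside the 30-day lookback.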
Categories
- Cloud
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2026-04-01