
Summary
This rule monitors Databricks audit logs for the creation of user groups, aiming to detect both legitimate administrative setup and potential privilege escalation attempts. It evaluates Databricks.Audit events where the serviceName is accounts and the actionName is createGroup, capturing the target group from requestParams and the initiating user from userIdentity. The rule fires a Group Created alert when such an event is observed, as validated by the included test case, and includes negative tests to ensure alerts only fire for the matching service and action. Runbook steps advise verifying that the group creation aligns with an approved workflow, assessing whether the new group is granted admin or elevated permissions, and reviewing subsequent membership changes. The rule maps to MITRE ATT&CK technique T1136 (Create Account). References point to the Databricks-focused detection repository. The rule is labeled Experimental with Info severity, reflecting its exploratory status and informational posture.
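As an added illustration (not the rule's own code), the matching logic described above, run over constructed Databricks.Audit-style events, including the two negative cases the summary mentions; the field names inside requestParams (name) and userIdentity (email) are assumptions, as is the admin-keyword triage hint that mirrors the runbook step on elevated permissions.

```python
from typing import Any, Dict, List

# Constructed sample events shaped like Databricks.Audit records (not real logs).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # positive case: a group created through the accounts service
        "serviceName": "accounts",
        "actionName": "createGroup",
        "requestParams": {"name": "data-platform-admins"},   # key name is an assumption
        "userIdentity": {"email": "alice@example.com"},      # key name is an assumption
    },
    {   # negative case: same action name, but a different service
        "serviceName": "workspace",
        "actionName": "createGroup",
        "requestParams": {"name": "analysts"},
        "userIdentity": {"email": "bob@example.com"},
    },
    {   # negative case: accounts service, but a different action
        "serviceName": "accounts",
        "actionName": "addPrincipalToGroup",
        "requestParams": {"name": "analysts"},
        "userIdentity": {"email": "bob@example.com"},
    },
]

# Hypothetical triage hint: group names that suggest elevated privileges.
ELEVATED_KEYWORDS = ("admin", "owner", "root")


def rule(event: Dict[str, Any]) -> bool:
    """Match only accounts-service group creation, as the rule description states."""
    return event.get("serviceName") == "accounts" and event.get("actionName") == "createGroup"


def title(event: Dict[str, Any]) -> str:
    """Alert title with the target group and the initiating user (missing fields tolerated)."""
    group = (event.get("requestParams") or {}).get("name", "<unknown group>")
    actor = (event.get("userIdentity") or {}).get("email", "<unknown user>")
    return f"Group Created: [{group}] by [{actor}]"


def needs_elevated_review(event: Dict[str, Any]) -> bool:
    """Flag groups whose name hints at admin rights, for the runbook's permission check."""
    group = (event.get("requestParams") or {}).get("name", "")
    return any(k in group.lower() for k in ELEVATED_KEYWORDS)


def evaluate(events: List[Dict[str, Any]]) -> List[str]:
    """Return the alert titles for every event the rule matches."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```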
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
Created: 2026-04-01