
Summary
Detects when user roles are modified or users are added to administrative groups in Databricks by monitoring Databricks audit logs. The rule treats such changes as potential privilege escalation or account manipulation, especially when performed by privileged actors. It maps to MITRE ATT&CK technique TA0004:T1098 and is intended to help security teams identify unauthorized or anomalous administrative activity. The runbook outlines three steps: correlating other activity by the actor responsible for the change (identified by the actor's email) within a 24-hour window, validating whether the target user exercised the modified role within 6 hours, and building a 90-day baseline of prior role modifications for the target user to judge whether the change is anomalous against that user's normal pattern.
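The detection plus the three runbook checks, as an added Python example that is not the rule's own logic or a Databricks query; the event field names, action names and the "admins" group name are assumptions that only approximate a Databricks audit log, and the events are constructed:

```python
from datetime import datetime, timedelta

# Assumed audit schema (field and action names are assumptions, not Databricks'
# documented schema): ISO-8601 timestamp, actor email, action, affected target/group.
ROLE_CHANGE_ACTIONS = {"addPrincipalToGroup", "updateUserRole"}
ADMIN_GROUPS = {"admins"}

def parse_ts(event):
    return datetime.fromisoformat(event["timestamp"])

def is_role_change(event):
    """A direct role update, or an add to an administrative group."""
    if event["action"] not in ROLE_CHANGE_ACTIONS:
        return False
    return event["action"] == "updateUserRole" or event.get("group") in ADMIN_GROUPS

def actor_activity(events, change, hours=24):
    """Step 1: other events by the same actor in the 24 hours leading up to the change."""
    t = parse_ts(change)
    return [e for e in events if e["actor"] == change["actor"] and e is not change
            and t - timedelta(hours=hours) <= parse_ts(e) <= t]

def role_used_after(events, change, hours=6):
    """Step 2: did the target perform any action within 6 hours after the change?"""
    t = parse_ts(change)
    return any(e["actor"] == change["target"] and t < parse_ts(e) <= t + timedelta(hours=hours)
               for e in events)

def prior_changes(events, change, days=90):
    """Step 3: earlier role changes for the same target in the preceding 90 days (baseline)."""
    t = parse_ts(change)
    return [e for e in events if is_role_change(e) and e["target"] == change["target"]
            and t - timedelta(days=days) <= parse_ts(e) < t]

def triage(events):
    """One finding per detected role change, enriched with the three runbook checks."""
    findings = []
    for change in sorted(events, key=parse_ts):
        if not is_role_change(change):
            continue
        findings.append({
            "time": change["timestamp"], "actor": change["actor"], "target": change["target"],
            "actor_events_24h": len(actor_activity(events, change)),
            "role_used_within_6h": role_used_after(events, change),
            "prior_changes_90d": len(prior_changes(events, change)),
        })
    return findings

SAMPLE_EVENTS = [  # constructed sample events, not real logs
    {"timestamp": "2026-01-15T08:00:00", "actor": "admin@example.com", "action": "updateUserRole", "target": "dev@example.com"},
    {"timestamp": "2026-03-31T09:00:00", "actor": "admin@example.com", "action": "login", "target": None},
    {"timestamp": "2026-03-31T10:00:00", "actor": "admin@example.com", "action": "addPrincipalToGroup", "group": "admins", "target": "dev@example.com"},
    {"timestamp": "2026-03-31T12:30:00", "actor": "dev@example.com", "action": "createCluster", "target": None},
]
```

A first-ever change for a target (prior_changes_90d of 0) with immediate use of the new role is the combination the runbook singles out for closer review.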
Categories
- Cloud
- Application
Data Sources
- Application Log
- Logon Session
ATT&CK Techniques
- T1098
Created: 2026-04-01