
Databricks High Priority Configuration Changes

Panther Rules

Summary
This rule monitors Databricks high-priority configuration changes by consuming Databricks audit logs. It targets changes that affect security posture, including audit logging configuration (for example enabling verbose audit logs), IP access list management, and other security-critical workspace settings (such as MFA enforcement). The rule elevates severity when a change successfully modifies high-risk settings.

It uses a two-pass validation approach: (1) evaluate the 24-hour window around the change to identify whether the initiating actor has a history of those actions, establishing legitimacy, and (2) scan across all workspaces for other high-risk configuration changes in the past 7 days to identify adversarial patterns or broad compromise. The rule maps to MITRE ATT&CK techniques including Defense Evasion (T1562.008: Modify Audit Logs) and Account Discovery (T1098).

The included tests illustrate expected outcomes for both legitimate and suspicious activity, such as enabling audit logs, creating or deleting IP access lists, and MFA configuration changes, while explicitly noting that audit-log disabling may be handled by a dedicated rule. Runbook steps emphasize correlating actor identity, surrounding activity, and breadth of similar changes to distinguish benign from malicious operations. In practice, this rule helps detect persistence and evasion activities that rely on tampering with security configurations in a Databricks environment, with actionable context for security responders based on the involved actor, target config key, and change category.
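The following is an added illustration of the detection logic described above, written in the Panther Python rule style; it is not Panther's published rule and not code from the page. It assumes Databricks audit-log field names (`serviceName`, `actionName`, `requestParams`, `response.statusCode`, `userIdentity.email`, `workspaceId`, `timestamp`) and a small set of action names and workspace config keys that are assumptions for this example, not verified against the rule. The sample events are constructed inline so the block runs offline, and the two helper functions show the two-pass triage (actor history in the trailing 24 hours, then breadth of successful changes across workspaces in the trailing 7 days).

```python
"""Panther-style detection for Databricks high-priority configuration changes.

Added example only. Field names and the action/config-key lists below are
assumptions about the Databricks audit-log schema, not facts from the page.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed audit-log action names that manage IP access lists (serviceName "accounts").
IP_ACCESS_LIST_ACTIONS = {"createIpAccessList", "deleteIpAccessList", "updateIpAccessList"}

# Assumed security-critical workspace config keys -> change category.
# "enforceMfaForAllUsers" is a placeholder name, not a verified Databricks key.
HIGH_PRIORITY_CONF_KEYS = {
    "enableVerboseAuditLogs": "audit_logging",
    "enforceMfaForAllUsers": "mfa",
}


def classify(event: Dict) -> Optional[Tuple[str, str]]:
    """Return (category, target) when the event is a high-priority config change, else None."""
    service = event.get("serviceName")
    action = event.get("actionName")
    params = event.get("requestParams") or {}
    if service == "accounts" and action in IP_ACCESS_LIST_ACTIONS:
        return ("ip_access_list", action)
    if service == "workspace" and action == "workspaceConfEdit":
        # workspaceConfKeys is assumed to be a comma-separated list of keys.
        for key in str(params.get("workspaceConfKeys", "")).split(","):
            key = key.strip()
            if key in HIGH_PRIORITY_CONF_KEYS:
                return (HIGH_PRIORITY_CONF_KEYS[key], key)
    return None


def succeeded(event: Dict) -> bool:
    """A change counts as applied only when the API responded 200."""
    return (event.get("response") or {}).get("statusCode") == 200


def rule(event: Dict) -> bool:
    return classify(event) is not None


def severity(event: Dict) -> str:
    # Elevate only when the high-risk setting was actually modified; failed attempts stay MEDIUM.
    return "HIGH" if succeeded(event) else "MEDIUM"


def title(event: Dict) -> str:
    category, target = classify(event) or ("unknown", "unknown")
    actor = (event.get("userIdentity") or {}).get("email", "<unknown>")
    return f"Databricks high-priority config change [{category}] on {target} by {actor}"


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def actor_history(events: List[Dict], alert: Dict, window: timedelta = timedelta(hours=24)) -> int:
    """Pass 1: count earlier matching changes by the same actor inside the trailing window."""
    actor = alert["userIdentity"]["email"]
    t = _ts(alert)
    return sum(
        1 for e in events
        if e is not alert and rule(e)
        and e["userIdentity"]["email"] == actor
        and t - window <= _ts(e) < t
    )


def workspaces_with_changes(events: List[Dict], alert: Dict, window: timedelta = timedelta(days=7)) -> List[str]:
    """Pass 2: distinct workspaces with *successful* high-risk changes in the trailing window."""
    t = _ts(alert)
    return sorted({e["workspaceId"] for e in events if rule(e) and succeeded(e) and t - window <= _ts(e) <= t})


def _ev(ts, ws, svc, action, email, status=200, params=None) -> Dict:
    return {"timestamp": ts, "workspaceId": ws, "serviceName": svc, "actionName": action,
            "requestParams": params or {}, "response": {"statusCode": status},
            "userIdentity": {"email": email}}


# Constructed sample audit events (not real data).
SAMPLE_EVENTS = [
    _ev("2026-03-31T12:00:00Z", "ws-1", "accounts", "createIpAccessList", "admin@example.com"),
    _ev("2026-03-31T10:00:00Z", "ws-2", "workspace", "workspaceConfEdit", "ops@example.com",
        params={"workspaceConfKeys": "enableVerboseAuditLogs", "workspaceConfValues": "true"}),
    _ev("2026-03-31T11:00:00Z", "ws-1", "jobs", "runNow", "admin@example.com"),
    _ev("2026-04-01T08:30:00Z", "ws-1", "accounts", "updateIpAccessList", "admin@example.com"),
    _ev("2026-04-01T09:00:00Z", "ws-1", "accounts", "deleteIpAccessList", "intern@example.com"),
]
ALERT = SAMPLE_EVENTS[-1]

if __name__ == "__main__":
    print(title(ALERT), severity(ALERT))
    print("actor history (24h):", actor_history(SAMPLE_EVENTS, ALERT))
    print("workspaces changed (7d):", workspaces_with_changes(SAMPLE_EVENTS, ALERT))
```

In the constructed data the deleting actor has no prior IP-access-list activity in the 24-hour window while the admin does, and successful high-risk changes span two workspaces in the 7-day window; those two numbers are the context a responder would weigh alongside the actor and target key when deciding whether the alert is routine administration or something broader.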
Categories
  • Cloud
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1562.008
  • T1098
Created: 2026-04-01