
Summary
Detects group deletions in Databricks accounts by inspecting audit logs for removal events. The rule matches Databricks.Audit entries where serviceName is accounts and actionName is removeGroup, which signals a change to access control. Group deletions are often legitimate cleanup, so every match is flagged for review, with severity raised when the deletion succeeded (a failed attempt is still worth noting but leaves the group intact). The detection maps to MITRE ATT&CK T1531, Account Access Removal, under the Impact tactic (TA0040). The runbook describes post-event analysis to separate compromised or unauthorized deletions from normal maintenance: (1) review which members belonged to the group in the 24 hours before the deletion, (2) assess whether the group carried admin privileges or access to sensitive resources, based on its activity over the preceding 30 days, and (3) search for other deletions by the same actor in the last 30 days to identify bulk patterns. Tests cover both matching events and events with a different serviceName or actionName, confirming the rule fires only for removeGroup in the accounts service context. Overall, the rule aims to catch dismantling of access control in Databricks environments, treating confirmed successful deletions as the higher-severity case, and stresses contextual verification before escalation to reduce false positives from routine maintenance.
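An added example, not the rule's own code, showing the detection logic described above together with the runbook's bulk-deletion check (step 3), run over constructed Databricks.Audit events. Top-level field names follow the Databricks audit log shape (serviceName, actionName, response.statusCode, userIdentity.email, requestParams); the requestParams key targetGroupId, the HIGH/MEDIUM severity labels, the two-deletion threshold, the sample events and the reference time AS_OF are assumptions made for the example.

```python
"""Added example: Panther-style rule for Databricks accounts/removeGroup events
plus a triage helper for the runbook's bulk-deletion check.  Not the rule's
own code.  Field nesting (response.statusCode, userIdentity.email) mirrors the
Databricks audit log; the requestParams key targetGroupId is an assumption."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed samples (assumption, not a real clock).
AS_OF = datetime(2026, 4, 2, tzinfo=timezone.utc)


def _get(event, path, default=None):
    """Walk a dotted path such as 'response.statusCode' through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Fire on any accounts/removeGroup entry, whether or not it succeeded."""
    return (event.get("serviceName") == "accounts"
            and event.get("actionName") == "removeGroup")


def severity(event):
    """A successful deletion actually removes access, so it ranks higher."""
    return "HIGH" if _get(event, "response.statusCode") == 200 else "MEDIUM"


def title(event):
    actor = _get(event, "userIdentity.email", "<unknown>")
    group = _get(event, "requestParams.targetGroupId", "<unknown>")  # assumed key
    return f"Databricks group [{group}] deleted by [{actor}]"


def run_rule(events):
    """Apply the rule to a batch of parsed events; return (title, severity) per alert."""
    return [(title(e), severity(e)) for e in events if rule(e)]


def bulk_deleters(events, now=AS_OF, window_days=30, threshold=2):
    """Runbook step 3: actors with at least `threshold` successful group
    deletions inside the look-back window, keyed by actor email."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for e in events:
        if not rule(e) or _get(e, "response.statusCode") != 200:
            continue
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        if ts >= cutoff:
            counts[_get(e, "userIdentity.email")] += 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


# Constructed sample events (not real logs); shape mirrors Databricks.Audit.
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-01T10:00:00Z", "serviceName": "accounts",
     "actionName": "removeGroup", "response": {"statusCode": 200},
     "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"targetGroupId": "grp-admins"}},
    {"timestamp": "2026-04-01T10:02:00Z", "serviceName": "accounts",
     "actionName": "removeGroup", "response": {"statusCode": 403},
     "userIdentity": {"email": "bob@example.com"},
     "requestParams": {"targetGroupId": "grp-finance"}},
    {"timestamp": "2026-03-20T08:00:00Z", "serviceName": "accounts",
     "actionName": "removeGroup", "response": {"statusCode": 200},
     "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"targetGroupId": "grp-legacy"}},
    # Same action name under a different service: must not fire.
    {"timestamp": "2026-04-01T10:05:00Z", "serviceName": "workspace",
     "actionName": "removeGroup", "response": {"statusCode": 200},
     "userIdentity": {"email": "carol@example.com"}},
    # Same service, different action: must not fire.
    {"timestamp": "2026-04-01T10:06:00Z", "serviceName": "accounts",
     "actionName": "createGroup", "response": {"statusCode": 200},
     "userIdentity": {"email": "carol@example.com"}},
]

if __name__ == "__main__":
    for alert_title, alert_sev in run_rule(SAMPLE_EVENTS):
        print(alert_sev, alert_title)
    print("bulk deleters:", bulk_deleters(SAMPLE_EVENTS))
```

The negative samples exercise the two ways a removeGroup-looking event can fall outside the rule's scope (wrong service, wrong action); the 403 sample shows a matched but failed deletion landing at the lower severity. bulk_deleters only counts successful deletions, since a failed attempt does not change group membership, and the threshold is deliberately low so that a second deletion by the same actor within the window surfaces during triage.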
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1531
Created: 2026-04-01