
Summary
Detects high-volume destructive actions by a single Databricks user within a 24-hour window by analyzing Databricks audit logs (Databricks.Audit). It targets Unity Catalog destructive operations such as deleteTable, dropSchema and trashNotebook. When a single actor exceeds the configured Threshold (50 actions) within the DedupPeriodMinutes window, the rule flags potential data destruction, ransomware, or insider-threat activity. The detection focuses on destructive intent and excludes benign activity (e.g., undeleteTable, or non-destructive actions such as createTable). It uses actor identity (userIdentity.email) as the primary signal and counts repeated destructive operations per actor to identify compromised or malicious usage. The rule is mapped to MITRE ATT&CK TA0040:T1485 (Impact). The runbook includes querying the past 7 days of delete actions for the user to identify patterns, checking recoverability and backups, and establishing a baseline by reviewing other users with high deletion rates over the past 30 days. The reference and tests illustrate typical destructive events (deleteTable, dropSchema, trashNotebook) alongside non-destructive or system actions, to minimize false positives.
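The following is an added, stand-alone Python example (not the rule's own code) that replays the logic described above over constructed Databricks audit events: a per-event predicate that keeps only the destructive actions named on this page and drops undeleteTable/createTable, plus a per-actor sliding 24-hour window that stands in for the platform's Threshold/DedupPeriodMinutes aggregation. The event shape (a top-level epoch-millisecond timestamp, actionName and userIdentity.email), the sample e-mail addresses and the event timings are assumptions made for the example; the threshold of 50 and the 24-hour window come from the rule summary.

```python
"""Offline replica of a 'high-volume destructive Databricks actions' detection.

Constructed example: field names beyond userIdentity.email and the sample
events are assumptions, not taken from the rule or from Databricks docs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Destructive actions named on the page. A production rule would likely carry
# a longer list; only the three from the summary are used here.
DESTRUCTIVE_ACTIONS = {"deleteTable", "dropSchema", "trashNotebook"}

# Explicitly benign actions the summary says must not count.
EXCLUDED_ACTIONS = {"undeleteTable", "createTable"}


def actor(event: dict) -> str:
    """Primary signal: the acting identity's e-mail (unknown if absent)."""
    return (event.get("userIdentity") or {}).get("email", "<unknown>")


def rule(event: dict) -> bool:
    """Per-event predicate: True only for destructive, non-excluded actions."""
    action = event.get("actionName", "")
    return action in DESTRUCTIVE_ACTIONS and action not in EXCLUDED_ACTIONS


def find_high_volume_actors(events, threshold: int = 50,
                            window: timedelta = timedelta(hours=24)) -> dict:
    """Return {email: peak_count} for actors whose matching events reach
    `threshold` inside any sliding window of length `window`.

    This replaces the platform's own Threshold/DedupPeriodMinutes handling
    so the behaviour can be checked offline.
    """
    window_ms = int(window.total_seconds() * 1000)
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    peak = defaultdict(int)       # actor -> largest count seen in one window
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not rule(ev):
            continue
        who = actor(ev)
        q = recent[who]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > window_ms:  # evict stale events
            q.popleft()
        peak[who] = max(peak[who], len(q))
    return {who: n for who, n in peak.items() if n >= threshold}


def make_event(email: str, action: str, ts: datetime) -> dict:
    """Constructed audit event (assumed minimal shape: epoch-ms timestamp)."""
    return {
        "timestamp": int(ts.timestamp() * 1000),
        "actionName": action,
        "userIdentity": {"email": email},
    }


T0 = datetime(2026, 4, 1, 0, 0, tzinfo=timezone.utc)


def build_sample_events() -> list:
    """Constructed sample: one true positive and three should-not-fire cases."""
    events = []
    # 55 table deletes in under 11 hours: crosses Threshold=50 within 24h.
    for i in range(55):
        events.append(make_event("mallory@example.com", "deleteTable",
                                 T0 + timedelta(minutes=12 * i)))
    # Restores by the same actor are benign and must not add to the count.
    for i in range(5):
        events.append(make_event("mallory@example.com", "undeleteTable",
                                 T0 + timedelta(hours=12, minutes=i)))
    # Slow, steady cleanup: 60 schema drops at one per hour. No 24h window
    # ever holds 50 of them (at most 25), so this actor is not flagged.
    for i in range(60):
        events.append(make_event("bob@example.com", "dropSchema",
                                 T0 + timedelta(hours=i)))
    # High-volume table creation by automation: non-destructive, ignored.
    for i in range(100):
        events.append(make_event("ci-bot@example.com", "createTable",
                                 T0 + timedelta(minutes=i)))
    # A handful of notebook trashes from a normal user, far below threshold.
    for i in range(3):
        events.append(make_event("alice@example.com", "trashNotebook",
                                 T0 + timedelta(hours=2, minutes=i)))
    return events


if __name__ == "__main__":
    for email, count in find_high_volume_actors(build_sample_events()).items():
        print(f"ALERT: {email} performed {count} destructive actions within 24h")
```

Running the module prints a single alert for the actor with 55 deletes; the hourly dropSchema actor stays silent because the sliding window never holds more than 25 of that user's events, which is the distinction between a burst and sustained routine housekeeping that the 24-hour Threshold encodes. Lowering `threshold` (e.g. to 3) shows how quickly normal users start to surface, which is the kind of baseline check the runbook's 30-day review is meant to inform.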
Categories
- Cloud
- Database
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1485
Created: 2026-04-01