
Databricks Potential Privilege Escalation

Panther Rules

Summary
Detects potential privilege escalation in Databricks by flagging high-volume permission modifications performed by a single user. When one user executes 25 or more permission-related actions within an hour (across the account, workspace, and Unity Catalog levels), an alert is triggered. The rule ingests Databricks audit logs, correlates permission-modification events (e.g., addPrincipalToGroup, grant, updatePermissions, changeOwner) with subsequent privilege- or access-changing actions by the same actor, and uses a 60-minute deduplication window so that a sustained burst by one actor produces a single alert rather than one per event. It maps to MITRE ATT&CK tactic TA0004 (Privilege Escalation), technique T1078 (Valid Accounts), and is assigned high severity. Runbook steps include querying 24 hours of permission changes by the actor, checking whether privilege-related actions immediately followed those changes, and identifying other users with elevated permission-modification rates over the past 7 days. Tests cover both simulated privilege-related actions and negative cases to validate the detection.
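The threshold-and-dedup logic described above, run over constructed sample audit events, as an added example. This is not Panther's rule code and not the Databricks product; the event field names (`timestamp` in epoch milliseconds, `serviceName`, `actionName`, `userIdentity.email`) follow the Databricks audit-log JSON schema but are treated here as assumptions, and the sample events are fabricated for the demonstration.

```python
"""Added example: per-actor sliding-window count of Databricks permission changes.

Fires when one actor performs >= THRESHOLD permission-modifying actions within
any WINDOW, and suppresses repeat alerts for that actor for DEDUP after an alert.
Not Panther's rule implementation; field names are assumptions (see lead-in).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Action names the rule summary lists as permission modifications.
PERMISSION_ACTIONS = {"addPrincipalToGroup", "grant", "updatePermissions", "changeOwner"}
THRESHOLD = 25                    # events by one actor ...
WINDOW = timedelta(minutes=60)    # ... within this sliding window
DEDUP = timedelta(minutes=60)     # one alert per actor per dedup window


def is_permission_change(event: dict) -> bool:
    """True if the audit event changes who can do what."""
    return event.get("actionName") in PERMISSION_ACTIONS


def actor_of(event: dict) -> str:
    """Assumed field layout: userIdentity.email identifies the principal."""
    return event.get("userIdentity", {}).get("email", "<unknown>")


def event_time(event: dict) -> datetime:
    """Assumed: timestamp is epoch milliseconds, as in Databricks audit JSON."""
    return datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc)


def detect(events):
    """Return one alert dict per (actor, dedup window) whose count reached THRESHOLD."""
    recent = defaultdict(deque)   # actor -> timestamps of permission changes in WINDOW
    last_alert = {}               # actor -> time of most recent alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not is_permission_change(ev):
            continue
        actor, ts = actor_of(ev), event_time(ev)
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > WINDOW:        # drop events older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            prev = last_alert.get(actor)
            if prev is None or ts - prev >= DEDUP:
                last_alert[actor] = ts
                alerts.append({"actor": actor, "count": len(q),
                               "window_end": ts.isoformat()})
    return alerts


def sample_events():
    """Constructed sample events (fabricated, not real Databricks data)."""
    t0 = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)

    def ev(actor, action, minutes, service="unityCatalog"):
        return {"timestamp": int((t0 + timedelta(minutes=minutes)).timestamp() * 1000),
                "serviceName": service, "actionName": action,
                "userIdentity": {"email": actor}}

    events = []
    # 30 grants in 30 minutes by one actor: crosses the threshold, alerts once.
    events += [ev("mallory@example.com", "grant", m) for m in range(30)]
    # 5 changes in an hour by an admin: normal volume, no alert.
    events += [ev("admin@example.com", "updatePermissions", m * 12, "accounts") for m in range(5)]
    # 25 changes spread over 4 hours: never 25 inside one hour, no alert.
    events += [ev("svc@example.com", "addPrincipalToGroup", m * 10, "accounts") for m in range(25)]
    # Read-only noise by the burst actor: not permission changes, ignored.
    events += [ev("mallory@example.com", "listTables", m) for m in range(30)]
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The 25-event threshold is checked on every event, so the alert carries the count at the moment it crossed; the dedup map then absorbs the remaining events of the same burst, which is the behaviour the 60-minute deduplication window in the rule summary is meant to give.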
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1078
Created: 2026-04-01