
Summary
Detects modifications to the global initialization scripts that Databricks runs on every cluster at startup. The rule monitors create, update, and delete actions on the globalInitScripts service in Databricks audit logs, so that persistence mechanisms or the spread of malicious code to all clusters can be detected. It correlates script changes with potential downstream activity (for example, new clusters provisioned within six hours of the change) and looks for coordinated script changes across multiple workspaces within the past week. The rule is labeled Experimental with Info severity. MITRE ATT&CK mappings include TA0003:T1037 (Boot or Logon Initialization Scripts) and TA0002:T1059 (Command and Scripting Interpreter). Runbook steps guide analysts to query the audit logs for script changes in the last 30 days, correlate them with cluster provisioning, and identify broader coordination patterns over seven days. The rule treats all script creations, updates, and deletions as worth alerting on, because any of them can establish persistence or execute code broadly across the environment. The SummaryAttributes are actor, script_name, and action, chosen for concise incident triage. The tests cover typical create, update, and delete events and a non-matching event from a different service to validate the alerting scope.
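The following is an added example, not the rule's own code, that re-implements the logic the summary describes over a handful of constructed audit-log records: the core match (any create, update or delete on the globalInitScripts service), the actor/script_name/action summary attributes, the six-hour correlation with cluster creation, and the seven-day cross-workspace check. The field names used (serviceName, actionName, userIdentity.email, requestParams.name, workspaceId, timestamp) follow the general shape of Databricks audit logs but are assumptions for this example, as are the sample values.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real audit data). Field names are assumed.
SAMPLE_EVENTS = [
    {"timestamp": "2026-04-01T08:00:00Z", "serviceName": "globalInitScripts",
     "actionName": "create", "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"name": "set-proxy.sh"}, "workspaceId": "ws-1"},
    {"timestamp": "2026-04-01T10:30:00Z", "serviceName": "clusters",
     "actionName": "create", "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"cluster_name": "etl-nightly"}, "workspaceId": "ws-1"},
    {"timestamp": "2026-04-02T09:00:00Z", "serviceName": "globalInitScripts",
     "actionName": "update", "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"name": "set-proxy.sh"}, "workspaceId": "ws-2"},
    {"timestamp": "2026-04-02T09:05:00Z", "serviceName": "jobs",
     "actionName": "runNow", "userIdentity": {"email": "bob@example.com"},
     "requestParams": {"job_id": "42"}, "workspaceId": "ws-2"},
    {"timestamp": "2026-04-03T12:00:00Z", "serviceName": "globalInitScripts",
     "actionName": "delete", "userIdentity": {"email": "alice@example.com"},
     "requestParams": {"script_id": "script-id-placeholder"}, "workspaceId": "ws-3"},
]

SCRIPT_SERVICE = "globalInitScripts"
SCRIPT_ACTIONS = {"create", "update", "delete"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_rule(event):
    """Core detection: any create/update/delete on the globalInitScripts service."""
    return (event.get("serviceName") == SCRIPT_SERVICE
            and event.get("actionName") in SCRIPT_ACTIONS)


def summary_attributes(event):
    """The triage fields the rule surfaces: actor, script_name, action.
    Delete events may carry only a script id, so fall back to that."""
    params = event.get("requestParams", {})
    return {
        "actor": event.get("userIdentity", {}).get("email", "<unknown>"),
        "script_name": params.get("name") or params.get("script_id", "<unknown>"),
        "action": event.get("actionName"),
    }


def clusters_after_script_change(events, window=timedelta(hours=6)):
    """Runbook correlation: for each script change, list clusters created in the
    same workspace within `window` after the change."""
    results = []
    for script_event in filter(matches_rule, events):
        start = parse_ts(script_event["timestamp"])
        end = start + window
        clusters = [
            e.get("requestParams", {}).get("cluster_name", "<unnamed>")
            for e in events
            if e.get("serviceName") == "clusters"
            and e.get("actionName") == "create"
            and e.get("workspaceId") == script_event.get("workspaceId")
            and start <= parse_ts(e["timestamp"]) <= end
        ]
        results.append({**summary_attributes(script_event),
                        "clusters_within_window": clusters})
    return results


def workspaces_with_script_changes(events, as_of, lookback=timedelta(days=7)):
    """Runbook coordination check: workspaces that saw any script change in
    the `lookback` window ending at `as_of`."""
    return sorted({
        e.get("workspaceId") for e in events
        if matches_rule(e)
        and as_of - lookback <= parse_ts(e["timestamp"]) <= as_of
    })


if __name__ == "__main__":
    for hit in clusters_after_script_change(SAMPLE_EVENTS):
        print(hit)
    print(workspaces_with_script_changes(
        SAMPLE_EVENTS, as_of=parse_ts("2026-04-03T12:00:00Z")))
```

In the constructed data the first script change is followed by a cluster in the same workspace within the six-hour window, while the update and delete are not; all three changes fall inside one seven-day window across three workspaces, which is the coordination pattern the runbook asks analysts to look for.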
Categories
- Cloud
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1037
- T1059
Created: 2026-04-01