
Summary
Databricks SSO Configuration Changed detects changes to single sign-on (SSO) settings by monitoring Databricks audit logs for events emitted by the ssoConfigBackend service. The rule triggers on create or update actions that modify the SSO configuration (e.g., enabling a provider or switching providers). Both successful changes and unauthorized attempts are surfaced: a successful change may well be routine administration, but when a change is successfully applied the rule raises the alert to MEDIUM severity per policy; failed or unauthorized attempts (such as an HTTP 403 response) are treated as potential tampering or misconfiguration. The rule is mapped to MITRE ATT&CK tactic TA0006 (Credential Access), technique T1556, to identify anomalies in authentication configuration. The runbook suggests validating the audit events around the change, checking for new sign-ins that use the new configuration, and looking for authentication failures or unusual login patterns in the 24 hours following the change. Tests simulate create/update events on ssoConfigBackend and ensure that only the correct service triggers the rule, while other services (e.g., accounts) do not.
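The detection logic described above, run over a few constructed Databricks audit events, as an added illustration rather than the rule's own code. It assumes the standard Databricks audit field names (serviceName, actionName, response.statusCode, userIdentity.email) and a base severity of LOW for the non-applied case, which the summary does not state.

```python
# Added illustration of the SSO-configuration-change detection; not Panther's own rule code.
# Field names follow the Databricks audit log schema (serviceName, actionName,
# response.statusCode, userIdentity.email). All sample events below are constructed.
SSO_SERVICE = "ssoConfigBackend"
SSO_WRITE_ACTIONS = {"create", "update"}  # the create/update actions the rule watches
DEFAULT_SEVERITY = "LOW"  # assumption: the rule's base severity is not given in the summary

def status_code(event):
    """HTTP status of the audited API call, or None if the log carries no response block."""
    return (event.get("response") or {}).get("statusCode")

def rule(event):
    """Fire only for create/update calls against the SSO configuration service."""
    return (event.get("serviceName") == SSO_SERVICE
            and event.get("actionName") in SSO_WRITE_ACTIONS)

def outcome(event):
    """'applied' for a 2xx response, 'denied' for HTTP 403, otherwise 'failed'."""
    code = status_code(event)
    if code is not None and 200 <= code < 300:
        return "applied"
    return "denied" if code == 403 else "failed"

def severity(event):
    """A change that was actually applied is raised to MEDIUM per policy."""
    return "MEDIUM" if outcome(event) == "applied" else DEFAULT_SEVERITY

def title(event):
    actor = (event.get("userIdentity") or {}).get("email", "<unknown>")
    return (f"Databricks SSO configuration {event.get('actionName')} by {actor} "
            f"({outcome(event)}, HTTP {status_code(event)})")

def evaluate(events):
    """Run the rule over a batch and return an alert summary for each matching event."""
    return [{"title": title(e), "severity": severity(e), "outcome": outcome(e)}
            for e in events if rule(e)]

# Constructed sample events: the two SSO writes alert, the accounts event and the read do not.
SAMPLE_EVENTS = [
    {"serviceName": "ssoConfigBackend", "actionName": "create",
     "userIdentity": {"email": "admin@example.com"}, "response": {"statusCode": 200}},
    {"serviceName": "ssoConfigBackend", "actionName": "update",
     "userIdentity": {"email": "contractor@example.com"}, "response": {"statusCode": 403}},
    {"serviceName": "accounts", "actionName": "update",
     "userIdentity": {"email": "admin@example.com"}, "response": {"statusCode": 200}},
    {"serviceName": "ssoConfigBackend", "actionName": "get",
     "userIdentity": {"email": "admin@example.com"}, "response": {"statusCode": 200}},
]
```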
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1556
Created: 2026-04-01