
Summary
This rule detects grants of Databricks account-level administrator privileges by watching for audit events that directly assign account admin rights, change account ownership, or add a principal to the account-admins group. It distinguishes account-wide admin actions from workspace-level admin grants and from membership changes to non-admin groups, so that routine workspace administration does not trigger it.

A successful account-level admin grant raises a Medium-severity alert; the tests and runbook guidance treat a grant as higher priority when it is unusual in frequency or leads to elevated follow-on access. The rule maps to MITRE ATT&CK T1098 (Account Manipulation, under Privilege Escalation, TA0004) and T1136 (Create Account, under Persistence, TA0003).

Runbook guidance:
- Query the audit logs for account-level admin actions performed by the target principal in the 24 hours after the grant.
- Check whether the principal accessed multiple workspaces or performed bulk operations within 6 hours of the grant.
- Review all account-admin grants from the past 90 days for unusual patterns or escalation chains.

The included tests cover positive and negative cases: a successful Set Account Admin event should alert, while workspace-level admin grants and admin removals should not. The rule's purpose is to surface unauthorized privilege elevation in Databricks early enough to investigate and contain misuse across workspaces.
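As an added example (not the page's or the rule author's own code), the following Python sketches the detection logic described above and runs it over a handful of constructed audit events: a direct account-admin grant, a workspace-level admin grant, an admin removal, an addition to the account-admins group, an addition to an unrelated group, and a failed grant attempt. Field names follow the Databricks audit log layout (serviceName, actionName, userIdentity.email, requestParams, response.statusCode, workspaceId); the specific action names, the account-admins group name, the requestParams keys, the ISO timestamp field and the convention that account-level events carry workspaceId 0 are assumptions to verify against your own logs before use.

```python
"""Added example: detection logic for Databricks account-level admin grants."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) action names that directly confer account-wide admin rights.
DIRECT_ADMIN_ACTIONS = {"setAccountAdmin", "updateAccountOwner"}
# Assumed (hypothetical) group-membership actions and the admin group's display name.
GROUP_ADD_ACTIONS = {"addPrincipalToGroup", "addPrincipalsToGroup"}
ACCOUNT_ADMINS_GROUP = "account-admins"
# Assumed service names under which account-level IAM events are logged.
ACCOUNT_SERVICES = {"accounts", "accountsManager"}


def _is_account_level(event: dict) -> bool:
    # Assumption: account-level events carry workspaceId 0 (or none at all);
    # workspace-level events carry the numeric id of the workspace.
    return event.get("workspaceId") in (None, 0, "0")


def _succeeded(event: dict) -> bool:
    return str((event.get("response") or {}).get("statusCode", "")) == "200"


def _target_group(event: dict) -> str:
    params = event.get("requestParams") or {}
    # Assumed parameter names for the group whose membership is changed.
    return params.get("targetGroupName") or params.get("groupName") or ""


def is_account_admin_grant(event: dict) -> bool:
    """True only for a successful, account-level event that grants admin rights.

    Removals, failed attempts, workspace-level admin grants (non-zero workspaceId)
    and additions to non-admin groups all return False, which is what keeps the
    rule quiet during routine workspace administration.
    """
    if not (_succeeded(event) and _is_account_level(event)):
        return False
    if event.get("serviceName") not in ACCOUNT_SERVICES:
        return False
    action = event.get("actionName", "")
    if action in DIRECT_ADMIN_ACTIONS:
        return True
    if action in GROUP_ADD_ACTIONS:
        return _target_group(event) == ACCOUNT_ADMINS_GROUP
    return False


def alert_title(event: dict) -> str:
    actor = (event.get("userIdentity") or {}).get("email", "<unknown>")
    params = event.get("requestParams") or {}
    # Assumed parameter names for the principal receiving the grant.
    target = params.get("targetUserName") or params.get("targetUserId") or "<unknown>"
    return f"Databricks account admin granted to [{target}] by [{actor}] via {event.get('actionName')}"


def detect(events: list) -> list:
    """Run the rule over a batch of events and return one alert title per hit."""
    return [alert_title(e) for e in events if is_account_admin_grant(e)]


def grants_by_actor(events: list, now: datetime, days: int = 90) -> dict:
    """Runbook step 3: count account-admin grants per granting principal over the
    lookback window so that one account handing out many grants stands out."""
    cutoff = now - timedelta(days=days)
    counts = defaultdict(int)
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        if ts >= cutoff and is_account_admin_grant(e):
            counts[(e.get("userIdentity") or {}).get("email", "<unknown>")] += 1
    return dict(counts)


def _evt(action, actor, target, *, service="accounts", workspace_id=0, status=200,
         group=None, ts="2026-04-01T10:00:00Z"):
    """Build a constructed audit event in the assumed layout (sample data only)."""
    params = {"targetUserName": target}
    if group:
        params["targetGroupName"] = group
    return {"timestamp": ts, "serviceName": service, "actionName": action,
            "userIdentity": {"email": actor}, "requestParams": params,
            "response": {"statusCode": status}, "workspaceId": workspace_id}


# Constructed sample events; only the first and fourth should alert.
SAMPLE_EVENTS = [
    _evt("setAccountAdmin", "admin@example.com", "eve@example.com"),
    _evt("setAdmin", "admin@example.com", "bob@example.com", workspace_id=1234567890),
    _evt("removeAccountAdmin", "admin@example.com", "eve@example.com"),
    _evt("addPrincipalToGroup", "admin@example.com", "mallory@example.com", group="account-admins"),
    _evt("addPrincipalToGroup", "admin@example.com", "carol@example.com", group="data-engineers"),
    _evt("setAccountAdmin", "intern@example.com", "intern@example.com", status=403),
]
# Fixed reference time for the 90-day review over the constructed sample.
EXAMPLE_NOW = datetime(2026, 4, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for title in detect(SAMPLE_EVENTS):
        print(title)
    print(grants_by_actor(SAMPLE_EVENTS, EXAMPLE_NOW))
```

The negative cases are where the value lies: a workspace-level setAdmin on a non-zero workspaceId, a removal, a failed 403 attempt and an addition to a non-admin group all pass through is_account_admin_grant without firing, while grants_by_actor gives the per-actor count the 90-day review step asks for.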
Categories
- Cloud
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1098
- T1136
Created: 2026-04-01