
Summary
Detects when workspace-level admin privileges are granted in Databricks, either through a direct admin role assignment or through membership in an admin group. The rule flags direct admin grants and additions to the admins and workspace-admins groups. It does not yet resolve nested group membership (a principal added to a group that is itself a member of an admin group), because that requires correlating across events; a correlation rule is proposed for a future iteration.

When a principal receives admin privileges, the detector enumerates that principal's privileged actions in the audit logs for the 24 hours after the grant, and separately flags sensitive activity (for example cluster creation, notebook modification, or access to sensitive data) that occurs within the first 6 hours. A 90-day baseline of all workspace admin grants is kept so that the analyst can judge whether a grant fits the workspace's normal privilege-elevation pattern, which reduces noise.

If the grant targets the system-level admins group (admins), severity is raised to HIGH because of its broad impact. Account-level admin grants and events outside a workspace context are excluded to limit false positives.

MITRE ATT&CK mappings: TA0004:T1098 (Account Manipulation) and TA0003:T1136 (Create Account).
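The logic described above, as an added worked example that is not the rule's own query. It walks a list of Databricks-style audit events (JSON objects with serviceName, actionName, requestParams, userIdentity.email, workspaceId and an epoch-millisecond timestamp), picks out admin grants, gathers the target's follow-on actions in the 24-hour and 6-hour windows, counts prior grants in the 90-day baseline, and escalates grants into the admins group to HIGH. The action names (setAdmin, addPrincipalToGroup), parameter keys (user, parent_name, user_name), the sensitive-action list and the sample events are all constructed assumptions for the illustration; check them against your tenant's audit-log catalogue before use.

```python
from datetime import datetime, timedelta, timezone

# Groups that confer workspace-admin rights. "admins" is the system-level
# admin group, so a grant into it is escalated to HIGH.
ADMIN_GROUPS = {"admins", "workspace-admins"}
SYSTEM_ADMIN_GROUP = "admins"

# (serviceName, actionName) pairs treated as sensitive follow-on activity.
# Assumed for this example; tune to the actions your audit logs actually emit.
SENSITIVE_ACTIONS = {
    ("clusters", "create"),
    ("notebook", "runCommand"),
    ("unityCatalog", "getTable"),
}

FOLLOW_UP_WINDOW = timedelta(hours=24)  # enumerate privileged actions
SENSITIVE_WINDOW = timedelta(hours=6)   # flag sensitive activity
BASELINE_WINDOW = timedelta(days=90)    # prior admin grants, for context


def _when(event):
    """Audit events carry 'timestamp' as epoch milliseconds."""
    return datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc)


def in_workspace_context(event):
    """Account-level events have no workspaceId; the rule excludes them."""
    return bool(event.get("workspaceId"))


def classify_grant(event):
    """Return (target, method, group) for an admin grant, else None.

    Two shapes are recognised (names are assumptions for this example):
      direct: serviceName 'accounts', actionName 'setAdmin', requestParams.user
      group:  serviceName 'groups', actionName 'addPrincipalToGroup' into an
              admin group, requestParams.parent_name / user_name
    Nested group membership is deliberately not resolved here.
    """
    svc, act = event.get("serviceName"), event.get("actionName")
    params = event.get("requestParams", {})
    if svc == "accounts" and act == "setAdmin":
        return params.get("user"), "direct", None
    if svc == "groups" and act == "addPrincipalToGroup":
        if params.get("parent_name") in ADMIN_GROUPS:
            return params.get("user_name"), "group", params["parent_name"]
    return None


def detect_admin_grants(events):
    """Return one alert dict per workspace-admin grant, in time order."""
    events = sorted((e for e in events if in_workspace_context(e)), key=_when)
    grant_times, alerts = [], []
    for grant in events:
        info = classify_grant(grant)
        if info is None:
            continue
        target, method, group = info
        t0 = _when(grant)
        # Baseline: admin grants seen in this workspace during the prior 90 days.
        prior = sum(1 for t in grant_times if t0 - BASELINE_WINDOW <= t < t0)
        grant_times.append(t0)
        follow_up, sensitive = [], []
        for ev in events:
            if ev.get("userIdentity", {}).get("email") != target:
                continue
            dt = _when(ev) - t0
            if not (timedelta(0) < dt <= FOLLOW_UP_WINDOW):
                continue
            key = (ev["serviceName"], ev["actionName"])
            follow_up.append(".".join(key))
            if dt <= SENSITIVE_WINDOW and key in SENSITIVE_ACTIONS:
                sensitive.append(".".join(key))
        alerts.append({
            "target": target,
            "actor": grant.get("userIdentity", {}).get("email"),
            "method": method,
            "group": group,
            "severity": "HIGH" if group == SYSTEM_ADMIN_GROUP else "MEDIUM",
            "actions_24h": follow_up,
            "sensitive_6h": sensitive,
            "prior_grants_90d": prior,
        })
    return alerts


def _ms(iso):
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)


def _ev(iso, actor, svc, act, params=None, workspace="1234567890"):
    return {"timestamp": _ms(iso), "workspaceId": workspace, "serviceName": svc,
            "actionName": act, "userIdentity": {"email": actor},
            "requestParams": params or {}}


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    _ev("2024-04-20T09:00:00", "admin@example.com", "groups", "addPrincipalToGroup",
        {"parent_name": "workspace-admins", "user_name": "bob@example.com"}),
    _ev("2024-04-20T10:00:00", "admin@example.com", "groups", "addPrincipalToGroup",
        {"parent_name": "data-scientists", "user_name": "carol@example.com"}),  # not admin
    _ev("2024-05-01T10:00:00", "admin@example.com", "groups", "addPrincipalToGroup",
        {"parent_name": "admins", "user_name": "mallory@example.com"}),
    _ev("2024-05-01T11:00:00", "acctadmin@example.com", "accounts", "setAdmin",
        {"user": "eve@example.com"}, workspace=""),  # account-level: excluded
    _ev("2024-05-01T12:00:00", "mallory@example.com", "clusters", "create"),  # 2h: sensitive
    _ev("2024-05-02T08:00:00", "mallory@example.com", "notebook", "runCommand"),  # 22h
    _ev("2024-05-03T12:00:00", "mallory@example.com", "clusters", "create"),  # 50h: ignored
]

if __name__ == "__main__":
    for alert in detect_admin_grants(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, the rule emits two alerts: a MEDIUM one for the workspace-admins grant to bob with no follow-on activity, and a HIGH one for the admins grant to mallory that lists both later actions inside 24 hours, flags the cluster creation inside 6 hours, and reports one prior grant in the 90-day baseline. The account-level setAdmin event never reaches the grant logic because it lacks a workspaceId.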
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1136
Created: 2026-04-01