Databricks User Account Deleted

Panther Rules

Summary
This rule detects deletions of user accounts within a Databricks workspace by inspecting Databricks audit logs for an accounts-service action named delete in which requestParams.targetUserName is set. A successful deletion (response statusCode 200) is usually a legitimate offboarding step, but the same event can signal abuse if the deleting user is compromised or is an insider removing someone else's access. The rule is labeled Experimental with a Low baseline severity; its description recommends treating successful deletions as HIGH in practice because of their potential impact.

The detection relies on the audit log fields serviceName (accounts), actionName (delete) and requestParams.targetUserName, so that a matching event is known to originate from the accounts service and to name a target user. Events from other services (for example workspace), deletions with no targetUserName, non-delete actions and failed deletion attempts do not match.

The runbook directs the analyst to review the actor's activity in the 48 hours before the deletion, to look for privilege escalation or other suspicious behaviour by the actor over the prior 7 days, and to check for a bulk-deletion pattern by the same actor over the prior 30 days.

The rule maps to MITRE ATT&CK TA0040 (Impact), technique T1531 (Account Access Removal): deleting an account removes its owner's access and can be used to lock out legitimate users or hinder response. The bundled tests cover the positive case (a successful user deletion with targetUserName and a 200 status) and the negative cases (a failed deletion, a delete from the wrong service, a deletion without user context, and a non-delete action), confirming that the rule is scoped to account deletions in Databricks audit logs.
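The following is an added example, not the Panther rule's own source: a plain-Python re-implementation of the matching logic described above, run over constructed Databricks audit log events that mirror the rule's test cases, plus a helper for the runbook's 30-day bulk-deletion check. The field names (serviceName, actionName, requestParams.targetUserName, response.statusCode, userIdentity.email) follow Databricks audit log conventions; the deep_get helper stands in for Panther's, and the actors, targets and ISO timestamps in the sample events are made up.

```python
"""Added example (not the Panther rule's own source): a plain-Python
re-implementation of the Databricks user-deletion detection, run over
constructed audit events, plus a helper for the runbook's 30-day
bulk-deletion check. Sample events, actors and timestamps are made up."""
from datetime import datetime, timedelta


def deep_get(event, *keys, default=None):
    """Walk nested dicts safely (stands in for Panther's deep_get helper)."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Fire only on a successful accounts-service delete that names a target user.
    Wrong service, non-delete action, missing targetUserName and non-200
    responses are all negative cases, matching the rule's bundled tests."""
    if event.get("serviceName") != "accounts":
        return False
    if event.get("actionName") != "delete":
        return False
    if deep_get(event, "response", "statusCode") != 200:
        return False
    return bool(deep_get(event, "requestParams", "targetUserName"))


def title(event):
    """Alert title naming the deleted user and the actor who deleted it."""
    actor = deep_get(event, "userIdentity", "email", default="<unknown>")
    target = deep_get(event, "requestParams", "targetUserName")
    return f"Databricks user [{target}] deleted by [{actor}]"


def bulk_deleters(events, threshold=3, window=timedelta(days=30)):
    """Runbook aid: actors who deleted at least `threshold` accounts within
    any `window`-long span (sliding window over each actor's sorted times)."""
    per_actor = {}
    for ev in events:
        if not rule(ev):
            continue
        actor = deep_get(ev, "userIdentity", "email", default="<unknown>")
        per_actor.setdefault(actor, []).append(datetime.fromisoformat(ev["timestamp"]))
    flagged = set()
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged


def _event(service, action, status, target, actor, ts):
    """Build a constructed audit event in the shape the rule inspects."""
    params = {"targetUserName": target} if target else {}
    return {
        "serviceName": service,
        "actionName": action,
        "requestParams": params,
        "response": {"statusCode": status},
        "userIdentity": {"email": actor},
        "timestamp": ts,
    }


# Constructed sample events mirroring the rule's positive and negative tests.
SAMPLE_EVENTS = [
    _event("accounts", "delete", 200, "alice@example.com", "admin@example.com", "2024-05-01T09:00:00"),   # fires
    _event("accounts", "delete", 403, "bob@example.com", "admin@example.com", "2024-05-01T09:05:00"),     # failed: no match
    _event("workspace", "delete", 200, "carol@example.com", "admin@example.com", "2024-05-02T10:00:00"),  # wrong service
    _event("accounts", "delete", 200, None, "admin@example.com", "2024-05-03T11:00:00"),                  # no target user
    _event("accounts", "add", 200, "dave@example.com", "admin@example.com", "2024-05-04T12:00:00"),       # not a delete
    _event("accounts", "delete", 200, "erin@example.com", "admin@example.com", "2024-05-10T08:00:00"),    # fires
    _event("accounts", "delete", 200, "frank@example.com", "admin@example.com", "2024-05-20T08:00:00"),   # fires
    _event("accounts", "delete", 200, "grace@example.com", "ops@example.com", "2024-05-21T08:00:00"),     # fires, lone actor
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the titles of the events the rule would fire on, in order."""
    return [title(ev) for ev in events if rule(ev)]


if __name__ == "__main__":
    for line in evaluate():
        print(line)
    print("bulk deleters (>=3 in 30 days):", sorted(bulk_deleters(SAMPLE_EVENTS)))
```

Running the module lists the four matching deletions and flags admin@example.com, whose three successful deletions fall inside one 30-day window; the failed 403 attempt is neither alerted on nor counted toward the bulk pattern, which is the behaviour the rule's negative tests describe.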
Categories
  • Cloud
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1531
Created: 2026-04-01