
Summary
Detects when Databricks Unity Catalog metastore admin privileges are granted, either via direct metastore ownership changes or by adding a principal to metastore-admin groups. Metastore admins have extensive control over data access and governance policies, so unauthorized elevation can enable data exfiltration or policy circumvention. The rule correlates Unity Catalog/Audit logs showing ownership changes (updateMetastore with a new owner) or additions to privileged groups (addPrincipalToGroup to metastore-admins or addPrincipalsToGroup to unity-catalog-admins). It aims to identify privilege escalation involving metastore administration and Unity Catalog governance. Key detection logic includes: monitoring for ownership transfers and membership additions to admin groups, emphasizing events within Databricks Audit logs (Databricks.Audit). The MITRE ATT&CK mapping aligns with Account Discovery (T1098) via privileged account changes. Runbooks guide immediate validation, while tests illustrate expected positive and negative matches to validate detections over time (e.g., 90-day window) and the post-privilege access window (6 hours).
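One way to express the correlation logic described above over Databricks audit events, as an added example that is not the rule's own code; the top-level event fields follow the Databricks audit log schema, while the requestParams keys used (owner, targetGroupName, group_name) and the sample events are assumptions constructed for this illustration:

```python
# Added example (not the page's or the rule's own code): flag Databricks Unity
# Catalog audit events that grant metastore-admin privileges. Top-level fields
# (actionName, requestParams, response, userIdentity) follow the Databricks
# audit log schema; the requestParams keys used here (owner, targetGroupName,
# group_name) are assumptions for this example.
ADMIN_GROUPS = {"metastore-admins", "unity-catalog-admins"}

def classify(event):
    """Return a finding label if the event grants metastore-admin rights."""
    # Only successful calls change state; failed attempts are out of scope.
    if (event.get("response") or {}).get("statusCode", 200) != 200:
        return None
    action = event.get("actionName", "")
    params = event.get("requestParams") or {}
    if action == "updateMetastore" and params.get("owner"):
        return "metastore owner changed to " + params["owner"]
    if action in ("addPrincipalToGroup", "addPrincipalsToGroup"):
        # Assumed: the target group may be keyed differently per action.
        grp = params.get("targetGroupName") or params.get("group_name") or ""
        if grp in ADMIN_GROUPS:
            return "principal added to privileged group " + grp
    return None

def findings(events):
    """(actor e-mail, finding label) for every event that matches."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev.get("userIdentity", {}).get("email", "?"), label))
    return out

# Constructed sample events (not real log data): an ownership transfer, an
# admin-group addition, a benign group addition and a failed transfer.
SAMPLE_EVENTS = [
    {"actionName": "updateMetastore", "response": {"statusCode": 200},
     "requestParams": {"id": "m1", "owner": "eve@example.com"},
     "userIdentity": {"email": "eve@example.com"}},
    {"actionName": "addPrincipalToGroup", "response": {"statusCode": 200},
     "requestParams": {"targetGroupName": "metastore-admins", "targetUserName": "bob"},
     "userIdentity": {"email": "alice@example.com"}},
    {"actionName": "addPrincipalsToGroup", "response": {"statusCode": 200},
     "requestParams": {"group_name": "data-analysts"},
     "userIdentity": {"email": "alice@example.com"}},
    {"actionName": "updateMetastore", "response": {"statusCode": 403},
     "requestParams": {"id": "m1", "owner": "mallory@example.com"},
     "userIdentity": {"email": "mallory@example.com"}},
]
```

Running `findings(SAMPLE_EVENTS)` yields two findings (the ownership transfer and the metastore-admins addition); the benign group change and the failed transfer are ignored.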
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Group
- Application Log
ATT&CK Techniques
- T1098
Created: 2026-04-01