Databricks MFA Key Change

Panther Rules

Summary
Detects the addition or deletion of MFA keys on Databricks accounts by analyzing Databricks Audit (accounts service) events. Deletion of an MFA key may indicate an attacker attempting to weaken account security, while an unexpected addition may indicate enrollment of an attacker-controlled authenticator. The rule triggers on mfaAddKey and mfaDeleteKey actions from the accounts service and is scoped to the Databricks Accounts API; it should not alert on actions in the workspace service or on logins unrelated to MFA. The runbook prompts validation of the actor's intent, checks whether the key change was a replacement or a new enrollment, and guides assessment of remediation for potential compromise. It references an external detection app for implementation details.
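An added example (not the rule's own source, which this page only links to) of how the scoping described above can be expressed as a Panther-style Python rule. The Databricks audit field names serviceName, actionName and userIdentity.email, the severity mapping and the constructed sample events are assumptions, not taken from the page.

```python
# Added illustration of the detection logic described on this page; not
# Panther's published rule. Field names follow the Databricks audit log
# format as assumed here (serviceName, actionName, userIdentity.email).

MFA_KEY_ACTIONS = {"mfaAddKey", "mfaDeleteKey"}


def rule(event: dict) -> bool:
    """Fire only for MFA key changes recorded by the accounts service."""
    # Workspace-service events (and any other service) are out of scope.
    if event.get("serviceName") != "accounts":
        return False
    # Non-MFA account actions (plain logins, etc.) must not alert.
    return event.get("actionName") in MFA_KEY_ACTIONS


def title(event: dict) -> str:
    """Alert title naming the actor and the kind of key change."""
    actor = event.get("userIdentity", {}).get("email", "<unknown actor>")
    verb = "added" if event.get("actionName") == "mfaAddKey" else "deleted"
    return f"Databricks MFA key {verb} by [{actor}]"


def severity(event: dict) -> str:
    """Assumed mapping: a deleted key weakens the account more directly."""
    return "HIGH" if event.get("actionName") == "mfaDeleteKey" else "MEDIUM"


def evaluate(events: list) -> list:
    """Return alert titles for every event the rule matches."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events for a local sanity check (not real log data).
SAMPLE_EVENTS = [
    {"serviceName": "accounts", "actionName": "mfaAddKey",
     "userIdentity": {"email": "alice@example.com"}},
    {"serviceName": "accounts", "actionName": "mfaDeleteKey",
     "userIdentity": {"email": "bob@example.com"}},
    # Same action name but from the workspace service: must not alert.
    {"serviceName": "workspace", "actionName": "mfaDeleteKey",
     "userIdentity": {"email": "carol@example.com"}},
    # Accounts-service login unrelated to MFA keys: must not alert.
    {"serviceName": "accounts", "actionName": "login",
     "userIdentity": {"email": "dave@example.com"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```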
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • Application Log
ATT&CK Techniques
  • T1556
Created: 2026-04-01