
Summary
This rule detects when verbose audit logging is disabled in a Databricks workspace by monitoring workspace configuration edits that set the enableVerboseAuditLogs flag to false. It maps to MITRE ATT&CK technique TA0005:T1562.008 (Impair Defenses: Disable or Modify Audit Logging). The detector flags events in which an actor (identified by userIdentity.email) sets the workspace configuration key enableVerboseAuditLogs (carried in workspaceConfKeys) to false, and records the originating source IP and request details.

The runbook guidance is: (1) query audit logs for actions by the actor within ±6 hours of the disable event, (2) examine the 24-hour window around the change for suspicious data access, deletion, or privilege escalation, and (3) search the previous 7 days for other high-risk configuration changes by the same actor. The rule treats the case where a legitimate admin disables verbose logging as elevated risk, because it reduces visibility into security-relevant events, and escalates successful disables to CRITICAL severity.

Included are test scenarios covering both successful and failed attempts, as well as false positives for non-matching keys, different services, or enabling logging. The detection relies on Databricks audit logs, specifically the actor (userIdentity.email), source IP, requestParams (workspaceConfKeys and workspaceConfValues), and response status. Summary attributes to surface during investigations are the actor, source_ip, and config_status. This rule supports rapid detection of defensive evasion in cloud-based analytics environments and complements follow-up triage and containment.
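The following is an added example, not the rule's own code, that models the detection logic described above as plain Python over constructed Databricks audit log events. It assumes the Databricks audit schema field names serviceName, actionName, requestParams, userIdentity.email, sourceIPAddress and response.statusCode, assumes the configuration edit arrives as actionName "workspaceConfEdit" under serviceName "workspace", and assumes a default severity of HIGH for failed attempts (the page only states that successful disables are escalated to CRITICAL). The constructed scenarios mirror the test cases the summary lists: a successful disable, a failed disable, a non-matching key, a different service, and a re-enable.

```python
# Added example: minimal model of the "verbose audit logging disabled" detection.
# Field names and the action/service names below are assumptions about the
# Databricks audit log schema, not taken from the rule page.

SERVICE = "workspace"          # assumed service carrying workspace config edits
ACTION = "workspaceConfEdit"   # assumed action name for config edits
KEY = "enableVerboseAuditLogs"
DEFAULT_SEVERITY = "HIGH"      # assumed default for failed attempts


def _as_list(value):
    """workspaceConfKeys/Values may be a scalar or a list; normalize to list of str."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def rule(event: dict) -> bool:
    """True when the event sets enableVerboseAuditLogs to false."""
    if event.get("serviceName") != SERVICE or event.get("actionName") != ACTION:
        return False  # different service or action: not a config edit we care about
    params = event.get("requestParams") or {}
    keys = _as_list(params.get("workspaceConfKeys"))
    values = _as_list(params.get("workspaceConfValues"))
    # Keys and values are parallel; pair them so a multi-key edit is matched correctly.
    for key, value in zip(keys, values):
        if key == KEY and value.strip().lower() == "false":
            return True
    return False


def config_status(event: dict) -> str:
    """'succeeded' when the API returned 200, otherwise 'failed'."""
    code = (event.get("response") or {}).get("statusCode")
    return "succeeded" if code == 200 else "failed"


def severity(event: dict) -> str:
    """Successful disables are escalated to CRITICAL; failed attempts keep the default."""
    return "CRITICAL" if config_status(event) == "succeeded" else DEFAULT_SEVERITY


def summary_attributes(event: dict) -> dict:
    """Attributes an analyst wants surfaced on the alert."""
    return {
        "actor": (event.get("userIdentity") or {}).get("email"),
        "source_ip": event.get("sourceIPAddress"),
        "config_status": config_status(event),
    }


def title(event: dict) -> str:
    a = summary_attributes(event)
    return (f"Databricks verbose audit logging disable {a['config_status']} "
            f"by {a['actor']} from {a['source_ip']}")


def make_event(key=KEY, value="false", service=SERVICE, status=200):
    """Build a constructed (not real) Databricks audit event for testing."""
    return {
        "serviceName": service,
        "actionName": ACTION,
        "userIdentity": {"email": "admin@example.com"},
        "sourceIPAddress": "203.0.113.10",   # constructed documentation address
        "requestParams": {"workspaceConfKeys": key, "workspaceConfValues": value},
        "response": {"statusCode": status},
    }


# Constructed scenarios matching the test cases the summary describes.
SCENARIOS = {
    "success": make_event(),
    "failed": make_event(status=403),
    "other_key": make_event(key="enableTokensConfig"),
    "other_service": make_event(service="clusters"),
    "enable": make_event(value="true"),
}


def run_scenarios() -> dict:
    """Return {name: (fires, severity_or_None)} for every constructed scenario."""
    return {name: (rule(ev), severity(ev) if rule(ev) else None)
            for name, ev in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (fires, sev) in run_scenarios().items():
        print(f"{name:14s} fires={fires!s:5s} severity={sev}")
    print(title(SCENARIOS["success"]))
```

Pairing workspaceConfKeys with workspaceConfValues by position matters: a single edit request can carry several keys, and matching on the key alone would fire when enableVerboseAuditLogs is set to true alongside some other key being set to false.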
Categories
- Cloud
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1562.008
Created: 2026-04-01