
Summary
This rule detects password change events on Databricks accounts by monitoring Databricks audit logs. It fires when an audit log entry has serviceName set to "accounts" and actionName set to "changePassword", and uses userIdentity.email to identify the affected user. The detection covers both successful (statusCode 200) and failed (statusCode 403) password change attempts, giving visibility into legitimate password rotations as well as unauthorized resets that may follow an account compromise.

The rule is labeled Info and is in Experimental status, reflecting its informational posture rather than a high-severity alert. The MITRE mapping associates it with TA0006:T1098 (Credential Access / Account Discovery). The runbook advises verifying that the account owner made the change, correlating it with prior suspicious activity (failed logins, MFA changes), and, if the change was unauthorized, forcing a password reset and revoking active sessions.

The reference points to a Databricks-specific detection repository whose tests illustrate correct and incorrect alerting criteria. The rule is designed for cloud-hosted Databricks environments and relies on audit events emitted by the Databricks cloud service. Potential enhancements include correlating with IP anomalies, unusual login times, or MFA status to reduce false positives and improve detection of targeted credential abuse.
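The following is an added example, not the rule's own source code or the detection repository's tests, showing the matching logic the summary describes run over a few constructed Databricks audit events. It assumes a rule(event)/title(event) function layout, that the audit record carries serviceName and actionName at the top level, the user under userIdentity.email, and the HTTP status under response.statusCode; the three sample events (including the e-mail addresses) are constructed for illustration.

```python
# Added example: a minimal implementation of the password-change detection
# the summary describes. Not the rule's own code; field paths are assumptions.
from typing import Any, Dict, List, Tuple


def deep_get(event: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return default if any level is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """Match only account-service password change entries.

    The status code is deliberately not filtered here: both a successful (200)
    and a denied (403) attempt are interesting, so outcome is reported in the
    title rather than used to suppress the alert.
    """
    return (
        event.get("serviceName") == "accounts"
        and event.get("actionName") == "changePassword"
    )


def outcome(event: Dict[str, Any]) -> str:
    """Translate response.statusCode (assumed path) into a human-readable outcome."""
    status = deep_get(event, "response", "statusCode")
    try:
        code = int(status)
    except (TypeError, ValueError):
        return "unknown status"
    if code == 200:
        return "succeeded"
    if code == 403:
        return "denied"
    return f"status {code}"


def title(event: Dict[str, Any]) -> str:
    """Alert title keyed on the affected user's e-mail, as the summary specifies."""
    email = deep_get(event, "userIdentity", "email", default="<unknown user>")
    return f"Databricks account password change for {email} ({outcome(event)})"


# Constructed sample events (not real log data): one success, one denied
# attempt, and one unrelated accounts-service action that must not match.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "serviceName": "accounts",
        "actionName": "changePassword",
        "userIdentity": {"email": "alice@example.com"},
        "response": {"statusCode": 200},
    },
    {
        "serviceName": "accounts",
        "actionName": "changePassword",
        "userIdentity": {"email": "bob@example.com"},
        "response": {"statusCode": 403, "errorMessage": "permission denied"},
    },
    {
        "serviceName": "accounts",
        "actionName": "login",
        "userIdentity": {"email": "carol@example.com"},
        "response": {"statusCode": 200},
    },
]


def evaluate(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (email, title) for every event the rule matches."""
    return [
        (deep_get(e, "userIdentity", "email", default="<unknown user>"), title(e))
        for e in events
        if rule(e)
    ]


if __name__ == "__main__":
    for _, alert_title in evaluate(SAMPLE_EVENTS):
        print(alert_title)
```

Running the block prints two alerts, one for the successful change and one for the denied attempt; the unrelated login event is ignored. Because status is surfaced in the title rather than filtered, a triage analyst can see at a glance whether the runbook's "unauthorized reset" branch applies.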
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2026-04-01