Audit log reference
Note
This feature requires the Premium plan.
This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the audit logs, your enterprise can monitor detailed Databricks usage patterns in your account.
The easiest way to access and query your account’s audit logs is by using system tables (Public Preview).
If you’d like to configure a regular log delivery, see Configure audit log delivery.
Audit log services
The following services and their events are logged by default in audit logs.
Workspace-level services
Workspace-level audit logs are available for these services:
Service name |
Description |
---|---|
Events related to accounts, users, groups, and IP access lists. |
|
Events related to AI/BI Genie spaces. |
|
Events related to cluster policies. |
|
Events related to clusters. |
|
Events related to AI/BI dashboard use. |
|
Events related to Databricks SQL use. |
|
Events related to DBFS. |
|
Events related to Delta Live Table pipelines. |
|
Events related to the Databricks Feature Store. |
|
Events related to file management, which includes interacting with files using the Files API or in the volumes UI. |
|
Events related to workspace access by support personnel. These events are not related AI/BI Genie spaces. |
|
Events related to Git credentials for Databricks Git folders. See also |
|
Events related to global init scripts. |
|
Events related to account and workspace groups. |
|
Events related to IAM role permissions. |
|
Events related to file uploads. |
|
Events related to pools. |
|
Events related to jobs. |
|
Events related to data lineage. |
|
Events related to consumer actions in Databricks Marketplace. |
|
Events related to provider actions in Databricks Marketplace. |
|
Events related to ML Flow artifacts with ACLs. |
|
Events related to ML Flow experiments. |
|
Events related to the model registry. |
|
Events related to notebooks. |
|
Events related to Partner Connect. |
|
Events related to adding a removing GitHub Credentials. |
|
Events related to Databricks Git folders. See also |
|
Events related to secrets. |
|
Events related to the legacy Hive metastore table access control. |
|
Events related to SSH access. |
|
Events related to the web terminal feature. |
|
Events related to workspaces. |
Account-level services
Account-level audit logs are available for these services:
Service name |
Description |
---|---|
Actions related to billable usage access in the account console. |
|
Actions related to account-level access and identity management. |
|
Actions related to account-level access control rules. |
|
Actions performed in the account console. |
|
Log delivery configuration for such as billable usage or audit logs. |
|
Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events. |
Audit log example schema
In Databricks, audit logs output events in a JSON format. The serviceName
and actionName
properties identify the event. The naming convention follows the Databricks REST API.
The following example is for a createMetastoreAssignment
event.
{
"version":"2.0",
"auditLevel":"ACCOUNT_LEVEL",
"timestamp":1629775584891,
"orgId":"3049056262456431186970",
"shardName":"test-shard",
"accountId":"77636e6d-ac57-484f-9302-f7922285b9a5",
"sourceIPAddress":"10.2.91.100",
"userAgent":"curl/7.64.1",
"sessionId":"f836a03a-d360-4792-b081-baba525324312",
"userIdentity":{
"email":"crampton.rods@email.com",
"subjectName":null
},
"serviceName":"unityCatalog",
"actionName":"createMetastoreAssignment",
"requestId":"ServiceMain-da7fa5878f40002",
"requestParams":{
"workspace_id":"30490590956351435170",
"metastore_id":"abc123456-8398-4c25-91bb-b000b08739c7",
"default_catalog_name":"main"
},
"response":{
"statusCode":200,
"errorMessage":null,
"result":null
},
"MAX_LOG_MESSAGE_LENGTH":16384
}
Audit log schema considerations
If actions take a long time, the request and response are logged separately but the request and response pair have the same
requestId
.Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user
System-User
.The
requestParams
field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string... truncated
is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a singleTRUNCATED
key with an empty value is present instead.
Account events
The following are accounts
events logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user is reactivated after being deactivated. See Deactivate users in workspace. |
|
|
|
A user is added to a Databricks workspace. |
|
|
|
A user is added to a workspace-level group. |
|
|
|
A user’s Databricks SQL permissions are changed. |
|
|
|
Permissions to a workspace are changed. |
|
|
|
When permissions on a token are changed. |
|
|
|
A user’s account password is changed. |
|
|
|
A user’s account password is changed. |
|
|
|
When a service principal’s permissions are changed. |
|
|
|
A workspace-level group is created. |
|
|
|
An IP access list is added to the workspace. |
|
|
|
A user is deactivated in the workspace. See Deactivate users in workspace. |
|
|
|
A user is deleted from the Databricks workspace. |
|
|
|
An IP access list is deleted from the workspace. |
|
|
|
A user runs a garbage collect command on expired tokens. |
|
|
|
A user logs in to their workspace through the GCP browser workflow. |
|
|
|
When someone generates a token from User Settings or when the service generates the token. |
|
|
|
A user attempts to connect to the service through a denied IP. |
|
|
|
|
|
|
|
User logs into Databricks using a JWT. |
|
|
|
User logs into the workspace. |
|
|
|
User logs out of the workspace. |
|
|
|
When the current number of non-expired tokens exceeds the token quota |
|
|
|
A user is revoked of workspace admin permissions. |
|
|
|
A group is removed from the workspace. |
|
|
|
A user is removed from a group. |
|
|
|
A user’s account password is changed. |
|
|
|
A user’s token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account. |
|
|
|
User logs in to Databricks through SAML SSO. |
|
|
|
A user is granted account admin permissions. |
|
|
|
A user logs into Databricks using a token. |
|
|
|
An IP access list is changed. |
|
|
|
An account admin updates a user’s account. |
|
|
|
When a user validates their email after account creation. |
|
AI/BI Genie events
The following are aibiGenie
events logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user creates a new Genie space. The |
|
|
|
A user accesses the Genie space. |
|
|
|
A user updates the settings of a Genie space. Possible settings include the title, description, warehouse, tables, and sample questions. |
|
|
|
A Genie space is moved to trash. |
|
|
|
A user clones a Genie space. |
|
|
|
A user creates a new conversation thread in the Genie space. |
|
|
|
A user opens the list of conversations in the Genie space. |
|
|
|
A user opens a conversation thread in the Genie space. |
|
|
|
A user updates a conversation thread’s title. |
|
|
|
A user deletes a conversation thread in the Genie space. |
|
|
|
A user with CAN MANAGE permissions accesses the Genie space’s history, which includes messages submitted by all users. |
|
|
|
A user with at least CAN VIEW permissions accesses the Genie space’s history and views their own previously submitted messages. |
|
|
|
A user retrieves the full query results (up to ~1GB in size). |
|
|
|
Genie retrieves the query results associated with a conversation message. |
|
|
|
A user updates and reruns a query in a message. |
|
|
|
A user submits a new message to the Genie space. |
|
|
|
A user accesses a message in the Genie space. |
|
|
|
A user deletes an existing message. |
|
|
|
A user regenerates a Genie response to an existing message. |
|
|
|
A user updates an attribute of a message in the Genie space. For example, they might request a review or edit the SQL in the response. |
|
|
|
A user updates feedback to a Genie answer. |
|
|
|
Genie executes generated SQL to return query results, including refresh data actions. |
|
|
|
A user cancels a message before Genie finishes responding. |
|
|
|
A user creates an instruction for a Genie space. |
|
|
|
A user navigates to the Instructions tab or the Data tab. |
|
|
|
A user updates an instruction for a Genie space. |
|
|
|
A user deletes an instruction for a Genie space. |
|
|
|
A user updates the default sample questions for the space. |
|
|
|
A user creates a sample question or benchmark question. |
|
|
|
A user deletes a sample question or benchmark question. |
|
|
|
A user accesses the list of sample questions or benchmark questions in a space. This is logged whenever users open a new chat, view benchmarks, or add sample questions. |
|
|
|
A user updates a sample question or benchmark question. |
|
|
|
Genie creates an evaluation result for a specific question in an evaluation run. |
|
|
|
A user accesses the results for a specific question in an evaluation run. |
|
|
|
A user accesses the query results for a specific question in an evaluation run. |
|
|
|
A user updates their evaluation result for a specific question. |
|
|
|
A user creates a new evaluation run. |
|
|
|
A user accesses the list of results for an evaluation run. |
|
|
|
A user accesses the list of all evaluation runs. |
|
|
|
A user adds a feedback comment to a conversation message. |
|
|
|
A user accesses a list of the feedback comments from a space. |
|
|
|
A user deletes a feedback comment added to a conversation message. |
|
Clusters events
The following are cluster
events logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user changes the cluster ACL. |
|
|
|
A user creates a cluster. |
|
|
|
Results from cluster creation. In conjunction with |
|
|
|
A cluster is terminated. |
|
|
|
Results from cluster termination. In conjunction with |
|
|
|
A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior. |
|
|
|
A cluster is deleted from the UI. |
|
|
|
Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior. |
|
|
|
Results from cluster resize. In conjunction with |
|
|
|
A user restarts a running cluster. |
|
|
|
Results from cluster restart. In conjunction with |
|
|
|
A user starts a cluster. |
|
|
|
Results from cluster start. In conjunction with |
|
Cluster libraries events
The following are clusterLibraries
events logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
User installs a library on a cluster. |
|
|
|
User uninstalls a library on a cluster. |
|
|
|
A workspace admin schedules a library to install on all cluster. |
|
|
|
A workspace admin removes a library from the list to install on all clusters. |
|
Cluster policy events
The following are clusterPolicies
events logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user created a cluster policy. |
|
|
|
A user edited a cluster policy. |
|
|
|
A user deleted a cluster policy. |
|
|
|
A workspace admin changes permissions for a cluster policy. |
|
Dashboards events
The following are dashboards
events logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard. |
|
|
|
A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email. |
|
|
|
A user executes a query from a dashboard. |
|
|
|
A user cancels a query from a dashboard. |
|
|
|
A user receives the results of a query from a dashboard. |
|
|
|
A PDF snapshot of a dashboard is sent through a scheduled email. The request parameters values depend on the type of recipient. For a Databricks notification destination, only the |
|
|
|
A user accesses details of a draft dashboard, such as datasets and widgets. |
|
|
|
A user creates a new AI/BI dashboard using the UI or API. |
|
|
|
A user makes an update to an AI/BI dashboard using the UI or API. |
|
|
|
A user clones an AI/BI dashboard. |
|
|
|
A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API. |
|
|
|
A user unpublishes a published AI/BI dashboard using the UI or API. |
|
|
|
A user moves an AI/BI dashboard to the trash using the UI or API. |
|
|
|
A user restores an AI/BI dashboard from the trash. |
|
|
|
A user migrates a DBSQL dashboard to an AI/BI dashboard. |
|
|
|
A user creates an email subscription schedule. |
|
|
|
A user makes an update to an AI/BI dashboard’s schedule. |
|
|
|
A user deletes an AI/BI dashboard’s schedule. |
|
|
|
A user subscribes an email destination to an AI/BI dashboard schedule. |
|
|
|
A user deletes an email destination from an AI/BI dashboard schedule. |
|
Databricks SQL events
The following are databrickssql
events logged at the workspace level.
Note
If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A widget is added to a dashboard. |
|
|
|
A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API. |
|
|
|
A warehouse manager updates permissions on a SQL warehouse. |
|
|
|
A user updates permissions on an object. |
|
|
|
A user clones a dashboard. |
|
|
|
Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request. |
|
|
|
Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request. |
|
|
|
A user creates an alert. |
|
|
|
A workspace admin creates a notification destination. |
|
|
|
A user creates a dashboard. |
|
|
|
A user creates a data preview dashboard. |
|
|
|
A user with the cluster create entitlement creates a SQL warehouse. |
|
|
|
A user creates a new query. |
|
|
|
A user creates a query draft. |
|
|
|
A user creates a query snippet. |
|
|
|
A user creates a sample dashboard. |
|
|
|
A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. |
|
|
|
A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI. |
|
|
|
A workspace admin deletes a notification destination. |
|
|
|
A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI. |
|
|
|
A user deletes a dashboard widget. |
|
|
|
A warehouse manager deletes a SQL warehouse. |
|
|
|
A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI. |
|
|
|
A user deletes a query draft. |
|
|
|
A user deletes a query snippet. |
|
|
|
A user deletes a visualization from a query in the SQL Editor. |
|
|
|
A user downloads a query result from the SQL Editor. Excludes downloads from dashboards. |
|
|
|
A warehouse manager makes edits to a SQL warehouse. |
|
|
|
Generated by one of the following:
|
|
|
|
A user runs a saved query. |
|
|
|
Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include:
|
|
|
|
A user favorites a dashboard. |
|
|
|
A user favorites a query. |
|
|
|
A user clones a query. |
|
|
|
A user opens the query listing page or calls the list query API. |
|
|
|
A user moves an alert to the trash. |
|
|
|
A user moves a dashboard to the trash. |
|
|
|
A user moves a query to the trash. |
|
|
|
A user restores an alert from the trash. |
|
|
|
A user restores a dashboard from the trash. |
|
|
|
A user restores a query from the trash. |
|
|
|
A warehouse manager sets the configuration for a SQL warehouse. |
|
|
|
A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots. |
|
|
|
A SQL warehouse is started. |
|
|
|
A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses. |
|
|
|
A workspace admin transfers the ownership of a dashboard, query, or alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event. |
|
|
|
A user removes a dashboard from their favorites. |
|
|
|
A user removes a query from their favorites. |
|
|
|
A user makes updates to an alert. |
|
|
|
A workspace admin makes an update to a notification destination. |
|
|
|
A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include:
|
|
|
|
A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include:
|
|
|
|
A workspace admin makes updates to the workspace’s SQL settings. |
|
|
|
A user makes an update to a query. |
|
|
|
A user makes an update to a query draft. |
|
|
|
A user makes an update to a query snippet. |
|
|
|
A user updates a visualization from either the SQL Editor or the dashboard. |
|
DBFS events
The following tables include dbfs
events logged at the workspace level.
There are two types of DBFS events: API calls and operational events.
DBFS API events
The following DBFS audit events are only logged when written through the DBFS REST API.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS. |
|
|
|
User opens a stream to write a file to DBFs. |
|
|
|
User deletes the file or directory from DBFs. |
|
|
|
User creates a new DBFS directory. |
|
|
|
User moves a file from one location to another location within DBFs. |
|
|
|
User uploads a file through the use of multipart form post to DBFs. |
|
Delta pipelines events
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user changes permissions on a pipeline. |
|
|
|
A user creates a Delta Live Tables pipeline. |
|
|
|
A user deletes a Delta Live Tables pipeline. |
|
|
|
A user edits a Delta Live Tables pipeline. |
|
|
|
A user restarts a Delta Live Tables pipeline. |
|
|
|
A user stops a Delta Live Tables pipeline. |
|
Feature store events
The following featureStore
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A consumer is added to the feature store. |
|
|
|
A data source is added to a feature table. |
|
|
|
A producer is added to a feature table. |
|
|
|
Permissions are changed in a feature table. |
|
|
|
A feature table is created. |
|
|
|
Features are created in a feature table. |
|
|
|
A feature table is deleted. |
|
|
|
Tags are deleted from a feature table. |
|
|
|
A user makes a call to get the consumers in a feature table. |
|
|
|
A user makes a call to get feature tables. |
|
|
|
A user makes a call to get feature table IDs. |
|
|
|
A user makes a call to get features. |
|
|
|
A user makes a call to get Model Serving metadata. |
|
|
|
A user makes a call to get online store details. |
|
|
|
A user makes a call to get tags for a feature table. |
|
|
|
A feature table is published. |
|
|
|
A user searches for feature tables. |
|
|
|
Tags are added to a feature table. |
|
|
|
A feature table is updated. |
|
Files events
The following filesystem
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
User downloads a file using the Files API or the volumes UI. |
|
|
|
User uploads a file using the Files API or the volumes UI. |
|
|
|
User deletes a file using the Files API or the volumes UI. |
|
|
|
User gets information about a file using the Files API or the volumes UI. |
|
Genie events
The following genie
events are logged at the workspace level.
Note
This service is unrelated to AI/BI Genie spaces. See AI/BI Genie events.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A Databricks personnel is authorized to access a customer environment. |
|
Git credential events
The following gitCredentials
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user gets a git credentials. |
|
|
|
A user lists all git credentials |
none |
|
|
A user deletes a git credential. |
|
|
|
A user updates a git credential. |
|
|
|
A user creates a git credential. |
|
Global init scripts events
The following globalInitScripts
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A workspace admin creates a global initialization script. |
|
|
|
A workspace admin updates a global initialization script. |
|
|
|
A workspace admin deletes a global initialization script. |
|
Groups events
The following groups
events are logged at the workspace level. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Account events and Account-level account events.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
An admin adds a user to a group. |
|
|
|
An admin creates a group. |
|
|
|
An admin views group members. |
|
|
|
An admin views a list of groups |
none |
|
|
An admin views inherited groups |
none |
|
|
An admin removes a group. |
|
IAM role events
The following iamRole
event is logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A workspace admin changes permissions for an IAM role. |
|
Ingestion events
The following ingestion
event is logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user uploads a file to their Databricks workspace. |
|
Instance pool events
The following instancePools
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user changes an instance pool’s permissions. |
|
|
|
A user creates an instance pool. |
|
|
|
A user deletes an instance pool. |
|
|
|
A user edits an instance pool. |
|
Job events
The following jobs
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A job run is cancelled. |
|
|
|
A user cancels all runs on a job. |
|
|
|
A user updates permissions on a job. |
|
|
|
A user creates a job. |
|
|
|
A user deletes a job. |
|
|
|
A user deletes a job run. |
|
|
|
A user makes an API call to get a run output. |
|
|
|
A user repairs a job run. |
|
|
|
A job is reset. |
|
|
|
A user requests the change of a job’s permissions. |
|
|
|
Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook. |
|
|
|
A job run fails. |
|
|
|
A user triggers an on-demand job run. |
|
|
|
Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include:
|
|
|
|
A job run is successful. |
|
|
|
A job schedule is triggered automatically according to its schedule or trigger. |
|
|
|
A webhook is sent either when the job begins, completes, or fails. |
|
|
|
A user sets values for a task. |
|
|
|
A user submits a one-time run via the API. |
|
|
|
A user edits a job’s settings. |
|
Lineage tracking events
The following lineageTracking
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user accesses the list of the upstream or downstream columns of a column. |
|
|
|
A user accesses the list of the upstream or downstream securables of a securable. |
|
|
|
A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable. |
|
|
|
A user gets the column lineages for a table and its column. |
|
|
|
A user gets the upstream and downstream lineages of a table. |
|
|
|
A user gets the upstream and downstream table lineages of a job. |
|
|
|
A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function. |
|
|
|
A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version. |
|
|
|
A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.). |
|
|
|
A user gets the frequently joined tables for a table. |
|
|
|
A user gets the frequent queries for a table. |
|
|
|
A user gets the frequent users for a table. |
|
|
|
A user gets the popularity (query count) for a table for the past month. |
|
|
|
A user gets the popular entities (notebooks, jobs, etc.) for a table. |
|
|
|
A user gets the table popularity info for a list of tables. |
|
Marketplace consumer events
The following marketplaceConsumer
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user gets access to a data product through the Databricks Marketplace. |
|
|
|
A user requests access to a data product that requires provider approval. |
|
Marketplace provider events
The following marketplaceProvider
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A metastore admin creates a listing in their provider profile. |
|
|
|
A metastore admin makes an update to a listing in their provider profile. |
|
|
|
A metastore admin deletes a listing in their provider profile. |
|
|
|
A metastore admins approves or denies a data product request. |
|
|
|
A metastore admin creates a provider profile. |
|
|
|
A metastore admin makes an update to their provider profile. |
|
|
|
A metastore admin deletes their provider profile. |
|
|
|
A provider uploads a file to their provider profile. |
|
|
|
A provider deletes a file from their provider profile. |
|
MLflow artifacts with ACL events
The following mlflowAcledArtifact
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user makes call to read an artifact. |
|
|
|
A user makes call to write to an artifact. |
|
MLflow experiment events
The following mlflowExperiment
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user creates an MLflow experiment. |
|
|
|
A user deletes an MLflow experiment. |
|
|
|
A user moves an MLflow experiment. |
|
|
|
A user restores an MLflow experiment. |
|
|
|
A user renames an MLflow experiment. |
|
MLflow model registry events
The following mlflowModelRegistry
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A user approves a model version stage transition request. |
|
|
|
A user updates permissions for a registered model. |
|
|
|
A user posts a comment on a model version. |
|
|
|
A user creates a model version. |
|
|
|
A user creates a new registered model |
|
|
|
User creates a webhook for Model Registry events. |
|
|
|
A user creates a model version stage transition request. |
|
|
|
A user deletes a comment on a model version. |
|
|
|
A user deletes a model version. |
|
|
|
A user deletes a model version tag. |
|
|
|
A user deletes a registered model |
|
|
|
A user deletes the tag for a registered model. |
|
|
|
User deletes a Model Registry webhook. |
|
|
|
A user cancels a model version stage transition request. |
|
|
|
Completed asynchronous model copying. |
|
|
|
Batch inference notebook is autogenerated. |
|
|
|
Inference notebook for a Delta Live Tables pipeline is autogenerated. |
|
|
|
A user gets a URI to download the model version. |
|
|
|
A user gets a URI to download a signed model version. |
|
|
|
A user makes a call to list a model’s artifacts. |
|
|
|
A user makes a call to list all registry webhooks in the model. |
|
|
|
A user rejects a model version stage transition request. |
|
|
|
A user renames a registered model |
|
|
|
A user updates the email subscription status for a registered model |
|
|
|
A user sets a model version tag. |
|
|
|
A user sets a model version tag. |
|
|
|
A user updates their email notifications status for the whole registry. |
|
|
|
A user tests the Model Registry webhook. |
|
|
|
A user gets a list of all open stage transition requests for the model version. |
|
|
|
A Model Registry webhook is triggered by an event. |
|
|
|
A user post an edit to a comment on a model version. |
|
|
|
A user updates a Model Registry webhook. |
|
Notebook events
The following notebook
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A notebook is attached to a cluster. |
|
|
|
A user clones a notebook. |
|
|
|
A notebook is created. |
|
|
|
A notebook folder is deleted. |
|
|
|
A notebook is deleted. |
|
|
|
A notebook is detached from a cluster. |
|
|
|
A user downloads query results too large to display in the notebook. |
|
|
|
A user downloads the query results. |
|
|
|
A user imports a notebook. |
|
|
|
A notebook folder is moved from one location to another. |
|
|
|
A notebook is moved from one location to another. |
|
|
|
A notebook is renamed. |
|
|
|
A deleted folder is restored. |
|
|
|
A deleted notebook is restored. |
|
|
|
Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.
|
|
|
|
Notebook snapshots are taken when either the job service or mlflow is run. |
|
Partner Connect events
The following partnerHub
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A workspace admin sets up a connection to a partner solution. |
|
|
|
A workspace admin deletes a partner connection. |
|
|
|
A workspace admin downloads the partner connection file. |
|
|
|
A workspace admin sets up resources for a partner connection. |
|
Remote history service events
The following remoteHistoryService
events are logged at the workspace level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
User adds Github Credentials |
none |
|
|
User removes Github Credentials |
none |
|
|
User updates Github Credentials |
none |
Git folder events
The following repos
events are logged at the workspace level.
Service |
Action name |
Description |
Request parameters |
---|---|---|---|
|
|
A user checks out a branch on the repo. |
|
|
|
A user commits and pushes to a repo. |
|
|
|
A user creates a repo in the workspace |
|
|
|
A user deletes a repo. |
|
|
|
A user discards a commit to a repo. |
|
|
|
A user makes a call to get information about a single repo. |
|
|
|
A user makes a call to get all repos they have Manage permissions on. |
|
|
|
A user pulls the latest commits from a repo. |
|
|
|
A user updates the repo to a different branch or tag, or to the latest commit on the same branch. |
|
Secrets events
The following secrets
events are logged at the workspace level.
Service |
Action name |
Description |
Request parameters |
---|---|---|---|
|
|
User creates a secret scope. |
|
|
|
User deletes ACLs for a secret scope. |
|
|
|
User deletes a secret scope. |
|
|
|
User deletes a secret from a scope. |
|
|
|
User gets ACLs for a secret scope. |
|
|
|
User gets a secret from a scope. |
|
|
|
User makes a call to list ACLs for a secret scope. |
|
|
|
User makes a call to list secret scopes |
none |
|
|
User makes a call to list secrets within a scope. |
|
|
|
User changes ACLs for a secret scope. |
|
|
|
User adds or edits a secret within a scope. |
|
SQL table access events
Note
The sqlPermissions
service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.
The following sqlPermissions
events are logged at the workspace level.
Service |
Action name |
Description |
Request parameters |
---|---|---|---|
|
|
Workspace admin or owner of an object transfers object ownership. |
|
|
|
User creates a securable object. |
|
|
|
Object owner denies privileges on a securable object. |
|
|
|
Object owner grants permission on a securable object. |
|
|
|
User drops a securable object. |
|
|
|
User renames a securable object. |
|
|
|
User requests permissions on a securable object. |
|
|
|
Object owner revokes permissions on their securable object. |
|
|
|
User views securable object permissions. |
|
SSH events
The following ssh
events are logged at the workspace level.
Service |
Action name |
Description |
Request parameters |
---|---|---|---|
|
|
Agent login of SSH into Spark driver. |
|
|
|
Agent logout of SSH from Spark driver. |
|
Web terminal events
The following webTerminal
events are logged at the workspace level.
Service |
Action name |
Description |
Request parameters |
---|---|---|---|
|
|
User starts a web terminal sessions. |
|
|
|
User closes a web terminal session. |
|
Workspace events
The following workspace
events are logged at the workspace level.
Service |
Action name |
Description |
Request parameters |
---|---|---|---|
|
|
Permissions to the workspace are changed. |
|
|
|
A setting is deleted from the workspace. |
|
|
|
User creates a file in the workspace. |
|
|
|
User deletes a file in the workspace. |
|
|
|
User opens the file editor. |
|
|
|
User gets a workspace’s user roles. |
|
|
|
A workspace admin moves workspace node. |
|
|
|
A workspace admin purges workspace nodes. |
|
|
|
A workspace admin renames workspace nodes. |
|
|
|
A workspace admin updates a workspace user’s role. |
|
|
|
A workspace admin adds a principal to the workspace. |
|
|
|
A workspace admin configures a workspace setting. |
|
|
|
Workspace admin makes updates to a setting, for example enabling verbose audit logs. |
|
|
|
User exports a notebook from a workspace. |
|
Billable usage events
The following accountBillableUsage
events are logged at the account level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature. |
|
|
|
User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature. |
|
Account-level account events
The following accounts
events are logged at the account level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
An OAuth client is authenticated. |
|
|
|
IP permissions validation fails. Returns statusCode 403. |
|
|
|
A user is reactivated after being deactivated. See Deactivate users in account. |
|
|
|
A user is added to the Databricks account. |
|
|
|
A user is added to an account-level group. |
|
|
|
Users are added to an account-level group using SCIM provisioning. |
|
|
|
An account-level group is created. |
|
|
|
A user is deactivated. See Deactivate users in account. |
|
|
|
A user is deleted from the Databricks account. |
|
|
|
Account admin removes a setting from the Databricks account. |
|
|
|
A user runs a garbage collect command on expired tokens. |
|
|
|
User generates a token from User Settings or when the service generates the token. |
|
|
|
A user logs into the account console. |
|
|
|
A user logs out of the account console. |
|
|
|
An account admin removes account admin permissions from another user. |
|
|
|
A group is removed from the account. |
|
|
|
A user is removed from an account-level group. |
|
|
|
Users are removed from an account-level group using SCIM provisioning. |
|
|
|
An account admin assigns the account admin role to another user. |
|
|
|
An account admin updates an account-level setting. |
|
|
|
A user logs into Databricks using a token. |
|
|
|
An account admin updates a user account. |
|
|
|
An account admin updates an account-level group. |
|
|
|
When a user validates their email after account creation. |
|
Account-level access control events
The following accountsAccessControl
event is logged at the account level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
When a rule set is changed. |
|
Account management events
The following accountsManager
events are logged at the account level. These events have to do with configurations made by account admins in the account console.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
Account owner role is transferred to another account admin. |
|
|
|
Account admin created a network configuration. |
|
|
|
Account admin created a private access settings configuration. |
|
|
|
Account admin created a VPC endpoint configuration. |
|
|
|
Account admin creates a new workspace. |
|
|
|
Account admin deleted a network configuration. |
|
|
|
Account admin deleted a private access settings configuration. |
|
|
|
Account admin deleted a VPC endpoint configuration. |
|
|
|
Account admin deleted a workspace. |
|
|
|
Account admin requests details about a network configuration. |
|
|
|
Account admin requests details about a private access settings configuration. |
|
|
|
Account admin requests details about a VPC endpoint configuration. |
|
|
|
Account admin requests details about a workspace. |
|
|
|
Account admin lists all network configurations in the account. |
|
|
|
Account admin lists all private access settings configurations in the account. |
|
|
|
Account admin lists all account billing subscriptions. |
|
|
|
Account admin listed all VPC endpoint configurations for the account. |
|
|
|
Account admin lists all workspace in the account. |
|
|
|
Account admin lists all encryption key records in a specific workspace. |
|
|
|
Account admin lists all encryption key records in the account. |
|
|
|
The account details were changed internally. |
|
|
|
The account billing subscriptions were updated. |
|
|
|
Admin updated the configuration for a workspace. |
|
Log delivery events
The following logDelivery
events are logged at the account level.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
Admin created a log delivery configuration. |
|
|
|
Admin requested details about a log delivery configuration. |
|
|
|
Admin listed all log delivery configurations in the account. |
|
|
|
Admin updated a log delivery configuration. |
|
Single-sign on events
The following ssoConfigBackend
events are logged at the account level and are related to SSO authentication for the account console.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
Account admin created an account console SSO configuration. |
|
|
|
Account admin requested details about an account console SSO configuration. |
|
|
|
Account admin updated an account console SSO configuration. |
|
Unity Catalog events
The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog
service. For Delta Sharing events, see Delta Sharing events. Unity Catalog audit events can be logged at the workspace level or account level depending on the event.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
Account admin creates a metastore. |
|
|
|
Account admin requests metastore ID. |
|
|
|
Account admin requests details about a metastore. |
|
|
|
Account admin requests a list of all metastores in an account. |
|
|
|
Account admin makes an update to a metastore. |
|
|
|
Account admin deletes a metastore. |
|
|
|
Account admin makes an update to a metastore’s workspace assignment. |
|
|
|
Account admin creates an external location. |
|
|
|
Account admin requests details about an external location. |
|
|
|
Account admin request list of all external locations in an account. |
|
|
|
Account admin makes an update to an external location. |
|
|
|
Account admin deletes an external location. |
|
|
|
User creates a catalog. |
|
|
|
User deletes a catalog. |
|
|
|
User requests details about a catalog. |
|
|
|
User updates a catalog. |
|
|
|
User makes a call to list all catalogs in the metastore. |
|
|
|
User creates a schema. |
|
|
|
User deletes a schema. |
|
|
|
User requests details about a schema. |
|
|
|
User requests a list of all schemas in a catalog. |
|
|
|
User updates a schema. |
|
|
|
|
|
|
|
User creates a table. The request parameters differ depending on the type of table created. |
|
|
|
User deletes a table. |
|
|
|
User requests details about a table. |
|
|
|
|
|
|
|
User makes a call to list all tables in a schema. |
|
|
|
User gets an array of summaries for tables for a schema and catalog within the metastore. |
|
|
|
User makes an update to a table. The request parameters displayed vary depending on the type of table updates made. |
|
|
|
Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials. |
|
|
|
Account admin makes a call to list all storage credentials in the account. |
|
|
|
Account admin requests details about a storage credential. |
|
|
|
Account admin makes an update to a storage credential. |
|
|
|
Account admin deletes a storage credential. |
|
|
|
Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when. |
|
|
|
Logged whenever a temporary credential is granted for a path. |
|
|
|
User makes a call to get permission details for a securable object. This call doesn’t return inherited permissions, only explicitly assigned permissions. |
|
|
|
User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions. |
|
|
|
User updates permissions on a securable object. |
|
|
|
User queries the metadata from a previous table version. |
|
|
|
User queries the metadata and permissions from a previous table version. |
|
|
|
User updates the metadata from a previous table version. |
|
|
|
User makes a call to get details about a foreign key. |
|
|
|
User makes a call to get details about a schema. |
|
|
|
User creates a constraint for a table. |
|
|
|
User deletes a constraint for a table. |
|
|
|
User creates a Unity Catalog pipeline. |
|
|
|
User updates a Unity Catalog pipeline. |
|
|
|
User requests details about a Unity Catalog pipeline. |
|
|
|
User deletes a Unity Catalog pipeline. |
|
|
|
Resource fails to delete |
none |
|
|
User creates a Unity Catalog volume. |
|
|
|
User makes a call to get information on a Unity Catalog volume. |
|
|
|
User updates a Unity Catalog volume’s metadata with the |
|
|
|
User deletes a Unity Catalog volume. |
|
|
|
User makes a call to get a list of all Unity Catalog volumes in a schema. |
|
|
|
A temporary credential is generated when a user performs a read or write on a volume. You can use this event to determine who accessed a volume and when. |
|
|
|
Tag assignments for a securable are fetched |
|
|
|
Tag assignments for a subentity are fetched |
|
|
|
Tag assignments for a securable are updated |
|
|
|
Tag assignments for a subentity are updated |
|
|
|
User creates a Unity Catalog registered model. |
|
|
|
User makes a call to get information on a Unity Catalog registered model. |
|
|
|
User updates a Unity Catalog registered model’s metadata. |
|
|
|
User deletes a Unity Catalog registered model. |
|
|
|
User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas. |
|
|
|
User creates a model version in Unity Catalog. |
|
|
|
User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows. |
|
|
|
User makes a call to get details on a model version. |
|
|
|
User makes a call to get details on a model version using the alias. |
|
|
|
User updates a model version’s metadata. |
|
|
|
User deletes a model version. |
|
|
|
User makes a call to get a list of Unity Catalog model versions in a registered model. |
|
|
|
A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when. |
|
|
|
User sets an alias on a Unity Catalog registered model. |
|
|
|
User deletes an alias on a Unity Catalog registered model. |
|
|
|
User gets a Unity Catalog model version by alias. |
|
|
|
A new foreign connection is created. |
|
|
|
A foreign connection is deleted. |
|
|
|
A foreign connection is retrieved. |
|
|
|
A foreign connection is updated. |
|
|
|
Foreign connections in a metastore are listed. |
|
|
|
User creates a new function. |
|
|
|
User updates a function. |
|
|
|
User requests a list of all functions within a specific parent catalog or schema. |
|
|
|
User requests a function from a parent catalog or schema. |
|
|
|
User requests a function from a parent catalog or schema. |
|
|
|
|
|
|
|
|
|
|
|
A temporary credential is generated to access a cloud service account from Databricks. |
|
Delta Sharing events
Delta Sharing events are broken up into two sections: events recorded in the data provider’s account and events recorded in the data recipient’s account.
Delta Sharing provider events
The following audit log events are logged in the provider’s account. Actions that are performed by recipients start with the deltaSharing
prefix. Each of these logs also includes request_params.metastore_id
, which is the metastore that manages the shared data, and userIdentity.email
, which is the ID of the user who initiated the activity.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A data recipient requests a list of shares. |
|
|
|
A data recipient requests details about a shares. |
|
|
|
A data recipient requests a list of shared schemas. |
|
|
|
A data recipient requests a list of all shared tables. |
|
|
|
A data recipient requests a list of shared tables. |
|
|
|
A data recipient requests a details about a table’s metadata. |
|
|
|
A data recipient requests a details about a table version. |
|
|
|
Logged when a data recipient queries a shared table. |
|
|
|
Logged when a data recipient queries change data for a table. |
|
|
|
Logged after a data recipient gets a response to their query. The |
|
|
|
Logged after a data recipient gets a response to their query. The |
|
|
|
A data recipient requests a list of shared notebook files. |
|
|
|
A data recipient queries a shared notebook file. |
|
|
|
A data recipient requests a list of functions in a parent schema. |
|
|
|
A data recipient requests a list of all shared functions. |
|
|
|
A data recipient requests a list of function versions. |
|
|
|
A data recipient requests a list of shared volumes in a schema. |
|
|
|
A data recipient requests all shared volumes. |
|
|
|
Provider updates their metastore. |
|
|
|
Provider creates a data recipient. |
|
|
|
Provider deletes a data recipient. |
|
|
|
Provider requests details about a data recipient. |
|
|
|
Provider requests a list of all their data recipients. |
none |
|
|
Provider rotates a recipient’s token. |
|
|
|
Provider updates a data recipient’s attributes. |
|
|
|
Provider updates a data recipient’s attributes. |
|
|
|
Provider updates a data recipient’s attributes. |
|
|
|
Provider requests details about a share. |
|
|
|
Provider adds or removes data assets from a share. |
|
|
|
Provider requests a list of their shares. |
none |
|
|
Provider requests details on a share’s permissions. |
|
|
|
Provider updates a share’s permissions. |
|
|
|
Provider requests details about a recipient’s share permissions. |
|
|
|
Provider requests details about activity on their activation link. |
|
|
|
Temporary credential is generated for the recipient to access a shared volume. |
|
|
|
Temporary credential is generated for the recipient to access a shared table. |
|
Delta Sharing recipient events
The following events are logged in the data recipient’s account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:
recipient_name
: The name of the recipient in the data provider’s system.metastore_id
: The name of the metastore in the data provider’s system.sourceIPAddress
: The IP address where the request originated.
Service |
Action |
Description |
Request parameters |
---|---|---|---|
|
|
A data recipient requests a details on a shared table version. |
|
|
|
A data recipient requests a details on a shared table’s metadata. |
|
|
|
A data recipient queries a shared table. |
|
|
|
A data recipient queries change data for a table. |
|
|
|
A data recipient creates a provider object. |
|
|
|
A data recipient updates a provider object. |
|
|
|
A data recipient deletes a provider object. |
|
|
|
A data recipient requests details about a provider object. |
|
|
|
A data recipient requests a list of providers. |
none |
|
|
A data recipient activates a provider object. |
|
|
|
A data recipient requests a list of a provider’s shares. |
|
|
|
Temporary credential is generated for the recipient to access a shared volume. |
|
|
|
Temporary credential is generated for the recipient to access a shared table. |
|
Deprecated log events
Databricks has deprecated the following databrickssql
audit events:
createAlertDestination
(nowcreateNotificationDestination
)deleteAlertDestination
(nowdeleteNotificationDestination
)updateAlertDestination
(nowupdateNotificationDestination
)muteAlert
unmuteAlert
SQL endpoint logs
If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint
instead of Warehouse
. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.
The SQL endpoint events are:
changeEndpointAcls
createEndpoint
editEndpoint
startEndpoint
stopEndpoint
deleteEndpoint
setEndpointConfig