Audit log reference

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the audit logs, your enterprise can monitor detailed Databricks usage patterns in your account.

For instructions on configuring log delivery, see Configure audit log delivery. For guidance on analyzing audit logs, see Analyze audit logs.

Audit log services

The following services and their events are logged by default in audit logs.

Workspace-level services

Workspace-level audit logs are available for these services:

Service name

Description

accounts

Events related to accounts, users, groups, and IP access lists.

clusterPolicies

Events related to cluster policies.

clusters

Events related to clusters.

databrickssql

Events related to Databricks SQL use.

dbfs

Events related to DBFS.

deltaPipelines

Events related to Delta Live Table pipelines.

featureStore

Events related to the Databricks Feature Store.

genie

Events related to workspace access by support personnel.

gitCredentials

Events related to Git credentials for Databricks Repos. See also repos.

globalInitScripts

Events related to global init scripts.

groups

Events related to account and workspace groups.

iamRole

Events related to IAM role permissions.

instancePools

Events related to pools.

jobs

Events related to jobs.

mlflowAcledArtifact

Events related to ML Flow artifacts with ACLs.

mlflowExperiment

Events related to ML Flow experiments.

modelRegistry

Events related to the model registry.

notebook

Events related to notebooks.

remoteHistoryService

Events related to adding a removing GitHub Credentials.

repos

Events related to Databricks Repos. See also gitCredentials.

secrets

Events related to secrets.

sqlPermissions

Events related to managing Databricks SQL permissions.

ssh

Events related to SSH access.

webTerminal

Events related to the web terminal feature.

workspace

Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name

Description

accountBillableUsage

Actions related to billable usage access in the account console.

accounts

Actions related to account-level access and identity management.

accountsManager

Actions performed in the accounts console.

logDelivery

Log delivery configuration for such as billable usage or audit logs.

unityCatalog

Actions performed in Unity Catalog. For Delta Sharing events, see Audit and monitor data access using Delta Sharing (for recipients) or Audit and monitor data sharing using Delta Sharing (for providers).

Audit log example schema

In Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following example is for a createMetastoreAssignment event.

  {
    "version":"2.0",
    "auditLevel":"ACCOUNT_LEVEL",
    "timestamp":1629775584891,
    "orgId":"3049056262456431186970",
    "shardName":"test-shard",
    "accountId":"77636e6d-ac57-484f-9302-f7922285b9a5",
    "sourceIPAddress":"10.2.91.100",
    "userAgent":"curl/7.64.1",
    "sessionId":"ephemeral-f836a03a-d360-4792-b081-baba525324312",
    "userIdentity":{
      "email":"crampton.rods@email.com",
      "subjectName":null
    },
    "serviceName":"unityCatalog",
    "actionName":"createMetastoreAssignment",
    "requestId":"ServiceMain-da7fa5878f40002",
    "requestParams":{
      "workspace_id":"30490590956351435170",
      "metastore_id":"abc123456-8398-4c25-91bb-b000b08739c7",
      "default_catalog_name":"main"
    },
    "response":{
      "statusCode":200,
      "errorMessage":null,
      "result":null
    },
    "MAX_LOG_MESSAGE_LENGTH":16384
  }

Audit log schema considerations

  • If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.

  • Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.

  • The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service

Action

Description

Request parameters

accounts

add

An user is added to the Databricks account using username and password for authentication

  • targetUserName

  • endpoint

  • targetUserId

accounts

addPrincipalToGroup

A user is added to a group

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

changeDatabricksSqlAcl

A user’s Databricks SQL permissions are changed

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changeDatabricksWorkspaceAcl

Permissions to a workspace are changed

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changeDbTokenAcl

When permissions on a token are changed

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changePassword

A user’s account password is changed

  • newPasswordSource

  • targetUserId

  • serviceSource

  • wasPasswordChanged

  • userId

accounts

changePasswordAcl

A user’s account password is changed

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changeServicePrincipalAcls

When a service principal’s permissions are changed

  • shardName

  • targetServicePrincipal

  • resourceId

  • aclPermissionSet

accounts

createGroup

A group is created

  • endpoint

  • targetGroupId

  • targetGroupName

accounts

createIpAccessList

An IP access list is added to the workspace

  • ipAccessListId

  • userId

accounts

delete

A user is deleted from the Databricks account

  • targetUserId

  • targetUserName

  • endpoint

accounts

deleteIpAccessList

An IP access list is deleted from the workspace

  • ipAccessListId

  • userId

accounts

garbageCollectDbToken

A user runs a garbage collect command on expired tokens

  • tokenExpirationTime

  • tokenClientId

  • userId

  • tokenCreationTime

  • tokenFirstAccessed

accounts

gcpWorkspaceBrowserLogin

A user logs in to their workspace through the GCP browser workflow

  • user

accounts

generateDbToken

When someone generates a token from User Settings or when the service generates the token

  • tokenExpirationTime

  • tokenCreatedBy

  • tokenHash

  • userId

accounts

IpAccessDenied

A user attempts to connect to the service through a denied IP

  • path

  • userId

accounts

ipAccessListQuotaExceeded

  • userId

accounts

jwtLogin

User logs into Databricks using a JWt

  • user

accounts

login

User logs into the workspace

  • user

accounts

logout

User logs out of the workspace

  • user

accounts

reachMaxQuotaDbToken

When the current number of non-expired tokens exceeds the token quota

accounts

removeAdmin

A user is revoked of admin permissions

  • targetUserName

  • endpoint

  • targetUserId

accounts

removeGroup

A group is removed from the account

  • targetGroupId

  • targetGroupName

  • endpoint

accounts

removePrincipalFromGroup

A user is removed from a group

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

resetPassword

A user’s account password is changed

  • serviceSource

  • userId

  • endpoint

  • targetUserId

  • targetUserName

  • wasPasswordChanged

  • newPasswordSource

accounts

revokeDbToken

  • userId

accounts

samlLogin

User logs in to Databricks through SAML SSO

  • user

accounts

setAdmin

A user is granted admin permissions

  • endpoint

  • targetUserName

  • targetUserId

accounts

tokenLogin

A user logs into Databricks using a token

  • tokenId

  • user

accounts

updateIpAccessList

An IP access list is changed

  • ipAccessListId

  • userId

accounts

validateEmail

When a user validates their email after account creation

  • endpoint

  • targetUserName

  • targetUserId

Clusters events

The following are cluster events logged at the workspace level.

Service

Action

Description

Request parameters

clusters

changeClusterAcl

A user changes the cluster ACl

  • shardName

  • aclPermissionSet

  • targetUserId

  • resourceId

clusters

create

A user creates a cluster

  • cluster_log_conf

  • num_workers

  • enable_elastic_disk

  • driver_node_type_id

  • start_cluster

  • docker_image

  • ssh_public_keys

  • gcp_attributes

  • acl_path_prefix

  • node_type_id

  • instance_pool_id

  • spark_env_vars

  • init_scripts

  • spark_version

  • cluster_source

  • autotermination_minutes

  • cluster_name

  • autoscale

  • custom_tags

  • cluster_creator

  • enable_local_disk_encryption

  • idempotency_token

  • spark_conf

  • organization_id

  • no_driver_daemon

  • user_id

  • virtual_cluster_size

  • apply_policy_default_values

  • data_security_mode

  • runtime_engine

clusters

createResult

Results from cluster creation. In conjunction with create.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

delete

A cluster is terminated

  • cluster_id

clusters

deleteResult

Results from cluster termination. In conjunction with delete.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

edit

A user makes changes to cluster settings. This logs all changes except for change in cluster size or autoscaling behavior.

  • cluster_log_conf

  • num_workers

  • enable_elastic_disk

  • driver_node_type_id

  • start_cluster

  • docker_image

  • ssh_public_keys

  • gcp_attributes

  • acl_path_prefix

  • node_type_id

  • instance_pool_id

  • spark_env_vars

  • init_scripts

  • spark_version

  • cluster_source

  • autotermination_minutes

  • cluster_name

  • autoscale

  • custom_tags

  • cluster_creator

  • enable_local_disk_encryption

  • idempotency_token

  • spark_conf

  • organization_id

  • no_driver_daemon

  • user_id

  • virtual_cluster_size

  • apply_policy_default_values

  • data_security_mode

  • runtime_engine

clusters

permanentDelete

A cluster is deleted from the Ui

  • cluster_id

clusters

resize

Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.

  • cluster_id

  • num_workers

  • autoscale

clusters

resizeResult

Results from cluster resize. In conjunction with resize.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

restart

A user restarts a running cluster

  • cluster_id

clusters

restartResult

Results from cluster restart. In conjunction with restart.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

start

A user starts a cluster

  • init_scripts_safe_mode

  • cluster_id

clusters

startResult

Results from cluster start. In conjunction with start.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service

Action

Description

Request parameters

clusterLibraries

installLibraries

User installs a library on a cluster

  • cluster_id

  • libraries

clusterLibraries

uninstallLibraries

User uninstalls a library on a cluster

  • cluster_id

  • libraries

clusterLibraries

installLibraryOnAllClusters

Admin schedules a library to install on all cluster

  • user

  • library

clusterLibraries

uninstallLibraryOnAllClusters

Admin removes a library from the list to install on all clusters

  • user

  • library

Cluster policy events

The following are clusterPolicies events logged at the workspace level.

Service

Action

Description

Request parameters

clusterPolicies

create

A user created a cluster policy

  • name

clusterPolicies

edit

A user edited a cluster policy

  • policy_id

  • name

clusterPolicies

delete

A user deleted a cluster policy

  • policy_id

clusterPolicies

changeClusterPolicyAcl

An admin changes permissions for a cluster policy

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Service

Action

Description

Request parameters

databrickssql

addDashboardWidget

Add widget is added to a dashboard

  • dashboardId

  • widgetId

databrickssql

cancelQueryExecution

A query execution is cancelled

  • queryExecutionId

databrickssql

changeWarehouseAcls

An admin updates permissions on a SQL warehouse

  • aclPermissionSet

  • resourceId

  • shardName

  • targetUserId

databrickssql

changePermissions

A user updates permissions on an object

  • granteeAndPermission

  • objectId

  • objectType

databrickssql

cloneDashboard

A user clones a dashboard

  • dashboardId

databrickssql

commandSubmit

Only in verbose audit logs. Runs when a command is submitted to Databricks SQL.

  • orgId

  • sourceIpAddress

  • timestamp

  • userAgent

  • userIdentity

  • shardName

databrickssql

commandFinish

Only in verbose audit logs. Runs when a command completes or a command is cancelled.

  • orgId

  • sourceIpAddress

  • timestamp

  • userAgent

  • userIdentity

  • shardName

databrickssql

createAlert

A user creates an alert

  • alertId

databrickssql

createNotificationDestination

An admin creates a notification destination

  • notificationDestinationId

  • notificationDestinationType

databrickssql

createDashboard

A user creates a dashboard

  • dashboardId

databrickssql

createDataPreviewDashboard

A user creates a data preview dashboard

  • dashboardId

databrickssql

createWarehouse

An admin creates a SQL warehouse

  • auto_resume

  • auto_stop_mins

  • channel

  • cluster_size

  • conf_pairs

  • custom_cluster_confs

  • enable_databricks_compute

  • enable_photon

  • enable_serverless_compute

  • instance_profile_arn

  • max_num_clusters

  • min_num_clusters

  • name

  • size

  • spot_instance_policy

  • tags

  • test_overrides

databrickssql

createQuery

A user creates a query snippet

  • queryId

databrickssql

createQueryDraft

A user creates a query draft

  • queryId

databrickssql

createQuerySnippet

A user creates a query snippet

  • querySnippetId

databrickssql

createRefreshSchedule

A user sets a refresh schedule for a query

  • alertId

  • dashboardId

  • refreshScheduleId

databrickssql

createSampleDashboard

A user creates a sample dashboard

  • sampleDashboardId

databrickssql

createSubscription

A user subscribes to a dashboard (the dashboard must have a refresh schedule)

  • dashboardId

  • refreshScheduleId

  • subscriptionId

databrickssql

createVisualization

A user creates a visualization

  • queryId

  • visualizationId

databrickssql

deleteAlert

A user deletes an alert

  • alertId

databrickssql

deleteNotificationDestination

An admin deletes a notification destination

  • notificationDestinationId

databrickssql

deleteDashboard

A user deletes a dashboard

  • dashboardId

databrickssql

deleteDashboardWidget

A user deletes a dashboard widget

  • widgetId

databrickssql

deleteWarehouse

An admin deletes a SQL warehouse

  • id

databrickssql

deleteExternalDatasource

An admin deletes an external data source from the workspace

  • dataSourceId

databrickssql

deleteQuery

A user deletes a query

  • queryId

databrickssql

deleteQueryDraft

A user deletes a query draft

  • queryId

databrickssql

deleteQuerySnippet

A user deletes a query snippet

  • querySnippetId

databrickssql

deleteRefreshSchedule

A user removes the refresh schedule from a dashboard

  • alertId

  • dashboardId

  • refreshScheduleId

databrickssql

deleteSubscription

A user removes their subscription from a dashboard

  • subscriptionId

databrickssql

deleteVisualization

A user deletes a visualization

  • visualizationId

databrickssql

downloadQueryResult

A user downloads a query result

  • fileType

  • queryId

  • queryResultId

databrickssql

editWarehouse

An admin makes edits to a SQL warehouse

  • auto_stop_mins

  • channel

  • cluster_size

  • confs

  • enable_photon

  • enable_serverless_compute

  • id

  • instance_profile_arn

  • max_num_clusters

  • min_num_clusters

  • name

  • spot_instance_policy

  • tags

databrickssql

executeAdhocQuery

A user runs an ad hoc query

  • dataSourceId

databrickssql

executeSavedQuery

A user runs a saved query

  • queryId

databrickssql

executeWidgetQuery

A user runs a query in a dashboard widget

  • widgetId

databrickssql

favoriteDashboard

A user favorites a dashboard

  • dashboardId

databrickssql

favoriteQuery

A user favorites a query

  • queryId

databrickssql

forkQuery

A user forks a query

  • originalQueryId

  • queryId

databrickssql

listQueries

  • filter_by

  • include_metrics

  • max_results

  • page_token

databrickssql

moveDashboardToTrash

A user moves a dashboard to the trash

  • dashboardId

databrickssql

moveQueryToTrash

A user moves a query to the trash

  • queryId

databrickssql

muteAlert

A user mutes an alert

  • alertId

databrickssql

publishBatch

  • statuses

databrickssql

publishDashboardSnapshot

A dashboard snapshot gets sent to a notification destination

  • dashboardId

  • hookId

  • subscriptionId

databrickssql

restoreDashboard

A user restores a dashboard from the trash

  • dashboardId

databrickssql

restoreQuery

A user restores a query from the trash

  • queryId

databrickssql

setWarehouseConfig

An admin sets the configuration for a SQL warehouse

  • data_access_config

  • enable_serverless_compute

  • instance_profile_arn

  • security_policy

  • serverless_agreement

  • sql_configuration_parameters

  • try_create_databricks_managed_starter_warehouse

databrickssql

snapshotDashboard

A user takes a snapshot of a dashboard

  • dashboardId

databrickssql

startWarehouse

A SQL warehouse is started

  • id

databrickssql

stopWarehouse

An admin stops a SQL warehouse (does not include auto stop)

  • id

databrickssql

subscribeAlert

A user subscribes to an alert

  • alertId

  • destinationId

databrickssql

transferObjectOwnership

An admin transfers the ownership of a dashboard, query, or alert to an active user.

  • newOwner

  • objectId

  • objectType

databrickssql

unfavoriteDashboard

A user removes a dashboard from their favorites

  • dashboardId

databrickssql

unfavoriteQuery

A user removes a query from their favorites

  • queryId

databrickssql

unmuteAlert

A user unmutes an alert

  • alertId

databrickssql

unsubscribeAlert

A user unsubscribes from an alert

  • alertId

  • subscriberId

databrickssql

updateAlert

A user makes updates to an alert

  • alertId

  • queryId

databrickssql

updateNotificationDestination

An admin makes an update to a notification destination

  • notificationDestinationId

databrickssql

updateDashboard

A user makes an update to a dashboard

  • dashboardId

databrickssql

updateDashboardWidget

A user makes an update to a dashboard widget

  • widgetId

databrickssql

updateOrganizationSetting

An admin makes updates to the workspace’s SQL settings

  • has_configured_data_access

  • has_explored_sql_warehouses

  • has_granted_permissions

databrickssql

updateQuery

A user makes an update to a query

  • queryId

databrickssql

updateQueryDraft

A user makes an update to a query draft

  • queryId

databrickssql

updateQuerySnippet

A user makes an update to a query snippet

  • querySnippetId

databrickssql

updateRefreshSchedule

A user makes updates to a dashboard’s refresh schedule

  • alertId

  • dashboardId

  • refreshScheduleId

databrickssql

updateVisualization

A user updates a visualization

  • visualizationId

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service

Action

Description

Request parameters

dbfs

addBlock

User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.

  • handle

  • data_length

dbfs

create

User opens a stream to write a file to DBFs

  • path

  • bufferSize

  • overwrite

dbfs

delete

User deletes the file or directory from DBFs

  • recursive

  • path

dbfs

mkdirs

User creates a new DBFS directory

  • path

dbfs

move

User moves a file from one location to another location within DBFs

  • dst

  • source_path

  • src

  • destination_path

dbfs

put

User uploads a file through the use of multipart form post to DBFs

  • path

  • overwrite

DBFS operational events

The following DBFS audit events occur at the data plane.

Service

Action

Description

Request parameters

dbfs

mount

User creates a mount point at a certain DBFS location

  • mountPoint

  • owner

dbfs

unmount

User removes a mount point at a certain DBFS location

  • mountPoint

Delta pipelines events

Service

Action

Description

Request parameters

deltaPipelines

changePipelineAcls

A user changes permissions on a pipeline

  • shardId

  • targetUserId

  • resourceId

  • aclPermissionSet

deltaPipelines

create

A user creates a Delta Live Tables pipeline

  • allow_duplicate_names

  • clusters

  • configuration

  • continuous

  • development

  • dry_run

  • id

  • libraries

  • name

  • storage

  • target

  • channel

  • edition

  • photon

deltaPipelines

delete

A user deletes a Delta Live Tables pipeline

  • pipeline_id

deltaPipelines

edit

A user edits a Delta Live Tables pipeline

  • allow_duplicate_names

  • clusters

  • configuration

  • continuous

  • development

  • expected_last_modified

  • id

  • libraries

  • name

  • pipeline_id

  • storage

  • target

  • channel

  • edition

  • photon

deltaPipelines

startUpdate

A user restarts a Delta Live Tables pipeline

  • cause

  • full_refresh

  • job_task

  • pipeline_id

deltaPipelines

stop

A user stops a Delta Live Tables pipeline

  • pipeline_id

Feature store events

The following featureStore events are logged at the workspace level.

Service

Action

Description

Request parameters

featureStore

addConsumer

A consumer is added to the feature store

  • features

  • job_run

  • notebook

featureStore

addDataSources

A data source is added to a feature table

  • feature_table

  • paths, tables

featureStore

addProducer

A producer is added to a feature table

  • feature_table

  • job_run

  • notebook

featureStore

changeFeatureTableAcl

Permissions are changed in a feature table

  • aclPermissionSet

  • resourceId

  • shardName

  • targetUserId

featureStore

createFeatureTable

A feature table is created

  • description

  • name

  • partition_keys

  • primary_keys

  • timestamp_keys

featureStore

createFeatures

Features are created in a feature table

  • feature_table

  • features

featureStore

deleteFeatureTable

A feature table is deleted

  • name

featureStore

deleteTags

Tags are deleted from a feature table

  • feature_table_id

  • keys

featureStore

getConsumers

A user makes a call to get the consumers in a feature table

  • feature_table

featureStore

getFeatureTable

A user makes a call to get feature tables

  • name

featureStore

getFeatureTablesById

A user makes a call to get feature table IDs

  • ids

featureStore

getFeatures

A user makes a call to get features

  • feature_table

  • max_results

featureStore

getModelServingMetadata

A user makes a call to get Model Serving metadata

  • feature_table_features

featureStore

getOnlineStore

A user makes a call to get online store details

  • cloud

  • feature_table

  • online_table

  • store_type

featureStore

getTags

A user makes a call to get tags for a feature table

  • feature_table_id

featureStore

publishFeatureTable

A feature table is published

  • cloud

  • feature_table

  • host

  • online_table

  • port

  • read_secret_prefix

  • store_type

  • write_secret_prefix

featureStore

searchFeatureTables

A user searches for feature tables

  • max_results

  • page_token

  • text

featureStore

setTags

Tags are added to a feature table

  • feature_table_id

  • tags

featureStore

updateFeatureTable

A feature table is updated

  • description

  • name

Genie events

The following genie events are logged at the workspace level.

Service

Action

Description

Request parameters

genie

databricksAccess

A Databricks personnel is authorized to access a customer environment

  • duration

  • approver

  • reason

  • authType

  • user

Git credential events

The following gitCredentials events are logged at the workspace level.

Service

Action

Description

Request parameters

gitCredentials

getGitCredential

A user gets a git credentials

  • id

gitCredentials

listGitCredentials

A user lists all git credentials

none

gitCredentials

deleteGitCredential

A user deletes a git credential

  • id

gitCredentials

updateGitCredential

A user updates a git credential

  • id

  • git_provider

  • git_username

gitCredentials

createGitCredential

A user creates a git credential

  • git_provider

  • git_username

Groups events

The following groups events are logged at the workspace level.

Service

Action

Description

Request parameters

groups

addPrincipalToGroup

An admin adds a user to a group

  • user_name

  • parent_name

groups

createGroup

An admin creates a group

  • group_name

groups

getGroupMembers

An admin views group members

  • group_name

groups

getGroups

An admin views a list of groups

none

groups

getInheritedGroups

An admin views inherited groups

none

groups

removeGroup

An admin removes a group

  • group_name

IAM role events

The following iamRole events are logged at the workspace level.

Service

Action

Description

Request parameters

iamRole

changeIamRoleAcl

An admin changes permissions for an IAM role

  • targetUserId

  • shardName

  • resourceId

  • aclPermissionSet

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service

Action

Description

Request parameters

globalInitScripts

create

An admin creates a global initialization script

  • name

  • position

  • script-SHA256

  • enabled

globalInitScripts

update

An admin updates a global initialization script

  • script_id

  • name

  • position

  • script-SHA256

  • enabled

globalInitScripts

delete

An admin deletes a global initialization script

  • script_id

Instance pool events

The following instancePools events are logged at the workspace level.

Service

Action

Description

Request parameters

instancePools

changeInstancePoolAcl

A user changes an instance pool’s permissions

  • shardName

  • resourceId

  • targetUserId

  • aclPermissionSet

instancePools

create

A user creates an instance pool

  • enable_elastic_disk

  • preloaded_spark_versions

  • idle_instance_autotermination_minutes

  • instance_pool_name

  • node_type_id

  • custom_tags

  • max_capacity

  • min_idle_instances

  • aws_attributes

instancePools

delete

A user deletes an instance pool

  • instance_pool_id

instancePools

edit

A user edits an instance pool

  • instance_pool_name

  • idle_instance_autotermination_minutes

  • min_idle_instances

  • preloaded_spark_versions

  • max_capacity

  • enable_elastic_disk

  • node_type_id

  • instance_pool_id

  • aws_attributes

Job events

The following jobs events are logged at the workspace level.

Service

Action

Description

Request parameters

jobs

cancel

A job run is cancelled

  • run_id

jobs

cancelAllRuns

A user cancels all runs on a job

  • job_id

jobs

changeJobAcl

A user updates permissions on a job

  • shardName

  • aclPermissionSet

  • resourceId

  • targetUserId

jobs

create

A user creates a job

  • spark_jar_task

  • email_notifications

  • notebook_task

  • spark_submit_task

  • timeout_seconds

  • libraries

  • name

  • spark_python_task

  • job_type

  • new_cluster

  • existing_cluster_id

  • max_retries

  • schedule

jobs

delete

A user deletes a job

  • job_id

jobs

deleteRun

A user deletes a job run

  • run_id

jobs

getRunOutput

A user makes an API call to get a run output

  • run_id

  • is_from_webapp

jobs

repairRun

A user repairs a job run

  • run_id

  • latest_repair_id

  • rerun_tasks

jobs

reset

A job is reset

  • job_id

  • new_settings

jobs

resetJobAcl

A user requests the change of a job’s permissions

  • grants

  • job_id

jobs

runFailed

A job run fails

  • jobClusterType

  • jobTriggerType

  • jobId

  • jobTaskType

  • runId

  • jobTerminalState

  • idInJob

  • orgId

jobs

runNow

A user triggers an on-demand job run

  • notebook_params

  • job_id

  • jar_params

  • workflow_context

jobs

runStart

Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depends on the type of tasks in the job. In addition to the parameters listed, they can include:

  • dashboardId (for a SQL dashboard task)

  • filePath (for a SQL file task)

  • notebookPath (for a notebook task)

  • mainClassName (for a Spark JAR task)

  • pythonFile (for a Spark JAR task)

  • projectDirectory (for a dbt task)

  • commands (for a dbt task)

  • packageName (for a Python wheel task)

  • entryPoint (for a Python wheel task)

  • pipelineId (for a pipeline task)

  • queryIds (for a SQL query task)

  • alertId (for a SQL alert task)

  • taskDependencies

  • multitaskParentRunId

  • orgId

  • idInJob

  • jobId

  • jobTerminalState

  • taskKey

  • jobTriggerType

  • jobTaskType

  • runId

jobs

runSucceeded

A job run is successful

  • idInJob

  • jobId

  • jobTriggerType

  • orgId

  • runId

  • jobClusterType

  • jobTaskType

  • jobTerminalState

jobs

runTriggered

A job schedule is triggered automatically according to its schedule or trigger

  • jobId

  • jobTriggeredType

  • runId

jobs

sendRunWebhook

A webhook is sent either when the job begins, completes, or fails.

  • orgId

  • jobId

  • jobWebhookId

  • jobWebhookEvent

  • runId

jobs

setTaskValue

A user sets values for a task

  • run_id

  • key

jobs

submitRun

A user submits a one-time run via the APi

  • shell_command_task

  • run_name

  • spark_python_task

  • existing_cluster_id

  • notebook_task

  • timeout_seconds

  • libraries

  • new_cluster

  • spark_jar_task

jobs

update

A user edits a job’s settings

  • fields_to_remove

  • job_id

  • new_settings

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service

Action name

Description

Request parameters

mlflowAcledArtifact

readArtifact

A user makes call to read an artifact

  • artifactLocation

  • experimentId

  • runId

mlflowAcledArtifact

writeArtifact

A user makes call to write to an artifact

  • artifactLocation

  • experimentId

  • runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service

Action

Description

Request parameters

mlflowExperiment

deleteMlflowExperiment

A user deletes an MLflow experiment

  • experimentId

  • path

  • experimentName

mlflowExperiment

moveMlflowExperiment

A user moves an MLflow experiment

  • newPath

  • experimentId

  • oldPath

mlflowExperiment

restoreMlflowExperiment

A user restores an MLflow experiment

  • experimentId

  • path

  • experimentName

mlflowExperiment

renameMlflowExperiment

A user renames an MLflow experiment

  • oldName

  • newName

  • experimentId

  • parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service

Action

Description

Request parameters

modelRegistry

approveTransitionRequest

A user approves a model version stage transition request

  • name

  • version

  • stage

  • archive_existing_versions

modelRegistry

changeRegisteredModelAcl

A user updates permissions for a registered model

  • registeredModelId

  • userId

modelRegistry

createComment

A user posts a comment on a model version

  • name

  • version

modelRegistry

createModelVersion

A user creates a model version

  • name

  • source

  • run_id

  • tags

  • run_link

modelRegistry

createRegisteredModel

A user creates a new registered model

  • name

  • tags

modelRegistry

createRegistryWebhook

User creates a webhook for Model Registry events

  • orgId

  • registeredModelId

  • events

  • description

  • status

  • creatorId

  • httpUrlSpec

modelRegistry

createTransitionRequest

A user creates a model version stage transition request

  • name

  • version

  • stage

modelRegistry

deleteComment

A user deletes a comment on a model version

  • id

modelRegistry

deleteModelVersion

A user deletes a model version

  • name

  • version

modelRegistry

deleteModelVersionTag

A user deletes a model version tag

  • name

  • version

  • key

modelRegistry

deleteRegisteredModel

A user deletes a registered model

  • name

modelRegistry

deleteRegisteredModelTag

A user deletes the tag for a registered model

  • name

  • key

modelRegistry

deleteRegistryWebhook

User deletes a Model Registry webhook

  • orgId

  • webhookId

modelRegistry

deleteTransitionRequest

A user cancels a model version stage transition request

“- name

  • version

  • stage

  • creator

modelRegistry

finishCreateModelVersionAsync

Completed asynchronous model copying

  • name

  • version

modelRegistry

generateBatchInferenceNotebook

Batch inference notebook is autogenerated

  • userId

  • orgId

  • modelName

  • inputTableOpt

  • outputTablePathOpt

  • stageOrVersion

  • modelVersionEntityOpt

  • notebookPath

modelRegistry

generateDltInferenceNotebook

Inference notebook for a Delta Live Tables pipeline is autogenerated

  • userId

  • orgId

  • modelName

  • inputTable

  • outputTable

  • stageOrVersion

  • notebookPath

modelRegistry

getModelVersionDownloadUri

A user gets a URI to download the model version

  • name

  • version

modelRegistry

getModelVersionSignedDownloadUri

A user gets a URI to download a signed model version

  • name

  • version

  • path

modelRegistry

listModelArtifacts

A user makes a call to list a model’s artifacts

  • name

  • version

  • path

  • page_token

modelRegistry

listRegistryWebhooks

A user makes a call to list all registry webhooks in the model

  • orgId

  • registeredModelId

modelRegistry

rejectTransitionRequest

A user rejects a model version stage transition request

  • name

  • version

  • stage

modelRegistry

renameRegisteredModel

A user renames a registered model

  • name

  • new_name

modelRegistry

setEmailSubscriptionStatus

A user updates the email subscription status for a registered model

modelRegistry

setModelVersionTag

A user sets a model version tag

  • name

  • version

  • key

  • value

modelRegistry

setRegisteredModelTag

A user sets a model version tag

  • name

  • key

  • value

modelRegistry

setUserLevelEmailSubscriptionStatus

A user updates their email notifications status for the whole registry

  • orgId

  • userId

  • subscriptionStatus

modelRegistry

testRegistryWebhook

A user tests the Model Registry webhook

  • orgId

  • webhookId

modelRegistry

transitionModelVersionStage

A user gets a list of all open stage transition requests for the model version

  • name

  • version

  • stage

  • archive_existing_versions

modelRegistry

triggerRegistryWebhook

A Model Registry webhook is triggered by an event

  • orgId

  • registeredModelId

  • events

  • status

modelRegistry

updateComment

A user post an edit to a comment on a model version.

  • id

modelRegistry

updateRegistryWebhook

A user updates a Model Registry webhook

  • orgId

  • webhookId

Notebook events

The following notebook events are logged at the workspace level.

Service

Action

Description

Request parameters

notebook

attachNotebook

A notebook is attached to a cluster

  • path

  • clusterId

  • notebookId

notebook

cloneNotebook

A user clones a notebook

  • notebookId

  • path

  • clonedNotebookId

  • destinationPath

notebook

createNotebook

A notebook is created

  • notebookId

  • path

notebook

deleteFolder

A notebook folder is deleted

  • path

notebook

deleteNotebook

A notebook is deleted

  • notebookId

  • notebookName

  • path

notebook

detachNotebook

A notebook is detached from a cluster

  • notebookId

  • clusterId

  • path

notebook

downloadLargeResults

A user downloads query results too large to display in the notebook

  • notebookId

  • notebookFullPath

notebook

downloadPreviewResults

A user downloads the query results

  • notebookId

  • notebookFullPath

notebook

importNotebook

A user imports a notebook

  • path

notebook

moveFolder

A notebook folder is moved from one location to another

  • oldPath

  • newPath

  • folderId

notebook

moveNotebook

A notebook is moved from one location to another

  • newPath

  • oldPath

  • notebookId

notebook

renameNotebook

A notebook is renamed

  • newName

  • oldName

  • parentPath

  • notebookId

notebook

restoreFolder

A deleted folder is restored

  • path

notebook

restoreNotebook

A deleted notebook is restoired

  • path

  • notebookId

  • notebookName

notebook

runCommand

Avaible when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.

  • notebookId

  • executionTime

  • status

  • commandId

  • commandText

  • commandLanguage

notebook

takeNotebookSnapshot

Notebook snapshots are taken when either the job service or mlflow is run

  • path

Partner Connect events

The following partnerHub events are logged at the workspace level.

Service

Action

Description

Request parameters

partnerHub

createOrReusePartnerConnection

A workspace admin sets up a connection to a partner solution

  • partner_name

partnerHub

deletePartnerConnection

A workspace admin deletes a partner connection

  • partner_name

partnerHub

downloadPartnerConnectionFile

A workspace admin downloads the partner connection file

  • partner_name

partnerHub

setupResourcesForPartnerConnection

A workspace admin sets up resources for a partner connection

  • partner_name

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service

Action

Description

Request parameters

remoteHistoryService

addUserGitHubCredentials

User adds Github Credentials

none

remoteHistoryService

deleteUserGitHubCredentials

User removes Github Credentials

none

remoteHistoryService

updateUserGitHubCredentials

User updates Github Credentials

none

Repos events

The following repos events are logged at the workspace level.

Service

Action name

Description

Request parameters

repos

checkoutBranch

A user checks out a branch on the repo

  • id

  • branch

repos

commitAndPush

A user commits and pushes to a repo

  • id

  • message

  • files

  • checkSensitiveToken

repos

createRepo

A user creates a repo in the workspace

  • url

  • provider

  • path

repos

deleteRepo

A user deletes a repo

  • id

repos

discard

A user discards a commit to a repo

  • id

  • file_paths

repos

getRepo

A user makes a call to get information about a single repo

  • id

repos

listRepos

A user makes a call to get all repos they have Manage permissions on

  • path_prefix

  • next_page_token

repos

pull

A user pulls the latest commits from a repo

  • id

repos

updateRepo

A user updates the repo to a different branch or tag, or to the latest commit on the same branch

  • id

  • branch

  • tag

  • git_url

  • git_provider

Secrets events

The following secrets events are logged at the workspace level.

Service

Action name

Description

Request parameters

secrets

createScope

User creates a secret scope

  • scope

  • initial_manage_principal

  • scope_backend_type

secrets

deleteAcl

User deletes ACLs for a secret scope

  • scope

  • principal

secrets

deleteScope

User deletes a secret scope

  • scope

secrets

deleteSecret

User deletes a secret from a scope

  • key

  • scope

secrets

getAcl

User gets ACLs for a secret scope

  • scope

  • principal

secrets

getSecret

User gets a secret from a scope

  • key

  • scope

secrets

listAcls

User makes a call to list ACLs for a secret scope

  • scope

secrets

listScopes

User makes a call to list secret scopes

none

secrets

listSecrets

User makes a call to list secrets within a scope

  • scope

secrets

putAcl

User changes ACLs for a secret scope

  • scope

  • principal

  • permission

secrets

putSecret

User adds or edits a secret within a scope

  • string_value

  • key

  • scope

SQL table access events

The following sqlPermissions events are logged at the workspace level.

Service

Action name

Description

Request parameters

sqlPermissions

changeSecurableOwner

Workspace admin or owner of an object transfers object ownership

  • securable

  • principal

sqlPermissions

createSecurable

User creates a securable object

  • securable

sqlPermissions

denyPermission

Object owner denies privileges on a securable object

  • permission

sqlPermissions

grantPermission

Object owner grants permission on a securable object

  • permission

sqlPermissions

removeAllPermissions

User drops a securable object

  • securable

sqlPermissions

renameSecurable

User renames a securable object

  • before

  • after

sqlPermissions

requestPermissions

User requests permissions on a securable object

  • requests

sqlPermissions

revokePermission

Object owner revokes permissions on their securable object

  • permission

sqlPermissions

showPermissions

User views securable object permissions

  • securable

  • principal

SSH events

The following ssh events are logged at the workspace level.

Service

Action name

Description

Request parameters

ssh

login

Agent login of SSH into Spark driver

  • containerId

  • userName

  • port

  • publicKey

  • instanceId

ssh

logout

Agent logout of SSH from Spark driver

  • userName

  • containerId

  • instanceId

Web terminal events

The following webTerminal events are logged at the workspace level.

Service

Action name

Description

Request parameters

webTerminal

startSession

User starts a web terminal sessions

  • socketGUID

  • clusterId

  • serverPort

  • ProxyTargetURI

webTerminal

closeSession

User closes a web terminal session

  • socketGUID

  • clusterId

  • serverPort

  • ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level.

Service

Action name

Description

Request parameters

workspace

changeWorkspaceAcl

Permissions to the workspace are changed

  • shardName

  • targetUserId

  • aclPermissionSet

  • resourceId

workspace

deleteSetting

A setting is deleted from the workspace

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

workspace

fileCreate

User creates a file in the workspace

  • path

workspace

fileDelete

User deletes a file in the workspace

  • path

workspace

fileEditorOpenEvent

User opens the file editor

  • notebookId

  • path

workspace

getRoleAssignment

User gets a workspace’s user roles

  • account_id

  • workspace_id

workspace

moveWorkspaceNode

Admin moves workspace node

  • destinationPath

  • path

workspace

purgeWorkspaceNodes

Admin purges workspace nodes

  • treestoreId

workspace

renameWorkspaceNode

Admin renames workspace nodes

  • path

  • destinationPath

workspace

updateRoleAssignment

An admin updates a workspace user’s role

  • account_id

  • workspace_id

  • principal_id

workspace

setSetting

An admin configures a workspace setting

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

  • settingValueForAudit

workspace

workspaceConfEdit

Workspace admin makes updates to a setting, for example enabling verbose audit logs

  • workspaceConfKeys

  • workspaceConfValues

workspace

workspaceExport

User exports a notebook from a workspace

  • workspaceExportDirectDownload

  • workspaceExportFormat

  • notebookFullPath

Billable usage events

The following accountBillableUsage events are logged at the account level.

Service

Action

Description

Request parameters

accountBillableUsage

getAggregatedUsage

User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature

  • account_id

  • window_size

  • start_time

  • end_time

  • meter_name

  • workspace_ids_filter

accountBillableUsage

getDetailedUsage

User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature

  • account_id

  • start_month

  • end_month

  • with_pii

Account-level account events

Service

Action

Description

Request parameters

accounts

accountIpAclsValidationFailed

IP permissions validation fails. Returns statusCode 403.

  • sourceIpAddress

  • user: logged as an email address

accounts

addPrincipalToGroup

A user is added to an account-level group

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

createGroup

An account-level group is created

  • endpoint

  • targetGroupId

  • targetGroupName

accounts

deleteSetting

Account admin removes a setting from the Databricks account

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

  • settingValueForAudit

accounts

gcpWorkspaceBrowserLogin

Account admin navigates to the account console from their workspace

  • user

accounts

login

Account admin logs into the account console

  • user

accounts

logout

Account admin logs out of the account console

  • user

accounts

setAccountAdmin

An account admin assigns the account admin role to another user

  • targetUserName

  • endpoint

  • targetUserId

accounts

setSetting

Admin updates an account-level setting

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

  • settingValueForAudit

accounts

updateUser

An account admin updates a user’s account from the account console

  • targetUserName

  • endpoint

  • targetUserId

Account management events

The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.

Service

Action

Description

Request parameters

accountsManager

changeAccountOwner

Account owner role is transferred to another account admin

  • account_id

  • first_name

  • last_name

  • email

accountsManager

createNetworkConfiguration

Account admin created a network configuration

  • network

accountsManager

createPrivateAccessSettings

Account admin created a private access settings configuration

  • private_access_settings

accountsManager

createVpcEndpoint

Account admin created a VPC endpoint configuration

  • vpc_endpoint

accountsManager

createWorkspaceConfiguration

Account admin creates a new workspace

  • workspace

accountsManager

deleteNetworkConfiguration

Account admin deleted a network configuration

  • account_id

  • network_id

accountsManager

deletePrivateAccessSettings

Account admin deleted a private access settings configuration

  • account_id

  • private_access_settings_id

accountsManager

deleteVpcEndpoint

Account admin deleted a VPC endpoint configuration

  • account_id

  • vpc_endpoint_id

accountsManager

deleteWorkspaceConfiguration

Account admin deleted a workspace

  • account_id

  • workspace_id

accountsManager

getNetworkConfiguration

Account admin requests details about a network configuration

  • account_id

  • network_id

accountsManager

getPrivateAccessSettings

Account admin requests details about a private access settings configuration

  • account_id

  • private_access_settings_id

accountsManager

getVpcEndpoint

Account admin requests details about a VPC endpoint configuration

  • account_id

  • vpc_endpoint_id

accountsManager

getWorkspaceConfiguration

Account admin requests details about a workspace

  • account_id

  • workspace_id

accountsManager

listNetworkConfigurations

Account admin lists all network configurations in the account

  • account_id

accountsManager

listPrivateAccessSettings

Account admin lists all private access settings configurations in the account

  • account_id

accountsManager

listSubscriptions

Account admin lists all account billing subscriptions

  • account_id

accountsManager

listVpcEndpoints

Account admin listed all VPC endpoint configurations for the account

  • account_id

accountsManager

listWorkspaceConfigurations

Account admin lists all workspace in the account

  • account_id

accountsManager

listWorkspaceEncryptionKeyRecords

Account admin lists all encryption key records in a specific workspace

  • account_id

  • workspace_id

accountsManager

listWorkspaceEncryptionKeyRecordsForAccount

Account admin lists all encryption key records in the account

  • account_id

accountsManager

updateAccount

The account details were changed internally

  • account_id

  • account

accountsManager

updateSubscription

The account billing subscriptions were updated

  • account_id

  • subscription_id

  • subscription

accountsManager

updateWorkspaceConfiguration

Admin updated the configuration for a workspace

  • account_id

  • workspace_id

Log delivery events

The following logDelivery events are logged at the account level.

Service

Action

Description

Request parameters

logDelivery

createLogDeliveryConfiguration

Admin created a log delivery configuration

  • account_id

  • config_id

logDelivery

getLogDeliveryConfiguration

Admin requested details about a log delivery configuration

  • log_delivery_configuration

logDelivery

listLogDeliveryConfigurations

Admin listed all log delivery configuration in the account

  • account_id

  • storage_configuration_id

  • credentials_id

  • status

logDelivery

updateLogDeliveryConfiguration

Admin updated a log delivery configuration

  • config_id

  • account_id

  • status

Single-sign on events

The following ssoConfigBackend events are logged at the account level and are related to SSO authentication for the account console.

Service

Action

Description

Request parameters

ssoConfigBackend

create

Account admin created an accounts console SSO configuration

  • account_id

  • sso_type

  • config

ssoConfigBackend

get

Account admin requested details about an accounts console SSO configuration

  • account_id

  • sso_type

ssoConfigBackend

update

Account admin updated an accounts console SSO configuration

  • account_id

  • sso_type

  • config

Unity Catalog events

The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Audit and monitor data access using Delta Sharing (for recipients) or Audit and monitor data sharing using Delta Sharing (for providers).

Service

Action

Description

Request parameters

unityCatalog

createMetastore

Account admin creates a metastore

  • name

  • storage_root

unityCatalog

getMetastore

Account admin requests metastore Id

  • id

unityCatalog

getMetastoreSummary

Account admin requests details about a metastore

  • workspace_id

  • metastore_id

unityCatalog

listMetastores

Account admin requests a list of all metastores in an account

  • workspace_id

unityCatalog

updateMetastores

Account admin makes an update to a metastore

  • id

  • name

  • storage_root

  • default_data_access_config_id

  • delta_sharing_enabled

  • owner

unityCatalog

deleteMetastore

Account admin deletes a metastore

  • id

  • force

unityCatalog

createMetastore

Account admin creates a metastore

  • workspace_id

  • metastore_id

  • default_catalog_name

unityCatalog

updateMetastoreAssignment

Account admin makes an update to a metastore’s workspace assignment

  • workspace_id

  • metastore_id

  • default_catalog_name

unityCatalog

createExternalLocation

Account admin creates an external location

  • name

  • skip_validation

  • url

  • credential_name

  • workspace_id

  • metastore_id

unityCatalog

getExternalLocation

Account admin requests details about an external location

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

listExternalLocations

Account admin request list of all external locations in an account

  • url

  • max_results

  • workspace_id

  • metastore_id

unityCatalog

updateExternalLocation

Account admin makes an update to an external location

unityCatalog

deleteExternalLocation

Account admin deletes an external location

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

createCatalog

User creates a catalog

  • name

unityCatalog

deleteCatalog

User deletes a catalog

  • name_arg

unityCatalog

getCatalog

User requests details about a catalog

  • name_arg

unityCatalog

updateCatalog

User updates a catalog

  • name_arg

  • name

  • owner

  • comment

unityCatalog

listCatalog

User makes a call to list all catalogs in the metastore

  • name_arg

unityCatalog

createSchema

User creates a schema

  • name

  • catalog_name

unityCatalog

deleteSchema

User deletes a schema

  • full_name_arg

unityCatalog

getSchema

User requests details about a schema

  • full_name_arg

unityCatalog

listSchema

User requests list of all schemas in a catalog

  • catalog_name

unityCatalog

updateSchema

User updates a schema

  • full_name_arg

  • name

  • owner

  • comment

unityCatalog

createStagingTable

  • name

  • catalog_name

  • schema_name

unityCatalog

createTable

User creates a table

  • name

  • catalog_name

  • schema_name

  • table_type

  • data_source_format

  • column_infos

  • storage_location

  • sql_path

  • view_definition

  • comment

unityCatalog

deleteTable

User deletes a table

  • full_name_arg

unityCatalog

getTable

User requests details about a table

  • full_name_arg

unityCatalog

privilegedGetTable

  • full_name_arg

unityCatalog

listTables

User makes a call to list all tables in a schema

  • catalog_name

  • schema_name

unityCatalog

listTableSummaries

User gets an array of summaries for tables for a schema and catalog within the metastore.

  • catalog_name

  • workspace_id

  • metastore_id

unityCatalog

updateTables

User makes an update to a table

  • name

  • table_type

  • data_source_format

  • column_infos

  • storage_location

  • sql_path

  • view_definition

  • owner

  • comment

unityCatalog

createStorageCredential

Account admin creates a storage credential

  • data_access_configuration_id

  • table_id

  • operation

unityCatalog

listStorageCredentials

Account admin makes a call to list all storage credentials in the account

  • workspace_id

  • metastore_id

unityCatalog

getStorageCredential

Account admin requests details about a storage credential

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

updateStorageCredential

Account admin makes an update to a storage credential

  • name_arg

  • owner

  • workspace_id

  • metastore_id

unityCatalog

deleteStorageCredential

Account admin deletes a storage credential

  • name_arg

  • owner

  • workspace_id

  • metastore_id

unityCatalog

generateTemporaryTableCredential

Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when.

  • credential_id

  • credential_type

  • is_permissions_enforcing_client

  • table_full_name

  • operation

  • table_id

  • workspace_id

  • table_url

  • metastore_id

unityCatalog

generateTemporaryPathCredential

Logged whenever a temporary credential is granted for a path.

  • url

  • operation

  • workspace_id

  • metastore_id

unityCatalog

getPermissions

User makes a call to get permission details for a securable object

  • securable_type

  • securable_full_name

  • principal

unityCatalog

updatePermissions

User updates permissions on a securable object

  • `securable_type

  • securable_full_name

  • changes

unityCatalog

metadataSnapshot

User queries the metadata from a previous table version

  • securables

  • include_delta_metadata

  • workspace_id

  • metastore_id

unityCatalog

metadataAndPermissionsSnapshot

User queries the metadata and permissions from a previous table version

  • securables

  • include_delta_metadata

  • workspace_id

  • metastore_id

unityCatalog

updateMetadataSnapshot

User updates the metadata from a previous table version

  • table_list_snapshots

  • workspace_id

  • metastore_id

unityCatalog

getForeignCredentials

User makes a call to get details about a foreign key

  • securables

  • workspace_id

  • metastore_id

unityCatalog

getInformationSchema

User makes a call to get details about a schema

  • table_name

  • page_token

  • required_column_names

  • row_set_type

  • workspace_id

  • metastore_id

unityCatalog

createConstraint

User creates a constraint for a table

unityCatalog

deleteConstraint

User deletes a constraint for a table

unityCatalog

createPipeline

User creates a Unity Catalog pipeline

  • target_catalog_name

  • has_workspace_definition

  • id

  • workspace_id

  • metastore_id

unityCatalog

updatePipeline

User updates a Unity Catalog pipeline

  • id_arg

  • definition_json

  • id

  • workspace_id

  • metastore_id

unityCatalog

getPipeline

User requests details about a Unity Catalog pipeline

  • id

  • workspace_id

  • metastore_id

unityCatalog

deletePipeline

User deletes a Unity Catalog pipeline

  • id

  • workspace_id

  • metastore_id

unityCatalog

deleteResourceFailure

Resource fails to delete

Deprecated log events

Databricks has deprecated the following audit events:

  • createAlertDestination (now createNotificationDestination)

  • deleteAlertDestination (now deleteNotificationDestination)

  • updateAlertDestination (now updateNotificationDestination)