Audit log reference

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the audit logs, your enterprise can monitor detailed Databricks usage patterns in your account.

For instructions on configuring log delivery, see Configure audit log delivery. For guidance on analyzing audit logs, see Analyze audit logs.

Audit log services

The following services and their events are logged by default in audit logs.

Workspace-level services

Workspace-level audit logs are available for these services:

Service name	Description
accounts	Events related to accounts, users, groups, and IP access lists.
clusterPolicies	Events related to cluster policies.
clusters	Events related to clusters.
databrickssql	Events related to Databricks SQL use.
dbfs	Events related to DBFS.
deltaPipelines	Events related to Delta Live Table pipelines.
featureStore	Events related to the Databricks Feature Store.
genie	Events related to workspace access by support personnel.
gitCredentials	Events related to Git credentials for Databricks Repos. See also repos.
globalInitScripts	Events related to global init scripts.
groups	Events related to account and workspace groups.
iamRole	Events related to IAM role permissions.
instancePools	Events related to pools.
jobs	Events related to jobs.
mlflowAcledArtifact	Events related to ML Flow artifacts with ACLs.
mlflowExperiment	Events related to ML Flow experiments.
modelRegistry	Events related to the model registry.
notebook	Events related to notebooks.
remoteHistoryService	Events related to adding a removing GitHub Credentials.
repos	Events related to Databricks Repos. See also gitCredentials.
secrets	Events related to secrets.
sqlPermissions	Events related to managing Databricks SQL permissions.
ssh	Events related to SSH access.
webTerminal	Events related to the web terminal feature.
workspace	Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name	Description
accountBillableUsage	Actions related to billable usage access in the account console.
accounts	Actions related to account-level access and identity management.
accountsManager	Actions performed in the accounts console.
logDelivery	Log delivery configuration for such as billable usage or audit logs.
unityCatalog	Actions performed in Unity Catalog. For Delta Sharing events, see Audit and monitor data access using Delta Sharing (for recipients) or Audit and monitor data sharing using Delta Sharing (for providers).

Audit log example schema

In Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following example is for a createMetastoreAssignment event.

  {
    "version":"2.0",
    "auditLevel":"ACCOUNT_LEVEL",
    "timestamp":1629775584891,
    "orgId":"3049056262456431186970",
    "shardName":"test-shard",
    "accountId":"77636e6d-ac57-484f-9302-f7922285b9a5",
    "sourceIPAddress":"10.2.91.100",
    "userAgent":"curl/7.64.1",
    "sessionId":"ephemeral-f836a03a-d360-4792-b081-baba525324312",
    "userIdentity":{
      "email":"crampton.rods@email.com",
      "subjectName":null
    },
    "serviceName":"unityCatalog",
    "actionName":"createMetastoreAssignment",
    "requestId":"ServiceMain-da7fa5878f40002",
    "requestParams":{
      "workspace_id":"30490590956351435170",
      "metastore_id":"abc123456-8398-4c25-91bb-b000b08739c7",
      "default_catalog_name":"main"
    },
    "response":{
      "statusCode":200,
      "errorMessage":null,
      "result":null
    },
    "MAX_LOG_MESSAGE_LENGTH":16384
  }

Audit log schema considerations

• If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.

• Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.

• The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service	Action	Description	Request parameters
accounts	add	An user is added to the Databricks account using username and password for authentication	targetUserName endpoint targetUserId
accounts	addPrincipalToGroup	A user is added to a group	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	changeDatabricksSqlAcl	A user’s Databricks SQL permissions are changed	shardName targetUserId resourceId aclPermissionSet
accounts	changeDatabricksWorkspaceAcl	Permissions to a workspace are changed	shardName targetUserId resourceId aclPermissionSet
accounts	changeDbTokenAcl	When permissions on a token are changed	shardName targetUserId resourceId aclPermissionSet
accounts	changePassword	A user’s account password is changed	newPasswordSource targetUserId serviceSource wasPasswordChanged userId
accounts	changePasswordAcl	A user’s account password is changed	shardName targetUserId resourceId aclPermissionSet
accounts	changeServicePrincipalAcls	When a service principal’s permissions are changed	shardName targetServicePrincipal resourceId aclPermissionSet
accounts	createGroup	A group is created	endpoint targetGroupId targetGroupName
accounts	createIpAccessList	An IP access list is added to the workspace	ipAccessListId userId
accounts	delete	A user is deleted from the Databricks account	targetUserId targetUserName endpoint
accounts	deleteIpAccessList	An IP access list is deleted from the workspace	ipAccessListId userId
accounts	garbageCollectDbToken	A user runs a garbage collect command on expired tokens	tokenExpirationTime tokenClientId userId tokenCreationTime tokenFirstAccessed
accounts	gcpWorkspaceBrowserLogin	A user logs in to their workspace through the GCP browser workflow	user
accounts	generateDbToken	When someone generates a token from User Settings or when the service generates the token	tokenExpirationTime tokenCreatedBy tokenHash userId
accounts	IpAccessDenied	A user attempts to connect to the service through a denied IP	path userId
accounts	ipAccessListQuotaExceeded		userId
accounts	jwtLogin	User logs into Databricks using a JWt	user
accounts	login	User logs into the workspace	user
accounts	logout	User logs out of the workspace	user
accounts	reachMaxQuotaDbToken	When the current number of non-expired tokens exceeds the token quota
accounts	removeAdmin	A user is revoked of admin permissions	targetUserName endpoint targetUserId
accounts	removeGroup	A group is removed from the account	targetGroupId targetGroupName endpoint
accounts	removePrincipalFromGroup	A user is removed from a group	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	resetPassword	A user’s account password is changed	serviceSource userId endpoint targetUserId targetUserName wasPasswordChanged newPasswordSource
accounts	revokeDbToken		userId
accounts	samlLogin	User logs in to Databricks through SAML SSO	user
accounts	setAdmin	A user is granted admin permissions	endpoint targetUserName targetUserId
accounts	tokenLogin	A user logs into Databricks using a token	tokenId user
accounts	updateIpAccessList	An IP access list is changed	ipAccessListId userId
accounts	validateEmail	When a user validates their email after account creation	endpoint targetUserName targetUserId

Clusters events

The following are cluster events logged at the workspace level.

Service	Action	Description	Request parameters
clusters	changeClusterAcl	A user changes the cluster ACl	shardName aclPermissionSet targetUserId resourceId
clusters	create	A user creates a cluster	cluster_log_conf num_workers enable_elastic_disk driver_node_type_id start_cluster docker_image ssh_public_keys gcp_attributes acl_path_prefix node_type_id instance_pool_id spark_env_vars init_scripts spark_version cluster_source autotermination_minutes cluster_name autoscale custom_tags cluster_creator enable_local_disk_encryption idempotency_token spark_conf organization_id no_driver_daemon user_id virtual_cluster_size apply_policy_default_values data_security_mode runtime_engine
clusters	createResult	Results from cluster creation. In conjunction with create.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	delete	A cluster is terminated	cluster_id
clusters	deleteResult	Results from cluster termination. In conjunction with delete.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	edit	A user makes changes to cluster settings. This logs all changes except for change in cluster size or autoscaling behavior.	cluster_log_conf num_workers enable_elastic_disk driver_node_type_id start_cluster docker_image ssh_public_keys gcp_attributes acl_path_prefix node_type_id instance_pool_id spark_env_vars init_scripts spark_version cluster_source autotermination_minutes cluster_name autoscale custom_tags cluster_creator enable_local_disk_encryption idempotency_token spark_conf organization_id no_driver_daemon user_id virtual_cluster_size apply_policy_default_values data_security_mode runtime_engine
clusters	permanentDelete	A cluster is deleted from the Ui	cluster_id
clusters	resize	Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.	cluster_id num_workers autoscale
clusters	resizeResult	Results from cluster resize. In conjunction with resize.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	restart	A user restarts a running cluster	cluster_id
clusters	restartResult	Results from cluster restart. In conjunction with restart.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	start	A user starts a cluster	init_scripts_safe_mode cluster_id
clusters	startResult	Results from cluster start. In conjunction with start.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service	Action	Description	Request parameters
clusterLibraries	installLibraries	User installs a library on a cluster	cluster_id libraries
clusterLibraries	uninstallLibraries	User uninstalls a library on a cluster	cluster_id libraries
clusterLibraries	installLibraryOnAllClusters	Admin schedules a library to install on all cluster	user library
clusterLibraries	uninstallLibraryOnAllClusters	Admin removes a library from the list to install on all clusters	user library

Cluster policy events

The following are clusterPolicies events logged at the workspace level.

Service	Action	Description	Request parameters
clusterPolicies	create	A user created a cluster policy	name
clusterPolicies	edit	A user edited a cluster policy	policy_id name
clusterPolicies	delete	A user deleted a cluster policy	policy_id
clusterPolicies	changeClusterPolicyAcl	An admin changes permissions for a cluster policy	shardName targetUserId resourceId aclPermissionSet

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Service	Action	Description	Request parameters
databrickssql	addDashboardWidget	Add widget is added to a dashboard	dashboardId widgetId
databrickssql	cancelQueryExecution	A query execution is cancelled	queryExecutionId
databrickssql	changeWarehouseAcls	An admin updates permissions on a SQL warehouse	aclPermissionSet resourceId shardName targetUserId
databrickssql	changePermissions	A user updates permissions on an object	granteeAndPermission objectId objectType
databrickssql	cloneDashboard	A user clones a dashboard	dashboardId
databrickssql	commandSubmit	Only in verbose audit logs. Runs when a command is submitted to Databricks SQL.	orgId sourceIpAddress timestamp userAgent userIdentity shardName
databrickssql	commandFinish	Only in verbose audit logs. Runs when a command completes or a command is cancelled.	orgId sourceIpAddress timestamp userAgent userIdentity shardName
databrickssql	createAlert	A user creates an alert	alertId
databrickssql	createNotificationDestination	An admin creates a notification destination	notificationDestinationId notificationDestinationType
databrickssql	createDashboard	A user creates a dashboard	dashboardId
databrickssql	createDataPreviewDashboard	A user creates a data preview dashboard	dashboardId
databrickssql	createWarehouse	An admin creates a SQL warehouse	auto_resume auto_stop_mins channel cluster_size conf_pairs custom_cluster_confs enable_databricks_compute enable_photon enable_serverless_compute instance_profile_arn max_num_clusters min_num_clusters name size spot_instance_policy tags test_overrides
databrickssql	createQuery	A user creates a query snippet	queryId
databrickssql	createQueryDraft	A user creates a query draft	queryId
databrickssql	createQuerySnippet	A user creates a query snippet	querySnippetId
databrickssql	createRefreshSchedule	A user sets a refresh schedule for a query	alertId dashboardId refreshScheduleId
databrickssql	createSampleDashboard	A user creates a sample dashboard	sampleDashboardId
databrickssql	createSubscription	A user subscribes to a dashboard (the dashboard must have a refresh schedule)	dashboardId refreshScheduleId subscriptionId
databrickssql	createVisualization	A user creates a visualization	queryId visualizationId
databrickssql	deleteAlert	A user deletes an alert	alertId
databrickssql	deleteNotificationDestination	An admin deletes a notification destination	notificationDestinationId
databrickssql	deleteDashboard	A user deletes a dashboard	dashboardId
databrickssql	deleteDashboardWidget	A user deletes a dashboard widget	widgetId
databrickssql	deleteWarehouse	An admin deletes a SQL warehouse	id
databrickssql	deleteExternalDatasource	An admin deletes an external data source from the workspace	dataSourceId
databrickssql	deleteQuery	A user deletes a query	queryId
databrickssql	deleteQueryDraft	A user deletes a query draft	queryId
databrickssql	deleteQuerySnippet	A user deletes a query snippet	querySnippetId
databrickssql	deleteRefreshSchedule	A user removes the refresh schedule from a dashboard	alertId dashboardId refreshScheduleId
databrickssql	deleteSubscription	A user removes their subscription from a dashboard	subscriptionId
databrickssql	deleteVisualization	A user deletes a visualization	visualizationId
databrickssql	downloadQueryResult	A user downloads a query result	fileType queryId queryResultId
databrickssql	editWarehouse	An admin makes edits to a SQL warehouse	auto_stop_mins channel cluster_size confs enable_photon enable_serverless_compute id instance_profile_arn max_num_clusters min_num_clusters name spot_instance_policy tags
databrickssql	executeAdhocQuery	A user runs an ad hoc query	dataSourceId
databrickssql	executeSavedQuery	A user runs a saved query	queryId
databrickssql	executeWidgetQuery	A user runs a query in a dashboard widget	widgetId
databrickssql	favoriteDashboard	A user favorites a dashboard	dashboardId
databrickssql	favoriteQuery	A user favorites a query	queryId
databrickssql	forkQuery	A user forks a query	originalQueryId queryId
databrickssql	listQueries		filter_by include_metrics max_results page_token
databrickssql	moveDashboardToTrash	A user moves a dashboard to the trash	dashboardId
databrickssql	moveQueryToTrash	A user moves a query to the trash	queryId
databrickssql	muteAlert	A user mutes an alert	alertId
databrickssql	publishBatch		statuses
databrickssql	publishDashboardSnapshot	A dashboard snapshot gets sent to a notification destination	dashboardId hookId subscriptionId
databrickssql	restoreDashboard	A user restores a dashboard from the trash	dashboardId
databrickssql	restoreQuery	A user restores a query from the trash	queryId
databrickssql	setWarehouseConfig	An admin sets the configuration for a SQL warehouse	data_access_config enable_serverless_compute instance_profile_arn security_policy serverless_agreement sql_configuration_parameters try_create_databricks_managed_starter_warehouse
databrickssql	snapshotDashboard	A user takes a snapshot of a dashboard	dashboardId
databrickssql	startWarehouse	A SQL warehouse is started	id
databrickssql	stopWarehouse	An admin stops a SQL warehouse (does not include auto stop)	id
databrickssql	subscribeAlert	A user subscribes to an alert	alertId destinationId
databrickssql	transferObjectOwnership	An admin transfers the ownership of a dashboard, query, or alert to an active user.	newOwner objectId objectType
databrickssql	unfavoriteDashboard	A user removes a dashboard from their favorites	dashboardId
databrickssql	unfavoriteQuery	A user removes a query from their favorites	queryId
databrickssql	unmuteAlert	A user unmutes an alert	alertId
databrickssql	unsubscribeAlert	A user unsubscribes from an alert	alertId subscriberId
databrickssql	updateAlert	A user makes updates to an alert	alertId queryId
databrickssql	updateNotificationDestination	An admin makes an update to a notification destination	notificationDestinationId
databrickssql	updateDashboard	A user makes an update to a dashboard	dashboardId
databrickssql	updateDashboardWidget	A user makes an update to a dashboard widget	widgetId
databrickssql	updateOrganizationSetting	An admin makes updates to the workspace’s SQL settings	has_configured_data_access has_explored_sql_warehouses has_granted_permissions
databrickssql	updateQuery	A user makes an update to a query	queryId
databrickssql	updateQueryDraft	A user makes an update to a query draft	queryId
databrickssql	updateQuerySnippet	A user makes an update to a query snippet	querySnippetId
databrickssql	updateRefreshSchedule	A user makes updates to a dashboard’s refresh schedule	alertId dashboardId refreshScheduleId
databrickssql	updateVisualization	A user updates a visualization	visualizationId

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service	Action	Description	Request parameters
dbfs	addBlock	User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.	handle data_length
dbfs	create	User opens a stream to write a file to DBFs	path bufferSize overwrite
dbfs	delete	User deletes the file or directory from DBFs	recursive path
dbfs	mkdirs	User creates a new DBFS directory	path
dbfs	move	User moves a file from one location to another location within DBFs	dst source_path src destination_path
dbfs	put	User uploads a file through the use of multipart form post to DBFs	path overwrite

DBFS operational events

The following DBFS audit events occur at the data plane.

Service	Action	Description	Request parameters
dbfs	mount	User creates a mount point at a certain DBFS location	mountPoint owner
dbfs	unmount	User removes a mount point at a certain DBFS location	mountPoint

Delta pipelines events

Service	Action	Description	Request parameters
deltaPipelines	changePipelineAcls	A user changes permissions on a pipeline	shardId targetUserId resourceId aclPermissionSet
deltaPipelines	create	A user creates a Delta Live Tables pipeline	allow_duplicate_names clusters configuration continuous development dry_run id libraries name storage target channel edition photon
deltaPipelines	delete	A user deletes a Delta Live Tables pipeline	pipeline_id
deltaPipelines	edit	A user edits a Delta Live Tables pipeline	allow_duplicate_names clusters configuration continuous development expected_last_modified id libraries name pipeline_id storage target channel edition photon
deltaPipelines	startUpdate	A user restarts a Delta Live Tables pipeline	cause full_refresh job_task pipeline_id
deltaPipelines	stop	A user stops a Delta Live Tables pipeline	pipeline_id

Feature store events

The following featureStore events are logged at the workspace level.

Service	Action	Description	Request parameters
featureStore	addConsumer	A consumer is added to the feature store	features job_run notebook
featureStore	addDataSources	A data source is added to a feature table	feature_table paths, tables
featureStore	addProducer	A producer is added to a feature table	feature_table job_run notebook
featureStore	changeFeatureTableAcl	Permissions are changed in a feature table	aclPermissionSet resourceId shardName targetUserId
featureStore	createFeatureTable	A feature table is created	description name partition_keys primary_keys timestamp_keys
featureStore	createFeatures	Features are created in a feature table	feature_table features
featureStore	deleteFeatureTable	A feature table is deleted	name
featureStore	deleteTags	Tags are deleted from a feature table	feature_table_id keys
featureStore	getConsumers	A user makes a call to get the consumers in a feature table	feature_table
featureStore	getFeatureTable	A user makes a call to get feature tables	name
featureStore	getFeatureTablesById	A user makes a call to get feature table IDs	ids
featureStore	getFeatures	A user makes a call to get features	feature_table max_results
featureStore	getModelServingMetadata	A user makes a call to get Model Serving metadata	feature_table_features
featureStore	getOnlineStore	A user makes a call to get online store details	cloud feature_table online_table store_type
featureStore	getTags	A user makes a call to get tags for a feature table	feature_table_id
featureStore	publishFeatureTable	A feature table is published	cloud feature_table host online_table port read_secret_prefix store_type write_secret_prefix
featureStore	searchFeatureTables	A user searches for feature tables	max_results page_token text
featureStore	setTags	Tags are added to a feature table	feature_table_id tags
featureStore	updateFeatureTable	A feature table is updated	description name

Genie events

The following genie events are logged at the workspace level.

Service	Action	Description	Request parameters
genie	databricksAccess	A Databricks personnel is authorized to access a customer environment	duration approver reason authType user

Git credential events

The following gitCredentials events are logged at the workspace level.

Service	Action	Description	Request parameters
gitCredentials	getGitCredential	A user gets a git credentials	id
gitCredentials	listGitCredentials	A user lists all git credentials	none
gitCredentials	deleteGitCredential	A user deletes a git credential	id
gitCredentials	updateGitCredential	A user updates a git credential	id git_provider git_username
gitCredentials	createGitCredential	A user creates a git credential	git_provider git_username

Groups events

The following groups events are logged at the workspace level.

Service	Action	Description	Request parameters
groups	addPrincipalToGroup	An admin adds a user to a group	user_name parent_name
groups	createGroup	An admin creates a group	group_name
groups	getGroupMembers	An admin views group members	group_name
groups	getGroups	An admin views a list of groups	none
groups	getInheritedGroups	An admin views inherited groups	none
groups	removeGroup	An admin removes a group	group_name

IAM role events

The following iamRole events are logged at the workspace level.

Service	Action	Description	Request parameters
iamRole	changeIamRoleAcl	An admin changes permissions for an IAM role	targetUserId shardName resourceId aclPermissionSet

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service	Action	Description	Request parameters
globalInitScripts	create	An admin creates a global initialization script	name position script-SHA256 enabled
globalInitScripts	update	An admin updates a global initialization script	script_id name position script-SHA256 enabled
globalInitScripts	delete	An admin deletes a global initialization script	script_id

Instance pool events

The following instancePools events are logged at the workspace level.

Service	Action	Description	Request parameters
instancePools	changeInstancePoolAcl	A user changes an instance pool’s permissions	shardName resourceId targetUserId aclPermissionSet
instancePools	create	A user creates an instance pool	enable_elastic_disk preloaded_spark_versions idle_instance_autotermination_minutes instance_pool_name node_type_id custom_tags max_capacity min_idle_instances aws_attributes
instancePools	delete	A user deletes an instance pool	instance_pool_id
instancePools	edit	A user edits an instance pool	instance_pool_name idle_instance_autotermination_minutes min_idle_instances preloaded_spark_versions max_capacity enable_elastic_disk node_type_id instance_pool_id aws_attributes

Job events

The following jobs events are logged at the workspace level.

Service	Action	Description	Request parameters
jobs	cancel	A job run is cancelled	run_id
jobs	cancelAllRuns	A user cancels all runs on a job	job_id
jobs	changeJobAcl	A user updates permissions on a job	shardName aclPermissionSet resourceId targetUserId
jobs	create	A user creates a job	spark_jar_task email_notifications notebook_task spark_submit_task timeout_seconds libraries name spark_python_task job_type new_cluster existing_cluster_id max_retries schedule
jobs	delete	A user deletes a job	job_id
jobs	deleteRun	A user deletes a job run	run_id
jobs	getRunOutput	A user makes an API call to get a run output	run_id is_from_webapp
jobs	repairRun	A user repairs a job run	run_id latest_repair_id rerun_tasks
jobs	reset	A job is reset	job_id new_settings
jobs	resetJobAcl	A user requests the change of a job’s permissions	grants job_id
jobs	runFailed	A job run fails	jobClusterType jobTriggerType jobId jobTaskType runId jobTerminalState idInJob orgId
jobs	runNow	A user triggers an on-demand job run	notebook_params job_id jar_params workflow_context
jobs	runStart	Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depends on the type of tasks in the job. In addition to the parameters listed, they can include: dashboardId (for a SQL dashboard task) filePath (for a SQL file task) notebookPath (for a notebook task) mainClassName (for a Spark JAR task) pythonFile (for a Spark JAR task) projectDirectory (for a dbt task) commands (for a dbt task) packageName (for a Python wheel task) entryPoint (for a Python wheel task) pipelineId (for a pipeline task) queryIds (for a SQL query task) alertId (for a SQL alert task)	taskDependencies multitaskParentRunId orgId idInJob jobId jobTerminalState taskKey jobTriggerType jobTaskType runId
jobs	runSucceeded	A job run is successful	idInJob jobId jobTriggerType orgId runId jobClusterType jobTaskType jobTerminalState
jobs	runTriggered	A job schedule is triggered automatically according to its schedule or trigger	jobId jobTriggeredType runId
jobs	sendRunWebhook	A webhook is sent either when the job begins, completes, or fails.	orgId jobId jobWebhookId jobWebhookEvent runId
jobs	setTaskValue	A user sets values for a task	run_id key
jobs	submitRun	A user submits a one-time run via the APi	shell_command_task run_name spark_python_task existing_cluster_id notebook_task timeout_seconds libraries new_cluster spark_jar_task
jobs	update	A user edits a job’s settings	fields_to_remove job_id new_settings

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service	Action name	Description	Request parameters
mlflowAcledArtifact	readArtifact	A user makes call to read an artifact	artifactLocation experimentId runId
mlflowAcledArtifact	writeArtifact	A user makes call to write to an artifact	artifactLocation experimentId runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service	Action	Description	Request parameters
mlflowExperiment	deleteMlflowExperiment	A user deletes an MLflow experiment	experimentId path experimentName
mlflowExperiment	moveMlflowExperiment	A user moves an MLflow experiment	newPath experimentId oldPath
mlflowExperiment	restoreMlflowExperiment	A user restores an MLflow experiment	experimentId path experimentName
mlflowExperiment	renameMlflowExperiment	A user renames an MLflow experiment	oldName newName experimentId parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service	Action	Description	Request parameters
modelRegistry	approveTransitionRequest	A user approves a model version stage transition request	name version stage archive_existing_versions
modelRegistry	changeRegisteredModelAcl	A user updates permissions for a registered model	registeredModelId userId
modelRegistry	createComment	A user posts a comment on a model version	name version
modelRegistry	createModelVersion	A user creates a model version	name source run_id tags run_link
modelRegistry	createRegisteredModel	A user creates a new registered model	name tags
modelRegistry	createRegistryWebhook	User creates a webhook for Model Registry events	orgId registeredModelId events description status creatorId httpUrlSpec
modelRegistry	createTransitionRequest	A user creates a model version stage transition request	name version stage
modelRegistry	deleteComment	A user deletes a comment on a model version	id
modelRegistry	deleteModelVersion	A user deletes a model version	name version
modelRegistry	deleteModelVersionTag	A user deletes a model version tag	name version key
modelRegistry	deleteRegisteredModel	A user deletes a registered model	name
modelRegistry	deleteRegisteredModelTag	A user deletes the tag for a registered model	name key
modelRegistry	deleteRegistryWebhook	User deletes a Model Registry webhook	orgId webhookId
modelRegistry	deleteTransitionRequest	A user cancels a model version stage transition request	“- name version stage creator
modelRegistry	finishCreateModelVersionAsync	Completed asynchronous model copying	name version
modelRegistry	generateBatchInferenceNotebook	Batch inference notebook is autogenerated	userId orgId modelName inputTableOpt outputTablePathOpt stageOrVersion modelVersionEntityOpt notebookPath
modelRegistry	generateDltInferenceNotebook	Inference notebook for a Delta Live Tables pipeline is autogenerated	userId orgId modelName inputTable outputTable stageOrVersion notebookPath
modelRegistry	getModelVersionDownloadUri	A user gets a URI to download the model version	name version
modelRegistry	getModelVersionSignedDownloadUri	A user gets a URI to download a signed model version	name version path
modelRegistry	listModelArtifacts	A user makes a call to list a model’s artifacts	name version path page_token
modelRegistry	listRegistryWebhooks	A user makes a call to list all registry webhooks in the model	orgId registeredModelId
modelRegistry	rejectTransitionRequest	A user rejects a model version stage transition request	name version stage
modelRegistry	renameRegisteredModel	A user renames a registered model	name new_name
modelRegistry	setEmailSubscriptionStatus	A user updates the email subscription status for a registered model
modelRegistry	setModelVersionTag	A user sets a model version tag	name version key value
modelRegistry	setRegisteredModelTag	A user sets a model version tag	name key value
modelRegistry	setUserLevelEmailSubscriptionStatus	A user updates their email notifications status for the whole registry	orgId userId subscriptionStatus
modelRegistry	testRegistryWebhook	A user tests the Model Registry webhook	orgId webhookId
modelRegistry	transitionModelVersionStage	A user gets a list of all open stage transition requests for the model version	name version stage archive_existing_versions
modelRegistry	triggerRegistryWebhook	A Model Registry webhook is triggered by an event	orgId registeredModelId events status
modelRegistry	updateComment	A user post an edit to a comment on a model version.	id
modelRegistry	updateRegistryWebhook	A user updates a Model Registry webhook	orgId webhookId

Notebook events

The following notebook events are logged at the workspace level.

Service	Action	Description	Request parameters
notebook	attachNotebook	A notebook is attached to a cluster	path clusterId notebookId
notebook	cloneNotebook	A user clones a notebook	notebookId path clonedNotebookId destinationPath
notebook	createNotebook	A notebook is created	notebookId path
notebook	deleteFolder	A notebook folder is deleted	path
notebook	deleteNotebook	A notebook is deleted	notebookId notebookName path
notebook	detachNotebook	A notebook is detached from a cluster	notebookId clusterId path
notebook	downloadLargeResults	A user downloads query results too large to display in the notebook	notebookId notebookFullPath
notebook	downloadPreviewResults	A user downloads the query results	notebookId notebookFullPath
notebook	importNotebook	A user imports a notebook	path
notebook	moveFolder	A notebook folder is moved from one location to another	oldPath newPath folderId
notebook	moveNotebook	A notebook is moved from one location to another	newPath oldPath notebookId
notebook	renameNotebook	A notebook is renamed	newName oldName parentPath notebookId
notebook	restoreFolder	A deleted folder is restored	path
notebook	restoreNotebook	A deleted notebook is restoired	path notebookId notebookName
notebook	runCommand	Avaible when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.	notebookId executionTime status commandId commandText commandLanguage
notebook	takeNotebookSnapshot	Notebook snapshots are taken when either the job service or mlflow is run	path

Partner Connect events

The following partnerHub events are logged at the workspace level.

Service	Action	Description	Request parameters
partnerHub	createOrReusePartnerConnection	A workspace admin sets up a connection to a partner solution	partner_name
partnerHub	deletePartnerConnection	A workspace admin deletes a partner connection	partner_name
partnerHub	downloadPartnerConnectionFile	A workspace admin downloads the partner connection file	partner_name
partnerHub	setupResourcesForPartnerConnection	A workspace admin sets up resources for a partner connection	partner_name

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service	Action	Description	Request parameters
remoteHistoryService	addUserGitHubCredentials	User adds Github Credentials	none
remoteHistoryService	deleteUserGitHubCredentials	User removes Github Credentials	none
remoteHistoryService	updateUserGitHubCredentials	User updates Github Credentials	none

Repos events

The following repos events are logged at the workspace level.

Service	Action name	Description	Request parameters
repos	checkoutBranch	A user checks out a branch on the repo	id branch
repos	commitAndPush	A user commits and pushes to a repo	id message files checkSensitiveToken
repos	createRepo	A user creates a repo in the workspace	url provider path
repos	deleteRepo	A user deletes a repo	id
repos	discard	A user discards a commit to a repo	id file_paths
repos	getRepo	A user makes a call to get information about a single repo	id
repos	listRepos	A user makes a call to get all repos they have Manage permissions on	path_prefix next_page_token
repos	pull	A user pulls the latest commits from a repo	id
repos	updateRepo	A user updates the repo to a different branch or tag, or to the latest commit on the same branch	id branch tag git_url git_provider

Secrets events

The following secrets events are logged at the workspace level.

Service	Action name	Description	Request parameters
secrets	createScope	User creates a secret scope	scope initial_manage_principal scope_backend_type
secrets	deleteAcl	User deletes ACLs for a secret scope	scope principal
secrets	deleteScope	User deletes a secret scope	scope
secrets	deleteSecret	User deletes a secret from a scope	key scope
secrets	getAcl	User gets ACLs for a secret scope	scope principal
secrets	getSecret	User gets a secret from a scope	key scope
secrets	listAcls	User makes a call to list ACLs for a secret scope	scope
secrets	listScopes	User makes a call to list secret scopes	none
secrets	listSecrets	User makes a call to list secrets within a scope	scope
secrets	putAcl	User changes ACLs for a secret scope	scope principal permission
secrets	putSecret	User adds or edits a secret within a scope	string_value key scope

SQL table access events

The following sqlPermissions events are logged at the workspace level.

Service	Action name	Description	Request parameters
sqlPermissions	changeSecurableOwner	Workspace admin or owner of an object transfers object ownership	securable principal
sqlPermissions	createSecurable	User creates a securable object	securable
sqlPermissions	denyPermission	Object owner denies privileges on a securable object	permission
sqlPermissions	grantPermission	Object owner grants permission on a securable object	permission
sqlPermissions	removeAllPermissions	User drops a securable object	securable
sqlPermissions	renameSecurable	User renames a securable object	before after
sqlPermissions	requestPermissions	User requests permissions on a securable object	requests
sqlPermissions	revokePermission	Object owner revokes permissions on their securable object	permission
sqlPermissions	showPermissions	User views securable object permissions	securable principal

SSH events

The following ssh events are logged at the workspace level.

Service	Action name	Description	Request parameters
ssh	login	Agent login of SSH into Spark driver	containerId userName port publicKey instanceId
ssh	logout	Agent logout of SSH from Spark driver	userName containerId instanceId

Web terminal events

The following webTerminal events are logged at the workspace level.

Service	Action name	Description	Request parameters
webTerminal	startSession	User starts a web terminal sessions	socketGUID clusterId serverPort ProxyTargetURI
webTerminal	closeSession	User closes a web terminal session	socketGUID clusterId serverPort ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level.

Service	Action name	Description	Request parameters
workspace	changeWorkspaceAcl	Permissions to the workspace are changed	shardName targetUserId aclPermissionSet resourceId
workspace	deleteSetting	A setting is deleted from the workspace	settingKeyTypeName settingKeyName settingTypeName settingName
workspace	fileCreate	User creates a file in the workspace	path
workspace	fileDelete	User deletes a file in the workspace	path
workspace	fileEditorOpenEvent	User opens the file editor	notebookId path
workspace	getRoleAssignment	User gets a workspace’s user roles	account_id workspace_id
workspace	moveWorkspaceNode	Admin moves workspace node	destinationPath path
workspace	purgeWorkspaceNodes	Admin purges workspace nodes	treestoreId
workspace	renameWorkspaceNode	Admin renames workspace nodes	path destinationPath
workspace	updateRoleAssignment	An admin updates a workspace user’s role	account_id workspace_id principal_id
workspace	setSetting	An admin configures a workspace setting	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
workspace	workspaceConfEdit	Workspace admin makes updates to a setting, for example enabling verbose audit logs	workspaceConfKeys workspaceConfValues
workspace	workspaceExport	User exports a notebook from a workspace	workspaceExportDirectDownload workspaceExportFormat notebookFullPath

Billable usage events

The following accountBillableUsage events are logged at the account level.

Service	Action	Description	Request parameters
accountBillableUsage	getAggregatedUsage	User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature	account_id window_size start_time end_time meter_name workspace_ids_filter
accountBillableUsage	getDetailedUsage	User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature	account_id start_month end_month with_pii

Account-level account events

Service	Action	Description	Request parameters
accounts	accountIpAclsValidationFailed	IP permissions validation fails. Returns statusCode 403.	sourceIpAddress user: logged as an email address
accounts	addPrincipalToGroup	A user is added to an account-level group	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	createGroup	An account-level group is created	endpoint targetGroupId targetGroupName
accounts	deleteSetting	Account admin removes a setting from the Databricks account	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
accounts	gcpWorkspaceBrowserLogin	Account admin navigates to the account console from their workspace	user
accounts	login	Account admin logs into the account console	user
accounts	logout	Account admin logs out of the account console	user
accounts	setAccountAdmin	An account admin assigns the account admin role to another user	targetUserName endpoint targetUserId
accounts	setSetting	Admin updates an account-level setting	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
accounts	updateUser	An account admin updates a user’s account from the account console	targetUserName endpoint targetUserId

Account management events

The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.

Service	Action	Description	Request parameters
accountsManager	changeAccountOwner	Account owner role is transferred to another account admin	account_id first_name last_name email
accountsManager	createNetworkConfiguration	Account admin created a network configuration	network
accountsManager	createPrivateAccessSettings	Account admin created a private access settings configuration	private_access_settings
accountsManager	createVpcEndpoint	Account admin created a VPC endpoint configuration	vpc_endpoint
accountsManager	createWorkspaceConfiguration	Account admin creates a new workspace	workspace
accountsManager	deleteNetworkConfiguration	Account admin deleted a network configuration	account_id network_id
accountsManager	deletePrivateAccessSettings	Account admin deleted a private access settings configuration	account_id private_access_settings_id
accountsManager	deleteVpcEndpoint	Account admin deleted a VPC endpoint configuration	account_id vpc_endpoint_id
accountsManager	deleteWorkspaceConfiguration	Account admin deleted a workspace	account_id workspace_id
accountsManager	getNetworkConfiguration	Account admin requests details about a network configuration	account_id network_id
accountsManager	getPrivateAccessSettings	Account admin requests details about a private access settings configuration	account_id private_access_settings_id
accountsManager	getVpcEndpoint	Account admin requests details about a VPC endpoint configuration	account_id vpc_endpoint_id
accountsManager	getWorkspaceConfiguration	Account admin requests details about a workspace	account_id workspace_id
accountsManager	listNetworkConfigurations	Account admin lists all network configurations in the account	account_id
accountsManager	listPrivateAccessSettings	Account admin lists all private access settings configurations in the account	account_id
accountsManager	listSubscriptions	Account admin lists all account billing subscriptions	account_id
accountsManager	listVpcEndpoints	Account admin listed all VPC endpoint configurations for the account	account_id
accountsManager	listWorkspaceConfigurations	Account admin lists all workspace in the account	account_id
accountsManager	listWorkspaceEncryptionKeyRecords	Account admin lists all encryption key records in a specific workspace	account_id workspace_id
accountsManager	listWorkspaceEncryptionKeyRecordsForAccount	Account admin lists all encryption key records in the account	account_id
accountsManager	updateAccount	The account details were changed internally	account_id account
accountsManager	updateSubscription	The account billing subscriptions were updated	account_id subscription_id subscription
accountsManager	updateWorkspaceConfiguration	Admin updated the configuration for a workspace	account_id workspace_id

Log delivery events

The following logDelivery events are logged at the account level.

Service	Action	Description	Request parameters
logDelivery	createLogDeliveryConfiguration	Admin created a log delivery configuration	account_id config_id
logDelivery	getLogDeliveryConfiguration	Admin requested details about a log delivery configuration	log_delivery_configuration
logDelivery	listLogDeliveryConfigurations	Admin listed all log delivery configuration in the account	account_id storage_configuration_id credentials_id status
logDelivery	updateLogDeliveryConfiguration	Admin updated a log delivery configuration	config_id account_id status

Single-sign on events

The following ssoConfigBackend events are logged at the account level and are related to SSO authentication for the account console.

Service	Action	Description	Request parameters
ssoConfigBackend	create	Account admin created an accounts console SSO configuration	account_id sso_type config
ssoConfigBackend	get	Account admin requested details about an accounts console SSO configuration	account_id sso_type
ssoConfigBackend	update	Account admin updated an accounts console SSO configuration	account_id sso_type config

Unity Catalog events

The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Audit and monitor data access using Delta Sharing (for recipients) or Audit and monitor data sharing using Delta Sharing (for providers).

Service	Action	Description	Request parameters
unityCatalog	createMetastore	Account admin creates a metastore	name storage_root
unityCatalog	getMetastore	Account admin requests metastore Id	id
unityCatalog	getMetastoreSummary	Account admin requests details about a metastore	workspace_id metastore_id
unityCatalog	listMetastores	Account admin requests a list of all metastores in an account	workspace_id
unityCatalog	updateMetastores	Account admin makes an update to a metastore	id name storage_root default_data_access_config_id delta_sharing_enabled owner
unityCatalog	deleteMetastore	Account admin deletes a metastore	id force
unityCatalog	createMetastore	Account admin creates a metastore	workspace_id metastore_id default_catalog_name
unityCatalog	updateMetastoreAssignment	Account admin makes an update to a metastore’s workspace assignment	workspace_id metastore_id default_catalog_name
unityCatalog	createExternalLocation	Account admin creates an external location	name skip_validation url credential_name workspace_id metastore_id
unityCatalog	getExternalLocation	Account admin requests details about an external location	name_arg workspace_id metastore_id
unityCatalog	listExternalLocations	Account admin request list of all external locations in an account	url max_results workspace_id metastore_id
unityCatalog	updateExternalLocation	Account admin makes an update to an external location
unityCatalog	deleteExternalLocation	Account admin deletes an external location	name_arg workspace_id metastore_id
unityCatalog	createCatalog	User creates a catalog	name
unityCatalog	deleteCatalog	User deletes a catalog	name_arg
unityCatalog	getCatalog	User requests details about a catalog	name_arg
unityCatalog	updateCatalog	User updates a catalog	name_arg name owner comment
unityCatalog	listCatalog	User makes a call to list all catalogs in the metastore	name_arg
unityCatalog	createSchema	User creates a schema	name catalog_name
unityCatalog	deleteSchema	User deletes a schema	full_name_arg
unityCatalog	getSchema	User requests details about a schema	full_name_arg
unityCatalog	listSchema	User requests list of all schemas in a catalog	catalog_name
unityCatalog	updateSchema	User updates a schema	full_name_arg name owner comment
unityCatalog	createStagingTable		name catalog_name schema_name
unityCatalog	createTable	User creates a table	name catalog_name schema_name table_type data_source_format column_infos storage_location sql_path view_definition comment
unityCatalog	deleteTable	User deletes a table	full_name_arg
unityCatalog	getTable	User requests details about a table	full_name_arg
unityCatalog	privilegedGetTable		full_name_arg
unityCatalog	listTables	User makes a call to list all tables in a schema	catalog_name schema_name
unityCatalog	listTableSummaries	User gets an array of summaries for tables for a schema and catalog within the metastore.	catalog_name workspace_id metastore_id
unityCatalog	updateTables	User makes an update to a table	name table_type data_source_format column_infos storage_location sql_path view_definition owner comment
unityCatalog	createStorageCredential	Account admin creates a storage credential	data_access_configuration_id table_id operation
unityCatalog	listStorageCredentials	Account admin makes a call to list all storage credentials in the account	workspace_id metastore_id
unityCatalog	getStorageCredential	Account admin requests details about a storage credential	name_arg workspace_id metastore_id
unityCatalog	updateStorageCredential	Account admin makes an update to a storage credential	name_arg owner workspace_id metastore_id
unityCatalog	deleteStorageCredential	Account admin deletes a storage credential	name_arg owner workspace_id metastore_id
unityCatalog	generateTemporaryTableCredential	Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when.	credential_id credential_type is_permissions_enforcing_client table_full_name operation table_id workspace_id table_url metastore_id
unityCatalog	generateTemporaryPathCredential	Logged whenever a temporary credential is granted for a path.	url operation workspace_id metastore_id
unityCatalog	getPermissions	User makes a call to get permission details for a securable object	securable_type securable_full_name principal
unityCatalog	updatePermissions	User updates permissions on a securable object	`securable_type securable_full_name changes
unityCatalog	metadataSnapshot	User queries the metadata from a previous table version	securables include_delta_metadata workspace_id metastore_id
unityCatalog	metadataAndPermissionsSnapshot	User queries the metadata and permissions from a previous table version	securables include_delta_metadata workspace_id metastore_id
unityCatalog	updateMetadataSnapshot	User updates the metadata from a previous table version	table_list_snapshots workspace_id metastore_id
unityCatalog	getForeignCredentials	User makes a call to get details about a foreign key	securables workspace_id metastore_id
unityCatalog	getInformationSchema	User makes a call to get details about a schema	table_name page_token required_column_names row_set_type workspace_id metastore_id
unityCatalog	createConstraint	User creates a constraint for a table
unityCatalog	deleteConstraint	User deletes a constraint for a table
unityCatalog	createPipeline	User creates a Unity Catalog pipeline	target_catalog_name has_workspace_definition id workspace_id metastore_id
unityCatalog	updatePipeline	User updates a Unity Catalog pipeline	id_arg definition_json id workspace_id metastore_id
unityCatalog	getPipeline	User requests details about a Unity Catalog pipeline	id workspace_id metastore_id
unityCatalog	deletePipeline	User deletes a Unity Catalog pipeline	id workspace_id metastore_id
unityCatalog	deleteResourceFailure	Resource fails to delete

Delta Sharing events

To view a reference of Delta Sharing audit events, see Audit and monitor data access using Delta Sharing (for recipients) or Audit and monitor data sharing using Delta Sharing (for providers).

Deprecated log events

Databricks has deprecated the following audit events:

• createAlertDestination (now createNotificationDestination)

• deleteAlertDestination (now deleteNotificationDestination)

• updateAlertDestination (now updateNotificationDestination)