Diagnostic log reference

2025-06-20

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of audit log services and events. The availability of these services depends on how you access the logs:

The audit log system table records all events and services listed in this article.
Azure Monitor's diagnostic settings service does not log all of these services. Services that are unavailable on Azure's diagnostic settings are labeled accordingly.

Note

Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.

Diagnostic log services

The following services and their events are logged by default in diagnostic logs.

Note

The workspace-level and account-level designations only apply to the audit logs system table. Azure diagnostic logs do not include account-level events.

Workspace-level services

Service name	Description
accounts	Events related to accounts, users, groups, and IP access lists.
aibiGenie	Events related to AI/BI Genie spaces.
alerts	Events related to alerts.
apps	Events related to Databricks Apps.
clusters	Events related to clusters.
clusterPolicies	Events related to cluster policies.
dashboards	Events related to AI/BI dashboard use.
database	Events related to Lakebase.
databrickssql	Events related to Databricks SQL use.
dataMonitoring	Events related to Lakehouse Monitoring.
dbfs	Events related to DBFS.
deltaPipelines	Events related to Lakeflow Declarative Pipelines.
featureStore	Events related to the Databricks Feature Store.
filesystem	Events related to file management, which includes interacting with files using the Files API or in the volumes UI.
genie	Events related to workspace access by support personnel. Not related AI/BI Genie spaces.
gitCredentials	Events related to Git credentials for Databricks Git folders. See also `repos`.
globalInitScripts	Events related to global init scripts.
groups	Events related to account and workspace groups.
iamRole	Events related to IAM role permissions.
ingestion	Events related to file uploads.
instancePools	Events related to pools.
jobs	Events related to jobs.
lineageTracking	Events related to data lineage.
marketplaceConsumer	Events related to consumer actions in Databricks Marketplace.
marketplaceProvider	Events related to provider actions in Databricks Marketplace.
mlflowAcledArtifact	Events related to ML Flow artifacts with ACLs.
mlflowExperiment	Events related to ML Flow experiments.
modelRegistry	Events related to the model registry.
notebook	Events related to notebooks.
partnerConnect	Events related to Partner Connect.
predictiveOptimization	Events related to predictive optimization.
RemoteHistoryService	Events related to adding and removing GitHub Credentials.
repos	Events related to Databricks Git folders. See also `gitCredentials`.
secrets	Events related to secrets.
serverlessRealTimeInference	Events related to model serving.
sqlPermissions	Events related to the legacy Hive metastore table access control.
ssh	Events related to SSH access.
uniformIcebergRestCatalog	Events related to the use of the Iceberg REST Catalog API.
vectorSearch	Events related to Vector Search.
webhookNotifications	Events related to notification destinations.
webTerminal	Events related to the web terminal feature.
workspace	Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name	Description
accountsAccessControl	Actions related to the Account Access Control API.
accountBillableUsage	Actions related to billable usage access in the account console.
accountsManager	Actions related to network connectivity configurations.
budgetPolicyCentral	Actions related to managing serverless budget policies.
clean-room	Actions related to Clean Rooms.
unityCatalog	Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events.

Additional security monitoring services

There are additional services and associated actions for workspaces that use the compliance security profile (required for some compliance standards such as HIPAA) or Enhanced security monitoring.

These are workspace-level services that will only generate in your logs if you are using the compliance security profile or enhanced security monitoring:

Service name	Description
capsule8-alerts-dataplane	Actions related to file integrity monitoring.
clamAVScanService-dataplane	Actions related to antivirus monitoring.

Diagnostic log example schema

In Azure Databricks, diagnostic logs output events in a JSON format. In Azure Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following JSON sample is an example of an event logged when a user created a job:

{
  "TenantId": "<your-tenant-id>",
  "SourceSystem": "|Databricks|",
  "TimeGenerated": "2019-05-01T00:18:58Z",
  "ResourceId": "/SUBSCRIPTIONS/SUBSCRIPTION_ID/RESOURCEGROUPS/RESOURCE_GROUP/PROVIDERS/MICROSOFT.DATABRICKS/WORKSPACES/PAID-VNET-ADB-PORTAL",
  "OperationName": "Microsoft.Databricks/jobs/create",
  "OperationVersion": "1.0.0",
  "Category": "jobs",
  "Identity": {
    "email": "mail@contoso.com",
    "subjectName": null
  },
  "SourceIPAddress": "131.0.0.0",
  "LogId": "201b6d83-396a-4f3c-9dee-65c971ddeb2b",
  "ServiceName": "jobs",
  "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
  "SessionId": "webapp-cons-webapp-01exaj6u94682b1an89u7g166c",
  "ActionName": "create",
  "RequestId": "ServiceMain-206b2474f0620002",
  "Response": {
    "statusCode": 200,
    "result": "{\"job_id\":1}"
  },
  "RequestParams": {
    "name": "Untitled",
    "new_cluster": "{\"node_type_id\":\"Standard_DS3_v2\",\"spark_version\":\"5.2.x-scala2.11\",\"num_workers\":8,\"spark_conf\":{\"spark.databricks.delta.preview.enabled\":\"true\"},\"cluster_creator\":\"JOB_LAUNCHER\",\"spark_env_vars\":{\"PYSPARK_PYTHON\":\"/databricks/python3/bin/python3\"},\"enable_elastic_disk\":true}"
  },
  "Type": "DatabricksJobs"
}

Diagnostic log schema considerations

If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.
Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.
The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service	Action	Description	Request parameters
`accounts`	`accountLoginCodeAuthentication`	A user's account login code is authenticated.	`user`
`accounts`	`activateUser`	A user is reactivated after being deactivated. See Deactivate users in workspace.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`aadBrowserLogin`	A user logs in to Databricks using a Microsoft Entra ID browser workflow.	`user`
`accounts`	`aadTokenLogin`	A user logs in to Databricks through the Microsoft Entra ID token.	`user`
`accounts`	`add`	A user is added to a Azure Databricks workspace.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`addPrincipalToGroup`	A user is added to a workspace-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`accounts`	`changeDatabricksSqlAcl`	A user's Databricks SQL permissions are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`accounts`	`changeDatabricksWorkspaceAcl`	Permissions to a workspace are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`accounts`	`changeDbTokenAcl`	Permissions on an access token are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`accounts`	`changeDbTokenState`	A Databricks access token is disabled.	`tokenHash` `tokenState` `userId`
`accounts`	`changeServicePrincipalAcls`	When a service principal's permissions are changed.	`shardName` `targetServicePrincipal` `resourceId` `aclPermissionSet`
`accounts`	`createGroup`	A workspace-level group is created.	`endpoint` `targetUserId` `targetUserName`
`accounts`	`createIpAccessList`	An IP access list is added to the workspace.	`ipAccessListId` `userId`
`accounts`	`deactivateUser`	A user is deactivated in the workspace. See Deactivate users in workspace.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`delete`	A user is deleted from the Azure Databricks workspace.	`targetUserId` `targetUserName` `endpoint`
`accounts`	`deleteIpAccessList`	An IP access list is deleted from the workspace.	`ipAccessListId` `userId`
`accounts`	`garbageCollectDbToken`	A user runs a garbage collect command on expired tokens.	`tokenExpirationTime` `tokenClientId` `userId` `tokenCreationTime` `tokenFirstAccessed` `tokenHash`
`accounts`	`generateDbToken`	When someone generates a token from User Settings or when the service generates the token.	`tokenExpirationTime` `tokenCreatedBy` `tokenHash` `userId`
`accounts`	`IpAccessDenied`	A user attempts to connect to the service through a denied IP.	`path` `user` `userId`
`accounts`	`ipAccessListQuotaExceeded`		`userId`
`accounts`	`jwtLogin`	User logs into Databricks using a JWT.	`user` `authenticationMethod`
`accounts`	`login`	User logs into the workspace.	`user` `authenticationMethod`
`accounts`	`logout`	User logs out of the workspace.	`user`
`accounts`	`oidcTokenAuthorization`	When an API call is authorized through a generic OIDC/OAuth token.	`user` `authenticationMethod`
`accounts`	`passwordVerifyAuthentication`		`user`
`accounts`	`reachMaxQuotaDbToken`	When the current number of non-expired tokens exceeds the token quota.
`accounts`	`removeAdmin`	A user is revoked of workspace admin permissions.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`removeGroup`	A group is removed from the workspace.	`targetGroupId` `targetGroupName` `endpoint`
`accounts`	`removePrincipalFromGroup`	A user is removed from a group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`accounts`	`revokeDbToken`	A user's token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account.	`userId` `tokenHash`
`accounts`	`setAdmin`	A user is granted account admin permissions.	`endpoint` `targetUserName` `targetUserId`
`accounts`	`tokenLogin`	A user logs into Databricks using a token.	`tokenId` `user` `authenticationMethod`
`accounts`	`updateIpAccessList`	An IP access list is changed.	`ipAccessListId` `userId`
`accounts`	`updateUser`	A change is made to a user's account.	`endpoint` `targetUserName` `targetUserId` `targetUserExternalId`
`accounts`	`validateEmail`	When a user validates their email after account creation.	`endpoint` `targetUserName` `targetUserId`
`accounts`	`workspaceLoginCodeAuthentication`	A user's workspace-scoped login code is authenticated.	`user` `authenticationMethod`

AI/BI dashboard events

The following are dashboards events logged at the workspace level.

Service	Action	Description	Request parameters
`dashboards`	`getDashboard`	A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard.	`dashboard_id`
`dashboards`	`getPublishedDashboard`	A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email.	`dashboard_id` `credentials_embedded`
`dashboards`	`executeQuery`	A user executes a query from a dashboard.	`dashboard_id` `statement_id`
`dashboards`	`cancelQuery`	A user cancels a query from a dashboard.	`dashboard_id` `statement_id`
`dashboards`	`getQueryResult`	A user receives the results of a query from a dashboard.	`dashboard_id` `statement_id`
`dashboards`	`triggerDashboardSnapshot`	A user downloads a PDF snapshot of a dashboard.	`dashboard_id`
`dashboards`	`sendDashboardSnapshot`	A PDF snapshot of a dashboard is sent through a scheduled email. The request parameters values depend on the type of recipient. For a Databricks notification destination, only the `destination_id` is shown. For a Databricks user, the subscriber's user ID and email address are shown. If the recipient is an email address, only the email address is shown.	`dashboard_id` `subscriber_destination_id` `subscriber_user_details: {` `user_id`, `email_address }`
`dashboards`	`getDashboardDetails`	A user accesses details of a draft dashboard, such as datasets and widgets. `getDashboardDetails` is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API.	`dashboard_id`
`dashboards`	`createDashboard`	A user creates a new AI/BI dashboard using the UI or API.	`dashboard_id`
`dashboards`	`updateDashboard`	A user makes an update to an AI/BI dashboard using the UI or API.	`dashboard_id`
`dashboards`	`cloneDashboard`	A user clones an AI/BI dashboard.	`source_dashboard_id` `new_dashboard_id`
`dashboards`	`publishDashboard`	A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API.	`dashboard_id` `credentials_embedded` `warehouse_id`
`dashboards`	`unpublishDashboard`	A user unpublishes a published AI/BI dashboard using the UI or API.	`dashboard_id`
`dashboards`	`trashDashboard`	A user moves a dashboard to the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events	`dashboard_id`
`dashboards`	`restoreDashboard`	A user restores an AI/BI dashboard from the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events	`dashboard_id`
`dashboards`	`migrateDashboard`	A user migrates a DBSQL dashboard to an AI/BI dashboard.	`source_dashboard_id` `new_dashboard_id`
`dashboards`	`createSchedule`	A user creates an email subscription schedule.	`dashboard_id` `schedule_id`
`dashboards`	`updateSchedule`	A user makes an update to an AI/BI dashboard's schedule.	`dashboard_id` `schedule_id`
`dashboards`	`deleteSchedule`	A user deletes an AI/BI dashboard's schedule.	`dashboard_id` `schedule_id`
`dashboards`	`createSubscription`	A user subscribes an email destination to an AI/BI dashboard schedule.	`dashboard_id` `schedule_id` `schedule`
`dashboards`	`deleteSubscription`	A user deletes an email destination from an AI/BI dashboard schedule.	`dashboard_id` `schedule_id`

AI/BI Genie events

The following are aibiGenie events logged at the workspace level.

Service	Action	Description	Request parameters
`aibiGenie`	`createSpace`	A user creates a new Genie space. The `space_id` of the new space is logged in the `response` column.
`aibiGenie`	`getSpace`	A user accesses the Genie space.	`space_id`
`aibiGenie`	`listSpaces`	A user lists all available Genie spaces.
`aibiGenie`	`updateSpace`	A user updates the settings of a Genie space. Possible settings include the title, description, warehouse, tables, and sample questions.	`space_id` `display_name` `description` `warehouse_id` `table_identifiers`
`aibiGenie`	`trashSpace`	A Genie space is moved to trash.	`space_id`
`aibiGenie`	`cloneSpace`	A user clones a Genie space.	`space_id`
`aibiGenie`	`genieGetSpace`	A user accesses details about a Genie space using the API.	`space_id`
`aibiGenie`	`createConversation`	A user creates a new conversation thread in the Genie space.	`space_id`
`aibiGenie`	`listConversations`	A user opens the list of conversations in the Genie space.	`space_id`
`aibiGenie`	`genieStartConversationMessage`	A user starts a conversation thread with a message using the API.	`space_id` `conversation_id`
`aibiGenie`	`getConversation`	A user opens a conversation thread in the Genie space.	`conversation_id` `space_id`
`aibiGenie`	`updateConversation`	A user updates a conversation thread's title.	`conversation_id` `space_id`
`aibiGenie`	`deleteConversation`	A user deletes a conversation thread in the Genie space.	`conversation_id` `space_id`
`aibiGenie`	`createConversationMessage`	A user submits a new message to the Genie space.	`conversation_id` `space_id`
`aibiGenie`	`genieCreateConversationMessage`	A user creates a new message in a conversation using the API.	`conversation_id` `space_id` `message_id`
`aibiGenie`	`getConversationMessage`	A user accesses a message in the Genie space.	`conversation_id` `space_id` `message_id`
`aibiGenie`	`genieGetConversationMessage`	A user retrieves a specific message in a conversation using the API.	`conversation_id` `space_id` `message_id`
`aibiGenie`	`deleteConversationMessage`	A user deletes an existing message.	`conversation_id` `space_id` `message_id`
`aibiGenie`	`genieGetMessageQueryResult`	Genie retrieves the query results associated with a conversation message using the API.	`conversation_id` `space_id`, `message_id`
`aibiGenie`	`genieGetMessageAttachmentQueryResult`	A user retrieves the query results for message attachments using the API.	`conversation_id` `space_id` `attachment_id`
`aibiGenie`	`executeFullQueryResult`	A user retrieves the full query results using the API (up to ~1GB in size).	`space_id` `conversation_id` `message_id`
`aibiGenie`	`genieExecuteMessageQuery`	Genie executes generated SQL to return query results, including refresh data actions using the API.	`conversation_id` `space_id` `message_id`
`aibiGenie`	`genieExecuteMessageAttachmentQuery`	Genie executes a query for message attachment results using the API.	`conversation_id` `space_id` `message_id` `attachment_id`
`aibiGenie`	`getMessageQueryResult`	Genie retrieves the query results associated with a conversation message.	`conversation_id` `space_id`, `message_id`
`aibiGenie`	`createInstruction`	A user creates an instruction for a Genie space.	`space_id` `instruction_type`
`aibiGenie`	`listInstructions`	A user navigates to the Instructions tab or the Data tab.	`space_id`
`aibiGenie`	`updateInstruction`	A user updates an instruction for a Genie space.	`space_id` `instruction_id`
`aibiGenie`	`deleteInstruction`	A user deletes an instruction for a Genie space.	`space_id` `instruction_id`
`aibiGenie`	`updateSampleQuestions`	A user updates the default sample questions for the space.	`space_id`
`aibiGenie`	`createCuratedQuestion`	A user creates a sample question or benchmark question.	`space_id`
`aibiGenie`	`deleteCuratedQuestion`	A user deletes a sample question or benchmark question.	`space_id` `curated_question_id`
`aibiGenie`	`listCuratedQuestions`	A user accesses the list of sample questions or benchmark questions in a space. This is logged whenever users open a new chat, view benchmarks, or add sample questions.	`space_id`
`aibiGenie`	`updateCuratedQuestion`	A user updates a sample question or benchmark question.	`space_id` `curated_question_id`
`aibiGenie`	`createEvaluationResult`	Genie creates an evaluation result for a specific question in an evaluation run.	`space_id` `eval_id`
`aibiGenie`	`getEvaluationResult`	A user accesses the results for a specific question in an evaluation run.	`space_id` `eval_id`
`aibiGenie`	`getEvaluationResultDetails`	A user accesses the query results for a specific question in an evaluation run.	`space_id` `eval_id`
`aibiGenie`	`updateEvaluationResult`	A user updates their evaluation result for a specific question.	`space_id` `eval_id`
`aibiGenie`	`createEvaluationRun`	A user creates a new evaluation run.	`space_id`
`aibiGenie`	`listEvaluationResults`	A user accesses the list of results for an evaluation run.	`space_id` `run_id`
`aibiGenie`	`listEvaluationRuns`	A user accesses the list of all evaluation runs.	`space_id`
`aibiGenie`	`createConversationMessageComment`	A user adds a feedback comment to a conversation message.	`conversation_id` `space_id` `message_id`
`aibiGenie`	`listConversationMessageComments`	A user accesses a list of the feedback comments from a space.	`space_id` `conversation_ids` `message_ids` `user_ids` `comment_types`
`aibiGenie`	`deleteConversationMessageComment`	A user deletes a feedback comment added to a conversation message.	`conversation_id` `space_id` `message_id` `message_comment_id`

Alerts events

Important

This feature is in Beta.

The following alerts events are logged at the workspace level.

Note

This service does not record legacy alert events. Legacy alert events are logged under the databrickssql service.

Service	Action	Description	Request parameters
`alerts`	`apiCreateAlert`	A user creates an alert using the Alerts V2 API.	`alert.id`
`alerts`	`apiGetAlert`	A user gets an alert using the Alerts V2 API.	`alert_id`
`alerts`	`apiTrashAlert`	A user deletes an alert using the Alerts V2 API.	`alert_id`
`alerts`	`apiUpdateAlert`	A user updates an alert using the Alerts V2 API.	`alert.id`
`alerts`	`cloneAlert`	A user clones an existing alert.	`alert_id`
`alerts`	`createAlert`	A user creates a new alert.	`alert_id`
`alerts`	`getAlert`	A user gets information about an alert using the UI.	`alert_id`
`alerts`	`previewAlertEvaluate`	The Test condition feature returns the results of the alert test.	`execution_session_id`
`alerts`	`previewAlertExecute`	A user uses the Test condition feature to preview and test their alert.	`warehouse_id`
`alerts`	`runNowAlert`	A user clicks the Run now button to run the alert query immediately.	`alert_id`
`alerts`	`updateAlert`	A user updates the details of an alert.	`alert.id`

Clusters events

The following are cluster events logged at the workspace level.

Service	Action	Description	Request parameters
`clusters`	`changeClusterAcl`	A user changes the cluster ACL.	`shardName` `aclPermissionSet` `targetUserId` `resourceId`
`clusters`	`create`	A user creates a cluster.	`cluster_log_conf` `num_workers` `enable_elastic_disk` `driver_node_type_id` `start_cluster` `docker_image` `ssh_public_keys` `aws_attributes` `acl_path_prefix` `node_type_id` `instance_pool_id` `spark_env_vars` `init_scripts` `spark_version` `cluster_source` `autotermination_minutes` `cluster_name` `autoscale` `custom_tags` `cluster_creator` `enable_local_disk_encryption` `idempotency_token` `spark_conf` `organization_id` `no_driver_daemon` `user_id` `virtual_cluster_size` `apply_policy_default_values` `data_security_mode`
`clusters`	`createResult`	Results from cluster creation. In conjunction with `create`.	`clusterName` `clusterState` `clusterId` `clusterWorkers` `clusterOwnerUserId`
`clusters`	`delete`	A cluster is terminated.	`cluster_id`
`clusters`	`deleteResult`	Results from cluster termination. In conjunction with `delete`.	`clusterName` `clusterState` `clusterId` `clusterWorkers` `clusterOwnerUserId`
`clusters`	`edit`	A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior.	`cluster_log_conf` `num_workers` `enable_elastic_disk` `driver_node_type_id` `start_cluster` `docker_image` `ssh_public_keys` `aws_attributes` `acl_path_prefix` `node_type_id` `instance_pool_id` `spark_env_vars` `init_scripts` `spark_version` `cluster_source` `autotermination_minutes` `cluster_name` `autoscale` `custom_tags` `cluster_creator` `enable_local_disk_encryption` `idempotency_token` `spark_conf` `organization_id` `no_driver_daemon` `user_id` `virtual_cluster_size` `apply_policy_default_values` `data_security_mode`
`clusters`	`permanentDelete`	A cluster is deleted from the UI.	`cluster_id`
`clusters`	`resize`	Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.	`cluster_id` `num_workers` `autoscale`
`clusters`	`resizeResult`	Results from cluster resize. In conjunction with `resize`.	`clusterName` `clusterState` `clusterId` `clusterWorkers` `clusterOwnerUserId`
`clusters`	`restart`	A user restarts a running cluster.	`cluster_id`
`clusters`	`restartResult`	Results from cluster restart. In conjunction with `restart`.	`clusterName` `clusterState` `clusterId` `clusterWorkers` `clusterOwnerUserId`
`clusters`	`start`	A user starts a cluster.	`init_scripts_safe_mode` `cluster_id`
`clusters`	`startResult`	Results from cluster start. In conjunction with `start`.	`clusterName` `clusterState` `clusterId` `clusterWorkers` `clusterOwnerUserId`

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service	Action	Description	Request parameters
`clusterLibraries`	`installLibraries`	User installs a library on a cluster.	`cluster_id` `libraries` `are_installed_via_policy` `replace`
`clusterLibraries`	`uninstallLibraries`	User uninstalls a library on a cluster.	`cluster_id` `libraries`
`clusterLibraries`	`installLibraryOnAllClusters`	A workspace admin schedules a library to install on all cluster.	`user` `library`
`clusterLibraries`	`uninstallLibraryOnAllClusters`	A workspace admin removes a library from the list to install on all clusters.	`user` `library`

Cluster policy events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following are clusterPolicies events logged at the workspace level.

Service	Action	Description	Request parameters
`clusterPolicies`	`create`	A user created a cluster policy.	`name` `policy_family_id` `policy_family_version`
`clusterPolicies`	`edit`	A user edited a cluster policy.	`policy_id` `name` `libraries` `max_clusters_per_user` `policy_family_id` `policy_family_version`
`clusterPolicies`	`delete`	A user deleted a cluster policy.	`policy_id`
`clusterPolicies`	`changeClusterPolicyAcl`	A workspace admin changes permissions for a cluster policy.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`

Database events

The following are database events logged at the workspace level.

These events are related to Lakebase. See What is Lakebase?.

Service	Action	Description	Request parameters
`database`	`createDatabaseInstance`	A user creates a new database instance.	`name` `capacity`
`database`	`getDatabaseInstance`	A user queries for a database instance.	`name`
`database`	`listDatabaseInstance`	A user queries for all database instances.	none
`database`	`updateDatabaseInstance`	A user updates properties on an existing instance. For example, its capacity or whether it is paused.	`capacity` `stopped`
`database`	`deleteDatabaseInstance`	A user hard deletes an instance.	`name` `force` `purge`
`database`	`changeDatabaseInstanceAcl`	A user modifies permissions on a database instance.	none
`database`	`createDatabaseCatalog`	A user creates and registers a catalog in Unity Catalog for an existing database.	`name` `database_name` `database_instance_name`
`database`	`deleteDatabaseCatalog`	A user unregisters a registered catalog from Unity Catalog.	`name`
`database`	`getDatabaseCatalog`	A user queries for a database catalog.	`name`
`database`	`createDatabaseTable`	A user creates a table inside a database on a database instance.	`name` `database_instance_name` `database_name`
`database`	`getDatabaseTable`	A user queries for a database table.	`name`
`database`	`deleteDatabaseTable`	A user deletes a database table from Unity Catalog.	`name`
`database`	`createSyncedDatabaseTable`	A user creates a synced table inside a database on a database instance.	`name` `spec` `scheduling_policy` `source_table_full_name` `primary_key_columns`
`database`	`getSyncedDatabaseTable`	A user queries for a synced table.	`name`
`database`	`deleteSyncedDatabaseTable`	A user deletes a synced table from Unity Catalog.	`name`

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service	Action	Description	Request parameters
`databrickssql`	`cancelQueryExecution`	A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.	`queryExecutionId`: Only emitted when the legacy SQL editor is used. `query_id`: Only emitted when the new SQL editor is used.
`databrickssql`	`changeEndpointAcls`	A warehouse manager updates permissions on a SQL warehouse.	`aclPermissionSet` `resourceId` `shardName` `targetUserId`
`databrickssql`	`cloneFolderNode`	A user clones a folder in the workspace browser.	`dashboardId`
`databrickssql`	`commandFinish`	Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.	`warehouseId` `commandId`
`databrickssql`	`commandSubmit`	Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.	`warehouseId` `commandId` `validation` `commandText` `commandParameters`
`databrickssql`	`createAlert`	A user creates a legacy alert.	`alertId` `queryId`
`databrickssql`	`createQuery`	A user creates a new query.	`queryId`
`databrickssql`	`getQuery`	A user opens a query in SQL editor page or calls the Databricks SQL Get a query API. Only emitted when the legacy SQL editor or Databricks SQL REST API is used.	`queryId`
`databrickssql`	`createQueryDraft`	A user creates a query draft. Only emitted when the legacy SQL editor is used.	`queryId`
`databrickssql`	`createQuerySnippet`	A user creates a query snippet.	`querySnippetId`
`databrickssql`	`createVisualization`	A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. Only emitted when the legacy SQL editor is used.	`queryId` `visualizationId`
`databrickssql`	`createWarehouse`	A user with the cluster create entitlement creates a SQL warehouse.	`auto_resume` `auto_stop_mins` `channel` `warehouse_type` `cluster_size` `conf_pairs` `custom_cluster_confs` `enable_databricks_compute` `enable_photon` `enable_serverless_compute` `instance_profile_arn` `max_num_clusters` `min_num_clusters` `name` `size` `spot_instance_policy` `tags` `test_overrides`
`databrickssql`	`deleteAlert`	A user deletes a legacy alert through the API. Excludes deletions from the file browser UI or from the legacy alert interface.	`alertId`
`databrickssql`	`deleteNotificationDestination`	A workspace admin deletes a notification destination.	`notificationDestinationId`
`databrickssql`	`deleteDashboard`	A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI.	`dashboardId`
`databrickssql`	`deleteDashboardWidget`	A user deletes a dashboard widget.	`widgetId`
`databrickssql`	`deleteWarehouse`	A warehouse manager deletes a SQL warehouse.	`id`
`databrickssql`	`deleteQuery`	A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.	`queryId`
`databrickssql`	`deleteQueryDraft`	A user deletes a query draft. Only emitted when the legacy SQL editor is used.	`queryId`
`databrickssql`	`deleteQuerySnippet`	A user deletes a query snippet.	`querySnippetId`
`databrickssql`	`deleteVisualization`	A user deletes a visualization from a query in the SQL Editor. Only emitted when the legacy SQL editor is used.	`visualizationId`
`databrickssql`	`downloadQueryResult`	A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.	`fileType` `queryId` `queryResultId`: Only emitted when the legacy SQL editor is used. `credentialsEmbedded` `credentialsEmbeddedId`
`databrickssql`	`editWarehouse`	A warehouse manager makes edits to a SQL warehouse.	`auto_stop_mins` `channel` `warehouse_type` `cluster_size` `confs` `enable_photon` `enable_serverless_compute` `id` `instance_profile_arn` `max_num_clusters` `min_num_clusters` `name` `spot_instance_policy` `tags`
`databrickssql`	`executeAdhocQuery`	Generated by one of the following: A user runs a query draft in the SQL editor A query is executed from a visualization aggregation A user loads a dashboard and executes underlying queries	`dataSourceId`: Only emitted when the legacy SQL editor is used. Equivalent to the SQL warehouse ID. `warehouse_id`: Only emitted when the new SQL editor is used. `query_id`: Only emitted when the new SQL editor is used. Corresponds to the current query text in the new SQL editor, which may be equivalent to the original saved query.
`databrickssql`	`executeSavedQuery`	A user runs a saved query. Only emitted when the legacy SQL editor is used.	`queryId`
`databrickssql`	`executeWidgetQuery`	Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include: Refreshing a single panel Refreshing an entire dashboard Scheduled dashboard executions Parameter or filter changes operating over more than 64,000 rows	`widgetId`
`databrickssql`	`favoriteDashboard`	A user favorites a dashboard.	`dashboardId`
`databrickssql`	`favoriteQuery`	A user favorites a query.	`queryId`
`databrickssql`	`forkQuery`	A user clones a query.	`originalQueryId` `queryId`
`databrickssql`	`getAlert`	A user opens a legacy alert's details page or calls the legacy get alert API.	`id`: ID of the alert
`databrickssql`	`getHistoryQueriesByLookupKeys`	A user gets details for one or more query executions using lookup keys.	`lookup_keys` `include_metrics`
`databrickssql`	`getHistoryQuery`	A user gets details for a query execution using the UI.	`id` `queryId` `include_metrics` `include_plans` `include_json_plans`
`databrickssql`	`listHistoryQueries`	A user opens the query history page or calls the Query History List Queries API.	`filter_by` `include_metrics` `max_results` `page_token` `order_by`
`databrickssql`	`moveAlertToTrash`	A user moves an legacy alert to the trash using the API. Excludes deletions from the file browser UI or from the legacy alert interface.	`alertId`
`databrickssql`	`moveDashboardToTrash`	A user moves a dashboard to the trash.	`dashboardId`
`databrickssql`	`moveQueryToTrash`	A user moves a query to the trash.	`queryId` `treestoreId`: Only emitted when the new SQL editor is used and a valid `queryId` cannot be returned.
`databrickssql`	`restoreAlert`	A user restores a legacy alert from the trash.	`alertId`
`databrickssql`	`restoreDashboard`	A user restores a dashboard from the trash.	`dashboardId`
`databrickssql`	`restoreQuery`	A user restores a query from the trash.	`queryId`
`databrickssql`	`setWarehouseConfig`	A workspace admin updates their workspace's SQL warehouse settings, including configuration parameters and data access properties.	`data_access_config` `enable_serverless_compute` `instance_profile_arn` `security_policy` `serverless_agreement` `sql_configuration_parameters`
`databrickssql`	`snapshotDashboard`	A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots.	`dashboardId`
`databrickssql`	`startWarehouse`	A SQL warehouse is started.	`id`
`databrickssql`	`stopWarehouse`	A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.	`id`
`databrickssql`	`transferObjectOwnership`	A workspace admin transfers the ownership of a dashboard, query, or legacy alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.	`newOwner` `objectId` `objectType`
`databrickssql`	`unfavoriteDashboard`	A user removes a dashboard from their favorites.	`dashboardId`
`databrickssql`	`unfavoriteQuery`	A user removes a query from their favorites.	`queryId`
`databrickssql`	`updateAlert`	A user makes updates to a legacy alert. `ownerUserName` is populated if the legacy alert ownership is transferred using the API.	`alertId` `queryId` `ownerUserName`
`databrickssql`	`updateNotificationDestination`	A workspace admin makes an update to a notification destination.	`notificationDestinationId`
`databrickssql`	`updateDashboardWidget`	A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include: Change to widget size or placement Adding or removing widget parameters	`widgetId`
`databrickssql`	`updateDashboard`	A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include: Change in dashboard name Change to the SQL warehouse Change to Run As settings	`dashboardId`
`databrickssql`	`updateFolderNode`	A user updates a folder node in the workspace browser.	`name`
`databrickssql`	`updateOrganizationSetting`	A workspace admin makes updates to the workspace's SQL settings.	`has_configured_data_access` `has_explored_sql_warehouses` `has_granted_permissions` `hide_plotly_mode_bar` `send_email_on_failed_dashboards` `allow_downloads`
`databrickssql`	`updateQuery`	A user makes an update to a query. `ownerUserName` is populated if the query ownership is transferred using the API.	`queryId` `ownerUserName`
`databrickssql`	`updateQueryDraft`	A user makes an update to a query draft. Only emitted when the legacy SQL editor is used.	`queryId`
`databrickssql`	`updateQuerySnippet`	A user makes an update to a query snippet.	`querySnippetId`
`databrickssql`	`updateVisualization`	A user updates a visualization from either the SQL Editor or the dashboard. Only emitted when the legacy SQL editor is used.	`visualizationId`
`databrickssql`	`viewAdhocVisualizationQuery`	A user views the query behind a visualization.	none

Data monitoring events

The following dataMonitoring events are logged at the workspace level.

Service	Action	Description	Request parameters
`dataMonitoring`	`CreateMonitor`	User creates a monitor.	`data_classification_config` `full_table_name_arg` `assets_dir` `schedule` `output_schema_name` `notifications` `inference_log`
`dataMonitoring`	`UpdateMonitor`	User makes an update to a monitor.	`data_classification_config` `table_name` `full_table_name_arg` `drift_metrics_table_name` `dashboard_id` `custom_metrics` `assets_dir` `monitor_version` `profile_metrics_table_name` `baseline_table_name` `status` `output_schema_name` `inference_log` `slicing_exprs`
`dataMonitoring`	`DeleteMonitor`	User deletes a monitor.	`full_table_name_arg`
`dataMonitoring`	`RunRefresh`	Monitor is refreshed, either by schedule or manually.	`full_table_name_arg`

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service	Action	Description	Request parameters
`dbfs`	`addBlock`	User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.	`handle` `data_length`
`dbfs`	`create`	User opens a stream to write a file to DBFs.	`path` `bufferSize` `overwrite`
`dbfs`	`delete`	User deletes the file or directory from DBFs.	`recursive` `path`
`dbfs`	`mkdirs`	User creates a new DBFS directory.	`path`
`dbfs`	`move`	User moves a file from one location to another location within DBFs.	`dst` `source_path` `src` `destination_path`
`dbfs`	`put`	User uploads a file through the use of multipart form post to DBFs.	`path` `overwrite`

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service	Action	Description	Request parameters
`dbfs`	`mount`	User creates a mount point at a certain DBFS location.	`mountPoint` `owner`
`dbfs`	`unmount`	User removes a mount point at a certain DBFS location.	`mountPoint`

Delta pipelines events

Service	Action	Description	Request parameters
`deltaPipelines`	`changePipelineAcls`	A user changes permissions on a pipeline.	`shardId` `targetUserId` `resourceId` `aclPermissionSet`
`deltaPipelines`	`create`	A user creates a declarative pipeline.	`allow_duplicate_names` `clusters` `configuration` `continuous` `development` `dry_run` `id` `libraries` `name` `storage` `target` `channel` `edition` `photon`
`deltaPipelines`	`delete`	A user deletes a declarative pipeline.	`pipeline_id`
`deltaPipelines`	`edit`	A user edits a declarative pipeline.	`allow_duplicate_names` `clusters` `configuration` `continuous` `development` `expected_last_modified` `id` `libraries` `name` `pipeline_id` `storage` `target` `channel` `edition` `photon`
`deltaPipelines`	`startUpdate`	A user restarts a declarative pipeline.	`cause` `full_refresh` `job_task` `pipeline_id`
`deltaPipelines`	`stop`	A user stops a declarative pipeline.	`pipeline_id`

Feature store events

The following featureStore events are logged at the workspace level.

Service	Action	Description	Request parameters
`featureStore`	`addConsumer`	A consumer is added to the feature store.	`features` `job_run` `notebook`
`featureStore`	`addDataSources`	A data source is added to a feature table.	`feature_table` `paths, tables`
`featureStore`	`addProducer`	A producer is added to a feature table.	`feature_table` `job_run` `notebook`
`featureStore`	`changeFeatureTableAcl`	Permissions are changed in a feature table.	`aclPermissionSet` `resourceId` `shardName` `targetUserId`
`featureStore`	`createFeatureTable`	A feature table is created.	`description` `name` `partition_keys` `primary_keys` `timestamp_keys`
`featureStore`	`createFeatures`	Features are created in a feature table.	`feature_table` `features`
`featureStore`	`deleteFeatureTable`	A feature table is deleted.	`name`
`featureStore`	`deleteTags`	Tags are deleted from a feature table.	`feature_table_id` `keys`
`featureStore`	`getConsumers`	A user makes a call to get the consumers in a feature table.	`feature_table`
`featureStore`	`getFeatureTable`	A user makes a call to get feature tables.	`name`
`featureStore`	`getFeatureTablesById`	A user makes a call to get feature table IDs.	`ids`
`featureStore`	`getFeatures`	A user makes a call to get features.	`feature_table` `max_results`
`featureStore`	`getModelServingMetadata`	A user makes a call to get Model Serving metadata.	`feature_table_features`
`featureStore`	`getOnlineStore`	A user makes a call to get online store details.	`cloud` `feature_table` `online_table` `store_type`
`featureStore`	`getTags`	A user makes a call to get tags for a feature table.	`feature_table_id`
`featureStore`	`publishFeatureTable`	A feature table is published.	`cloud` `feature_table` `host` `online_table` `port` `read_secret_prefix` `store_type` `write_secret_prefix`
`featureStore`	`searchFeatureTables`	A user searches for feature tables.	`max_results` `page_token` `text`
`featureStore`	`setTags`	Tags are added to a feature table.	`feature_table_id` `tags`
`featureStore`	`updateFeatureTable`	A feature table is updated.	`description` `name`

Files events

The following filesystem events are logged at the workspace level.

Service	Action	Description	Request parameters
`filesystem`	`filesGet`	User downloads a file using the Files API or the volumes UI.	`path` `transferredSize`
`filesystem`	`filesPut`	User uploads a file using the Files API or the volumes UI.	`path` `receivedSize`
`filesystem`	`filesDelete`	User deletes a file using the Files API or the volumes UI.	`path`
`filesystem`	`filesHead`	User gets information about a file using the Files API or the volumes UI.	`path`

Genie events

The following genie events are logged at the workspace level.

Note

This service is unrelated to AI/BI Genie spaces. See AI/BI Genie events.

Service	Action	Description	Request parameters
`genie`	`databricksAccess`	A Databricks personnel is authorized to access a customer environment.	`duration` `approver` `reason` `authType` `user`

Git credential events

The following gitCredentials events are logged at the workspace level.

Service	Action	Description	Request parameters
`gitCredentials`	`getGitCredential`	A user gets a git credentials.	`id`
`gitCredentials`	`listGitCredentials`	A user lists all git credentials	none
`gitCredentials`	`deleteGitCredential`	A user deletes a git credential.	`id`
`gitCredentials`	`updateGitCredential`	A user updates a git credential.	`id` `git_provider` `git_username`
`gitCredentials`	`createGitCredential`	A user creates a git credential.	`git_provider` `git_username`

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service	Action	Description	Request parameters
`globalInitScripts`	`create`	A workspace admin creates a global initialization script.	`name` `position` `script-SHA256` `enabled`
`globalInitScripts`	`update`	A workspace admin updates a global initialization script.	`script_id` `name` `position` `script-SHA256` `enabled`
`globalInitScripts`	`delete`	A workspace admin deletes a global initialization script.	`script_id`

Groups events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following groups events are logged at the workspace level. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Account events and Account-level account events.

Service	Action	Description	Request parameters
`groups`	`addPrincipalToGroup`	An admin adds a user to a group.	`user_name` `parent_name`
`groups`	`createGroup`	An admin creates a group.	`group_name`
`groups`	`getGroupMembers`	An admin views group members.	`group_name`
`groups`	`getGroups`	An admin views a list of groups	none
`groups`	`getInheritedGroups`	An admin views inherited groups	none
`groups`	`removeGroup`	An admin removes a group.	`group_name`

IAM role events

The following iamRole event is logged at the workspace level.

Service	Action	Description	Request parameters
`iamRole`	`changeIamRoleAcl`	A workspace admin changes permissions for an IAM role.	`targetUserId` `shardName` `resourceId` `aclPermissionSet`

Ingestion events

The following ingestion event is logged at the workspace level.

Service	Action	Description	Request parameters
`ingestion`	`proxyFileUpload`	A user uploads a file to their Azure Databricks workspace.	`x-databricks-content-length-0` `x-databricks-total-files`

Instance pool events

The following instancePools events are logged at the workspace level.

Service	Action	Description	Request parameters
`instancePools`	`changeInstancePoolAcl`	A user changes an instance pool's permissions.	`shardName` `resourceId` `targetUserId` `aclPermissionSet`
`instancePools`	`create`	A user creates an instance pool.	`enable_elastic_disk` `preloaded_spark_versions` `idle_instance_autotermination_minutes` `instance_pool_name` `node_type_id` `custom_tags` `max_capacity` `min_idle_instances` `aws_attributes`
`instancePools`	`delete`	A user deletes an instance pool.	`instance_pool_id`
`instancePools`	`edit`	A user edits an instance pool.	`instance_pool_name` `idle_instance_autotermination_minutes` `min_idle_instances` `preloaded_spark_versions` `max_capacity` `enable_elastic_disk` `node_type_id` `instance_pool_id` `aws_attributes`

Job events

The following jobs events are logged at the workspace level.

Service	Action	Description	Request parameters
`jobs`	`cancel`	A job run is cancelled.	`run_id`
`jobs`	`cancelAllRuns`	A user cancels all runs on a job.	`job_id`
`jobs`	`changeJobAcl`	A user updates permissions on a job.	`shardName` `aclPermissionSet` `resourceId` `targetUserId`
`jobs`	`create`	A user creates a job.	`spark_jar_task` `email_notifications` `notebook_task` `spark_submit_task` `timeout_seconds` `libraries` `name` `spark_python_task` `job_type` `new_cluster` `existing_cluster_id` `max_retries` `schedule` `run_as`
`jobs`	`delete`	A user deletes a job.	`job_id`
`jobs`	`deleteRun`	A user deletes a job run.	`run_id`
`jobs`	`getRunOutput`	A user makes an API call to get a run output.	`run_id` `is_from_webapp`
`jobs`	`repairRun`	A user repairs a job run.	`run_id` `latest_repair_id` `rerun_tasks`
`jobs`	`reset`	A job is reset.	`job_id` `new_settings`
`jobs`	`resetJobAcl`	A user requests the change of a job's permissions.	`grants` `job_id`
`jobs`	`runCommand`	Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook.	`jobId` `runId` `notebookId` `executionTime` `status` `commandId` `commandText`
`jobs`	`runFailed`	A job run fails or is canceled.	`jobClusterType` `jobTriggerType` `jobId` `jobTaskType` `runId` `jobTerminalState` `idInJob` `orgId` `runCreatorUserName`
`jobs`	`runNow`	A user triggers an on-demand job run.	`notebook_params` `job_id` `jar_params` `workflow_context`
`jobs`	`runStart`	Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include: `dashboardId` (for a SQL dashboard task) `filePath` (for a SQL file task) `notebookPath` (for a notebook task) `mainClassName` (for a Spark JAR task) `pythonFile` (for a Spark JAR task) `projectDirectory` (for a dbt task) `commands` (for a dbt task) `packageName` (for a Python wheel task) `entryPoint` (for a Python wheel task) `pipelineId` (for a pipeline task) `queryIds` (for a SQL query task) `alertId` (for a SQL alert task)	`taskDependencies` `multitaskParentRunId` `orgId` `idInJob` `jobId` `jobTerminalState` `taskKey` `jobTriggerType` `jobTaskType` `runId` `runCreatorUserName`
`jobs`	`runSucceeded`	A job run is successful.	`idInJob` `jobId` `jobTriggerType` `orgId` `runId` `jobClusterType` `jobTaskType` `jobTerminalState` `runCreatorUserName`
`jobs`	`runTriggered`	A job schedule is triggered automatically according to its schedule or trigger.	`jobId` `jobTriggeredType` `runId`
`jobs`	`sendRunWebhook`	A webhook is sent either when the job begins, completes, or fails.	`orgId` `jobId` `jobWebhookId` `jobWebhookEvent` `runId`
`jobs`	`setTaskValue`	A user sets values for a task.	`run_id` `key`
`jobs`	`submitRun`	A user submits a one-time run via the API.	`shell_command_task` `run_name` `spark_python_task` `existing_cluster_id` `notebook_task` `timeout_seconds` `libraries` `new_cluster` `spark_jar_task`
`jobs`	`update`	A user edits a job's settings.	`job_id` `fields_to_remove` `new_settings` `is_from_dlt`

Lineage tracking events

The following lineageTracking events are logged at the workspace level.

Service	Action	Description	Request parameters
`lineageTracking`	`listColumnLineages`	A user accesses the list of the upstream or downstream columns of a column.	`table_name` `column_name` `lineage_direction`: The lineage direction (`UPSTREAM` or `DOWNSTREAM`).
`lineageTracking`	`listSecurableLineagesBySecurable`	A user accesses the list of the upstream or downstream securables of a securable.	`securable_full_name` `securable_type` `lineage_direction`: The lineage direction (`UPSTREAM` or `DOWNSTREAM`).
`lineageTracking`	`listEntityLineagesBySecurable`	A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable.	`securable_full_name` `securable_type` `lineage_direction`: The lineage direction (`UPSTREAM` or `DOWNSTREAM`). `entity_response_filter`: The entity type (notebook, job, dashboard, pipeline, query, serving endpoint, etc.).
`lineageTracking`	`getColumnLineages`	A user gets the column lineages for a table and its column.	`table_name` `column_name`
`lineageTracking`	`getTableEntityLineages`	A user gets the upstream and downstream lineages of a table.	`table_name` `include_entity_lineage`
`lineageTracking`	`getJobTableLineages`	A user gets the upstream and downstream table lineages of a job.	`job_id`
`lineageTracking`	`getFunctionLineages`	A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function.	`function_name`
`lineageTracking`	`getModelVersionLineages`	A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version.	`model_name` `version`
`lineageTracking`	`getEntityTableLineages`	A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.).	`entity_type` `entity_id`
`lineageTracking`	`getFrequentlyJoinedTables`	A user gets the frequently joined tables for a table.	`table_name`
`lineageTracking`	`getFrequentQueryByTable`	A user gets the frequent queries for a table.	`source_table_name`
`lineageTracking`	`getFrequentUserByTable`	A user gets the frequent users for a table.	`table_name`
`lineageTracking`	`getTablePopularityByDate`	A user gets the popularity (query count) for a table for the past month.	`table_name`
`lineageTracking`	`getPopularEntities`	A user gets the popular entities (notebooks, jobs, etc.) for a table.	`scope`: Specifies the scope for retrieving popular entities, either from the workspace or table name. `table_name`
`lineageTracking`	`getPopularTables`	A user gets the table popularity info for a list of tables.	`scope`: Specifies the scope for retrieving popular tables, either from the metastore or the table list. `table_name_list`

Marketplace consumer events

The following marketplaceConsumer events are logged at the workspace level.

Service	Action	Description	Request parameters
`marketplaceConsumer`	`getDataProduct`	A user gets access to a data product through the Databricks Marketplace.	`listing_id` `listing_name` `share_name` `catalog_name` `request_context`: Array of information about the account and metastore that got access to the data product
`marketplaceConsumer`	`requestDataProduct`	A user requests access to a data product that requires provider approval.	`listing_id` `listing_name` `catalog_name` `request_context`: Array of information about the account and metastore requesting access to the data product

Marketplace provider events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following marketplaceProvider events are logged at the workspace level.

Service	Action	Description	Request parameters
`marketplaceProvider`	`createListing`	A metastore admin creates a listing in their provider profile.	`listing`: Array of details about the listing `request_context`: Array of information about the provider's account and metastore
`marketplaceProvider`	`updateListing`	A metastore admin makes an update to a listing in their provider profile.	`id` `listing`: Array of details about the listing `request_context`: Array of information about the provider's account and metastore
`marketplaceProvider`	`deleteListing`	A metastore admin deletes a listing in their provider profile.	`id` `request_context`: Array of details about the provider's account and metastore
`marketplaceProvider`	`updateConsumerRequestStatus`	A metastore admins approves or denies a data product request.	`listing_id` `request_id` `status` `reason` `share`: Array of information about the share `request_context`: Array of information about the provider's account and metastore
`marketplaceProvider`	`createProviderProfile`	A metastore admin creates a provider profile.	`provider`: Array of information about the provider `request_context`: Array of information about the provider's account and metastore
`marketplaceProvider`	`updateProviderProfile`	A metastore admin makes an update to their provider profile.	`id` `provider`: Array of information about the provider `request_context`: Array of information about the provider's account and metastore
`marketplaceProvider`	`deleteProviderProfile`	A metastore admin deletes their provider profile.	`id` `request_context`: Array of information about the provider's account and metastore
`marketplaceProvider`	`uploadFile`	A provider uploads a file to their provider profile.	`request_context`: Array of information about the provider's account and metastore `marketplace_file_type` `display_name` `mime_type` `file_parent`: Array of file parent details
`marketplaceProvider`	`deleteFile`	A provider deletes a file from their provider profile.	`file_id` `request_context`: Array of information about the provider's account and metastore

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service	Action	Description	Request parameters
`mlflowAcledArtifact`	`readArtifact`	A user makes call to read an artifact.	`artifactLocation` `experimentId` `runId`
`mlflowAcledArtifact`	`writeArtifact`	A user makes call to write to an artifact.	`artifactLocation` `experimentId` `runId`

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service	Action	Description	Request parameters
`mlflowExperiment`	`createMlflowExperiment`	A user creates an MLflow experiment.	`experimentId` `path` `experimentName`
`mlflowExperiment`	`deleteMlflowExperiment`	A user deletes an MLflow experiment.	`experimentId` `path` `experimentName`
`mlflowExperiment`	`moveMlflowExperiment`	A user moves an MLflow experiment.	`newPath` `experimentId` `oldPath`
`mlflowExperiment`	`restoreMlflowExperiment`	A user restores an MLflow experiment.	`experimentId` `path` `experimentName`
`mlflowExperiment`	`renameMlflowExperiment`	A user renames an MLflow experiment.	`oldName` `newName` `experimentId` `parentPath`

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service	Action	Description	Request parameters
`modelRegistry`	`approveTransitionRequest`	A user approves a model version stage transition request.	`name` `version` `stage` `archive_existing_versions`
`modelRegistry`	`changeRegisteredModelAcl`	A user updates permissions for a registered model.	`registeredModelId` `userId`
`modelRegistry`	`createComment`	A user posts a comment on a model version.	`name` `version`
`modelRegistry`	`createModelVersion`	A user creates a model version.	`name` `source` `run_id` `tags` `run_link`
`modelRegistry`	`createRegisteredModel`	A user creates a new registered model	`name` `tags`
`modelRegistry`	`createRegistryWebhook`	User creates a webhook for Model Registry events.	`orgId` `registeredModelId` `events` `description` `status` `creatorId` `httpUrlSpec`
`modelRegistry`	`createTransitionRequest`	A user creates a model version stage transition request.	`name` `version` `stage`
`modelRegistry`	`deleteComment`	A user deletes a comment on a model version.	`id`
`modelRegistry`	`deleteModelVersion`	A user deletes a model version.	`name` `version`
`modelRegistry`	`deleteModelVersionTag`	A user deletes a model version tag.	`name` `version` `key`
`modelRegistry`	`deleteRegisteredModel`	A user deletes a registered model	`name`
`modelRegistry`	`deleteRegisteredModelTag`	A user deletes the tag for a registered model.	`name` `key`
`modelRegistry`	`deleteRegistryWebhook`	User deletes a Model Registry webhook.	`orgId` `webhookId`
`modelRegistry`	`deleteTransitionRequest`	A user cancels a model version stage transition request.	`name` `version` `stage` `creator`
`modelRegistry`	`finishCreateModelVersionAsync`	Completed asynchronous model copying.	`name` `version`
`modelRegistry`	`generateBatchInferenceNotebook`	Batch inference notebook is autogenerated.	`userId` `orgId` `modelName` `inputTableOpt` `outputTablePathOpt` `stageOrVersion` `modelVersionEntityOpt` `notebookPath`
`modelRegistry`	`generateDltInferenceNotebook`	Inference notebook for a declarative pipeline is autogenerated.	`userId` `orgId` `modelName` `inputTable` `outputTable` `stageOrVersion` `notebookPath`
`modelRegistry`	`getModelVersionDownloadUri`	A user gets a URI to download the model version.	`name` `version`
`modelRegistry`	`getModelVersionSignedDownloadUri`	A user gets a URI to download a signed model version.	`name` `version` `path`
`modelRegistry`	`listModelArtifacts`	A user makes a call to list a model's artifacts.	`name` `version` `path` `page_token`
`modelRegistry`	`listRegistryWebhooks`	A user makes a call to list all registry webhooks in the model.	`orgId` `registeredModelId`
`modelRegistry`	`rejectTransitionRequest`	A user rejects a model version stage transition request.	`name` `version` `stage`
`modelRegistry`	`renameRegisteredModel`	A user renames a registered model	`name` `new_name`
`modelRegistry`	`setEmailSubscriptionStatus`	A user updates the email subscription status for a registered model
`modelRegistry`	`setModelVersionTag`	A user sets a model version tag.	`name` `version` `key` `value`
`modelRegistry`	`setRegisteredModelTag`	A user sets a model version tag.	`name` `key` `value`
`modelRegistry`	`setUserLevelEmailSubscriptionStatus`	A user updates their email notifications status for the whole registry.	`orgId` `userId` `subscriptionStatus`
`modelRegistry`	`testRegistryWebhook`	A user tests the Model Registry webhook.	`orgId` `webhookId`
`modelRegistry`	`transitionModelVersionStage`	A user gets a list of all open stage transition requests for the model version.	`name` `version` `stage` `archive_existing_versions`
`modelRegistry`	`triggerRegistryWebhook`	A Model Registry webhook is triggered by an event.	`orgId` `registeredModelId` `events` `status`
`modelRegistry`	`updateComment`	A user post an edit to a comment on a model version.	`id`
`modelRegistry`	`updateRegistryWebhook`	A user updates a Model Registry webhook.	`orgId` `webhookId`

Model serving events

The following serverlessRealTimeInference events are logged at the workspace level.

Service	Action	Description	Request parameters
`serverlessRealTimeInference`	`changeInferenceEndpointAcl`	User updates permissions for an inference endpoint.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`serverlessRealTimeInference`	`createServingEndpoint`	User creates a model serving endpoint.	`name` `config`
`serverlessRealTimeInference`	`deleteServingEndpoint`	User deletes a model serving endpoint.	`name`
`serverlessRealTimeInference`	`disable`	User disables model serving for a registered model.	`registered_mode_name`
`serverlessRealTimeInference`	`enable`	User enables model serving for a registered model.	`registered_mode_name`
`serverlessRealTimeInference`	`getQuerySchemaPreview`	Users makes a call to get the query schema preview.	`endpoint_name`
`serverlessRealTimeInference`	`updateServingEndpoint`	User updates a model serving endpoint.	`name` `served_models` `traffic_config`
`serverlessRealTimeInference`	`updateInferenceEndpointRateLimits`	User updates the rate limits for an inference endpoint. Rate limits only apply to Foundation Model APIs pay-per-token and external model endpoints.	`name` `rate_limits`

Notebook events

The following notebook events are logged at the workspace level.

Service	Action	Description	Request parameters
`notebook`	`attachNotebook`	A notebook is attached to a cluster. Also emitted when the new SQL editor is attached to a SQL warehouse.	`path` `clusterId` `notebookId`
`notebook`	`cloneNotebook`	A user clones a notebook.	`notebookId` `path` `clonedNotebookId` `destinationPath`
`notebook`	`createNotebook`	A notebook is created.	`notebookId` `path`
`notebook`	`deleteFolder`	A notebook folder is deleted.	`path`
`notebook`	`deleteNotebook`	A notebook is deleted.	`notebookId` `notebookName` `path`
`notebook`	`detachNotebook`	A notebook is detached from a cluster. Also emitted when the new SQL editor is detached from a SQL warehouse.	`notebookId` `clusterId` `path`
`notebook`	`downloadLargeResults`	A user downloads query results too large to display in the notebook.	`notebookId` `notebookFullPath`
`notebook`	`downloadPreviewResults`	A user downloads the query results.	`notebookId` `notebookFullPath`
`notebook`	`importNotebook`	A user imports a notebook.	`path`
`notebook`	`moveFolder`	A notebook folder is moved from one location to another.	`oldPath` `newPath` `folderId`
`notebook`	`moveNotebook`	A notebook is moved from one location to another.	`newPath` `oldPath` `notebookId`
`notebook`	`renameNotebook`	A notebook is renamed.	`newName` `oldName` `parentPath` `notebookId`
`notebook`	`restoreFolder`	A deleted folder is restored.	`path`
`notebook`	`restoreNotebook`	A deleted notebook is restored.	`path` `notebookId` `notebookName`
`notebook`	`runCommand`	Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor. `executionTime` is measured in seconds.	`notebookId` `executionTime` `status` `commandId` `commandText` `commandLanguage`
`notebook`	`takeNotebookSnapshot`	Notebook snapshots are taken when either the job service or mlflow is run.	`path`

Partner Connect events

The following partnerHub events are logged at the workspace level.

Service	Action	Description	Request parameters
`partnerHub`	`createOrReusePartnerConnection`	A workspace admin sets up a connection to a partner solution.	`partner_name`
`partnerHub`	`deletePartnerConnection`	A workspace admin deletes a partner connection.	`partner_name`
`partnerHub`	`downloadPartnerConnectionFile`	A workspace admin downloads the partner connection file.	`partner_name`
`partnerHub`	`setupResourcesForPartnerConnection`	A workspace admin sets up resources for a partner connection.	`partner_name`

Predictive optimization events

The following predictiveOptimization events are logged at the workspace level.

Service	Action	Description	Request parameters
`predictiveOptimization`	`PutMetrics`	Recorded when predictive optimization updates table and workload metrics so the service can more intelligently schedule optimization operations.	`table_metrics_list` `start_time` `end_time`

Remote history service events

The following RemoteHistoryService events are logged at the workspace level.

Service	Action	Description	Request parameters
`RemoteHistoryService`	`addUserGitHubCredentials`	User adds Github Credentials	none
`RemoteHistoryService`	`deleteUserGitHubCredentials`	User removes Github Credentials	none
`RemoteHistoryService`	`updateUserGitHubCredentials`	User updates Github Credentials	none

Git folder events

The following repos events are logged at the workspace level.

Service	Action name	Description	Request parameters
`repos`	`checkoutBranch`	A user checks out a branch on the repo.	`id` `branch`
`repos`	`commitAndPush`	A user commits and pushes to a repo.	`id` `message` `files` `checkSensitiveToken`
`repos`	`createRepo`	A user creates a repo in the workspace	`url` `provider` `path`
`repos`	`deleteRepo`	A user deletes a repo.	`id`
`repos`	`discard`	A user discards a commit to a repo.	`id` `file_paths`
`repos`	`getRepo`	A user makes a call to get information about a single repo.	`id`
`repos`	`listRepos`	A user makes a call to get all repos they have Manage permissions on.	`path_prefix` `next_page_token`
`repos`	`pull`	A user pulls the latest commits from a repo.	`id`
`repos`	`updateRepo`	A user updates the repo to a different branch or tag, or to the latest commit on the same branch.	`id` `branch` `tag` `git_url` `git_provider`

Secrets events

The following secrets events are logged at the workspace level.

Service	Action name	Description	Request parameters
`secrets`	`createScope`	User creates a secret scope.	`scope` `initial_manage_principal` `scope_backend_type`
`secrets`	`deleteAcl`	User deletes ACLs for a secret scope.	`scope` `principal`
`secrets`	`deleteScope`	User deletes a secret scope.	`scope`
`secrets`	`deleteSecret`	User deletes a secret from a scope.	`key` `scope`
`secrets`	`getAcl`	User gets ACLs for a secret scope.	`scope` `principal`
`secrets`	`getSecret`	User gets a secret from a scope.	`key` `scope`
`secrets`	`listAcls`	User makes a call to list ACLs for a secret scope.	`scope`
`secrets`	`listScopes`	User makes a call to list secret scopes	none
`secrets`	`listSecrets`	User makes a call to list secrets within a scope.	`scope`
`secrets`	`putAcl`	User changes ACLs for a secret scope.	`scope` `principal` `permission`
`secrets`	`putSecret`	User adds or edits a secret within a scope.	`string_value` `key` `scope`

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service	Action name	Description	Request parameters
`sqlPermissions`	`changeSecurableOwner`	Workspace admin or owner of an object transfers object ownership.	`securable` `principal`
`sqlPermissions`	`createSecurable`	User creates a securable object.	`securable`
`sqlPermissions`	`denyPermission`	Object owner denies privileges on a securable object.	`permission`
`sqlPermissions`	`grantPermission`	Object owner grants permission on a securable object.	`permission`
`sqlPermissions`	`removeAllPermissions`	User drops a securable object.	`securable`
`sqlPermissions`	`renameSecurable`	User renames a securable object.	`before` `after`
`sqlPermissions`	`requestPermissions`	User requests permissions on a securable object.	`requests`
`sqlPermissions`	`revokePermission`	Object owner revokes permissions on their securable object.	`permission`
`sqlPermissions`	`showPermissions`	User views securable object permissions.	`securable` `principal`

SSH events

The following ssh events are logged at the workspace level.

Service	Action name	Description	Request parameters
`ssh`	`login`	Agent login of SSH into Spark driver.	`containerId` `userName` `port` `publicKey` `instanceId`
`ssh`	`logout`	Agent logout of SSH from Spark driver.	`userName` `containerId` `instanceId`

Uniform Iceberg REST API events

The following uniformIcebergRestCatalog events are logged at the workspace level. These events are logged when users interact with managed Apache Iceberg tables using an external Iceberg-compatible engine that supports the Iceberg REST Catalog API.

Service	Action	Description	Request parameters
`uniformIcebergRestCatalog`	`config`	User gets a catalog configuration.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`createNamespace`	User creates a namespace, with an optional set of properties.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`createTable`	User creates a new Iceberg table.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`deleteNamespace`	User deletes an existing namespace.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`deleteTable`	User deletes an existing table.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`getNamespace`	User gets properties of a namespace.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`listNamespaces`	User makes a call to list all namespaces at a specified level.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`listTables`	User lists all tables under a given namespace.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`loadTableCredentials`	User loads vended credentials for a table from the catalog.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`loadTable`	User loads a table from the catalog.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`loadView`	User loads a view from the catalog.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`namespaceExists`	User checks if a namespace exists.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`renameTable`	User renames an existing table	`http_method` `http_path`
`uniformIcebergRestCatalog`	`reportMetrics`	User sends a metrics report	`http_method` `http_path`
`uniformIcebergRestCatalog`	`tableExists`	User checks if a table exists within a given namespace.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`updateNamespaceProperties`	User updates properties for a namespace.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`updateTable`	User updates table metadata.	`http_method` `http_path`
`uniformIcebergRestCatalog`	`viewExists`	User checks if a view exists within a given namespace.	`http_method` `http_path`

Vector search events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following vectorSearch events are logged at the workspace level.

Service	Action	Description	Request parameters
`vectorSearch`	`createEndpoint`	User creates a vector search endpoint.	`name` `endpoint_type`
`vectorSearch`	`deleteEndpoint`	User deletes a vector search endpoint.	`name`
`vectorSearch`	`createVectorIndex`	User creates a vector search index.	`name` `endpoint_name` `primary_key` `index_type` `delta_sync_index_spec` `direct_access_index_spec`
`vectorSearch`	`deleteVectorIndex`	User deletes a vector search index.	`name` `endpoint_name` (optional) `delete_embedding_writeback_table`
`vectorSearch`	`changeEndpointAcl`	User changes access control list for an endpoint.	`name` `endpoint_name` `access_control_list`
`vectorSearch`	`queryVectorIndex`	User queries a vector search index.	`name` `endpoint_name` (optional)
`vectorSearch`	`queryVectorIndexNextPage`	User reads the paginated results of a vector search index query.	`name` `endpoint_name` (optional)
`vectorSearch`	`scanVectorIndex`	User scans all data in a vector search index.	`name` `endpoint_name` (optional)
`vectorSearch`	`upsertDataVectorIndex`	User upserts data in a Direct Access vector search index.	`name` `endpoint_name` (optional)
`vectorSearch`	`deleteDataVectorIndex`	User deletes data in a Direct Access vector search index.	`name` `endpoint_name` (optional)
`vectorSearch`	`queryVectorIndexRouteOptimized`	User queries a vector search index using a low-latency API route.	`name` `endpoint_name` (optional)
`vectorSearch`	`queryVectorIndexNextPageRouteOptimized`	User reads the paginated results of a vector search index query using a low-latency API route.	`name` `endpoint_name` (optional)
`vectorSearch`	`scanVectorIndexRouteOptimized`	User scans all data in a vector search index using a low-latency API route.	`name` `endpoint_name` (optional)
`vectorSearch`	`upsertDataVectorIndexRouteOptimized`	User upserts data in a Direct Access vector search index using a low-latency API route.	`name` `endpoint_name` (optional)
`vectorSearch`	`deleteDataVectorIndexRouteOptimized`	User deletes data in a Direct Access vector search index using a low-latency API route.	`name` `endpoint_name` (optional)

Webhook events

The following webhookNotifications events are logged at the workspace level.

Service	Action	Description	Request parameters
`webhookNotifications`	`createWebhook`	An admin creates a new notification destination.	`name` `options` `type`
`webhookNotifications`	`deleteWebhook`	An admin deletes a notification destination.	`id`
`webhookNotifications`	`getWebhook`	A user views information about a notification destination using the UI or API.	`id`
`webhookNotifications`	`notifyWebhook`	A webhook is triggered and sends a notification payload to the target URL.	`body` `id`
`webhookNotifications`	`testWebhook`	A test payload is sent to a webhook URL to verify the configuration and ensure it can receive notifications successfully.	`id`
`webhookNotifications`	`updateWebhook`	An admin updates a notification destination.	`name` `options` `type`

Web terminal events

The following webTerminal events are logged at the workspace level.

Service	Action name	Description	Request parameters
`webTerminal`	`startSession`	User starts a web terminal sessions.	`socketGUID` `clusterId` `serverPort` `ProxyTargetURI`
`webTerminal`	`closeSession`	User closes a web terminal session.	`socketGUID` `clusterId` `serverPort` `ProxyTargetURI`

Workspace events

The following workspace events are logged at the workspace level.

Service	Action name	Description	Request parameters
`workspace`	`changeWorkspaceAcl`	Permissions to the workspace are changed.	`shardName` `targetUserId` `aclPermissionSet` `resourceId`
`workspace`	`deleteSetting`	A setting is deleted from the workspace.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName`
`workspace`	`fileCreate`	User creates a file in the workspace.	`path`
`workspace`	`fileDelete`	User deletes a file in the workspace.	`path`
`workspace`	`fileEditorOpenEvent`	User opens the file editor.	`notebookId` `path`
`workspace`	`getRoleAssignment`	User gets a workspace's user roles.	`account_id` `workspace_id`
`workspace`	`mintOAuthAuthorizationCode`	Recorded when in-house OAuth authorization code is minted at the workspace level.	`client_id`
`workspace`	`mintOAuthToken`	OAuth token is minted for workspace.	`grant_type` `scope` `expires_in` `client_id`
`workspace`	`moveWorkspaceNode`	A workspace admin moves workspace node.	`destinationPath` `path`
`workspace`	`purgeWorkspaceNodes`	A workspace admin purges workspace nodes.	`treestoreId`
`workspace`	`reattachHomeFolder`	An existing home folder is re-attached for a user that is re-added to the workspace.	`path`
`workspace`	`renameWorkspaceNode`	A workspace admin renames workspace nodes.	`path` `destinationPath`
`workspace`	`unmarkHomeFolder`	Home folder special attributes are removed when a user is removed from the workspace.	`path`
`workspace`	`updateRoleAssignment`	A workspace admin updates a workspace user's role.	`account_id` `workspace_id` `principal_id`
`workspace`	`updatePermissionAssignment`	A workspace admin adds a principal to the workspace.	`principal_id` `permissions`
`workspace`	`setSetting`	A workspace admin configures a workspace setting.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName` `settingValueForAudit`
`workspace`	`workspaceConfEdit`	Workspace admin makes updates to a setting, for example enabling verbose audit logs.	`workspaceConfKeys` `workspaceConfValues`
`workspace`	`workspaceExport`	User exports a notebook from a workspace.	`workspaceExportDirectDownload` `workspaceExportFormat` `notebookFullPath`
`workspace`	`workspaceInHouseOAuthClientAuthentication`	OAuth client is authenticated in workspace service.	`user`

Databricks Apps events

The following Databricks Apps events are logged at the workspace level.

Service	Action name	Description	Request parameters
`apps`	`createApp`	A user creates a custom app using the Apps UI or API.	`app`
`apps`	`installTemplateApp`	A user installs a template app using the Apps UI or API.	`app`
`apps`	`updateApp`	A user updates an app using the Apps UI or API.	`app`
`apps`	`startApp`	A user starts the app compute using the Apps UI or API.	`name`
`apps`	`stopApp`	A user stops the app compute using the Apps UI or API.	`name`
`apps`	`deployApp`	A user deploys an app using the Apps UI or API.	`app_deployment`
`apps`	`deleteApp`	A user deletes an app using the Apps UI or API.	`name`
`apps`	`changeAppsAcl`	A user updates an app's access using the Apps UI or API.	`request_object_type` `request_object_id` `access_control_list`

Account access control events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accountsAccessControl events are logged at the account level and are related to the Account Access Control API (Public Preview).

Service	Action name	Description	Request parameters
`accountsAccessControl`	`updateRuleSet`	A user updates a rule set using the Account Access Control API.	`account_id` `name`: Name of the rule set `rule_set` `authz_identity`

Billable usage events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accountBillableUsage events are logged at the account level.

Service	Action	Description	Request parameters
`accountBillableUsage`	`getAggregatedUsage`	User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature.	`account_id` `window_size` `start_time` `end_time` `meter_name` `workspace_ids_filter`
`accountBillableUsage`	`getDetailedUsage`	User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature.	`account_id` `start_month` `end_month` `with_pii`

Account-level account events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accounts events are logged at the account level.

Service	Action	Description	Request parameters
`accounts`	`accountInHouseOAuthClientAuthentication`	An OAuth client is authenticated.	`endpoint` `user`: logged as an email address `authenticationMethod`
`accounts`	`accountIpAclsValidationFailed`	IP permissions validation fails. Returns statusCode 403.	`sourceIpAddress` `user`: logged as an email address
`accounts`	`activateUser`	A user is reactivated after being deactivated. See Deactivate users in account.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`add`	A user is added to the Azure Databricks account.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`addPrincipalsToGroup`	Users are added to an account-level group using SCIM provisioning.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`accounts`	`createGroup`	An account-level group is created.	`endpoint` `targetGroupId` `targetGroupName`
`accounts`	`deactivateUser`	A user is deactivated. See Deactivate users in account.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`delete`	A user is deleted from the Azure Databricks account.	`targetUserId` `targetUserName` `endpoint`
`accounts`	`deleteSetting`	Account admin removes a setting from the Azure Databricks account.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName` `settingValueForAudit`
`accounts`	`garbageCollectDbToken`	A user runs a garbage collect command on expired tokens.	`tokenExpirationTime` `tokenClientId` `userId` `tokenCreationTime` `tokenFirstAccessed` `tokenHash`
`accounts`	`generateDbToken`	User generates a token from User Settings or when the service generates the token.	`tokenExpirationTime` `tokenCreatedBy` `tokenHash` `userId`
`accounts`	`login`	A user logs into the account console.	`user` `authenticationMethod`
`accounts`	`logout`	A user logs out of the account console.	`user`
`accounts`	`oidcBrowserLogin`	A user logs into their account with the OpenID Connect browser workflow.	`user`
`accounts`	`oidcTokenAuthorization`	An OIDC token is authenticated for an account admin login.	`user` `authenticationMethod`
`accounts`	`removeAccountAdmin`	An account admin removes account admin permissions from another user.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`removeGroup`	A group is removed from the account.	`targetGroupId` `targetGroupName` `endpoint`
`accounts`	`removePrincipalFromGroup`	A user is removed from an account-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`accounts`	`removePrincipalsFromGroup`	Users are removed from an account-level group using SCIM provisioning.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `targetUserName`
`accounts`	`setAccountAdmin`	An account admin assigns the account admin role to another user.	`targetUserName` `endpoint` `targetUserId`
`accounts`	`setSetting`	An account admin updates an account-level setting.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName` `settingValueForAudit`
`accounts`	`tokenLogin`	A user logs into Databricks using a token.	`tokenId` `user` `authenticationMethod`
`accounts`	`updateUser`	An account admin updates a user account.	`targetUserName` `endpoint` `targetUserId` `targetUserExternalId`
`accounts`	`updateGroup`	An account admin updates an account-level group.	`endpoint` `targetGroupId` `targetGroupName`
`accounts`	`validateEmail`	When a user validates their email after account creation.	`endpoint` `targetUserName` `targetUserId`

Account management events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.

Service	Action	Description	Request parameters
`accountsManager`	`createNetworkConnectivityConfig`	Account admin created a network connectivity configuration.	`network_connectivity_config` `account_id`
`accountsManager`	`getNetworkConnectivityConfig`	Account admin requests details about a network connectivity configuration.	`account_id` `network_connectivity_config_id`
`accountsManager`	`listNetworkConnectivityConfigs`	Account admin lists all network connectivity configurations in the account.	`account_id`
`accountsManager`	`deleteNetworkConnectivityConfig`	Account admin deleted a network connectivity configuration.	`account_id` `network_connectivity_config_id`
`accountsManager`	`createNetworkConnectivityConfigPrivateEndpointRule`	Account admin created a private endpoint rule.	`account_id` `network_connectivity_config_id` `azure_private_endpoint_rule`
`accountsManager`	`getNetworkConnectivityConfigPrivateEndpointRule`	Account admin requests details about a private endpoint rule.	`account_id` `network_connectivity_config_id` `rule_id`
`accountsManager`	`listNetworkConnectivityConfigPrivateEndpointRules`	Account admin lists all private endpoint rules under a network connectivity config.	`account_id` `network_connectivity_config_id` `page_token`
`accountsManager`	`deleteNetworkConnectivityConfigPrivateEndpointRule`	Account admin deleted a private endpoint rule.	`account_id` `network_connectivity_config_id` `rule_id`
`accountsManager`	`updateNetworkConnectivityConfigPrivateEndpointRule`	Account admin updated a private endpoint rule.	`account_id` `network_connectivity_config_id` `rule_id` `azure_private_endpoint_rule`

Serverless budget policy events

The following budgetPolicyCentral events are logged at the account level and are related to serverless budget policies. See Attribute usage with serverless budget policies.

Service	Action	Description	Request parameters
`budgetPolicyCentral`	`createBudgetPolicy`	Workspace admin or billing admin creates a serverless budget policy. The new `policy_id` is logged in the `response` column.	`policy_name`
`budgetPolicyCentral`	`updateBudgetPolicy`	Workspace admin, billing admin, or policy manager updates a serverless budget policy.	`policy.policy_id` `policy.policy_name`
`budgetPolicyCentral`	`deleteBudgetPolicy`	Workspace admin, billing admin, or policy manager deletes a serverless budget policy.	`policy_id`

Clean Rooms events

The following clean-room events are logged at the account level.

Service	Action	Description	Request parameters
`clean-room`	`createCleanRoom`	A user in your Databricks account creates a new clean room using the UI or API.	`clean_room_name` `cloud_vendor` `collaborators` `metastore_id` `region` `workspace_id`
`clean-room`	`createCleanRoomAsset`	A user in your account creates a clean room asset.	`asset` `clean_room_name`
`clean-room`	`createCleanRoomAssetReview`	A user in your Databricks account creates a review for a clean room asset using the UI or API. Currently, only notebooks are reviewable.	`clean_room_name` `asset_full_name` `notebook_review` `asset_type`
`clean-room`	`createCleanRoomAutoApprovalRule`	A user in your Databricks account creates an auto-approval rule for a clean room using the UI or API. The response includes a rule_id that is referenced in the clean_room_events system table.	`clean_room_name` `auto_approval_rule`
`clean-room`	`createCleanRoomOutputCatalog`	A user in your Databricks account creates an output table in a clean room using the UI or API.	`clean_room_name` `output_catalog_name` `metastore_id` `workspace_id`
`clean-room`	`deleteCleanRoom`	A user in your Databricks account deletes a clean room using the UI or API.	`clean_room_name` `metastore_id` `workspace_id`
`clean-room`	`deleteCleanRoomAsset`	A user in your account deletes a clean room asset.	`asset_full_name` `asset_type` `clean_room_name`
`clean-room`	`deleteCleanRoomAutoApprovalRule`	A user in your Databricks account deletes an auto-approval rule for a clean room using the UI or API.	`clean_room_name` `rule_id`
`clean-room`	`getCleanRoom`	A user in your account gets details about a clean room using the UI or API.	`clean_room_name` `metastore_id` `workspace_id`
`clean-room`	`getCleanRoomAsset`	A user in your account views details about a clean room's data asset using the UI.	`asset_full_name` `metastore_id` `workspace_id` `asset_type` `clean_room_name` `collaborator_global_metastore_id`
`clean-room`	`listCleanRoomAssets`	A user gets a list of assets within a clean room.	`clean_room_name`
`clean-room`	`listCleanRoomAutoApprovalRules`	A user in your Databricks account lists auto-approval rules for a clean room using the UI or API.	`clean_room_name`
`clean-room`	`listCleanRoomNotebookTaskRuns`	A user gets a list of notebook task runs within a clean room.	`clean_room_name` `notebook_name`
`clean-room`	`listCleanRooms`	A user gets a list of all clean rooms using the workspace UI or all clean rooms in the metastore using the API.	`metastore_id` `workspace_id`
`clean-room`	`updateCleanRoom`	A user in your account updates a clean room's details or assets.	`added_assets` `clean_room_name` `owner` `metastore_id` `workspace_id` `updated_assets` `removed_assets`
`clean-room`	`updateCleanRoomAsset`	A user in your account updates a clean room asset.	`asset` `clean_room_name`

Unity Catalog events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following diagnostic events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog audit events can be logged at the workspace level or account level depending on the event.

Service	Action	Description	Request parameters
`unityCatalog`	`createMetastore`	Account admin creates a metastore.	`name` `storage_root` `workspace_id` `metastore_id`
`unityCatalog`	`getMetastore`	Account admin requests metastore ID.	`id` `workspace_id` `metastore_id`
`unityCatalog`	`getMetastoreSummary`	Account admin requests details about a metastore.	`workspace_id` `metastore_id`
`unityCatalog`	`listMetastores`	Account admin requests a list of all metastores in an account.	`workspace_id`
`unityCatalog`	`updateMetastore`	Account admin makes an update to a metastore.	`id` `owner` `workspace_id` `metastore_id`
`unityCatalog`	`deleteMetastore`	Account admin deletes a metastore.	`id` `force` `workspace_id` `metastore_id`
`unityCatalog`	`updateMetastoreAssignment`	Account admin makes an update to a metastore's workspace assignment.	`workspace_id` `metastore_id` `default_catalog_name`
`unityCatalog`	`createExternalLocation`	Account admin creates an external location.	`name` `skip_validation` `url` `credential_name` `workspace_id` `metastore_id`
`unityCatalog`	`getExternalLocation`	Account admin requests details about an external location.	`name_arg` `include_browse` `workspace_id` `metastore_id`
`unityCatalog`	`listExternalLocations`	Account admin request list of all external locations in an account.	`url` `max_results` `workspace_id` `metastore_id`
`unityCatalog`	`updateExternalLocation`	Account admin makes an update to an external location.	`name_arg` `owner` `workspace_id` `metastore_id`
`unityCatalog`	`deleteExternalLocation`	Account admin deletes an external location.	`name_arg` `force` `workspace_id` `metastore_id`
`unityCatalog`	`createCatalog`	User creates a catalog.	`name` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`deleteCatalog`	User deletes a catalog.	`name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`getCatalog`	User requests details about a catalog.	`name_arg` `dependent` `workspace_id` `metastore_id`
`unityCatalog`	`updateCatalog`	User updates a catalog.	`name_arg` `isolation_mode` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`listCatalog`	User makes a call to list all catalogs in the metastore.	`name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`createSchema`	User creates a schema.	`name` `catalog_name` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`deleteSchema`	User deletes a schema.	`full_name_arg` `force` `workspace_id` `metastore_id`
`unityCatalog`	`getSchema`	User requests details about a schema.	`full_name_arg` `dependent` `workspace_id` `metastore_id`
`unityCatalog`	`listSchema`	User requests a list of all schemas in a catalog.	`catalog_name`
`unityCatalog`	`updateSchema`	User updates a schema.	`full_name_arg` `name` `workspace_id` `metastore_id` `comment`
`unityCatalog`	`createStagingTable`		`name` `catalog_name` `schema_name` `workspace_id` `metastore_id`
`unityCatalog`	`createTable`	User creates a table. The request parameters differ depending on the type of table created.	`name` `data_source_format` `catalog_name` `schema_name` `storage_location` `columns` `dry_run` `table_type` `view_dependencies` `view_definition` `sql_path` `comment`
`unityCatalog`	`deleteTable`	User deletes a table.	`full_name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`getTable`	User requests details about a table.	`include_delta_metadata` `full_name_arg` `dependent` `workspace_id` `metastore_id`
`unityCatalog`	`privilegedGetTable`		`full_name_arg`
`unityCatalog`	`listTables`	User makes a call to list all tables in a schema.	`catalog_name` `schema_name` `workspace_id` `metastore_id` `include_browse`
`unityCatalog`	`listTableSummaries`	User gets an array of summaries for tables for a schema and catalog within the metastore.	`catalog_name` `schema_name_pattern` `workspace_id` `metastore_id`
`unityCatalog`	`updateTables`	User makes an update to a table. The request parameters displayed vary depending on the type of table updates made.	`full_name_arg` `table_type` `table_constraint_list` `data_source_format` `columns` `dependent` `row_filter` `storage_location` `sql_path` `view_definition` `view_dependencies` `owner` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`createStorageCredential`	Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials.	`name` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`listStorageCredentials`	Account admin makes a call to list all storage credentials in the account.	`workspace_id` `metastore_id`
`unityCatalog`	`getStorageCredential`	Account admin requests details about a storage credential.	`name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`updateStorageCredential`	Account admin makes an update to a storage credential.	`name_arg` `owner` `workspace_id` `metastore_id`
`unityCatalog`	`deleteStorageCredential`	Account admin deletes a storage credential.	`name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`generateTemporaryTableCredential`	Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when.	`credential_id` `credential_type` `credential_kind` `is_permissions_enforcing_client` `table_full_name` `operation` `table_id` `workspace_id` `table_url` `metastore_id`
`unityCatalog`	`generateTemporaryPathCredential`	Logged whenever a temporary credential is granted for a path.	`url` `operation` `make_path_only_parent` `credential_kind` `fallback_enabled` `workspace_id` `metastore_id`
`unityCatalog`	`checkPathAccess`	Logged whenever user permissions are checked for a given path.	`path` `fallback_enabled`
`unityCatalog`	`getPermissions`	User makes a call to get permission details for a securable object. This call doesn't return inherited permissions, only explicitly assigned permissions.	`securable_type` `securable_full_name` `workspace_id` `metastore_id`
`unityCatalog`	`getEffectivePermissions`	User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions.	`securable_type` `securable_full_name` `workspace_id` `metastore_id`
`unityCatalog`	`updatePermissions`	User updates permissions on a securable object.	`securable_type` `changes` `securable_full_name` `workspace_id` `metastore_id`
`unityCatalog`	`metadataSnapshot`	User queries the metadata from a previous table version.	`securables` `include_delta_metadata` `workspace_id` `metastore_id`
`unityCatalog`	`metadataAndPermissionsSnapshot`	User queries the metadata and permissions from a previous table version.	`securables` `include_delta_metadata` `workspace_id` `metastore_id`
`unityCatalog`	`updateMetadataSnapshot`	User updates the metadata from a previous table version.	`table_list_snapshots` `schema_list_snapshots` `workspace_id` `metastore_id`
`unityCatalog`	`getForeignCredentials`	User makes a call to get details about a foreign key.	`securables` `workspace_id` `metastore_id`
`unityCatalog`	`getInformationSchema`	User makes a call to get details about a schema.	`table_name` `page_token` `required_column_names` `row_set_type` `required_column_names` `workspace_id` `metastore_id`
`unityCatalog`	`createConstraint`	User creates a constraint for a table.	`full_name_arg` `constraint` `workspace_id` `metastore_id`
`unityCatalog`	`deleteConstraint`	User deletes a constraint for a table.	`full_name_arg` `constraint` `workspace_id` `metastore_id`
`unityCatalog`	`createPipeline`	User creates a Unity Catalog pipeline.	`target_catalog_name` `has_workspace_definition` `id` `workspace_id` `metastore_id`
`unityCatalog`	`updatePipeline`	User updates a Unity Catalog pipeline.	`id_arg` `definition_json` `id` `workspace_id` `metastore_id`
`unityCatalog`	`getPipeline`	User requests details about a Unity Catalog pipeline.	`id` `workspace_id` `metastore_id`
`unityCatalog`	`deletePipeline`	User deletes a Unity Catalog pipeline.	`id` `workspace_id` `metastore_id`
`unityCatalog`	`deleteResourceFailure`	Resource fails to delete	none
`unityCatalog`	`createVolume`	User creates a Unity Catalog volume.	`name` `catalog_name` `schema_name` `volume_type` `storage_location` `owner` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`getVolume`	User makes a call to get information on a Unity Catalog volume.	`volume_full_name` `workspace_id` `metastore_id`
`unityCatalog`	`updateVolume`	User updates a Unity Catalog volume's metadata with the `ALTER VOLUME` or `COMMENT ON` calls.	`volume_full_name` `name` `owner` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`deleteVolume`	User deletes a Unity Catalog volume.	`volume_full_name` `workspace_id` `metastore_id`
`unityCatalog`	`listVolumes`	User makes a call to get a list of all Unity Catalog volumes in a schema.	`catalog_name` `schema_name` `workspace_id` `metastore_id`
`unityCatalog`	`generateTemporaryVolumeCredential`	A temporary credential is generated when a user performs a read or write on a volume. You can use this event to determine who accessed a volume and when.	`volume_id` `volume_full_name` `operation` `volume_storage_location` `credential_id` `credential_type` `credential_kind` `workspace_id` `metastore_id`
`unityCatalog`	`getTagSecurableAssignments`	Tag assignments for a securable are fetched	`securable_type` `securable_full_name` `workspace_id` `metastore_id`
`unityCatalog`	`getTagSubentityAssignments`	Tag assignments for a subentity are fetched	`securable_type` `securable_full_name` `workspace_id` `metastore_id` `subentity_name`
`unityCatalog`	`UpdateTagSecurableAssignments`	Tag assignments for a securable are updated	`securable_type` `securable_full_name` `workspace_id` `metastore_id` `changes`
`unityCatalog`	`UpdateTagSubentityAssignments`	Tag assignments for a subentity are updated	`securable_type` `securable_full_name` `workspace_id` `metastore_id` `subentity_name` `changes`
`unityCatalog`	`createRegisteredModel`	User creates a Unity Catalog registered model.	`name` `catalog_name` `schema_name` `owner` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`getRegisteredModel`	User makes a call to get information on a Unity Catalog registered model.	`full_name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`updateRegisteredModel`	User updates a Unity Catalog registered model's metadata.	`full_name_arg` `name` `owner` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`deleteRegisteredModel`	User deletes a Unity Catalog registered model.	`full_name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`listRegisteredModels`	User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas.	`catalog_name` `schema_name` `max_results` `page_token` `workspace_id` `metastore_id`
`unityCatalog`	`createModelVersion`	User creates a model version in Unity Catalog.	`catalog_name` `schema_name` `model_name` `source` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`finalizeModelVersion`	User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows.	`full_name_arg` `version_arg` `workspace_id` `metastore_id`
`unityCatalog`	`getModelVersion`	User makes a call to get details on a model version.	`full_name_arg` `version_arg` `workspace_id` `metastore_id`
`unityCatalog`	`getModelVersionByAlias`	User makes a call to get details on a model version using the alias.	`full_name_arg` `include_aliases` `alias_arg` `workspace_id` `metastore_id`
`unityCatalog`	`updateModelVersion`	User updates a model version's metadata.	`full_name_arg` `version_arg` `name` `owner` `comment` `workspace_id` `metastore_id`
`unityCatalog`	`deleteModelVersion`	User deletes a model version.	`full_name_arg` `version_arg` `workspace_id` `metastore_id`
`unityCatalog`	`listModelVersions`	User makes a call to get a list of Unity Catalog model versions in a registered model.	`catalog_name` `schema_name` `model_name` `max_results` `page_token` `workspace_id` `metastore_id`
`unityCatalog`	`generateTemporaryModelVersionCredential`	A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when.	`full_name_arg` `version_arg` `operation` `model_version_url` `credential_id` `credential_type` `credential_kind` `workspace_id` `metastore_id`
`unityCatalog`	`setRegisteredModelAlias`	User sets an alias on a Unity Catalog registered model.	`full_name_arg` `alias_arg` `version`
`unityCatalog`	`deleteRegisteredModelAlias`	User deletes an alias on a Unity Catalog registered model.	`full_name_arg` `alias_arg`
`unityCatalog`	`getModelVersionByAlias`	User gets a Unity Catalog model version by alias.	`full_name_arg` `alias_arg`
`unityCatalog`	`createConnection`	A new foreign connection is created.	`name` `connection_type` `workspace_id` `metastore_id`
`unityCatalog`	`deleteConnection`	A foreign connection is deleted.	`name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`getConnection`	A foreign connection is retrieved.	`name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`updateConnection`	A foreign connection is updated.	`name_arg` `owner` `workspace_id` `metastore_id`
`unityCatalog`	`listConnections`	Foreign connections in a metastore are listed.	`workspace_id` `metastore_id`
`unityCatalog`	`createFunction`	User creates a new function.	`function_info` `workspace_id` `metastore_id`
`unityCatalog`	`updateFunction`	User updates a function.	`full_name_arg` `owner` `workspace_id` `metastore_id`
`unityCatalog`	`listFunctions`	User requests a list of all functions within a specific parent catalog or schema.	`catalog_name` `schema_name` `include_browse` `workspace_id` `metastore_id`
`unityCatalog`	`getFunction`	User requests a function from a parent catalog or schema.	`full_name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`deleteFunction`	User requests a function from a parent catalog or schema.	`full_name_arg` `workspace_id` `metastore_id`
`unityCatalog`	`createShareMarketplaceListingLink`		`links_infos` `metastore_id`
`unityCatalog`	`deleteShareMarketplaceListingLink`		`links_infos` `metastore_id`
`unityCatalog`	`generateTemporaryServiceCredential`	A temporary credential is generated to access a cloud service account from Databricks.	`credential_id` `credential_type` `credential_kind` `workspace_id` `metastore_id`
`unityCatalog`	`UpdateWorkspaceBindings`	A metastore admin or object owner updates the workspace bindings of a catalog, external location, or storage credential.	`securable_type` `securable_full_name` `add`: Only logged when binding is assigned. Includes a list of workspace IDs and the binding type. `remove`: Only logged when a binding is unassigned. Includes workspace IDs of affected workspaces. `workspace_id` `metastore_id`

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

Delta Sharing events are broken up into two sections: events recorded in the data provider's account and events recorded in the data recipient's account.

To learn how to use audit logs to monitor Delta Sharing events, see Audit and monitor data sharing.

The following audit log events are logged in the provider's account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

Service	Action	Description	Request parameters
`unityCatalog`	`deltaSharingListShares`	A data recipient requests a list of shares.	`options`: The pagination options provided with this request. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingGetShare`	A data recipient requests details about a shares.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListSchemas`	A data recipient requests a list of shared schemas.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `options`: The pagination options provided with this request. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListAllTables`	A data recipient requests a list of all shared tables.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListTables`	A data recipient requests a list of shared tables.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `options`: The pagination options provided with this request. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingGetTableMetadata`	A data recipient requests a details about a table's metadata.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `predicateHints`: The predicates included in the query. `limitHints`: The maximum number of rows to return. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingGetTableVersion`	A data recipient requests a details about a table version.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueryTable`	Logged when a data recipient queries a shared table.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `predicateHints`: The predicates included in the query. `limitHints`: The maximum number of rows to return. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueryTableChanges`	Logged when a data recipient queries change data for a table.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `cdf_options`: Change data feed options. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueriedTable`	Logged after a data recipient gets a response to their query. The `response.result` field includes more information on the recipient's query (see Audit and monitor data sharing)	`recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueriedTableChanges`	Logged after a data recipient gets a response to their query. The `response.result` field includes more information on the recipient's query (see Audit and monitor data sharing).	`recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListNotebookFiles`	A data recipient requests a list of shared notebook files.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueryNotebookFile`	A data recipient queries a shared notebook file.	`file_name`: The name of the notebook file. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListFunctions`	A data recipient requests a list of functions in a parent schema.	`share`: The name of the share. `schema`: The name of the parent schema of the function. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListAllFunctions`	A data recipient requests a list of all shared functions.	`share`: The name of the share. `schema`: The name of the parent schema of the function. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListFunctionVersions`	A data recipient requests a list of function versions.	`share`: The name of the share. `schema`: The name of the parent schema of the function. `function`: The name of the function. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListVolumes`	A data recipient requests a list of shared volumes in a schema.	`share`: The name of the share. `schema`: The parents schema of the volumes. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListAllVolumes`	A data recipient requests all shared volumes.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`updateMetastore`	Provider updates their metastore.	`delta_sharing_scope`: Values can be `INTERNAL` or `INTERNAL_AND_EXTERNAL`. `delta_sharing_recipient_token_lifetime_in_seconds`: If present, indicates that the recipient token lifetime was updated.
`unityCatalog`	`createRecipient`	Provider creates a data recipient.	`name`: The name of the recipient. `comment`: The comment for the recipient. `ip_access_list.allowed_ip_addresses:` Recipient IP address allowlist.
`unityCatalog`	`deleteRecipient`	Provider deletes a data recipient.	`name`: The name of the recipient.
`unityCatalog`	`getRecipient`	Provider requests details about a data recipient.	`name`: The name of the recipient.
`unityCatalog`	`listRecipients`	Provider requests a list of all their data recipients.	none
`unityCatalog`	`rotateRecipientToken`	Provider rotates a recipient's token.	`name`: The name of the recipient. `comment`: The comment given in the rotation command.
`unityCatalog`	`updateRecipient`	Provider updates a data recipient's attributes.	`name`: The name of the recipient. `updates`: A JSON representation of recipient attributes that were added or removed from the share.
`unityCatalog`	`createShare`	Provider updates a data recipient's attributes.	`name`: The name of the share. `comment`: The comment for the share.
`unityCatalog`	`deleteShare`	Provider updates a data recipient's attributes.	`name`: The name of the share.
`unityCatalog`	`getShare`	Provider requests details about a share.	`name`: The name of the share. `include_shared_objects`: Whether the share's table names were included in the request.
`unityCatalog`	`updateShare`	Provider adds or removes data assets from a share.	`name`: The name of the share. `updates`: A JSON representation of data assets that were added or removed from the share. Each item includes `action` (add or remove), `name` (the actual name of the table), `shared_as` (the name the asset was shared as, if different from the actual name), and `partition_specification` (if a partition specification was provided).
`unityCatalog`	`listShares`	Provider requests a list of their shares.	none
`unityCatalog`	`getSharePermissions`	Provider requests details on a share's permissions.	`name`: The name of the share.
`unityCatalog`	`updateSharePermissions`	Provider updates a share's permissions.	`name`: The name of the share. `changes`: A JSON representation of the updated permissions. Each change includes `principal` (the user or group to whom permission is granted or revoked), `add` (the list of permissions that were granted), and `remove` (the list of permissions that were revoked).
`unityCatalog`	`getRecipientSharePermissions`	Provider requests details about a recipient's share permissions.	`name`: The name of the share.
`unityCatalog`	`getActivationUrlInfo`	Provider requests details about activity on their activation link.	`recipient_name`: The name of the recipient who opened the activation URL. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, `true` if the request was denied and `false` if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`generateTemporaryVolumeCredential`	Temporary credential is generated for the recipient to access a shared volume.	`share_name`: The name of the share through which the recipient requests. `share_id`: The ID of the share. `share_owner`: The owner of the share. `recipient_name`: The name of the recipient who requests the credential. `recipient_id`: The ID of the recipient. `volume_full_name`: The full 3-level name of the volume. `volume_id`: The ID of the volume. `volume_storage_location`: The cloud path of the volume root. `operation`: Either `READ_VOLUME` or `WRITE_VOLUME`. For volume sharing, only `READ_VOLUME` is supported. `credential_id`: The ID of the credential. `credential_type`: The type of the credential. Value is either `StorageCredential` or `ServiceCredential`. `credential_kind`: The method used to authorize access. `workspace_id`: Value is always `0` when the request is for shared volumes.
`unityCatalog`	`generateTemporaryTableCredential`	Temporary credential is generated for the recipient to access a shared table.	`share_name`: The name of the share through which the recipient requests. `share_id`: The ID of the share. `share_owner`: The owner of the share. `recipient_name`: The name of the recipient who requests the credential. `recipient_id`: The ID of the recipient. `table_full_name`: The full 3-level name of the table. `table_id`: The ID of the table. `table_url`: The cloud path of the table root. `operation`: Either `READ` or `READ_WRITE`. `credential_id`: The ID of the credential. `credential_type`: The type of the credential. Value is either `StorageCredential` or `ServiceCredential`. `credential_kind`: The method used to authorize access. `workspace_id`: Value is always `0` when the request is for shared tables.

The following events are logged in the data recipient's account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

recipient_name: The name of the recipient in the data provider's system.
metastore_id: The name of the metastore in the data provider's system.
sourceIPAddress: The IP address where the request originated.

Service	Action	Description	Request parameters
`unityCatalog`	`deltaSharingProxyGetTableVersion`	A data recipient requests a details on a shared table version.	`share`: The name of the share. `schema`: The name of the table's parent schema. `name`: The name of the table.
`unityCatalog`	`deltaSharingProxyGetTableMetadata`	A data recipient requests a details on a shared table's metadata.	`share`: The name of the share. `schema`: The name of the table's parent schema. `name`: The name of the table.
`unityCatalog`	`deltaSharingProxyQueryTable`	A data recipient queries a shared table.	`share`: The name of the share. `schema`: The name of the table's parent schema. `name`: The name of the table. `limitHints`: The maximum number of rows to return. `predicateHints`: The predicates included in the query. `version`: Table version, if change data feed is enabled.
`unityCatalog`	`deltaSharingProxyQueryTableChanges`	A data recipient queries change data for a table.	`share`: The name of the share. `schema`: The name of the table's parent schema. `name`: The name of the table. `cdf_options`: Change data feed options.
`unityCatalog`	`createProvider`	A data recipient creates a provider object.	`name`: The name of the provider. `comment`: The comment for the provider.
`unityCatalog`	`updateProvider`	A data recipient updates a provider object.	`name`: The name of the provider. `updates`: A JSON representation of provider attributes that were added or removed from the share. Each item includes `action` (add or remove) and can include `name` (the new provider name), `owner` (new owner), and `comment`.
`unityCatalog`	`deleteProvider`	A data recipient deletes a provider object.	`name`: The name of the provider.
`unityCatalog`	`getProvider`	A data recipient requests details about a provider object.	`name`: The name of the provider.
`unityCatalog`	`listProviders`	A data recipient requests a list of providers.	none
`unityCatalog`	`activateProvider`	A data recipient activates a provider object.	`name`: The name of the provider.
`unityCatalog`	`listProviderShares`	A data recipient requests a list of a provider's shares.	`name`: The name of the provider.

Additional security monitoring events

For Azure Databricks compute resources in the classic compute plane, such as VMs for clusters and pro or classic SQL warehouses, the following features enable additional monitoring agents:

File integrity monitoring events

The following capsule8-alerts-dataplane events are logged at the workspace level.

Service	Action	Description	Request parameters
`capsule8-alerts-dataplane`	`Heartbeat`	A regular event to confirm the monitor is on. Currently runs every 10 minutes.	`instanceId`
`capsule8-alerts-dataplane`	`Memory Marked Executable`	Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers.	`instanceId`
`capsule8-alerts-dataplane`	`File Integrity Monitor`	Monitors the integrity of important system files. Alerts on any unauthorized changes to those files. Databricks defines specific sets of system paths on the image, and this set of paths might change over time.	`instanceId`
`capsule8-alerts-dataplane`	`Systemd Unit File Modified`	Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a `systemd` unit file is modified by a program other than `systemctl`.	`instanceId`
`capsule8-alerts-dataplane`	`Repeated Program Crashes`	Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.	`instanceId`
`capsule8-alerts-dataplane`	`Userfaultfd Usage`	As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container.	`instanceId`
`capsule8-alerts-dataplane`	`New File Executed in Container`	Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers.	`instanceId`
`capsule8-alerts-dataplane`	`Suspicious Interactive Shell`	Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells.	`instanceId`
`capsule8-alerts-dataplane`	`User Command Logging Evasion`	Evading command logging is common practice for attackers, but might also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging.	`instanceId`
`capsule8-alerts-dataplane`	`BPF Program Executed`	Detects some types of kernel backdoors. The loading of a new Berkeley Packet Filter (BPF) program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Kernel Module Loaded`	Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Suspicious Program Name Executed-Space After File`	Attackers might create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name.	`instanceId`
`capsule8-alerts-dataplane`	`Illegal Elevation Of Privileges`	Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means. This can issue false positive alerts on nodes with significant workloads.	`instanceId`
`capsule8-alerts-dataplane`	`Kernel Exploit`	Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to user space.	`instanceId`
`capsule8-alerts-dataplane`	`Processor-Level Protections Disabled`	SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.	`instanceId`
`capsule8-alerts-dataplane`	`Container Escape via Kernel Exploitation`	Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access.	`instanceId`
`capsule8-alerts-dataplane`	`Privileged Container Launched`	Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn't a known privileged image such as kube-proxy. This can issue unwanted alerts for legitimate privileged containers.	`instanceId`
`capsule8-alerts-dataplane`	`Userland Container Escape`	Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.	`instanceId`
`capsule8-alerts-dataplane`	`AppArmor Disabled In Kernel`	Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.	`instanceId`
`capsule8-alerts-dataplane`	`AppArmor Profile Modified`	Attackers might attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session.	`instanceId`
`capsule8-alerts-dataplane`	`Boot Files Modified`	If not performed by a trusted source (such as a package manager or configuration management tool), modification of boot files could indicate an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in `/boot`, indicating installation of a new kernel or boot configuration.	`instanceId`
`capsule8-alerts-dataplane`	`Log Files Deleted`	Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.	`instanceId`
`capsule8-alerts-dataplane`	`New File Executed`	Newly created files from sources other than system update programs might be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.	`instanceId`
`capsule8-alerts-dataplane`	`Root Certificate Store Modified`	Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.	`instanceId`
`capsule8-alerts-dataplane`	`Setuid/Setgid Bit Set On File`	Setting `setuid/setgid` bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the `setuid` or `setgid` bit is set on a file with the `chmod` family of system calls.	`instanceId`
`capsule8-alerts-dataplane`	`Hidden File Created`	Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Modification Of Common System Utilities`	Attackers might modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process.	`instanceId`
`capsule8-alerts-dataplane`	`Network Service Scanner Executed`	An attacker or rogue user might use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.	`instanceId`
`capsule8-alerts-dataplane`	`Network Service Created`	Attackers might start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Network Sniffing Program Executed`	An attacker or rogue user might execute network sniffing commands to capture credentials, personally-identifiable information (PII), or other sensitive information. Alerts when a program is executed that allows network capture.	`instanceId`
`capsule8-alerts-dataplane`	`Remote File Copy Detected`	Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Unusual Outbound Connection Detected`	Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Data Archived Via Program`	After gaining access to a system, an attacker might create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Process Injection`	Use of process injection techniques commonly indicates that a user is debugging a program, but might also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses `ptrace` (debugging) mechanisms to interact with another process.	`instanceId`
`capsule8-alerts-dataplane`	`Account Enumeration Via Program`	Attackers often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`File and Directory Discovery Via Program`	Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Network Configuration Enumeration Via Program`	Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Process Enumeration Via Program`	Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`System Information Enumeration Via Program`	Attackers commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`Scheduled Tasks Modified Via Program`	Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the `crontab`, `at`, or `batch` commands are used to modify scheduled task configurations.	`instanceId`
`capsule8-alerts-dataplane`	`Systemctl Usage Detected`	Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the `systemctl` command is used to modify systemd units.	`instanceId`
`capsule8-alerts-dataplane`	`User Execution Of su Command`	Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the `su` command is executed.	`instanceId`
`capsule8-alerts-dataplane`	`User Execution Of sudo Command`	Alerts when the `sudo` command is executed.	`instanceId`
`capsule8-alerts-dataplane`	`User Command History Cleared`	Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.	`instanceId`
`capsule8-alerts-dataplane`	`New System User Added`	An attacker might add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file `/etc/passwd`, if the entity is not added by a system update program.	`instanceId`
`capsule8-alerts-dataplane`	`Password Database Modification`	Attackers might directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.	`instanceId`
`capsule8-alerts-dataplane`	`SSH Authorized Keys Modification`	Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user's SSH `authorized_keys` file is observed, if the program is already part of an ongoing incident.	`instanceId`
`capsule8-alerts-dataplane`	`User Account Created Via CLI`	Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.	`instanceId`
`capsule8-alerts-dataplane`	`User Configuration Changes`	Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.	`instanceId`
`capsule8-alerts-dataplane`	`New System User Added`	User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when `.bash_profile` and `bashrc` (as well as related files) are modified by a program other than a system update tool.	`instanceId`

Antivirus monitoring events

Note

The response JSON object in these audit logs always has a result field that includes one line of the original scan result. Each scan result is represented typically by multiple audit log records, one for each line of the original scan output. For details of what could appear in this file, see the following third-party documentation.

The following clamAVScanService-dataplane event is logged at the workspace level.

Service	Action	Description	Request parameters
`clamAVScanService-dataplane`	`clamAVScanAction`	The antivirus monitoring performs a scan. A log will generate for each line of the original scan output.	`instanceId`

Deprecated log events

Databricks has deprecated the following databrickssql diagnostic events:

createAlertDestination (now createNotificationDestination)
deleteAlertDestination (now deleteNotificationDestination)
updateAlertDestination (now updateNotificationDestination)
muteAlert
unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

changeEndpointAcls
createEndpoint
editEndpoint
startEndpoint
stopEndpoint
deleteEndpoint
setEndpointConfig

Share via

Diagnostic log reference

Diagnostic log services

Workspace-level services

Account-level services

Additional security monitoring services

Diagnostic log example schema

Diagnostic log schema considerations

Account events

AI/BI dashboard events

AI/BI Genie events

Alerts events

Clusters events

Cluster libraries events

Cluster policy events

Database events

Databricks SQL events

Data monitoring events

DBFS events

DBFS API events

DBFS operational events

Delta pipelines events

Feature store events

Files events

Genie events

Git credential events

Global init scripts events

Groups events

IAM role events

Ingestion events

Instance pool events

Job events

Lineage tracking events

Marketplace consumer events

Marketplace provider events

MLflow artifacts with ACL events

MLflow experiment events

MLflow model registry events

Model serving events

Notebook events

Partner Connect events

Predictive optimization events

Remote history service events

Git folder events

Secrets events

SQL table access events

SSH events

Uniform Iceberg REST API events

Vector search events

Webhook events

Web terminal events

Workspace events

Databricks Apps events

Account access control events

Billable usage events

Account-level account events

Account management events

Serverless budget policy events

Clean Rooms events

Unity Catalog events

Delta Sharing events

Delta Sharing provider events

Delta Sharing recipient events

Additional security monitoring events

File integrity monitoring events

Antivirus monitoring events

Deprecated log events

SQL endpoint logs

Feedback

Additional resources