Diagnostic log reference
Note
This feature requires the Premium plan.
This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the diagnostic logs, your enterprise can monitor detailed Azure Databricks usage patterns in your account.
The easiest way to access and query your account’s audit logs is by using system tables (Public Preview).
If you’d like to configure a regular log delivery, see Configure diagnostic log delivery.
Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.
Diagnostic log services
The following services and their events are logged by default in diagnostic logs.
Workspace-level services
| Service name | Description |
|---|---|
| accounts | Events related to accounts, users, groups, and IP access lists. |
| clusters | Events related to clusters. |
| clusterPolicies | Events related to cluster policies. |
| dashboards | Events related to Lakeview dashboard use. |
| databrickssql | Events related to Databricks SQL use. |
| dbfs | Events related to DBFS. |
| deltaPipelines | Events related to Delta Live Table pipelines. |
| featureStore | Events related to the Databricks Feature Store. |
| filesystem | Events related to the Files API. |
| genie | Events related to workspace access by support personnel. |
| gitCredentials | Events related to Git credentials for Databricks Git folders. See also repos. |
| globalInitScripts | Events related to global init scripts. |
| groups | Events related to account and workspace groups. |
| ingestion | Events related to file uploads. |
| instancePools | Events related to pools. |
| jobs | Events related to jobs. |
| marketplaceConsumer | Events related to consumer actions in Databricks Marketplace. |
| marketplaceProvider | Events related to provider actions in Databricks Marketplace. |
| mlflowAcledArtifact | Events related to ML Flow artifacts with ACLs. |
| mlflowExperiment | Events related to ML Flow experiments. |
| modelRegistry | Events related to the model registry. |
| notebook | Events related to notebooks. |
| partnerConnect | Events related to Partner Connect. |
| remoteHistoryService | Events related to adding a removing GitHub Credentials. |
| repos | Events related to Databricks Git folders. See also gitCredentials. |
| secrets | Events related to secrets. |
| serverlessRealTimeInference | Events related to model serving. |
| sqlPermissions | Events related to the legacy Hive metastore table access control. |
| ssh | Events related to SSH access. |
| webTerminal | Events related to the web terminal feature. |
| workspace | Events related to workspaces. |
Account-level services
Account-level audit logs are available for these services:
| Service name | Description |
|---|---|
| accountBillableUsage | Actions related to billable usage access in the account console. |
| accountsAccessControl | Actions related to account-level access control rules. |
| accountsManager | Actions related to network connectivity configurations. |
| unityCatalog | Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events. |
Additional security monitoring services
There are additional services and associated actions for workspaces that use the compliance security profile (required for some compliance standards such as FedRAMP, PCI, and HIPAA) or Enhanced security monitoring.
These are workspace-level services that will only generate in your logs if you are using the compliance security profile or enhanced security monitoring:
| Service name | Description |
|---|---|
| capsule8-alerts-dataplane | Actions related to file integrity monitoring. |
| clamAVScanService-dataplanel | Actions related to antivirus monitoring. |
| monit | Actions related to the process monitor. |
| syslog | Actions related to the system logs. |
Diagnostic log example schema
In Azure Databricks, diagnostic logs output events in a JSON format. In Azure Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.
The following JSON sample is an example of an event logged when a user created a job:
{
"TenantId": "<your-tenant-id>",
"SourceSystem": "|Databricks|",
"TimeGenerated": "2019-05-01T00:18:58Z",
"ResourceId": "/SUBSCRIPTIONS/SUBSCRIPTION_ID/RESOURCEGROUPS/RESOURCE_GROUP/PROVIDERS/MICROSOFT.DATABRICKS/WORKSPACES/PAID-VNET-ADB-PORTAL",
"OperationName": "Microsoft.Databricks/jobs/create",
"OperationVersion": "1.0.0",
"Category": "jobs",
"Identity": {
"email": "mail@contoso.com",
"subjectName": null
},
"SourceIPAddress": "131.0.0.0",
"LogId": "201b6d83-396a-4f3c-9dee-65c971ddeb2b",
"ServiceName": "jobs",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
"SessionId": "webapp-cons-webapp-01exaj6u94682b1an89u7g166c",
"ActionName": "create",
"RequestId": "ServiceMain-206b2474f0620002",
"Response": {
"statusCode": 200,
"result": "{\"job_id\":1}"
},
"RequestParams": {
"name": "Untitled",
"new_cluster": "{\"node_type_id\":\"Standard_DS3_v2\",\"spark_version\":\"5.2.x-scala2.11\",\"num_workers\":8,\"spark_conf\":{\"spark.databricks.delta.preview.enabled\":\"true\"},\"cluster_creator\":\"JOB_LAUNCHER\",\"spark_env_vars\":{\"PYSPARK_PYTHON\":\"/databricks/python3/bin/python3\"},\"enable_elastic_disk\":true}"
},
"Type": "DatabricksJobs"
}
Diagnostic log schema considerations
- If actions take a long time, the request and response are logged separately but the request and response pair have the same
requestId. - Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user
System-User. - The
requestParamsfield is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string... truncatedis appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a singleTRUNCATEDkey with an empty value is present instead.
Account events
The following are accounts events logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
accounts |
activateUser |
A user is reactivated after being deactivated. See Deactivate users in workspace. | * targetUserName* endpoint* targetUserId |
accounts |
aadBrowserLogin |
A user logs in to Databricks using a Microsoft Entra ID (formerly Azure Active Directory) token. | * user |
accounts |
aadTokenLogin |
A user logs in to Databricks through the Microsoft Entra ID (formerly Azure Active Directory) browser workflow. | * user |
accounts |
accountInHouseOAuthClientAuthentication |
An OAuth client is authenticated. | * endpoint |
accounts |
activateUser |
Admin adds a user to the Databricks account from the Azure portal. | * warehouse* targetUserName* targetUserId |
accounts |
add |
A user is added to a Azure Databricks workspace. | * targetUserName* endpoint* targetUserId |
accounts |
addPrincipalToGroup |
A user is added to a workspace-level group. | * targetGroupId* endpoint* targetUserId* targetGroupName* targetUserName |
accounts |
changeDatabricksSqlAcl |
A user’s Databricks SQL permissions are changed. | * shardName* targetUserId* resourceId* aclPermissionSet |
accounts |
changeDatabricksWorkspaceAcl |
Permissions to a workspace are changed. | * shardName* targetUserId* resourceId* aclPermissionSet |
accounts |
changeDbTokenAcl |
When permissions on a token are changed. | * shardName* targetUserId* resourceId* aclPermissionSet |
accounts |
changeServicePrincipalAcls |
When a service principal’s permissions are changed. | * shardName* targetServicePrincipal* resourceId* aclPermissionSet |
accounts |
createGroup |
A workspace-level group is created. | * endpoint* targetGroupId* targetGroupName |
accounts |
createIpAccessList |
An IP access list is added to the workspace. | * ipAccessListId* userId |
accounts |
deactivateUser |
A user is deactivated in the workspace. See Deactivate users in workspace. | * targetUserName* endpoint* targetUserId |
accounts |
delete |
A user is deleted from the Azure Databricks workspace. | * targetUserId* targetUserName* endpoint |
accounts |
deleteIpAccessList |
An IP access list is deleted from the workspace. | * ipAccessListId* userId |
accounts |
garbageCollectDbToken |
A user runs a garbage collect command on expired tokens. | * tokenExpirationTime* tokenClientId* userId* tokenCreationTime* tokenFirstAccessed |
accounts |
generateDbToken |
When someone generates a token from User Settings or when the service generates the token. | * tokenExpirationTime* tokenCreatedBy* tokenHash* userId |
accounts |
IpAccessDenied |
A user attempts to connect to the service through a denied IP. | * path* userName |
accounts |
ipAccessListQuotaExceeded |
* userId |
|
accounts |
jwtLogin |
User logs into Databricks using a JWT. | * user |
accounts |
login |
User logs into the workspace. | * user |
accounts |
logout |
User logs out of the workspace. | * user |
accounts |
oidcTokenAuthorization |
When an API call is authorized through a generic OIDC/OAuth token. | * user |
accounts |
passwordVerifyAuthentication |
* user |
|
accounts |
reachMaxQuotaDbToken |
When the current number of non-expired tokens exceeds the token quota | |
accounts |
removeAdmin |
A user is revoked of workspace admin permissions. | * targetUserName* endpoint* targetUserId |
accounts |
removeGroup |
A group is removed from the workspace. | * targetGroupId* targetGroupName* endpoint |
accounts |
removePrincipalFromGroup |
A user is removed from a group. | * targetGroupId* endpoint* targetUserId* targetGroupName* targetUserName |
accounts |
revokeDbToken |
A user’s token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account. | * userId |
accounts |
setAdmin |
A user is granted account admin permissions. | * endpoint* targetUserName* targetUserId |
accounts |
tokenLogin |
A user logs into Databricks using a token. | * tokenId* user |
accounts |
updateIpAccessList |
An IP access list is changed. | * ipAccessListId* userId |
accounts |
updateUser |
A change is made to a user’s account. | * warehouse* targetUserName* targetUserId |
accounts |
validateEmail |
When a user validates their email after account creation. | * endpoint* targetUserName* targetUserId |
Clusters events
The following are cluster events logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
clusters |
changeClusterAcl |
A user changes the cluster ACL. | * shardName* aclPermissionSet* targetUserId* resourceId |
clusters |
create |
A user creates a cluster. | * cluster_log_conf* num_workers* enable_elastic_disk* driver_node_type_id* start_cluster* docker_image* ssh_public_keys* aws_attributes* acl_path_prefix* node_type_id* instance_pool_id* spark_env_vars* init_scripts* spark_version* cluster_source* autotermination_minutes* cluster_name* autoscale* custom_tags* cluster_creator* enable_local_disk_encryption* idempotency_token* spark_conf* organization_id* no_driver_daemon* user_id* virtual_cluster_size* apply_policy_default_values* data_security_mode |
clusters |
createResult |
Results from cluster creation. In conjunction with create. |
* clusterName* clusterState* clusterId* clusterWorkers* clusterOwnerUserId |
clusters |
delete |
A cluster is terminated. | * cluster_id |
clusters |
deleteResult |
Results from cluster termination. In conjunction with delete. |
* clusterName* clusterState* clusterId* clusterWorkers* clusterOwnerUserId |
clusters |
edit |
A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior. | * cluster_log_conf* num_workers* enable_elastic_disk* driver_node_type_id* start_cluster* docker_image* ssh_public_keys* aws_attributes* acl_path_prefix* node_type_id* instance_pool_id* spark_env_vars* init_scripts* spark_version* cluster_source* autotermination_minutes* cluster_name* autoscale* custom_tags* cluster_creator* enable_local_disk_encryption* idempotency_token* spark_conf* organization_id* no_driver_daemon* user_id* virtual_cluster_size* apply_policy_default_values* data_security_mode |
clusters |
permanentDelete |
A cluster is deleted from the UI. | * cluster_id |
clusters |
resize |
Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior. | * cluster_id* num_workers* autoscale |
clusters |
resizeResult |
Results from cluster resize. In conjunction with resize. |
* clusterName* clusterState* clusterId* clusterWorkers* clusterOwnerUserId |
clusters |
restart |
A user restarts a running cluster. | * cluster_id |
clusters |
restartResult |
Results from cluster restart. In conjunction with restart. |
* clusterName* clusterState* clusterId* clusterWorkers* clusterOwnerUserId |
clusters |
start |
A user starts a cluster. | * init_scripts_safe_mode* cluster_id |
clusters |
startResult |
Results from cluster start. In conjunction with start. |
* clusterName* clusterState* clusterId* clusterWorkers* clusterOwnerUserId |
Cluster libraries events
The following are clusterLibraries events logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
clusterLibraries |
installLibraries |
User installs a library on a cluster. | * cluster_id* libraries |
clusterLibraries |
uninstallLibraries |
User uninstalls a library on a cluster. | * cluster_id* libraries |
clusterLibraries |
installLibraryOnAllClusters |
A workspace admin schedules a library to install on all cluster. | * user* library |
clusterLibraries |
uninstallLibraryOnAllClusters |
A workspace admin removes a library from the list to install on all clusters. | * user* library |
Cluster policy events
The following are clusterPolicies events logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
clusterPolicies |
create |
A user created a cluster policy. | * name |
clusterPolicies |
edit |
A user edited a cluster policy. | * policy_id* name |
clusterPolicies |
delete |
A user deleted a cluster policy. | * policy_id |
clusterPolicies |
changeClusterPolicyAcl |
A workspace admin changes permissions for a cluster policy. | * shardName* targetUserId* resourceId* aclPermissionSet |
Dashboards events
The following are dashboards events logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
dashboards |
createDashboard |
A user creates a new Lakeview dashboard using the UI or API. | * dashboard_id |
dashboards |
updateDashboard |
A user makes an update to a Lakeview dashboard using the UI or API. | * dashboard_id |
dashboards |
cloneDashboard |
A user clones a Lakeview dashboard. | * source_dashboard_id* new_dashboard_id |
dashboards |
publishDashboard |
A user publishes a Lakeview dashboard with or without embedded credentials using the UI or API. | * dashboard_id* credentials_embedded* warehouse_id |
dashboards |
unpublishDashboard |
A user unpublishes a published Lakeview dashboard using the UI or API. | * dashboard_id |
dashboards |
trashDashboard |
A user moves a Lakeview dashboard to the trash using the UI or API. | * dashboard_id |
dashboards |
restoreDashboard |
A user restores a Lakeview dashboard from the trash. | * dashboard_id |
dashboards |
migrateDashboard |
A user migrates a DBSQL dashboard to a Lakeview dashboard. | * source_dashboard_id* new_dashboard_id |
dashboards |
createSchedule |
A user creates an email subscription schedule. | * dashboard_id* schedule_id |
dashboards |
updateSchedule |
A user makes an update to a Lakeview dashboard’s schedule. | * dashboard_id* schedule_id |
dashboards |
deleteSchedule |
A user deletes a Lakeview dashboard’s schedule. | * dashboard_id* schedule_id |
dashboards |
createSubscription |
A user subscribes an email destination to a Lakeview dashboard schedule. | * dashboard_id* schedule_id* schedule |
dashboards |
deleteSubscription |
A user deletes an email destination from a Lakeview dashboard schedule. | * dashboard_id* schedule_id |
Databricks SQL events
The following are databrickssql events logged at the workspace level.
Note
If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.
| Service | Action | Description | Request parameters |
|---|---|---|---|
databrickssql |
addDashboardWidget |
A widget is added to a dashboard. | * dashboardId* widgetId |
databrickssql |
cancelQueryExecution |
A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API. | * queryExecutionId |
databrickssql |
changeWarehouseAcls |
A warehouse manager updates permissions on a SQL warehouse. | * aclPermissionSet* resourceId* shardName* targetUserId |
databrickssql |
changePermissions |
A user updates permissions on an object. | * granteeAndPermission* objectId* objectType |
databrickssql |
cloneDashboard |
A user clones a dashboard. | * dashboardId |
databrickssql |
commandSubmit |
Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request. | * warehouseId* commandId* validation* commandText |
databrickssql |
commandFinish |
Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request. | * warehouseId* commandId |
databrickssql |
createAlert |
A user creates an alert. | * alertId |
databrickssql |
createNotificationDestination |
A workspace admin creates a notification destination. | * notificationDestinationId* notificationDestinationType |
databrickssql |
createDashboard |
A user creates a dashboard. | * dashboardId |
databrickssql |
createDataPreviewDashboard |
A user creates a data preview dashboard. | * dashboardId |
databrickssql |
createWarehouse |
A user with the cluster create entitlement creates a SQL warehouse. | * auto_resume* auto_stop_mins* channel* cluster_size* conf_pairs* custom_cluster_confs* enable_databricks_compute* enable_photon* enable_serverless_compute* instance_profile_arn* max_num_clusters* min_num_clusters* name* size* spot_instance_policy* tags* test_overrides |
databrickssql |
createQuery |
A user creates a query by saving a query draft. | * queryId |
databrickssql |
createQueryDraft |
A user creates a query draft. | * queryId |
databrickssql |
createQuerySnippet |
A user creates a query snippet. | * querySnippetId |
databrickssql |
createSampleDashboard |
A user creates a sample dashboard. | * sampleDashboardId |
databrickssql |
createVisualization |
A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. | * queryId* visualizationId |
databrickssql |
deleteAlert |
A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI. | * alertId |
databrickssql |
deleteNotificationDestination |
A workspace admin deletes a notification destination. | * notificationDestinationId |
databrickssql |
deleteDashboard |
A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI. | * dashboardId |
databrickssql |
deleteDashboardWidget |
A user deletes a dashboard widget. | * widgetId |
databrickssql |
deleteWarehouse |
A warehouse manager deletes a SQL warehouse. | * id |
databrickssql |
deleteQuery |
A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI. | * queryId |
databrickssql |
deleteQueryDraft |
A user deletes a query draft. | * queryId |
databrickssql |
deleteQuerySnippet |
A user deletes a query snippet. | * querySnippetId |
databrickssql |
deleteVisualization |
A user deletes a visualization from a query in the SQL Editor. | * visualizationId |
databrickssql |
downloadQueryResult |
A user downloads a query result from the SQL Editor. Excludes downloads from dashboards. | * fileType* queryId* queryResultId |
databrickssql |
editWarehouse |
A warehouse manager makes edits to a SQL warehouse. | * auto_stop_mins* channel* cluster_size* confs* enable_photon* enable_serverless_compute* id* instance_profile_arn* max_num_clusters* min_num_clusters* name* spot_instance_policy* tags |
databrickssql |
executeAdhocQuery |
Generated by one of the following: * A user runs a query draft in the SQL editor * A query is executed from a visualization aggregation * A user loads a dashboard and executes underlying queries |
* dataSourceId |
databrickssql |
executeSavedQuery |
A user runs a saved query. | * queryId |
databrickssql |
executeWidgetQuery |
Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include: * Refreshing a single panel * Refreshing an entire dashboard * Scheduled dashboard executions * Parameter or filter changes operating over more than 64,000 rows |
* widgetId |
databrickssql |
favoriteDashboard |
A user favorites a dashboard. | * dashboardId |
databrickssql |
favoriteQuery |
A user favorites a query. | * queryId |
databrickssql |
forkQuery |
A user clones a query. | * originalQueryId* queryId |
databrickssql |
listQueries |
A user opens the query listing page or calls the list query API. | * filter_by* include_metrics* max_results* page_token |
databrickssql |
moveDashboardToTrash |
A user moves a dashboard to the trash. | * dashboardId |
databrickssql |
moveQueryToTrash |
A user moves a query to the trash. | * queryId |
databrickssql |
muteAlert |
A user mutes an alert via the API. | * alertId |
databrickssql |
restoreDashboard |
A user restores a dashboard from the trash. | * dashboardId |
databrickssql |
restoreQuery |
A user restores a query from the trash. | * queryId |
databrickssql |
setWarehouseConfig |
A warehouse manager sets the configuration for a SQL warehouse. | * data_access_config* enable_serverless_compute* instance_profile_arn* security_policy* serverless_agreement* sql_configuration_parameters* try_create_databricks_managed_starter_warehouse |
databrickssql |
snapshotDashboard |
A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots. | * dashboardId |
databrickssql |
startWarehouse |
A SQL warehouse is started. | * id |
databrickssql |
stopWarehouse |
A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses. | * id |
databrickssql |
transferObjectOwnership |
A workspace admin transfers the ownership of a dashboard, query, or alert to an active user. | * newOwner* objectId* objectType |
databrickssql |
unfavoriteDashboard |
A user removes a dashboard from their favorites. | * dashboardId |
databrickssql |
unfavoriteQuery |
A user removes a query from their favorites. | * queryId |
databrickssql |
unmuteAlert |
A user unmutes an alert via the API | * alertId. |
databrickssql |
updateAlert |
A user makes updates to an alert. | * alertId* queryId |
databrickssql |
updateNotificationDestination |
A workspace admin makes an update to a notification destination. | * notificationDestinationId |
databrickssql |
updateDashboardWidget |
A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include: * Change to widget size or placement * Adding or removing widget parameters |
* widgetId |
databrickssql |
updateDashboard |
A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include: * Change in dashboard name * Change to the SQL warehouse * Change to Run As settings |
* dashboardId |
databrickssql |
updateOrganizationSetting |
A workspace admin makes updates to the workspace’s SQL settings. | * has_configured_data_access* has_explored_sql_warehouses* has_granted_permissions |
databrickssql |
updateQuery |
A user makes an update to a query. | * queryId |
databrickssql |
updateQueryDraft |
A user makes an update to a query draft. | * queryId |
databrickssql |
updateQuerySnippet |
A user makes an update to a query snippet. | * querySnippetId |
databrickssql |
updateVisualization |
A user updates a visualization from either the SQL Editor or the dashboard. | * visualizationId |
DBFS events
The following tables include dbfs events logged at the workspace level.
There are two types of DBFS events: API calls and operational events.
DBFS API events
The following DBFS audit events are only logged when written through the DBFS REST API.
| Service | Action | Description | Request parameters |
|---|---|---|---|
dbfs |
addBlock |
User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS. | * handle* data_length |
dbfs |
create |
User opens a stream to write a file to DBFs. | * path* bufferSize* overwrite |
dbfs |
delete |
User deletes the file or directory from DBFs. | * recursive* path |
dbfs |
mkdirs |
User creates a new DBFS directory. | * path |
dbfs |
move |
User moves a file from one location to another location within DBFs. | * dst* source_path* src* destination_path |
dbfs |
put |
User uploads a file through the use of multipart form post to DBFs. | * path* overwrite |
DBFS operational events
The following DBFS audit events occur at the compute plane.
| Service | Action | Description | Request parameters |
|---|---|---|---|
dbfs |
mount |
User creates a mount point at a certain DBFS location. | * mountPoint* owner |
dbfs |
unmount |
User removes a mount point at a certain DBFS location. | * mountPoint |
Delta pipelines events
| Service | Action | Description | Request parameters |
|---|---|---|---|
deltaPipelines |
changePipelineAcls |
A user changes permissions on a pipeline. | * shardId* targetUserId* resourceId* aclPermissionSet |
deltaPipelines |
create |
A user creates a Delta Live Tables pipeline. | * allow_duplicate_names* clusters* configuration* continuous* development* dry_run* id* libraries* name* storage* target* channel* edition* photon |
deltaPipelines |
delete |
A user deletes a Delta Live Tables pipeline. | * pipeline_id |
deltaPipelines |
edit |
A user edits a Delta Live Tables pipeline. | * allow_duplicate_names* clusters* configuration* continuous* development* expected_last_modified* id* libraries* name* pipeline_id* storage* target* channel* edition* photon |
deltaPipelines |
startUpdate |
A user restarts a Delta Live Tables pipeline. | * cause* full_refresh* job_task* pipeline_id |
deltaPipelines |
stop |
A user stops a Delta Live Tables pipeline. | * pipeline_id |
Feature store events
The following featureStore events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
featureStore |
addConsumer |
A consumer is added to the feature store. | * features* job_run* notebook |
featureStore |
addDataSources |
A data source is added to a feature table. | * feature_table* paths, tables |
featureStore |
addProducer |
A producer is added to a feature table. | * feature_table* job_run* notebook |
featureStore |
changeFeatureTableAcl |
Permissions are changed in a feature table. | * aclPermissionSet* resourceId* shardName* targetUserId |
featureStore |
createFeatureTable |
A feature table is created. | * description* name* partition_keys* primary_keys* timestamp_keys |
featureStore |
createFeatures |
Features are created in a feature table. | * feature_table* features |
featureStore |
deleteFeatureTable |
A feature table is deleted. | * name |
featureStore |
deleteTags |
Tags are deleted from a feature table. | * feature_table_id* keys |
featureStore |
getConsumers |
A user makes a call to get the consumers in a feature table. | * feature_table |
featureStore |
getFeatureTable |
A user makes a call to get feature tables. | * name |
featureStore |
getFeatureTablesById |
A user makes a call to get feature table IDs. | * ids |
featureStore |
getFeatures |
A user makes a call to get features. | * feature_table* max_results |
featureStore |
getModelServingMetadata |
A user makes a call to get Model Serving metadata. | * feature_table_features |
featureStore |
getOnlineStore |
A user makes a call to get online store details. | * cloud* feature_table* online_table* store_type |
featureStore |
getTags |
A user makes a call to get tags for a feature table. | * feature_table_id |
featureStore |
publishFeatureTable |
A feature table is published. | * cloud* feature_table* host* online_table* port* read_secret_prefix* store_type* write_secret_prefix |
featureStore |
searchFeatureTables |
A user searches for feature tables. | * max_results* page_token* text |
featureStore |
setTags |
Tags are added to a feature table. | * feature_table_id* tags |
featureStore |
updateFeatureTable |
A feature table is updated. | * description* name |
Files API events
The following filesystem events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
filesystem |
filesGet |
User downloads file. | * path* transferredSize |
filesystem |
filesPut |
User uploads file. | * path* receivedSize |
filesystem |
filesDelete |
User deletes file. | * path |
filesystem |
filesHead |
User gets information about file. | * path |
Genie events
The following genie events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
genie |
databricksAccess |
A Databricks personnel is authorized to access a customer environment. | * duration* approver* reason* authType* user |
Git credential events
The following gitCredentials events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
gitCredentials |
getGitCredential |
A user gets a git credentials. | * id |
gitCredentials |
listGitCredentials |
A user lists all git credentials | none |
gitCredentials |
deleteGitCredential |
A user deletes a git credential. | * id |
gitCredentials |
updateGitCredential |
A user updates a git credential. | * id* git_provider* git_username |
gitCredentials |
createGitCredential |
A user creates a git credential. | * git_provider* git_username |
Global init scripts events
The following globalInitScripts events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
globalInitScripts |
create |
A workspace admin creates a global initialization script. | * name* position* script-SHA256* enabled |
globalInitScripts |
update |
A workspace admin updates a global initialization script. | * script_id* name* position* script-SHA256* enabled |
globalInitScripts |
delete |
A workspace admin deletes a global initialization script. | * script_id |
Groups events
The following groups events are logged at the workspace level. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Account events and Account-level account events.
| Service | Action | Description | Request parameters |
|---|---|---|---|
groups |
addPrincipalToGroup |
An admin adds a user to a group. | * user_name* parent_name |
groups |
createGroup |
An admin creates a group. | * group_name |
groups |
getGroupMembers |
An admin views group members. | * group_name |
groups |
getGroups |
An admin views a list of groups | none |
groups |
getInheritedGroups |
An admin views inherited groups | none |
groups |
removeGroup |
An admin removes a group. | * group_name |
Ingestion events
The following ingestion event is logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
ingestion |
proxyFileUpload |
A user uploads a file to their Azure Databricks workspace. | * x-databricks-content-length-0* x-databricks-total-files |
Instance pool events
The following instancePools events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
instancePools |
changeInstancePoolAcl |
A user changes an instance pool’s permissions. | * shardName* resourceId* targetUserId* aclPermissionSet |
instancePools |
create |
A user creates an instance pool. | * enable_elastic_disk* preloaded_spark_versions* idle_instance_autotermination_minutes* instance_pool_name* node_type_id* custom_tags* max_capacity* min_idle_instances* aws_attributes |
instancePools |
delete |
A user deletes an instance pool. | * instance_pool_id |
instancePools |
edit |
A user edits an instance pool. | * instance_pool_name* idle_instance_autotermination_minutes* min_idle_instances* preloaded_spark_versions* max_capacity* enable_elastic_disk* node_type_id* instance_pool_id* aws_attributes |
Job events
The following jobs events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
jobs |
cancel |
A job run is cancelled. | * run_id |
jobs |
cancelAllRuns |
A user cancels all runs on a job. | * job_id |
jobs |
changeJobAcl |
A user updates permissions on a job. | * shardName* aclPermissionSet* resourceId* targetUserId |
jobs |
create |
A user creates a job. | * spark_jar_task* email_notifications* notebook_task* spark_submit_task* timeout_seconds* libraries* name* spark_python_task* job_type* new_cluster* existing_cluster_id* max_retries* schedule* run_as |
jobs |
delete |
A user deletes a job. | * job_id |
jobs |
deleteRun |
A user deletes a job run. | * run_id |
jobs |
getRunOutput |
A user makes an API call to get a run output. | * run_id* is_from_webapp |
jobs |
repairRun |
A user repairs a job run. | * run_id* latest_repair_id* rerun_tasks |
jobs |
reset |
A job is reset. | * job_id* new_settings |
jobs |
resetJobAcl |
A user requests the change of a job’s permissions. | * grants* job_id |
jobs |
runCommand |
Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook. | * jobId* runId* notebookId* executionTime* status* commandId* commandText |
jobs |
runFailed |
A job run fails. | * jobClusterType* jobTriggerType* jobId* jobTaskType* runId* jobTerminalState* idInJob* orgId* runCreatorUserName |
jobs |
runNow |
A user triggers an on-demand job run. | * notebook_params* job_id* jar_params* workflow_context |
jobs |
runStart |
Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include: * dashboardId (for a SQL dashboard task)* filePath (for a SQL file task)* notebookPath (for a notebook task)* mainClassName (for a Spark JAR task)* pythonFile (for a Spark JAR task)* projectDirectory (for a dbt task)* commands (for a dbt task)* packageName (for a Python wheel task)* entryPoint (for a Python wheel task)* pipelineId (for a pipeline task)* queryIds (for a SQL query task)* alertId (for a SQL alert task) |
* taskDependencies* multitaskParentRunId* orgId* idInJob* jobId* jobTerminalState* taskKey* jobTriggerType* jobTaskType* runId* runCreatorUserName |
jobs |
runSucceeded |
A job run is successful. | * idInJob* jobId* jobTriggerType* orgId* runId* jobClusterType* jobTaskType* jobTerminalState* runCreatorUserName |
jobs |
runTriggered |
A job schedule is triggered automatically according to its schedule or trigger. | * jobId* jobTriggeredType* runId |
jobs |
sendRunWebhook |
A webhook is sent either when the job begins, completes, or fails. | * orgId* jobId* jobWebhookId* jobWebhookEvent* runId |
jobs |
setTaskValue |
A user sets values for a task. | * run_id* key |
jobs |
submitRun |
A user submits a one-time run via the API. | * shell_command_task* run_name* spark_python_task* existing_cluster_id* notebook_task* timeout_seconds* libraries* new_cluster* spark_jar_task |
jobs |
update |
A user edits a job’s settings. | * job_id* fields_to_remove* new_settings* is_from_dlt |
Marketplace consumer events
The following marketplaceConsumer events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
marketplaceConsumer |
getDataProduct |
A user gets access to a data product through the Databricks Marketplace. | * listing_id* listing_name* share_name* catalog_name* request_context: Array of information about the account and metastore that got access to the data product |
marketplaceConsumer |
requestDataProduct |
A user requests access to a data product that requires provider approval. | * listing_id* listing_name* catalog_name* request_context: Array of information about the account and metastore requesting access to the data product |
Marketplace provider events
The following marketplaceProvider events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
marketplaceProvider |
createListing |
A metastore admin creates a listing in their provider profile. | * listing: Array of details about the listing* request_context: Array of information about the provider’s account and metastore |
marketplaceProvider |
updateListing |
A metastore admin makes an update to a listing in their provider profile. | * id* listing: Array of details about the listing* request_context: Array of information about the provider’s account and metastore |
marketplaceProvider |
deleteListing |
A metastore admin deletes a listing in their provider profile. | * id* request_context: Array of details about the provider’s account and metastore |
marketplaceProvider |
updateConsumerRequestStatus |
A metastore admins approves or denies a data product request. | * listing_id* request_id* status* reason* share: Array of information about the share* request_context: Array of information about the provider’s account and metastore |
marketplaceProvider |
createProviderProfile |
A metastore admin creates a provider profile. | * provider: Array of information about the provider* request_context: Array of information about the provider’s account and metastore |
marketplaceProvider |
updateProviderProfile |
A metastore admin makes an update to their provider profile. | * id* provider: Array of information about the provider* request_context: Array of information about the provider’s account and metastore |
marketplaceProvider |
deleteProviderProfile |
A metastore admin deletes their provider profile. | * id* request_context: Array of information about the provider’s account and metastore |
marketplaceProvider |
uploadFile |
A provider uploads a file to their provider profile. | * request_context: Array of information about the provider’s account and metastore* marketplace_file_type* display_name* mime_type* file_parent: Array of file parent details |
marketplaceProvider |
deleteFile |
A provider deletes a file from their provider profile. | * file_id* request_context: Array of information about the provider’s account and metastore |
MLflow artifacts with ACL events
The following mlflowAcledArtifact events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
mlflowAcledArtifact |
readArtifact |
A user makes call to read an artifact. | * artifactLocation* experimentId* runId |
mlflowAcledArtifact |
writeArtifact |
A user makes call to write to an artifact. | * artifactLocation* experimentId* runId |
MLflow experiment events
The following mlflowExperiment events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
mlflowExperiment |
createMlflowExperiment |
A user creates an MLflow experiment. | * experimentId* path* experimentName |
mlflowExperiment |
deleteMlflowExperiment |
A user deletes an MLflow experiment. | * experimentId* path* experimentName |
mlflowExperiment |
moveMlflowExperiment |
A user moves an MLflow experiment. | * newPath* experimentId* oldPath |
mlflowExperiment |
restoreMlflowExperiment |
A user restores an MLflow experiment. | * experimentId* path* experimentName |
mlflowExperiment |
renameMlflowExperiment |
A user renames an MLflow experiment. | * oldName* newName* experimentId* parentPath |
MLflow model registry events
The following mlflowModelRegistry events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
modelRegistry |
approveTransitionRequest |
A user approves a model version stage transition request. | * name* version* stage* archive_existing_versions |
modelRegistry |
changeRegisteredModelAcl |
A user updates permissions for a registered model. | * registeredModelId* userId |
modelRegistry |
createComment |
A user posts a comment on a model version. | * name* version |
modelRegistry |
createModelVersion |
A user creates a model version. | * name* source* run_id* tags* run_link |
modelRegistry |
createRegisteredModel |
A user creates a new registered model | * name* tags |
modelRegistry |
createRegistryWebhook |
User creates a webhook for Model Registry events. | * orgId* registeredModelId* events* description* status* creatorId* httpUrlSpec |
modelRegistry |
createTransitionRequest |
A user creates a model version stage transition request. | * name* version* stage |
modelRegistry |
deleteComment |
A user deletes a comment on a model version. | * id |
modelRegistry |
deleteModelVersion |
A user deletes a model version. | * name* version |
modelRegistry |
deleteModelVersionTag |
A user deletes a model version tag. | * name* version* key |
modelRegistry |
deleteRegisteredModel |
A user deletes a registered model | * name |
modelRegistry |
deleteRegisteredModelTag |
A user deletes the tag for a registered model. | * name* key |
modelRegistry |
deleteRegistryWebhook |
User deletes a Model Registry webhook. | * orgId* webhookId |
modelRegistry |
deleteTransitionRequest |
A user cancels a model version stage transition request. | * name* version* stage* creator |
modelRegistry |
finishCreateModelVersionAsync |
Completed asynchronous model copying. | * name* version |
modelRegistry |
generateBatchInferenceNotebook |
Batch inference notebook is autogenerated. | * userId* orgId* modelName* inputTableOpt* outputTablePathOpt* stageOrVersion* modelVersionEntityOpt* notebookPath |
modelRegistry |
generateDltInferenceNotebook |
Inference notebook for a Delta Live Tables pipeline is autogenerated. | * userId* orgId* modelName* inputTable* outputTable* stageOrVersion* notebookPath |
modelRegistry |
getModelVersionDownloadUri |
A user gets a URI to download the model version. | * name* version |
modelRegistry |
getModelVersionSignedDownloadUri |
A user gets a URI to download a signed model version. | * name* version* path |
modelRegistry |
listModelArtifacts |
A user makes a call to list a model’s artifacts. | * name* version* path* page_token |
modelRegistry |
listRegistryWebhooks |
A user makes a call to list all registry webhooks in the model. | * orgId* registeredModelId |
modelRegistry |
rejectTransitionRequest |
A user rejects a model version stage transition request. | * name* version* stage |
modelRegistry |
renameRegisteredModel |
A user renames a registered model | * name* new_name |
modelRegistry |
setEmailSubscriptionStatus |
A user updates the email subscription status for a registered model | |
modelRegistry |
setModelVersionTag |
A user sets a model version tag. | * name* version* key* value |
modelRegistry |
setRegisteredModelTag |
A user sets a model version tag. | * name* key* value |
modelRegistry |
setUserLevelEmailSubscriptionStatus |
A user updates their email notifications status for the whole registry. | * orgId* userId* subscriptionStatus |
modelRegistry |
testRegistryWebhook |
A user tests the Model Registry webhook. | * orgId* webhookId |
modelRegistry |
transitionModelVersionStage |
A user gets a list of all open stage transition requests for the model version. | * name* version* stage* archive_existing_versions |
modelRegistry |
triggerRegistryWebhook |
A Model Registry webhook is triggered by an event. | * orgId* registeredModelId* events* status |
modelRegistry |
updateComment |
A user post an edit to a comment on a model version. | * id |
modelRegistry |
updateRegistryWebhook |
A user updates a Model Registry webhook. | * orgId* webhookId |
Model serving events
The following serverlessRealTimeInference events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
serverlessRealTimeInference |
changeInferenceEndpointAcl |
User updates permissions for an inference endpoint. | * shardName* targetUserId* resourceId* aclPermissionSet |
serverlessRealTimeInference |
createServingEndpoint |
User creates a model serving endpoint. | * name* config |
serverlessRealTimeInference |
deleteServingEndpoint |
User deletes a model serving endpoint. | * name |
serverlessRealTimeInference |
disable |
User disables model serving for a registered model. | * registered_mode_name |
serverlessRealTimeInference |
enable |
User enables model serving for a registered model. | * registered_mode_name |
serverlessRealTimeInference |
getQuerySchemaPreview |
Users makes a call to get the query schema preview. | * endpoint_name |
serverlessRealTimeInference |
updateServingEndpoint |
User updates a model serving endpoint. | * name* served_models* traffic_config |
Notebook events
The following notebook events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
notebook |
attachNotebook |
A notebook is attached to a cluster. | * path* clusterId* notebookId |
notebook |
cloneNotebook |
A user clones a notebook. | * notebookId* path* clonedNotebookId* destinationPath |
notebook |
createNotebook |
A notebook is created. | * notebookId* path |
notebook |
deleteFolder |
A notebook folder is deleted. | * path |
notebook |
deleteNotebook |
A notebook is deleted. | * notebookId* notebookName* path |
notebook |
detachNotebook |
A notebook is detached from a cluster. | * notebookId* clusterId* path |
notebook |
downloadLargeResults |
A user downloads query results too large to display in the notebook. | * notebookId* notebookFullPath |
notebook |
downloadPreviewResults |
A user downloads the query results. | * notebookId* notebookFullPath |
notebook |
importNotebook |
A user imports a notebook. | * path |
notebook |
moveFolder |
A notebook folder is moved from one location to another. | * oldPath* newPath* folderId |
notebook |
moveNotebook |
A notebook is moved from one location to another. | * newPath* oldPath* notebookId |
notebook |
renameNotebook |
A notebook is renamed. | * newName* oldName* parentPath* notebookId |
notebook |
restoreFolder |
A deleted folder is restored. | * path |
notebook |
restoreNotebook |
A deleted notebook is restored. | * path* notebookId* notebookName |
notebook |
runCommand |
Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.executionTime is measured in seconds. |
* notebookId* executionTime* status* commandId* commandText* commandLanguage |
notebook |
takeNotebookSnapshot |
Notebook snapshots are taken when either the job service or mlflow is run. | * path |
Partner Connect events
The following partnerHub events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
partnerHub |
createOrReusePartnerConnection |
A workspace admin sets up a connection to a partner solution. | * partner_name |
partnerHub |
deletePartnerConnection |
A workspace admin deletes a partner connection. | * partner_name |
partnerHub |
downloadPartnerConnectionFile |
A workspace admin downloads the partner connection file. | * partner_name |
partnerHub |
setupResourcesForPartnerConnection |
A workspace admin sets up resources for a partner connection. | * partner_name |
Remote history service events
The following remoteHistoryService events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
remoteHistoryService |
addUserGitHubCredentials |
User adds Github Credentials | none |
remoteHistoryService |
deleteUserGitHubCredentials |
User removes Github Credentials | none |
remoteHistoryService |
updateUserGitHubCredentials |
User updates Github Credentials | none |
Git folder events
The following repos events are logged at the workspace level.
| Service | Action name | Description | Request parameters |
|---|---|---|---|
repos |
checkoutBranch |
A user checks out a branch on the repo. | * id* branch |
repos |
commitAndPush |
A user commits and pushes to a repo. | * id* message* files* checkSensitiveToken |
repos |
createRepo |
A user creates a repo in the workspace | * url* provider* path |
repos |
deleteRepo |
A user deletes a repo. | * id |
repos |
discard |
A user discards a commit to a repo. | * id* file_paths |
repos |
getRepo |
A user makes a call to get information about a single repo. | * id |
repos |
listRepos |
A user makes a call to get all repos they have Manage permissions on. | * path_prefix* next_page_token |
repos |
pull |
A user pulls the latest commits from a repo. | * id |
repos |
updateRepo |
A user updates the repo to a different branch or tag, or to the latest commit on the same branch. | * id* branch* tag* git_url* git_provider |
Secrets events
The following secrets events are logged at the workspace level.
| Service | Action name | Description | Request parameters |
|---|---|---|---|
secrets |
createScope |
User creates a secret scope. | * scope* initial_manage_principal* scope_backend_type |
secrets |
deleteAcl |
User deletes ACLs for a secret scope. | * scope* principal |
secrets |
deleteScope |
User deletes a secret scope. | * scope |
secrets |
deleteSecret |
User deletes a secret from a scope. | * key* scope |
secrets |
getAcl |
User gets ACLs for a secret scope. | * scope* principal |
secrets |
getSecret |
User gets a secret from a scope. | * key* scope |
secrets |
listAcls |
User makes a call to list ACLs for a secret scope. | * scope |
secrets |
listScopes |
User makes a call to list secret scopes | none |
secrets |
listSecrets |
User makes a call to list secrets within a scope. | * scope |
secrets |
putAcl |
User changes ACLs for a secret scope. | * scope* principal* permission |
secrets |
putSecret |
User adds or edits a secret within a scope. | * string_value* key* scope |
SQL table access events
Note
The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.
The following sqlPermissions events are logged at the workspace level.
| Service | Action name | Description | Request parameters |
|---|---|---|---|
sqlPermissions |
changeSecurableOwner |
Workspace admin or owner of an object transfers object ownership. | * securable* principal |
sqlPermissions |
createSecurable |
User creates a securable object. | * securable |
sqlPermissions |
denyPermission |
Object owner denies privileges on a securable object. | * permission |
sqlPermissions |
grantPermission |
Object owner grants permission on a securable object. | * permission |
sqlPermissions |
removeAllPermissions |
User drops a securable object. | * securable |
sqlPermissions |
renameSecurable |
User renames a securable object. | * before* after |
sqlPermissions |
requestPermissions |
User requests permissions on a securable object. | * requests |
sqlPermissions |
revokePermission |
Object owner revokes permissions on their securable object. | * permission |
sqlPermissions |
showPermissions |
User views securable object permissions. | * securable* principal |
SSH events
The following ssh events are logged at the workspace level.
| Service | Action name | Description | Request parameters |
|---|---|---|---|
ssh |
login |
Agent login of SSH into Spark driver. | * containerId* userName* port* publicKey* instanceId |
ssh |
logout |
Agent logout of SSH from Spark driver. | * userName* containerId* instanceId |
Web terminal events
The following webTerminal events are logged at the workspace level.
| Service | Action name | Description | Request parameters |
|---|---|---|---|
webTerminal |
startSession |
User starts a web terminal sessions. | * socketGUID* clusterId* serverPort* ProxyTargetURI |
webTerminal |
closeSession |
User closes a web terminal session. | * socketGUID* clusterId* serverPort* ProxyTargetURI |
Workspace events
The following workspace events are logged at the workspace level.
| Service | Action name | Description | Request parameters |
|---|---|---|---|
workspace |
changeWorkspaceAcl |
Permissions to the workspace are changed. | * shardName* targetUserId* aclPermissionSet* resourceId |
workspace |
deleteSetting |
A setting is deleted from the workspace. | * settingKeyTypeName* settingKeyName* settingTypeName* settingName |
workspace |
fileCreate |
User creates a file in the workspace. | * path |
workspace |
fileDelete |
User deletes a file in the workspace. | * path |
workspace |
fileEditorOpenEvent |
User opens the file editor. | * notebookId* path |
workspace |
getRoleAssignment |
User gets a workspace’s user roles. | * account_id* workspace_id |
workspace |
mintOAuthAuthorizationCode |
Recorded when in-house OAuth authorization code is minted at the workspace level. | * client_id |
workspace |
mintOAuthToken |
OAuth token is minted for workspace. | * grant_type* scope* expires_in* client_id |
workspace |
moveWorkspaceNode |
A workspace admin moves workspace node. | * destinationPath* path |
workspace |
purgeWorkspaceNodes |
A workspace admin purges workspace nodes. | * treestoreId |
workspace |
reattachHomeFolder |
An existing home folder is re-attached for a user that is re-added to the workspace. | * path |
workspace |
renameWorkspaceNode |
A workspace admin renames workspace nodes. | * path* destinationPath |
workspace |
unmarkHomeFolder |
Home folder special attributes are removed when a user is removed from the workspace. | * path |
workspace |
updateRoleAssignment |
A workspace admin updates a workspace user’s role. | * account_id* workspace_id* principal_id |
workspace |
setSetting |
A workspace admin configures a workspace setting. | * settingKeyTypeName* settingKeyName* settingTypeName* settingName* settingValueForAudit |
workspace |
workspaceConfEdit |
Workspace admin makes updates to a setting, for example enabling verbose audit logs. | * workspaceConfKeys* workspaceConfValues |
workspace |
workspaceExport |
User exports a notebook from a workspace. | * workspaceExportDirectDownload* workspaceExportFormat* notebookFullPath |
workspace |
workspaceInHouseOAuthClientAuthentication |
OAuth client is authenticated in workspace service. | * user |
Billable usage events
The following accountBillableUsage events are logged at the account level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
accountBillableUsage |
getAggregatedUsage |
User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature. | * account_id* window_size* start_time* end_time* meter_name* workspace_ids_filter |
accountBillableUsage |
getDetailedUsage |
User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature. | * account_id* start_month* end_month* with_pii |
Account-level account events
The following accounts events are logged at the account level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
accounts |
accountInHouseOAuthClientAuthentication |
An OAuth client is authenticated. | * endpoint |
accounts |
accountIpAclsValidationFailed |
IP permissions validation fails. Returns statusCode 403. | * sourceIpAddress* user: logged as an email address |
accounts |
activateUser |
A user is reactivated after being deactivated. See Deactivate users in account. | * targetUserName* endpoint* targetUserId |
accounts |
add |
A user is added to the Azure Databricks account. | * targetUserName* endpoint* targetUserId |
accounts |
addPrincipalToGroup |
A user is added to an account-level group. | * targetGroupId* endpoint* targetUserId* targetGroupName* targetUserName |
accounts |
addPrincipalsToGroup |
Users are added to an account-level group using SCIM provisioning. | * targetGroupId* endpoint* targetUserId* targetGroupName* targetUserName |
accounts |
createGroup |
An account-level group is created. | * endpoint* targetGroupId* targetGroupName |
accounts |
deactivateUser |
A user is deactivated. See Deactivate users in account. | * targetUserName* endpoint* targetUserId |
accounts |
delete |
A user is deleted from the Azure Databricks account. | * targetUserId* targetUserName* endpoint |
accounts |
deleteSetting |
Account admin removes a setting from the Azure Databricks account. | * settingKeyTypeName* settingKeyName* settingTypeName* settingName* settingValueForAudit |
accounts |
garbageCollectDbToken |
A user runs a garbage collect command on expired tokens. | * tokenExpirationTime* tokenClientId* userId* tokenCreationTime* tokenFirstAccessed |
accounts |
generateDbToken |
User generates a token from User Settings or when the service generates the token. | * tokenExpirationTime* tokenCreatedBy* tokenHash* userId |
accounts |
login |
A user logs into the account console. | * user |
accounts |
logout |
A user logs out of the account console. | * user |
accounts |
oidcBrowserLogin |
A user logs into their account with the OpenID Connect browser workflow. | * user |
accounts |
oidcTokenAuthorization |
An OIDC token is authenticated for an account admin login. | * user |
accounts |
removeAccountAdmin |
An account admin removes account admin permissions from another user. | * targetUserName* endpoint* targetUserId |
accounts |
removeGroup |
A group is removed from the account. | * targetGroupId* targetGroupName* endpoint |
accounts |
removePrincipalFromGroup |
A user is removed from an account-level group. | * targetGroupId* endpoint* targetUserId* targetGroupName* targetUserName |
accounts |
removePrincipalsFromGroup |
Users are removed from an account-level group using SCIM provisioning. | * targetGroupId* endpoint* targetUserId* targetGroupName* targetUserName |
accounts |
setAccountAdmin |
An account admin assigns the account admin role to another user. | * targetUserName* endpoint* targetUserId |
accounts |
setSetting |
An account admin updates an account-level setting. | * settingKeyTypeName* settingKeyName* settingTypeName* settingName* settingValueForAudit |
accounts |
tokenLogin |
A user logs into Databricks using a token. | * tokenId* user |
accounts |
updateUser |
An account admin updates a user account. | * targetUserName* endpoint* targetUserId |
accounts |
updateGroup |
An account admin updates an account-level group. | * endpoint* targetGroupId* targetGroupName |
accounts |
validateEmail |
When a user validates their email after account creation. | * endpoint* targetUserName* targetUserId |
Account-level access control events
The following accountsAccessControl event is logged at the account level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
accountsAccessControl |
updateRuleSet |
When a rule set is changed. | * account_id* name* rule_set |
Account management events
The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.
| Service | Action | Description | Request parameters |
|---|---|---|---|
accountsManager |
createNetworkConnectivityConfig |
Account admin created a network connectivity configuration. | * network_connectivity_config |
accountsManager |
getNetworkConnectivityConfig |
Account admin requests details about a network connectivity configuration. | * account_id* network_connectivity_config_id |
accountsManager |
listNetworkConnectivityConfigs |
Account admin lists all network connectivity configurations in the account. | * account_id |
accountsManager |
deleteNetworkConnectivityConfig |
Account admin deleted a network connectivity configuration. | * account_id* network_connectivity_config_id |
accountsManager |
createNetworkConnectivityConfigPrivateEndpointRule |
Account admin created a private endpoint rule. | * account_id* network_connectivity_config_id* azure_private_endpoint_rule |
accountsManager |
getNetworkConnectivityConfigPrivateEndpointRule |
Account admin requests details about a private endpoint rule. | * account_id* network_connectivity_config_id* rule_id |
accountsManager |
listNetworkConnectivityConfigPrivateEndpointRules |
Account admin lists all private endpoint rules under a network connectivity config. | * account_id* network_connectivity_config_id |
accountsManager |
deleteNetworkConnectivityConfigPrivateEndpointRule |
Account admin deleted a private endpoint rule. | * account_id* network_connectivity_config_id* rule_id |
accountsManager |
updateNetworkConnectivityConfigPrivateEndpointRule |
Account admin updated a private endpoint rule. | * account_id* network_connectivity_config_id* rule_id* azure_private_endpoint_rule |
Unity Catalog events
The following diagnostic events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog audit events can be logged at the workspace level or account level depending on the event.
| Service | Action | Description | Request parameters |
|---|---|---|---|
unityCatalog |
createMetastore |
Account admin creates a metastore. | * name* storage_root* workspace_id* metastore_id |
unityCatalog |
getMetastore |
Account admin requests metastore ID. | * id* workspace_id* metastore_id |
unityCatalog |
getMetastoreSummary |
Account admin requests details about a metastore. | * workspace_id* metastore_id |
unityCatalog |
listMetastores |
Account admin requests a list of all metastores in an account. | * workspace_id |
unityCatalog |
updateMetastore |
Account admin makes an update to a metastore. | * id* owner* workspace_id* metastore_id |
unityCatalog |
deleteMetastore |
Account admin deletes a metastore. | * id* force* workspace_id* metastore_id |
unityCatalog |
updateMetastoreAssignment |
Account admin makes an update to a metastore’s workspace assignment. | * workspace_id* metastore_id* default_catalog_name |
unityCatalog |
createExternalLocation |
Account admin creates an external location. | * name* skip_validation* url* credential_name* workspace_id* metastore_id |
unityCatalog |
getExternalLocation |
Account admin requests details about an external location. | * name_arg* include_browse* workspace_id* metastore_id |
unityCatalog |
listExternalLocations |
Account admin request list of all external locations in an account. | * url* max_results* workspace_id* metastore_id |
unityCatalog |
updateExternalLocation |
Account admin makes an update to an external location. | * name_arg* owner* workspace_id* metastore_id |
unityCatalog |
deleteExternalLocation |
Account admin deletes an external location. | * name_arg* force* workspace_id* metastore_id |
unityCatalog |
createCatalog |
User creates a catalog. | * name* comment* workspace_id* metastore_id |
unityCatalog |
deleteCatalog |
User deletes a catalog. | * name_arg* workspace_id* metastore_id |
unityCatalog |
getCatalog |
User requests details about a catalog. | * name_arg* dependent* workspace_id* metastore_id |
unityCatalog |
updateCatalog |
User updates a catalog. | * name_arg* isolation_mode* comment* workspace_id* metastore_id |
unityCatalog |
listCatalog |
User makes a call to list all catalogs in the metastore. | * name_arg* workspace_id* metastore_id |
unityCatalog |
createSchema |
User creates a schema. | * name* catalog_name* comment* workspace_id* metastore_id |
unityCatalog |
deleteSchema |
User deletes a schema. | * full_name_arg* force* workspace_id* metastore_id |
unityCatalog |
getSchema |
User requests details about a schema. | * full_name_arg* dependent* workspace_id* metastore_id |
unityCatalog |
listSchema |
User requests a list of all schemas in a catalog. | * catalog_name |
unityCatalog |
updateSchema |
User updates a schema. | * full_name_arg* name* workspace_id* metastore_id* comment |
unityCatalog |
createStagingTable |
* name* catalog_name* schema_name* workspace_id* metastore_id |
|
unityCatalog |
createTable |
User creates a table. The request parameters differ depending on the type of table created. | * name* data_source_format* catalog_name* schema_name* storage_location* columns* dry_run* table_type* view_dependencies* view_definition* sql_path* comment |
unityCatalog |
deleteTable |
User deletes a table. | * full_name_arg* workspace_id* metastore_id |
unityCatalog |
getTable |
User requests details about a table. | * include_delta_metadata* full_name_arg* dependent* workspace_id* metastore_id |
unityCatalog |
privilegedGetTable |
* full_name_arg |
|
unityCatalog |
listTables |
User makes a call to list all tables in a schema. | * catalog_name* schema_name* workspace_id* metastore_id* include_browse |
unityCatalog |
listTableSummaries |
User gets an array of summaries for tables for a schema and catalog within the metastore. | * catalog_name* schema_name_pattern* workspace_id* metastore_id |
unityCatalog |
updateTables |
User makes an update to a table. The request parameters displayed vary depending on the type of table updates made. | * full_name_arg* table_type* table_constraint_list* data_source_format* columns* dependent* row_filter* storage_location* sql_path* view_definition* view_dependencies* owner* comment* workspace_id* metastore_id |
unityCatalog |
createStorageCredential |
Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials. | * name* comment* workspace_id* metastore_id |
unityCatalog |
listStorageCredentials |
Account admin makes a call to list all storage credentials in the account. | * workspace_id* metastore_id |
unityCatalog |
getStorageCredential |
Account admin requests details about a storage credential. | * name_arg* workspace_id* metastore_id |
unityCatalog |
updateStorageCredential |
Account admin makes an update to a storage credential. | * name_arg* owner* workspace_id* metastore_id |
unityCatalog |
deleteStorageCredential |
Account admin deletes a storage credential. | * name_arg* workspace_id* metastore_id |
unityCatalog |
generateTemporaryTableCredential |
Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when. | * credential_id* credential_type* is_permissions_enforcing_client* table_full_name* operation* table_id* workspace_id* table_url* metastore_id |
unityCatalog |
generateTemporaryPathCredential |
Logged whenever a temporary credential is granted for a path. | * url* operation* make_path_only_parent* workspace_id* metastore_id |
unityCatalog |
getPermissions |
User makes a call to get permission details for a securable object. This call doesn’t return inherited permissions, only explicitly assigned permissions. | * securable_type* securable_full_name* workspace_id* metastore_id |
unityCatalog |
getEffectivePermissions |
User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions. | * securable_type* securable_full_name* workspace_id* metastore_id |
unityCatalog |
updatePermissions |
User updates permissions on a securable object. | * securable_type* changes* securable_full_name* workspace_id* metastore_id |
unityCatalog |
metadataSnapshot |
User queries the metadata from a previous table version. | * securables* include_delta_metadata* workspace_id* metastore_id |
unityCatalog |
metadataAndPermissionsSnapshot |
User queries the metadata and permissions from a previous table version. | * securables* include_delta_metadata* workspace_id* metastore_id |
unityCatalog |
updateMetadataSnapshot |
User updates the metadata from a previous table version. | * table_list_snapshots* schema_list_snapshots* workspace_id* metastore_id |
unityCatalog |
getForeignCredentials |
User makes a call to get details about a foreign key. | * securables* workspace_id* metastore_id |
unityCatalog |
getInformationSchema |
User makes a call to get details about a schema. | * table_name* page_token* required_column_names* row_set_type* required_column_names* workspace_id* metastore_id |
unityCatalog |
createConstraint |
User creates a constraint for a table. | * full_name_arg* constraint* workspace_id* metastore_id |
unityCatalog |
deleteConstraint |
User deletes a constraint for a table. | * full_name_arg* constraint* workspace_id* metastore_id |
unityCatalog |
createPipeline |
User creates a Unity Catalog pipeline. | * target_catalog_name* has_workspace_definition* id* workspace_id* metastore_id |
unityCatalog |
updatePipeline |
User updates a Unity Catalog pipeline. | * id_arg* definition_json* id* workspace_id* metastore_id |
unityCatalog |
getPipeline |
User requests details about a Unity Catalog pipeline. | * id* workspace_id* metastore_id |
unityCatalog |
deletePipeline |
User deletes a Unity Catalog pipeline. | * id* workspace_id* metastore_id |
unityCatalog |
deleteResourceFailure |
Resource fails to delete | none |
unityCatalog |
createVolume |
User creates a Unity Catalog volume. | * name* catalog_name* schema_name* volume_type* storage_location* owner* comment* workspace_id* metastore_id |
unityCatalog |
getVolume |
User makes a call to get information on a Unity Catalog volume. | * volume_full_name* workspace_id* metastore_id |
unityCatalog |
updateVolume |
User updates a Unity Catalog volume’s metadata with the ALTER VOLUME or COMMENT ON calls. |
* volume_full_name* name* owner* comment* workspace_id* metastore_id |
unityCatalog |
deleteVolume |
User deletes a Unity Catalog volume. | * volume_full_name* workspace_id* metastore_id |
unityCatalog |
listVolumes |
User makes a call to get a list of all Unity Catalog volumes in a schema. | * catalog_name* schema_name* workspace_id* metastore_id |
unityCatalog |
generateTemporaryVolumeCredential |
A temporary credential is generated when a user performs a read or write on a volume. You can use this event to determine who accessed a volume and when. | * volume_id* volume_full_name* operation* volume_storage_location* credential_id* credential_type* workspace_id* metastore_id |
unityCatalog |
getTagSecurableAssignments |
Tag assignments for a securable are fetched | * securable_type* securable_full_name* workspace_id* metastore_id |
unityCatalog |
getTagSubentityAssignments |
Tag assignments for a subentity are fetched | * securable_type* securable_full_name* workspace_id* metastore_id* subentity_name |
unityCatalog |
UpdateTagSecurableAssignments |
Tag assignments for a securable are updated | * securable_type* securable_full_name* workspace_id* metastore_id* changes |
unityCatalog |
UpdateTagSubentityAssignments |
Tag assignments for a subentity are updated | * securable_type* securable_full_name* workspace_id* metastore_id* subentity_name* changes |
unityCatalog |
createRegisteredModel |
User creates a Unity Catalog registered model. | * name* catalog_name* schema_name* owner* comment* workspace_id* metastore_id |
unityCatalog |
getRegisteredModel |
User makes a call to get information on a Unity Catalog registered model. | * full_name_arg* workspace_id* metastore_id |
unityCatalog |
updateRegisteredModel |
User updates a Unity Catalog registered model’s metadata. | * full_name_arg* name* owner* comment* workspace_id* metastore_id |
unityCatalog |
deleteRegisteredModel |
User deletes a Unity Catalog registered model. | * full_name_arg* workspace_id* metastore_id |
unityCatalog |
listRegisteredModels |
User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas. | * catalog_name* schema_name* max_results* page_token* workspace_id* metastore_id |
unityCatalog |
createModelVersion |
User creates a model version in Unity Catalog. | * catalog_name* schema_name* model_name* source* comment* workspace_id* metastore_id |
unityCatalog |
finalizeModelVersion |
User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows. | * full_name_arg* version_arg* workspace_id* metastore_id |
unityCatalog |
getModelVersion |
User makes a call to get details on a model version. | * full_name_arg* version_arg* workspace_id* metastore_id |
unityCatalog |
getModelVersionByAlias |
User makes a call to get details on a model version using the alias. | * full_name_arg* include_aliases* alias_arg* workspace_id* metastore_id |
unityCatalog |
updateModelVersion |
User updates a model version’s metadata. | * full_name_arg* version_arg* name* owner* comment* workspace_id* metastore_id |
unityCatalog |
deleteModelVersion |
User deletes a model version. | * full_name_arg* version_arg* workspace_id* metastore_id |
unityCatalog |
listModelVersions |
User makes a call to get a list of Unity Catalog model versions in a registered model. | * catalog_name* schema_name* model_name* max_results* page_token* workspace_id* metastore_id |
unityCatalog |
generateTemporaryModelVersionCredential |
A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when. | * full_name_arg* version_arg* operation* model_version_url* credential_id* credential_type* workspace_id* metastore_id |
unityCatalog |
setRegisteredModelAlias |
User sets an alias on a Unity Catalog registered model. | * full_name_arg* alias_arg* version |
unityCatalog |
deleteRegisteredModelAlias |
User deletes an alias on a Unity Catalog registered model. | * full_name_arg* alias_arg |
unityCatalog |
getModelVersionByAlias |
User gets a Unity Catalog model version by alias. | * full_name_arg* alias_arg |
unityCatalog |
createConnection |
A new foreign connection is created. | * name* connection_type* workspace_id* metastore_id |
unityCatalog |
deleteConnection |
A foreign connection is deleted. | * name_arg* workspace_id* metastore_id |
unityCatalog |
getConnection |
A foreign connection is retrieved. | * name_arg* workspace_id* metastore_id |
unityCatalog |
updateConnection |
A foreign connection is updated. | * name_arg* owner* workspace_id* metastore_id |
unityCatalog |
listConnections |
Foreign connections in a metastore are listed. | * workspace_id* metastore_id |
unityCatalog |
createFunction |
User creates a new function. | * function_info* workspace_id* metastore_id |
unityCatalog |
updateFunction |
User updates a function. | * full_name_arg* owner* workspace_id* metastore_id |
unityCatalog |
listFunctions |
User requests a list of all functions within a specific parent catalog or schema. | * catalog_name* schema_name* include_browse* workspace_id* metastore_id |
unityCatalog |
getFunction |
User requests a function from a parent catalog or schema. | * full_name_arg* workspace_id* metastore_id |
unityCatalog |
deleteFunction |
User requests a function from a parent catalog or schema. | * full_name_arg* workspace_id* metastore_id |
unityCatalog |
createShareMarketplaceListingLink |
* links_infos* metastore_id |
|
unityCatalog |
deleteShareMarketplaceListingLink |
* links_infos* metastore_id |
Delta Sharing events
Delta Sharing events are broken up into two sections: events recorded in the data provider’s account and events recorded in the data recipient’s account.
Delta Sharing provider events
The following audit log events are logged in the provider’s account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.
| Service | Action | Description | Request parameters |
|---|---|---|---|
unityCatalog |
deltaSharingListShares |
A data recipient requests a list of shares. | * options: The pagination options provided with this request.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingGetShare |
A data recipient requests details about a shares. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListSchemas |
A data recipient requests a list of shared schemas. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* options: The pagination options provided with this request.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListAllTables |
A data recipient requests a list of all shared tables. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListTables |
A data recipient requests a list of shared tables. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* options: The pagination options provided with this request.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingGetTableMetadata |
A data recipient requests a details about a table’s metadata. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* schema: The name of the schema.* name: The name of the table.* predicateHints: The predicates included in the query.* limitHints: The maximum number of rows to return.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingGetTableVersion |
A data recipient requests a details about a table version. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* schema: The name of the schema.* name: The name of the table.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingQueryTable |
Logged when a data recipient queries a shared table. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* schema: The name of the schema.* name: The name of the table.* predicateHints: The predicates included in the query.* limitHints: The maximum number of rows to return.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingQueryTableChanges |
Logged when a data recipient queries change data for a table. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* schema: The name of the schema.* name: The name of the table.* cdf_options: Change data feed options.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingQueriedTable |
Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing) |
* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingQueriedTableChanges |
Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing). |
* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListNotebookFiles |
A data recipient requests a list of shared notebook files. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingQueryNotebookFile |
A data recipient queries a shared notebook file. | * file_name: The name of the notebook file.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListFunctions |
A data recipient requests a list of functions in a parent schema. | * share: The name of the share.* schema: The name of the parent schema of the function.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListAllFunctions |
A data recipient requests a list of all shared functions. | * share: The name of the share.* schema: The name of the parent schema of the function.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListFunctionVersions |
A data recipient requests a list of function versions. | * share: The name of the share.* schema: The name of the parent schema of the function.* function: The name of the function.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListVolumes |
A data recipient requests a list of shared volumes in a schema. | * share: The name of the share.* schema: The parents schema of the volumes.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
deltaSharingListAllVolumes |
A data recipient requests all shared volumes. | * share: The name of the share.* recipient_name: Indicates the recipient executing the action.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
updateMetastore |
Provider updates their metastore. | * delta_sharing_scope: Values can be INTERNAL or INTERNAL_AND_EXTERNAL.* delta_sharing_recipient_token_lifetime_in_seconds: If present, indicates that the recipient token lifetime was updated. |
unityCatalog |
createRecipient |
Provider creates a data recipient. | * name: The name of the recipient.* comment: The comment for the recipient.* ip_access_list.allowed_ip_addresses: Recipient IP address allowlist. |
unityCatalog |
deleteRecipient |
Provider deletes a data recipient. | * name: The name of the recipient. |
unityCatalog |
getRecipient |
Provider requests details about a data recipient. | * name: The name of the recipient. |
unityCatalog |
listRecipients |
Provider requests a list of all their data recipients. | none |
unityCatalog |
rotateRecipientToken |
Provider rotates a recipient’s token. | * name: The name of the recipient.* comment: The comment given in the rotation command. |
unityCatalog |
updateRecipient |
Provider updates a data recipient’s attributes. | * name: The name of the recipient.* updates: A JSON representation of recipient attributes that were added or removed from the share. |
unityCatalog |
createShare |
Provider updates a data recipient’s attributes. | * name: The name of the share.* comment: The comment for the share. |
unityCatalog |
deleteShare |
Provider updates a data recipient’s attributes. | * name: The name of the share. |
unityCatalog |
getShare |
Provider requests details about a share. | * name: The name of the share.* include_shared_objects: Whether the share’s table names were included in the request. |
unityCatalog |
updateShare |
Provider adds or removes data assets from a share. | * name: The name of the share.* updates: A JSON representation of data assets that were added or removed from the share. Each item includes action (add or remove), name (the actual name of the table), shared_as (the name the asset was shared as, if different from the actual name), and partition_specification (if a partition specification was provided). |
unityCatalog |
listShares |
Provider requests a list of their shares. | none |
unityCatalog |
getSharePermissions |
Provider requests details on a share’s permissions. | * name: The name of the share. |
unityCatalog |
updateSharePermissions |
Provider updates a share’s permissions. | * name: The name of the share.* changes: A JSON representation of the updated permissions. Each change includes principal (the user or group to whom permission is granted or revoked), add (the list of permissions that were granted), and remove (the list of permissions that were revoked). |
unityCatalog |
getRecipientSharePermissions |
Provider requests details about a recipient’s share permissions. | * name: The name of the share. |
unityCatalog |
getActivationUrlInfo |
Provider requests details about activity on their activation link. | * recipient_name: The name of the recipient who opened the activation URL.* is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address. |
unityCatalog |
generateTemporaryVolumeCredential |
Temporary credential is generated for the recipient to access a shared volume. | * share_name: The name of the share through which the recipient requests.* share_id: The ID of the share.* share_owner: The owner of the share.* recipient_name: The name of the recipient who requests the credential.* recipient_id: The ID of the recipient.* volume_full_name: The full 3-level name of the volume.* volume_id: The ID of the volume.* volume_storage_location: The cloud path of the volume root.* operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported.* credential_id: The ID of the credential.* credential_type: The type of the credential. Value is always StorageCredential.* workspace_id: Value is always 0 when the request is for shared volumes. |
unityCatalog |
generateTemporaryTableCredential |
Temporary credential is generated for the recipient to access a shared table. | * share_name: The name of the share through which the recipient requests.* share_id: The ID of the share.* share_owner: The owner of the share.* recipient_name: The name of the recipient who requests the credential.* recipient_id: The ID of the recipient.* table_full_name: The full 3-level name of the table.* table_id: The ID of the table.* table_url: The cloud path of the table root.* operation: Either READ or READ_WRITE.* credential_id: The ID of the credential.* credential_type: The type of the credential. Value is always StorageCredential.* workspace_id: Value is always 0 when the request is for shared tables. |
Delta Sharing recipient events
The following events are logged in the data recipient’s account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:
recipient_name: The name of the recipient in the data provider’s system.metastore_id: The name of the metastore in the data provider’s system.sourceIPAddress: The IP address where the request originated.
| Service | Action | Description | Request parameters |
|---|---|---|---|
unityCatalog |
deltaSharingProxyGetTableVersion |
A data recipient requests a details on a shared table version. | * share: The name of the share.* schema: The name of the table’s parent schema.* name: The name of the table. |
unityCatalog |
deltaSharingProxyGetTableMetadata |
A data recipient requests a details on a shared table’s metadata. | * share: The name of the share.* schema: The name of the table’s parent schema.* name: The name of the table. |
unityCatalog |
deltaSharingProxyQueryTable |
A data recipient queries a shared table. | * share: The name of the share.* schema: The name of the table’s parent schema.* name: The name of the table.* limitHints: The maximum number of rows to return.* predicateHints: The predicates included in the query.* version: Table version, if change data feed is enabled. |
unityCatalog |
deltaSharingProxyQueryTableChanges |
A data recipient queries change data for a table. | * share: The name of the share.* schema: The name of the table’s parent schema.* name: The name of the table.* cdf_options: Change data feed options. |
unityCatalog |
createProvider |
A data recipient creates a provider object. | * name: The name of the provider.* comment: The comment for the provider. |
unityCatalog |
updateProvider |
A data recipient updates a provider object. | * name: The name of the provider.* updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner (new owner), and comment. |
unityCatalog |
deleteProvider |
A data recipient deletes a provider object. | * name: The name of the provider. |
unityCatalog |
getProvider |
A data recipient requests details about a provider object. | * name: The name of the provider. |
unityCatalog |
listProviders |
A data recipient requests a list of providers. | none |
unityCatalog |
activateProvider |
A data recipient activates a provider object. | * name: The name of the provider. |
unityCatalog |
listProviderShares |
A data recipient requests a list of a provider’s shares. | * name: The name of the provider. |
unityCatalog |
generateTemporaryVolumeCredential |
Temporary credential is generated for the recipient to access a shared volume. | * share_name: The name of the share through which the recipient requests.* volume_full_name: The full 3-level name of the volume.* volume_id: The ID of the volume.* operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported.* workspace_id: The ID of the workspace that receives the user request. |
unityCatalog |
generateTemporaryTableCredential |
Temporary credential is generated for the recipient to access a shared table. | * share_name: The name of the share through which the recipient requests.* table_full_name: The full 3-level name of the table.* table_id: The ID of the table.* operation: Either READ or READ_WRITE.* workspace_id: The ID of the workspace that receives the user request. |
Additional security monitoring events
For Azure Databricks compute resources in the classic compute plane, such as VMs for clusters and pro or classic SQL warehouses, the following features enable additional monitoring agents:
- Enhanced security monitoring
- Compliance security profile. The compliance security profile is required for the compliance controls for PCI-DSS.
File integrity monitoring events
The following capsule8-alerts-dataplane events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
capsule8-alerts-dataplane |
Heartbeat |
A regular event to confirm the monitor is on. Currently runs every 10 minutes. | * instanceId |
capsule8-alerts-dataplane |
Memory Marked Executable |
Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers. | * instanceId |
capsule8-alerts-dataplane |
File Integrity Monitor |
Monitors the integrity of important system files. Alerts on any unauthorized changes to those files. Databricks defines specific sets of system paths on the image, and this set of paths might change over time. | * instanceId |
capsule8-alerts-dataplane |
Systemd Unit File Modified |
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl. |
* instanceId |
capsule8-alerts-dataplane |
Repeated Program Crashes |
Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault. | * instanceId |
capsule8-alerts-dataplane |
Userfaultfd Usage |
As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container. | * instanceId |
capsule8-alerts-dataplane |
New File Executed in Container |
Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers. | * instanceId |
capsule8-alerts-dataplane |
Suspicious Interactive Shell |
Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells. | * instanceId |
capsule8-alerts-dataplane |
User Command Logging Evasion |
Evading command logging is common practice for attackers, but might also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging. | * instanceId |
capsule8-alerts-dataplane |
BPF Program Executed |
Detects some types of kernel backdoors. The loading of a new Berkeley Packet Filter (BPF) program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Kernel Module Loaded |
Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Suspicious Program Name Executed-Space After File |
Attackers might create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name. | * instanceId |
capsule8-alerts-dataplane |
Illegal Elevation Of Privileges |
Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means. This can issue false positive alerts on nodes with significant workloads. | * instanceId |
capsule8-alerts-dataplane |
Kernel Exploit |
Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to user space. | * instanceId |
capsule8-alerts-dataplane |
Processor-Level Protections Disabled |
SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration. | * instanceId |
capsule8-alerts-dataplane |
Container Escape via Kernel Exploitation |
Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access. | * instanceId |
capsule8-alerts-dataplane |
Privileged Container Launched |
Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn’t a known privileged image such as kube-proxy. This can issue unwanted alerts for legitimate privileged containers. | * instanceId |
capsule8-alerts-dataplane |
Userland Container Escape |
Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container. | * instanceId |
capsule8-alerts-dataplane |
AppArmor Disabled In Kernel |
Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts. | * instanceId |
capsule8-alerts-dataplane |
AppArmor Profile Modified |
Attackers might attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session. | * instanceId |
capsule8-alerts-dataplane |
Boot Files Modified |
If not performed by a trusted source (such as a package manager or configuration management tool), modification of boot files could indicate an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration. |
* instanceId |
capsule8-alerts-dataplane |
Log Files Deleted |
Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files. | * instanceId |
capsule8-alerts-dataplane |
New File Executed |
Newly created files from sources other than system update programs might be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs. | * instanceId |
capsule8-alerts-dataplane |
Root Certificate Store Modified |
Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed. | * instanceId |
capsule8-alerts-dataplane |
Setuid/Setgid Bit Set On File |
Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls. |
* instanceId |
capsule8-alerts-dataplane |
Hidden File Created |
Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Modification Of Common System Utilities |
Attackers might modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process. | * instanceId |
capsule8-alerts-dataplane |
Network Service Scanner Executed |
An attacker or rogue user might use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed. | * instanceId |
capsule8-alerts-dataplane |
Network Service Created |
Attackers might start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Network Sniffing Program Executed |
An attacker or rogue user might execute network sniffing commands to capture credentials, personally-identifiable information (PII), or other sensitive information. Alerts when a program is executed that allows network capture. | * instanceId |
capsule8-alerts-dataplane |
Remote File Copy Detected |
Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Unusual Outbound Connection Detected |
Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Data Archived Via Program |
After gaining access to a system, an attacker might create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Process Injection |
Use of process injection techniques commonly indicates that a user is debugging a program, but might also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process. |
* instanceId |
capsule8-alerts-dataplane |
Account Enumeration Via Program |
Attackers often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
File and Directory Discovery Via Program |
Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Network Configuration Enumeration Via Program |
Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Process Enumeration Via Program |
Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
System Information Enumeration Via Program |
Attackers commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident. | * instanceId |
capsule8-alerts-dataplane |
Scheduled Tasks Modified Via Program |
Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the crontab, at, or batch commands are used to modify scheduled task configurations. |
* instanceId |
capsule8-alerts-dataplane |
Systemctl Usage Detected |
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units. |
* instanceId |
capsule8-alerts-dataplane |
User Execution Of su Command |
Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the su command is executed. |
* instanceId |
capsule8-alerts-dataplane |
User Execution Of sudo Command |
Alerts when the sudo command is executed. |
* instanceId |
capsule8-alerts-dataplane |
User Command History Cleared |
Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted. | * instanceId |
capsule8-alerts-dataplane |
New System User Added |
An attacker might add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file /etc/passwd, if the entity is not added by a system update program. |
* instanceId |
capsule8-alerts-dataplane |
Password Database Modification |
Attackers might directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information. | * instanceId |
capsule8-alerts-dataplane |
SSH Authorized Keys Modification |
Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user’s SSH authorized_keys file is observed, if the program is already part of an ongoing incident. |
* instanceId |
capsule8-alerts-dataplane |
User Account Created Via CLI |
Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager. | * instanceId |
capsule8-alerts-dataplane |
User Configuration Changes |
Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted. | * instanceId |
capsule8-alerts-dataplane |
New System User Added |
User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when .bash_profile and bashrc (as well as related files) are modified by a program other than a system update tool. |
* instanceId |
Antivirus monitoring events
Note
The response JSON object in these audit logs always has a result field that includes one line of the original scan result. Each scan result is represented typically by multiple audit log records, one for each line of the original scan output. For details of what could appear in this file, see the following third-party documentation.
The following clamAVScanService-dataplane event is logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
clamAVScanService-dataplane |
clamAVScanAction |
The antivirus monitoring performs a scan. A log will generate for each line of the original scan output. | * instanceId |
System log events
Note
The response JSON object in the audit log has a result field that includes the original system log content.
The following syslog event is logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
syslog |
processEvent |
The system log processes an event. | * instanceId* processName |
Process monitor log events
The following monit events are logged at the workspace level.
| Service | Action | Description | Request parameters |
|---|---|---|---|
monit |
processNotRunning |
The monitor is not running. | * instanceId* processName |
monit |
processRestarting |
The monitor is restarting. | * instanceId* processName |
monit |
processStarted |
The monitor started. | * instanceId* processName |
monit |
processRunning |
The monitor is running. | * instanceId* processName |
Deprecated log events
Databricks has deprecated the following diagnostic events:
createAlertDestination(nowcreateNotificationDestination)deleteAlertDestination(nowdeleteNotificationDestination)updateAlertDestination(nowupdateNotificationDestination)
SQL endpoint logs
If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.
The SQL endpoint events are:
changeEndpointAclscreateEndpointeditEndpointstartEndpointstopEndpointdeleteEndpointsetEndpointConfig
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for