Audit log reference

Note

This feature requires the Premium plan or above.

This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the audit logs, your enterprise can monitor detailed Databricks usage patterns in your account.

The easiest way to access and query your account’s audit logs is by using system tables (Public Preview).

If you’d like to configure a regular log delivery, see Configure audit log delivery.

Audit log services

The following services and their events are logged by default in audit logs.

Workspace-level services

Workspace-level audit logs are available for these services:

Service name	Description
accounts	Events related to accounts, users, groups, and IP access lists.
clusterPolicies	Events related to cluster policies.
clusters	Events related to clusters.
dashboards	Events related to AI/BI dashboard use.
databrickssql	Events related to Databricks SQL use.
dataMonitoring	Events related to Lakehouse Monitoring.
dbfs	Events related to DBFS.
deltaPipelines	Events related to Delta Live Table pipelines.
featureStore	Events related to the Databricks Feature Store.
filesystem	Events related to the Files API.
genie	Events related to workspace access by support personnel.
gitCredentials	Events related to Git credentials for Databricks Git folders. See also repos.
globalInitScripts	Events related to global init scripts.
groups	Events related to account and workspace groups.
iamRole	Events related to IAM role permissions.
ingestion	Events related to file uploads.
instancePools	Events related to pools.
jobs	Events related to jobs.
marketplaceConsumer	Events related to consumer actions in Databricks Marketplace.
marketplaceProvider	Events related to provider actions in Databricks Marketplace.
mlflowAcledArtifact	Events related to ML Flow artifacts with ACLs.
mlflowExperiment	Events related to ML Flow experiments.
modelRegistry	Events related to the workspace model registry. For activity logs for models in Unity Catalog, see Unity Catalog events.
notebook	Events related to notebooks.
partnerConnect	Events related to Partner Connect.
predictiveOptimization	Events related to predictive optimization.
remoteHistoryService	Events related to adding a removing GitHub Credentials.
repos	Events related to Databricks Git folders. See also gitCredentials.
secrets	Events related to secrets.
serverlessRealTimeInference	Events related to model serving.
sqlPermissions	Events related to the legacy Hive metastore table access control.
ssh	Events related to SSH access.
vectorSearch	Events related to Mosaic AI Vector Search.
webTerminal	Events related to the web terminal feature.
workspace	Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name	Description
accountBillableUsage	Actions related to billable usage access in the account console.
accounts	Actions related to account-level access and identity management.
accountsAccessControl	Actions related to account-level access control rules.
accountsManager	Actions performed in the account console.
budgetPolicyCentral	Actions related to managing budget policies.
logDelivery	Log delivery configuration for such as billable usage or audit logs.
oauth2	Actions related to OAuth SSO authentication to the account console.
servicePrincipalCredentials	Actions related to service principal credentials.
ssoConfigBackend	Single sign-on settings for the account.
unityCatalog	Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events.

Additional security monitoring services

There are additional services and associated actions for workspaces that use the compliance security profile (required for some compliance standards such as FedRAMP, PCI, and HIPAA) or Enhanced security monitoring.

These are workspace-level services that will only generate in your logs if you are using the compliance security profile or enhanced security monitoring:

Service name	Description
capsule8-alerts-dataplane	Actions related to file integrity monitoring.
clamAVScanService-dataplane	Actions related to antivirus monitoring.
monit	Actions related to the process monitor.
syslog	Actions related to the system logs.

Audit log example schema

In Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following example is for a createMetastoreAssignment event.

  {
    "version":"2.0",
    "auditLevel":"ACCOUNT_LEVEL",
    "timestamp":1629775584891,
    "orgId":"3049056262456431186970",
    "shardName":"test-shard",
    "accountId":"77636e6d-ac57-484f-9302-f7922285b9a5",
    "sourceIPAddress":"10.2.91.100",
    "userAgent":"curl/7.64.1",
    "sessionId":"f836a03a-d360-4792-b081-baba525324312",
    "userIdentity":{
      "email":"crampton.rods@email.com",
      "subjectName":null
    },
    "serviceName":"unityCatalog",
    "actionName":"createMetastoreAssignment",
    "requestId":"ServiceMain-da7fa5878f40002",
    "requestParams":{
      "workspace_id":"30490590956351435170",
      "metastore_id":"abc123456-8398-4c25-91bb-b000b08739c7",
      "default_catalog_name":"main"
    },
    "response":{
      "statusCode":200,
      "errorMessage":null,
      "result":null
    },
    "MAX_LOG_MESSAGE_LENGTH":16384
  }

Audit log schema considerations

• If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.

• Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.

• The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service	Action	Description	Request parameters
accounts	activateUser	A user is reactivated after being deactivated. See Deactivate users in workspace.	targetUserName endpoint targetUserId
accounts	add	A user is added to a Databricks workspace.	targetUserName endpoint targetUserId
accounts	addPrincipalToGroup	A user is added to a workspace-level group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	addX509	A user account is added using an X509 certificate for authentication
accounts	certLogin	A user logs in to Databricks using X509 certification.	user
accounts	changeDatabricksSqlAcl	A user’s Databricks SQL permissions are changed.	shardName targetUserId resourceId aclPermissionSet
accounts	changeDatabricksWorkspaceAcl	Permissions to a workspace are changed.	shardName targetUserId resourceId aclPermissionSet
accounts	changeDbTokenAcl	When permissions on a token are changed.	shardName targetUserId resourceId aclPermissionSet
accounts	changePassword	A user’s password is changed.	newPasswordSource targetUserId serviceSource wasPasswordChanged userId
accounts	changePasswordAcl	Password changing permissions are changed in the account.	shardName targetUserId resourceId aclPermissionSet
accounts	changeServicePrincipalAcls	When a service principal’s permissions are changed.	shardName targetServicePrincipal resourceId aclPermissionSet
accounts	createGroup	A workspace-level group is created.	endpoint targetGroupId targetGroupName
accounts	createIpAccessList	An IP access list is added to the workspace.	ipAccessListId userId
accounts	deactivateUser	A user is deactivated in the workspace. See Deactivate users in workspace.	targetUserName endpoint targetUserId
accounts	delete	A user is deleted from the Databricks workspace.	targetUserId targetUserName endpoint
accounts	deleteIpAccessList	An IP access list is deleted from the workspace.	ipAccessListId userId
accounts	garbageCollectDbToken	A user runs a garbage collect command on expired tokens.	tokenExpirationTime tokenClientId userId tokenCreationTime tokenFirstAccessed
accounts	generateDbToken	When someone generates a token from User Settings or when the service generates the token.	tokenExpirationTime tokenCreatedBy tokenHash userId
accounts	IpAccessDenied	A user attempts to connect to the service through a denied IP.	path user
accounts	ipAccessListQuotaExceeded		userId
accounts	jwtLogin	User logs into Databricks using a JWT.	user
accounts	login	User logs into the workspace.	user
accounts	logout	User logs out of the workspace.	user
accounts	mfaAddKey	User registers a new security key.
accounts	mfaDeleteKey	User deletes a security key.	id
accounts	mfaLogin	User logs into Databricks using MFA.	user
accounts	oidcTokenAuthorization	When an API call is authorized through a generic OIDC/OAuth token.	user
accounts	passwordVerifyAuthentication		user
accounts	reachMaxQuotaDbToken	When the current number of non-expired tokens exceeds the token quota
accounts	removeAdmin	A user is revoked of workspace admin permissions.	targetUserName endpoint targetUserId
accounts	removeGroup	A group is removed from the workspace.	targetGroupId targetGroupName endpoint
accounts	removePrincipalFromGroup	A user is removed from a group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	resetPassword	A user’s password is reset.	serviceSource userId endpoint targetUserId targetUserName wasPasswordChanged newPasswordSource
accounts	revokeDbToken	A user’s token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account.	userId
accounts	samlLogin	User logs in to Databricks through SAML SSO.	user
accounts	setAdmin	A user is granted account admin permissions.	endpoint targetUserName targetUserId
accounts	tokenLogin	A user logs into Databricks using a token.	tokenId user
accounts	updateIpAccessList	An IP access list is changed.	ipAccessListId userId
accounts	updateUser	An account admin updates a user’s account.	targetUserName endpoint targetUserId
accounts	validateEmail	When a user validates their email after account creation.	endpoint targetUserName targetUserId

Clusters events

The following are cluster events logged at the workspace level.

Service	Action	Description	Request parameters
clusters	changeClusterAcl	A user changes the cluster ACL.	shardName aclPermissionSet targetUserId resourceId
clusters	create	A user creates a cluster.	cluster_log_conf num_workers enable_elastic_disk driver_node_type_id start_cluster docker_image ssh_public_keys aws_attributes acl_path_prefix node_type_id instance_pool_id spark_env_vars init_scripts spark_version cluster_source autotermination_minutes cluster_name autoscale custom_tags cluster_creator enable_local_disk_encryption idempotency_token spark_conf organization_id no_driver_daemon user_id virtual_cluster_size apply_policy_default_values data_security_mode runtime_engine
clusters	createResult	Results from cluster creation. In conjunction with create.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	delete	A cluster is terminated.	cluster_id
clusters	deleteResult	Results from cluster termination. In conjunction with delete.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	edit	A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior.	cluster_log_conf num_workers enable_elastic_disk driver_node_type_id start_cluster docker_image ssh_public_keys aws_attributes acl_path_prefix node_type_id instance_pool_id spark_env_vars init_scripts spark_version cluster_source autotermination_minutes cluster_name autoscale custom_tags cluster_creator enable_local_disk_encryption idempotency_token spark_conf organization_id no_driver_daemon user_id virtual_cluster_size apply_policy_default_values data_security_mode runtime_engine
clusters	permanentDelete	A cluster is deleted from the UI.	cluster_id
clusters	resize	Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.	cluster_id num_workers autoscale
clusters	resizeResult	Results from cluster resize. In conjunction with resize.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	restart	A user restarts a running cluster.	cluster_id
clusters	restartResult	Results from cluster restart. In conjunction with restart.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId
clusters	start	A user starts a cluster.	init_scripts_safe_mode cluster_id
clusters	startResult	Results from cluster start. In conjunction with start.	clusterName clusterState clusterId clusterWorkers clusterOwnerUserId

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service	Action	Description	Request parameters
clusterLibraries	installLibraries	User installs a library on a cluster.	cluster_id libraries
clusterLibraries	uninstallLibraries	User uninstalls a library on a cluster.	cluster_id libraries
clusterLibraries	installLibraryOnAllClusters	A workspace admin schedules a library to install on all cluster.	user library
clusterLibraries	uninstallLibraryOnAllClusters	A workspace admin removes a library from the list to install on all clusters.	user library

Cluster policy events

The following are clusterPolicies events logged at the workspace level.

Service	Action	Description	Request parameters
clusterPolicies	create	A user created a cluster policy.	name
clusterPolicies	edit	A user edited a cluster policy.	policy_id name
clusterPolicies	delete	A user deleted a cluster policy.	policy_id
clusterPolicies	changeClusterPolicyAcl	A workspace admin changes permissions for a cluster policy.	shardName targetUserId resourceId aclPermissionSet

Dashboards events

The following are dashboards events logged at the workspace level.

Service	Action	Description	Request parameters
dashboards	getDashboard	A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard.	dashboard_id
dashboards	getPublishedDashboard	A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email.	dashboard_id credentials_embedded
dashboards	executeQuery	A user executes a query from a dashboard.	dashboard_id statement_id
dashboards	cancelQuery	A user cancels a query from a dashboard.	dashboard_id statement_id
dashboards	getQueryResult	A user receives the results of a query from a dashboard.	dashboard_id statement_id
dashboards	sendDashboardSnapshot	A PDF snapshot of a dashboard is sent through a scheduled email. The request parameters values depend on the type of recipient. For a Databricks notification destination, only the destination_id is shown. For a Databricks user, the subscriber’s user ID and email address are shown. If the recipient is an email address, only the email address is shown.	dashboard_id subscriber_destination_id subscriber_user_details: { user_id, email_address }
dashboards	getDashboardDetails	A user accesses details of a draft dashboard, such as datasets and widgets. getDashboardDetails is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API.	dashboard_id
dashboards	createDashboard	A user creates a new AI/BI dashboard using the UI or API.	dashboard_id
dashboards	updateDashboard	A user makes an update to an AI/BI dashboard using the UI or API.	dashboard_id
dashboards	cloneDashboard	A user clones an AI/BI dashboard.	source_dashboard_id new_dashboard_id
dashboards	publishDashboard	A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API.	dashboard_id credentials_embedded warehouse_id
dashboards	unpublishDashboard	A user unpublishes a published AI/BI dashboard using the UI or API.	dashboard_id
dashboards	trashDashboard	A user moves an AI/BI dashboard to the trash using the UI or API.	dashboard_id
dashboards	restoreDashboard	A user restores an AI/BI dashboard from the trash.	dashboard_id
dashboards	migrateDashboard	A user migrates a DBSQL dashboard to an AI/BI dashboard.	source_dashboard_id new_dashboard_id
dashboards	createSchedule	A user creates an email subscription schedule.	dashboard_id schedule_id
dashboards	updateSchedule	A user makes an update to an AI/BI dashboard’s schedule.	dashboard_id schedule_id
dashboards	deleteSchedule	A user deletes an AI/BI dashboard’s schedule.	dashboard_id schedule_id
dashboards	createSubscription	A user subscribes an email destination to an AI/BI dashboard schedule.	dashboard_id schedule_id schedule
dashboards	deleteSubscription	A user deletes an email destination from an AI/BI dashboard schedule.	dashboard_id schedule_id

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service	Action	Description	Request parameters
databrickssql	addDashboardWidget	A widget is added to a dashboard.	dashboardId widgetId
databrickssql	cancelQueryExecution	A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.	queryExecutionId
databrickssql	changeWarehouseAcls	A warehouse manager updates permissions on a SQL warehouse.	aclPermissionSet resourceId shardName targetUserId
databrickssql	changePermissions	A user updates permissions on an object.	granteeAndPermission objectId objectType
databrickssql	cloneDashboard	A user clones a dashboard.	dashboardId
databrickssql	commandSubmit	Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.	warehouseId commandId validation commandText
databrickssql	commandFinish	Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.	warehouseId commandId
databrickssql	createAlert	A user creates an alert.	alertId
databrickssql	createNotificationDestination	A workspace admin creates a notification destination.	notificationDestinationId notificationDestinationType
databrickssql	createDashboard	A user creates a dashboard.	dashboardId
databrickssql	createDataPreviewDashboard	A user creates a data preview dashboard.	dashboardId
databrickssql	createWarehouse	A user with the cluster create entitlement creates a SQL warehouse.	auto_resume auto_stop_mins channel cluster_size conf_pairs custom_cluster_confs enable_databricks_compute enable_photon enable_serverless_compute instance_profile_arn max_num_clusters min_num_clusters name size spot_instance_policy tags test_overrides
databrickssql	createQuery	A user creates a new query.	queryId
databrickssql	createQueryDraft	A user creates a query draft.	queryId
databrickssql	createQuerySnippet	A user creates a query snippet.	querySnippetId
databrickssql	createSampleDashboard	A user creates a sample dashboard.	sampleDashboardId
databrickssql	createVisualization	A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses.	queryId visualizationId
databrickssql	deleteAlert	A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI.	alertId
databrickssql	deleteNotificationDestination	A workspace admin deletes a notification destination.	notificationDestinationId
databrickssql	deleteDashboard	A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI.	dashboardId
databrickssql	deleteDashboardWidget	A user deletes a dashboard widget.	widgetId
databrickssql	deleteWarehouse	A warehouse manager deletes a SQL warehouse.	id
databrickssql	deleteQuery	A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.	queryId
databrickssql	deleteQueryDraft	A user deletes a query draft.	queryId
databrickssql	deleteQuerySnippet	A user deletes a query snippet.	querySnippetId
databrickssql	deleteVisualization	A user deletes a visualization from a query in the SQL Editor.	visualizationId
databrickssql	downloadQueryResult	A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.	fileType queryId queryResultId credentialsEmbedded credentialsEmbeddedId
databrickssql	editWarehouse	A warehouse manager makes edits to a SQL warehouse.	auto_stop_mins channel cluster_size confs enable_photon enable_serverless_compute id instance_profile_arn max_num_clusters min_num_clusters name spot_instance_policy tags
databrickssql	executeAdhocQuery	Generated by one of the following: A user runs a query draft in the SQL editor A query is executed from a visualization aggregation A user loads a dashboard and executes underlying queries	dataSourceId
databrickssql	executeSavedQuery	A user runs a saved query.	queryId
databrickssql	executeWidgetQuery	Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include: Refreshing a single panel Refreshing an entire dashboard Scheduled dashboard executions Parameter or filter changes operating over more than 64,000 rows	widgetId
databrickssql	favoriteDashboard	A user favorites a dashboard.	dashboardId
databrickssql	favoriteQuery	A user favorites a query.	queryId
databrickssql	forkQuery	A user clones a query.	originalQueryId queryId
databrickssql	listQueries	A user opens the query listing page or calls the list query API.	filter_by include_metrics max_results page_token
databrickssql	moveAlertToTrash	A user moves an alert to the trash.	alertId
databrickssql	moveDashboardToTrash	A user moves a dashboard to the trash.	dashboardId
databrickssql	moveQueryToTrash	A user moves a query to the trash.	queryId
databrickssql	restoreAlert	A user restores an alert from the trash.	alertId
databrickssql	restoreDashboard	A user restores a dashboard from the trash.	dashboardId
databrickssql	restoreQuery	A user restores a query from the trash.	queryId
databrickssql	setWarehouseConfig	A warehouse manager sets the configuration for a SQL warehouse.	data_access_config enable_serverless_compute instance_profile_arn security_policy serverless_agreement sql_configuration_parameters try_create_databricks_managed_starter_warehouse
databrickssql	snapshotDashboard	A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots.	dashboardId
databrickssql	startWarehouse	A SQL warehouse is started.	id
databrickssql	stopWarehouse	A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.	id
databrickssql	transferObjectOwnership	A workspace admin transfers the ownership of a dashboard, query, or alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.	newOwner objectId objectType
databrickssql	unfavoriteDashboard	A user removes a dashboard from their favorites.	dashboardId
databrickssql	unfavoriteQuery	A user removes a query from their favorites.	queryId
databrickssql	updateAlert	A user makes updates to an alert. ownerUserName is populated if the alert ownership is transferred using the API.	alertId queryId ownerUserName
databrickssql	updateNotificationDestination	A workspace admin makes an update to a notification destination.	notificationDestinationId
databrickssql	updateDashboardWidget	A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include: Change to widget size or placement Adding or removing widget parameters	widgetId
databrickssql	updateDashboard	A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include: Change in dashboard name Change to the SQL warehouse Change to Run As settings	dashboardId
databrickssql	updateOrganizationSetting	A workspace admin makes updates to the workspace’s SQL settings.	has_configured_data_access has_explored_sql_warehouses has_granted_permissions
databrickssql	updateQuery	A user makes an update to a query. ownerUserName is populated if the query ownership is transferred using the API.	queryId ownerUserName
databrickssql	updateQueryDraft	A user makes an update to a query draft.	queryId
databrickssql	updateQuerySnippet	A user makes an update to a query snippet.	querySnippetId
databrickssql	updateVisualization	A user updates a visualization from either the SQL Editor or the dashboard.	visualizationId

Data monitoring events

The following dataMonitoring events are logged at the workspace level.

Service	Action	Description	Request parameters
dataMonitoring	CreateMonitor	User creates a monitor.	data_classification_config full_table_name_arg assets_dir schedule output_schema_name notifications inference_log
dataMonitoring	UpdateMonitor	User makes an update to a monitor.	data_classification_config table_name full_table_name_arg drift_metrics_table_name dashboard_id custom_metrics assets_dir monitor_version profile_metrics_table_name baseline_table_name status output_schema_name inference_log slicing_exprs
dataMonitoring	DeleteMonitor	User deletes a monitor.	full_table_name_arg
dataMonitoring	RunRefresh	Monitor is refreshed, either by schedule or manually.	full_table_name_arg

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service	Action	Description	Request parameters
dbfs	addBlock	User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.	handle data_length
dbfs	create	User opens a stream to write a file to DBFs.	path bufferSize overwrite
dbfs	delete	User deletes the file or directory from DBFs.	recursive path
dbfs	mkdirs	User creates a new DBFS directory.	path
dbfs	move	User moves a file from one location to another location within DBFs.	dst source_path src destination_path
dbfs	put	User uploads a file through the use of multipart form post to DBFs.	path overwrite

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service	Action	Description	Request parameters
dbfs	mount	User creates a mount point at a certain DBFS location.	mountPoint owner
dbfs	unmount	User removes a mount point at a certain DBFS location.	mountPoint

Delta pipelines events

Service	Action	Description	Request parameters
deltaPipelines	changePipelineAcls	A user changes permissions on a pipeline.	shardId targetUserId resourceId aclPermissionSet
deltaPipelines	create	A user creates a Delta Live Tables pipeline.	allow_duplicate_names clusters configuration continuous development dry_run id libraries name storage target channel edition photon
deltaPipelines	delete	A user deletes a Delta Live Tables pipeline.	pipeline_id
deltaPipelines	edit	A user edits a Delta Live Tables pipeline.	allow_duplicate_names clusters configuration continuous development expected_last_modified id libraries name pipeline_id storage target channel edition photon
deltaPipelines	startUpdate	A user restarts a Delta Live Tables pipeline.	cause full_refresh job_task pipeline_id
deltaPipelines	stop	A user stops a Delta Live Tables pipeline.	pipeline_id

Feature store events

The following featureStore events are logged at the workspace level.

Service	Action	Description	Request parameters
featureStore	addConsumer	A consumer is added to the feature store.	features job_run notebook
featureStore	addDataSources	A data source is added to a feature table.	feature_table paths, tables
featureStore	addProducer	A producer is added to a feature table.	feature_table job_run notebook
featureStore	changeFeatureTableAcl	Permissions are changed in a feature table.	aclPermissionSet resourceId shardName targetUserId
featureStore	createFeatureTable	A feature table is created.	description name partition_keys primary_keys timestamp_keys
featureStore	createFeatures	Features are created in a feature table.	feature_table features
featureStore	deleteFeatureTable	A feature table is deleted.	name
featureStore	deleteTags	Tags are deleted from a feature table.	feature_table_id keys
featureStore	getConsumers	A user makes a call to get the consumers in a feature table.	feature_table
featureStore	getFeatureTable	A user makes a call to get feature tables.	name
featureStore	getFeatureTablesById	A user makes a call to get feature table IDs.	ids
featureStore	getFeatures	A user makes a call to get features.	feature_table max_results
featureStore	getModelServingMetadata	A user makes a call to get Model Serving metadata.	feature_table_features
featureStore	getOnlineStore	A user makes a call to get online store details.	cloud feature_table online_table store_type
featureStore	getTags	A user makes a call to get tags for a feature table.	feature_table_id
featureStore	publishFeatureTable	A feature table is published.	cloud feature_table host online_table port read_secret_prefix store_type write_secret_prefix
featureStore	searchFeatureTables	A user searches for feature tables.	max_results page_token text
featureStore	setTags	Tags are added to a feature table.	feature_table_id tags
featureStore	updateFeatureTable	A feature table is updated.	description name

Files API events

The following filesystem events are logged at the workspace level.

Service	Action	Description	Request parameters
filesystem	filesGet	User downloads file.	path transferredSize
filesystem	filesPut	User uploads file.	path receivedSize
filesystem	filesDelete	User deletes file.	path
filesystem	filesHead	User gets information about file.	path

Genie events

The following genie events are logged at the workspace level.

Note

This service is unrelated to AI/BI Genie spaces.

Service	Action	Description	Request parameters
genie	databricksAccess	A Databricks personnel is authorized to access a customer environment.	duration approver reason authType user

Git credential events

The following gitCredentials events are logged at the workspace level.

Service	Action	Description	Request parameters
gitCredentials	getGitCredential	A user gets a git credentials.	id
gitCredentials	listGitCredentials	A user lists all git credentials	none
gitCredentials	deleteGitCredential	A user deletes a git credential.	id
gitCredentials	updateGitCredential	A user updates a git credential.	id git_provider git_username
gitCredentials	createGitCredential	A user creates a git credential.	git_provider git_username

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service	Action	Description	Request parameters
globalInitScripts	create	A workspace admin creates a global initialization script.	name position script-SHA256 enabled
globalInitScripts	update	A workspace admin updates a global initialization script.	script_id name position script-SHA256 enabled
globalInitScripts	delete	A workspace admin deletes a global initialization script.	script_id

Groups events

The following groups events are logged at the workspace level. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Account events and Account-level account events.

Service	Action	Description	Request parameters
groups	addPrincipalToGroup	An admin adds a user to a group.	user_name parent_name
groups	createGroup	An admin creates a group.	group_name
groups	getGroupMembers	An admin views group members.	group_name
groups	getGroups	An admin views a list of groups	none
groups	getInheritedGroups	An admin views inherited groups	none
groups	removeGroup	An admin removes a group.	group_name

IAM role events

The following iamRole event is logged at the workspace level.

Service	Action	Description	Request parameters
iamRole	changeIamRoleAcl	A workspace admin changes permissions for an IAM role.	targetUserId shardName resourceId aclPermissionSet

Ingestion events

The following ingestion event is logged at the workspace level.

Service	Action	Description	Request parameters
ingestion	proxyFileUpload	A user uploads a file to their Databricks workspace.	x-databricks-content-length-0 x-databricks-total-files

Instance pool events

The following instancePools events are logged at the workspace level.

Service	Action	Description	Request parameters
instancePools	changeInstancePoolAcl	A user changes an instance pool’s permissions.	shardName resourceId targetUserId aclPermissionSet
instancePools	create	A user creates an instance pool.	enable_elastic_disk preloaded_spark_versions idle_instance_autotermination_minutes instance_pool_name node_type_id custom_tags max_capacity min_idle_instances aws_attributes
instancePools	delete	A user deletes an instance pool.	instance_pool_id
instancePools	edit	A user edits an instance pool.	instance_pool_name idle_instance_autotermination_minutes min_idle_instances preloaded_spark_versions max_capacity enable_elastic_disk node_type_id instance_pool_id aws_attributes

Job events

The following jobs events are logged at the workspace level.

Service	Action	Description	Request parameters
jobs	cancel	A job run is cancelled.	run_id
jobs	cancelAllRuns	A user cancels all runs on a job.	job_id
jobs	changeJobAcl	A user updates permissions on a job.	shardName aclPermissionSet resourceId targetUserId
jobs	create	A user creates a job.	spark_jar_task email_notifications notebook_task spark_submit_task timeout_seconds libraries name spark_python_task job_type new_cluster existing_cluster_id max_retries schedule run_as
jobs	delete	A user deletes a job.	job_id
jobs	deleteRun	A user deletes a job run.	run_id
jobs	getRunOutput	A user makes an API call to get a run output.	run_id is_from_webapp
jobs	repairRun	A user repairs a job run.	run_id latest_repair_id rerun_tasks
jobs	reset	A job is reset.	job_id new_settings
jobs	resetJobAcl	A user requests the change of a job’s permissions.	grants job_id
jobs	runCommand	Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook.	jobId runId notebookId executionTime status commandId commandText
jobs	runFailed	A job run fails.	jobClusterType jobTriggerType jobId jobTaskType runId jobTerminalState idInJob orgId runCreatorUserName
jobs	runNow	A user triggers an on-demand job run.	notebook_params job_id jar_params workflow_context
jobs	runStart	Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include: dashboardId (for a SQL dashboard task) filePath (for a SQL file task) notebookPath (for a notebook task) mainClassName (for a Spark JAR task) pythonFile (for a Spark JAR task) projectDirectory (for a dbt task) commands (for a dbt task) packageName (for a Python wheel task) entryPoint (for a Python wheel task) pipelineId (for a pipeline task) queryIds (for a SQL query task) alertId (for a SQL alert task)	taskDependencies multitaskParentRunId orgId idInJob jobId jobTerminalState taskKey jobTriggerType jobTaskType runId runCreatorUserName
jobs	runSucceeded	A job run is successful.	idInJob jobId jobTriggerType orgId runId jobClusterType jobTaskType jobTerminalState runCreatorUserName
jobs	runTriggered	A job schedule is triggered automatically according to its schedule or trigger.	jobId jobTriggeredType runId
jobs	sendRunWebhook	A webhook is sent either when the job begins, completes, or fails.	orgId jobId jobWebhookId jobWebhookEvent runId
jobs	setTaskValue	A user sets values for a task.	run_id key
jobs	submitRun	A user submits a one-time run via the API.	shell_command_task run_name spark_python_task existing_cluster_id notebook_task timeout_seconds libraries new_cluster spark_jar_task
jobs	update	A user edits a job’s settings.	job_id fields_to_remove new_settings is_from_dlt

Marketplace consumer events

The following marketplaceConsumer events are logged at the workspace level.

Service	Action	Description	Request parameters
marketplaceConsumer	getDataProduct	A user gets access to a data product through the Databricks Marketplace.	listing_id listing_name share_name catalog_name request_context: Array of information about the account and metastore that got access to the data product
marketplaceConsumer	requestDataProduct	A user requests access to a data product that requires provider approval.	listing_id listing_name catalog_name request_context: Array of information about the account and metastore requesting access to the data product

Marketplace provider events

The following marketplaceProvider events are logged at the workspace level.

Service	Action	Description	Request parameters
marketplaceProvider	createListing	A metastore admin creates a listing in their provider profile.	listing: Array of details about the listing request_context: Array of information about the provider’s account and metastore
marketplaceProvider	updateListing	A metastore admin makes an update to a listing in their provider profile.	id listing: Array of details about the listing request_context: Array of information about the provider’s account and metastore
marketplaceProvider	deleteListing	A metastore admin deletes a listing in their provider profile.	id request_context: Array of details about the provider’s account and metastore
marketplaceProvider	updateConsumerRequestStatus	A metastore admins approves or denies a data product request.	listing_id request_id status reason share: Array of information about the share request_context: Array of information about the provider’s account and metastore
marketplaceProvider	createProviderProfile	A metastore admin creates a provider profile.	provider: Array of information about the provider request_context: Array of information about the provider’s account and metastore
marketplaceProvider	updateProviderProfile	A metastore admin makes an update to their provider profile.	id provider: Array of information about the provider request_context: Array of information about the provider’s account and metastore
marketplaceProvider	deleteProviderProfile	A metastore admin deletes their provider profile.	id request_context: Array of information about the provider’s account and metastore
marketplaceProvider	uploadFile	A provider uploads a file to their provider profile.	request_context: Array of information about the provider’s account and metastore marketplace_file_type display_name mime_type file_parent: Array of file parent details
marketplaceProvider	deleteFile	A provider deletes a file from their provider profile.	file_id request_context: Array of information about the provider’s account and metastore

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service	Action	Description	Request parameters
mlflowAcledArtifact	readArtifact	A user makes call to read an artifact.	artifactLocation experimentId runId
mlflowAcledArtifact	writeArtifact	A user makes call to write to an artifact.	artifactLocation experimentId runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service	Action	Description	Request parameters
mlflowExperiment	createMlflowExperiment	A user creates an MLflow experiment.	experimentId path experimentName
mlflowExperiment	deleteMlflowExperiment	A user deletes an MLflow experiment.	experimentId path experimentName
mlflowExperiment	moveMlflowExperiment	A user moves an MLflow experiment.	newPath experimentId oldPath
mlflowExperiment	restoreMlflowExperiment	A user restores an MLflow experiment.	experimentId path experimentName
mlflowExperiment	renameMlflowExperiment	A user renames an MLflow experiment.	oldName newName experimentId parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service	Action	Description	Request parameters
modelRegistry	approveTransitionRequest	A user approves a model version stage transition request.	name version stage archive_existing_versions
modelRegistry	changeRegisteredModelAcl	A user updates permissions for a registered model.	registeredModelId userId
modelRegistry	createComment	A user posts a comment on a model version.	name version
modelRegistry	createModelVersion	A user creates a model version.	name source run_id tags run_link
modelRegistry	createRegisteredModel	A user creates a new registered model	name tags
modelRegistry	createRegistryWebhook	User creates a webhook for Model Registry events.	orgId registeredModelId events description status creatorId httpUrlSpec
modelRegistry	createTransitionRequest	A user creates a model version stage transition request.	name version stage
modelRegistry	deleteComment	A user deletes a comment on a model version.	id
modelRegistry	deleteModelVersion	A user deletes a model version.	name version
modelRegistry	deleteModelVersionTag	A user deletes a model version tag.	name version key
modelRegistry	deleteRegisteredModel	A user deletes a registered model	name
modelRegistry	deleteRegisteredModelTag	A user deletes the tag for a registered model.	name key
modelRegistry	deleteRegistryWebhook	User deletes a Model Registry webhook.	orgId webhookId
modelRegistry	deleteTransitionRequest	A user cancels a model version stage transition request.	name version stage creator
modelRegistry	finishCreateModelVersionAsync	Completed asynchronous model copying.	name version
modelRegistry	generateBatchInferenceNotebook	Batch inference notebook is autogenerated.	userId orgId modelName inputTableOpt outputTablePathOpt stageOrVersion modelVersionEntityOpt notebookPath
modelRegistry	generateDltInferenceNotebook	Inference notebook for a Delta Live Tables pipeline is autogenerated.	userId orgId modelName inputTable outputTable stageOrVersion notebookPath
modelRegistry	getModelVersionDownloadUri	A user gets a URI to download the model version.	name version
modelRegistry	getModelVersionSignedDownloadUri	A user gets a URI to download a signed model version.	name version path
modelRegistry	listModelArtifacts	A user makes a call to list a model’s artifacts.	name version path page_token
modelRegistry	listRegistryWebhooks	A user makes a call to list all registry webhooks in the model.	orgId registeredModelId
modelRegistry	rejectTransitionRequest	A user rejects a model version stage transition request.	name version stage
modelRegistry	renameRegisteredModel	A user renames a registered model	name new_name
modelRegistry	setEmailSubscriptionStatus	A user updates the email subscription status for a registered model
modelRegistry	setModelVersionTag	A user sets a model version tag.	name version key value
modelRegistry	setRegisteredModelTag	A user sets a model version tag.	name key value
modelRegistry	setUserLevelEmailSubscriptionStatus	A user updates their email notifications status for the whole registry.	orgId userId subscriptionStatus
modelRegistry	testRegistryWebhook	A user tests the Model Registry webhook.	orgId webhookId
modelRegistry	transitionModelVersionStage	A user gets a list of all open stage transition requests for the model version.	name version stage archive_existing_versions
modelRegistry	triggerRegistryWebhook	A Model Registry webhook is triggered by an event.	orgId registeredModelId events status
modelRegistry	updateComment	A user post an edit to a comment on a model version.	id
modelRegistry	updateRegistryWebhook	A user updates a Model Registry webhook.	orgId webhookId

Model serving events

The following serverlessRealTimeInference events are logged at the workspace level.

Service	Action	Description	Request parameters
serverlessRealTimeInference	changeInferenceEndpointAcl	User updates permissions for an inference endpoint.	shardName targetUserId resourceId aclPermissionSet
serverlessRealTimeInference	createServingEndpoint	User creates a model serving endpoint.	name config
serverlessRealTimeInference	deleteServingEndpoint	User deletes a model serving endpoint.	name
serverlessRealTimeInference	disable	User disables model serving for a registered model.	registered_mode_name
serverlessRealTimeInference	enable	User enables model serving for a registered model.	registered_mode_name
serverlessRealTimeInference	getQuerySchemaPreview	Users makes a call to get the query schema preview.	endpoint_name
serverlessRealTimeInference	updateServingEndpoint	User updates a model serving endpoint.	name served_models traffic_config
serverlessRealTimeInference	updateInferenceEndpointRateLimits	User updates the rate limits for an inference endpoint. Rate limits only apply to Foundation Model APIs pay-per-token and external model endpoints.	name rate_limits

Notebook events

The following notebook events are logged at the workspace level.

Service	Action	Description	Request parameters
notebook	attachNotebook	A notebook is attached to a cluster.	path clusterId notebookId
notebook	cloneNotebook	A user clones a notebook.	notebookId path clonedNotebookId destinationPath
notebook	createNotebook	A notebook is created.	notebookId path
notebook	deleteFolder	A notebook folder is deleted.	path
notebook	deleteNotebook	A notebook is deleted.	notebookId notebookName path
notebook	detachNotebook	A notebook is detached from a cluster.	notebookId clusterId path
notebook	downloadLargeResults	A user downloads query results too large to display in the notebook.	notebookId notebookFullPath
notebook	downloadPreviewResults	A user downloads the query results.	notebookId notebookFullPath
notebook	importNotebook	A user imports a notebook.	path
notebook	moveFolder	A notebook folder is moved from one location to another.	oldPath newPath folderId
notebook	moveNotebook	A notebook is moved from one location to another.	newPath oldPath notebookId
notebook	renameNotebook	A notebook is renamed.	newName oldName parentPath notebookId
notebook	restoreFolder	A deleted folder is restored.	path
notebook	restoreNotebook	A deleted notebook is restored.	path notebookId notebookName
notebook	runCommand	Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook. executionTime is measured in seconds.	notebookId executionTime status commandId commandText commandLanguage
notebook	takeNotebookSnapshot	Notebook snapshots are taken when either the job service or mlflow is run.	path

Partner Connect events

The following partnerHub events are logged at the workspace level.

Service	Action	Description	Request parameters
partnerHub	createOrReusePartnerConnection	A workspace admin sets up a connection to a partner solution.	partner_name
partnerHub	deletePartnerConnection	A workspace admin deletes a partner connection.	partner_name
partnerHub	downloadPartnerConnectionFile	A workspace admin downloads the partner connection file.	partner_name
partnerHub	setupResourcesForPartnerConnection	A workspace admin sets up resources for a partner connection.	partner_name

Predictive optimization events

The following predictiveOptimization events are logged at the workspace level.

Service	Action	Description	Request parameters
predictiveOptimization	PutMetrics	Recorded when predictive optimization updates table and workload metrics so the service can more intelligently schedule optimization operations.	table_metrics_list start_time end_time
predictiveOptimization	UpdatePredictiveOptimization	An account admin enables or disables predictive optimization for a metastore.	metastore_id enable

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service	Action	Description	Request parameters
remoteHistoryService	addUserGitHubCredentials	User adds Github Credentials	none
remoteHistoryService	deleteUserGitHubCredentials	User removes Github Credentials	none
remoteHistoryService	updateUserGitHubCredentials	User updates Github Credentials	none

Git folder events

The following repos events are logged at the workspace level.

Service	Action name	Description	Request parameters
repos	checkoutBranch	A user checks out a branch on the repo.	id branch
repos	commitAndPush	A user commits and pushes to a repo.	id message files checkSensitiveToken
repos	createRepo	A user creates a repo in the workspace	url provider path
repos	deleteRepo	A user deletes a repo.	id
repos	discard	A user discards a commit to a repo.	id file_paths
repos	getRepo	A user makes a call to get information about a single repo.	id
repos	listRepos	A user makes a call to get all repos they have Manage permissions on.	path_prefix next_page_token
repos	pull	A user pulls the latest commits from a repo.	id
repos	updateRepo	A user updates the repo to a different branch or tag, or to the latest commit on the same branch.	id branch tag git_url git_provider

Secrets events

The following secrets events are logged at the workspace level.

Service	Action name	Description	Request parameters
secrets	createScope	User creates a secret scope.	scope initial_manage_principal scope_backend_type
secrets	deleteAcl	User deletes ACLs for a secret scope.	scope principal
secrets	deleteScope	User deletes a secret scope.	scope
secrets	deleteSecret	User deletes a secret from a scope.	key scope
secrets	getAcl	User gets ACLs for a secret scope.	scope principal
secrets	getSecret	User gets a secret from a scope.	key scope
secrets	listAcls	User makes a call to list ACLs for a secret scope.	scope
secrets	listScopes	User makes a call to list secret scopes	none
secrets	listSecrets	User makes a call to list secrets within a scope.	scope
secrets	putAcl	User changes ACLs for a secret scope.	scope principal permission
secrets	putSecret	User adds or edits a secret within a scope.	string_value key scope

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service	Action name	Description	Request parameters
sqlPermissions	changeSecurableOwner	Workspace admin or owner of an object transfers object ownership.	securable principal
sqlPermissions	createSecurable	User creates a securable object.	securable
sqlPermissions	denyPermission	Object owner denies privileges on a securable object.	permission
sqlPermissions	grantPermission	Object owner grants permission on a securable object.	permission
sqlPermissions	removeAllPermissions	User drops a securable object.	securable
sqlPermissions	renameSecurable	User renames a securable object.	before after
sqlPermissions	requestPermissions	User requests permissions on a securable object.	requests
sqlPermissions	revokePermission	Object owner revokes permissions on their securable object.	permission
sqlPermissions	showPermissions	User views securable object permissions.	securable principal

SSH events

The following ssh events are logged at the workspace level.

Service	Action name	Description	Request parameters
ssh	login	Agent login of SSH into Spark driver.	containerId userName port publicKey instanceId
ssh	logout	Agent logout of SSH from Spark driver.	userName containerId instanceId

Vector search events

The following vectorSearch events are logged at the workspace level.

Service	Action	Description	Request parameters
vectorSearch	createEndpoint	User creates a vector search endpoint.	name endpoint_type
vectorSearch	deleteEndpoint	User deletes a vector search endpoint.	name
vectorSearch	createVectorIndex	User creates a vector search index.	name endpoint_name primary_key index_type delta_sync_index_spec direct_access_index_spec
vectorSearch	deleteVectorIndex	User deletes a vector search index.	name endpoint_name delete_embedding_writeback_table

Web terminal events

The following webTerminal events are logged at the workspace level.

Service	Action name	Description	Request parameters
webTerminal	startSession	User starts a web terminal sessions.	socketGUID clusterId serverPort ProxyTargetURI
webTerminal	closeSession	User closes a web terminal session.	socketGUID clusterId serverPort ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level.

Service	Action name	Description	Request parameters
workspace	changeWorkspaceAcl	Permissions to the workspace are changed.	shardName targetUserId aclPermissionSet resourceId
workspace	deleteSetting	A setting is deleted from the workspace.	settingKeyTypeName settingKeyName settingTypeName settingName
workspace	fileCreate	User creates a file in the workspace.	path
workspace	fileDelete	User deletes a file in the workspace.	path
workspace	fileEditorOpenEvent	User opens the file editor.	notebookId path
workspace	getRoleAssignment	User gets a workspace’s user roles.	account_id workspace_id
workspace	mintOAuthAuthorizationCode	Recorded when in-house OAuth authorization code is minted at the workspace level.	client_id
workspace	mintOAuthToken	OAuth token is minted for workspace.	grant_type scope expires_in client_id
workspace	moveWorkspaceNode	A workspace admin moves workspace node.	destinationPath path
workspace	purgeWorkspaceNodes	A workspace admin purges workspace nodes.	treestoreId
workspace	reattachHomeFolder	An existing home folder is re-attached for a user that is re-added to the workspace.	path
workspace	renameWorkspaceNode	A workspace admin renames workspace nodes.	path destinationPath
workspace	unmarkHomeFolder	Home folder special attributes are removed when a user is removed from the workspace.	path
workspace	updateRoleAssignment	A workspace admin updates a workspace user’s role.	account_id workspace_id principal_id
workspace	updatePermissionAssignment	A workspace admin adds a principal to the workspace.	principal_id permissions
workspace	setSetting	A workspace admin configures a workspace setting.	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
workspace	workspaceConfEdit	Workspace admin makes updates to a setting, for example enabling verbose audit logs.	workspaceConfKeys workspaceConfValues
workspace	workspaceExport	User exports a notebook from a workspace.	workspaceExportDirectDownload workspaceExportFormat notebookFullPath
workspace	workspaceInHouseOAuthClientAuthentication	OAuth client is authenticated in workspace service.	user

Billable usage events

The following accountBillableUsage events are logged at the account level.

Service	Action	Description	Request parameters
accountBillableUsage	getAggregatedUsage	User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature.	account_id window_size start_time end_time meter_name workspace_ids_filter
accountBillableUsage	getDetailedUsage	User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature.	account_id start_month end_month with_pii

Account-level account events

The following accounts events are logged at the account level.

Service	Action	Description	Request parameters
accounts	accountInHouseOAuthClientAuthentication	An OAuth client is authenticated.	endpoint
accounts	accountIpAclsValidationFailed	IP permissions validation fails. Returns statusCode 403.	sourceIpAddress user: logged as an email address
accounts	activateUser	A user is reactivated after being deactivated. See Deactivate users in account.	targetUserName endpoint targetUserId
accounts	add	A user is added to the Databricks account.	targetUserName endpoint targetUserId
accounts	addPrincipalToGroup	A user is added to an account-level group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	addPrincipalsToGroup	Users are added to an account-level group using SCIM provisioning.	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	createGroup	An account-level group is created.	endpoint targetGroupId targetGroupName
accounts	deactivateUser	A user is deactivated. See Deactivate users in account.	targetUserName endpoint targetUserId
accounts	delete	A user is deleted from the Databricks account.	targetUserId targetUserName endpoint
accounts	deleteSetting	Account admin removes a setting from the Databricks account.	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
accounts	garbageCollectDbToken	A user runs a garbage collect command on expired tokens.	tokenExpirationTime tokenClientId userId tokenCreationTime tokenFirstAccessed
accounts	generateDbToken	User generates a token from User Settings or when the service generates the token.	tokenExpirationTime tokenCreatedBy tokenHash userId
accounts	login	A user logs into the account console.	user
accounts	logout	A user logs out of the account console.	user
accounts	mintOAuthAuthorizationCode	Recorded when in-house OAuth authorization code is minted at the account level.	client_id
accounts	mintOAuthToken	An account-level OAuth token is issued to the service principal.	user
accounts	oidcBrowserLogin	A user logs into their account with the OpenID Connect browser workflow.	user
accounts	oidcTokenAuthorization	An OIDC token is authenticated for an account admin login.	user
accounts	passwordVerifyAuthentication	A user’s password is verified during account console login.	user
accounts	removeAccountAdmin	An account admin removes account admin permissions from another user.	targetUserName endpoint targetUserId
accounts	removeGroup	A group is removed from the account.	targetGroupId targetGroupName endpoint
accounts	removePrincipalFromGroup	A user is removed from an account-level group.	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	removePrincipalsFromGroup	Users are removed from an account-level group using SCIM provisioning.	targetGroupId endpoint targetUserId targetGroupName targetUserName
accounts	setAccountAdmin	An account admin assigns the account admin role to another user.	targetUserName endpoint targetUserId
accounts	setSetting	An account admin updates an account-level setting.	settingKeyTypeName settingKeyName settingTypeName settingName settingValueForAudit
accounts	tokenLogin	A user logs into Databricks using a token.	tokenId user
accounts	updateUser	An account admin updates a user account.	targetUserName endpoint targetUserId
accounts	updateGroup	An account admin updates an account-level group.	endpoint targetGroupId targetGroupName
accounts	validateEmail	When a user validates their email after account creation.	endpoint targetUserName targetUserId

Account-level access control events

The following accountsAccessControl event is logged at the account level.

Service	Action	Description	Request parameters
accountsAccessControl	updateRuleSet	When a rule set is changed.	account_id name rule_set

Account management events

The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.

Service	Action	Description	Request parameters
accountsManager	acceptTos	Admin accepts a workspace’s terms of service.	workspace_id
accountsManager	accountUserResetPassword	Account admin resets a users password. Also logs whether the user changed the password after the reset.	wasPasswordChanged serviceSource targetUserId userId newPasswordSource
accountsManager	changeAccountOwner	Account owner role is transferred to another account admin.	account_id first_name last_name email
accountsManager	consolidateAccounts	The account was consolidated with another account by Databricks.	target_account_id account_ids_to_consolidate
accountsManager	createCredentialsConfiguration	Account admin created a credentials configuration.	credentials
accountsManager	createCustomerManagedKeyConfiguration	Account admin created a customer-managed key configuration.	customer_managed_key
accountsManager	createNetworkConfiguration	Account admin created a network configuration.	network
accountsManager	createPrivateAccessSettings	Account admin created a private access settings configuration.	private_access_settings
accountsManager	createStorageConfiguration	Account admin created a storage configuration.	storage_configuration
accountsManager	createVpcEndpoint	Account admin created a VPC endpoint configuration.	vpc_endpoint
accountsManager	createWorkspaceConfiguration	Account admin creates a new workspace. The workspace request parameter is an array of deployment information including workspace_name. You can find the workspace_id in the response.result parameter.	workspace
accountsManager	deleteCredentialsConfiguration	Account admin deleted a credentials configuration.	account_id credentials_id
accountsManager	deleteCustomerManagedKeyConfiguration	Account admin deleted a customer-managed key configuration.	account_id customer_managed_key_id
accountsManager	deleteNetworkConfiguration	Account admin deleted a network configuration.	account_id network_id
accountsManager	deletePrivateAccessSettings	Account admin deleted a private access settings configuration.	account_id private_access_settings_id
accountsManager	deleteStorageConfiguration	Account admin deleted a storage configuration.	account_id storage_configuration_id
accountsManager	deleteVpcEndpoint	Account admin deleted a VPC endpoint configuration.	account_id vpc_endpoint_id
accountsManager	deleteWorkspaceConfiguration	Account admin deleted a workspace.	account_id workspace_id
accountsManager	getCredentialsConfiguration	Account admin requests details about a credentials configuration.	account_id credentials_id
accountsManager	getCustomerManagedKeyConfiguration	Account admin requests details about a customer-managed key configuration.	account_id customer_managed_key_id
accountsManager	getNetworkConfiguration	Account admin requests details about a network configuration.	account_id network_id
accountsManager	getPrivateAccessSettings	Account admin requests details about a private access settings configuration.	account_id private_access_settings_id
accountsManager	getStorageConfiguration	Account admin requests details about a storage configuration.	account_id storage_configuration_id
accountsManager	getVpcEndpoint	Account admin requests details about a VPC endpoint configuration.	account_id vpc_endpoint_id
accountsManager	getWorkspaceConfiguration	Account admin requests details about a workspace.	account_id workspace_id
accountsManager	listCredentialsConfigurations	Account admin lists all credentials configurations in the account.	account_id
accountsManager	listCustomerManagedKeyConfigurations	Account admin lists all customer-managed key configurations in the account.	account_id
accountsManager	listNetworkConfigurations	Account admin lists all network configurations in the account.	account_id
accountsManager	listPrivateAccessSettings	Account admin lists all private access settings configurations in the account.	account_id
accountsManager	listStorageConfigurations	Account admin lists all storage configurations in the account.	account_id
accountsManager	listSubscriptions	Account admin lists all account billing subscriptions.	account_id
accountsManager	listVpcEndpoints	Account admin listed all VPC endpoint configurations for the account.	account_id
accountsManager	listWorkspaceConfigurations	Account admin lists all workspace in the account.	account_id
accountsManager	listWorkspaceEncryptionKeyRecords	Account admin lists all encryption key records in a specific workspace.	account_id workspace_id
accountsManager	listWorkspaceEncryptionKeyRecordsForAccount	Account admin lists all encryption key records in the account.	account_id
accountsManager	sendTos	An email was sent to a workspace admin to accept the Databricks Terms of Service.	account_id workspace_id
accountsManager	updateAccount	The account details were changed internally.	account_id account
accountsManager	updateSubscription	The account billing subscriptions were updated.	account_id subscription_id subscription
accountsManager	updateWorkspaceConfiguration	Admin updated the configuration for a workspace.	account_id workspace_id

Budget policy events

The following budgetPolicyCentral events are logged at the account level and are related to budget policies. See Attribute serverless usage with budget policies.

Service	Action	Description	Request parameters
budgetPolicyCentral	createBudgetPolicy	Workspace admin or billing admin creates a budget policy. The new policy_id is logged in the response column.	policy_name
budgetPolicyCentral	updateBudgetPolicy	Workspace admin, billing admin, or policy manager updates a budget policy.	policy.policy_id policy.policy_name
budgetPolicyCentral	updateBudgetPolicy	Workspace admin, billing admin, or policy manager deletes a budget policy.	policy_id

Log delivery events

The following logDelivery events are logged at the account level.

Service	Action	Description	Request parameters
logDelivery	createLogDeliveryConfiguration	Admin created a log delivery configuration.	account_id config_id
logDelivery	getLogDeliveryConfiguration	Admin requested details about a log delivery configuration.	log_delivery_configuration
logDelivery	listLogDeliveryConfigurations	Admin listed all log delivery configurations in the account.	account_id storage_configuration_id credentials_id status
logDelivery	updateLogDeliveryConfiguration	Admin updated a log delivery configuration.	config_id account_id status

Oauth SSO events

The following oauth2 events are logged at the account level and are related to OAuth SSO authentication to the account console.

Service	Action	Description	Request parameters
oauth2	createCustomAppIntegration	A workspace admin creates custom app integration.	redirect_url name token_access_policy confidential
oauth2	createPublishedAppIntegration	A workspace admin creates an app integration using a published app integration.	app_id
oauth2	deleteCustomAppIntegration	A workspace admin deletes custom app integration.	integration_id
oauth2	deletePublishedAppIntegration	A workspace admin deletes published app integration.	integration_id
oauth2	enrollOAuth	A workspace admin enrolls account in OAuth.	enable_all_published_apps
oauth2	updateCustomAppIntegration	A workspace admin updates custom app integration.	redirect_url name token_access_policy confidential
oauth2	updatePublishedAppIntegration	A workspace admin updates published app integration.	token_access_policy

Service principal credentials events (Public Preview)

The following servicePrincipalCredentials events are logged at the account level.

Service	Action	Description	Request parameters
servicePrincipalCredentials	create	Account admin generates an OAuth secret for the service principal.	account_id service_principal secret_id
servicePrincipalCredentials	list	Account admin lists all OAuth secrets under a service principal.	account_id service_principal
servicePrincipalCredentials	delete	Account admin deletes a service principal’s OAuth secret.	account_id service_principal secret_id

Single-sign on events

The following ssoConfigBackend events are logged at the account level and are related to SSO authentication for the account console.

Service	Action	Description	Request parameters
ssoConfigBackend	create	Account admin created an account console SSO configuration.	account_id sso_type config
ssoConfigBackend	get	Account admin requested details about an account console SSO configuration.	account_id sso_type
ssoConfigBackend	update	Account admin updated an account console SSO configuration.	account_id sso_type config

Unity Catalog events

The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog audit events can be logged at the workspace level or account level depending on the event.

Service	Action	Description	Request parameters
unityCatalog	createMetastore	Account admin creates a metastore.	name storage_root workspace_id metastore_id
unityCatalog	getMetastore	Account admin requests metastore ID.	id workspace_id metastore_id
unityCatalog	getMetastoreSummary	Account admin requests details about a metastore.	workspace_id metastore_id
unityCatalog	listMetastores	Account admin requests a list of all metastores in an account.	workspace_id
unityCatalog	updateMetastore	Account admin makes an update to a metastore.	id owner workspace_id metastore_id
unityCatalog	deleteMetastore	Account admin deletes a metastore.	id force workspace_id metastore_id
unityCatalog	updateMetastoreAssignment	Account admin makes an update to a metastore’s workspace assignment.	workspace_id metastore_id default_catalog_name
unityCatalog	createExternalLocation	Account admin creates an external location.	name skip_validation url credential_name workspace_id metastore_id
unityCatalog	getExternalLocation	Account admin requests details about an external location.	name_arg include_browse workspace_id metastore_id
unityCatalog	listExternalLocations	Account admin request list of all external locations in an account.	url max_results workspace_id metastore_id
unityCatalog	updateExternalLocation	Account admin makes an update to an external location.	name_arg owner workspace_id metastore_id
unityCatalog	deleteExternalLocation	Account admin deletes an external location.	name_arg force workspace_id metastore_id
unityCatalog	createCatalog	User creates a catalog.	name comment workspace_id metastore_id
unityCatalog	deleteCatalog	User deletes a catalog.	name_arg workspace_id metastore_id
unityCatalog	getCatalog	User requests details about a catalog.	name_arg dependent workspace_id metastore_id
unityCatalog	updateCatalog	User updates a catalog.	name_arg isolation_mode comment workspace_id metastore_id
unityCatalog	listCatalog	User makes a call to list all catalogs in the metastore.	name_arg workspace_id metastore_id
unityCatalog	createSchema	User creates a schema.	name catalog_name comment workspace_id metastore_id
unityCatalog	deleteSchema	User deletes a schema.	full_name_arg force workspace_id metastore_id
unityCatalog	getSchema	User requests details about a schema.	full_name_arg dependent workspace_id metastore_id
unityCatalog	listSchema	User requests a list of all schemas in a catalog.	catalog_name
unityCatalog	updateSchema	User updates a schema.	full_name_arg name workspace_id metastore_id comment
unityCatalog	createStagingTable		name catalog_name schema_name workspace_id metastore_id
unityCatalog	createTable	User creates a table. The request parameters differ depending on the type of table created.	name data_source_format catalog_name schema_name storage_location columns dry_run table_type view_dependencies view_definition sql_path comment
unityCatalog	deleteTable	User deletes a table.	full_name_arg workspace_id metastore_id
unityCatalog	getTable	User requests details about a table.	include_delta_metadata full_name_arg dependent workspace_id metastore_id
unityCatalog	privilegedGetTable		full_name_arg
unityCatalog	listTables	User makes a call to list all tables in a schema.	catalog_name schema_name workspace_id metastore_id include_browse
unityCatalog	listTableSummaries	User gets an array of summaries for tables for a schema and catalog within the metastore.	catalog_name schema_name_pattern workspace_id metastore_id
unityCatalog	updateTables	User makes an update to a table. The request parameters displayed vary depending on the type of table updates made.	full_name_arg table_type table_constraint_list data_source_format columns dependent row_filter storage_location sql_path view_definition view_dependencies owner comment workspace_id metastore_id
unityCatalog	createStorageCredential	Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials.	name comment workspace_id metastore_id
unityCatalog	listStorageCredentials	Account admin makes a call to list all storage credentials in the account.	workspace_id metastore_id
unityCatalog	getStorageCredential	Account admin requests details about a storage credential.	name_arg workspace_id metastore_id
unityCatalog	updateStorageCredential	Account admin makes an update to a storage credential.	name_arg owner workspace_id metastore_id
unityCatalog	deleteStorageCredential	Account admin deletes a storage credential.	name_arg workspace_id metastore_id
unityCatalog	generateTemporaryTableCredential	Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when.	credential_id credential_type is_permissions_enforcing_client table_full_name operation table_id workspace_id table_url metastore_id
unityCatalog	generateTemporaryPathCredential	Logged whenever a temporary credential is granted for a path.	url operation make_path_only_parent workspace_id metastore_id
unityCatalog	getPermissions	User makes a call to get permission details for a securable object. This call doesn’t return inherited permissions, only explicitly assigned permissions.	securable_type securable_full_name workspace_id metastore_id
unityCatalog	getEffectivePermissions	User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions.	securable_type securable_full_name workspace_id metastore_id
unityCatalog	updatePermissions	User updates permissions on a securable object.	securable_type changes securable_full_name workspace_id metastore_id
unityCatalog	metadataSnapshot	User queries the metadata from a previous table version.	securables include_delta_metadata workspace_id metastore_id
unityCatalog	metadataAndPermissionsSnapshot	User queries the metadata and permissions from a previous table version.	securables include_delta_metadata workspace_id metastore_id
unityCatalog	updateMetadataSnapshot	User updates the metadata from a previous table version.	table_list_snapshots schema_list_snapshots workspace_id metastore_id
unityCatalog	getForeignCredentials	User makes a call to get details about a foreign key.	securables workspace_id metastore_id
unityCatalog	getInformationSchema	User makes a call to get details about a schema.	table_name page_token required_column_names row_set_type required_column_names workspace_id metastore_id
unityCatalog	createConstraint	User creates a constraint for a table.	full_name_arg constraint workspace_id metastore_id
unityCatalog	deleteConstraint	User deletes a constraint for a table.	full_name_arg constraint workspace_id metastore_id
unityCatalog	createPipeline	User creates a Unity Catalog pipeline.	target_catalog_name has_workspace_definition id workspace_id metastore_id
unityCatalog	updatePipeline	User updates a Unity Catalog pipeline.	id_arg definition_json id workspace_id metastore_id
unityCatalog	getPipeline	User requests details about a Unity Catalog pipeline.	id workspace_id metastore_id
unityCatalog	deletePipeline	User deletes a Unity Catalog pipeline.	id workspace_id metastore_id
unityCatalog	deleteResourceFailure	Resource fails to delete	none
unityCatalog	createVolume	User creates a Unity Catalog volume.	name catalog_name schema_name volume_type storage_location owner comment workspace_id metastore_id
unityCatalog	getVolume	User makes a call to get information on a Unity Catalog volume.	volume_full_name workspace_id metastore_id
unityCatalog	updateVolume	User updates a Unity Catalog volume’s metadata with the ALTER VOLUME or COMMENT ON calls.	volume_full_name name owner comment workspace_id metastore_id
unityCatalog	deleteVolume	User deletes a Unity Catalog volume.	volume_full_name workspace_id metastore_id
unityCatalog	listVolumes	User makes a call to get a list of all Unity Catalog volumes in a schema.	catalog_name schema_name workspace_id metastore_id
unityCatalog	generateTemporaryVolumeCredential	A temporary credential is generated when a user performs a read or write on a volume. You can use this event to determine who accessed a volume and when.	volume_id volume_full_name operation volume_storage_location credential_id credential_type workspace_id metastore_id
unityCatalog	getTagSecurableAssignments	Tag assignments for a securable are fetched	securable_type securable_full_name workspace_id metastore_id
unityCatalog	getTagSubentityAssignments	Tag assignments for a subentity are fetched	securable_type securable_full_name workspace_id metastore_id subentity_name
unityCatalog	UpdateTagSecurableAssignments	Tag assignments for a securable are updated	securable_type securable_full_name workspace_id metastore_id changes
unityCatalog	UpdateTagSubentityAssignments	Tag assignments for a subentity are updated	securable_type securable_full_name workspace_id metastore_id subentity_name changes
unityCatalog	createRegisteredModel	User creates a Unity Catalog registered model.	name catalog_name schema_name owner comment workspace_id metastore_id
unityCatalog	getRegisteredModel	User makes a call to get information on a Unity Catalog registered model.	full_name_arg workspace_id metastore_id
unityCatalog	updateRegisteredModel	User updates a Unity Catalog registered model’s metadata.	full_name_arg name owner comment workspace_id metastore_id
unityCatalog	deleteRegisteredModel	User deletes a Unity Catalog registered model.	full_name_arg workspace_id metastore_id
unityCatalog	listRegisteredModels	User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas.	catalog_name schema_name max_results page_token workspace_id metastore_id
unityCatalog	createModelVersion	User creates a model version in Unity Catalog.	catalog_name schema_name model_name source comment workspace_id metastore_id
unityCatalog	finalizeModelVersion	User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows.	full_name_arg version_arg workspace_id metastore_id
unityCatalog	getModelVersion	User makes a call to get details on a model version.	full_name_arg version_arg workspace_id metastore_id
unityCatalog	getModelVersionByAlias	User makes a call to get details on a model version using the alias.	full_name_arg include_aliases alias_arg workspace_id metastore_id
unityCatalog	updateModelVersion	User updates a model version’s metadata.	full_name_arg version_arg name owner comment workspace_id metastore_id
unityCatalog	deleteModelVersion	User deletes a model version.	full_name_arg version_arg workspace_id metastore_id
unityCatalog	listModelVersions	User makes a call to get a list of Unity Catalog model versions in a registered model.	catalog_name schema_name model_name max_results page_token workspace_id metastore_id
unityCatalog	generateTemporaryModelVersionCredential	A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when.	full_name_arg version_arg operation model_version_url credential_id credential_type workspace_id metastore_id
unityCatalog	setRegisteredModelAlias	User sets an alias on a Unity Catalog registered model.	full_name_arg alias_arg version
unityCatalog	deleteRegisteredModelAlias	User deletes an alias on a Unity Catalog registered model.	full_name_arg alias_arg
unityCatalog	getModelVersionByAlias	User gets a Unity Catalog model version by alias.	full_name_arg alias_arg
unityCatalog	createConnection	A new foreign connection is created.	name connection_type workspace_id metastore_id
unityCatalog	deleteConnection	A foreign connection is deleted.	name_arg workspace_id metastore_id
unityCatalog	getConnection	A foreign connection is retrieved.	name_arg workspace_id metastore_id
unityCatalog	updateConnection	A foreign connection is updated.	name_arg owner workspace_id metastore_id
unityCatalog	listConnections	Foreign connections in a metastore are listed.	workspace_id metastore_id
unityCatalog	createFunction	User creates a new function.	function_info workspace_id metastore_id
unityCatalog	updateFunction	User updates a function.	full_name_arg owner workspace_id metastore_id
unityCatalog	listFunctions	User requests a list of all functions within a specific parent catalog or schema.	catalog_name schema_name include_browse workspace_id metastore_id
unityCatalog	getFunction	User requests a function from a parent catalog or schema.	full_name_arg workspace_id metastore_id
unityCatalog	deleteFunction	User requests a function from a parent catalog or schema.	full_name_arg workspace_id metastore_id
unityCatalog	createShareMarketplaceListingLink		links_infos metastore_id
unityCatalog	deleteShareMarketplaceListingLink		links_infos metastore_id

Delta Sharing events

Delta Sharing events are broken up into two sections: events recorded in the data provider’s account and events recorded in the data recipient’s account.

Delta Sharing provider events

The following audit log events are logged in the provider’s account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

Service	Action	Description	Request parameters
unityCatalog	deltaSharingListShares	A data recipient requests a list of shares.	options: The pagination options provided with this request. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingGetShare	A data recipient requests details about a shares.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListSchemas	A data recipient requests a list of shared schemas.	share: The name of the share. recipient_name: Indicates the recipient executing the action. options: The pagination options provided with this request. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListAllTables	A data recipient requests a list of all shared tables.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListTables	A data recipient requests a list of shared tables.	share: The name of the share. recipient_name: Indicates the recipient executing the action. options: The pagination options provided with this request. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingGetTableMetadata	A data recipient requests a details about a table’s metadata.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. predicateHints: The predicates included in the query. limitHints: The maximum number of rows to return. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingGetTableVersion	A data recipient requests a details about a table version.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingQueryTable	Logged when a data recipient queries a shared table.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. predicateHints: The predicates included in the query. limitHints: The maximum number of rows to return. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingQueryTableChanges	Logged when a data recipient queries change data for a table.	share: The name of the share. recipient_name: Indicates the recipient executing the action. schema: The name of the schema. name: The name of the table. cdf_options: Change data feed options. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingQueriedTable	Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing)	recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingQueriedTableChanges	Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing).	recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListNotebookFiles	A data recipient requests a list of shared notebook files.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingQueryNotebookFile	A data recipient queries a shared notebook file.	file_name: The name of the notebook file. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListFunctions	A data recipient requests a list of functions in a parent schema.	share: The name of the share. schema: The name of the parent schema of the function. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListAllFunctions	A data recipient requests a list of all shared functions.	share: The name of the share. schema: The name of the parent schema of the function. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListFunctionVersions	A data recipient requests a list of function versions.	share: The name of the share. schema: The name of the parent schema of the function. function: The name of the function. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListVolumes	A data recipient requests a list of shared volumes in a schema.	share: The name of the share. schema: The parents schema of the volumes. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	deltaSharingListAllVolumes	A data recipient requests all shared volumes.	share: The name of the share. recipient_name: Indicates the recipient executing the action. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	updateMetastore	Provider updates their metastore.	delta_sharing_scope: Values can be INTERNAL or INTERNAL_AND_EXTERNAL. delta_sharing_recipient_token_lifetime_in_seconds: If present, indicates that the recipient token lifetime was updated.
unityCatalog	createRecipient	Provider creates a data recipient.	name: The name of the recipient. comment: The comment for the recipient. ip_access_list.allowed_ip_addresses: Recipient IP address allowlist.
unityCatalog	deleteRecipient	Provider deletes a data recipient.	name: The name of the recipient.
unityCatalog	getRecipient	Provider requests details about a data recipient.	name: The name of the recipient.
unityCatalog	listRecipients	Provider requests a list of all their data recipients.	none
unityCatalog	rotateRecipientToken	Provider rotates a recipient’s token.	name: The name of the recipient. comment: The comment given in the rotation command.
unityCatalog	updateRecipient	Provider updates a data recipient’s attributes.	name: The name of the recipient. updates: A JSON representation of recipient attributes that were added or removed from the share.
unityCatalog	createShare	Provider updates a data recipient’s attributes.	name: The name of the share. comment: The comment for the share.
unityCatalog	deleteShare	Provider updates a data recipient’s attributes.	name: The name of the share.
unityCatalog	getShare	Provider requests details about a share.	name: The name of the share. include_shared_objects: Whether the share’s table names were included in the request.
unityCatalog	updateShare	Provider adds or removes data assets from a share.	name: The name of the share. updates: A JSON representation of data assets that were added or removed from the share. Each item includes action (add or remove), name (the actual name of the table), shared_as (the name the asset was shared as, if different from the actual name), and partition_specification (if a partition specification was provided).
unityCatalog	listShares	Provider requests a list of their shares.	none
unityCatalog	getSharePermissions	Provider requests details on a share’s permissions.	name: The name of the share.
unityCatalog	updateSharePermissions	Provider updates a share’s permissions.	name: The name of the share. changes: A JSON representation of the updated permissions. Each change includes principal (the user or group to whom permission is granted or revoked), add (the list of permissions that were granted), and remove (the list of permissions that were revoked).
unityCatalog	getRecipientSharePermissions	Provider requests details about a recipient’s share permissions.	name: The name of the share.
unityCatalog	getActivationUrlInfo	Provider requests details about activity on their activation link.	recipient_name: The name of the recipient who opened the activation URL. is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog	generateTemporaryVolumeCredential	Temporary credential is generated for the recipient to access a shared volume.	share_name: The name of the share through which the recipient requests. share_id: The ID of the share. share_owner: The owner of the share. recipient_name: The name of the recipient who requests the credential. recipient_id: The ID of the recipient. volume_full_name: The full 3-level name of the volume. volume_id: The ID of the volume. volume_storage_location: The cloud path of the volume root. operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported. credential_id: The ID of the credential. credential_type: The type of the credential. Value is always StorageCredential. workspace_id: Value is always 0 when the request is for shared volumes.
unityCatalog	generateTemporaryTableCredential	Temporary credential is generated for the recipient to access a shared table.	share_name: The name of the share through which the recipient requests. share_id: The ID of the share. share_owner: The owner of the share. recipient_name: The name of the recipient who requests the credential. recipient_id: The ID of the recipient. table_full_name: The full 3-level name of the table. table_id: The ID of the table. table_url: The cloud path of the table root. operation: Either READ or READ_WRITE. credential_id: The ID of the credential. credential_type: The type of the credential. Value is always StorageCredential. workspace_id: Value is always 0 when the request is for shared tables.

Delta Sharing recipient events

The following events are logged in the data recipient’s account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

• recipient_name: The name of the recipient in the data provider’s system.

• metastore_id: The name of the metastore in the data provider’s system.

• sourceIPAddress: The IP address where the request originated.

Service	Action	Description	Request parameters
unityCatalog	deltaSharingProxyGetTableVersion	A data recipient requests a details on a shared table version.	share: The name of the share. schema: The name of the table’s parent schema. name: The name of the table.
unityCatalog	deltaSharingProxyGetTableMetadata	A data recipient requests a details on a shared table’s metadata.	share: The name of the share. schema: The name of the table’s parent schema. name: The name of the table.
unityCatalog	deltaSharingProxyQueryTable	A data recipient queries a shared table.	share: The name of the share. schema: The name of the table’s parent schema. name: The name of the table. limitHints: The maximum number of rows to return. predicateHints: The predicates included in the query. version: Table version, if change data feed is enabled.
unityCatalog	deltaSharingProxyQueryTableChanges	A data recipient queries change data for a table.	share: The name of the share. schema: The name of the table’s parent schema. name: The name of the table. cdf_options: Change data feed options.
unityCatalog	createProvider	A data recipient creates a provider object.	name: The name of the provider. comment: The comment for the provider.
unityCatalog	updateProvider	A data recipient updates a provider object.	name: The name of the provider. updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner (new owner), and comment.
unityCatalog	deleteProvider	A data recipient deletes a provider object.	name: The name of the provider.
unityCatalog	getProvider	A data recipient requests details about a provider object.	name: The name of the provider.
unityCatalog	listProviders	A data recipient requests a list of providers.	none
unityCatalog	activateProvider	A data recipient activates a provider object.	name: The name of the provider.
unityCatalog	listProviderShares	A data recipient requests a list of a provider’s shares.	name: The name of the provider.
unityCatalog	generateTemporaryVolumeCredential	Temporary credential is generated for the recipient to access a shared volume.	share_name: The name of the share through which the recipient requests. volume_full_name: The full 3-level name of the volume. volume_id: The ID of the volume. operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported. workspace_id: The ID of the workspace that receives the user request.
unityCatalog	generateTemporaryTableCredential	Temporary credential is generated for the recipient to access a shared table.	share_name: The name of the share through which the recipient requests. table_full_name: The full 3-level name of the table. table_id: The ID of the table. operation: Either READ or READ_WRITE. workspace_id: The ID of the workspace that receives the user request.

System log events

Note

The response JSON object in the audit log has a result field that includes the original system log content.

The following syslog event is logged at the workspace level.

Service	Action	Description	Request parameters
syslog	processEvent	The system log processes an event.	instanceId processName

Process monitor log events

The following monit events are logged at the workspace level.

Service	Action	Description	Request parameters
monit	processNotRunning	The monitor is not running.	instanceId processName
monit	processRestarting	The monitor is restarting.	instanceId processName
monit	processStarted	The monitor started.	instanceId processName
monit	processRunning	The monitor is running.	instanceId processName

Additional security monitoring events

For Databricks compute resources in the classic compute plane, such as VMs for clusters and pro or classic SQL warehouses, the following features enable additional monitoring agents:

• Enhanced security monitoring

• Compliance security profile. The compliance security profile is required for the compliance controls for PCI-DSS, HIPAA, and FedRAMP Moderate.

For serverless compute resources, the monitoring agents run if the compliance security profile is enabled and the complaince standard supports serverless compute resources. See Which compute resources get enhanced security and Compliance security profile compliance standards with serverless compute availability.

File integrity monitoring events

The following capsule8-alerts-dataplane events are logged at the workspace level.

Service	Action	Description	Request parameters
capsule8-alerts-dataplane	Heartbeat	A regular event to confirm the monitor is on. Currently runs every 10 minutes.	instanceId
capsule8-alerts-dataplane	Memory Marked Executable	Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers.	instanceId
capsule8-alerts-dataplane	File Integrity Monitor	Monitors the integrity of important system files. Alerts on any unauthorized changes to those files. Databricks defines specific sets of system paths on the image, and this set of paths might change over time.	instanceId
capsule8-alerts-dataplane	Systemd Unit File Modified	Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl.	instanceId
capsule8-alerts-dataplane	Repeated Program Crashes	Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.	instanceId
capsule8-alerts-dataplane	Userfaultfd Usage	As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container.	instanceId
capsule8-alerts-dataplane	New File Executed in Container	Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers.	instanceId
capsule8-alerts-dataplane	Suspicious Interactive Shell	Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells.	instanceId
capsule8-alerts-dataplane	User Command Logging Evasion	Evading command logging is common practice for attackers, but might also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging.	instanceId
capsule8-alerts-dataplane	BPF Program Executed	Detects some types of kernel backdoors. The loading of a new Berkeley Packet Filter (BPF) program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Kernel Module Loaded	Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Suspicious Program Name Executed-Space After File	Attackers might create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name.	instanceId
capsule8-alerts-dataplane	Illegal Elevation Of Privileges	Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means. This can issue false positive alerts on nodes with significant workloads.	instanceId
capsule8-alerts-dataplane	Kernel Exploit	Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to user space.	instanceId
capsule8-alerts-dataplane	Processor-Level Protections Disabled	SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.	instanceId
capsule8-alerts-dataplane	Container Escape via Kernel Exploitation	Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access.	instanceId
capsule8-alerts-dataplane	Privileged Container Launched	Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn’t a known privileged image such as kube-proxy. This can issue unwanted alerts for legitimate privileged containers.	instanceId
capsule8-alerts-dataplane	Userland Container Escape	Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.	instanceId
capsule8-alerts-dataplane	AppArmor Disabled In Kernel	Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.	instanceId
capsule8-alerts-dataplane	AppArmor Profile Modified	Attackers might attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session.	instanceId
capsule8-alerts-dataplane	Boot Files Modified	If not performed by a trusted source (such as a package manager or configuration management tool), modification of boot files could indicate an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.	instanceId
capsule8-alerts-dataplane	Log Files Deleted	Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.	instanceId
capsule8-alerts-dataplane	New File Executed	Newly created files from sources other than system update programs might be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.	instanceId
capsule8-alerts-dataplane	Root Certificate Store Modified	Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.	instanceId
capsule8-alerts-dataplane	Setuid/Setgid Bit Set On File	Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls.	instanceId
capsule8-alerts-dataplane	Hidden File Created	Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident.	instanceId
capsule8-alerts-dataplane	Modification Of Common System Utilities	Attackers might modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process.	instanceId
capsule8-alerts-dataplane	Network Service Scanner Executed	An attacker or rogue user might use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.	instanceId
capsule8-alerts-dataplane	Network Service Created	Attackers might start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Network Sniffing Program Executed	An attacker or rogue user might execute network sniffing commands to capture credentials, personally-identifiable information (PII), or other sensitive information. Alerts when a program is executed that allows network capture.	instanceId
capsule8-alerts-dataplane	Remote File Copy Detected	Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Unusual Outbound Connection Detected	Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Data Archived Via Program	After gaining access to a system, an attacker might create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Process Injection	Use of process injection techniques commonly indicates that a user is debugging a program, but might also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.	instanceId
capsule8-alerts-dataplane	Account Enumeration Via Program	Attackers often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	File and Directory Discovery Via Program	Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Network Configuration Enumeration Via Program	Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Process Enumeration Via Program	Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	System Information Enumeration Via Program	Attackers commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	Scheduled Tasks Modified Via Program	Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the crontab, at, or batch commands are used to modify scheduled task configurations.	instanceId
capsule8-alerts-dataplane	Systemctl Usage Detected	Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.	instanceId
capsule8-alerts-dataplane	User Execution Of su Command	Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the su command is executed.	instanceId
capsule8-alerts-dataplane	User Execution Of sudo Command	Alerts when the sudo command is executed.	instanceId
capsule8-alerts-dataplane	User Command History Cleared	Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.	instanceId
capsule8-alerts-dataplane	New System User Added	An attacker might add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file /etc/passwd, if the entity is not added by a system update program.	instanceId
capsule8-alerts-dataplane	Password Database Modification	Attackers might directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.	instanceId
capsule8-alerts-dataplane	SSH Authorized Keys Modification	Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user’s SSH authorized_keys file is observed, if the program is already part of an ongoing incident.	instanceId
capsule8-alerts-dataplane	User Account Created Via CLI	Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.	instanceId
capsule8-alerts-dataplane	User Configuration Changes	Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.	instanceId
capsule8-alerts-dataplane	New System User Added	User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when .bash_profile and bashrc (as well as related files) are modified by a program other than a system update tool.	instanceId

Antivirus monitoring events

Note

The response JSON object in these audit logs always has a result field that includes one line of the original scan result. Each scan result is represented typically by multiple audit log records, one for each line of the original scan output. For details of what could appear in this file, see the following third-party documentation.

The following clamAVScanService-dataplane event is logged at the workspace level.

Service	Action	Description	Request parameters
clamAVScanService-dataplane	clamAVScanAction	The antivirus monitoring performs a scan. A log will generate for each line of the original scan output.	instanceId

Deprecated log events

Databricks has deprecated the following databrickssql audit events:

• createAlertDestination (now createNotificationDestination)

• deleteAlertDestination (now deleteNotificationDestination)

• updateAlertDestination (now updateNotificationDestination)

• muteAlert

• unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

• changeEndpointAcls

• createEndpoint

• editEndpoint

• startEndpoint

• stopEndpoint

• deleteEndpoint

• setEndpointConfig