Network access events system table reference

Preview

This system table is in Public Preview.

The network access events tables record events where network access is denied. Each row represents an individual event, such as a blocked outbound request to an external domain or a blocked inbound request from a restricted IP.

Outbound network access events system table schema

The outbound network access events table records events where outbound access from a workspace to an external destination is denied by an egress policy. For example, if a user attempts to access "google.com" from a notebook and fails, the event is logged.

Table path: This system table is located at system.access.outbound_network.

| Column name | Data type | Description | Example |
| --- | --- | --- | --- |
| account_id | string | The ID of the Databricks account | 7af234db-66d7-4db3-bbf0-956098224879 |
| workspace_id | string | The ID of the workspace where the event occurred | 1234567890123456 |
| event_id | string | The ID of the event | db52a413-7a0a-4d49-b742-7ae5f06bc4b2 |
| destination_type | string | The type of destination. Possible values are DNS, IP, and STORAGE | DNS |
| destination | string | Details of the blocked destination. Depending on the destination type, the value could be a domain name, IP address, or storage location. | google.com |
| dns_event | struct | Details about the DNS destination. Only populates for DNS destinations, otherwise the field is NULL. | { "domain_name":"google.com", "rcode": 3 } |
| storage_event | struct | Details about the storage destination. Only populates for storage destinations, otherwise the field is NULL. | { "hostname":"s3://some-bucket", "path": "/some-path", "rejection_reason": "storage-bucket-path-denied" } |
| event_time | timestamp | Timestamp when the event took place | 2024-05-01T01:01:01.123 |
| access_type | string | Type of access event that occurred. | DROP |
| network_source_type | string | The specific product or service used within the workspace where the event occurred. | DBSQL, General Compute, MLServing, ML Build, Apps |

Sample queries

The following sample queries help you gain insight into denial logs in your account:

Get all the denial logs for a given workspace for a given time range.

SQL
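-- One row per blocked destination with its denial count.
-- event_id is unique per event, so it is not selected alongside COUNT(*).
SELECT
  destination_type,
  destination,
  COUNT(*) AS destination_count
FROM
  system.access.outbound_network
WHERE
  event_time > '2024-09-25'
  AND event_time < '2024-09-26'
  AND account_id = <id>
  AND workspace_id = <id>
GROUP BY
  destination_type,
  destination;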

To drill down for a given error

SQL
-- storage_event is a struct column of the table; the table is not aliased
-- so that storage_event.<field> resolves to the struct's fields.
SELECT
  storage_event.hostname,
  storage_event.path,
  storage_event.rejection_reason
FROM
  system.access.outbound_network
WHERE
  event_time > '2024-09-25'
  AND event_time < '2024-09-26'
  AND account_id = <id>
  AND workspace_id = <id>
  AND destination = 'storage path';
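
An added example (not part of the original reference): an hourly rollup of denied DNS egress per workspace and compute source, built only from the columns in the schema above. The 24-hour window and the threshold of 20 are constructed values to tune for your environment.

```sql
-- Added example: hourly rollup of denied DNS lookups, to surface a workspace
-- or compute source that repeatedly hits the egress policy.
WITH dns_denials AS (
  SELECT
    workspace_id,
    network_source_type,
    date_trunc('HOUR', event_time) AS event_hour,
    lower(dns_event.domain_name)   AS domain_name
  FROM
    system.access.outbound_network
  WHERE
    event_time >= current_timestamp() - INTERVAL 24 HOUR  -- constructed window
    AND destination_type = 'DNS'
    AND dns_event IS NOT NULL  -- dns_event is NULL for non-DNS destinations
)
SELECT
  workspace_id,
  network_source_type,
  event_hour,
  COUNT(*)                    AS denied_lookups,
  COUNT(DISTINCT domain_name) AS distinct_domains,
  -- Up to 10 denied domains, sorted, for quick triage
  slice(array_sort(collect_set(domain_name)), 1, 10) AS sample_domains
FROM
  dns_denials
GROUP BY
  workspace_id,
  network_source_type,
  event_hour
HAVING
  COUNT(*) >= 20  -- constructed threshold; tune to your baseline
ORDER BY
  denied_lookups DESC;
```

A high distinct_domains count from one source in one hour usually points at a missing allowlist entry for a dependency or at a workload that needs review.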

Inbound network access events system table schema

The inbound network access events table records events where inbound access to a workspace is denied by an ingress policy. For example, if a user attempts to connect to a workspace from a blocked IP address, the failed attempt is logged. Context-based ingress control is in Beta.

Table path: This system table is located at system.access.inbound_network.

| Column name | Data type | Description | Example |
| --- | --- | --- | --- |
| account_id | string | The ID of the Databricks account. | 7af234db-66d7-4db3-bbf0-956098224879 |
| workspace_id | string | The ID of the workspace where the event occurred. | 1234567890123456 |
| event_id | string | The ID of the event. | db52a413-7a0a-4d49-b742-7ae5f06bc4b2 |
| request_path | string | The destination of the request. | /compute |
| source | struct | The source of the request. Contains IP, private link, and related attributes. | { "ip": "10.0.0.1", "private-link": "some-pl-id" } |
| authenticated_as | string | The authenticated identity of the request. Must be one of the following: <user>@<domain-name>, <sp-application-id>, group_name | user@databricks.com |
| policy_id | string | The ID of the ingress policy that evaluated the request. | fbc3a2a1-ef12-43b8-9e88-f024ac219ba5 |
| event_time | timestamp | Timestamp when the event took place. | 2024-05-01T01:01:01.123 |
| policy_outcome | string | Type of access event outcome. Possible values are DENY or DENY_DRY_RUN. | DENY |

Sample queries

The following sample queries help you analyze ingress denial logs in your account:

Get all denied inbound requests for the last 2 hours

SQL
SELECT *
FROM system.access.inbound_network
WHERE event_time >= current_timestamp() - interval 2 hour
ORDER BY event_time DESC;

Count denied requests by source IP

SQL
SELECT
source.ip,
COUNT(*) AS deny_count
FROM
system.access.inbound_network
WHERE
event_time >= '2025-09-01'
AND event_time < '2025-09-02'
AND account_id = <id>
AND workspace_id = <id>
GROUP BY
source.ip
ORDER BY
deny_count DESC;

To drill down for a given error

SQL
SELECT
request_path,
source.ip AS source_ip,
authenticated_as,
policy_outcome
FROM
system.access.inbound_network
WHERE
event_time > '2025-09-01'
AND event_time < '2025-09-02'
AND account_id = <id>
AND workspace_id = <id>
AND request_path = '/compute';
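
An added example (not part of the original reference): a per-policy review of who and what an ingress policy is matching, split by the two policy_outcome values listed in the schema. It assumes DENY_DRY_RUN marks requests that a policy matched in dry-run mode; the 7-day window is a constructed value.

```sql
-- Added example: review ingress policy matches before and after enforcement.
-- Assumption: DENY_DRY_RUN rows are requests a dry-run policy matched.
SELECT
  policy_id,
  authenticated_as,
  source.ip AS source_ip,
  request_path,
  COUNT_IF(policy_outcome = 'DENY')         AS enforced_denies,
  COUNT_IF(policy_outcome = 'DENY_DRY_RUN') AS dry_run_denies,
  MIN(event_time) AS first_seen,
  MAX(event_time) AS last_seen
FROM
  system.access.inbound_network
WHERE
  event_time >= current_timestamp() - INTERVAL 7 DAY  -- constructed window
GROUP BY
  policy_id,
  authenticated_as,
  source.ip,
  request_path
HAVING
  COUNT_IF(policy_outcome = 'DENY_DRY_RUN') > 0
ORDER BY
  dry_run_denies DESC;
```

Rows where authenticated_as is a known service principal or an expected user are the ones to resolve before a dry-run policy is switched to enforcement.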