Network access events system table reference

Preview

This system table is in Public Preview.

The network access events tables record events where network access is denied. Each row represents an individual event, such as a blocked outbound request to an external domain or a blocked inbound request from a restricted IP.

Outbound network access events system table schema

The outbound network access events table records events where outbound access from a workspace to an external destination is denied by an egress policy. For example, if a user attempts to access "google.com" from a notebook and fails, the event is logged.

Table path: This system table is located at system.access.outbound_network.

Column name	Data type	Description	Example
account_id	string	The ID of the Databricks account	7af234db-66d7-4db3-bbf0-956098224879
workspace_id	string	The ID of the workspace where the event occurred	1234567890123456
event_id	string	The ID of the event	db52a413-7a0a-4d49-b742-7ae5f06bc4b2
destination_type	string	The type of destination. Possible values are DNS, IP, and STORAGE	DNS
destination	string	Details of the blocked destination. Depending on the destination type, the value could be a domain name, IP address, or storage location.	google.com
dns_event	struct	Details about the DNS destination. Only populates for DNS destinations, otherwise the field is NULL.	{ "domain_name":"google.com", "rcode": 3 }
storage_event	struct	Details about the storage destination. Only populates for storage destinations, otherwise the field is NULL.	{ "hostname":"s3://some-bucket", "path": "/some-path", "rejection_reason": "storage-bucket-path-denied" }
event_time	timestamp	Timestamp when the event took place	2024-05-01T01:01:01.123
access_type	string	Type of access event that occurred.	DROP
network_source_type	string	The specific product or service used within the workspace where the event occurred.	DBSQL, General Compute, MLServing, ML Build, Apps

Sample queries

The following sample queries help you gain insight into denial logs in your account:

• Get all the denial logs for a given workspace for a given time range.
• To drill down for a given error

Get all the denial logs for a given workspace for a given time range.

SQL

SELECT
    event_id, destination_type, destination
    COUNT(*) AS destination_count
FROM
    system.access.outbound_network
WHERE
    event_time > '2024-09-25'
    AND event_time < '2024-09-26'
    AND account_id = <id>
    AND workspace_id = <id>
GROUP BY
    destination;

To drill down for a given error

SQL

SELECT
    storage_event.hostname, storage_event.path, storage_event.rejection_reason
FROM
    system.access.outbound_network AS storage_event
WHERE
    event_time > '2024-09-25'
    AND event_time < '2024-09-26'
    AND account_id = <id>
    AND workspace_id = <id>
    AND destination = 'storage path';

Inbound network access events system table schema

The inbound network access events table records events where inbound access to a workspace is denied by an ingress policy. For example, if a user attempts to connect to a workspace from a blocked IP address, the failed attempt is logged. Context-based ingress control is in Beta.

Table path: This system table is located at system.access.inbound_network.

Column name	Data type	Description	Example
account_id	string	The ID of the Databricks account.	7af234db-66d7-4db3-bbf0-956098224879
workspace_id	string	The ID of the workspace where the event occurred.	1234567890123456
event_id	string	The ID of the event.	db52a413-7a0a-4d49-b742-7ae5f06bc4b2
request_path	string	The destination of the request.	/compute
source	struct	The source of the request. Contains IP, private link, and related attributes.	{ "ip": "10.0.0.1", "private-link": "some-pl-id" }
authenticated_as	string	The authenticated identity of the request. Must be one of the following: <user>@<domain-name> <sp-application-id> group_name	user@databricks.com
policy_id	string	The ID of the ingress policy that evaluated the request.	fbc3a2a1-ef12-43b8-9e88-f024ac219ba5
event_time	timestamp	Timestamp when the event took place.	2024-05-01T01:01:01.123
policy_outcome	string	Type of access event outcome. Possible values are DENY or DENY_DRY_RUN.	DENY

Sample queries

The following sample queries help you analyze ingress denial logs in your account:

Get all denied inbound requests for the last 2 hours

SQL

SELECT *
FROM system.access.inbound_network
WHERE event_time >= current_timestamp() - interval 2 hour
ORDER BY event_time DESC;

Count denied requests by source IP

SQL

SELECT
    source.ip,
    COUNT(*) AS deny_count
FROM
    system.access.inbound_network
WHERE
    event_time >= '2025-09-01'
    AND event_time < '2025-09-02'
    AND account_id = <id>
    AND workspace_id = <id>
GROUP BY
    source.ip
ORDER BY
    deny_count DESC;

To drill down for a given error

SQL

SELECT
    request_path,
    source.ip AS source_ip,
    authenticated_as,
    policy_outcome
FROM
    system.access.inbound_network
WHERE
    event_time > '2025-09-01'
    AND event_time < '2025-09-02'
    AND account_id = <id>
    AND workspace_id = <id>
    AND request_path = '/compute';