Network access events system table reference
This system table is in Public Preview.
The network access events tables record events where network access is denied. Each row represents an individual event, such as a blocked outbound request to an external domain or a blocked inbound request from a restricted IP.
Outbound network access events system table schema
The outbound network access events table records events where outbound access from a workspace to an external destination is denied by an egress policy. For example, if a user attempts to access "google.com" from a notebook and fails, the event is logged.
Table path: This system table is located at system.access.outbound_network
.
Column name | Data type | Description | Example |
---|---|---|---|
| string | The ID of the Databricks account |
|
| string | The ID of the workspace where the event occurred |
|
| string | The ID of the event |
|
| string | The type of destination. Possible values are |
|
| string | Details of the blocked destination. Depending on the destination type, the value could be a domain name, IP address, or storage location. |
|
| struct | Details about the DNS destination. Only populates for DNS destinations, otherwise the field is |
|
| struct | Details about the storage destination. Only populates for storage destinations, otherwise the field is |
|
| timestamp | Timestamp when the event took place |
|
| string | Type of access event that occurred. |
|
| string | The specific product or service used within the workspace where the event occurred. |
|
Sample queries
The following sample queries help you gain insight into denial logs in your account:
- Get all the denial logs for a given workspace for a given time range.
- To drill down for a given error
Get all the denial logs for a given workspace for a given time range.
SELECT
event_id, destination_type, destination
COUNT(*) AS destination_count
FROM
system.access.outbound_network
WHERE
event_time > '2024-09-25'
AND event_time < '2024-09-26'
AND account_id = <id>
AND workspace_id = <id>
GROUP BY
destination;
To drill down for a given error
SELECT
storage_event.hostname, storage_event.path, storage_event.rejection_reason
FROM
system.access.outbound_network AS storage_event
WHERE
event_time > '2024-09-25'
AND event_time < '2024-09-26'
AND account_id = <id>
AND workspace_id = <id>
AND destination = 'storage path';
Inbound network access events system table schema
The inbound network access events table records events where inbound access to a workspace is denied by an ingress policy. For example, if a user attempts to connect to a workspace from a blocked IP address, the failed attempt is logged. Context-based ingress control is in Beta.
Table path: This system table is located at system.access.inbound_network
.
Column name | Data type | Description | Example |
---|---|---|---|
| string | The ID of the Databricks account. |
|
| string | The ID of the workspace where the event occurred. |
|
| string | The ID of the event. |
|
| string | The destination of the request. |
|
| struct | The source of the request. Contains IP, private link, and related attributes. |
|
| string | The authenticated identity of the request. Must be one of the following:
|
|
| string | The ID of the ingress policy that evaluated the request. |
|
| timestamp | Timestamp when the event took place. |
|
| string | Type of access event outcome. Possible values are |
|
Sample queries
The following sample queries help you analyze ingress denial logs in your account:
Get all denied inbound requests for the last 2 hours
SELECT *
FROM system.access.inbound_network
WHERE event_time >= current_timestamp() - interval 2 hour
ORDER BY event_time DESC;
Count denied requests by source IP
SELECT
source.ip,
COUNT(*) AS deny_count
FROM
system.access.inbound_network
WHERE
event_time >= '2025-09-01'
AND event_time < '2025-09-02'
AND account_id = <id>
AND workspace_id = <id>
GROUP BY
source.ip
ORDER BY
deny_count DESC;
To drill down for a given error
SELECT
request_path,
source.ip AS source_ip,
authenticated_as,
policy_outcome
FROM
system.access.inbound_network
WHERE
event_time > '2025-09-01'
AND event_time < '2025-09-02'
AND account_id = <id>
AND workspace_id = <id>
AND request_path = '/compute';