Audit log reference
This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the audit logs, your enterprise can monitor detailed Databricks usage patterns in your account.
To access and query your account's audit logs, use the audit log system table (Public Preview).
Audit log considerations
- The services in this reference are organized by
audit_level, with workspace-level actions presented first and account-level actions following. - Because account-level actions aren't specific to a single workspace, the
workspace_idin account-level logs is recorded as0. - Most audit logs are only accessible from the region in which they are recorded.
Workspace-level events
The following services log audit events at the workspace level.
Authentication events
These events are related to user authentication.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| An OAuth client is authenticated using an in-house OAuth token. |
|
| A user's account login code is authenticated. |
|
| A user logs in to Databricks using X509 certification. |
|
| User logs into Databricks using a JWT. |
|
| User logs into the workspace. |
|
| User logs out of the workspace. |
|
| User registers a new security key. | |
| User deletes a security key. |
|
| User logs into Databricks using MFA. |
|
| An in-house OAuth authorization code is minted. |
|
| An in-house OAuth token is minted. |
|
| A user logs in to Databricks using multi-factor authentication. |
|
| A user logs in to Databricks using an OpenID Connect browser workflow. |
|
| When an API call is authorized through a generic OIDC/OAuth token. |
|
| User logs in to Databricks through SAML SSO. |
|
| A user logs into Databricks using a token. |
|
| A user's workspace-scoped login code is authenticated. |
|
User and group management events
These events are related to user and group management.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| A user is reactivated after being deactivated. See Deactivate users in workspace. |
|
| A user is added to a Databricks workspace. |
|
| A user account is added using an X509 certificate for authentication. | |
| A user is added to a workspace-level group. |
|
| Multiple users are added to a workspace-level group. |
|
| A user's Databricks SQL permissions are changed. |
|
| Permissions to a workspace are changed. |
|
| Permissions to a workspace directory are changed. |
|
| A user's password is changed. |
|
| Password changing permissions are changed in the account. |
|
| When a service principal's permissions are changed. |
|
| A workspace-level group is created. |
|
| A user is deactivated in the workspace. See Deactivate users in workspace. |
|
| A user is deleted from the Databricks workspace. |
|
| A user's personally identifiable information is purged after they have not belonged to any running workspaces for at least 7 days. | |
| Cluster access control is disabled for the workspace. |
|
| Table access control is disabled for the workspace. |
|
| Workspace access control is disabled for the workspace. |
|
| Cluster access control is enabled for the workspace. |
|
| Table access control is enabled for the workspace. |
|
| Workspace access control is enabled for the workspace. |
|
| A user is revoked of workspace admin permissions. |
|
| A group is removed from the workspace. |
|
| A user is removed from a group. |
|
| Multiple users are removed from a workspace-level group. |
|
| A user's password is reset. |
|
| A user is granted account admin permissions. |
|
| A group's properties are updated. |
|
| An account admin updates a user's account. |
|
| A user sign-up attempt is denied because the email domain is not allowed. |
|
| When a user validates their email after account creation. |
|
Token management events
These events are related to token management.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| A batch operation reduces token scopes as part of automated scope enforcement. |
|
| Permissions on an access token are changed. |
|
| A Databricks access token is disabled. |
|
| A user runs a garbage collect command on expired tokens. |
|
| When someone generates a token from User Settings or when the service generates the token. |
|
| When the current number of non-expired tokens exceeds the token quota. | |
| A user's token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account. |
|
| A Databricks access token is revoked because the token quota was exceeded. | |
| A Databricks access token is updated. |
|
| An on-behalf-of token is updated. |
|
IP access list events
These events are related to IP access lists.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| An IP access list is added to the workspace. |
|
| An IP access list is deleted from the workspace. |
|
| A user attempts to connect to the service through a denied IP. |
|
|
| |
| An IP access list is changed. |
|
Groups events
These events are logged at the workspace level. This service includes events related to account and workspace groups. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Authentication events and Account-level authentication events.
These events are logged under the service_name of groups.
action_name | Description | request_params |
|---|---|---|
| An admin adds a user to a group. |
|
| An admin creates a group. |
|
| An admin views group members. |
|
| An admin views a list of groups | none |
| An admin views inherited groups | none |
| An admin removes a group. |
|
IAM role events
The following event is logged at the workspace level.
These events are logged under the service_name of iamRole.
action_name | Description | request_params |
|---|---|---|
| A workspace admin changes permissions for an IAM role. |
|
AI/BI dashboard events
These events are logged at the workspace level. This service includes events related to AI/BI dashboards.
These events are logged under the service_name of dashboards.
action_name | Description | request_params |
|---|---|---|
| A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard. |
|
| A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email. |
|
| A user executes a query from a dashboard. |
|
| A user cancels a query from a dashboard. |
|
| A user receives the results of a query from a dashboard. |
|
| A user downloads a PDF snapshot of a dashboard. |
|
| A PDF snapshot of a dashboard is sent through a scheduled email or notification destination. |
|
| A user accesses details of a draft dashboard, such as datasets and widgets. |
|
| A user creates a new AI/BI dashboard using the UI or API. |
|
| A user makes an update to an AI/BI dashboard using the UI or API. |
|
| A user clones an AI/BI dashboard. |
|
| A user publishes an AI/BI dashboard with shared or individual data permissions using the UI or API. |
|
| A user unpublishes a published AI/BI dashboard using the UI or API. |
|
| A user moves a dashboard to the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events. |
|
| A user restores an AI/BI dashboard from the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events. |
|
| A user migrates a DBSQL dashboard to an AI/BI dashboard. |
|
| A user creates an email subscription schedule. |
|
| A user makes an update to an AI/BI dashboard's schedule. |
|
| A user deletes an AI/BI dashboard's schedule. |
|
| A user subscribes an email destination to an AI/BI dashboard schedule. |
|
| A user deletes an email destination from an AI/BI dashboard schedule. |
|
Alerts events
This feature is in Beta. Workspace admins can control access to this feature from the Previews page. See Manage Databricks previews.
These events are logged at the workspace level. This service includes events related to alerts.
This service does not record legacy alert events. Legacy alert events are logged under the databrickssql service.
These events are logged under the service_name of alerts.
action_name | Description | request_params |
|---|---|---|
| A user creates an alert using the Alerts V2 API. |
|
| A user gets an alert using the Alerts V2 API. |
|
| A user deletes an alert using the Alerts V2 API. |
|
| A user updates an alert using the Alerts V2 API. |
|
| A user clones an existing alert. |
|
| A user creates a new alert. |
|
| A user gets information about an alert using the UI. |
|
| The Test condition feature returns the results of the alert test. |
|
| A user uses the Test condition feature to preview and test their alert. |
|
| A user clicks the Run now button to run the alert query immediately. |
|
| A user updates the details of an alert. |
|
Clusters events
These events are logged at the workspace level. This service includes events related to classic clusters.
These events are logged under the service_name of clusters.
action_name | Description | request_params |
|---|---|---|
| A cluster is automatically updated. |
|
| A user changes the cluster ACL. |
|
| A user changes the owner of a cluster. |
|
| A user creates a cluster. |
|
| Results from cluster creation. In conjunction with |
|
| A cluster is terminated. |
|
| Results from cluster termination. In conjunction with |
|
| A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior. |
|
| A cluster is deleted from the UI. |
|
| Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior. |
|
| Results from cluster resize. In conjunction with |
|
| A user restarts a running cluster. |
|
| Results from cluster restart. In conjunction with |
|
| A user starts a cluster. |
|
| Results from cluster start. In conjunction with |
|
Cluster libraries events
These events logged at the workspace level. This service includes events related to compute-scoped libraries.
These events are logged under the service_name of clusterLibraries.
action_name | Description | request_params |
|---|---|---|
| User installs a library on a cluster. |
|
| User uninstalls a library on a cluster. |
|
Cluster policy events
These events are logged at the workspace level. This service includes events related to compute policies.
These events are logged under the service_name of clusterPolicies.
action_name | Description | request_params |
|---|---|---|
| A user created a cluster policy. |
|
| A user edited a cluster policy. |
|
| A user deleted a cluster policy. |
|
| A workspace admin changes permissions for a cluster policy. |
|
Genie chat events
These events are logged at the workspace level. This service covers Genie chat conversation tooling and internal RPCs. It is separate from the aibiGenie service, which covers Genie Spaces.
These events are logged under the service_name of genieChat.
action_name | Description | request_params |
|---|---|---|
| A user cancels an in-progress Genie chat conversation. |
|
| A user creates a scheduled Genie chat task. |
|
| A user deletes a Genie chat conversation. |
|
| An administrator deletes all Genie chat data associated with a workspace. | |
| A user deletes a scheduled Genie chat task. |
|
| A user retrieves a Genie chat conversation. |
|
| A user retrieves a scheduled Genie chat task. |
|
| A user invokes a tool on an MCP (Model Context Protocol) server through Databricks. | |
| The Genie agent invokes an MCP tool. One event is logged per tool call. | |
| A user steers a Genie chat conversation. |
|
| A user submits feedback on a Genie chat conversation. |
|
| A user updates the sharing settings of a Genie chat conversation. |
|
| A user updates a scheduled Genie chat task. |
|
Genie Space events
These events are logged at the workspace level. This service includes events related to Genie Spaces.
These events are logged under the service_name of aibiGenie.
action_name | Description | request_params |
|---|---|---|
| A user creates a new Genie Space. The | |
| A user uploads a new file to a Genie conversation |
|
| A user deletes a file from a Genie conversation |
|
| A user accesses the Genie Space. |
|
| A user lists all available Genie Spaces. | |
| A user updates the settings of a Genie Space. This can include the title, description, warehouse, tables, sample questions, and the Run as setting, which determines if a shared space embeds the publisher's credentials or authenticates with the viewer's credentials. |
|
| A Genie Space is moved to trash. |
|
| A user clones a Genie Space. |
|
| A user adds data sources to a Genie Space. |
|
| A user removes data sources from a Genie Space. |
|
| A user updates column configurations for a Genie Space, including visibility, indexing, and sampling settings. |
|
| A user accesses details about a Genie Space using the API. |
|
| A user creates a new conversation thread in the Genie Space. |
|
| A user opens the list of conversations in the Genie Space. |
|
| A user starts a conversation thread with a message using the API. |
|
| A user opens a conversation thread in the Genie Space. |
|
| A user updates a conversation thread's title. |
|
| A user deletes a conversation thread in the Genie Space. |
|
| A user accesses the list of shares for a conversation. |
|
| A user accesses the details of a conversation share. |
|
| A user updates the sharing settings of a conversation. |
|
| A user submits a new message to the Genie Space. |
|
| A user creates a new message in a conversation using the API. |
|
| A user accesses a message in the Genie Space. |
|
| A user retrieves a specific message in a conversation using the API. |
|
| A user deletes an existing message. |
|
| A user regenerates a message response. |
|
| A user updates an existing message. |
|
| A user submits a feedback rating on a message. |
|
| A user creates an attachment on a message. |
|
| A user updates an attachment on a message. |
|
| A user cancels a running message in a Genie Space. |
|
| A user accesses the list of messages in a Genie Space. |
|
| A user accesses the list of their own messages in a Genie Space. |
|
| A user checks the status of a file upload job in a conversation. |
|
| Genie retrieves the query results associated with a message using the API. |
|
| A user retrieves the query results for message attachments using the API. |
|
| A user retrieves the full query results using the API (up to ~1GB in size). |
|
| Genie executes generated SQL to return query results, including refresh data actions using the API. |
|
| Genie executes a query for message attachment results using the API. |
|
| Genie retrieves the query results associated with a message. |
|
| A user executes a query in a Genie Space. |
|
| A user retrieves query results from a Genie Space. |
|
| A user executes a query associated with a message. |
|
| A user executes a query for a message attachment. |
|
| A user retrieves query results for a message attachment. |
|
| Genie summarizes the results of a SQL query execution. |
|
| A user cancels a running SQL statement in a Genie Space. |
|
| A user creates an instruction for a Genie Space. |
|
| A user navigates to the Instructions tab or the Data tab. |
|
| A user updates an instruction for a Genie Space. |
|
| A user deletes an instruction for a Genie Space. |
|
| A user updates the default sample questions for the space. |
|
| A user creates a sample question or benchmark question. |
|
| A user deletes a sample question or benchmark question. |
|
| A user accesses the list of sample questions or benchmark questions in a space. This is logged whenever users open a new chat, view benchmarks, or add sample questions. |
|
| A user updates a sample question or benchmark question. |
|
| Genie creates an evaluation result for a specific question in a benchmark run. |
|
| A user accesses the results for a specific question in a benchmark run. |
|
| A user accesses the query results for a specific question in a benchmark run. |
|
| A user updates their evaluation result for a specific question. |
|
| A user creates a new benchmark run. |
|
| A user accesses the list of results for an benchmark run. |
|
| A user accesses the list of all benchmark runs. |
|
| A user accesses the details of a specific benchmark run. |
|
| A user cancels a running benchmark run. |
|
| A user resumes a previously canceled benchmark run. |
|
| A user deletes an benchmark run. |
|
| A user starts generating benchmark suggestions for a Genie Space. |
|
| A user accesses debug information for a specific benchmark result. |
|
| A user adds a feedback comment to a message. |
|
| A user accesses a list of the feedback comments from a space. |
|
| A user deletes a feedback comment added to a message. |
|
Instance pool events
These events are logged at the workspace level. This service includes events related to pools.
These events are logged under the service_name of instancePools.
action_name | Description | request_params |
|---|---|---|
| A user changes an instance pool's permissions. |
|
| A user creates an instance pool. |
|
| A user deletes an instance pool. |
|
| A user edits an instance pool. |
|
Job events
These events are logged at the workspace level. This service includes events related to jobs.
These events are logged under the service_name of jobs.
action_name | Description | request_params |
|---|---|---|
| A job run is cancelled. |
|
| A user cancels all runs on a job. |
|
| A user updates permissions on a job. |
|
| A user creates a job. |
|
| A user deletes a job. |
|
| A user deletes a job run. |
|
| A user deletes task values for a job run. |
|
| A user makes an API call to get a run output. |
|
| A user repairs a job run. |
|
| A job is reset. |
|
| A user requests the change of a job's permissions. |
|
| Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook. |
|
| A job run fails or is canceled. |
|
| A user triggers an on-demand job run. |
|
| Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include: |
|
| A job run is successful. |
|
| A job schedule is triggered automatically according to its schedule or trigger. |
|
| A webhook is sent either when the job begins, completes, or fails. |
|
| A user sets values for a task. |
|
| A user submits a one-time run via the API. |
|
| A user edits a job's settings. |
|
Lakeflow Spark Declarative Pipelines events
These events are logged at the workspace level. This service includes events related to Lakeflow Spark Declarative Pipelines.
These events are logged under the service_name of deltaPipelines.
action_name | Description | request_params |
|---|---|---|
| A user changes permissions on a pipeline. |
|
| A user creates a declarative pipeline. |
|
| A user deletes a declarative pipeline. |
|
| A user edits a declarative pipeline. |
|
| A user restarts a declarative pipeline. |
|
| A user stops a declarative pipeline. |
|
Lakebase events
These events are logged at the workspace level. This service includes events related to Lakebase.
These events are logged under the service_name of databaseInstances.
action_name | Description | request_params |
|---|---|---|
| A user creates a new database instance. |
|
| A user queries for a database instance. |
|
| A user queries for all database instances. | none |
| A user updates properties on an existing instance. For example, its capacity or whether it is paused. |
|
| A user hard deletes an instance. |
|
| A user modifies permissions on a database instance. | none |
| A user creates and registers a catalog in Unity Catalog for an existing database. |
|
| A user unregisters a registered catalog from Unity Catalog. |
|
| A user queries for a database catalog. |
|
| A user creates a table inside a database on a database instance. |
|
| A user queries for a database table. |
|
| A user deletes a database table from Unity Catalog. |
|
| A user creates a synced table inside a database on a database instance. |
|
| A user queries for a synced table. |
|
| A user deletes a synced table from Unity Catalog. |
|
Cloud storage metadata events
These events are logged at the workspace level. This service includes events related to cloud storage metadata operations used by Auto Loader and file arrival triggers.
These events are logged under the service_name of cloudStorageMetadata.
action_name | Description | request_params |
|---|---|---|
| A user or Auto Loader job fetches a paginated list of file changes (new, updated, or deleted files) from a cloud storage location or Unity Catalog volume. Clients use continuation tokens to incrementally fetch only files that changed since their last read. |
|
| Validates that credentials and cloud resources (queues, subscriptions) are properly configured for file event notifications on a cloud storage location. Called when a user enables managed file notifications for an external location in Unity Catalog. |
|
Ingestion events
The following event is logged at the workspace level and is related to file uploads.
These events are logged under the service_name of ingestion.
action_name | Description | request_params |
|---|---|---|
| A user uploads a file to their Databricks workspace. |
|
Lineage tracking events
These events are logged at the workspace level. This service includes events related to data lineage.
These events are logged under the service_name of lineageTracking.
action_name | Description | request_params |
|---|---|---|
| A user accesses the list of the upstream or downstream columns of a column. |
|
| A user accesses the list of the upstream or downstream securables of a securable. |
|
| A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable. |
|
| A user gets the column lineages for a table and its column. |
|
| A user gets the upstream and downstream lineages of a table. |
|
| A user gets the upstream and downstream table lineages of a job. |
|
| A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function. |
|
| A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version. |
|
| A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.). |
|
| A user gets the frequently joined tables for a table. |
|
| A user gets the frequent queries for a table. |
|
| A user gets the frequent users for a table. |
|
| A user gets the popularity (query count) for a table for the past month. |
|
| A user gets the popular entities (notebooks, jobs, etc.) for a table. |
|
| A user gets the table popularity info for a list of tables. |
|
| A user lists custom lineages for an entity. |
|
| A user lists securables associated with entity events. |
|
Data monitoring events
These events are logged at the workspace level. This service includes events related to Data Quality Monitoring.
These events are logged under the service_name of dataMonitoring.
action_name | Description | request_params |
|---|---|---|
| User cancels a monitor refresh. |
|
| User creates a monitor. |
|
| User deletes a monitor. |
|
| User regenerates a monitor dashboard. |
|
| Monitor is refreshed, either by schedule or manually. |
|
| User makes an update to a monitor. |
|
Request for access events
These events are logged at the workspace level. This service includes events related to access request destinations (Public Preview).
These events are logged under the service_name of request-for-access.
action_name | Description | request_params |
|---|---|---|
| A user updates access request destinations for a Unity Catalog securable. |
|
| A user gets access request destinations for a Unity Catalog securable. |
|
| A user gets access request destinations for a Unity Catalog securable. This is a legacy version of the |
|
| A user gets status information for a Unity Catalog securable. Request for access is considered enabled for a Unity Catalog securable if at least one access request destination exists. |
|
| A user requests access for one or more Unity Catalog securables. |
|
| A user requests access for a single Unity Catalog securable. This is a legacy version of the |
|
| A user updates the status of a workspace-level setting that controls whether all Unity Catalog securables have a default destination assigned. | none |
| A user gets the status of the default destination setting. | none |
Domains events
These events are logged at the workspace level. This service includes events related to Domains.
These events are logged under the service_name of domains.
action_name | Description | request_params |
|---|---|---|
| User creates a domain. |
|
| User updates a domain. |
|
| User deletes a domain. |
|
| User lists available domains. |
Discover Page events
These events are logged at the workspace level. This service includes events related to the Discover Page.
These events are logged under the service_name of discover.
action_name | Description | request_params |
|---|---|---|
| User retrieves the draft version of the Discover Page. |
|
| User retrieves the published version of the Discover Page. |
|
| User updates the draft version of the Discover Page. |
|
| User updates the published version of the Discover Page. |
|
Uniform Iceberg REST API events
These events are logged at the workspace level. These events are logged when users interact with managed Apache Iceberg tables using an external Iceberg-compatible engine that supports the Iceberg REST Catalog API.
These events are logged under the service_name of uniformIcebergRestCatalog.
action_name | Description | request_params |
|---|---|---|
| User gets a catalog configuration. |
|
| User creates a namespace, with an optional set of properties. |
|
| User creates a new Iceberg table. |
|
| User deletes an existing namespace. |
|
| User deletes an existing table. |
|
| User gets properties of a namespace. |
|
| User makes a call to list all namespaces at a specified level. |
|
| User lists all tables under a given namespace. |
|
| User loads vended credentials for a table from the catalog. |
|
| User loads a table from the catalog. |
|
| User loads a view from the catalog. |
|
| User checks if a namespace exists. |
|
| User renames an existing table |
|
| User sends a metrics report |
|
| User checks if a table exists within a given namespace. |
|
| User updates properties for a namespace. |
|
| User updates table metadata. |
|
| User checks if a view exists within a given namespace. |
|
Predictive optimization events
These events are logged at the workspace level. This service includes events related to predictive optimization.
These events are logged under the service_name of predictiveOptimization.
action_name | Description | request_params |
|---|---|---|
| Recorded when predictive optimization updates table and workload metrics so the service can more intelligently schedule optimization operations. |
|
DBFS events
These events are logged at the workspace level. This service includes events related to DBFS.
There are two types of DBFS events: API calls and operational events.
DBFS API events
These audit events are only logged when written through the DBFS REST API.
These events are logged under the service_name of dbfs.
action_name | Description | request_params |
|---|---|---|
| User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS. |
|
| User closes a stream specified by the input handle. |
|
| User opens a stream to write a file to DBFS. |
|
| User deletes the file or directory from DBFS. |
|
| User gets information for a file or directory. |
|
| User creates a new DBFS directory. |
|
| User moves a file from one location to another location within DBFS. |
|
| User uploads a file through the use of a multipart form post to DBFS. |
|
| User reads the contents of a file. |
|
DBFS operational events
These audit events occur at the compute plane.
These events are logged under the service_name of dbfs.
action_name | Description | request_params |
|---|---|---|
| User creates a mount point at a certain DBFS location. |
|
| User removes a mount point at a certain DBFS location. |
|
Files events
These events are logged at the workspace level. This service includes events related to file management, which includes interacting with files using the Files API or in the volumes UI.
These events are logged under the service_name of filesystem.
action_name | Description | request_params |
|---|---|---|
| A user deletes a directory using the Files API or the volumes UI. |
|
| A user lists the contents of a directory using the Files API or the volumes UI. |
|
| A user gets information about a directory using the Files API or the volumes UI. |
|
| A user creates a directory using the Files API or the volumes UI. |
|
| User deletes a file using the Files API or the volumes UI. |
|
| User downloads a file using the Files API or the volumes UI. |
|
| User gets information about a file using the Files API or the volumes UI. |
|
| User uploads a file using the Files API or the volumes UI. |
|
Workspace files events
These events are logged at the workspace level. This service includes events related to workspaces files.
These events are logged under the service_name of workspaceFiles.
action_name | Description | request_params |
|---|---|---|
| A workspace file is read by a user or programmatically as part of a workflow. |
|
| A workspace file is written to by a user or programmatically as part of a workflow. |
|
| A user imports a file into the workspace. |
|
Agent evaluation events
These events are logged at the workspace level. This service includes events related to agent evaluation, including production monitoring, evaluation datasets, human evaluation, and synthetic evaluation data generation.
Production monitoring events
These events are related to production monitoring, including scorers, metric backfill, and trace archival.
These events are logged under the service_name of agentEvaluation.
action_name | Description | request_params |
|---|---|---|
| A user requests LLM-judge assessments on an agent response. |
|
| A user requests an LLM to evaluate an agent response. For example, by invoking a judge created by make_judge. | none |
| A user creates scorers for an experiment. |
|
| A user retrieves scorers for an experiment. |
|
| A user updates scorers for an experiment. |
|
| A user deletes scorers for an experiment. |
|
| A user runs a metric backfill for an experiment. |
|
| A user starts trace archival for an experiment. |
|
| A user stops trace archival for an experiment. |
|
Evaluation dataset events
These events are related to evaluation datasets, including CRUD operations for datasets and dataset records, batch operations, and expectations management.
These events are logged under the service_name of agentEvaluation.
action_name | Description | request_params |
|---|---|---|
| A user creates an evaluation dataset. |
|
| A user retrieves an evaluation dataset. |
|
| A user lists evaluation datasets. |
|
| A user updates an evaluation dataset. |
|
| A user deletes an evaluation dataset. |
|
| A user creates a record in an evaluation dataset. |
|
| A user retrieves a record from an evaluation dataset. |
|
| A user lists records in an evaluation dataset. |
|
| A user updates a record in an evaluation dataset. |
|
| A user deletes a record from an evaluation dataset. |
|
| A user creates multiple records in an evaluation dataset in a single batch operation. |
|
| A user upserts expectations for a record in an evaluation dataset. |
|
Synthetic data generation events
These events are related to synthetic evaluation data generation.
These events are logged under the service_name of agentEvaluation.
action_name | Description | request_params |
|---|---|---|
| A user generates synthetic questions for evaluation. |
|
| A user generates synthetic answers for evaluation. |
|
Review app events
These events are related to review apps for human evaluation, including review app management, labeling sessions, and item management.
These events are logged under the service_name of agentEvaluation.
action_name | Description | request_params |
|---|---|---|
| A user creates a review app for human evaluation. |
|
| A user retrieves a review app. |
|
| A user lists review apps. | none |
| A user updates a review app. |
|
| A user creates a labeling session in a review app. |
|
| A user retrieves a labeling session from a review app. |
|
| A user lists labeling sessions in a review app. |
|
| A user updates a labeling session in a review app. |
|
| A user deletes a labeling session from a review app. |
|
| A user creates multiple items in a labeling session in a single batch operation. |
|
| A user retrieves an item from a labeling session. |
|
| A user lists items in a labeling session. |
|
| A user updates an item in a labeling session. |
|
| A user deletes multiple items from a labeling session in a single batch operation. |
|
Knowledge Assistant events
These events are logged at the workspace level. This service includes events related to managing Knowledge Assistants, their knowledge sources, and example questions, using the SDK or the Agent Bricks UI.
Knowledge Assistant management events
The following events are related to creating, retrieving, updating, listing, and deleting Knowledge Assistants, and to syncing their knowledge sources.
These events are logged under the service_name of knowledgeAssistant.
action_name | Description | request_params |
|---|---|---|
| A user creates a Knowledge Assistant. |
|
| A user retrieves a Knowledge Assistant. |
|
| A user updates a Knowledge Assistant. |
|
| A user deletes a Knowledge Assistant. |
|
| A user lists Knowledge Assistants. | none |
| A user starts a sync of the knowledge sources for a Knowledge Assistant. |
|
Knowledge source events
The following events are related to knowledge sources attached to a Knowledge Assistant.
These events are logged under the service_name of knowledgeAssistant.
action_name | Description | request_params |
|---|---|---|
| A user creates a knowledge source for a Knowledge Assistant. |
|
| A user retrieves a knowledge source. |
|
| A user lists knowledge sources for a Knowledge Assistant. |
|
| A user updates a knowledge source. |
|
| A user deletes a knowledge source. |
|
Example events
The following events are related to example questions and guidelines used to tune a Knowledge Assistant.
These events are logged under the service_name of supervisorAgent.
action_name | Description | request_params |
|---|---|---|
| A user creates an example for a Knowledge Assistant. |
|
| A user retrieves an example. |
|
| A user lists examples for a Knowledge Assistant. |
|
| A user updates an example. |
|
| A user deletes an example. |
|
| A user imports examples for a Knowledge Assistant from a Unity Catalog table. |
|
| A user exports examples for a Knowledge Assistant to a Unity Catalog table. |
|
Supervisor Agent events
These events are logged at the workspace level. This service includes events related to managing Supervisor Agents, their tools, and example questions, using the SDK or the Agent Bricks UI.
Supervisor Agent management events
The following events are related to creating, retrieving, updating, listing, and deleting Supervisor Agents.
These events are logged under the service_name of supervisorAgent.
action_name | Description | request_params |
|---|---|---|
| A user creates a Supervisor Agent. |
|
| A user retrieves a Supervisor Agent. |
|
| A user updates a Supervisor Agent. |
|
| A user deletes a Supervisor Agent. |
|
| A user lists Supervisor Agents. | none |
Tool events
The following events are related to tools attached to a Supervisor Agent.
These events are logged under the service_name of supervisorAgent.
action_name | Description | request_params |
|---|---|---|
| A user adds a tool to a Supervisor Agent. |
|
| A user retrieves a tool. |
|
| A user lists tools for a Supervisor Agent. |
|
| A user updates a tool. |
|
| A user deletes a tool. |
|
Example events
The following events are related to example questions and guidelines used to tune a Supervisor Agent.
These events are logged under the service_name of supervisorAgent.
action_name | Description | request_params |
|---|---|---|
| A user creates an example for a Supervisor Agent. |
|
| A user retrieves an example. |
|
| A user lists examples for a Supervisor Agent. |
|
| A user updates an example. |
|
| A user deletes an example. |
|
MLflow experiment events
These events are logged at the workspace level. This service includes events related to MLflow experiments.
These events are logged under the service_name of mlflowExperiment.
action_name | Description | request_params |
|---|---|---|
| A user creates an MLflow experiment. |
|
| A user deletes an MLflow experiment. |
|
| A user moves an MLflow experiment. |
|
| A user restores an MLflow experiment. |
|
| A user renames an MLflow experiment. |
|
MLflow artifacts with ACL events
These events are logged at the workspace level. This service includes events related to MLflow artifacts with ACLs.
These events are logged under the service_name of mlflowAcledArtifact.
action_name | Description | request_params |
|---|---|---|
| A user makes call to read an artifact. |
|
| A user makes call to write to an artifact. |
|
MLflow model registry events
These events are logged at the workspace level. This service includes events related to the workspace model registry. For activity logs for models in Unity Catalog, see Unity Catalog events.
These events are logged under the service_name of modelRegistry.
action_name | Description | request_params |
|---|---|---|
| A user approves a model version stage transition request. |
|
| A user updates permissions for a registered model. |
|
| A user posts a comment on a model version. |
|
| A user creates a model version. |
|
| A user creates a new registered model |
|
| User creates a webhook for Model Registry events. |
|
| A user creates a model version stage transition request. |
|
| A user deletes a comment on a model version. |
|
| A user deletes a model version. |
|
| A user deletes a model version tag. |
|
| A user deletes a registered model |
|
| A user deletes the tag for a registered model. |
|
| User deletes a Model Registry webhook. |
|
| A user cancels a model version stage transition request. |
|
| Completed asynchronous model copying. |
|
| Batch inference notebook is autogenerated. |
|
| Inference notebook for a declarative pipeline is autogenerated. |
|
| A user gets a URI to download the model version. |
|
| A user gets a URI to download a signed model version. |
|
| A user makes a call to list a model's artifacts. |
|
| A user makes a call to list all registry webhooks in the model. |
|
| A user rejects a model version stage transition request. |
|
| A user renames a registered model |
|
| A user updates the email subscription status for a registered model |
|
| A user sets a model version tag. |
|
| A user sets a model version tag. |
|
| A user updates their email notifications status for the whole registry. |
|
| A user tests the Model Registry webhook. |
|
| A user gets a list of all open stage transition requests for the model version. |
|
| A Model Registry webhook is triggered by an event. |
|
| A user post an edit to a comment on a model version. |
|
| A user updates a Model Registry webhook. |
|
Model serving events
These events are logged at the workspace level. This service includes events related to model serving.
These events are logged under the service_name of serverlessRealTimeInference.
action_name | Description | request_params |
|---|---|---|
| User cancels an in-progress update of a model serving endpoint. |
|
| User updates permissions for an inference endpoint. |
|
| User creates a model serving endpoint. |
|
| User deletes a model serving endpoint. |
|
| Users makes a call to get the query schema preview. |
|
| User updates the usage policy of a serving endpoint. |
|
| User updates the AI Gateway configuration for a serving endpoint, including rate limits, guardrails, inference tables, fallbacks, and usage tracking |
|
| User starts a model serving endpoint. |
|
| User stops a model serving endpoint. |
|
| User updates a model serving endpoint. |
|
Feature store events
These events are logged at the workspace level. This service includes events related to the Databricks Feature Store.
These events are logged under the service_name of featureStore.
action_name | Description | request_params |
|---|---|---|
| A consumer is added to the feature store. |
|
| A data source is added to a feature table. |
|
| A producer is added to a feature table. |
|
| Permissions are changed in a feature table. |
|
| A feature specification is created. |
|
| A feature table is created. |
|
| Features are created in a feature table. |
|
| A feature table is deleted. |
|
| Tags are deleted from a feature table. |
|
| A feature specification YAML is generated. |
|
| A user gets Brickstore online table metadata. |
|
| A user makes a call to get the consumers in a feature table. |
|
| A user gets feature store-wide permissions. | none |
| A user makes a call to get feature tables. |
|
| A user makes a call to get feature table IDs. |
|
| A user makes a call to get features. |
|
| A user makes a call to get Model Serving metadata. |
|
| A user gets online feature tables. |
|
| A user makes a call to get online store details. |
|
| A user gets online stores. |
|
| A user makes a call to get tags for a feature table. |
|
| A feature store client event is logged. |
|
| A feature table is published. |
|
| A user searches for feature tables. |
|
| Tags are added to a feature table. |
|
| A feature table is updated. |
|
Unity Catalog HTTP connection events
These events are logged at the workspace level when requests are proxied through a Unity Catalog HTTP connection, such as when calling external functions or connecting to external MCP servers.
These events are logged under the service_name of ucHttpConnection.
action_name | Description | request_params |
|---|---|---|
| A request is proxied through a Unity Catalog HTTP connection to an external endpoint. |
|
Vector search events
These events are logged at the workspace level. This service includes events related to Vector Search.
These events are logged under the service_name of vectorSearch.
action_name | Description | request_params |
|---|---|---|
| User creates a vector search endpoint. |
|
| User deletes a vector search endpoint. |
|
| User updates permissions on a vector search endpoint. |
|
| User creates a vector search index. |
|
| User deletes a vector search index. |
|
| User changes access control list for an endpoint. |
|
| User queries a vector search index. |
|
| User reads the paginated results of a vector search index query. |
|
| User scans all data in a vector search index. |
|
| User upserts data in a Direct Access vector search index. |
|
| User deletes data in a Direct Access vector search index. |
|
| User queries a vector search index using a low-latency API route. |
|
| User reads the paginated results of a vector search index query using a low-latency API route. |
|
| User scans all data in a vector search index using a low-latency API route. |
|
| User upserts data in a Direct Access vector search index using a low-latency API route. |
|
| User deletes data in a Direct Access vector search index using a low-latency API route. |
|
Databricks SQL events
These events are logged at the workspace level. This service includes events related to Databricks SQL.
If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.
These events are logged under the service_name of databrickssql.
action_name | Description | request_params |
|---|---|---|
| A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API. |
|
| A warehouse manager updates permissions on a SQL warehouse. |
|
| A user clones a folder in the workspace browser. |
|
| Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request. |
|
| Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request. |
|
| A user creates a legacy alert. |
|
| A user creates a new query. |
|
| A user opens a query in SQL editor page or calls the Databricks SQL Get a query API. Only emitted when the legacy SQL editor or Databricks SQL REST API is used. |
|
| A user creates a query draft. Only emitted when the legacy SQL editor is used. |
|
| A user creates a query snippet. |
|
| A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. Only emitted when the legacy SQL editor is used. |
|
| A user with the cluster create entitlement creates a SQL warehouse. |
|
| A user deletes a legacy alert through the API. Excludes deletions from the file browser UI or from the legacy alert interface. |
|
| A workspace admin deletes a notification destination. |
|
| A warehouse manager deletes a SQL warehouse. |
|
| A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI. |
|
| A user deletes a query draft. Only emitted when the legacy SQL editor is used. |
|
| A user deletes a query snippet. |
|
| A user deletes a visualization from a query in the SQL Editor. Only emitted when the legacy SQL editor is used. |
|
| A user downloads a query result from the SQL Editor. Excludes downloads from dashboards. |
|
| A warehouse manager makes edits to a SQL warehouse. |
|
| Generated by one of the following: |
|
| A user runs a saved query. Only emitted when the legacy SQL editor is used. |
|
| A user favorites a query. |
|
| A user clones a query. |
|
| A user opens a legacy alert's details page or calls the legacy get alert API. |
|
| A user gets details for one or more query executions using lookup keys. |
|
| A user gets details for a query execution using the UI. |
|
| A user opens the query history page or calls the Query History List Queries API. |
|
| A user moves an legacy alert to the trash using the API. Excludes deletions from the file browser UI or from the legacy alert interface. |
|
| A user moves a query to the trash. |
|
| A user restores a legacy alert from the trash. |
|
| A user restores a query from the trash. |
|
| A workspace admin updates their workspace's SQL warehouse settings, including configuration parameters and data access properties. |
|
| A SQL warehouse is started. |
|
| A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses. |
|
| A workspace admin transfers the ownership of a dashboard, query, or legacy alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event. |
|
| A user removes a query from their favorites. |
|
| A user makes updates to a legacy alert. |
|
| A workspace admin makes an update to a notification destination. |
|
| A user updates a folder node in the workspace browser. |
|
| A workspace admin makes updates to the workspace's SQL settings. |
|
| A user makes an update to a query. |
|
| A user makes an update to a query draft. Only emitted when the legacy SQL editor is used. |
|
| A user makes an update to a query snippet. |
|
| A user updates a visualization from the SQL Editor. Only emitted when the legacy SQL editor is used. |
|
Notebook events
These events are logged at the workspace level. This service includes events related to notebooks.
These events are logged under the service_name of notebook.
action_name | Description | request_params |
|---|---|---|
| A notebook is attached to a cluster. Also emitted when the new SQL editor is attached to a SQL warehouse. |
|
| A user clones a notebook. |
|
| A notebook folder is created. |
|
| A notebook is created. |
|
| A notebook folder is deleted. |
|
| A notebook is deleted. |
|
| A repository is deleted. |
|
| A notebook is detached from a cluster. Also emitted when the new SQL editor is detached from a SQL warehouse. |
|
| A user downloads query results too large to display in the notebook. Also emitted when the new SQL editor is used to download query results. |
|
| A user downloads query results from a notebook or the new SQL editor. Also emitted when a user views a previous result in execution history. If the log is from a view, |
|
| A user imports a notebook. |
|
| A notebook is modified. |
|
| A notebook folder is moved from one location to another. |
|
| A notebook is moved from one location to another. |
|
| A user opens a notebook using the UI. |
|
| A notebook folder is renamed. |
|
| A notebook is renamed. |
|
| A deleted folder is restored. |
|
| A deleted notebook is restored. |
|
| A deleted repository is restored. |
|
| Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor. |
|
| Generated when a command is submitted for execution in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor. |
|
| Notebook snapshots are taken when either the job service or mlflow is run. |
|
Git folder events
These events are logged at the workspace level. This service includes events related to Databricks Git folders. See also gitCredentials.
These events are logged under the service_name of repos.
action_name | Description | request_params |
|---|---|---|
| A user checks out a branch on the repo. |
|
| A user commits and pushes to a repo. |
|
| A user creates a repo in the workspace |
|
| A user deletes a repo. |
|
| A user discards a commit to a repo. |
|
| A user makes a call to get information about a single repo. |
|
| A user makes a call to get all repos they have Manage permissions on. |
|
| A user pulls the latest commits from a repo. |
|
| A user updates the repo to a different branch or tag, or to the latest commit on the same branch. |
|
Git credential events
These events are logged at the workspace level. This service includes events related to Git credentials for Databricks Git folders.
These events are logged under the service_name of gitCredentials.
action_name | Description | request_params |
|---|---|---|
| A user creates a git credential. |
|
| A user deletes a git credential. |
|
| A user gets a git credentials. |
|
| A user links a git provider. |
|
| A user lists all git credentials |
|
| A user updates a git credential. |
|
Global init scripts events
These events are logged at the workspace level. This service includes events related global init scripts.
These events are logged under the service_name of globalInitScripts.
action_name | Description | request_params |
|---|---|---|
| A workspace admin reorders global initialization scripts. |
|
| A workspace admin creates a global initialization script. |
|
| A workspace admin updates a global initialization script. |
|
| A workspace admin deletes a global initialization script. |
|
Remote history service events
These events are logged at the workspace level. This service includes events related to adding and removing GitHub Credentials.
These events are logged under the service_name of RemoteHistoryService.
action_name | Description | request_params |
|---|---|---|
| User adds Github Credentials | none |
| User removes Github Credentials | none |
| User updates Github Credentials | none |
Workspace events
These events are logged at the workspace level. This service includes events related to workspace management.
These events are logged under the service_name of workspace.
action_name | Description | request_params |
|---|---|---|
| An account admin adds a principal to a workspace. |
|
| Permissions to the workspace are changed. |
|
| A workspace admin removes a principal from a workspace. |
|
| A setting is deleted from the workspace. |
|
| User creates a file in the workspace. |
|
| User deletes a file in the workspace. |
|
| User opens the file editor. |
|
| An account admin gets a workspace's permission assignments. |
|
| User gets a workspace's user roles. |
|
| Recorded when in-house OAuth authorization code is minted at the workspace level. |
|
| OAuth token is minted for workspace. |
|
| A workspace admin moves workspace node. |
|
| A workspace admin purges workspace nodes. |
|
| An existing home folder is re-attached for a user that is re-added to the workspace. |
|
| A workspace admin renames workspace nodes. |
|
| Home folder special attributes are removed when a user is removed from the workspace. |
|
| A workspace admin updates a workspace user's role. |
|
| A workspace admin adds a principal to the workspace. |
|
| A workspace admin configures a workspace setting. |
|
| Workspace admin makes updates to a setting, for example enabling verbose audit logs. |
|
| User exports a notebook from a workspace. |
|
| OAuth client is authenticated in workspace service. |
|
Secrets events
These events are logged at the workspace level. This service includes events related to secrets.
These events are logged under the service_name of secrets.
action_name | Description | request_params |
|---|---|---|
| User creates a secret scope. |
|
| User deletes ACLs for a secret scope. |
|
| User deletes a secret scope. |
|
| User deletes a secret from a scope. |
|
| User gets ACLs for a secret scope. |
|
| User gets a secret from a scope. |
|
| User makes a call to list ACLs for a secret scope. |
|
| User makes a call to list secret scopes | none |
| User makes a call to list secrets within a scope. |
|
| User changes ACLs for a secret scope. |
|
| User adds or edits a secret within a scope. |
|
SSH events
These events are logged at the workspace level. This service includes events related to SSH access.
These events are logged under the service_name of ssh.
action_name | Description | request_params |
|---|---|---|
| Agent login of SSH into Spark driver. |
|
| Agent logout of SSH from Spark driver. |
|
Web terminal events
These events are logged at the workspace level. This service includes events related to the web terminal feature.
These events are logged under the service_name of webTerminal.
action_name | Description | request_params |
|---|---|---|
| User starts a web terminal sessions. |
|
| User closes a web terminal session. |
|
Databricks Apps events
These events are logged at the workspace level. This service includes events related to Databricks Apps.
These events are logged under the service_name of apps.
action_name | Description | request_params |
|---|---|---|
| A user creates a custom app using the Apps UI or API. |
|
| A user installs a template app using the Apps UI or API. |
|
| A user updates an app using the Apps UI or API. |
|
| A user starts the app compute using the Apps UI or API. |
|
| A user stops the app compute using the Apps UI or API. |
|
| A user deploys an app using the Apps UI or API. |
|
| A user deletes an app using the Apps UI or API. |
|
| A user updates an app's access using the Apps UI or API. |
|
Marketplace consumer events
These events are logged at the workspace level. This service includes events related to consumer actions in Databricks Marketplace.
These events are logged under the service_name of marketplaceConsumer.
action_name | Description | request_params |
|---|---|---|
| A user gets access to a data product through the Databricks Marketplace. |
|
| A user requests access to a data product that requires provider approval. |
|
Marketplace provider events
These events are logged at the workspace level. This service includes events related to provider actions in Databricks Marketplace.
These events are logged under the service_name of marketplaceProvider.
action_name | Description | request_params |
|---|---|---|
| A metastore admin creates a listing in their provider profile. |
|
| A metastore admin makes an update to a listing in their provider profile. |
|
| A metastore admin deletes a listing in their provider profile. |
|
| A metastore admins approves or denies a data product request. |
|
| A metastore admin creates a provider profile. |
|
| A metastore admin makes an update to their provider profile. |
|
| A metastore admin deletes their provider profile. |
|
| A provider uploads a file to their provider profile. |
|
| A provider deletes a file from their provider profile. |
|
Webhook events
These events are logged at the workspace level. This service includes events related to notification destinations.
These events are logged under the service_name of webhookNotifications.
action_name | Description | request_params |
|---|---|---|
| An admin creates a new notification destination. |
|
| An admin deletes a notification destination. |
|
| A user views information about a notification destination using the UI or API. |
|
| A webhook is triggered and sends a notification payload to the target URL. |
|
| A test payload is sent to a webhook URL to verify the configuration and ensure it can receive notifications successfully. |
|
| An admin updates a notification destination. |
|
Partner Connect events
These events are logged at the workspace level. This service includes events related to Partner Connect.
These events are logged under the service_name of partnerHub.
action_name | Description | request_params |
|---|---|---|
| A workspace admin sets up a connection to a partner solution. |
|
| A workspace admin deletes a partner connection. |
|
| A workspace admin downloads the partner connection file. |
|
| A workspace admin sets up resources for a partner connection. |
|
Genie events
These events are logged at the workspace level. This service includes events related to remote workspace access by support personnel.
This service is unrelated to Genie Spaces. See Genie Space events.
These events are logged under the service_name of genie.
action_name | Description | request_params |
|---|---|---|
| A Databricks personnel is authorized to access a customer environment. |
|
Account-level services
The following services log audit events at the account level.
Account access control events
These events are logged at the account level and are related to the Account Access Control API (Public Preview).
These events are logged under the service_name of accountsAccessControl.
action_name | Description | request_params |
|---|---|---|
| A user updates a rule set using the Account Access Control API. |
|
Federation policy events
These events are logged at the account level and are related to federation policies.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| An account admin creates an account or service principal federation policy. |
|
| An account admin deletes an account or service principal federation policy. |
|
| An account admin updates an account or service principal federation policy. |
|
Account-level authentication events
These events are related to account console authentication.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| An OAuth client is authenticated. |
|
| A user's account login code is authenticated. |
|
| A user logs in through the accountless-to-account upgrade flow. |
|
| A user deletes a passkey credential. |
|
| A user deletes a TOTP authenticator app setup key. | |
| A user logs into the account console. |
|
| A user logs out of the account console. |
|
| A user logs in to the account console using multi-factor authentication. |
|
| Recorded when in-house OAuth authorization code is minted at the account level. |
|
| An account-level OAuth token is issued to the service principal. |
|
| A user logs in to the account console using multi-factor authentication. |
|
| A user's multi-factor authentication policy is updated. |
|
| A user logs into their account with the OpenID Connect browser workflow. |
|
| An OIDC token is authenticated for an account admin login. |
|
| A user registers a passkey credential for multi-factor authentication. | |
| A user registers a TOTP authenticator app credential for multi-factor authentication. | |
| A user skips multi-factor authentication registration. | |
| A user logs into Databricks using a token. |
|
Account-level user and group management events
These events are related to account-level user and group management.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| A user is reactivated after being deactivated. See Deactivate users in account. |
|
| A user is added to the Databricks account. |
|
| A user is added to an account-level group. |
|
| Users are added to an account-level group using SCIM provisioning. |
|
| An account-level group is created. |
|
| A user is deactivated. See Deactivate users in account. |
|
| A user is deleted from the Databricks account. |
|
| An account admin removes account admin permissions from another user. |
|
| A group is removed from the account. |
|
| A user is removed from an account-level group. |
|
| Users are removed from an account-level group using SCIM provisioning. |
|
| An account admin assigns the account admin role to another user. |
|
| An account admin updates an account-level group. |
|
| An account admin updates a user account. |
|
| A user sign-up attempt is denied because the email domain is not allowed. |
|
| When a user validates their email after account creation. |
|
Account-level token and settings events
These events are related to token management and account settings.
These events are logged under the service_name of accounts.
action_name | Description | request_params |
|---|---|---|
| IP permissions validation fails. Returns statusCode 403. |
|
| Account admin removes a setting from the Databricks account. |
|
| A user runs a garbage collect command on expired tokens. |
|
| User generates a token from User Settings or when the service generates the token. |
|
| An account admin updates an account-level setting. |
|
Service principal credentials events
These events are logged at the account level. These events are related to service credentials.
These events are logged under the service_name of servicePrincipalCredentials.
action_name | Description | request_params |
|---|---|---|
| Account admin generates an OAuth secret for the service principal. |
|
| Account admin lists all OAuth secrets under a service principal. |
|
| Account admin deletes a service principal's OAuth secret. |
|
Oauth SSO events
These events are logged at the account level and are related to OAuth SSO authentication to the account console.
These events are logged under the service_name of oauth2.
action_name | Description | request_params |
|---|---|---|
| A workspace admin creates custom app integration. |
|
| A workspace admin creates an app integration using a published app integration. |
|
| A workspace admin deletes custom app integration. |
|
| A workspace admin deletes published app integration. |
|
| A workspace admin enrolls account in OAuth. |
|
| A workspace admin updates custom app integration. |
|
| A workspace admin updates published app integration. |
|
Single-sign on events
These events are logged at the account level and are related to SSO authentication for the account console.
These events are logged under the service_name of ssoConfigBackend.
action_name | Description | request_params |
|---|---|---|
| Account admin created an account console SSO configuration. |
|
| Account admin requested details about an account console SSO configuration. |
|
| Account admin updated an account console SSO configuration. |
|
Account provisioning events
These events are logged at the account level. These events have to do with cloud configurations made by account admins in the account console.
Workspace provisioning events
These events are related to workspace configuration.
These events are logged under the service_name of accountsManager.
action_name | Description | request_params |
|---|---|---|
| Admin accepts a workspace's terms of service. |
|
| Account admin creates a new workspace. The |
|
| Account admin deleted a workspace. |
|
| Account admin requests details about a workspace. |
|
| Account admin lists all workspaces in the account. |
|
| An email was sent to a workspace admin to accept the Databricks Terms of Service. |
|
| Admin updated the configuration for a workspace. |
|
Infrastructure configuration events
These events are related to cloud infrastructure configuration, including credentials, storage, encryption keys, VPC endpoints, and private access settings.
These events are logged under the service_name of accountsManager.
action_name | Description | request_params |
|---|---|---|
| Account admin created a credentials configuration. |
|
| Account admin created a customer-managed key configuration. |
|
| Account admin created a private access settings configuration. |
|
| Account admin created a storage configuration. |
|
| Account admin created a VPC endpoint configuration. |
|
| Account admin deleted a credentials configuration. |
|
| Account admin deleted a customer-managed key configuration. |
|
| Account admin deleted a private access settings configuration. |
|
| Account admin deleted a storage configuration. |
|
| Account admin deleted a VPC endpoint configuration. |
|
| Account admin requests details about a credentials configuration. |
|
| Account admin requests details about a customer-managed key configuration. |
|
| Account admin requests details about a private access settings configuration. |
|
| Account admin requests details about a storage configuration. |
|
| Account admin requests details about a VPC endpoint configuration. |
|
| Account admin lists all credentials configurations in the account. |
|
| Account admin lists all customer-managed key configurations in the account. |
|
| Account admin lists all private access settings configurations in the account. |
|
| Account admin lists all storage configurations in the account. |
|
| Account admin listed all VPC endpoint configurations for the account. |
|
| Account admin lists all encryption key records in a specific workspace. |
|
| Account admin lists all encryption key records in the account. |
|
Network configuration events
These events are related to network configuration, including network connectivity and network policies.
These events are logged under the service_name of accountsManager.
action_name | Description | request_params |
|---|---|---|
| Account admin created a network configuration. |
|
| Account admin created a network connectivity configuration. |
|
| Account admin deleted a network configuration. |
|
| Account admin requests details about a network configuration. |
|
| Account admin lists all network configurations in the account. |
|
| Account admin created a network policy. |
|
| Account admin requests details about a network policy. |
|
| Account admin lists all network policies in the account. |
|
| Account admin updated a network policy. |
|
| Account admin deleted a network policy. |
|
| Account admin requests details about a workspace's network policies. |
|
| Account admin updated a workspace's network policy. |
|
Account administration events
These events are related to account administration.
These events are logged under the service_name of accountsManager.
action_name | Description | request_params |
|---|---|---|
| Account admin resets a users password. Also logs whether the user changed the password after the reset. |
|
| Account owner role is transferred to another account admin. |
|
| The account was consolidated with another account by Databricks. |
|
| Account admin lists all account billing subscriptions. |
|
| The account details were changed internally. |
|
| The account billing subscriptions were updated. |
|
Billable usage events
These events are logged at the account level. This service includes events related to billable usage access in the account console.
These events are logged under the service_name of accountBillableUsage.
action_name | Description | request_params |
|---|---|---|
| User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature. |
|
| User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature. |
|
Serverless budget policy events
These events are logged at the account level and are related to serverless budget policies. See Attribute usage with serverless usage policies.
These events are logged under the service_name of budgetPolicyCentral.
action_name | Description | request_params |
|---|---|---|
| Workspace admin or billing admin creates a serverless budget policy. The new |
|
| Workspace admin, billing admin, or policy manager updates a serverless budget policy. |
|
| Workspace admin, billing admin, or policy manager deletes a serverless budget policy. |
|
Log delivery events
These events are logged at the account level. These events are related to audit and billing log delivery.
These events are logged under the service_name of logDelivery.
action_name | Description | request_params |
|---|---|---|
| Admin created a log delivery configuration. |
|
| Admin requested details about a log delivery configuration. |
|
| Admin listed all log delivery configurations in the account. |
|
| Admin updated a log delivery configuration. |
|
Unity Catalog events
The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog events are logged at the account level, so workspace_id is recorded as 0. The originating workspace ID is included in request_params.workspace_id.
These events are logged under the service_name of unityCatalog.
action_name | Description | request_params |
|---|---|---|
| Account admin creates a metastore. |
|
| Account admin requests metastore ID. |
|
| Account admin requests details about a metastore. |
|
| Account admin requests a list of all metastores in an account. |
|
| Account admin makes an update to a metastore. |
|
| Account admin deletes a metastore. |
|
| Account admin makes an update to a metastore's workspace assignment. |
|
| Account admin creates an external location. |
|
| Account admin requests details about an external location. |
|
| Account admin request list of all external locations in an account. |
|
| Account admin makes an update to an external location. |
|
| Account admin deletes an external location. |
|
| User creates a catalog. |
|
| User deletes a catalog. |
|
| User requests details about a catalog. |
|
| User updates a catalog. |
|
| User makes a call to list all catalogs in the metastore. |
|
| User creates a schema. |
|
| User deletes a schema. |
|
| User requests details about a schema. |
|
| User requests a list of all schemas in a catalog. |
|
| User updates a schema. |
|
|
| |
| User creates a table. The request parameters differ depending on the type of table created. |
|
| User deletes a table. |
|
| User requests details about a table. |
|
|
| |
| User makes a call to list all tables in a schema. |
|
| User gets an array of summaries for tables for a schema and catalog within the metastore. |
|
| User makes an update to a table. The request parameters displayed vary depending on the type of table updates made. |
|
| Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials. |
|
| Account admin makes a call to list all storage credentials in the account. |
|
| Account admin requests details about a storage credential. |
|
| Account admin makes an update to a storage credential. |
|
| Account admin deletes a storage credential. |
|
| Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when. |
|
| Logged whenever a temporary credential is granted for a path. |
|
| Logged whenever user permissions are checked for a given path. |
|
| User makes a call to get permission details for a securable object. This call doesn't return inherited permissions, only explicitly assigned permissions. |
|
| User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions. |
|
| User updates permissions on a securable object. |
|
| User queries the metadata from a previous table version. |
|
| User queries the metadata and permissions from a previous table version. |
|
| User updates the metadata from a previous table version. |
|
| User makes a call to get details about a foreign table. |
|
| User makes a call to get details about a schema. |
|
| User creates a constraint for a table. |
|
| User deletes a constraint for a table. |
|
| User creates a Unity Catalog pipeline. |
|
| User updates a Unity Catalog pipeline. |
|
| User requests details about a Unity Catalog pipeline. |
|
| User deletes a Unity Catalog pipeline. |
|
| Resource fails to delete | none |
| User creates a Unity Catalog volume. |
|
| User makes a call to get information on a Unity Catalog volume. |
|
| User updates a Unity Catalog volume's metadata with the |
|
| User deletes a Unity Catalog volume. |
|
| User makes a call to get a list of all Unity Catalog volumes in a schema. |
|
| A temporary credential is granted for a volume. |
|
| Tag assignments for a securable are fetched |
|
| Tag assignments for a subentity are fetched |
|
| Tag assignments for a securable are updated |
|
| Tag assignments for a subentity are updated |
|
| User creates a Unity Catalog registered model. |
|
| User makes a call to get information on a Unity Catalog registered model. |
|
| User updates a Unity Catalog registered model's metadata. |
|
| User deletes a Unity Catalog registered model. |
|
| User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas. |
|
| User creates a model version in Unity Catalog. |
|
| User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows. |
|
| User makes a call to get details on a model version. |
|
| User makes a call to get details on a model version using the alias. |
|
| User updates a model version's metadata. |
|
| User deletes a model version. |
|
| User makes a call to get a list of Unity Catalog model versions in a registered model. |
|
| A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when. |
|
| User sets an alias on a Unity Catalog registered model. |
|
| User deletes an alias on a Unity Catalog registered model. |
|
| User gets a Unity Catalog model version by alias. |
|
| A new foreign connection is created. |
|
| A foreign connection is deleted. |
|
| A foreign connection is retrieved. |
|
| A foreign connection is updated. |
|
| Foreign connections in a metastore are listed. |
|
| User creates a new function. |
|
| User updates a function. |
|
| User requests a list of all functions within a specific parent catalog or schema. |
|
| User requests a function from a parent catalog or schema. |
|
| User requests a function from a parent catalog or schema. |
|
| A temporary credential is generated to access a cloud service account from Databricks. |
|
| A metastore admin or object owner updates the workspace bindings of a catalog, external location, or storage credential. |
|
| A tag assignment is created on a securable. |
|
| A tag assignment is created on a subsecurable. |
|
| A tag assignment on a securable is deleted. |
|
| A tag assignment on a subsecurable is deleted. |
|
| A user requests a list of tag assignments on a securable. |
|
| A user requests a list of tag assignments on a subsecurable. |
|
| A tag assignment is created on a Unity Catalog entity. |
|
| A user requests details of a tag assignment on a Unity Catalog entity. |
|
| A user requests a list of tag assignments on a Unity Catalog entity. |
|
| A tag assignment on a Unity Catalog entity is updated. |
|
| A tag assignment on a Unity Catalog entity is deleted. |
|
| A user requests a list of tags on a securable. |
|
| ABAC policy is created. |
|
| ABAC policy is deleted. |
|
| User requests details about an ABAC policy. |
|
| User requests a list of ABAC policies. |
|
| ABAC policy is updated. |
|
| User requests workspace binding details for a securable object. |
|
| User updates workspace bindings for a catalog. |
|
| User creates a storage or service credential. |
|
| User deletes a storage or service credential. |
|
| User requests details about a storage or service credential. |
|
| User requests a list of storage and service credentials. |
|
| User updates a storage or service credential. |
|
| User validates a storage or service credential. |
|
| User creates a storage location. |
|
| Admin assigns a metastore to a workspace. |
|
| Admin removes a metastore assignment from a workspace. |
|
| User requests current metastore assignment details. |
|
| Admin enables a system schema. |
|
| Admin disables a system schema. |
|
| User requests a list of system schemas. |
|
| User requests details about a resource quota. |
|
| User requests a list of resource quotas. |
|
| User requests table details by table ID. |
|
| User requests a list of dropped tables. |
|
| User checks if a table exists. |
|
| User restores a dropped table. |
|
| User converts an external table to a managed table. |
|
| User requests a list of all volumes in a metastore. |
|
| User requests details about the artifact allowlist. |
|
| User updates the artifact allowlist. |
|
| Service principal is granted permissions to deploy a model. |
|
Delta Sharing events
Delta Sharing events are broken up into two sections: events recorded in the data provider's account and events recorded in the data recipient's account.
To learn how to use audit logs to monitor Delta Sharing events, see Audit and monitor data sharing.
Delta Sharing provider events
These audit log events are logged in the provider's account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.
These events are logged under the service_name of unityCatalog.
action_name | Description | request_params |
|---|---|---|
| A data recipient requests a list of shares. |
|
| A data recipient requests details about a shares. |
|
| A data recipient requests a list of shared schemas. |
|
| A data recipient requests a list of all shared tables. |
|
| A data recipient requests a list of shared tables. |
|
| A data recipient requests a details about a table's metadata. |
|
| A data recipient requests a details about a table version. |
|
| Logged when a data recipient queries a shared table. |
|
| Logged when a data recipient queries change data for a table. |
|
| Logged after a data recipient gets a response to their query. The |
|
| Logged after a data recipient gets a response to their query. The |
|
| A data recipient requests a list of shared notebook files. |
|
| A data recipient queries a shared notebook file. |
|
| A data recipient requests a list of functions in a parent schema. |
|
| A data recipient requests a list of all shared functions. |
|
| A data recipient requests a list of function versions. |
|
| A data recipient requests a list of shared volumes in a schema. |
|
| A data recipient requests all shared volumes. |
|
| Provider updates their metastore. |
|
| Provider creates a data recipient. |
|
| Provider deletes a data recipient. |
|
| Provider requests details about a data recipient. |
|
| Provider requests a list of all their data recipients. | none |
| Provider rotates a recipient's token. |
|
| Provider updates a data recipient's attributes. |
|
| Provider updates a data recipient's attributes. |
|
| Provider updates a data recipient's attributes. |
|
| Provider requests details about a share. |
|
| Provider adds or removes data assets from a share. |
|
| Provider requests a list of their shares. | none |
| Provider requests details on a share's permissions. |
|
| Provider updates a share's permissions. |
|
| Provider requests details about a recipient's share permissions. |
|
| Provider requests details about activity on their activation link. |
|
| Temporary credential is generated for the recipient to access a shared volume. |
|
| Temporary credential is generated for the recipient to access a shared table. |
|
| Provider creates an OIDC federation policy for a recipient. |
|
| Provider deletes an OIDC federation policy for a recipient. |
|
| Provider deletes a recipient policy. |
|
| Provider requests details about a recipient's OIDC federation policy. |
|
| Provider requests recipient properties for a dependent object. |
|
| Provider requests a list of OIDC federation policies for a recipient. |
|
| Provider reconnects a Databricks-to-Databricks recipient account. |
|
| Recipient retrieves their bearer token for open sharing authentication. |
|
| Provider requests query information for a shared table. |
|
| Delta Sharing performs reconciliation for a shared table. |
|
| Recipient mounts a share to a catalog. |
|
| User requests a list of shares mounted in a catalog. |
|
| Recipient unmounts a share from a catalog. |
|
| User requests a list of assets in a provider's share. |
|
| Recipient requests a list of notebook files shared in a catalog. |
|
| Recipient requests details about a shared notebook file. |
|
| Provider requests a list of shared catalogs. |
|
Delta Sharing recipient events
These events are logged in the data recipient's account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:
recipient_name: The name of the recipient in the data provider's system.metastore_id: The name of the metastore in the data provider's system.sourceIPAddress: The IP address where the request originated.
These events are logged under the service_name of unityCatalog.
action_name | Description | request_params |
|---|---|---|
| A data recipient requests details on a shared table version. |
|
| A data recipient requests details on a shared table's metadata. |
|
| A data recipient queries a shared table. |
|
| A data recipient queries change data for a table. |
|
| A data recipient creates a provider object. |
|
| A data recipient updates a provider object. |
|
| A data recipient deletes a provider object. |
|
| A data recipient requests details about a provider object. |
|
| A data recipient requests a list of providers. | none |
| A data recipient activates a provider object. |
|
| A data recipient requests a list of a provider's shares. |
|
Delta Sharing external Iceberg client events
This feature is in Public Preview.
These events are logged at the account level for external Iceberg clients accessing shared data using the Apache Iceberg REST Catalog API. To learn more, see Enable sharing to external Iceberg clients.
These events are logged when external Iceberg clients (such as Snowflake or other non-Databricks systems) access shared data.
These events are logged under the service_name of dataSharing.
action_name | Description | request_params |
|---|---|---|
| An external Iceberg client requests configuration information. |
|
| An external Iceberg client requests a list of namespaces. |
|
| An external Iceberg client requests details about a namespace. |
|
| An external Iceberg client requests a list of tables in a namespace. |
|
| An external Iceberg client loads table metadata. |
|
| An external Iceberg client reports metrics. |
|
Clean Rooms events
These events are logged at the account level. These events are related to Clean Rooms.
These events are logged under the service_name of clean-room.
action_name | Description | request_params |
|---|---|---|
| A user in your Databricks account creates a new clean room using the UI or API. |
|
| A user in your account creates a clean room asset. |
|
| A user in your Databricks account creates a review for a clean room asset using the UI or API. Currently, only notebooks are reviewable. |
|
| A user in your Databricks account creates an auto-approval rule for a clean room using the UI or API. The response includes a rule_id that is referenced in the clean_room_events system table. |
|
| A user in your Databricks account creates an output table in a clean room using the UI or API. |
|
| A user in your Databricks account deletes a clean room using the UI or API. |
|
| A user in your account deletes a clean room asset. |
|
| A user in your Databricks account deletes an auto-approval rule for a clean room using the UI or API. |
|
| A user in your account gets details about a clean room using the UI or API. |
|
| A user in your account views details about a clean room's data asset using the UI. |
|
| A user gets a list of assets within a clean room. |
|
| A user in your Databricks account lists auto-approval rules for a clean room using the UI or API. |
|
| A user gets a list of notebook task runs within a clean room. |
|
| A user gets a list of all clean rooms using the workspace UI or all clean rooms in the metastore using the API. |
|
| A user in your account updates a clean room's details or assets. |
|
| A user in your account updates a clean room asset. |
|
Additional security monitoring events
For Databricks compute resources in the classic compute plane, such as VMs for clusters and pro or classic SQL warehouses, the following features enable additional monitoring agents:
For serverless compute resources, the monitoring agents run if the compliance security profile is enabled and the complaince standard supports serverless compute resources. See Classic and serverless compute support by region and Compliance standards with serverless and standard compute availability.
File integrity monitoring events
These events are logged at the workspace level. This service includes events related to file integrity monitoring.
These events are logged under the service_name of capsule8-alerts-dataplane.
action_name | Description | request_params |
|---|---|---|
| A regular event to confirm the monitor is on. Currently runs every 10 minutes. |
|
| Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers. |
|
| Monitors the integrity of important system files. Alerts on any unauthorized changes to those files. Databricks defines specific sets of system paths on the image, and this set of paths might change over time. |
|
| Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a |
|
| Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault. |
|
| As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container. |
|
| Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers. |
|
| Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells. |
|
| Evading command logging is common practice for attackers, but might also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging. |
|
| Detects some types of kernel backdoors. The loading of a new Berkeley Packet Filter (BPF) program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident. |
|
| Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident. |
|
| Attackers might create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name. |
|
| Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means. This can issue false positive alerts on nodes with significant workloads. |
|
| Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to user space. |
|
| SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration. |
|
| Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access. |
|
| Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn't a known privileged image such as kube-proxy. This can issue unwanted alerts for legitimate privileged containers. |
|
| Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container. |
|
| Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts. |
|
| Attackers might attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session. |
|
| If not performed by a trusted source (such as a package manager or configuration management tool), modification of boot files could indicate an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in |
|
| Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files. |
|
| Newly created files from sources other than system update programs might be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs. |
|
| Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed. |
|
| Setting |
|
| Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident. |
|
| Attackers might modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process. |
|
| An attacker or rogue user might use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed. |
|
| Attackers might start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident. |
|
| An attacker or rogue user might execute network sniffing commands to capture credentials, personally-identifiable information (PII), or other sensitive information. Alerts when a program is executed that allows network capture. |
|
| Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident. |
|
| Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident. |
|
| After gaining access to a system, an attacker might create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident. |
|
| Use of process injection techniques commonly indicates that a user is debugging a program, but might also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses |
|
| Attackers often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident. |
|
| Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident. |
|
| Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident. |
|
| Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident. |
|
| Attackers commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident. |
|
| Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the |
|
| Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the |
|
| Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the |
|
| Alerts when the |
|
| Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted. |
|
| An attacker might add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file |
|
| Attackers might directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information. |
|
| Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user's SSH |
|
| Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager. |
|
| Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted. |
|
| User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when |
|
Antivirus monitoring events
The response JSON object in these audit logs always has a result field that includes one line of the original scan result. Each scan result is represented typically by multiple audit log records, one for each line of the original scan output. For details of what could appear in this file, see the following third-party documentation.
The following event is logged at the workspace level.
These events are logged under the service_name of clamAVScanService-dataplane.
action_name | Description | request_params |
|---|---|---|
| The antivirus monitoring performs a scan. A log will generate for each line of the original scan output. |
|
System log events
The response JSON object in the audit log has a result field that includes the original system log content.
The following event is logged at the workspace level.
These events are logged under the service_name of syslog.
action_name | Description | request_params |
|---|---|---|
| The system log processes an event. |
|
Process monitor log events
These events are logged at the workspace level.
These events are logged under the service_name of monit.
action_name | Description | request_params |
|---|---|---|
| The monitor is not running. |
|
| The monitor is restarting. |
|
| The monitor started. |
|
| The monitor is running. |
|
SQL table access events
The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.
These events are logged at the workspace level.
These events are logged under the service_name of sqlPermissions.
action_name | Description | request_params |
|---|---|---|
| Workspace admin or owner of an object transfers object ownership. |
|
| User creates a securable object. |
|
| Object owner denies privileges on a securable object. |
|
| Object owner grants permission on a securable object. |
|
| User drops a securable object. |
|
| User renames a securable object. |
|
| User requests permissions on a securable object. |
|
| Object owner revokes permissions on their securable object. |
|
| User views securable object permissions. |
|
Deprecated log events
Databricks has deprecated the following serverlessRealTimeInference audit events. These events were associated with Legacy MLflow Model Serving, which reached end of life on September 15, 2025.
enabledisable
Databricks has deprecated the following databrickssql audit events:
createAlertDestination(nowcreateNotificationDestination)deleteAlertDestination(nowdeleteNotificationDestination)updateAlertDestination(nowupdateNotificationDestination)muteAlertunmuteAlert
SQL endpoint logs
If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.
The SQL endpoint events are:
changeEndpointAclscreateEndpointeditEndpointstartEndpointstopEndpointdeleteEndpointsetEndpointConfig