Audit log reference

Note

This feature requires the Premium plan or above.

This article provides you with a comprehensive reference of available audit log services and events. By understanding which events are logged in the audit logs, your enterprise can monitor detailed Databricks usage patterns in your account.

The easiest way to access and query your account’s audit logs is by using system tables (Public Preview).

If you’d like to configure a regular log delivery, see Configure audit log delivery.

Audit log services

The following services and their events are logged by default in audit logs.

Workspace-level services

Workspace-level audit logs are available for these services:

Service name

Description

accounts

Events related to accounts, users, groups, and IP access lists.

clusterPolicies

Events related to cluster policies.

clusters

Events related to clusters.

dashboards

Events related to AI/BI dashboard use.

databrickssql

Events related to Databricks SQL use.

dataMonitoring

Events related to Lakehouse Monitoring.

dbfs

Events related to DBFS.

deltaPipelines

Events related to Delta Live Table pipelines.

featureStore

Events related to the Databricks Feature Store.

filesystem

Events related to the Files API.

genie

Events related to workspace access by support personnel.

gitCredentials

Events related to Git credentials for Databricks Git folders. See also repos.

globalInitScripts

Events related to global init scripts.

groups

Events related to account and workspace groups.

iamRole

Events related to IAM role permissions.

ingestion

Events related to file uploads.

instancePools

Events related to pools.

jobs

Events related to jobs.

marketplaceConsumer

Events related to consumer actions in Databricks Marketplace.

marketplaceProvider

Events related to provider actions in Databricks Marketplace.

mlflowAcledArtifact

Events related to ML Flow artifacts with ACLs.

mlflowExperiment

Events related to ML Flow experiments.

modelRegistry

Events related to the workspace model registry. For activity logs for models in Unity Catalog, see Unity Catalog events.

notebook

Events related to notebooks.

partnerConnect

Events related to Partner Connect.

predictiveOptimization

Events related to predictive optimization.

remoteHistoryService

Events related to adding a removing GitHub Credentials.

repos

Events related to Databricks Git folders. See also gitCredentials.

secrets

Events related to secrets.

serverlessRealTimeInference

Events related to model serving.

sqlPermissions

Events related to the legacy Hive metastore table access control.

ssh

Events related to SSH access.

vectorSearch

Events related to Mosaic AI Vector Search.

webTerminal

Events related to the web terminal feature.

workspace

Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name

Description

accountBillableUsage

Actions related to billable usage access in the account console.

accounts

Actions related to account-level access and identity management.

accountsAccessControl

Actions related to account-level access control rules.

accountsManager

Actions performed in the account console.

logDelivery

Log delivery configuration for such as billable usage or audit logs.

oauth2

Actions related to OAuth SSO authentication to the account console.

servicePrincipalCredentials

Actions related to service principal credentials.

ssoConfigBackend

Single sign-on settings for the account.

unityCatalog

Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events.

Additional security monitoring services

There are additional services and associated actions for workspaces that use the compliance security profile (required for some compliance standards such as FedRAMP, PCI, and HIPAA) or Enhanced security monitoring.

These are workspace-level services that will only generate in your logs if you are using the compliance security profile or enhanced security monitoring:

Service name

Description

capsule8-alerts-dataplane

Actions related to file integrity monitoring.

clamAVScanService-dataplanel

Actions related to antivirus monitoring.

monit

Actions related to the process monitor.

syslog

Actions related to the system logs.

Audit log example schema

In Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following example is for a createMetastoreAssignment event.

  {
    "version":"2.0",
    "auditLevel":"ACCOUNT_LEVEL",
    "timestamp":1629775584891,
    "orgId":"3049056262456431186970",
    "shardName":"test-shard",
    "accountId":"77636e6d-ac57-484f-9302-f7922285b9a5",
    "sourceIPAddress":"10.2.91.100",
    "userAgent":"curl/7.64.1",
    "sessionId":"f836a03a-d360-4792-b081-baba525324312",
    "userIdentity":{
      "email":"crampton.rods@email.com",
      "subjectName":null
    },
    "serviceName":"unityCatalog",
    "actionName":"createMetastoreAssignment",
    "requestId":"ServiceMain-da7fa5878f40002",
    "requestParams":{
      "workspace_id":"30490590956351435170",
      "metastore_id":"abc123456-8398-4c25-91bb-b000b08739c7",
      "default_catalog_name":"main"
    },
    "response":{
      "statusCode":200,
      "errorMessage":null,
      "result":null
    },
    "MAX_LOG_MESSAGE_LENGTH":16384
  }

Audit log schema considerations

  • If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.

  • Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.

  • The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service

Action

Description

Request parameters

accounts

activateUser

A user is reactivated after being deactivated. See Deactivate users in workspace.

  • targetUserName

  • endpoint

  • targetUserId

accounts

add

A user is added to a Databricks workspace.

  • targetUserName

  • endpoint

  • targetUserId

accounts

addPrincipalToGroup

A user is added to a workspace-level group.

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

addX509

A user account is added using an X509 certificate for authentication

accounts

certLogin

A user logs in to Databricks using X509 certification.

  • user

accounts

changeDatabricksSqlAcl

A user’s Databricks SQL permissions are changed.

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changeDatabricksWorkspaceAcl

Permissions to a workspace are changed.

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changeDbTokenAcl

When permissions on a token are changed.

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changePassword

A user’s password is changed.

  • newPasswordSource

  • targetUserId

  • serviceSource

  • wasPasswordChanged

  • userId

accounts

changePasswordAcl

Password changing permissions are changed in the account.

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

accounts

changeServicePrincipalAcls

When a service principal’s permissions are changed.

  • shardName

  • targetServicePrincipal

  • resourceId

  • aclPermissionSet

accounts

createGroup

A workspace-level group is created.

  • endpoint

  • targetGroupId

  • targetGroupName

accounts

createIpAccessList

An IP access list is added to the workspace.

  • ipAccessListId

  • userId

accounts

deactivateUser

A user is deactivated in the workspace. See Deactivate users in workspace.

  • targetUserName

  • endpoint

  • targetUserId

accounts

delete

A user is deleted from the Databricks workspace.

  • targetUserId

  • targetUserName

  • endpoint

accounts

deleteIpAccessList

An IP access list is deleted from the workspace.

  • ipAccessListId

  • userId

accounts

garbageCollectDbToken

A user runs a garbage collect command on expired tokens.

  • tokenExpirationTime

  • tokenClientId

  • userId

  • tokenCreationTime

  • tokenFirstAccessed

accounts

generateDbToken

When someone generates a token from User Settings or when the service generates the token.

  • tokenExpirationTime

  • tokenCreatedBy

  • tokenHash

  • userId

accounts

IpAccessDenied

A user attempts to connect to the service through a denied IP.

  • path

  • user

accounts

ipAccessListQuotaExceeded

  • userId

accounts

jwtLogin

User logs into Databricks using a JWT.

  • user

accounts

login

User logs into the workspace.

  • user

accounts

logout

User logs out of the workspace.

  • user

accounts

mfaAddKey

User registers a new security key.

accounts

mfaDeleteKey

User deletes a security key.

  • id

accounts

mfaLogin

User logs into Databricks using MFA.

  • user

accounts

oidcTokenAuthorization

When an API call is authorized through a generic OIDC/OAuth token.

  • user

accounts

passwordVerifyAuthentication

  • user

accounts

reachMaxQuotaDbToken

When the current number of non-expired tokens exceeds the token quota

accounts

removeAdmin

A user is revoked of workspace admin permissions.

  • targetUserName

  • endpoint

  • targetUserId

accounts

removeGroup

A group is removed from the workspace.

  • targetGroupId

  • targetGroupName

  • endpoint

accounts

removePrincipalFromGroup

A user is removed from a group.

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

resetPassword

A user’s password is reset.

  • serviceSource

  • userId

  • endpoint

  • targetUserId

  • targetUserName

  • wasPasswordChanged

  • newPasswordSource

accounts

revokeDbToken

A user’s token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account.

  • userId

accounts

samlLogin

User logs in to Databricks through SAML SSO.

  • user

accounts

setAdmin

A user is granted account admin permissions.

  • endpoint

  • targetUserName

  • targetUserId

accounts

tokenLogin

A user logs into Databricks using a token.

  • tokenId

  • user

accounts

updateIpAccessList

An IP access list is changed.

  • ipAccessListId

  • userId

accounts

updateUser

An account admin updates a user’s account.

  • targetUserName

  • endpoint

  • targetUserId

accounts

validateEmail

When a user validates their email after account creation.

  • endpoint

  • targetUserName

  • targetUserId

Clusters events

The following are cluster events logged at the workspace level.

Service

Action

Description

Request parameters

clusters

changeClusterAcl

A user changes the cluster ACL.

  • shardName

  • aclPermissionSet

  • targetUserId

  • resourceId

clusters

create

A user creates a cluster.

  • cluster_log_conf

  • num_workers

  • enable_elastic_disk

  • driver_node_type_id

  • start_cluster

  • docker_image

  • ssh_public_keys

  • aws_attributes

  • acl_path_prefix

  • node_type_id

  • instance_pool_id

  • spark_env_vars

  • init_scripts

  • spark_version

  • cluster_source

  • autotermination_minutes

  • cluster_name

  • autoscale

  • custom_tags

  • cluster_creator

  • enable_local_disk_encryption

  • idempotency_token

  • spark_conf

  • organization_id

  • no_driver_daemon

  • user_id

  • virtual_cluster_size

  • apply_policy_default_values

  • data_security_mode

  • runtime_engine

clusters

createResult

Results from cluster creation. In conjunction with create.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

delete

A cluster is terminated.

  • cluster_id

clusters

deleteResult

Results from cluster termination. In conjunction with delete.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

edit

A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior.

  • cluster_log_conf

  • num_workers

  • enable_elastic_disk

  • driver_node_type_id

  • start_cluster

  • docker_image

  • ssh_public_keys

  • aws_attributes

  • acl_path_prefix

  • node_type_id

  • instance_pool_id

  • spark_env_vars

  • init_scripts

  • spark_version

  • cluster_source

  • autotermination_minutes

  • cluster_name

  • autoscale

  • custom_tags

  • cluster_creator

  • enable_local_disk_encryption

  • idempotency_token

  • spark_conf

  • organization_id

  • no_driver_daemon

  • user_id

  • virtual_cluster_size

  • apply_policy_default_values

  • data_security_mode

  • runtime_engine

clusters

permanentDelete

A cluster is deleted from the UI.

  • cluster_id

clusters

resize

Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.

  • cluster_id

  • num_workers

  • autoscale

clusters

resizeResult

Results from cluster resize. In conjunction with resize.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

restart

A user restarts a running cluster.

  • cluster_id

clusters

restartResult

Results from cluster restart. In conjunction with restart.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

clusters

start

A user starts a cluster.

  • init_scripts_safe_mode

  • cluster_id

clusters

startResult

Results from cluster start. In conjunction with start.

  • clusterName

  • clusterState

  • clusterId

  • clusterWorkers

  • clusterOwnerUserId

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service

Action

Description

Request parameters

clusterLibraries

installLibraries

User installs a library on a cluster.

  • cluster_id

  • libraries

clusterLibraries

uninstallLibraries

User uninstalls a library on a cluster.

  • cluster_id

  • libraries

clusterLibraries

installLibraryOnAllClusters

A workspace admin schedules a library to install on all cluster.

  • user

  • library

clusterLibraries

uninstallLibraryOnAllClusters

A workspace admin removes a library from the list to install on all clusters.

  • user

  • library

Cluster policy events

The following are clusterPolicies events logged at the workspace level.

Service

Action

Description

Request parameters

clusterPolicies

create

A user created a cluster policy.

  • name

clusterPolicies

edit

A user edited a cluster policy.

  • policy_id

  • name

clusterPolicies

delete

A user deleted a cluster policy.

  • policy_id

clusterPolicies

changeClusterPolicyAcl

A workspace admin changes permissions for a cluster policy.

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

Dashboards events

The following are dashboards events logged at the workspace level.

Service

Action

Description

Request parameters

dashboards

getDashboard

A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard.

  • dashboard_id

dashboards

getPublishedDashboard

A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email.

  • dashboard_id

  • credentials_embedded

dashboards

executeQuery

A user executes a query from a dashboard.

  • dashboard_id

  • statement_id

dashboards

cancelQuery

A user cancels a query from a dashboard.

  • dashboard_id

  • statement_id

dashboards

getQueryResult

A user receives the results of a query from a dashboard.

  • dashboard_id

  • statement_id

dashboards

sendDashboardSnapshot

A PDF snapshot of a dashboard is sent through a scheduled email.

The request parameters values depend on the type of recipient. For a Databricks notification destination, only the destination_id is shown. For a Databricks user, the subscriber’s user ID and email address are shown. If the recipient is an email address, only the email address is shown.

  • dashboard_id

  • subscriber_destination_id

  • subscriber_user_details: {

    user_id,

    email_address }

dashboards

getDashboardDetails

A user accesses details of a draft dashboard, such as datasets and widgets. getDashboardDetails is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API.

  • dashboard_id

dashboards

createDashboard

A user creates a new AI/BI dashboard using the UI or API.

  • dashboard_id

dashboards

updateDashboard

A user makes an update to an AI/BI dashboard using the UI or API.

  • dashboard_id

dashboards

cloneDashboard

A user clones an AI/BI dashboard.

  • source_dashboard_id

  • new_dashboard_id

dashboards

publishDashboard

A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API.

  • dashboard_id

  • credentials_embedded

  • warehouse_id

dashboards

unpublishDashboard

A user unpublishes a published AI/BI dashboard using the UI or API.

  • dashboard_id

dashboards

trashDashboard

A user moves an AI/BI dashboard to the trash using the UI or API.

  • dashboard_id

dashboards

restoreDashboard

A user restores an AI/BI dashboard from the trash.

  • dashboard_id

dashboards

migrateDashboard

A user migrates a DBSQL dashboard to an AI/BI dashboard.

  • source_dashboard_id

  • new_dashboard_id

dashboards

createSchedule

A user creates an email subscription schedule.

  • dashboard_id

  • schedule_id

dashboards

updateSchedule

A user makes an update to an AI/BI dashboard’s schedule.

  • dashboard_id

  • schedule_id

dashboards

deleteSchedule

A user deletes an AI/BI dashboard’s schedule.

  • dashboard_id

  • schedule_id

dashboards

createSubscription

A user subscribes an email destination to an AI/BI dashboard schedule.

  • dashboard_id

  • schedule_id

  • schedule

dashboards

deleteSubscription

A user deletes an email destination from an AI/BI dashboard schedule.

  • dashboard_id

  • schedule_id

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service

Action

Description

Request parameters

databrickssql

addDashboardWidget

A widget is added to a dashboard.

  • dashboardId

  • widgetId

databrickssql

cancelQueryExecution

A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.

  • queryExecutionId

databrickssql

changeWarehouseAcls

A warehouse manager updates permissions on a SQL warehouse.

  • aclPermissionSet

  • resourceId

  • shardName

  • targetUserId

databrickssql

changePermissions

A user updates permissions on an object.

  • granteeAndPermission

  • objectId

  • objectType

databrickssql

cloneDashboard

A user clones a dashboard.

  • dashboardId

databrickssql

commandSubmit

Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.

  • warehouseId

  • commandId

  • validation

  • commandText

databrickssql

commandFinish

Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.

  • warehouseId

  • commandId

databrickssql

createAlert

A user creates an alert.

  • alertId

databrickssql

createNotificationDestination

A workspace admin creates a notification destination.

  • notificationDestinationId

  • notificationDestinationType

databrickssql

createDashboard

A user creates a dashboard.

  • dashboardId

databrickssql

createDataPreviewDashboard

A user creates a data preview dashboard.

  • dashboardId

databrickssql

createWarehouse

A user with the cluster create entitlement creates a SQL warehouse.

  • auto_resume

  • auto_stop_mins

  • channel

  • cluster_size

  • conf_pairs

  • custom_cluster_confs

  • enable_databricks_compute

  • enable_photon

  • enable_serverless_compute

  • instance_profile_arn

  • max_num_clusters

  • min_num_clusters

  • name

  • size

  • spot_instance_policy

  • tags

  • test_overrides

databrickssql

createQuery

A user creates a new query.

  • queryId

databrickssql

createQueryDraft

A user creates a query draft.

  • queryId

databrickssql

createQuerySnippet

A user creates a query snippet.

  • querySnippetId

databrickssql

createSampleDashboard

A user creates a sample dashboard.

  • sampleDashboardId

databrickssql

createVisualization

A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses.

  • queryId

  • visualizationId

databrickssql

deleteAlert

A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI.

  • alertId

databrickssql

deleteNotificationDestination

A workspace admin deletes a notification destination.

  • notificationDestinationId

databrickssql

deleteDashboard

A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI.

  • dashboardId

databrickssql

deleteDashboardWidget

A user deletes a dashboard widget.

  • widgetId

databrickssql

deleteWarehouse

A warehouse manager deletes a SQL warehouse.

  • id

databrickssql

deleteQuery

A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.

  • queryId

databrickssql

deleteQueryDraft

A user deletes a query draft.

  • queryId

databrickssql

deleteQuerySnippet

A user deletes a query snippet.

  • querySnippetId

databrickssql

deleteVisualization

A user deletes a visualization from a query in the SQL Editor.

  • visualizationId

databrickssql

downloadQueryResult

A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.

  • fileType

  • queryId

  • queryResultId

  • credentialsEmbedded

  • credentialsEmbeddedId

databrickssql

editWarehouse

A warehouse manager makes edits to a SQL warehouse.

  • auto_stop_mins

  • channel

  • cluster_size

  • confs

  • enable_photon

  • enable_serverless_compute

  • id

  • instance_profile_arn

  • max_num_clusters

  • min_num_clusters

  • name

  • spot_instance_policy

  • tags

databrickssql

executeAdhocQuery

Generated by one of the following:

  • A user runs a query draft in the SQL editor

  • A query is executed from a visualization aggregation

  • A user loads a dashboard and executes underlying queries

  • dataSourceId

databrickssql

executeSavedQuery

A user runs a saved query.

  • queryId

databrickssql

executeWidgetQuery

Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include:

  • Refreshing a single panel

  • Refreshing an entire dashboard

  • Scheduled dashboard executions

  • Parameter or filter changes operating over more than 64,000 rows

  • widgetId

databrickssql

favoriteDashboard

A user favorites a dashboard.

  • dashboardId

databrickssql

favoriteQuery

A user favorites a query.

  • queryId

databrickssql

forkQuery

A user clones a query.

  • originalQueryId

  • queryId

databrickssql

listQueries

A user opens the query listing page or calls the list query API.

  • filter_by

  • include_metrics

  • max_results

  • page_token

databrickssql

moveAlertToTrash

A user moves an alert to the trash.

  • alertId

databrickssql

moveDashboardToTrash

A user moves a dashboard to the trash.

  • dashboardId

databrickssql

moveQueryToTrash

A user moves a query to the trash.

  • queryId

databrickssql

restoreAlert

A user restores an alert from the trash.

  • alertId

databrickssql

restoreDashboard

A user restores a dashboard from the trash.

  • dashboardId

databrickssql

restoreQuery

A user restores a query from the trash.

  • queryId

databrickssql

setWarehouseConfig

A warehouse manager sets the configuration for a SQL warehouse.

  • data_access_config

  • enable_serverless_compute

  • instance_profile_arn

  • security_policy

  • serverless_agreement

  • sql_configuration_parameters

  • try_create_databricks_managed_starter_warehouse

databrickssql

snapshotDashboard

A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots.

  • dashboardId

databrickssql

startWarehouse

A SQL warehouse is started.

  • id

databrickssql

stopWarehouse

A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.

  • id

databrickssql

transferObjectOwnership

A workspace admin transfers the ownership of a dashboard, query, or alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.

  • newOwner

  • objectId

  • objectType

databrickssql

unfavoriteDashboard

A user removes a dashboard from their favorites.

  • dashboardId

databrickssql

unfavoriteQuery

A user removes a query from their favorites.

  • queryId

databrickssql

updateAlert

A user makes updates to an alert. ownerUserName is populated if the alert ownership is transferred using the API.

  • alertId

  • queryId

  • ownerUserName

databrickssql

updateNotificationDestination

A workspace admin makes an update to a notification destination.

  • notificationDestinationId

databrickssql

updateDashboardWidget

A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include:

  • Change to widget size or placement

  • Adding or removing widget parameters

  • widgetId

databrickssql

updateDashboard

A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include:

  • Change in dashboard name

  • Change to the SQL warehouse

  • Change to Run As settings

  • dashboardId

databrickssql

updateOrganizationSetting

A workspace admin makes updates to the workspace’s SQL settings.

  • has_configured_data_access

  • has_explored_sql_warehouses

  • has_granted_permissions

databrickssql

updateQuery

A user makes an update to a query. ownerUserName is populated if the query ownership is transferred using the API.

  • queryId

  • ownerUserName

databrickssql

updateQueryDraft

A user makes an update to a query draft.

  • queryId

databrickssql

updateQuerySnippet

A user makes an update to a query snippet.

  • querySnippetId

databrickssql

updateVisualization

A user updates a visualization from either the SQL Editor or the dashboard.

  • visualizationId

Data monitoring events

The following dataMonitoring events are logged at the workspace level.

Service

Action

Description

Request parameters

dataMonitoring

CreateMonitor

User creates a monitor.

  • data_classification_config

  • full_table_name_arg

  • assets_dir

  • schedule

  • output_schema_name

  • notifications

  • inference_log

dataMonitoring

UpdateMonitor

User makes an update to a monitor.

  • data_classification_config

  • table_name

  • full_table_name_arg

  • drift_metrics_table_name

  • dashboard_id

  • custom_metrics

  • assets_dir

  • monitor_version

  • profile_metrics_table_name

  • baseline_table_name

  • status

  • output_schema_name

  • inference_log

  • slicing_exprs

dataMonitoring

DeleteMonitor

User deletes a monitor.

  • full_table_name_arg

dataMonitoring

RunRefresh

Monitor is refreshed, either by schedule or manually.

  • full_table_name_arg

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service

Action

Description

Request parameters

dbfs

addBlock

User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.

  • handle

  • data_length

dbfs

create

User opens a stream to write a file to DBFs.

  • path

  • bufferSize

  • overwrite

dbfs

delete

User deletes the file or directory from DBFs.

  • recursive

  • path

dbfs

mkdirs

User creates a new DBFS directory.

  • path

dbfs

move

User moves a file from one location to another location within DBFs.

  • dst

  • source_path

  • src

  • destination_path

dbfs

put

User uploads a file through the use of multipart form post to DBFs.

  • path

  • overwrite

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service

Action

Description

Request parameters

dbfs

mount

User creates a mount point at a certain DBFS location.

  • mountPoint

  • owner

dbfs

unmount

User removes a mount point at a certain DBFS location.

  • mountPoint

Delta pipelines events

Service

Action

Description

Request parameters

deltaPipelines

changePipelineAcls

A user changes permissions on a pipeline.

  • shardId

  • targetUserId

  • resourceId

  • aclPermissionSet

deltaPipelines

create

A user creates a Delta Live Tables pipeline.

  • allow_duplicate_names

  • clusters

  • configuration

  • continuous

  • development

  • dry_run

  • id

  • libraries

  • name

  • storage

  • target

  • channel

  • edition

  • photon

deltaPipelines

delete

A user deletes a Delta Live Tables pipeline.

  • pipeline_id

deltaPipelines

edit

A user edits a Delta Live Tables pipeline.

  • allow_duplicate_names

  • clusters

  • configuration

  • continuous

  • development

  • expected_last_modified

  • id

  • libraries

  • name

  • pipeline_id

  • storage

  • target

  • channel

  • edition

  • photon

deltaPipelines

startUpdate

A user restarts a Delta Live Tables pipeline.

  • cause

  • full_refresh

  • job_task

  • pipeline_id

deltaPipelines

stop

A user stops a Delta Live Tables pipeline.

  • pipeline_id

Feature store events

The following featureStore events are logged at the workspace level.

Service

Action

Description

Request parameters

featureStore

addConsumer

A consumer is added to the feature store.

  • features

  • job_run

  • notebook

featureStore

addDataSources

A data source is added to a feature table.

  • feature_table

  • paths, tables

featureStore

addProducer

A producer is added to a feature table.

  • feature_table

  • job_run

  • notebook

featureStore

changeFeatureTableAcl

Permissions are changed in a feature table.

  • aclPermissionSet

  • resourceId

  • shardName

  • targetUserId

featureStore

createFeatureTable

A feature table is created.

  • description

  • name

  • partition_keys

  • primary_keys

  • timestamp_keys

featureStore

createFeatures

Features are created in a feature table.

  • feature_table

  • features

featureStore

deleteFeatureTable

A feature table is deleted.

  • name

featureStore

deleteTags

Tags are deleted from a feature table.

  • feature_table_id

  • keys

featureStore

getConsumers

A user makes a call to get the consumers in a feature table.

  • feature_table

featureStore

getFeatureTable

A user makes a call to get feature tables.

  • name

featureStore

getFeatureTablesById

A user makes a call to get feature table IDs.

  • ids

featureStore

getFeatures

A user makes a call to get features.

  • feature_table

  • max_results

featureStore

getModelServingMetadata

A user makes a call to get Model Serving metadata.

  • feature_table_features

featureStore

getOnlineStore

A user makes a call to get online store details.

  • cloud

  • feature_table

  • online_table

  • store_type

featureStore

getTags

A user makes a call to get tags for a feature table.

  • feature_table_id

featureStore

publishFeatureTable

A feature table is published.

  • cloud

  • feature_table

  • host

  • online_table

  • port

  • read_secret_prefix

  • store_type

  • write_secret_prefix

featureStore

searchFeatureTables

A user searches for feature tables.

  • max_results

  • page_token

  • text

featureStore

setTags

Tags are added to a feature table.

  • feature_table_id

  • tags

featureStore

updateFeatureTable

A feature table is updated.

  • description

  • name

Files API events

The following filesystem events are logged at the workspace level.

Service

Action

Description

Request parameters

filesystem

filesGet

User downloads file.

  • path

  • transferredSize

filesystem

filesPut

User uploads file.

  • path

  • receivedSize

filesystem

filesDelete

User deletes file.

  • path

filesystem

filesHead

User gets information about file.

  • path

Genie events

The following genie events are logged at the workspace level.

Note

This service is unrelated to AI/BI Genie spaces.

Service

Action

Description

Request parameters

genie

databricksAccess

A Databricks personnel is authorized to access a customer environment.

  • duration

  • approver

  • reason

  • authType

  • user

Git credential events

The following gitCredentials events are logged at the workspace level.

Service

Action

Description

Request parameters

gitCredentials

getGitCredential

A user gets a git credentials.

  • id

gitCredentials

listGitCredentials

A user lists all git credentials

none

gitCredentials

deleteGitCredential

A user deletes a git credential.

  • id

gitCredentials

updateGitCredential

A user updates a git credential.

  • id

  • git_provider

  • git_username

gitCredentials

createGitCredential

A user creates a git credential.

  • git_provider

  • git_username

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service

Action

Description

Request parameters

globalInitScripts

create

A workspace admin creates a global initialization script.

  • name

  • position

  • script-SHA256

  • enabled

globalInitScripts

update

A workspace admin updates a global initialization script.

  • script_id

  • name

  • position

  • script-SHA256

  • enabled

globalInitScripts

delete

A workspace admin deletes a global initialization script.

  • script_id

Groups events

The following groups events are logged at the workspace level. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Account events and Account-level account events.

Service

Action

Description

Request parameters

groups

addPrincipalToGroup

An admin adds a user to a group.

  • user_name

  • parent_name

groups

createGroup

An admin creates a group.

  • group_name

groups

getGroupMembers

An admin views group members.

  • group_name

groups

getGroups

An admin views a list of groups

none

groups

getInheritedGroups

An admin views inherited groups

none

groups

removeGroup

An admin removes a group.

  • group_name

IAM role events

The following iamRole event is logged at the workspace level.

Service

Action

Description

Request parameters

iamRole

changeIamRoleAcl

A workspace admin changes permissions for an IAM role.

  • targetUserId

  • shardName

  • resourceId

  • aclPermissionSet

Ingestion events

The following ingestion event is logged at the workspace level.

Service

Action

Description

Request parameters

ingestion

proxyFileUpload

A user uploads a file to their Databricks workspace.

  • x-databricks-content-length-0

  • x-databricks-total-files

Instance pool events

The following instancePools events are logged at the workspace level.

Service

Action

Description

Request parameters

instancePools

changeInstancePoolAcl

A user changes an instance pool’s permissions.

  • shardName

  • resourceId

  • targetUserId

  • aclPermissionSet

instancePools

create

A user creates an instance pool.

  • enable_elastic_disk

  • preloaded_spark_versions

  • idle_instance_autotermination_minutes

  • instance_pool_name

  • node_type_id

  • custom_tags

  • max_capacity

  • min_idle_instances

  • aws_attributes

instancePools

delete

A user deletes an instance pool.

  • instance_pool_id

instancePools

edit

A user edits an instance pool.

  • instance_pool_name

  • idle_instance_autotermination_minutes

  • min_idle_instances

  • preloaded_spark_versions

  • max_capacity

  • enable_elastic_disk

  • node_type_id

  • instance_pool_id

  • aws_attributes

Job events

The following jobs events are logged at the workspace level.

Service

Action

Description

Request parameters

jobs

cancel

A job run is cancelled.

  • run_id

jobs

cancelAllRuns

A user cancels all runs on a job.

  • job_id

jobs

changeJobAcl

A user updates permissions on a job.

  • shardName

  • aclPermissionSet

  • resourceId

  • targetUserId

jobs

create

A user creates a job.

  • spark_jar_task

  • email_notifications

  • notebook_task

  • spark_submit_task

  • timeout_seconds

  • libraries

  • name

  • spark_python_task

  • job_type

  • new_cluster

  • existing_cluster_id

  • max_retries

  • schedule

  • run_as

jobs

delete

A user deletes a job.

  • job_id

jobs

deleteRun

A user deletes a job run.

  • run_id

jobs

getRunOutput

A user makes an API call to get a run output.

  • run_id

  • is_from_webapp

jobs

repairRun

A user repairs a job run.

  • run_id

  • latest_repair_id

  • rerun_tasks

jobs

reset

A job is reset.

  • job_id

  • new_settings

jobs

resetJobAcl

A user requests the change of a job’s permissions.

  • grants

  • job_id

jobs

runCommand

Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook.

  • jobId

  • runId

  • notebookId

  • executionTime

  • status

  • commandId

  • commandText

jobs

runFailed

A job run fails.

  • jobClusterType

  • jobTriggerType

  • jobId

  • jobTaskType

  • runId

  • jobTerminalState

  • idInJob

  • orgId

  • runCreatorUserName

jobs

runNow

A user triggers an on-demand job run.

  • notebook_params

  • job_id

  • jar_params

  • workflow_context

jobs

runStart

Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include:

  • dashboardId (for a SQL dashboard task)

  • filePath (for a SQL file task)

  • notebookPath (for a notebook task)

  • mainClassName (for a Spark JAR task)

  • pythonFile (for a Spark JAR task)

  • projectDirectory (for a dbt task)

  • commands (for a dbt task)

  • packageName (for a Python wheel task)

  • entryPoint (for a Python wheel task)

  • pipelineId (for a pipeline task)

  • queryIds (for a SQL query task)

  • alertId (for a SQL alert task)

  • taskDependencies

  • multitaskParentRunId

  • orgId

  • idInJob

  • jobId

  • jobTerminalState

  • taskKey

  • jobTriggerType

  • jobTaskType

  • runId

  • runCreatorUserName

jobs

runSucceeded

A job run is successful.

  • idInJob

  • jobId

  • jobTriggerType

  • orgId

  • runId

  • jobClusterType

  • jobTaskType

  • jobTerminalState

  • runCreatorUserName

jobs

runTriggered

A job schedule is triggered automatically according to its schedule or trigger.

  • jobId

  • jobTriggeredType

  • runId

jobs

sendRunWebhook

A webhook is sent either when the job begins, completes, or fails.

  • orgId

  • jobId

  • jobWebhookId

  • jobWebhookEvent

  • runId

jobs

setTaskValue

A user sets values for a task.

  • run_id

  • key

jobs

submitRun

A user submits a one-time run via the API.

  • shell_command_task

  • run_name

  • spark_python_task

  • existing_cluster_id

  • notebook_task

  • timeout_seconds

  • libraries

  • new_cluster

  • spark_jar_task

jobs

update

A user edits a job’s settings.

  • job_id

  • fields_to_remove

  • new_settings

  • is_from_dlt

Marketplace consumer events

The following marketplaceConsumer events are logged at the workspace level.

Service

Action

Description

Request parameters

marketplaceConsumer

getDataProduct

A user gets access to a data product through the Databricks Marketplace.

  • listing_id

  • listing_name

  • share_name

  • catalog_name

  • request_context: Array of information about the account and metastore that got access to the data product

marketplaceConsumer

requestDataProduct

A user requests access to a data product that requires provider approval.

  • listing_id

  • listing_name

  • catalog_name

  • request_context: Array of information about the account and metastore requesting access to the data product

Marketplace provider events

The following marketplaceProvider events are logged at the workspace level.

Service

Action

Description

Request parameters

marketplaceProvider

createListing

A metastore admin creates a listing in their provider profile.

  • listing: Array of details about the listing

  • request_context: Array of information about the provider’s account and metastore

marketplaceProvider

updateListing

A metastore admin makes an update to a listing in their provider profile.

  • id

  • listing: Array of details about the listing

  • request_context: Array of information about the provider’s account and metastore

marketplaceProvider

deleteListing

A metastore admin deletes a listing in their provider profile.

  • id

  • request_context: Array of details about the provider’s account and metastore

marketplaceProvider

updateConsumerRequestStatus

A metastore admins approves or denies a data product request.

  • listing_id

  • request_id

  • status

  • reason

  • share: Array of information about the share

  • request_context: Array of information about the provider’s account and metastore

marketplaceProvider

createProviderProfile

A metastore admin creates a provider profile.

  • provider: Array of information about the provider

  • request_context: Array of information about the provider’s account and metastore

marketplaceProvider

updateProviderProfile

A metastore admin makes an update to their provider profile.

  • id

  • provider: Array of information about the provider

  • request_context: Array of information about the provider’s account and metastore

marketplaceProvider

deleteProviderProfile

A metastore admin deletes their provider profile.

  • id

  • request_context: Array of information about the provider’s account and metastore

marketplaceProvider

uploadFile

A provider uploads a file to their provider profile.

  • request_context: Array of information about the provider’s account and metastore

  • marketplace_file_type

  • display_name

  • mime_type

  • file_parent: Array of file parent details

marketplaceProvider

deleteFile

A provider deletes a file from their provider profile.

  • file_id

  • request_context: Array of information about the provider’s account and metastore

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service

Action

Description

Request parameters

mlflowAcledArtifact

readArtifact

A user makes call to read an artifact.

  • artifactLocation

  • experimentId

  • runId

mlflowAcledArtifact

writeArtifact

A user makes call to write to an artifact.

  • artifactLocation

  • experimentId

  • runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service

Action

Description

Request parameters

mlflowExperiment

createMlflowExperiment

A user creates an MLflow experiment.

  • experimentId

  • path

  • experimentName

mlflowExperiment

deleteMlflowExperiment

A user deletes an MLflow experiment.

  • experimentId

  • path

  • experimentName

mlflowExperiment

moveMlflowExperiment

A user moves an MLflow experiment.

  • newPath

  • experimentId

  • oldPath

mlflowExperiment

restoreMlflowExperiment

A user restores an MLflow experiment.

  • experimentId

  • path

  • experimentName

mlflowExperiment

renameMlflowExperiment

A user renames an MLflow experiment.

  • oldName

  • newName

  • experimentId

  • parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service

Action

Description

Request parameters

modelRegistry

approveTransitionRequest

A user approves a model version stage transition request.

  • name

  • version

  • stage

  • archive_existing_versions

modelRegistry

changeRegisteredModelAcl

A user updates permissions for a registered model.

  • registeredModelId

  • userId

modelRegistry

createComment

A user posts a comment on a model version.

  • name

  • version

modelRegistry

createModelVersion

A user creates a model version.

  • name

  • source

  • run_id

  • tags

  • run_link

modelRegistry

createRegisteredModel

A user creates a new registered model

  • name

  • tags

modelRegistry

createRegistryWebhook

User creates a webhook for Model Registry events.

  • orgId

  • registeredModelId

  • events

  • description

  • status

  • creatorId

  • httpUrlSpec

modelRegistry

createTransitionRequest

A user creates a model version stage transition request.

  • name

  • version

  • stage

modelRegistry

deleteComment

A user deletes a comment on a model version.

  • id

modelRegistry

deleteModelVersion

A user deletes a model version.

  • name

  • version

modelRegistry

deleteModelVersionTag

A user deletes a model version tag.

  • name

  • version

  • key

modelRegistry

deleteRegisteredModel

A user deletes a registered model

  • name

modelRegistry

deleteRegisteredModelTag

A user deletes the tag for a registered model.

  • name

  • key

modelRegistry

deleteRegistryWebhook

User deletes a Model Registry webhook.

  • orgId

  • webhookId

modelRegistry

deleteTransitionRequest

A user cancels a model version stage transition request.

  • name

  • version

  • stage

  • creator

modelRegistry

finishCreateModelVersionAsync

Completed asynchronous model copying.

  • name

  • version

modelRegistry

generateBatchInferenceNotebook

Batch inference notebook is autogenerated.

  • userId

  • orgId

  • modelName

  • inputTableOpt

  • outputTablePathOpt

  • stageOrVersion

  • modelVersionEntityOpt

  • notebookPath

modelRegistry

generateDltInferenceNotebook

Inference notebook for a Delta Live Tables pipeline is autogenerated.

  • userId

  • orgId

  • modelName

  • inputTable

  • outputTable

  • stageOrVersion

  • notebookPath

modelRegistry

getModelVersionDownloadUri

A user gets a URI to download the model version.

  • name

  • version

modelRegistry

getModelVersionSignedDownloadUri

A user gets a URI to download a signed model version.

  • name

  • version

  • path

modelRegistry

listModelArtifacts

A user makes a call to list a model’s artifacts.

  • name

  • version

  • path

  • page_token

modelRegistry

listRegistryWebhooks

A user makes a call to list all registry webhooks in the model.

  • orgId

  • registeredModelId

modelRegistry

rejectTransitionRequest

A user rejects a model version stage transition request.

  • name

  • version

  • stage

modelRegistry

renameRegisteredModel

A user renames a registered model

  • name

  • new_name

modelRegistry

setEmailSubscriptionStatus

A user updates the email subscription status for a registered model

modelRegistry

setModelVersionTag

A user sets a model version tag.

  • name

  • version

  • key

  • value

modelRegistry

setRegisteredModelTag

A user sets a model version tag.

  • name

  • key

  • value

modelRegistry

setUserLevelEmailSubscriptionStatus

A user updates their email notifications status for the whole registry.

  • orgId

  • userId

  • subscriptionStatus

modelRegistry

testRegistryWebhook

A user tests the Model Registry webhook.

  • orgId

  • webhookId

modelRegistry

transitionModelVersionStage

A user gets a list of all open stage transition requests for the model version.

  • name

  • version

  • stage

  • archive_existing_versions

modelRegistry

triggerRegistryWebhook

A Model Registry webhook is triggered by an event.

  • orgId

  • registeredModelId

  • events

  • status

modelRegistry

updateComment

A user post an edit to a comment on a model version.

  • id

modelRegistry

updateRegistryWebhook

A user updates a Model Registry webhook.

  • orgId

  • webhookId

Model serving events

The following serverlessRealTimeInference events are logged at the workspace level.

Service

Action

Description

Request parameters

serverlessRealTimeInference

changeInferenceEndpointAcl

User updates permissions for an inference endpoint.

  • shardName

  • targetUserId

  • resourceId

  • aclPermissionSet

serverlessRealTimeInference

createServingEndpoint

User creates a model serving endpoint.

  • name

  • config

serverlessRealTimeInference

deleteServingEndpoint

User deletes a model serving endpoint.

  • name

serverlessRealTimeInference

disable

User disables model serving for a registered model.

  • registered_mode_name

serverlessRealTimeInference

enable

User enables model serving for a registered model.

  • registered_mode_name

serverlessRealTimeInference

getQuerySchemaPreview

Users makes a call to get the query schema preview.

  • endpoint_name

serverlessRealTimeInference

updateServingEndpoint

User updates a model serving endpoint.

  • name

  • served_models

  • traffic_config

serverlessRealTimeInference

updateInferenceEndpointRateLimits

User updates the rate limits for an inference endpoint. Rate limits only apply to Foundation Model APIs pay-per-token and external model endpoints.

  • name

  • rate_limits

Notebook events

The following notebook events are logged at the workspace level.

Service

Action

Description

Request parameters

notebook

attachNotebook

A notebook is attached to a cluster.

  • path

  • clusterId

  • notebookId

notebook

cloneNotebook

A user clones a notebook.

  • notebookId

  • path

  • clonedNotebookId

  • destinationPath

notebook

createNotebook

A notebook is created.

  • notebookId

  • path

notebook

deleteFolder

A notebook folder is deleted.

  • path

notebook

deleteNotebook

A notebook is deleted.

  • notebookId

  • notebookName

  • path

notebook

detachNotebook

A notebook is detached from a cluster.

  • notebookId

  • clusterId

  • path

notebook

downloadLargeResults

A user downloads query results too large to display in the notebook.

  • notebookId

  • notebookFullPath

notebook

downloadPreviewResults

A user downloads the query results.

  • notebookId

  • notebookFullPath

notebook

importNotebook

A user imports a notebook.

  • path

notebook

moveFolder

A notebook folder is moved from one location to another.

  • oldPath

  • newPath

  • folderId

notebook

moveNotebook

A notebook is moved from one location to another.

  • newPath

  • oldPath

  • notebookId

notebook

renameNotebook

A notebook is renamed.

  • newName

  • oldName

  • parentPath

  • notebookId

notebook

restoreFolder

A deleted folder is restored.

  • path

notebook

restoreNotebook

A deleted notebook is restored.

  • path

  • notebookId

  • notebookName

notebook

runCommand

Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.

executionTime is measured in seconds.

  • notebookId

  • executionTime

  • status

  • commandId

  • commandText

  • commandLanguage

notebook

takeNotebookSnapshot

Notebook snapshots are taken when either the job service or mlflow is run.

  • path

Partner Connect events

The following partnerHub events are logged at the workspace level.

Service

Action

Description

Request parameters

partnerHub

createOrReusePartnerConnection

A workspace admin sets up a connection to a partner solution.

  • partner_name

partnerHub

deletePartnerConnection

A workspace admin deletes a partner connection.

  • partner_name

partnerHub

downloadPartnerConnectionFile

A workspace admin downloads the partner connection file.

  • partner_name

partnerHub

setupResourcesForPartnerConnection

A workspace admin sets up resources for a partner connection.

  • partner_name

Predictive optimization events

The following predictiveOptimization events are logged at the workspace level.

Service

Action

Description

Request parameters

predictiveOptimization

PutMetrics

Recorded when predictive optimization updates table and workload metrics so the service can more intelligently schedule optimization operations.

  • table_metrics_list

  • start_time

  • end_time

predictiveOptimization

UpdatePredictiveOptimization

An account admin enables or disables predictive optimization for a metastore.

  • metastore_id

  • enable

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service

Action

Description

Request parameters

remoteHistoryService

addUserGitHubCredentials

User adds Github Credentials

none

remoteHistoryService

deleteUserGitHubCredentials

User removes Github Credentials

none

remoteHistoryService

updateUserGitHubCredentials

User updates Github Credentials

none

Git folder events

The following repos events are logged at the workspace level.

Service

Action name

Description

Request parameters

repos

checkoutBranch

A user checks out a branch on the repo.

  • id

  • branch

repos

commitAndPush

A user commits and pushes to a repo.

  • id

  • message

  • files

  • checkSensitiveToken

repos

createRepo

A user creates a repo in the workspace

  • url

  • provider

  • path

repos

deleteRepo

A user deletes a repo.

  • id

repos

discard

A user discards a commit to a repo.

  • id

  • file_paths

repos

getRepo

A user makes a call to get information about a single repo.

  • id

repos

listRepos

A user makes a call to get all repos they have Manage permissions on.

  • path_prefix

  • next_page_token

repos

pull

A user pulls the latest commits from a repo.

  • id

repos

updateRepo

A user updates the repo to a different branch or tag, or to the latest commit on the same branch.

  • id

  • branch

  • tag

  • git_url

  • git_provider

Secrets events

The following secrets events are logged at the workspace level.

Service

Action name

Description

Request parameters

secrets

createScope

User creates a secret scope.

  • scope

  • initial_manage_principal

  • scope_backend_type

secrets

deleteAcl

User deletes ACLs for a secret scope.

  • scope

  • principal

secrets

deleteScope

User deletes a secret scope.

  • scope

secrets

deleteSecret

User deletes a secret from a scope.

  • key

  • scope

secrets

getAcl

User gets ACLs for a secret scope.

  • scope

  • principal

secrets

getSecret

User gets a secret from a scope.

  • key

  • scope

secrets

listAcls

User makes a call to list ACLs for a secret scope.

  • scope

secrets

listScopes

User makes a call to list secret scopes

none

secrets

listSecrets

User makes a call to list secrets within a scope.

  • scope

secrets

putAcl

User changes ACLs for a secret scope.

  • scope

  • principal

  • permission

secrets

putSecret

User adds or edits a secret within a scope.

  • string_value

  • key

  • scope

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service

Action name

Description

Request parameters

sqlPermissions

changeSecurableOwner

Workspace admin or owner of an object transfers object ownership.

  • securable

  • principal

sqlPermissions

createSecurable

User creates a securable object.

  • securable

sqlPermissions

denyPermission

Object owner denies privileges on a securable object.

  • permission

sqlPermissions

grantPermission

Object owner grants permission on a securable object.

  • permission

sqlPermissions

removeAllPermissions

User drops a securable object.

  • securable

sqlPermissions

renameSecurable

User renames a securable object.

  • before

  • after

sqlPermissions

requestPermissions

User requests permissions on a securable object.

  • requests

sqlPermissions

revokePermission

Object owner revokes permissions on their securable object.

  • permission

sqlPermissions

showPermissions

User views securable object permissions.

  • securable

  • principal

SSH events

The following ssh events are logged at the workspace level.

Service

Action name

Description

Request parameters

ssh

login

Agent login of SSH into Spark driver.

  • containerId

  • userName

  • port

  • publicKey

  • instanceId

ssh

logout

Agent logout of SSH from Spark driver.

  • userName

  • containerId

  • instanceId

Vector search events

The following vectorSearch events are logged at the workspace level.

Service

Action

Description

Request parameters

vectorSearch

createEndpoint

User creates a vector search endpoint.

  • name

  • endpoint_type

vectorSearch

deleteEndpoint

User deletes a vector search endpoint.

  • name

vectorSearch

createVectorIndex

User creates a vector search index.

  • name

  • endpoint_name

  • primary_key

  • index_type

  • delta_sync_index_spec

  • direct_access_index_spec

vectorSearch

deleteVectorIndex

User deletes a vector search index.

  • name

  • endpoint_name

  • delete_embedding_writeback_table

Web terminal events

The following webTerminal events are logged at the workspace level.

Service

Action name

Description

Request parameters

webTerminal

startSession

User starts a web terminal sessions.

  • socketGUID

  • clusterId

  • serverPort

  • ProxyTargetURI

webTerminal

closeSession

User closes a web terminal session.

  • socketGUID

  • clusterId

  • serverPort

  • ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level.

Service

Action name

Description

Request parameters

workspace

changeWorkspaceAcl

Permissions to the workspace are changed.

  • shardName

  • targetUserId

  • aclPermissionSet

  • resourceId

workspace

deleteSetting

A setting is deleted from the workspace.

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

workspace

fileCreate

User creates a file in the workspace.

  • path

workspace

fileDelete

User deletes a file in the workspace.

  • path

workspace

fileEditorOpenEvent

User opens the file editor.

  • notebookId

  • path

workspace

getRoleAssignment

User gets a workspace’s user roles.

  • account_id

  • workspace_id

workspace

mintOAuthAuthorizationCode

Recorded when in-house OAuth authorization code is minted at the workspace level.

  • client_id

workspace

mintOAuthToken

OAuth token is minted for workspace.

  • grant_type

  • scope

  • expires_in

  • client_id

workspace

moveWorkspaceNode

A workspace admin moves workspace node.

  • destinationPath

  • path

workspace

purgeWorkspaceNodes

A workspace admin purges workspace nodes.

  • treestoreId

workspace

reattachHomeFolder

An existing home folder is re-attached for a user that is re-added to the workspace.

  • path

workspace

renameWorkspaceNode

A workspace admin renames workspace nodes.

  • path

  • destinationPath

workspace

unmarkHomeFolder

Home folder special attributes are removed when a user is removed from the workspace.

  • path

workspace

updateRoleAssignment

A workspace admin updates a workspace user’s role.

  • account_id

  • workspace_id

  • principal_id

workspace

updatePermissionAssignment

A workspace admin adds a principal to the workspace.

  • principal_id

  • permissions

workspace

setSetting

A workspace admin configures a workspace setting.

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

  • settingValueForAudit

workspace

workspaceConfEdit

Workspace admin makes updates to a setting, for example enabling verbose audit logs.

  • workspaceConfKeys

  • workspaceConfValues

workspace

workspaceExport

User exports a notebook from a workspace.

  • workspaceExportDirectDownload

  • workspaceExportFormat

  • notebookFullPath

workspace

workspaceInHouseOAuthClientAuthentication

OAuth client is authenticated in workspace service.

  • user

Billable usage events

The following accountBillableUsage events are logged at the account level.

Service

Action

Description

Request parameters

accountBillableUsage

getAggregatedUsage

User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature.

  • account_id

  • window_size

  • start_time

  • end_time

  • meter_name

  • workspace_ids_filter

accountBillableUsage

getDetailedUsage

User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature.

  • account_id

  • start_month

  • end_month

  • with_pii

Account-level account events

The following accounts events are logged at the account level.

Service

Action

Description

Request parameters

accounts

accountInHouseOAuthClientAuthentication

An OAuth client is authenticated.

  • endpoint

accounts

accountIpAclsValidationFailed

IP permissions validation fails. Returns statusCode 403.

  • sourceIpAddress

  • user: logged as an email address

accounts

activateUser

A user is reactivated after being deactivated. See Deactivate users in account.

  • targetUserName

  • endpoint

  • targetUserId

accounts

add

A user is added to the Databricks account.

  • targetUserName

  • endpoint

  • targetUserId

accounts

addPrincipalToGroup

A user is added to an account-level group.

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

addPrincipalsToGroup

Users are added to an account-level group using SCIM provisioning.

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

createGroup

An account-level group is created.

  • endpoint

  • targetGroupId

  • targetGroupName

accounts

deactivateUser

A user is deactivated. See Deactivate users in account.

  • targetUserName

  • endpoint

  • targetUserId

accounts

delete

A user is deleted from the Databricks account.

  • targetUserId

  • targetUserName

  • endpoint

accounts

deleteSetting

Account admin removes a setting from the Databricks account.

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

  • settingValueForAudit

accounts

garbageCollectDbToken

A user runs a garbage collect command on expired tokens.

  • tokenExpirationTime

  • tokenClientId

  • userId

  • tokenCreationTime

  • tokenFirstAccessed

accounts

generateDbToken

User generates a token from User Settings or when the service generates the token.

  • tokenExpirationTime

  • tokenCreatedBy

  • tokenHash

  • userId

accounts

login

A user logs into the account console.

  • user

accounts

logout

A user logs out of the account console.

  • user

accounts

mintOAuthAuthorizationCode

Recorded when in-house OAuth authorization code is minted at the account level.

  • client_id

accounts

mintOAuthToken

An account-level OAuth token is issued to the service principal.

  • user

accounts

oidcBrowserLogin

A user logs into their account with the OpenID Connect browser workflow.

  • user

accounts

oidcTokenAuthorization

An OIDC token is authenticated for an account admin login.

  • user

accounts

passwordVerifyAuthentication

A user’s password is verified during account console login.

  • user

accounts

removeAccountAdmin

An account admin removes account admin permissions from another user.

  • targetUserName

  • endpoint

  • targetUserId

accounts

removeGroup

A group is removed from the account.

  • targetGroupId

  • targetGroupName

  • endpoint

accounts

removePrincipalFromGroup

A user is removed from an account-level group.

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

removePrincipalsFromGroup

Users are removed from an account-level group using SCIM provisioning.

  • targetGroupId

  • endpoint

  • targetUserId

  • targetGroupName

  • targetUserName

accounts

setAccountAdmin

An account admin assigns the account admin role to another user.

  • targetUserName

  • endpoint

  • targetUserId

accounts

setSetting

An account admin updates an account-level setting.

  • settingKeyTypeName

  • settingKeyName

  • settingTypeName

  • settingName

  • settingValueForAudit

accounts

tokenLogin

A user logs into Databricks using a token.

  • tokenId

  • user

accounts

updateUser

An account admin updates a user account.

  • targetUserName

  • endpoint

  • targetUserId

accounts

updateGroup

An account admin updates an account-level group.

  • endpoint

  • targetGroupId

  • targetGroupName

accounts

validateEmail

When a user validates their email after account creation.

  • endpoint

  • targetUserName

  • targetUserId

Account-level access control events

The following accountsAccessControl event is logged at the account level.

Service

Action

Description

Request parameters

accountsAccessControl

updateRuleSet

When a rule set is changed.

  • account_id

  • name

  • rule_set

Account management events

The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.

Service

Action

Description

Request parameters

accountsManager

acceptTos

Admin accepts a workspace’s terms of service.

  • workspace_id

accountsManager

accountUserResetPassword

Account admin resets a users password. Also logs whether the user changed the password after the reset.

  • wasPasswordChanged

  • serviceSource

  • targetUserId

  • userId

  • newPasswordSource

accountsManager

changeAccountOwner

Account owner role is transferred to another account admin.

  • account_id

  • first_name

  • last_name

  • email

accountsManager

consolidateAccounts

The account was consolidated with another account by Databricks.

  • target_account_id

  • account_ids_to_consolidate

accountsManager

createCredentialsConfiguration

Account admin created a credentials configuration.

  • credentials

accountsManager

createCustomerManagedKeyConfiguration

Account admin created a customer-managed key configuration.

  • customer_managed_key

accountsManager

createNetworkConfiguration

Account admin created a network configuration.

  • network

accountsManager

createPrivateAccessSettings

Account admin created a private access settings configuration.

  • private_access_settings

accountsManager

createStorageConfiguration

Account admin created a storage configuration.

  • storage_configuration

accountsManager

createVpcEndpoint

Account admin created a VPC endpoint configuration.

  • vpc_endpoint

accountsManager

createWorkspaceConfiguration

Account admin creates a new workspace. The workspace request parameter is an array of deployment information including workspace_name. You can find the workspace_id in the response.result parameter.

  • workspace

accountsManager

deleteCredentialsConfiguration

Account admin deleted a credentials configuration.

  • account_id

  • credentials_id

accountsManager

deleteCustomerManagedKeyConfiguration

Account admin deleted a customer-managed key configuration.

  • account_id

  • customer_managed_key_id

accountsManager

deleteNetworkConfiguration

Account admin deleted a network configuration.

  • account_id

  • network_id

accountsManager

deletePrivateAccessSettings

Account admin deleted a private access settings configuration.

  • account_id

  • private_access_settings_id

accountsManager

deleteStorageConfiguration

Account admin deleted a storage configuration.

  • account_id

  • storage_configuration_id

accountsManager

deleteVpcEndpoint

Account admin deleted a VPC endpoint configuration.

  • account_id

  • vpc_endpoint_id

accountsManager

deleteWorkspaceConfiguration

Account admin deleted a workspace.

  • account_id

  • workspace_id

accountsManager

getCredentialsConfiguration

Account admin requests details about a credentials configuration.

  • account_id

  • credentials_id

accountsManager

getCustomerManagedKeyConfiguration

Account admin requests details about a customer-managed key configuration.

  • account_id

  • customer_managed_key_id

accountsManager

getNetworkConfiguration

Account admin requests details about a network configuration.

  • account_id

  • network_id

accountsManager

getPrivateAccessSettings

Account admin requests details about a private access settings configuration.

  • account_id

  • private_access_settings_id

accountsManager

getStorageConfiguration

Account admin requests details about a storage configuration.

  • account_id

  • storage_configuration_id

accountsManager

getVpcEndpoint

Account admin requests details about a VPC endpoint configuration.

  • account_id

  • vpc_endpoint_id

accountsManager

getWorkspaceConfiguration

Account admin requests details about a workspace.

  • account_id

  • workspace_id

accountsManager

listCredentialsConfigurations

Account admin lists all credentials configurations in the account.

  • account_id

accountsManager

listCustomerManagedKeyConfigurations

Account admin lists all customer-managed key configurations in the account.

  • account_id

accountsManager

listNetworkConfigurations

Account admin lists all network configurations in the account.

  • account_id

accountsManager

listPrivateAccessSettings

Account admin lists all private access settings configurations in the account.

  • account_id

accountsManager

listStorageConfigurations

Account admin lists all storage configurations in the account.

  • account_id

accountsManager

listSubscriptions

Account admin lists all account billing subscriptions.

  • account_id

accountsManager

listVpcEndpoints

Account admin listed all VPC endpoint configurations for the account.

  • account_id

accountsManager

listWorkspaceConfigurations

Account admin lists all workspace in the account.

  • account_id

accountsManager

listWorkspaceEncryptionKeyRecords

Account admin lists all encryption key records in a specific workspace.

  • account_id

  • workspace_id

accountsManager

listWorkspaceEncryptionKeyRecordsForAccount

Account admin lists all encryption key records in the account.

  • account_id

accountsManager

sendTos

An email was sent to a workspace admin to accept the Databricks Terms of Service.

  • account_id

  • workspace_id

accountsManager

updateAccount

The account details were changed internally.

  • account_id

  • account

accountsManager

updateSubscription

The account billing subscriptions were updated.

  • account_id

  • subscription_id

  • subscription

accountsManager

updateWorkspaceConfiguration

Admin updated the configuration for a workspace.

  • account_id

  • workspace_id

Log delivery events

The following logDelivery events are logged at the account level.

Service

Action

Description

Request parameters

logDelivery

createLogDeliveryConfiguration

Admin created a log delivery configuration.

  • account_id

  • config_id

logDelivery

getLogDeliveryConfiguration

Admin requested details about a log delivery configuration.

  • log_delivery_configuration

logDelivery

listLogDeliveryConfigurations

Admin listed all log delivery configurations in the account.

  • account_id

  • storage_configuration_id

  • credentials_id

  • status

logDelivery

updateLogDeliveryConfiguration

Admin updated a log delivery configuration.

  • config_id

  • account_id

  • status

Oauth SSO events

The following oauth2 events are logged at the account level and are related to OAuth SSO authentication to the account console.

Service

Action

Description

Request parameters

oauth2

createCustomAppIntegration

A workspace admin creates custom app integration.

  • redirect_url

  • name

  • token_access_policy

  • confidential

oauth2

createPublishedAppIntegration

A workspace admin creates an app integration using a published app integration.

  • app_id

oauth2

deleteCustomAppIntegration

A workspace admin deletes custom app integration.

  • integration_id

oauth2

deletePublishedAppIntegration

A workspace admin deletes published app integration.

  • integration_id

oauth2

enrollOAuth

A workspace admin enrolls account in OAuth.

  • enable_all_published_apps

oauth2

updateCustomAppIntegration

A workspace admin updates custom app integration.

  • redirect_url

  • name

  • token_access_policy

  • confidential

oauth2

updatePublishedAppIntegration

A workspace admin updates published app integration.

  • token_access_policy

Service principal credentials events (Public Preview)

The following servicePrincipalCredentials events are logged at the account level.

Service

Action

Description

Request parameters

servicePrincipalCredentials

create

Account admin generates an OAuth secret for the service principal.

  • account_id

  • service_principal

  • secret_id

servicePrincipalCredentials

list

Account admin lists all OAuth secrets under a service principal.

  • account_id

  • service_principal

servicePrincipalCredentials

delete

Account admin deletes a service principal’s OAuth secret.

  • account_id

  • service_principal

  • secret_id

Single-sign on events

The following ssoConfigBackend events are logged at the account level and are related to SSO authentication for the account console.

Service

Action

Description

Request parameters

ssoConfigBackend

create

Account admin created an account console SSO configuration.

  • account_id

  • sso_type

  • config

ssoConfigBackend

get

Account admin requested details about an account console SSO configuration.

  • account_id

  • sso_type

ssoConfigBackend

update

Account admin updated an account console SSO configuration.

  • account_id

  • sso_type

  • config

Unity Catalog events

The following audit events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog audit events can be logged at the workspace level or account level depending on the event.

Service

Action

Description

Request parameters

unityCatalog

createMetastore

Account admin creates a metastore.

  • name

  • storage_root

  • workspace_id

  • metastore_id

unityCatalog

getMetastore

Account admin requests metastore ID.

  • id

  • workspace_id

  • metastore_id

unityCatalog

getMetastoreSummary

Account admin requests details about a metastore.

  • workspace_id

  • metastore_id

unityCatalog

listMetastores

Account admin requests a list of all metastores in an account.

  • workspace_id

unityCatalog

updateMetastore

Account admin makes an update to a metastore.

  • id

  • owner

  • workspace_id

  • metastore_id

unityCatalog

deleteMetastore

Account admin deletes a metastore.

  • id

  • force

  • workspace_id

  • metastore_id

unityCatalog

updateMetastoreAssignment

Account admin makes an update to a metastore’s workspace assignment.

  • workspace_id

  • metastore_id

  • default_catalog_name

unityCatalog

createExternalLocation

Account admin creates an external location.

  • name

  • skip_validation

  • url

  • credential_name

  • workspace_id

  • metastore_id

unityCatalog

getExternalLocation

Account admin requests details about an external location.

  • name_arg

  • include_browse

  • workspace_id

  • metastore_id

unityCatalog

listExternalLocations

Account admin request list of all external locations in an account.

  • url

  • max_results

  • workspace_id

  • metastore_id

unityCatalog

updateExternalLocation

Account admin makes an update to an external location.

  • name_arg

  • owner

  • workspace_id

  • metastore_id

unityCatalog

deleteExternalLocation

Account admin deletes an external location.

  • name_arg

  • force

  • workspace_id

  • metastore_id

unityCatalog

createCatalog

User creates a catalog.

  • name

  • comment

  • workspace_id

  • metastore_id

unityCatalog

deleteCatalog

User deletes a catalog.

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

getCatalog

User requests details about a catalog.

  • name_arg

  • dependent

  • workspace_id

  • metastore_id

unityCatalog

updateCatalog

User updates a catalog.

  • name_arg

  • isolation_mode

  • comment

  • workspace_id

  • metastore_id

unityCatalog

listCatalog

User makes a call to list all catalogs in the metastore.

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

createSchema

User creates a schema.

  • name

  • catalog_name

  • comment

  • workspace_id

  • metastore_id

unityCatalog

deleteSchema

User deletes a schema.

  • full_name_arg

  • force

  • workspace_id

  • metastore_id

unityCatalog

getSchema

User requests details about a schema.

  • full_name_arg

  • dependent

  • workspace_id

  • metastore_id

unityCatalog

listSchema

User requests a list of all schemas in a catalog.

  • catalog_name

unityCatalog

updateSchema

User updates a schema.

  • full_name_arg

  • name

  • workspace_id

  • metastore_id

  • comment

unityCatalog

createStagingTable

  • name

  • catalog_name

  • schema_name

  • workspace_id

  • metastore_id

unityCatalog

createTable

User creates a table. The request parameters differ depending on the type of table created.

  • name

  • data_source_format

  • catalog_name

  • schema_name

  • storage_location

  • columns

  • dry_run

  • table_type

  • view_dependencies

  • view_definition

  • sql_path

  • comment

unityCatalog

deleteTable

User deletes a table.

  • full_name_arg

  • workspace_id

  • metastore_id

unityCatalog

getTable

User requests details about a table.

  • include_delta_metadata

  • full_name_arg

  • dependent

  • workspace_id

  • metastore_id

unityCatalog

privilegedGetTable

  • full_name_arg

unityCatalog

listTables

User makes a call to list all tables in a schema.

  • catalog_name

  • schema_name

  • workspace_id

  • metastore_id

  • include_browse

unityCatalog

listTableSummaries

User gets an array of summaries for tables for a schema and catalog within the metastore.

  • catalog_name

  • schema_name_pattern

  • workspace_id

  • metastore_id

unityCatalog

updateTables

User makes an update to a table. The request parameters displayed vary depending on the type of table updates made.

  • full_name_arg

  • table_type

  • table_constraint_list

  • data_source_format

  • columns

  • dependent

  • row_filter

  • storage_location

  • sql_path

  • view_definition

  • view_dependencies

  • owner

  • comment

  • workspace_id

  • metastore_id

unityCatalog

createStorageCredential

Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials.

  • name

  • comment

  • workspace_id

  • metastore_id

unityCatalog

listStorageCredentials

Account admin makes a call to list all storage credentials in the account.

  • workspace_id

  • metastore_id

unityCatalog

getStorageCredential

Account admin requests details about a storage credential.

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

updateStorageCredential

Account admin makes an update to a storage credential.

  • name_arg

  • owner

  • workspace_id

  • metastore_id

unityCatalog

deleteStorageCredential

Account admin deletes a storage credential.

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

generateTemporaryTableCredential

Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when.

  • credential_id

  • credential_type

  • is_permissions_enforcing_client

  • table_full_name

  • operation

  • table_id

  • workspace_id

  • table_url

  • metastore_id

unityCatalog

generateTemporaryPathCredential

Logged whenever a temporary credential is granted for a path.

  • url

  • operation

  • make_path_only_parent

  • workspace_id

  • metastore_id

unityCatalog

getPermissions

User makes a call to get permission details for a securable object. This call doesn’t return inherited permissions, only explicitly assigned permissions.

  • securable_type

  • securable_full_name

  • workspace_id

  • metastore_id

unityCatalog

getEffectivePermissions

User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions.

  • securable_type

  • securable_full_name

  • workspace_id

  • metastore_id

unityCatalog

updatePermissions

User updates permissions on a securable object.

  • securable_type

  • changes

  • securable_full_name

  • workspace_id

  • metastore_id

unityCatalog

metadataSnapshot

User queries the metadata from a previous table version.

  • securables

  • include_delta_metadata

  • workspace_id

  • metastore_id

unityCatalog

metadataAndPermissionsSnapshot

User queries the metadata and permissions from a previous table version.

  • securables

  • include_delta_metadata

  • workspace_id

  • metastore_id

unityCatalog

updateMetadataSnapshot

User updates the metadata from a previous table version.

  • table_list_snapshots

  • schema_list_snapshots

  • workspace_id

  • metastore_id

unityCatalog

getForeignCredentials

User makes a call to get details about a foreign key.

  • securables

  • workspace_id

  • metastore_id

unityCatalog

getInformationSchema

User makes a call to get details about a schema.

  • table_name

  • page_token

  • required_column_names

  • row_set_type

  • required_column_names

  • workspace_id

  • metastore_id

unityCatalog

createConstraint

User creates a constraint for a table.

  • full_name_arg

  • constraint

  • workspace_id

  • metastore_id

unityCatalog

deleteConstraint

User deletes a constraint for a table.

  • full_name_arg

  • constraint

  • workspace_id

  • metastore_id

unityCatalog

createPipeline

User creates a Unity Catalog pipeline.

  • target_catalog_name

  • has_workspace_definition

  • id

  • workspace_id

  • metastore_id

unityCatalog

updatePipeline

User updates a Unity Catalog pipeline.

  • id_arg

  • definition_json

  • id

  • workspace_id

  • metastore_id

unityCatalog

getPipeline

User requests details about a Unity Catalog pipeline.

  • id

  • workspace_id

  • metastore_id

unityCatalog

deletePipeline

User deletes a Unity Catalog pipeline.

  • id

  • workspace_id

  • metastore_id

unityCatalog

deleteResourceFailure

Resource fails to delete

none

unityCatalog

createVolume

User creates a Unity Catalog volume.

  • name

  • catalog_name

  • schema_name

  • volume_type

  • storage_location

  • owner

  • comment

  • workspace_id

  • metastore_id

unityCatalog

getVolume

User makes a call to get information on a Unity Catalog volume.

  • volume_full_name

  • workspace_id

  • metastore_id

unityCatalog

updateVolume

User updates a Unity Catalog volume’s metadata with the ALTER VOLUME or COMMENT ON calls.

  • volume_full_name

  • name

  • owner

  • comment

  • workspace_id

  • metastore_id

unityCatalog

deleteVolume

User deletes a Unity Catalog volume.

  • volume_full_name

  • workspace_id

  • metastore_id

unityCatalog

listVolumes

User makes a call to get a list of all Unity Catalog volumes in a schema.

  • catalog_name

  • schema_name

  • workspace_id

  • metastore_id

unityCatalog

generateTemporaryVolumeCredential

A temporary credential is generated when a user performs a read or write on a volume. You can use this event to determine who accessed a volume and when.

  • volume_id

  • volume_full_name

  • operation

  • volume_storage_location

  • credential_id

  • credential_type

  • workspace_id

  • metastore_id

unityCatalog

getTagSecurableAssignments

Tag assignments for a securable are fetched

  • securable_type

  • securable_full_name

  • workspace_id

  • metastore_id

unityCatalog

getTagSubentityAssignments

Tag assignments for a subentity are fetched

  • securable_type

  • securable_full_name

  • workspace_id

  • metastore_id

  • subentity_name

unityCatalog

UpdateTagSecurableAssignments

Tag assignments for a securable are updated

  • securable_type

  • securable_full_name

  • workspace_id

  • metastore_id

  • changes

unityCatalog

UpdateTagSubentityAssignments

Tag assignments for a subentity are updated

  • securable_type

  • securable_full_name

  • workspace_id

  • metastore_id

  • subentity_name

  • changes

unityCatalog

createRegisteredModel

User creates a Unity Catalog registered model.

  • name

  • catalog_name

  • schema_name

  • owner

  • comment

  • workspace_id

  • metastore_id

unityCatalog

getRegisteredModel

User makes a call to get information on a Unity Catalog registered model.

  • full_name_arg

  • workspace_id

  • metastore_id

unityCatalog

updateRegisteredModel

User updates a Unity Catalog registered model’s metadata.

  • full_name_arg

  • name

  • owner

  • comment

  • workspace_id

  • metastore_id

unityCatalog

deleteRegisteredModel

User deletes a Unity Catalog registered model.

  • full_name_arg

  • workspace_id

  • metastore_id

unityCatalog

listRegisteredModels

User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas.

  • catalog_name

  • schema_name

  • max_results

  • page_token

  • workspace_id

  • metastore_id

unityCatalog

createModelVersion

User creates a model version in Unity Catalog.

  • catalog_name

  • schema_name

  • model_name

  • source

  • comment

  • workspace_id

  • metastore_id

unityCatalog

finalizeModelVersion

User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows.

  • full_name_arg

  • version_arg

  • workspace_id

  • metastore_id

unityCatalog

getModelVersion

User makes a call to get details on a model version.

  • full_name_arg

  • version_arg

  • workspace_id

  • metastore_id

unityCatalog

getModelVersionByAlias

User makes a call to get details on a model version using the alias.

  • full_name_arg

  • include_aliases

  • alias_arg

  • workspace_id

  • metastore_id

unityCatalog

updateModelVersion

User updates a model version’s metadata.

  • full_name_arg

  • version_arg

  • name

  • owner

  • comment

  • workspace_id

  • metastore_id

unityCatalog

deleteModelVersion

User deletes a model version.

  • full_name_arg

  • version_arg

  • workspace_id

  • metastore_id

unityCatalog

listModelVersions

User makes a call to get a list of Unity Catalog model versions in a registered model.

  • catalog_name

  • schema_name

  • model_name

  • max_results

  • page_token

  • workspace_id

  • metastore_id

unityCatalog

generateTemporaryModelVersionCredential

A temporary credential is generated when a user performs a write (during initial model version creaiton) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when.

  • full_name_arg

  • version_arg

  • operation

  • model_version_url

  • credential_id

  • credential_type

  • workspace_id

  • metastore_id

unityCatalog

setRegisteredModelAlias

User sets an alias on a Unity Catalog registered model.

  • full_name_arg

  • alias_arg

  • version

unityCatalog

deleteRegisteredModelAlias

User deletes an alias on a Unity Catalog registered model.

  • full_name_arg

  • alias_arg

unityCatalog

getModelVersionByAlias

User gets a Unity Catalog model version by alias.

  • full_name_arg

  • alias_arg

unityCatalog

createConnection

A new foreign connection is created.

  • name

  • connection_type

  • workspace_id

  • metastore_id

unityCatalog

deleteConnection

A foreign connection is deleted.

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

getConnection

A foreign connection is retrieved.

  • name_arg

  • workspace_id

  • metastore_id

unityCatalog

updateConnection

A foreign connection is updated.

  • name_arg

  • owner

  • workspace_id

  • metastore_id

unityCatalog

listConnections

Foreign connections in a metastore are listed.

  • workspace_id

  • metastore_id

unityCatalog

createFunction

User creates a new function.

  • function_info

  • workspace_id

  • metastore_id

unityCatalog

updateFunction

User updates a function.

  • full_name_arg

  • owner

  • workspace_id

  • metastore_id

unityCatalog

listFunctions

User requests a list of all functions within a specific parent catalog or schema.

  • catalog_name

  • schema_name

  • include_browse

  • workspace_id

  • metastore_id

unityCatalog

getFunction

User requests a function from a parent catalog or schema.

  • full_name_arg

  • workspace_id

  • metastore_id

unityCatalog

deleteFunction

User requests a function from a parent catalog or schema.

  • full_name_arg

  • workspace_id

  • metastore_id

unityCatalog

createShareMarketplaceListingLink

  • links_infos

  • metastore_id

unityCatalog

deleteShareMarketplaceListingLink

  • links_infos

  • metastore_id

Delta Sharing events

Delta Sharing events are broken up into two sections: events recorded in the data provider’s account and events recorded in the data recipient’s account.

Delta Sharing provider events

The following audit log events are logged in the provider’s account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

Service

Action

Description

Request parameters

unityCatalog

deltaSharingListShares

A data recipient requests a list of shares.

  • options: The pagination options provided with this request.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingGetShare

A data recipient requests details about a shares.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListSchemas

A data recipient requests a list of shared schemas.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • options: The pagination options provided with this request.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListAllTables

A data recipient requests a list of all shared tables.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListTables

A data recipient requests a list of shared tables.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • options: The pagination options provided with this request.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingGetTableMetadata

A data recipient requests a details about a table’s metadata.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • schema: The name of the schema.

  • name: The name of the table.

  • predicateHints: The predicates included in the query.

  • limitHints: The maximum number of rows to return.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingGetTableVersion

A data recipient requests a details about a table version.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • schema: The name of the schema.

  • name: The name of the table.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingQueryTable

Logged when a data recipient queries a shared table.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • schema: The name of the schema.

  • name: The name of the table.

  • predicateHints: The predicates included in the query.

  • limitHints: The maximum number of rows to return.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingQueryTableChanges

Logged when a data recipient queries change data for a table.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • schema: The name of the schema.

  • name: The name of the table.

  • cdf_options: Change data feed options.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingQueriedTable

Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing)

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingQueriedTableChanges

Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing).

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListNotebookFiles

A data recipient requests a list of shared notebook files.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingQueryNotebookFile

A data recipient queries a shared notebook file.

  • file_name: The name of the notebook file.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListFunctions

A data recipient requests a list of functions in a parent schema.

  • share: The name of the share.

  • schema: The name of the parent schema of the function.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListAllFunctions

A data recipient requests a list of all shared functions.

  • share: The name of the share.

  • schema: The name of the parent schema of the function.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListFunctionVersions

A data recipient requests a list of function versions.

  • share: The name of the share.

  • schema: The name of the parent schema of the function.

  • function: The name of the function.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListVolumes

A data recipient requests a list of shared volumes in a schema.

  • share: The name of the share.

  • schema: The parents schema of the volumes.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

deltaSharingListAllVolumes

A data recipient requests all shared volumes.

  • share: The name of the share.

  • recipient_name: Indicates the recipient executing the action.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

updateMetastore

Provider updates their metastore.

  • delta_sharing_scope: Values can be INTERNAL or INTERNAL_AND_EXTERNAL.

  • delta_sharing_recipient_token_lifetime_in_seconds: If present, indicates that the recipient token lifetime was updated.

unityCatalog

createRecipient

Provider creates a data recipient.

  • name: The name of the recipient.

  • comment: The comment for the recipient.

  • ip_access_list.allowed_ip_addresses: Recipient IP address allowlist.

unityCatalog

deleteRecipient

Provider deletes a data recipient.

  • name: The name of the recipient.

unityCatalog

getRecipient

Provider requests details about a data recipient.

  • name: The name of the recipient.

unityCatalog

listRecipients

Provider requests a list of all their data recipients.

none

unityCatalog

rotateRecipientToken

Provider rotates a recipient’s token.

  • name: The name of the recipient.

  • comment: The comment given in the rotation command.

unityCatalog

updateRecipient

Provider updates a data recipient’s attributes.

  • name: The name of the recipient.

  • updates: A JSON representation of recipient attributes that were added or removed from the share.

unityCatalog

createShare

Provider updates a data recipient’s attributes.

  • name: The name of the share.

  • comment: The comment for the share.

unityCatalog

deleteShare

Provider updates a data recipient’s attributes.

  • name: The name of the share.

unityCatalog

getShare

Provider requests details about a share.

  • name: The name of the share.

  • include_shared_objects: Whether the share’s table names were included in the request.

unityCatalog

updateShare

Provider adds or removes data assets from a share.

  • name: The name of the share.

  • updates: A JSON representation of data assets that were added or removed from the share. Each item includes action (add or remove), name (the actual name of the table), shared_as (the name the asset was shared as, if different from the actual name), and partition_specification (if a partition specification was provided).

unityCatalog

listShares

Provider requests a list of their shares.

none

unityCatalog

getSharePermissions

Provider requests details on a share’s permissions.

  • name: The name of the share.

unityCatalog

updateSharePermissions

Provider updates a share’s permissions.

  • name: The name of the share.

  • changes: A JSON representation of the updated permissions. Each change includes principal (the user or group to whom permission is granted or revoked), add (the list of permissions that were granted), and remove (the list of permissions that were revoked).

unityCatalog

getRecipientSharePermissions

Provider requests details about a recipient’s share permissions.

  • name: The name of the share.

unityCatalog

getActivationUrlInfo

Provider requests details about activity on their activation link.

  • recipient_name: The name of the recipient who opened the activation URL.

  • is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.

unityCatalog

generateTemporaryVolumeCredential

Temporary credential is generated for the recipient to access a shared volume.

  • share_name: The name of the share through which the recipient requests.

  • share_id: The ID of the share.

  • share_owner: The owner of the share.

  • recipient_name: The name of the recipient who requests the credential.

  • recipient_id: The ID of the recipient.

  • volume_full_name: The full 3-level name of the volume.

  • volume_id: The ID of the volume.

  • volume_storage_location: The cloud path of the volume root.

  • operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported.

  • credential_id: The ID of the credential.

  • credential_type: The type of the credential. Value is always StorageCredential.

  • workspace_id: Value is always 0 when the request is for shared volumes.

unityCatalog

generateTemporaryTableCredential

Temporary credential is generated for the recipient to access a shared table.

  • share_name: The name of the share through which the recipient requests.

  • share_id: The ID of the share.

  • share_owner: The owner of the share.

  • recipient_name: The name of the recipient who requests the credential.

  • recipient_id: The ID of the recipient.

  • table_full_name: The full 3-level name of the table.

  • table_id: The ID of the table.

  • table_url: The cloud path of the table root.

  • operation: Either READ or READ_WRITE.

  • credential_id: The ID of the credential.

  • credential_type: The type of the credential. Value is always StorageCredential.

  • workspace_id: Value is always 0 when the request is for shared tables.

Delta Sharing recipient events

The following events are logged in the data recipient’s account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

  • recipient_name: The name of the recipient in the data provider’s system.

  • metastore_id: The name of the metastore in the data provider’s system.

  • sourceIPAddress: The IP address where the request originated.

Service

Action

Description

Request parameters

unityCatalog

deltaSharingProxyGetTableVersion

A data recipient requests a details on a shared table version.

  • share: The name of the share.

  • schema: The name of the table’s parent schema.

  • name: The name of the table.

unityCatalog

deltaSharingProxyGetTableMetadata

A data recipient requests a details on a shared table’s metadata.

  • share: The name of the share.

  • schema: The name of the table’s parent schema.

  • name: The name of the table.

unityCatalog

deltaSharingProxyQueryTable

A data recipient queries a shared table.

  • share: The name of the share.

  • schema: The name of the table’s parent schema.

  • name: The name of the table.

  • limitHints: The maximum number of rows to return.

  • predicateHints: The predicates included in the query.

  • version: Table version, if change data feed is enabled.

unityCatalog

deltaSharingProxyQueryTableChanges

A data recipient queries change data for a table.

  • share: The name of the share.

  • schema: The name of the table’s parent schema.

  • name: The name of the table.

  • cdf_options: Change data feed options.

unityCatalog

createProvider

A data recipient creates a provider object.

  • name: The name of the provider.

  • comment: The comment for the provider.

unityCatalog

updateProvider

A data recipient updates a provider object.

  • name: The name of the provider.

  • updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner (new owner), and comment.

unityCatalog

deleteProvider

A data recipient deletes a provider object.

  • name: The name of the provider.

unityCatalog

getProvider

A data recipient requests details about a provider object.

  • name: The name of the provider.

unityCatalog

listProviders

A data recipient requests a list of providers.

none

unityCatalog

activateProvider

A data recipient activates a provider object.

  • name: The name of the provider.

unityCatalog

listProviderShares

A data recipient requests a list of a provider’s shares.

  • name: The name of the provider.

unityCatalog

generateTemporaryVolumeCredential

Temporary credential is generated for the recipient to access a shared volume.

  • share_name: The name of the share through which the recipient requests.

  • volume_full_name: The full 3-level name of the volume.

  • volume_id: The ID of the volume.

  • operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported.

  • workspace_id: The ID of the workspace that receives the user request.

unityCatalog

generateTemporaryTableCredential

Temporary credential is generated for the recipient to access a shared table.

  • share_name: The name of the share through which the recipient requests.

  • table_full_name: The full 3-level name of the table.

  • table_id: The ID of the table.

  • operation: Either READ or READ_WRITE.

  • workspace_id: The ID of the workspace that receives the user request.

System log events

Note

The response JSON object in the audit log has a result field that includes the original system log content.

The following syslog event is logged at the workspace level.

Service

Action

Description

Request parameters

syslog

processEvent

The system log processes an event.

  • instanceId

  • processName

Process monitor log events

The following monit events are logged at the workspace level.

Service

Action

Description

Request parameters

monit

processNotRunning

The monitor is not running.

  • instanceId

  • processName

monit

processRestarting

The monitor is restarting.

  • instanceId

  • processName

monit

processStarted

The monitor started.

  • instanceId

  • processName

monit

processRunning

The monitor is running.

  • instanceId

  • processName

Additional security monitoring events

For Databricks compute resources in the classic compute plane, such as VMs for clusters and pro or classic SQL warehouses, the following features enable additional monitoring agents:

For serverless compute resources, the monitoring agents run if the compliance security profile is enabled and the complaince standard supports serverless compute resources. See Which compute resources get enhanced security and Compliance security profile compliance standards with serverless compute availability.

File integrity monitoring events

The following capsule8-alerts-dataplane events are logged at the workspace level.

Service

Action

Description

Request parameters

capsule8-alerts-dataplane

Heartbeat

A regular event to confirm the monitor is on. Currently runs every 10 minutes.

  • instanceId

capsule8-alerts-dataplane

Memory Marked Executable

Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers.

  • instanceId

capsule8-alerts-dataplane

File Integrity Monitor

Monitors the integrity of important system files. Alerts on any unauthorized changes to those files. Databricks defines specific sets of system paths on the image, and this set of paths might change over time.

  • instanceId

capsule8-alerts-dataplane

Systemd Unit File Modified

Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl.

  • instanceId

capsule8-alerts-dataplane

Repeated Program Crashes

Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.

  • instanceId

capsule8-alerts-dataplane

Userfaultfd Usage

As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container.

  • instanceId

capsule8-alerts-dataplane

New File Executed in Container

Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers.

  • instanceId

capsule8-alerts-dataplane

Suspicious Interactive Shell

Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells.

  • instanceId

capsule8-alerts-dataplane

User Command Logging Evasion

Evading command logging is common practice for attackers, but might also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging.

  • instanceId

capsule8-alerts-dataplane

BPF Program Executed

Detects some types of kernel backdoors. The loading of a new Berkeley Packet Filter (BPF) program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Kernel Module Loaded

Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Suspicious Program Name Executed-Space After File

Attackers might create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name.

  • instanceId

capsule8-alerts-dataplane

Illegal Elevation Of Privileges

Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means. This can issue false positive alerts on nodes with significant workloads.

  • instanceId

capsule8-alerts-dataplane

Kernel Exploit

Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to user space.

  • instanceId

capsule8-alerts-dataplane

Processor-Level Protections Disabled

SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.

  • instanceId

capsule8-alerts-dataplane

Container Escape via Kernel Exploitation

Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access.

  • instanceId

capsule8-alerts-dataplane

Privileged Container Launched

Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn’t a known privileged image such as kube-proxy. This can issue unwanted alerts for legitimate privileged containers.

  • instanceId

capsule8-alerts-dataplane

Userland Container Escape

Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.

  • instanceId

capsule8-alerts-dataplane

AppArmor Disabled In Kernel

Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.

  • instanceId

capsule8-alerts-dataplane

AppArmor Profile Modified

Attackers might attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session.

  • instanceId

capsule8-alerts-dataplane

Boot Files Modified

If not performed by a trusted source (such as a package manager or configuration management tool), modification of boot files could indicate an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.

  • instanceId

capsule8-alerts-dataplane

Log Files Deleted

Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.

  • instanceId

capsule8-alerts-dataplane

New File Executed

Newly created files from sources other than system update programs might be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.

  • instanceId

capsule8-alerts-dataplane

Root Certificate Store Modified

Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.

  • instanceId

capsule8-alerts-dataplane

Setuid/Setgid Bit Set On File

Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls.

  • instanceId

capsule8-alerts-dataplane

Hidden File Created

Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Modification Of Common System Utilities

Attackers might modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process.

  • instanceId

capsule8-alerts-dataplane

Network Service Scanner Executed

An attacker or rogue user might use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.

  • instanceId

capsule8-alerts-dataplane

Network Service Created

Attackers might start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Network Sniffing Program Executed

An attacker or rogue user might execute network sniffing commands to capture credentials, personally-identifiable information (PII), or other sensitive information. Alerts when a program is executed that allows network capture.

  • instanceId

capsule8-alerts-dataplane

Remote File Copy Detected

Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Unusual Outbound Connection Detected

Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Data Archived Via Program

After gaining access to a system, an attacker might create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Process Injection

Use of process injection techniques commonly indicates that a user is debugging a program, but might also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.

  • instanceId

capsule8-alerts-dataplane

Account Enumeration Via Program

Attackers often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

File and Directory Discovery Via Program

Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Network Configuration Enumeration Via Program

Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Process Enumeration Via Program

Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

System Information Enumeration Via Program

Attackers commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

Scheduled Tasks Modified Via Program

Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the crontab, at, or batch commands are used to modify scheduled task configurations.

  • instanceId

capsule8-alerts-dataplane

Systemctl Usage Detected

Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.

  • instanceId

capsule8-alerts-dataplane

User Execution Of su Command

Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the su command is executed.

  • instanceId

capsule8-alerts-dataplane

User Execution Of sudo Command

Alerts when the sudo command is executed.

  • instanceId

capsule8-alerts-dataplane

User Command History Cleared

Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.

  • instanceId

capsule8-alerts-dataplane

New System User Added

An attacker might add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file /etc/passwd, if the entity is not added by a system update program.

  • instanceId

capsule8-alerts-dataplane

Password Database Modification

Attackers might directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.

  • instanceId

capsule8-alerts-dataplane

SSH Authorized Keys Modification

Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user’s SSH authorized_keys file is observed, if the program is already part of an ongoing incident.

  • instanceId

capsule8-alerts-dataplane

User Account Created Via CLI

Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.

  • instanceId

capsule8-alerts-dataplane

User Configuration Changes

Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.

  • instanceId

capsule8-alerts-dataplane

New System User Added

User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when .bash_profile and bashrc (as well as related files) are modified by a program other than a system update tool.

  • instanceId

Antivirus monitoring events

Note

The response JSON object in these audit logs always has a result field that includes one line of the original scan result. Each scan result is represented typically by multiple audit log records, one for each line of the original scan output. For details of what could appear in this file, see the following third-party documentation.

The following clamAVScanService-dataplane event is logged at the workspace level.

Service

Action

Description

Request parameters

clamAVScanService-dataplane

clamAVScanAction

The antivirus monitoring performs a scan. A log will generate for each line of the original scan output.

  • instanceId

Deprecated log events

Databricks has deprecated the following databrickssql audit events:

  • createAlertDestination (now createNotificationDestination)

  • deleteAlertDestination (now deleteNotificationDestination)

  • updateAlertDestination (now updateNotificationDestination)

  • muteAlert

  • unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

  • changeEndpointAcls

  • createEndpoint

  • editEndpoint

  • startEndpoint

  • stopEndpoint

  • deleteEndpoint

  • setEndpointConfig