Diagnostic log reference

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of audit log services and events. The availability of these services depends on how you access the logs:

  • The audit log system table records all events and services listed in this article.
  • Azure Monitor’s diagnostic settings service does not log all of these services. Services that are unavailable on Azure’s diagnostic settings are labeled accordingly.

Note

Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.

Diagnostic log services

The following services and their events are logged by default in diagnostic logs.

Note

The workspace-level and account-level designations only apply to the audit logs system table. Azure diagnostic logs do not include account-level events.

Workspace-level services

Service name Description
accounts Events related to accounts, users, groups, and IP access lists.
aibiGenie Events related to AI/BI Genie spaces.
clusters Events related to clusters.
clusterPolicies Events related to cluster policies.
dashboards Events related to AI/BI dashboard use.
databrickssql Events related to Databricks SQL use.
dataMonitoring Events related to Lakehouse Monitoring.
dbfs Events related to DBFS.
deltaPipelines Events related to Delta Live Tables pipelines.
featureStore Events related to the Databricks Feature Store.
filesystem Events related to file management, which includes interacting with files using the Files API or in the volumes UI.
genie Events related to workspace access by support personnel. Not related to AI/BI Genie spaces.
gitCredentials Events related to Git credentials for Databricks Git folders. See also repos.
globalInitScripts Events related to global init scripts.
groups Events related to account and workspace groups.
iamRole Events related to IAM role permissions.
ingestion Events related to file uploads.
instancePools Events related to pools.
jobs Events related to jobs.
lineageTracking Events related to data lineage.
marketplaceConsumer Events related to consumer actions in Databricks Marketplace.
marketplaceProvider Events related to provider actions in Databricks Marketplace.
mlflowAcledArtifact Events related to MLflow artifacts with ACLs.
mlflowExperiment Events related to MLflow experiments.
modelRegistry Events related to the model registry.
notebook Events related to notebooks.
partnerConnect Events related to Partner Connect.
predictiveOptimization Events related to predictive optimization.
remoteHistoryService Events related to adding and removing GitHub credentials.
repos Events related to Databricks Git folders. See also gitCredentials.
secrets Events related to secrets.
serverlessRealTimeInference Events related to model serving.
sqlPermissions Events related to the legacy Hive metastore table access control.
ssh Events related to SSH access.
vectorSearch Events related to Vector Search.
webTerminal Events related to the web terminal feature.
workspace Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name Description
accountBillableUsage Actions related to billable usage access in the account console.
accountsAccessControl Actions related to account-level access control rules.
accountsManager Actions related to network connectivity configurations.
budgetPolicyCentral Actions related to managing budget policies.
unityCatalog Actions performed in Unity Catalog. This also includes Delta Sharing events; see Delta Sharing events.

Additional security monitoring services

There are additional services and associated actions for workspaces that use the compliance security profile (required for some compliance standards such as FedRAMP, PCI, and HIPAA) or Enhanced security monitoring.

These are workspace-level services that are only generated in your logs if you are using the compliance security profile or enhanced security monitoring:

Service name Description
capsule8-alerts-dataplane Actions related to file integrity monitoring.
clamAVScanService-dataplane Actions related to antivirus monitoring.

Diagnostic log example schema

In Azure Databricks, diagnostic logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following JSON sample is an example of an event logged when a user created a job:

{
    "TenantId": "<your-tenant-id>",
    "SourceSystem": "|Databricks|",
    "TimeGenerated": "2019-05-01T00:18:58Z",
    "ResourceId": "/SUBSCRIPTIONS/SUBSCRIPTION_ID/RESOURCEGROUPS/RESOURCE_GROUP/PROVIDERS/MICROSOFT.DATABRICKS/WORKSPACES/PAID-VNET-ADB-PORTAL",
    "OperationName": "Microsoft.Databricks/jobs/create",
    "OperationVersion": "1.0.0",
    "Category": "jobs",
    "Identity": {
        "email": "mail@contoso.com",
        "subjectName": null
    },
    "SourceIPAddress": "131.0.0.0",
    "LogId": "201b6d83-396a-4f3c-9dee-65c971ddeb2b",
    "ServiceName": "jobs",
    "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
    "SessionId": "webapp-cons-webapp-01exaj6u94682b1an89u7g166c",
    "ActionName": "create",
    "RequestId": "ServiceMain-206b2474f0620002",
    "Response": {
        "statusCode": 200,
        "result": "{\"job_id\":1}"
    },
    "RequestParams": {
        "name": "Untitled",
        "new_cluster": "{\"node_type_id\":\"Standard_DS3_v2\",\"spark_version\":\"5.2.x-scala2.11\",\"num_workers\":8,\"spark_conf\":{\"spark.databricks.delta.preview.enabled\":\"true\"},\"cluster_creator\":\"JOB_LAUNCHER\",\"spark_env_vars\":{\"PYSPARK_PYTHON\":\"/databricks/python3/bin/python3\"},\"enable_elastic_disk\":true}"
    },
    "Type": "DatabricksJobs"
}

Diagnostic log schema considerations

  • If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.
  • Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.
  • The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.
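One way to apply the three considerations above when consuming exported events, as an added example that is not part of the original reference: it folds records that share a RequestId, flags System-User activity, and detects both truncation forms before decoding JSON-encoded strings. The shape of a separately logged request/response pair, the use of Identity.email to carry System-User, and every sample record other than the trimmed job-creation event are assumptions constructed for illustration.

```python
import json

TRUNCATION_SUFFIX = "... truncated"  # appended to truncated values, per the page
TRUNCATED_KEY = "TRUNCATED"          # only key left when the whole map was still too large
SYSTEM_USER = "System-User"          # user recorded for automated actions, per the page


def truncation_state(params):
    """Classify RequestParams as ("none" | "values" | "map", [truncated keys])."""
    params = params or {}
    if set(params) == {TRUNCATED_KEY} and not params[TRUNCATED_KEY]:
        return "map", []
    cut = sorted(k for k, v in params.items()
                 if isinstance(v, str) and v.endswith(TRUNCATION_SUFFIX))
    return ("values", cut) if cut else ("none", [])


def decode_nested(value):
    """Decode JSON carried as a string (new_cluster, Response.result); skip truncated text."""
    if (isinstance(value, str) and value.startswith(("{", "["))
            and not value.endswith(TRUNCATION_SUFFIX)):
        try:
            return json.loads(value)
        except ValueError:
            return value  # not JSON after all: keep the raw string
    return value


def summarize(events):
    """Fold records that share a RequestId into one row per logical action."""
    rows = {}
    for ev in events:
        key = ev.get("RequestId") or ev.get("LogId")
        row = rows.setdefault(key, {
            "request_id": key, "service": ev.get("ServiceName"),
            "action": ev.get("ActionName"), "actor": None, "automated": False,
            "params": {}, "truncation": "none", "truncated_keys": [],
            "status": None, "result": None,
        })
        # Assumption: the acting user is carried in Identity.email.
        actor = (ev.get("Identity") or {}).get("email")
        if actor:
            row["actor"] = actor
            row["automated"] = actor == SYSTEM_USER
        params = ev.get("RequestParams")
        if params:
            row["truncation"], row["truncated_keys"] = truncation_state(params)
            if row["truncation"] != "map":
                row["params"] = {k: decode_nested(v) for k, v in params.items()}
        response = ev.get("Response") or {}
        if response.get("statusCode") is not None:
            row["status"] = response["statusCode"]
            row["result"] = decode_nested(response.get("result"))
    return list(rows.values())


# Sample input. The first record is the page's job-creation event, trimmed;
# all other records are constructed for illustration.
SAMPLE_EVENTS = [
    {"RequestId": "ServiceMain-206b2474f0620002", "ServiceName": "jobs",
     "ActionName": "create",
     "Identity": {"email": "mail@contoso.com", "subjectName": None},
     "RequestParams": {"name": "Untitled",
                       "new_cluster": '{"node_type_id":"Standard_DS3_v2","num_workers":8}'},
     "Response": {"statusCode": 200, "result": '{"job_id":1}'}},
    # Constructed: a long-running automated action logged as two records (assumed shape).
    {"RequestId": "constructed-req-0001", "ServiceName": "clusters", "ActionName": "resize",
     "Identity": {"email": "System-User", "subjectName": None},
     "RequestParams": {"cluster_id": "constructed-cluster-1", "num_workers": "4"}},
    {"RequestId": "constructed-req-0001", "ServiceName": "clusters", "ActionName": "resize",
     "Identity": {"email": "System-User", "subjectName": None},
     "Response": {"statusCode": 200, "result": None}},
    # Constructed: one oversized value was cut and carries the truncation suffix.
    {"RequestId": "constructed-req-0002", "ServiceName": "jobs", "ActionName": "create",
     "Identity": {"email": "mail@contoso.com", "subjectName": None},
     "RequestParams": {"name": "constructed-job",
                       "new_cluster": '{"spark_conf":{"k":"vvvv... truncated'},
     "Response": {"statusCode": 200, "result": '{"job_id":2}'}},
    # Constructed: the map was still too large, so only the TRUNCATED key remains.
    {"RequestId": "constructed-req-0003", "ServiceName": "jobs", "ActionName": "create",
     "Identity": {"email": "mail@contoso.com", "subjectName": None},
     "RequestParams": {"TRUNCATED": ""},
     "Response": {"statusCode": 200, "result": '{"job_id":3}'}},
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["request_id"], row["service"], row["action"], row["actor"],
              "automated" if row["automated"] else "interactive",
              "truncation=" + row["truncation"], row["truncated_keys"])
```

Rows whose truncation is "values" or "map" have incomplete request parameters, so a rule that matches on a parameter value should treat them as unknown rather than as non-matching.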

Account events

The following are accounts events logged at the workspace level.

Service Action Description Request parameters
accounts activateUser A user is reactivated after being deactivated. See Deactivate users in workspace. - targetUserName
- endpoint
- targetUserId
accounts aadBrowserLogin A user logs in to Databricks using a Microsoft Entra ID browser workflow. - user
accounts aadTokenLogin A user logs in to Databricks through the Microsoft Entra ID token. - user
accounts accountInHouseOAuthClientAuthentication An OAuth client is authenticated. - endpoint
accounts activateUser Admin adds a user to the Databricks account from the Azure portal. - warehouse
- targetUserName
- targetUserId
accounts add A user is added to an Azure Databricks workspace. - targetUserName
- endpoint
- targetUserId
accounts addPrincipalToGroup A user is added to a workspace-level group. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts changeDatabricksSqlAcl A user’s Databricks SQL permissions are changed. - shardName
- targetUserId
- resourceId
- aclPermissionSet
accounts changeDatabricksWorkspaceAcl Permissions to a workspace are changed. - shardName
- targetUserId
- resourceId
- aclPermissionSet
accounts changeDbTokenAcl When permissions on a token are changed. - shardName
- targetUserId
- resourceId
- aclPermissionSet
accounts changeServicePrincipalAcls When a service principal’s permissions are changed. - shardName
- targetServicePrincipal
- resourceId
- aclPermissionSet
accounts createGroup A workspace-level group is created. - endpoint
- targetGroupId
- targetGroupName
accounts createIpAccessList An IP access list is added to the workspace. - ipAccessListId
- userId
accounts deactivateUser A user is deactivated in the workspace. See Deactivate users in workspace. - targetUserName
- endpoint
- targetUserId
accounts delete A user is deleted from the Azure Databricks workspace. - targetUserId
- targetUserName
- endpoint
accounts deleteIpAccessList An IP access list is deleted from the workspace. - ipAccessListId
- userId
accounts garbageCollectDbToken A user runs a garbage collect command on expired tokens. - tokenExpirationTime
- tokenClientId
- userId
- tokenCreationTime
- tokenFirstAccessed
accounts generateDbToken When someone generates a token from User Settings or when the service generates the token. - tokenExpirationTime
- tokenCreatedBy
- tokenHash
- userId
accounts IpAccessDenied A user attempts to connect to the service through a denied IP. - path
- userName
accounts ipAccessListQuotaExceeded - userId
accounts jwtLogin User logs into Databricks using a JWT. - user
accounts login User logs into the workspace. - user
accounts logout User logs out of the workspace. - user
accounts oidcTokenAuthorization When an API call is authorized through a generic OIDC/OAuth token. - user
accounts passwordVerifyAuthentication - user
accounts reachMaxQuotaDbToken When the current number of non-expired tokens exceeds the token quota.
accounts removeAdmin A user is revoked of workspace admin permissions. - targetUserName
- endpoint
- targetUserId
accounts removeGroup A group is removed from the workspace. - targetGroupId
- targetGroupName
- endpoint
accounts removePrincipalFromGroup A user is removed from a group. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts revokeDbToken A user’s token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account. - userId
accounts setAdmin A user is granted account admin permissions. - endpoint
- targetUserName
- targetUserId
accounts tokenLogin A user logs into Databricks using a token. - tokenId
- user
accounts updateIpAccessList An IP access list is changed. - ipAccessListId
- userId
accounts updateUser A change is made to a user’s account. - warehouse
- targetUserName
- targetUserId
accounts validateEmail When a user validates their email after account creation. - endpoint
- targetUserName
- targetUserId

AI/BI Genie events

The following are aibiGenie events logged at the workspace level.

| Service | Action | Description | Request parameters |
|---|---|---|---|
| aibiGenie | createSpace | A user creates a new Genie space. The space_id of the new space is logged in the response column. | |
| aibiGenie | getSpace | A user accesses the Genie space. | - space_id |
| aibiGenie | updateSpace | A user updates the settings of a Genie space. Possible settings include the title, description, warehouse, tables, and sample questions. | - space_id<br/>- display_name<br/>- description<br/>- warehouse_id<br/>- table_identifiers |
| aibiGenie | trashSpace | A Genie space is moved to trash. | - space_id |
| aibiGenie | cloneSpace | A user clones a Genie space. | - space_id |
| aibiGenie | createConversation | A user creates a new conversation thread in the Genie space. | - space_id |
| aibiGenie | listConversations | A user opens the list of conversations in the Genie space. | - space_id |
| aibiGenie | getConversation | A user opens a conversation thread in the Genie space. | - conversation_id<br/>- space_id |
| aibiGenie | updateConversation | A user updates a conversation thread’s title. | - conversation_id<br/>- space_id |
| aibiGenie | deleteConversation | A user deletes a conversation thread in the Genie space. | - conversation_id<br/>- space_id |
| aibiGenie | listGenieSpaceMessages | A user with CAN MANAGE permissions accesses the Genie space’s history, which includes messages submitted by all users. | - space_id |
| aibiGenie | listGenieSpaceUserMessages | A user with at least CAN VIEW permissions accesses the Genie space’s history and views their own previously submitted messages. | - space_id |
| aibiGenie | executeFullQueryResult | A user retrieves the full query results (up to ~1GB in size). | - space_id<br/>- conversation_id<br/>- message_id |
| aibiGenie | getMessageQueryResult | Genie retrieves the query results associated with a conversation message. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | updateMessageAttachment | A user updates and reruns a query in a message. | - conversation_id<br/>- space_id<br/>- message_id<br/>- attachment_id |
| aibiGenie | createConversationMessage | A user submits a new message to the Genie space. | - conversation_id<br/>- space_id |
| aibiGenie | getConversationMessage | A user accesses a message in the Genie space. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | deleteConversationMessage | A user deletes an existing message. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | regenerateConversationMessage | A user regenerates a Genie response to an existing message. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | updateConversationMessage | A user updates an attribute of a message in the Genie space. For example, they might request a review or edit the SQL in the response. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | updateConversationMessageFeedback | A user updates feedback to a Genie answer. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | executeMessageQuery | Genie executes generated SQL to return query results, including refresh data actions. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | cancelMessage | A user cancels a message before Genie finishes responding. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | createInstruction | A user creates an instruction for a Genie space. | - space_id<br/>- instruction_type |
| aibiGenie | listInstructions | A user navigates to the Instructions tab or the Data tab. | - space_id |
| aibiGenie | updateInstruction | A user updates an instruction for a Genie space. | - space_id<br/>- instruction_id |
| aibiGenie | deleteInstruction | A user deletes an instruction for a Genie space. | - space_id<br/>- instruction_id |
| aibiGenie | updateSampleQuestions | A user updates the default sample questions for the space. | - space_id |
| aibiGenie | createCuratedQuestion | A user creates a sample question or benchmark question. | - space_id |
| aibiGenie | deleteCuratedQuestion | A user deletes a sample question or benchmark question. | - space_id<br/>- curated_question_id |
| aibiGenie | listCuratedQuestions | A user accesses the list of sample questions or benchmark questions in a space. This is logged whenever users open a new chat, view benchmarks, or add sample questions. | - space_id |
| aibiGenie | updateCuratedQuestion | A user updates a sample question or benchmark question. | - space_id<br/>- curated_question_id |
| aibiGenie | createEvaluationResult | Genie creates an evaluation result for a specific question in an evaluation run. | - space_id<br/>- eval_id |
| aibiGenie | getEvaluationResult | A user accesses the results for a specific question in an evaluation run. | - space_id<br/>- eval_id |
| aibiGenie | getEvaluationResultDetails | A user accesses the query results for a specific question in an evaluation run. | - space_id<br/>- eval_id |
| aibiGenie | updateEvaluationResult | A user updates their evaluation result for a specific question. | - space_id<br/>- eval_id |
| aibiGenie | createEvaluationRun | A user creates a new evaluation run. | - space_id |
| aibiGenie | listEvaluationResults | A user accesses the list of results for an evaluation run. | - space_id<br/>- run_id |
| aibiGenie | listEvaluationRuns | A user accesses the list of all evaluation runs. | - space_id |
| aibiGenie | createConversationMessageComment | A user adds a feedback comment to a conversation message. | - conversation_id<br/>- space_id<br/>- message_id |
| aibiGenie | listConversationMessageComments | A user accesses a list of the feedback comments from a space. | - space_id<br/>- conversation_ids<br/>- message_ids<br/>- user_ids<br/>- comment_types |
| aibiGenie | deleteConversationMessageComment | A user deletes a feedback comment added to a conversation message. | - conversation_id<br/>- space_id<br/>- message_id<br/>- message_comment_id |

Clusters events

The following are cluster events logged at the workspace level.

Service Action Description Request parameters
clusters changeClusterAcl A user changes the cluster ACL. - shardName
- aclPermissionSet
- targetUserId
- resourceId
clusters create A user creates a cluster. - cluster_log_conf
- num_workers
- enable_elastic_disk
- driver_node_type_id
- start_cluster
- docker_image
- ssh_public_keys
- aws_attributes
- acl_path_prefix
- node_type_id
- instance_pool_id
- spark_env_vars
- init_scripts
- spark_version
- cluster_source
- autotermination_minutes
- cluster_name
- autoscale
- custom_tags
- cluster_creator
- enable_local_disk_encryption
- idempotency_token
- spark_conf
- organization_id
- no_driver_daemon
- user_id
- virtual_cluster_size
- apply_policy_default_values
- data_security_mode
clusters createResult Results from cluster creation. In conjunction with create. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters delete A cluster is terminated. - cluster_id
clusters deleteResult Results from cluster termination. In conjunction with delete. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters edit A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior. - cluster_log_conf
- num_workers
- enable_elastic_disk
- driver_node_type_id
- start_cluster
- docker_image
- ssh_public_keys
- aws_attributes
- acl_path_prefix
- node_type_id
- instance_pool_id
- spark_env_vars
- init_scripts
- spark_version
- cluster_source
- autotermination_minutes
- cluster_name
- autoscale
- custom_tags
- cluster_creator
- enable_local_disk_encryption
- idempotency_token
- spark_conf
- organization_id
- no_driver_daemon
- user_id
- virtual_cluster_size
- apply_policy_default_values
- data_security_mode
clusters permanentDelete A cluster is deleted from the UI. - cluster_id
clusters resize Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior. - cluster_id
- num_workers
- autoscale
clusters resizeResult Results from cluster resize. In conjunction with resize. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters restart A user restarts a running cluster. - cluster_id
clusters restartResult Results from cluster restart. In conjunction with restart. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId
clusters start A user starts a cluster. - init_scripts_safe_mode
- cluster_id
clusters startResult Results from cluster start. In conjunction with start. - clusterName
- clusterState
- clusterId
- clusterWorkers
- clusterOwnerUserId

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service Action Description Request parameters
clusterLibraries installLibraries User installs a library on a cluster. - cluster_id
- libraries
clusterLibraries uninstallLibraries User uninstalls a library on a cluster. - cluster_id
- libraries
clusterLibraries installLibraryOnAllClusters A workspace admin schedules a library to install on all clusters. - user
- library
clusterLibraries uninstallLibraryOnAllClusters A workspace admin removes a library from the list to install on all clusters. - user
- library

Cluster policy events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following are clusterPolicies events logged at the workspace level.

Service Action Description Request parameters
clusterPolicies create A user created a cluster policy. - name
clusterPolicies edit A user edited a cluster policy. - policy_id
- name
clusterPolicies delete A user deleted a cluster policy. - policy_id
clusterPolicies changeClusterPolicyAcl A workspace admin changes permissions for a cluster policy. - shardName
- targetUserId
- resourceId
- aclPermissionSet

Dashboards events

The following are dashboards events logged at the workspace level.

Service Action Description Request parameters
dashboards getDashboard A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard. - dashboard_id
dashboards getPublishedDashboard A user accesses the published version of a dashboard by viewing it in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email. - dashboard_id
- credentials_embedded
dashboards executeQuery A user executes a query from a dashboard. - dashboard_id
- statement_id
dashboards cancelQuery A user cancels a query from a dashboard. - dashboard_id
- statement_id
dashboards getQueryResult A user receives the results of a query from a dashboard. - dashboard_id
- statement_id
dashboards sendDashboardSnapshot A PDF snapshot of a dashboard is sent through a scheduled email. The request parameter values depend on the type of recipient. For a Databricks notification destination, only the destination_id is shown. For a Databricks user, the subscriber’s user ID and email address are shown. If the recipient is an email address, only the email address is shown. - dashboard_id
- subscriber_destination_id
- subscriber_user_details: { user_id, email_address }
dashboards getDashboardDetails A user accesses details of a draft dashboard, such as datasets and widgets. getDashboardDetails is always emitted when a user views a draft dashboard using the UI or requests the dashboard definition using the API. - dashboard_id
dashboards createDashboard A user creates a new AI/BI dashboard using the UI or API. - dashboard_id
dashboards updateDashboard A user makes an update to an AI/BI dashboard using the UI or API. - dashboard_id
dashboards cloneDashboard A user clones an AI/BI dashboard. - source_dashboard_id
- new_dashboard_id
dashboards publishDashboard A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API. - dashboard_id
- credentials_embedded
- warehouse_id
dashboards unpublishDashboard A user unpublishes a published AI/BI dashboard using the UI or API. - dashboard_id
dashboards trashDashboard A user moves an AI/BI dashboard to the trash using the UI or API. - dashboard_id
dashboards restoreDashboard A user restores an AI/BI dashboard from the trash. - dashboard_id
dashboards migrateDashboard A user migrates a DBSQL dashboard to an AI/BI dashboard. - source_dashboard_id
- new_dashboard_id
dashboards createSchedule A user creates an email subscription schedule. - dashboard_id
- schedule_id
dashboards updateSchedule A user makes an update to an AI/BI dashboard’s schedule. - dashboard_id
- schedule_id
dashboards deleteSchedule A user deletes an AI/BI dashboard’s schedule. - dashboard_id
- schedule_id
dashboards createSubscription A user subscribes an email destination to an AI/BI dashboard schedule. - dashboard_id
- schedule_id
- schedule
dashboards deleteSubscription A user deletes an email destination from an AI/BI dashboard schedule. - dashboard_id
- schedule_id

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service Action Description Request parameters
databrickssql addDashboardWidget A widget is added to a dashboard. - dashboardId
- widgetId
databrickssql cancelQueryExecution A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API. - queryExecutionId
databrickssql changeWarehouseAcls A warehouse manager updates permissions on a SQL warehouse. - aclPermissionSet
- resourceId
- shardName
- targetUserId
databrickssql changePermissions A user updates permissions on an object. - granteeAndPermission
- objectId
- objectType
databrickssql cloneDashboard A user clones a dashboard. - dashboardId
databrickssql commandSubmit Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request. - warehouseId
- commandId
- validation
- commandText
databrickssql commandFinish Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request. - warehouseId
- commandId
databrickssql createAlert A user creates an alert. - alertId
databrickssql createNotificationDestination A workspace admin creates a notification destination. - notificationDestinationId
- notificationDestinationType
databrickssql createDashboard A user creates a dashboard. - dashboardId
databrickssql createDataPreviewDashboard A user creates a data preview dashboard. - dashboardId
databrickssql createWarehouse A user with the cluster create entitlement creates a SQL warehouse. - auto_resume
- auto_stop_mins
- channel
- cluster_size
- conf_pairs
- custom_cluster_confs
- enable_databricks_compute
- enable_photon
- enable_serverless_compute
- instance_profile_arn
- max_num_clusters
- min_num_clusters
- name
- size
- spot_instance_policy
- tags
- test_overrides
databrickssql createQuery A user creates a new query. - queryId
databrickssql createQueryDraft A user creates a query draft. - queryId
databrickssql createQuerySnippet A user creates a query snippet. - querySnippetId
databrickssql createSampleDashboard A user creates a sample dashboard. - sampleDashboardId
databrickssql createVisualization A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. - queryId
- visualizationId
databrickssql deleteAlert A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI. - alertId
databrickssql deleteNotificationDestination A workspace admin deletes a notification destination. - notificationDestinationId
databrickssql deleteDashboard A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI. - dashboardId
databrickssql deleteDashboardWidget A user deletes a dashboard widget. - widgetId
databrickssql deleteWarehouse A warehouse manager deletes a SQL warehouse. - id
databrickssql deleteQuery A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI. - queryId
databrickssql deleteQueryDraft A user deletes a query draft. - queryId
databrickssql deleteQuerySnippet A user deletes a query snippet. - querySnippetId
databrickssql deleteVisualization A user deletes a visualization from a query in the SQL Editor. - visualizationId
databrickssql downloadQueryResult A user downloads a query result from the SQL Editor. Excludes downloads from dashboards. - fileType
- queryId
- queryResultId
- credentialsEmbedded
- credentialsEmbeddedId
databrickssql editWarehouse A warehouse manager makes edits to a SQL warehouse. - auto_stop_mins
- channel
- cluster_size
- confs
- enable_photon
- enable_serverless_compute
- id
- instance_profile_arn
- max_num_clusters
- min_num_clusters
- name
- spot_instance_policy
- tags
databrickssql executeAdhocQuery Generated by one of the following:

- A user runs a query draft in the SQL editor
- A query is executed from a visualization aggregation
- A user loads a dashboard and executes underlying queries
- dataSourceId
databrickssql executeSavedQuery A user runs a saved query. - queryId
databrickssql executeWidgetQuery Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include:

- Refreshing a single panel
- Refreshing an entire dashboard
- Scheduled dashboard executions
- Parameter or filter changes operating over more than 64,000 rows
- widgetId
databrickssql favoriteDashboard A user favorites a dashboard. - dashboardId
databrickssql favoriteQuery A user favorites a query. - queryId
databrickssql forkQuery A user clones a query. - originalQueryId
- queryId
databrickssql listQueries A user opens the query listing page or calls the list query API. - filter_by
- include_metrics
- max_results
- page_token
databrickssql moveAlertToTrash A user moves an alert to the trash. - alertId
databrickssql moveDashboardToTrash A user moves a dashboard to the trash. - dashboardId
databrickssql moveQueryToTrash A user moves a query to the trash. - queryId
databrickssql restoreAlert A user restores an alert from the trash. - alertId
databrickssql restoreDashboard A user restores a dashboard from the trash. - dashboardId
databrickssql restoreQuery A user restores a query from the trash. - queryId
databrickssql setWarehouseConfig A warehouse manager sets the configuration for a SQL warehouse. - data_access_config
- enable_serverless_compute
- instance_profile_arn
- security_policy
- serverless_agreement
- sql_configuration_parameters
- try_create_databricks_managed_starter_warehouse
databrickssql snapshotDashboard A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots. - dashboardId
databrickssql startWarehouse A SQL warehouse is started. - id
databrickssql stopWarehouse A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses. - id
databrickssql transferObjectOwnership A workspace admin transfers the ownership of a dashboard, query, or alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event. - newOwner
- objectId
- objectType
databrickssql unfavoriteDashboard A user removes a dashboard from their favorites. - dashboardId
databrickssql unfavoriteQuery A user removes a query from their favorites. - queryId
databrickssql updateAlert A user makes updates to an alert. ownerUserName is populated if the alert ownership is transferred using the API. - alertId
- queryId
- ownerUserName
databrickssql updateNotificationDestination A workspace admin makes an update to a notification destination. - notificationDestinationId
databrickssql updateDashboardWidget A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include:

- Change to widget size or placement
- Adding or removing widget parameters
- widgetId
databrickssql updateDashboard A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include:

- Change in dashboard name
- Change to the SQL warehouse
- Change to Run As settings
- dashboardId
databrickssql updateOrganizationSetting A workspace admin makes updates to the workspace’s SQL settings. - has_configured_data_access
- has_explored_sql_warehouses
- has_granted_permissions
databrickssql updateQuery A user makes an update to a query. ownerUserName is populated if the query ownership is transferred using the API. - queryId
- ownerUserName
databrickssql updateQueryDraft A user makes an update to a query draft. - queryId
databrickssql updateQuerySnippet A user makes an update to a query snippet. - querySnippetId
databrickssql updateVisualization A user updates a visualization from either the SQL Editor or the dashboard. - visualizationId

Data monitoring events

The following dataMonitoring events are logged at the workspace level.

Service Action Description Request parameters
dataMonitoring CreateMonitor User creates a monitor. - data_classification_config
- full_table_name_arg
- assets_dir
- schedule
- output_schema_name
- notifications
- inference_log
dataMonitoring UpdateMonitor User makes an update to a monitor. - data_classification_config
- table_name
- full_table_name_arg
- drift_metrics_table_name
- dashboard_id
- custom_metrics
- assets_dir
- monitor_version
- profile_metrics_table_name
- baseline_table_name
- status
- output_schema_name
- inference_log
- slicing_exprs
dataMonitoring DeleteMonitor User deletes a monitor. - full_table_name_arg
dataMonitoring RunRefresh Monitor is refreshed, either by schedule or manually. - full_table_name_arg

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service Action Description Request parameters
dbfs addBlock User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS. - handle
- data_length
dbfs create User opens a stream to write a file to DBFS. - path
- bufferSize
- overwrite
dbfs delete User deletes the file or directory from DBFS. - recursive
- path
dbfs mkdirs User creates a new DBFS directory. - path
dbfs move User moves a file from one location to another location within DBFS. - dst
- source_path
- src
- destination_path
dbfs put User uploads a file to DBFS using a multipart form post. - path
- overwrite

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service Action Description Request parameters
dbfs mount User creates a mount point at a certain DBFS location. - mountPoint
- owner
dbfs unmount User removes a mount point at a certain DBFS location. - mountPoint

Delta pipelines events

Service Action Description Request parameters
deltaPipelines changePipelineAcls A user changes permissions on a pipeline. - shardId
- targetUserId
- resourceId
- aclPermissionSet
deltaPipelines create A user creates a Delta Live Tables pipeline. - allow_duplicate_names
- clusters
- configuration
- continuous
- development
- dry_run
- id
- libraries
- name
- storage
- target
- channel
- edition
- photon
deltaPipelines delete A user deletes a Delta Live Tables pipeline. - pipeline_id
deltaPipelines edit A user edits a Delta Live Tables pipeline. - allow_duplicate_names
- clusters
- configuration
- continuous
- development
- expected_last_modified
- id
- libraries
- name
- pipeline_id
- storage
- target
- channel
- edition
- photon
deltaPipelines startUpdate A user restarts a Delta Live Tables pipeline. - cause
- full_refresh
- job_task
- pipeline_id
deltaPipelines stop A user stops a Delta Live Tables pipeline. - pipeline_id

Feature store events

The following featureStore events are logged at the workspace level.

Service Action Description Request parameters
featureStore addConsumer A consumer is added to the feature store. - features
- job_run
- notebook
featureStore addDataSources A data source is added to a feature table. - feature_table
- paths
- tables
featureStore addProducer A producer is added to a feature table. - feature_table
- job_run
- notebook
featureStore changeFeatureTableAcl Permissions are changed in a feature table. - aclPermissionSet
- resourceId
- shardName
- targetUserId
featureStore createFeatureTable A feature table is created. - description
- name
- partition_keys
- primary_keys
- timestamp_keys
featureStore createFeatures Features are created in a feature table. - feature_table
- features
featureStore deleteFeatureTable A feature table is deleted. - name
featureStore deleteTags Tags are deleted from a feature table. - feature_table_id
- keys
featureStore getConsumers A user makes a call to get the consumers in a feature table. - feature_table
featureStore getFeatureTable A user makes a call to get feature tables. - name
featureStore getFeatureTablesById A user makes a call to get feature table IDs. - ids
featureStore getFeatures A user makes a call to get features. - feature_table
- max_results
featureStore getModelServingMetadata A user makes a call to get Model Serving metadata. - feature_table_features
featureStore getOnlineStore A user makes a call to get online store details. - cloud
- feature_table
- online_table
- store_type
featureStore getTags A user makes a call to get tags for a feature table. - feature_table_id
featureStore publishFeatureTable A feature table is published. - cloud
- feature_table
- host
- online_table
- port
- read_secret_prefix
- store_type
- write_secret_prefix
featureStore searchFeatureTables A user searches for feature tables. - max_results
- page_token
- text
featureStore setTags Tags are added to a feature table. - feature_table_id
- tags
featureStore updateFeatureTable A feature table is updated. - description
- name

Files events

The following filesystem events are logged at the workspace level.

Service Action Description Request parameters
filesystem filesGet User downloads a file using the Files API or the volumes UI. - path
- transferredSize
filesystem filesPut User uploads a file using the Files API or the volumes UI. - path
- receivedSize
filesystem filesDelete User deletes a file using the Files API or the volumes UI. - path
filesystem filesHead User gets information about a file using the Files API or the volumes UI. - path

Genie events

The following genie events are logged at the workspace level.

Note

This service is unrelated to AI/BI Genie spaces. See AI/BI Genie events.

Service Action Description Request parameters
genie databricksAccess Databricks personnel are authorized to access a customer environment. - duration
- approver
- reason
- authType
- user

Git credential events

The following gitCredentials events are logged at the workspace level.

Service Action Description Request parameters
gitCredentials getGitCredential A user gets a Git credential. - id
gitCredentials listGitCredentials A user lists all Git credentials. none
gitCredentials deleteGitCredential A user deletes a git credential. - id
gitCredentials updateGitCredential A user updates a git credential. - id
- git_provider
- git_username
gitCredentials createGitCredential A user creates a git credential. - git_provider
- git_username

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service Action Description Request parameters
globalInitScripts create A workspace admin creates a global initialization script. - name
- position
- script-SHA256
- enabled
globalInitScripts update A workspace admin updates a global initialization script. - script_id
- name
- position
- script-SHA256
- enabled
globalInitScripts delete A workspace admin deletes a global initialization script. - script_id

Groups events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following groups events are logged at the workspace level. These actions are related to legacy ACL groups. For actions related to account- and workspace-level groups, see Account events and Account-level account events.

Service Action Description Request parameters
groups addPrincipalToGroup An admin adds a user to a group. - user_name
- parent_name
groups createGroup An admin creates a group. - group_name
groups getGroupMembers An admin views group members. - group_name
groups getGroups An admin views a list of groups. none
groups getInheritedGroups An admin views inherited groups. none
groups removeGroup An admin removes a group. - group_name

IAM role events

The following iamRole event is logged at the workspace level.

Service Action Description Request parameters
iamRole changeIamRoleAcl A workspace admin changes permissions for an IAM role. - targetUserId
- shardName
- resourceId
- aclPermissionSet

Ingestion events

The following ingestion event is logged at the workspace level.

Service Action Description Request parameters
ingestion proxyFileUpload A user uploads a file to their Azure Databricks workspace. - x-databricks-content-length-0
- x-databricks-total-files

Instance pool events

The following instancePools events are logged at the workspace level.

Service Action Description Request parameters
instancePools changeInstancePoolAcl A user changes an instance pool’s permissions. - shardName
- resourceId
- targetUserId
- aclPermissionSet
instancePools create A user creates an instance pool. - enable_elastic_disk
- preloaded_spark_versions
- idle_instance_autotermination_minutes
- instance_pool_name
- node_type_id
- custom_tags
- max_capacity
- min_idle_instances
- aws_attributes
instancePools delete A user deletes an instance pool. - instance_pool_id
instancePools edit A user edits an instance pool. - instance_pool_name
- idle_instance_autotermination_minutes
- min_idle_instances
- preloaded_spark_versions
- max_capacity
- enable_elastic_disk
- node_type_id
- instance_pool_id
- aws_attributes

Job events

The following jobs events are logged at the workspace level.

Service Action Description Request parameters
jobs cancel A job run is cancelled. - run_id
jobs cancelAllRuns A user cancels all runs on a job. - job_id
jobs changeJobAcl A user updates permissions on a job. - shardName
- aclPermissionSet
- resourceId
- targetUserId
jobs create A user creates a job. - spark_jar_task
- email_notifications
- notebook_task
- spark_submit_task
- timeout_seconds
- libraries
- name
- spark_python_task
- job_type
- new_cluster
- existing_cluster_id
- max_retries
- schedule
- run_as
jobs delete A user deletes a job. - job_id
jobs deleteRun A user deletes a job run. - run_id
jobs getRunOutput A user makes an API call to get a run output. - run_id
- is_from_webapp
jobs repairRun A user repairs a job run. - run_id
- latest_repair_id
- rerun_tasks
jobs reset A job is reset. - job_id
- new_settings
jobs resetJobAcl A user requests the change of a job’s permissions. - grants
- job_id
jobs runCommand Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook. - jobId
- runId
- notebookId
- executionTime
- status
- commandId
- commandText
jobs runFailed A job run fails. - jobClusterType
- jobTriggerType
- jobId
- jobTaskType
- runId
- jobTerminalState
- idInJob
- orgId
- runCreatorUserName
jobs runNow A user triggers an on-demand job run. - notebook_params
- job_id
- jar_params
- workflow_context
jobs runStart Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include:

- dashboardId (for a SQL dashboard task)
- filePath (for a SQL file task)
- notebookPath (for a notebook task)
- mainClassName (for a Spark JAR task)
- pythonFile (for a Spark JAR task)
- projectDirectory (for a dbt task)
- commands (for a dbt task)
- packageName (for a Python wheel task)
- entryPoint (for a Python wheel task)
- pipelineId (for a pipeline task)
- queryIds (for a SQL query task)
- alertId (for a SQL alert task)
- taskDependencies
- multitaskParentRunId
- orgId
- idInJob
- jobId
- jobTerminalState
- taskKey
- jobTriggerType
- jobTaskType
- runId
- runCreatorUserName
jobs runSucceeded A job run is successful. - idInJob
- jobId
- jobTriggerType
- orgId
- runId
- jobClusterType
- jobTaskType
- jobTerminalState
- runCreatorUserName
jobs runTriggered A job schedule is triggered automatically according to its schedule or trigger. - jobId
- jobTriggeredType
- runId
jobs sendRunWebhook A webhook is sent when the job begins, completes, or fails. - orgId
- jobId
- jobWebhookId
- jobWebhookEvent
- runId
jobs setTaskValue A user sets values for a task. - run_id
- key
jobs submitRun A user submits a one-time run via the API. - shell_command_task
- run_name
- spark_python_task
- existing_cluster_id
- notebook_task
- timeout_seconds
- libraries
- new_cluster
- spark_jar_task
jobs update A user edits a job’s settings. - job_id
- fields_to_remove
- new_settings
- is_from_dlt

Lineage tracking events

The following lineageTracking events are logged at the workspace level.

Service Action Description Request parameters
lineageTracking listColumnLineages A user accesses the list of the upstream or downstream columns of a column. - table_name
- column_name
- lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
lineageTracking listSecurableLineagesBySecurable A user accesses the list of the upstream or downstream securables of a securable. - securable_full_name
- securable_type
- lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
lineageTracking listEntityLineagesBySecurable A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable. - securable_full_name
- securable_type
- lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
- entity_response_filter: The entity type (notebook, job, dashboard, pipeline, query, serving endpoint, etc.).
lineageTracking getColumnLineages A user gets the column lineages for a table and its column. - table_name
- column_name
lineageTracking getTableEntityLineages A user gets the upstream and downstream lineages of a table. - table_name
- include_entity_lineage
lineageTracking getJobTableLineages A user gets the upstream and downstream table lineages of a job. - job_id
lineageTracking getFunctionLineages A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function. - function_name
lineageTracking getModelVersionLineages A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version. - model_name
- version
lineageTracking getEntityTableLineages A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.). - entity_type
- entity_id
lineageTracking getFrequentlyJoinedTables A user gets the frequently joined tables for a table. - table_name
lineageTracking getFrequentQueryByTable A user gets the frequent queries for a table. - source_table_name
lineageTracking getFrequentUserByTable A user gets the frequent users for a table. - table_name
lineageTracking getTablePopularityByDate A user gets the popularity (query count) for a table for the past month. - table_name
lineageTracking getPopularEntities A user gets the popular entities (notebooks, jobs, etc.) for a table. - scope: Specifies the scope for retrieving popular entities, either from the workspace or table name.
- table_name
lineageTracking getPopularTables A user gets the table popularity info for a list of tables. - scope: Specifies the scope for retrieving popular tables, either from the metastore or the table list.
- table_name_list

Marketplace consumer events

The following marketplaceConsumer events are logged at the workspace level.

Service Action Description Request parameters
marketplaceConsumer getDataProduct A user gets access to a data product through the Databricks Marketplace. - listing_id
- listing_name
- share_name
- catalog_name
- request_context: Array of information about the account and metastore that got access to the data product
marketplaceConsumer requestDataProduct A user requests access to a data product that requires provider approval. - listing_id
- listing_name
- catalog_name
- request_context: Array of information about the account and metastore requesting access to the data product

Marketplace provider events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following marketplaceProvider events are logged at the workspace level.

Service Action Description Request parameters
marketplaceProvider createListing A metastore admin creates a listing in their provider profile. - listing: Array of details about the listing
- request_context: Array of information about the provider’s account and metastore
marketplaceProvider updateListing A metastore admin makes an update to a listing in their provider profile. - id
- listing: Array of details about the listing
- request_context: Array of information about the provider’s account and metastore
marketplaceProvider deleteListing A metastore admin deletes a listing in their provider profile. - id
- request_context: Array of details about the provider’s account and metastore
marketplaceProvider updateConsumerRequestStatus A metastore admin approves or denies a data product request. - listing_id
- request_id
- status
- reason
- share: Array of information about the share
- request_context: Array of information about the provider’s account and metastore
marketplaceProvider createProviderProfile A metastore admin creates a provider profile. - provider: Array of information about the provider
- request_context: Array of information about the provider’s account and metastore
marketplaceProvider updateProviderProfile A metastore admin makes an update to their provider profile. - id
- provider: Array of information about the provider
- request_context: Array of information about the provider’s account and metastore
marketplaceProvider deleteProviderProfile A metastore admin deletes their provider profile. - id
- request_context: Array of information about the provider’s account and metastore
marketplaceProvider uploadFile A provider uploads a file to their provider profile. - request_context: Array of information about the provider’s account and metastore
- marketplace_file_type
- display_name
- mime_type
- file_parent: Array of file parent details
marketplaceProvider deleteFile A provider deletes a file from their provider profile. - file_id
- request_context: Array of information about the provider’s account and metastore

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service Action Description Request parameters
mlflowAcledArtifact readArtifact A user makes a call to read an artifact. - artifactLocation
- experimentId
- runId
mlflowAcledArtifact writeArtifact A user makes a call to write to an artifact. - artifactLocation
- experimentId
- runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service Action Description Request parameters
mlflowExperiment createMlflowExperiment A user creates an MLflow experiment. - experimentId
- path
- experimentName
mlflowExperiment deleteMlflowExperiment A user deletes an MLflow experiment. - experimentId
- path
- experimentName
mlflowExperiment moveMlflowExperiment A user moves an MLflow experiment. - newPath
- experimentId
- oldPath
mlflowExperiment restoreMlflowExperiment A user restores an MLflow experiment. - experimentId
- path
- experimentName
mlflowExperiment renameMlflowExperiment A user renames an MLflow experiment. - oldName
- newName
- experimentId
- parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service Action Description Request parameters
modelRegistry approveTransitionRequest A user approves a model version stage transition request. - name
- version
- stage
- archive_existing_versions
modelRegistry changeRegisteredModelAcl A user updates permissions for a registered model. - registeredModelId
- userId
modelRegistry createComment A user posts a comment on a model version. - name
- version
modelRegistry createModelVersion A user creates a model version. - name
- source
- run_id
- tags
- run_link
modelRegistry createRegisteredModel A user creates a new registered model. - name
- tags
modelRegistry createRegistryWebhook User creates a webhook for Model Registry events. - orgId
- registeredModelId
- events
- description
- status
- creatorId
- httpUrlSpec
modelRegistry createTransitionRequest A user creates a model version stage transition request. - name
- version
- stage
modelRegistry deleteComment A user deletes a comment on a model version. - id
modelRegistry deleteModelVersion A user deletes a model version. - name
- version
modelRegistry deleteModelVersionTag A user deletes a model version tag. - name
- version
- key
modelRegistry deleteRegisteredModel A user deletes a registered model. - name
modelRegistry deleteRegisteredModelTag A user deletes the tag for a registered model. - name
- key
modelRegistry deleteRegistryWebhook User deletes a Model Registry webhook. - orgId
- webhookId
modelRegistry deleteTransitionRequest A user cancels a model version stage transition request. - name
- version
- stage
- creator
modelRegistry finishCreateModelVersionAsync Completed asynchronous model copying. - name
- version
modelRegistry generateBatchInferenceNotebook Batch inference notebook is autogenerated. - userId
- orgId
- modelName
- inputTableOpt
- outputTablePathOpt
- stageOrVersion
- modelVersionEntityOpt
- notebookPath
modelRegistry generateDltInferenceNotebook Inference notebook for a Delta Live Tables pipeline is autogenerated. - userId
- orgId
- modelName
- inputTable
- outputTable
- stageOrVersion
- notebookPath
modelRegistry getModelVersionDownloadUri A user gets a URI to download the model version. - name
- version
modelRegistry getModelVersionSignedDownloadUri A user gets a URI to download a signed model version. - name
- version
- path
modelRegistry listModelArtifacts A user makes a call to list a model’s artifacts. - name
- version
- path
- page_token
modelRegistry listRegistryWebhooks A user makes a call to list all registry webhooks in the model. - orgId
- registeredModelId
modelRegistry rejectTransitionRequest A user rejects a model version stage transition request. - name
- version
- stage
modelRegistry renameRegisteredModel A user renames a registered model. - name
- new_name
modelRegistry setEmailSubscriptionStatus A user updates the email subscription status for a registered model.
modelRegistry setModelVersionTag A user sets a model version tag. - name
- version
- key
- value
modelRegistry setRegisteredModelTag A user sets a model version tag. - name
- key
- value
modelRegistry setUserLevelEmailSubscriptionStatus A user updates their email notifications status for the whole registry. - orgId
- userId
- subscriptionStatus
modelRegistry testRegistryWebhook A user tests the Model Registry webhook. - orgId
- webhookId
modelRegistry transitionModelVersionStage A user gets a list of all open stage transition requests for the model version. - name
- version
- stage
- archive_existing_versions
modelRegistry triggerRegistryWebhook A Model Registry webhook is triggered by an event. - orgId
- registeredModelId
- events
- status
modelRegistry updateComment A user posts an edit to a comment on a model version. - id
modelRegistry updateRegistryWebhook A user updates a Model Registry webhook. - orgId
- webhookId

Model serving events

The following serverlessRealTimeInference events are logged at the workspace level.

Service Action Description Request parameters
serverlessRealTimeInference changeInferenceEndpointAcl User updates permissions for an inference endpoint. - shardName
- targetUserId
- resourceId
- aclPermissionSet
serverlessRealTimeInference createServingEndpoint User creates a model serving endpoint. - name
- config
serverlessRealTimeInference deleteServingEndpoint User deletes a model serving endpoint. - name
serverlessRealTimeInference disable User disables model serving for a registered model. - registered_mode_name
serverlessRealTimeInference enable User enables model serving for a registered model. - registered_mode_name
serverlessRealTimeInference getQuerySchemaPreview User makes a call to get the query schema preview. - endpoint_name
serverlessRealTimeInference updateServingEndpoint User updates a model serving endpoint. - name
- served_models
- traffic_config
serverlessRealTimeInference updateInferenceEndpointRateLimits User updates the rate limits for an inference endpoint. Rate limits only apply to Foundation Model APIs pay-per-token and external model endpoints. - name
- rate_limits

Notebook events

The following notebook events are logged at the workspace level.

Service Action Description Request parameters
notebook attachNotebook A notebook is attached to a cluster. - path
- clusterId
- notebookId
notebook cloneNotebook A user clones a notebook. - notebookId
- path
- clonedNotebookId
- destinationPath
notebook createNotebook A notebook is created. - notebookId
- path
notebook deleteFolder A notebook folder is deleted. - path
notebook deleteNotebook A notebook is deleted. - notebookId
- notebookName
- path
notebook detachNotebook A notebook is detached from a cluster. - notebookId
- clusterId
- path
notebook downloadLargeResults A user downloads query results too large to display in the notebook. - notebookId
- notebookFullPath
notebook downloadPreviewResults A user downloads the query results. - notebookId
- notebookFullPath
notebook importNotebook A user imports a notebook. - path
notebook moveFolder A notebook folder is moved from one location to another. - oldPath
- newPath
- folderId
notebook moveNotebook A notebook is moved from one location to another. - newPath
- oldPath
- notebookId
notebook renameNotebook A notebook is renamed. - newName
- oldName
- parentPath
- notebookId
notebook restoreFolder A deleted folder is restored. - path
notebook restoreNotebook A deleted notebook is restored. - path
- notebookId
- notebookName
notebook runCommand Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook.

executionTime is measured in seconds.
- notebookId
- executionTime
- status
- commandId
- commandText
- commandLanguage
notebook takeNotebookSnapshot Notebook snapshots are taken when either the job service or MLflow is run. - path

Partner Connect events

The following partnerHub events are logged at the workspace level.

Service Action Description Request parameters
partnerHub createOrReusePartnerConnection A workspace admin sets up a connection to a partner solution. - partner_name
partnerHub deletePartnerConnection A workspace admin deletes a partner connection. - partner_name
partnerHub downloadPartnerConnectionFile A workspace admin downloads the partner connection file. - partner_name
partnerHub setupResourcesForPartnerConnection A workspace admin sets up resources for a partner connection. - partner_name

Predictive optimization events

The following predictiveOptimization events are logged at the workspace level.

Service Action Description Request parameters
predictiveOptimization PutMetrics Recorded when predictive optimization updates table and workload metrics so the service can more intelligently schedule optimization operations. - table_metrics_list
- start_time
- end_time
predictiveOptimization UpdatePredictiveOptimization An account admin enables or disables predictive optimization for a metastore. - metastore_id
- enable

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service Action Description Request parameters
remoteHistoryService addUserGitHubCredentials User adds GitHub credentials. none
remoteHistoryService deleteUserGitHubCredentials User removes GitHub credentials. none
remoteHistoryService updateUserGitHubCredentials User updates GitHub credentials. none

Git folder events

The following repos events are logged at the workspace level.

Service Action name Description Request parameters
repos checkoutBranch A user checks out a branch on the repo. - id
- branch
repos commitAndPush A user commits and pushes to a repo. - id
- message
- files
- checkSensitiveToken
repos createRepo A user creates a repo in the workspace. - url
- provider
- path
repos deleteRepo A user deletes a repo. - id
repos discard A user discards a commit to a repo. - id
- file_paths
repos getRepo A user makes a call to get information about a single repo. - id
repos listRepos A user makes a call to get all repos they have Manage permissions on. - path_prefix
- next_page_token
repos pull A user pulls the latest commits from a repo. - id
repos updateRepo A user updates the repo to a different branch or tag, or to the latest commit on the same branch. - id
- branch
- tag
- git_url
- git_provider

Secrets events

The following secrets events are logged at the workspace level.

Service Action name Description Request parameters
secrets createScope User creates a secret scope. - scope
- initial_manage_principal
- scope_backend_type
secrets deleteAcl User deletes ACLs for a secret scope. - scope
- principal
secrets deleteScope User deletes a secret scope. - scope
secrets deleteSecret User deletes a secret from a scope. - key
- scope
secrets getAcl User gets ACLs for a secret scope. - scope
- principal
secrets getSecret User gets a secret from a scope. - key
- scope
secrets listAcls User makes a call to list ACLs for a secret scope. - scope
secrets listScopes User makes a call to list secret scopes. none
secrets listSecrets User makes a call to list secrets within a scope. - scope
secrets putAcl User changes ACLs for a secret scope. - scope
- principal
- permission
secrets putSecret User adds or edits a secret within a scope. - string_value
- key
- scope

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service Action name Description Request parameters
sqlPermissions changeSecurableOwner Workspace admin or owner of an object transfers object ownership. - securable
- principal
sqlPermissions createSecurable User creates a securable object. - securable
sqlPermissions denyPermission Object owner denies privileges on a securable object. - permission
sqlPermissions grantPermission Object owner grants permission on a securable object. - permission
sqlPermissions removeAllPermissions User drops a securable object. - securable
sqlPermissions renameSecurable User renames a securable object. - before
- after
sqlPermissions requestPermissions User requests permissions on a securable object. - requests
sqlPermissions revokePermission Object owner revokes permissions on their securable object. - permission
sqlPermissions showPermissions User views securable object permissions. - securable
- principal

SSH events

The following ssh events are logged at the workspace level.

Service Action name Description Request parameters
ssh login Agent login of SSH into Spark driver. - containerId
- userName
- port
- publicKey
- instanceId
ssh logout Agent logout of SSH from Spark driver. - userName
- containerId
- instanceId

Vector search events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following vectorSearch events are logged at the workspace level.

Service Action Description Request parameters
vectorSearch createEndpoint User creates a vector search endpoint. - name
- endpoint_type
vectorSearch deleteEndpoint User deletes a vector search endpoint. - name
vectorSearch createVectorIndex User creates a vector search index. - name
- endpoint_name
- primary_key
- index_type
- delta_sync_index_spec
- direct_access_index_spec
vectorSearch deleteVectorIndex User deletes a vector search index. - name
- endpoint_name
- delete_embedding_writeback_table

Web terminal events

The following webTerminal events are logged at the workspace level.

Service Action name Description Request parameters
webTerminal startSession User starts a web terminal session. - socketGUID
- clusterId
- serverPort
- ProxyTargetURI
webTerminal closeSession User closes a web terminal session. - socketGUID
- clusterId
- serverPort
- ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level.

Service Action name Description Request parameters
workspace changeWorkspaceAcl Permissions to the workspace are changed. - shardName
- targetUserId
- aclPermissionSet
- resourceId
workspace deleteSetting A setting is deleted from the workspace. - settingKeyTypeName
- settingKeyName
- settingTypeName
- settingName
workspace fileCreate User creates a file in the workspace. - path
workspace fileDelete User deletes a file in the workspace. - path
workspace fileEditorOpenEvent User opens the file editor. - notebookId
- path
workspace getRoleAssignment User gets a workspace’s user roles. - account_id
- workspace_id
workspace mintOAuthAuthorizationCode Recorded when an in-house OAuth authorization code is minted at the workspace level. - client_id
workspace mintOAuthToken OAuth token is minted for workspace. - grant_type
- scope
- expires_in
- client_id
workspace moveWorkspaceNode A workspace admin moves a workspace node. - destinationPath
- path
workspace purgeWorkspaceNodes A workspace admin purges workspace nodes. - treestoreId
workspace reattachHomeFolder An existing home folder is re-attached for a user that is re-added to the workspace. - path
workspace renameWorkspaceNode A workspace admin renames workspace nodes. - path
- destinationPath
workspace unmarkHomeFolder Home folder special attributes are removed when a user is removed from the workspace. - path
workspace updateRoleAssignment A workspace admin updates a workspace user’s role. - account_id
- workspace_id
- principal_id
workspace updatePermissionAssignment A workspace admin adds a principal to the workspace. - principal_id
- permissions
workspace setSetting A workspace admin configures a workspace setting. - settingKeyTypeName
- settingKeyName
- settingTypeName
- settingName
- settingValueForAudit
workspace workspaceConfEdit Workspace admin makes updates to a setting, for example enabling verbose audit logs. - workspaceConfKeys
- workspaceConfValues
workspace workspaceExport User exports a notebook from a workspace. - workspaceExportDirectDownload
- workspaceExportFormat
- notebookFullPath
workspace workspaceInHouseOAuthClientAuthentication OAuth client is authenticated in workspace service. - user

Billable usage events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accountBillableUsage events are logged at the account level.

Service Action Description Request parameters
accountBillableUsage getAggregatedUsage User accessed aggregated billable usage (usage per day) for the account via the Usage Graph feature. - account_id
- window_size
- start_time
- end_time
- meter_name
- workspace_ids_filter
accountBillableUsage getDetailedUsage User accessed detailed billable usage (usage for each cluster) for the account via the Usage Download feature. - account_id
- start_month
- end_month
- with_pii

Account-level account events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accounts events are logged at the account level.

Service Action Description Request parameters
accounts accountInHouseOAuthClientAuthentication An OAuth client is authenticated. - endpoint
accounts accountIpAclsValidationFailed IP permissions validation fails. Returns statusCode 403. - sourceIpAddress
- user: logged as an email address
accounts activateUser A user is reactivated after being deactivated. See Deactivate users in account. - targetUserName
- endpoint
- targetUserId
accounts add A user is added to the Azure Databricks account. - targetUserName
- endpoint
- targetUserId
accounts addPrincipalToGroup A user is added to an account-level group. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts addPrincipalsToGroup Users are added to an account-level group using SCIM provisioning. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts createGroup An account-level group is created. - endpoint
- targetGroupId
- targetGroupName
accounts deactivateUser A user is deactivated. See Deactivate users in account. - targetUserName
- endpoint
- targetUserId
accounts delete A user is deleted from the Azure Databricks account. - targetUserId
- targetUserName
- endpoint
accounts deleteSetting Account admin removes a setting from the Azure Databricks account. - settingKeyTypeName
- settingKeyName
- settingTypeName
- settingName
- settingValueForAudit
accounts garbageCollectDbToken A user runs a garbage collect command on expired tokens. - tokenExpirationTime
- tokenClientId
- userId
- tokenCreationTime
- tokenFirstAccessed
accounts generateDbToken User generates a token from User Settings or when the service generates the token. - tokenExpirationTime
- tokenCreatedBy
- tokenHash
- userId
accounts login A user logs into the account console. - user
accounts logout A user logs out of the account console. - user
accounts oidcBrowserLogin A user logs into their account with the OpenID Connect browser workflow. - user
accounts oidcTokenAuthorization An OIDC token is authenticated for an account admin login. - user
accounts removeAccountAdmin An account admin removes account admin permissions from another user. - targetUserName
- endpoint
- targetUserId
accounts removeGroup A group is removed from the account. - targetGroupId
- targetGroupName
- endpoint
accounts removePrincipalFromGroup A user is removed from an account-level group. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts removePrincipalsFromGroup Users are removed from an account-level group using SCIM provisioning. - targetGroupId
- endpoint
- targetUserId
- targetGroupName
- targetUserName
accounts setAccountAdmin An account admin assigns the account admin role to another user. - targetUserName
- endpoint
- targetUserId
accounts setSetting An account admin updates an account-level setting. - settingKeyTypeName
- settingKeyName
- settingTypeName
- settingName
- settingValueForAudit
accounts tokenLogin A user logs into Databricks using a token. - tokenId
- user
accounts updateUser An account admin updates a user account. - targetUserName
- endpoint
- targetUserId
accounts updateGroup An account admin updates an account-level group. - endpoint
- targetGroupId
- targetGroupName
accounts validateEmail When a user validates their email after account creation. - endpoint
- targetUserName
- targetUserId

Account-level access control events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accountsAccessControl event is logged at the account level.

Service Action Description Request parameters
accountsAccessControl updateRuleSet When a rule set is changed. - account_id
- name
- rule_set

Account management events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following accountsManager events are logged at the account level. These events have to do with configurations made by account admins in the account console.

Service Action Description Request parameters
accountsManager createNetworkConnectivityConfig Account admin created a network connectivity configuration. - network_connectivity_config
accountsManager getNetworkConnectivityConfig Account admin requests details about a network connectivity configuration. - account_id
- network_connectivity_config_id
accountsManager listNetworkConnectivityConfigs Account admin lists all network connectivity configurations in the account. - account_id
accountsManager deleteNetworkConnectivityConfig Account admin deleted a network connectivity configuration. - account_id
- network_connectivity_config_id
accountsManager createNetworkConnectivityConfigPrivateEndpointRule Account admin created a private endpoint rule. - account_id
- network_connectivity_config_id
- azure_private_endpoint_rule
accountsManager getNetworkConnectivityConfigPrivateEndpointRule Account admin requests details about a private endpoint rule. - account_id
- network_connectivity_config_id
- rule_id
accountsManager listNetworkConnectivityConfigPrivateEndpointRules Account admin lists all private endpoint rules under a network connectivity config. - account_id
- network_connectivity_config_id
accountsManager deleteNetworkConnectivityConfigPrivateEndpointRule Account admin deleted a private endpoint rule. - account_id
- network_connectivity_config_id
- rule_id
accountsManager updateNetworkConnectivityConfigPrivateEndpointRule Account admin updated a private endpoint rule. - account_id
- network_connectivity_config_id
- rule_id
- azure_private_endpoint_rule

Budget policy events

The following budgetPolicyCentral events are logged at the account level and are related to budget policies. See Attribute serverless usage with budget policies.

Service Action Description Request parameters
budgetPolicyCentral createBudgetPolicy Workspace admin or billing admin creates a budget policy. The new policy_id is logged in the response column. - policy_name
budgetPolicyCentral updateBudgetPolicy Workspace admin, billing admin, or policy manager updates a budget policy. - policy.policy_id
- policy.policy_name
budgetPolicyCentral updateBudgetPolicy Workspace admin, billing admin, or policy manager deletes a budget policy. - policy_id

Unity Catalog events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

The following diagnostic events are related to Unity Catalog. Delta Sharing events are also logged under the unityCatalog service. For Delta Sharing events, see Delta Sharing events. Unity Catalog audit events can be logged at the workspace level or account level depending on the event.

Service Action Description Request parameters
unityCatalog createMetastore Account admin creates a metastore. - name
- storage_root
- workspace_id
- metastore_id
unityCatalog getMetastore Account admin requests metastore ID. - id
- workspace_id
- metastore_id
unityCatalog getMetastoreSummary Account admin requests details about a metastore. - workspace_id
- metastore_id
unityCatalog listMetastores Account admin requests a list of all metastores in an account. - workspace_id
unityCatalog updateMetastore Account admin makes an update to a metastore. - id
- owner
- workspace_id
- metastore_id
unityCatalog deleteMetastore Account admin deletes a metastore. - id
- force
- workspace_id
- metastore_id
unityCatalog updateMetastoreAssignment Account admin makes an update to a metastore’s workspace assignment. - workspace_id
- metastore_id
- default_catalog_name
unityCatalog createExternalLocation Account admin creates an external location. - name
- skip_validation
- url
- credential_name
- workspace_id
- metastore_id
unityCatalog getExternalLocation Account admin requests details about an external location. - name_arg
- include_browse
- workspace_id
- metastore_id
unityCatalog listExternalLocations Account admin requests a list of all external locations in an account. - url
- max_results
- workspace_id
- metastore_id
unityCatalog updateExternalLocation Account admin makes an update to an external location. - name_arg
- owner
- workspace_id
- metastore_id
unityCatalog deleteExternalLocation Account admin deletes an external location. - name_arg
- force
- workspace_id
- metastore_id
unityCatalog createCatalog User creates a catalog. - name
- comment
- workspace_id
- metastore_id
unityCatalog deleteCatalog User deletes a catalog. - name_arg
- workspace_id
- metastore_id
unityCatalog getCatalog User requests details about a catalog. - name_arg
- dependent
- workspace_id
- metastore_id
unityCatalog updateCatalog User updates a catalog. - name_arg
- isolation_mode
- comment
- workspace_id
- metastore_id
unityCatalog listCatalog User makes a call to list all catalogs in the metastore. - name_arg
- workspace_id
- metastore_id
unityCatalog createSchema User creates a schema. - name
- catalog_name
- comment
- workspace_id
- metastore_id
unityCatalog deleteSchema User deletes a schema. - full_name_arg
- force
- workspace_id
- metastore_id
unityCatalog getSchema User requests details about a schema. - full_name_arg
- dependent
- workspace_id
- metastore_id
unityCatalog listSchema User requests a list of all schemas in a catalog. - catalog_name
unityCatalog updateSchema User updates a schema. - full_name_arg
- name
- workspace_id
- metastore_id
- comment
unityCatalog createStagingTable - name
- catalog_name
- schema_name
- workspace_id
- metastore_id
unityCatalog createTable User creates a table. The request parameters differ depending on the type of table created. - name
- data_source_format
- catalog_name
- schema_name
- storage_location
- columns
- dry_run
- table_type
- view_dependencies
- view_definition
- sql_path
- comment
unityCatalog deleteTable User deletes a table. - full_name_arg
- workspace_id
- metastore_id
unityCatalog getTable User requests details about a table. - include_delta_metadata
- full_name_arg
- dependent
- workspace_id
- metastore_id
unityCatalog privilegedGetTable - full_name_arg
unityCatalog listTables User makes a call to list all tables in a schema. - catalog_name
- schema_name
- workspace_id
- metastore_id
- include_browse
unityCatalog listTableSummaries User gets an array of summaries for tables for a schema and catalog within the metastore. - catalog_name
- schema_name_pattern
- workspace_id
- metastore_id
unityCatalog updateTables User makes an update to a table. The request parameters displayed vary depending on the type of table updates made. - full_name_arg
- table_type
- table_constraint_list
- data_source_format
- columns
- dependent
- row_filter
- storage_location
- sql_path
- view_definition
- view_dependencies
- owner
- comment
- workspace_id
- metastore_id
unityCatalog createStorageCredential Account admin creates a storage credential. You might see an additional request parameter based on your cloud provider credentials. - name
- comment
- workspace_id
- metastore_id
unityCatalog listStorageCredentials Account admin makes a call to list all storage credentials in the account. - workspace_id
- metastore_id
unityCatalog getStorageCredential Account admin requests details about a storage credential. - name_arg
- workspace_id
- metastore_id
unityCatalog updateStorageCredential Account admin makes an update to a storage credential. - name_arg
- owner
- workspace_id
- metastore_id
unityCatalog deleteStorageCredential Account admin deletes a storage credential. - name_arg
- workspace_id
- metastore_id
unityCatalog generateTemporaryTableCredential Logged whenever a temporary credential is granted for a table. You can use this event to determine who queried what and when. - credential_id
- credential_type
- credential_kind
- is_permissions_enforcing_client
- table_full_name
- operation
- table_id
- workspace_id
- table_url
- metastore_id
unityCatalog generateTemporaryPathCredential Logged whenever a temporary credential is granted for a path. - url
- operation
- make_path_only_parent
- credential_kind
- workspace_id
- metastore_id
unityCatalog getPermissions User makes a call to get permission details for a securable object. This call doesn’t return inherited permissions, only explicitly assigned permissions. - securable_type
- securable_full_name
- workspace_id
- metastore_id
unityCatalog getEffectivePermissions User makes a call to get all permission details for a securable object. An effective permissions call returns both explicitly assigned and inherited permissions. - securable_type
- securable_full_name
- workspace_id
- metastore_id
unityCatalog updatePermissions User updates permissions on a securable object. - securable_type
- changes
- securable_full_name
- workspace_id
- metastore_id
unityCatalog metadataSnapshot User queries the metadata from a previous table version. - securables
- include_delta_metadata
- workspace_id
- metastore_id
unityCatalog metadataAndPermissionsSnapshot User queries the metadata and permissions from a previous table version. - securables
- include_delta_metadata
- workspace_id
- metastore_id
unityCatalog updateMetadataSnapshot User updates the metadata from a previous table version. - table_list_snapshots
- schema_list_snapshots
- workspace_id
- metastore_id
unityCatalog getForeignCredentials User makes a call to get details about a foreign key. - securables
- workspace_id
- metastore_id
unityCatalog getInformationSchema User makes a call to get details about a schema. - table_name
- page_token
- required_column_names
- row_set_type
- workspace_id
- metastore_id
unityCatalog createConstraint User creates a constraint for a table. - full_name_arg
- constraint
- workspace_id
- metastore_id
unityCatalog deleteConstraint User deletes a constraint for a table. - full_name_arg
- constraint
- workspace_id
- metastore_id
unityCatalog createPipeline User creates a Unity Catalog pipeline. - target_catalog_name
- has_workspace_definition
- id
- workspace_id
- metastore_id
unityCatalog updatePipeline User updates a Unity Catalog pipeline. - id_arg
- definition_json
- id
- workspace_id
- metastore_id
unityCatalog getPipeline User requests details about a Unity Catalog pipeline. - id
- workspace_id
- metastore_id
unityCatalog deletePipeline User deletes a Unity Catalog pipeline. - id
- workspace_id
- metastore_id
unityCatalog deleteResourceFailure Resource fails to delete none
unityCatalog createVolume User creates a Unity Catalog volume. - name
- catalog_name
- schema_name
- volume_type
- storage_location
- owner
- comment
- workspace_id
- metastore_id
unityCatalog getVolume User makes a call to get information on a Unity Catalog volume. - volume_full_name
- workspace_id
- metastore_id
unityCatalog updateVolume User updates a Unity Catalog volume’s metadata with the ALTER VOLUME or COMMENT ON calls. - volume_full_name
- name
- owner
- comment
- workspace_id
- metastore_id
unityCatalog deleteVolume User deletes a Unity Catalog volume. - volume_full_name
- workspace_id
- metastore_id
unityCatalog listVolumes User makes a call to get a list of all Unity Catalog volumes in a schema. - catalog_name
- schema_name
- workspace_id
- metastore_id
unityCatalog generateTemporaryVolumeCredential A temporary credential is generated when a user performs a read or write on a volume. You can use this event to determine who accessed a volume and when. - volume_id
- volume_full_name
- operation
- volume_storage_location
- credential_id
- credential_type
- credential_kind
- workspace_id
- metastore_id
unityCatalog getTagSecurableAssignments Tag assignments for a securable are fetched - securable_type
- securable_full_name
- workspace_id
- metastore_id
unityCatalog getTagSubentityAssignments Tag assignments for a subentity are fetched - securable_type
- securable_full_name
- workspace_id
- metastore_id
- subentity_name
unityCatalog UpdateTagSecurableAssignments Tag assignments for a securable are updated - securable_type
- securable_full_name
- workspace_id
- metastore_id
- changes
unityCatalog UpdateTagSubentityAssignments Tag assignments for a subentity are updated - securable_type
- securable_full_name
- workspace_id
- metastore_id
- subentity_name
- changes
unityCatalog createRegisteredModel User creates a Unity Catalog registered model. - name
- catalog_name
- schema_name
- owner
- comment
- workspace_id
- metastore_id
unityCatalog getRegisteredModel User makes a call to get information on a Unity Catalog registered model. - full_name_arg
- workspace_id
- metastore_id
unityCatalog updateRegisteredModel User updates a Unity Catalog registered model’s metadata. - full_name_arg
- name
- owner
- comment
- workspace_id
- metastore_id
unityCatalog deleteRegisteredModel User deletes a Unity Catalog registered model. - full_name_arg
- workspace_id
- metastore_id
unityCatalog listRegisteredModels User makes a call to get a list of Unity Catalog registered models in a schema, or list models across catalogs and schemas. - catalog_name
- schema_name
- max_results
- page_token
- workspace_id
- metastore_id
unityCatalog createModelVersion User creates a model version in Unity Catalog. - catalog_name
- schema_name
- model_name
- source
- comment
- workspace_id
- metastore_id
unityCatalog finalizeModelVersion User makes a call to “finalize” a Unity Catalog model version after uploading model version files to its storage location, making it read-only and usable in inference workflows. - full_name_arg
- version_arg
- workspace_id
- metastore_id
unityCatalog getModelVersion User makes a call to get details on a model version. - full_name_arg
- version_arg
- workspace_id
- metastore_id
unityCatalog getModelVersionByAlias User makes a call to get details on a model version using the alias. - full_name_arg
- include_aliases
- alias_arg
- workspace_id
- metastore_id
unityCatalog updateModelVersion User updates a model version’s metadata. - full_name_arg
- version_arg
- name
- owner
- comment
- workspace_id
- metastore_id
unityCatalog deleteModelVersion User deletes a model version. - full_name_arg
- version_arg
- workspace_id
- metastore_id
unityCatalog listModelVersions User makes a call to get a list of Unity Catalog model versions in a registered model. - catalog_name
- schema_name
- model_name
- max_results
- page_token
- workspace_id
- metastore_id
unityCatalog generateTemporaryModelVersionCredential A temporary credential is generated when a user performs a write (during initial model version creation) or read (after the model version has been finalized) on a model version. You can use this event to determine who accessed a model version and when. - full_name_arg
- version_arg
- operation
- model_version_url
- credential_id
- credential_type
- credential_kind
- workspace_id
- metastore_id
unityCatalog setRegisteredModelAlias User sets an alias on a Unity Catalog registered model. - full_name_arg
- alias_arg
- version
unityCatalog deleteRegisteredModelAlias User deletes an alias on a Unity Catalog registered model. - full_name_arg
- alias_arg
unityCatalog getModelVersionByAlias User gets a Unity Catalog model version by alias. - full_name_arg
- alias_arg
unityCatalog createConnection A new foreign connection is created. - name
- connection_type
- workspace_id
- metastore_id
unityCatalog deleteConnection A foreign connection is deleted. - name_arg
- workspace_id
- metastore_id
unityCatalog getConnection A foreign connection is retrieved. - name_arg
- workspace_id
- metastore_id
unityCatalog updateConnection A foreign connection is updated. - name_arg
- owner
- workspace_id
- metastore_id
unityCatalog listConnections Foreign connections in a metastore are listed. - workspace_id
- metastore_id
unityCatalog createFunction User creates a new function. - function_info
- workspace_id
- metastore_id
unityCatalog updateFunction User updates a function. - full_name_arg
- owner
- workspace_id
- metastore_id
unityCatalog listFunctions User requests a list of all functions within a specific parent catalog or schema. - catalog_name
- schema_name
- include_browse
- workspace_id
- metastore_id
unityCatalog getFunction User requests a function from a parent catalog or schema. - full_name_arg
- workspace_id
- metastore_id
unityCatalog deleteFunction User requests a function from a parent catalog or schema. - full_name_arg
- workspace_id
- metastore_id
unityCatalog createShareMarketplaceListingLink - links_infos
- metastore_id
unityCatalog deleteShareMarketplaceListingLink - links_infos
- metastore_id
unityCatalog generateTemporaryServiceCredential A temporary credential is generated to access a cloud service account from Databricks. - credential_id
- credential_type
- credential_kind
- workspace_id
- metastore_id

Delta Sharing events

Note

This service is unavailable through Azure diagnostic settings. Enable the audit log system table to access these events.

Delta Sharing events are broken up into two sections: events recorded in the data provider’s account and events recorded in the data recipient’s account.

Delta Sharing provider events

The following audit log events are logged in the provider’s account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

Service Action Description Request parameters
unityCatalog deltaSharingListShares A data recipient requests a list of shares. - options: The pagination options provided with this request.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingGetShare A data recipient requests details about a share. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListSchemas A data recipient requests a list of shared schemas. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- options: The pagination options provided with this request.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListAllTables A data recipient requests a list of all shared tables. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListTables A data recipient requests a list of shared tables. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- options: The pagination options provided with this request.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingGetTableMetadata A data recipient requests details about a table’s metadata. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- schema: The name of the schema.
- name: The name of the table.
- predicateHints: The predicates included in the query.
- limitHints: The maximum number of rows to return.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingGetTableVersion A data recipient requests details about a table version. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- schema: The name of the schema.
- name: The name of the table.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingQueryTable Logged when a data recipient queries a shared table. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- schema: The name of the schema.
- name: The name of the table.
- predicateHints: The predicates included in the query.
- limitHints: The maximum number of rows to return.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingQueryTableChanges Logged when a data recipient queries change data for a table. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- schema: The name of the schema.
- name: The name of the table.
- cdf_options: Change data feed options.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingQueriedTable Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing). - recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingQueriedTableChanges Logged after a data recipient gets a response to their query. The response.result field includes more information on the recipient’s query (see Audit and monitor data sharing). - recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListNotebookFiles A data recipient requests a list of shared notebook files. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingQueryNotebookFile A data recipient queries a shared notebook file. - file_name: The name of the notebook file.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListFunctions A data recipient requests a list of functions in a parent schema. - share: The name of the share.
- schema: The name of the parent schema of the function.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListAllFunctions A data recipient requests a list of all shared functions. - share: The name of the share.
- schema: The name of the parent schema of the function.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListFunctionVersions A data recipient requests a list of function versions. - share: The name of the share.
- schema: The name of the parent schema of the function.
- function: The name of the function.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListVolumes A data recipient requests a list of shared volumes in a schema. - share: The name of the share.
- schema: The parent schema of the volumes.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog deltaSharingListAllVolumes A data recipient requests all shared volumes. - share: The name of the share.
- recipient_name: Indicates the recipient executing the action.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog updateMetastore Provider updates their metastore. - delta_sharing_scope: Values can be INTERNAL or INTERNAL_AND_EXTERNAL.
- delta_sharing_recipient_token_lifetime_in_seconds: If present, indicates that the recipient token lifetime was updated.
unityCatalog createRecipient Provider creates a data recipient. - name: The name of the recipient.
- comment: The comment for the recipient.
- ip_access_list.allowed_ip_addresses: Recipient IP address allowlist.
unityCatalog deleteRecipient Provider deletes a data recipient. - name: The name of the recipient.
unityCatalog getRecipient Provider requests details about a data recipient. - name: The name of the recipient.
unityCatalog listRecipients Provider requests a list of all their data recipients. none
unityCatalog rotateRecipientToken Provider rotates a recipient’s token. - name: The name of the recipient.
- comment: The comment given in the rotation command.
unityCatalog updateRecipient Provider updates a data recipient’s attributes. - name: The name of the recipient.
- updates: A JSON representation of recipient attributes that were added or removed from the share.
unityCatalog createShare Provider updates a data recipient’s attributes. - name: The name of the share.
- comment: The comment for the share.
unityCatalog deleteShare Provider updates a data recipient’s attributes. - name: The name of the share.
unityCatalog getShare Provider requests details about a share. - name: The name of the share.
- include_shared_objects: Whether the share’s table names were included in the request.
unityCatalog updateShare Provider adds or removes data assets from a share. - name: The name of the share.
- updates: A JSON representation of data assets that were added or removed from the share. Each item includes action (add or remove), name (the actual name of the table), shared_as (the name the asset was shared as, if different from the actual name), and partition_specification (if a partition specification was provided).
unityCatalog listShares Provider requests a list of their shares. none
unityCatalog getSharePermissions Provider requests details on a share’s permissions. - name: The name of the share.
unityCatalog updateSharePermissions Provider updates a share’s permissions. - name: The name of the share.
- changes: A JSON representation of the updated permissions. Each change includes principal (the user or group to whom permission is granted or revoked), add (the list of permissions that were granted), and remove (the list of permissions that were revoked).
unityCatalog getRecipientSharePermissions Provider requests details about a recipient’s share permissions. - name: The name of the share.
unityCatalog getActivationUrlInfo Provider requests details about activity on their activation link. - recipient_name: The name of the recipient who opened the activation URL.
- is_ip_access_denied: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. sourceIPaddress is the recipient IP address.
unityCatalog generateTemporaryVolumeCredential Temporary credential is generated for the recipient to access a shared volume. - share_name: The name of the share through which the recipient requests.
- share_id: The ID of the share.
- share_owner: The owner of the share.
- recipient_name: The name of the recipient who requests the credential.
- recipient_id: The ID of the recipient.
- volume_full_name: The full 3-level name of the volume.
- volume_id: The ID of the volume.
- volume_storage_location: The cloud path of the volume root.
- operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported.
- credential_id: The ID of the credential.
- credential_type: The type of the credential. Value is always StorageCredential.
- credential_kind: The method used to authorize access.
- workspace_id: Value is always 0 when the request is for shared volumes.
unityCatalog generateTemporaryTableCredential Temporary credential is generated for the recipient to access a shared table. - share_name: The name of the share through which the recipient requests.
- share_id: The ID of the share.
- share_owner: The owner of the share.
- recipient_name: The name of the recipient who requests the credential.
- recipient_id: The ID of the recipient.
- table_full_name: The full 3-level name of the table.
- table_id: The ID of the table.
- table_url: The cloud path of the table root.
- operation: Either READ or READ_WRITE.
- credential_id: The ID of the credential.
- credential_type: The type of the credential. Value is always StorageCredential.
- credential_kind: The method used to authorize access.
- workspace_id: Value is always 0 when the request is for shared tables.
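
The is_ip_access_denied parameter on the Delta Sharing events above has three states (None, true, false), and a triage script has to keep them apart. The following is an added example, not code from Databricks: the record layout (serviceName, actionName, sourceIPAddress, requestParams as JSON keys), the sample lines, and the threshold are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records, not real log output. The JSON key names are an
# assumed export layout; adjust them to match how your logs are delivered.
SAMPLE_LOG_LINES = [
    '{"serviceName": "unityCatalog", "actionName": "deltaSharingListAllVolumes",'
    ' "sourceIPAddress": "198.51.100.7", "requestParams": {"share": "sales_share",'
    ' "recipient_name": "partner_a", "is_ip_access_denied": "false"}}',
    '{"serviceName": "unityCatalog", "actionName": "deltaSharingListVolumes",'
    ' "sourceIPAddress": "203.0.113.50", "requestParams": {"share": "sales_share",'
    ' "recipient_name": "partner_a", "is_ip_access_denied": "true"}}',
    '{"serviceName": "unityCatalog", "actionName": "deltaSharingListFunctions",'
    ' "sourceIPAddress": "203.0.113.51", "requestParams": {"share": "sales_share",'
    ' "recipient_name": "partner_a", "is_ip_access_denied": "true"}}',
    '{"serviceName": "unityCatalog", "actionName": "getActivationUrlInfo",'
    ' "sourceIPAddress": "192.0.2.10", "requestParams":'
    ' {"recipient_name": "partner_b", "is_ip_access_denied": "None"}}',
    # Provider-side management event: carries no is_ip_access_denied field.
    '{"serviceName": "unityCatalog", "actionName": "createRecipient",'
    ' "sourceIPAddress": "192.0.2.20", "requestParams": {"name": "partner_c"}}',
    # Unrelated service and a truncated line, both of which must be skipped.
    '{"serviceName": "clusters", "actionName": "start", "requestParams": {}}',
    '{"serviceName": "unityCatalog", "actionName": "deltaSharingList',
]


def parse_ip_access_denied(value):
    """Map a logged is_ip_access_denied value to one of four states.

    'no_acl'  -> None: no IP access list is configured for the recipient
    'denied'  -> true: the request was denied by the IP access list
    'allowed' -> false: an IP access list exists and the request passed
    'unknown' -> anything else, kept visible instead of being guessed at
    """
    if value is None:
        return "no_acl"
    text = str(value).strip().lower()
    if text in ("none", "null", ""):
        return "no_acl"
    if text == "true":
        return "denied"
    if text == "false":
        return "allowed"
    return "unknown"


def summarize_recipient_access(lines):
    """Count IP access list outcomes per recipient_name."""
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0, "no_acl": 0,
                                   "unknown": 0, "denied_ips": set()})
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line
        if not isinstance(record, dict) or record.get("serviceName") != "unityCatalog":
            continue
        params = record.get("requestParams")
        if not isinstance(params, dict) or "is_ip_access_denied" not in params:
            continue  # event type does not report the field
        state = parse_ip_access_denied(params["is_ip_access_denied"])
        entry = summary[params.get("recipient_name", "<unknown>")]
        entry[state] += 1
        if state == "denied":
            entry["denied_ips"].add(record.get("sourceIPAddress", "<unknown>"))
    return dict(summary)


def findings(summary, denied_threshold=2):
    """Return (recipient, finding, source_ips) tuples worth a reviewer's time."""
    results = []
    for recipient, entry in sorted(summary.items()):
        if entry["denied"] >= denied_threshold:
            results.append((recipient, "repeated_ip_denials", sorted(entry["denied_ips"])))
        if entry["no_acl"] > 0:
            results.append((recipient, "no_ip_access_list", []))
    return results


if __name__ == "__main__":
    for finding in findings(summarize_recipient_access(SAMPLE_LOG_LINES)):
        print(finding)
```

Treating None as its own state matters because a recipient with no IP access list never produces a denial, so counting only true values would hide exactly the recipients with the weakest network restriction.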

Delta Sharing recipient events

The following events are logged in the data recipient’s account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

  • recipient_name: The name of the recipient in the data provider’s system.
  • metastore_id: The name of the metastore in the data provider’s system.
  • sourceIPAddress: The IP address where the request originated.

Service Action Description Request parameters
unityCatalog deltaSharingProxyGetTableVersion A data recipient requests details on a shared table version. - share: The name of the share.
- schema: The name of the table’s parent schema.
- name: The name of the table.
unityCatalog deltaSharingProxyGetTableMetadata A data recipient requests details on a shared table’s metadata. - share: The name of the share.
- schema: The name of the table’s parent schema.
- name: The name of the table.
unityCatalog deltaSharingProxyQueryTable A data recipient queries a shared table. - share: The name of the share.
- schema: The name of the table’s parent schema.
- name: The name of the table.
- limitHints: The maximum number of rows to return.
- predicateHints: The predicates included in the query.
- version: Table version, if change data feed is enabled.
unityCatalog deltaSharingProxyQueryTableChanges A data recipient queries change data for a table. - share: The name of the share.
- schema: The name of the table’s parent schema.
- name: The name of the table.
- cdf_options: Change data feed options.
unityCatalog createProvider A data recipient creates a provider object. - name: The name of the provider.
- comment: The comment for the provider.
unityCatalog updateProvider A data recipient updates a provider object. - name: The name of the provider.
- updates: A JSON representation of provider attributes that were added or removed from the share. Each item includes action (add or remove) and can include name (the new provider name), owner (new owner), and comment.
unityCatalog deleteProvider A data recipient deletes a provider object. - name: The name of the provider.
unityCatalog getProvider A data recipient requests details about a provider object. - name: The name of the provider.
unityCatalog listProviders A data recipient requests a list of providers. none
unityCatalog activateProvider A data recipient activates a provider object. - name: The name of the provider.
unityCatalog listProviderShares A data recipient requests a list of a provider’s shares. - name: The name of the provider.
unityCatalog generateTemporaryVolumeCredential Temporary credential is generated for the recipient to access a shared volume. - share_name: The name of the share through which the recipient requests.
- volume_full_name: The full 3-level name of the volume.
- volume_id: The ID of the volume.
- operation: Either READ_VOLUME or WRITE_VOLUME. For volume sharing, only READ_VOLUME is supported.
- workspace_id: The ID of the workspace that receives the user request.
unityCatalog generateTemporaryTableCredential Temporary credential is generated for the recipient to access a shared table. - share_name: The name of the share through which the recipient requests.
- table_full_name: The full 3-level name of the table.
- table_id: The ID of the table.
- operation: Either READ or READ_WRITE.
- workspace_id: The ID of the workspace that receives the user request.

Additional security monitoring events

For Azure Databricks compute resources in the classic compute plane, such as VMs for clusters and pro or classic SQL warehouses, the following features enable additional monitoring agents:

File integrity monitoring events

The following capsule8-alerts-dataplane events are logged at the workspace level.

Service Action Description Request parameters
capsule8-alerts-dataplane Heartbeat A regular event to confirm the monitor is on. Currently runs every 10 minutes. - instanceId
capsule8-alerts-dataplane Memory Marked Executable Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers. - instanceId
capsule8-alerts-dataplane File Integrity Monitor Monitors the integrity of important system files. Alerts on any unauthorized changes to those files. Databricks defines specific sets of system paths on the image, and this set of paths might change over time. - instanceId
capsule8-alerts-dataplane Systemd Unit File Modified Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl. - instanceId
capsule8-alerts-dataplane Repeated Program Crashes Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault. - instanceId
capsule8-alerts-dataplane Userfaultfd Usage As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container. - instanceId
capsule8-alerts-dataplane New File Executed in Container Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable. This can cause false positives for certain application servers. - instanceId
capsule8-alerts-dataplane Suspicious Interactive Shell Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells. - instanceId
capsule8-alerts-dataplane User Command Logging Evasion Evading command logging is common practice for attackers, but might also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging. - instanceId
capsule8-alerts-dataplane BPF Program Executed Detects some types of kernel backdoors. The loading of a new Berkeley Packet Filter (BPF) program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Kernel Module Loaded Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Suspicious Program Name Executed-Space After File Attackers might create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name. - instanceId
capsule8-alerts-dataplane Illegal Elevation Of Privileges Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means. This can issue false positive alerts on nodes with significant workloads. - instanceId
capsule8-alerts-dataplane Kernel Exploit Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to user space. - instanceId
capsule8-alerts-dataplane Processor-Level Protections Disabled SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration. - instanceId
capsule8-alerts-dataplane Container Escape via Kernel Exploitation Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access. - instanceId
capsule8-alerts-dataplane Privileged Container Launched Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn’t a known privileged image such as kube-proxy. This can issue unwanted alerts for legitimate privileged containers. - instanceId
capsule8-alerts-dataplane Userland Container Escape Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container. - instanceId
capsule8-alerts-dataplane AppArmor Disabled In Kernel Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts. - instanceId
capsule8-alerts-dataplane AppArmor Profile Modified Attackers might attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session. - instanceId
capsule8-alerts-dataplane Boot Files Modified If not performed by a trusted source (such as a package manager or configuration management tool), modification of boot files could indicate an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration. - instanceId
capsule8-alerts-dataplane Log Files Deleted Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files. - instanceId
capsule8-alerts-dataplane New File Executed Newly created files from sources other than system update programs might be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs. - instanceId
capsule8-alerts-dataplane Root Certificate Store Modified Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed. - instanceId
capsule8-alerts-dataplane Setuid/Setgid Bit Set On File Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls. - instanceId
capsule8-alerts-dataplane Hidden File Created Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident. - instanceId
capsule8-alerts-dataplane Modification Of Common System Utilities Attackers might modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process. - instanceId
capsule8-alerts-dataplane Network Service Scanner Executed An attacker or rogue user might use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed. - instanceId
capsule8-alerts-dataplane Network Service Created Attackers might start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Network Sniffing Program Executed An attacker or rogue user might execute network sniffing commands to capture credentials, personally-identifiable information (PII), or other sensitive information. Alerts when a program is executed that allows network capture. - instanceId
capsule8-alerts-dataplane Remote File Copy Detected Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Unusual Outbound Connection Detected Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Data Archived Via Program After gaining access to a system, an attacker might create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Process Injection Use of process injection techniques commonly indicates that a user is debugging a program, but might also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process. - instanceId
capsule8-alerts-dataplane Account Enumeration Via Program Attackers often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane File and Directory Discovery Via Program Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Network Configuration Enumeration Via Program Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Process Enumeration Via Program Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane System Information Enumeration Via Program Attackers commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane Scheduled Tasks Modified Via Program Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the crontab, at, or batch commands are used to modify scheduled task configurations. - instanceId
capsule8-alerts-dataplane Systemctl Usage Detected Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units. - instanceId
capsule8-alerts-dataplane User Execution Of su Command Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the su command is executed. - instanceId
capsule8-alerts-dataplane User Execution Of sudo Command Alerts when the sudo command is executed. - instanceId
capsule8-alerts-dataplane User Command History Cleared Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted. - instanceId
capsule8-alerts-dataplane New System User Added An attacker might add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file /etc/passwd, if the entity is not added by a system update program. - instanceId
capsule8-alerts-dataplane Password Database Modification Attackers might directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information. - instanceId
capsule8-alerts-dataplane SSH Authorized Keys Modification Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user’s SSH authorized_keys file is observed, if the program is already part of an ongoing incident. - instanceId
capsule8-alerts-dataplane User Account Created Via CLI Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager. - instanceId
capsule8-alerts-dataplane User Configuration Changes Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted. - instanceId
capsule8-alerts-dataplane New System User Added User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when .bash_profile and bashrc (as well as related files) are modified by a program other than a system update tool. - instanceId

Antivirus monitoring events

Note

The response JSON object in these audit logs always has a result field that includes one line of the original scan result. Each scan result is typically represented by multiple audit log records, one for each line of the original scan output. For details of what could appear in this file, see the following third-party documentation.

The following clamAVScanService-dataplane event is logged at the workspace level.

Service Action Description Request parameters
clamAVScanService-dataplane clamAVScanAction The antivirus monitoring performs a scan. A log is generated for each line of the original scan output. - instanceId

Deprecated log events

Databricks has deprecated the following databrickssql diagnostic events:

  • createAlertDestination (now createNotificationDestination)
  • deleteAlertDestination (now deleteNotificationDestination)
  • updateAlertDestination (now updateNotificationDestination)
  • muteAlert
  • unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

  • changeEndpointAcls
  • createEndpoint
  • editEndpoint
  • startEndpoint
  • stopEndpoint
  • deleteEndpoint
  • setEndpointConfig