Diagnostic log reference

Article
11/13/2024

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of audit log services and events. The availability of these services depends on how you access the logs:

Azure Monitor's diagnostic settings service does not log all of these services. Services that are unavailable on Azure's diagnostic settings are labeled accordingly.

Note

Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.

Diagnostic log services

The following services and their events are logged by default in diagnostic logs.

Note

The workspace-level and account-level designations only apply to the audit logs system table. Azure diagnostic logs do not include account-level events.

Workspace-level services

Service name	Description
accounts	Events related to accounts, users, groups, and IP access lists.
clusters	Events related to clusters.
clusterPolicies	Events related to cluster policies.
dashboards	Events related to AI/BI dashboard use.
databrickssql	Events related to Databricks SQL use.
dbfs	Events related to DBFS.
deltaPipelines	Events related to Delta Live Table pipelines.
featureStore	Events related to the Databricks Feature Store.
filesystem	Events related to the Files API.
gitCredentials	Events related to Git credentials for Databricks Git folders. See also `repos`.
globalInitScripts	Events related to global init scripts.
groups	Events related to account and workspace groups.
iamRole	Events related to IAM role permissions.
ingestion	Events related to file uploads.
instancePools	Events related to pools.
jobs	Events related to jobs.
mlflowAcledArtifact	Events related to ML Flow artifacts with ACLs.
mlflowExperiment	Events related to ML Flow experiments.
modelRegistry	Events related to the model registry.
notebook	Events related to notebooks.
remoteHistoryService	Events related to adding a removing GitHub Credentials.
repos	Events related to Databricks Git folders. See also `gitCredentials`.
secrets	Events related to secrets.
sqlPermissions	Events related to the legacy Hive metastore table access control.
ssh	Events related to SSH access.
webTerminal	Events related to the web terminal feature.
workspace	Events related to workspaces.

Account-level services

Account-level audit logs are available for these services:

Service name	Description
accountBillableUsage	Actions related to billable usage access in the account console.
accountsAccessControl	Actions related to account-level access control rules.
accountsManager	Actions related to network connectivity configurations.
unityCatalog	Actions performed in Unity Catalog. This also includes Delta Sharing events, see Delta Sharing events.

Diagnostic log example schema

In Azure Databricks, diagnostic logs output events in a JSON format. In Azure Databricks, audit logs output events in a JSON format. The serviceName and actionName properties identify the event. The naming convention follows the Databricks REST API.

The following JSON sample is an example of an event logged when a user created a job:

{
    "TenantId": "<your-tenant-id>",
    "SourceSystem": "|Databricks|",
    "TimeGenerated": "2019-05-01T00:18:58Z",
    "ResourceId": "/SUBSCRIPTIONS/SUBSCRIPTION_ID/RESOURCEGROUPS/RESOURCE_GROUP/PROVIDERS/MICROSOFT.DATABRICKS/WORKSPACES/PAID-VNET-ADB-PORTAL",
    "OperationName": "Microsoft.Databricks/jobs/create",
    "OperationVersion": "1.0.0",
    "Category": "jobs",
    "Identity": {
        "email": "mail@contoso.com",
        "subjectName": null
    },
    "SourceIPAddress": "131.0.0.0",
    "LogId": "201b6d83-396a-4f3c-9dee-65c971ddeb2b",
    "ServiceName": "jobs",
    "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
    "SessionId": "webapp-cons-webapp-01exaj6u94682b1an89u7g166c",
    "ActionName": "create",
    "RequestId": "ServiceMain-206b2474f0620002",
    "Response": {
        "statusCode": 200,
        "result": "{\"job_id\":1}"
    },
    "RequestParams": {
        "name": "Untitled",
        "new_cluster": "{\"node_type_id\":\"Standard_DS3_v2\",\"spark_version\":\"5.2.x-scala2.11\",\"num_workers\":8,\"spark_conf\":{\"spark.databricks.delta.preview.enabled\":\"true\"},\"cluster_creator\":\"JOB_LAUNCHER\",\"spark_env_vars\":{\"PYSPARK_PYTHON\":\"/databricks/python3/bin/python3\"},\"enable_elastic_disk\":true}"
    },
    "Type": "DatabricksJobs"
}

Diagnostic log schema considerations

If actions take a long time, the request and response are logged separately but the request and response pair have the same requestId.
Automated actions, such as resizing a cluster due to autoscaling or launching a job due to scheduling, are performed by the user System-User.
The requestParams field is subject to truncation. If the size of its JSON representation exceeds 100 KB, values are truncated and the string ... truncated is appended to truncated entries. In rare cases where a truncated map is still larger than 100 KB, a single TRUNCATED key with an empty value is present instead.

Account events

The following are accounts events logged at the workspace level.

Service	Action	Description	Request parameters
`accounts`	`activateUser`	A user is reactivated after being deactivated. See Deactivate users in workspace.	- `targetUserName` - `endpoint` - `targetUserId`
`accounts`	`aadBrowserLogin`	A user logs in to Databricks using a Microsoft Entra ID browser workflow.	- `user`
`accounts`	`aadTokenLogin`	A user logs in to Databricks through the Microsoft Entra ID token.	- `user`
`accounts`	`accountInHouseOAuthClientAuthentication`	An OAuth client is authenticated.	- `endpoint`
`accounts`	`activateUser`	Admin adds a user to the Databricks account from the Azure portal.	- `warehouse` - `targetUserName` - `targetUserId`
`accounts`	`add`	A user is added to an Azure Databricks workspace.	- `targetUserName` - `endpoint` - `targetUserId`
`accounts`	`addPrincipalToGroup`	A user is added to a workspace-level group.	- `targetGroupId` - `endpoint` - `targetUserId` - `targetGroupName` - `targetUserName`
`accounts`	`changeDatabricksSqlAcl`	A user's Databricks SQL permissions are changed.	- `shardName` - `targetUserId` - `resourceId` - `aclPermissionSet`
`accounts`	`changeDatabricksWorkspaceAcl`	Permissions to a workspace are changed.	- `shardName` - `targetUserId` - `resourceId` - `aclPermissionSet`
`accounts`	`changeDbTokenAcl`	When permissions on a token are changed.	- `shardName` - `targetUserId` - `resourceId` - `aclPermissionSet`
`accounts`	`changeServicePrincipalAcls`	When a service principal's permissions are changed.	- `shardName` - `targetServicePrincipal` - `resourceId` - `aclPermissionSet`
`accounts`	`createGroup`	A workspace-level group is created.	- `endpoint` - `targetGroupId` - `targetGroupName`
`accounts`	`createIpAccessList`	An IP access list is added to the workspace.	- `ipAccessListId` - `userId`
`accounts`	`deactivateUser`	A user is deactivated in the workspace. See Deactivate users in workspace.	- `targetUserName` - `endpoint` - `targetUserId`
`accounts`	`delete`	A user is deleted from the Azure Databricks workspace.	- `targetUserId` - `targetUserName` - `endpoint`
`accounts`	`deleteIpAccessList`	An IP access list is deleted from the workspace.	- `ipAccessListId` - `userId`
`accounts`	`garbageCollectDbToken`	A user runs a garbage collect command on expired tokens.	- `tokenExpirationTime` - `tokenClientId` - `userId` - `tokenCreationTime` - `tokenFirstAccessed`
`accounts`	`generateDbToken`	When someone generates a token from User Settings or when the service generates the token.	- `tokenExpirationTime` - `tokenCreatedBy` - `tokenHash` - `userId`
`accounts`	`IpAccessDenied`	A user attempts to connect to the service through a denied IP.	- `path` - `userName`
`accounts`	`ipAccessListQuotaExceeded`		- `userId`
`accounts`	`jwtLogin`	User logs into Databricks using a JWT.	- `user`
`accounts`	`login`	User logs into the workspace.	- `user`
`accounts`	`logout`	User logs out of the workspace.	- `user`
`accounts`	`oidcTokenAuthorization`	When an API call is authorized through a generic OIDC/OAuth token.	- `user`
`accounts`	`passwordVerifyAuthentication`		- `user`
`accounts`	`reachMaxQuotaDbToken`	When the current number of non-expired tokens exceeds the token quota
`accounts`	`removeAdmin`	A user is revoked of workspace admin permissions.	- `targetUserName` - `endpoint` - `targetUserId`
`accounts`	`removeGroup`	A group is removed from the workspace.	- `targetGroupId` - `targetGroupName` - `endpoint`
`accounts`	`removePrincipalFromGroup`	A user is removed from a group.	- `targetGroupId` - `endpoint` - `targetUserId` - `targetGroupName` - `targetUserName`
`accounts`	`revokeDbToken`	A user's token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account.	- `userId`
`accounts`	`setAdmin`	A user is granted account admin permissions.	- `endpoint` - `targetUserName` - `targetUserId`
`accounts`	`tokenLogin`	A user logs into Databricks using a token.	- `tokenId` - `user`
`accounts`	`updateIpAccessList`	An IP access list is changed.	- `ipAccessListId` - `userId`
`accounts`	`updateUser`	A change is made to a user's account.	- `warehouse` - `targetUserName` - `targetUserId`
`accounts`	`validateEmail`	When a user validates their email after account creation.	- `endpoint` - `targetUserName` - `targetUserId`

Clusters events

The following are cluster events logged at the workspace level.

Service	Action	Description	Request parameters
`clusters`	`changeClusterAcl`	A user changes the cluster ACL.	- `shardName` - `aclPermissionSet` - `targetUserId` - `resourceId`
`clusters`	`create`	A user creates a cluster.	- `cluster_log_conf` - `num_workers` - `enable_elastic_disk` - `driver_node_type_id` - `start_cluster` - `docker_image` - `ssh_public_keys` - `aws_attributes` - `acl_path_prefix` - `node_type_id` - `instance_pool_id` - `spark_env_vars` - `init_scripts` - `spark_version` - `cluster_source` - `autotermination_minutes` - `cluster_name` - `autoscale` - `custom_tags` - `cluster_creator` - `enable_local_disk_encryption` - `idempotency_token` - `spark_conf` - `organization_id` - `no_driver_daemon` - `user_id` - `virtual_cluster_size` - `apply_policy_default_values` - `data_security_mode`
`clusters`	`createResult`	Results from cluster creation. In conjunction with `create`.	- `clusterName` - `clusterState` - `clusterId` - `clusterWorkers` - `clusterOwnerUserId`
`clusters`	`delete`	A cluster is terminated.	- `cluster_id`
`clusters`	`deleteResult`	Results from cluster termination. In conjunction with `delete`.	- `clusterName` - `clusterState` - `clusterId` - `clusterWorkers` - `clusterOwnerUserId`
`clusters`	`edit`	A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior.	- `cluster_log_conf` - `num_workers` - `enable_elastic_disk` - `driver_node_type_id` - `start_cluster` - `docker_image` - `ssh_public_keys` - `aws_attributes` - `acl_path_prefix` - `node_type_id` - `instance_pool_id` - `spark_env_vars` - `init_scripts` - `spark_version` - `cluster_source` - `autotermination_minutes` - `cluster_name` - `autoscale` - `custom_tags` - `cluster_creator` - `enable_local_disk_encryption` - `idempotency_token` - `spark_conf` - `organization_id` - `no_driver_daemon` - `user_id` - `virtual_cluster_size` - `apply_policy_default_values` - `data_security_mode`
`clusters`	`permanentDelete`	A cluster is deleted from the UI.	- `cluster_id`
`clusters`	`resize`	Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.	- `cluster_id` - `num_workers` - `autoscale`
`clusters`	`resizeResult`	Results from cluster resize. In conjunction with `resize`.	- `clusterName` - `clusterState` - `clusterId` - `clusterWorkers` - `clusterOwnerUserId`
`clusters`	`restart`	A user restarts a running cluster.	- `cluster_id`
`clusters`	`restartResult`	Results from cluster restart. In conjunction with `restart`.	- `clusterName` - `clusterState` - `clusterId` - `clusterWorkers` - `clusterOwnerUserId`
`clusters`	`start`	A user starts a cluster.	- `init_scripts_safe_mode` - `cluster_id`
`clusters`	`startResult`	Results from cluster start. In conjunction with `start`.	- `clusterName` - `clusterState` - `clusterId` - `clusterWorkers` - `clusterOwnerUserId`

Cluster libraries events

The following are clusterLibraries events logged at the workspace level.

Service	Action	Description	Request parameters
`clusterLibraries`	`installLibraries`	User installs a library on a cluster.	- `cluster_id` - `libraries`
`clusterLibraries`	`uninstallLibraries`	User uninstalls a library on a cluster.	- `cluster_id` - `libraries`
`clusterLibraries`	`installLibraryOnAllClusters`	A workspace admin schedules a library to install on all cluster.	- `user` - `library`
`clusterLibraries`	`uninstallLibraryOnAllClusters`	A workspace admin removes a library from the list to install on all clusters.	- `user` - `library`

Dashboards events

The following are dashboards events logged at the workspace level.

Service	Action	Description	Request parameters
`dashboards`	`getDashboard`	A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard.	- `dashboard_id`
`dashboards`	`getPublishedDashboard`	A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email.	- `dashboard_id` - `credentials_embedded`
`dashboards`	`executeQuery`	A user executes a query from a dashboard.	- `dashboard_id` - `statement_id`
`dashboards`	`cancelQuery`	A user cancels a query from a dashboard.	- `dashboard_id` - `statement_id`
`dashboards`	`getQueryResult`	A user receives the results of a query from a dashboard.	- `dashboard_id` - `statement_id`
`dashboards`	`sendDashboardSnapshot`	A PDF snapshot of a dashboard is sent through a scheduled email. The request parameters values depend on the type of recipient. For a Databricks notification destination, only the `destination_id` is shown. For a Databricks user, the subscriber's user ID and email address are shown. If the recipient is an email address, only the email address is shown.	- `dashboard_id` - `subscriber_destination_id` - `subscriber_user_details: {` `user_id`, `email_address }`
`dashboards`	`getDashboardDetails`	A user accesses details of a draft dashboard, such as datasets and widgets. `getDashboardDetails` is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API.	- `dashboard_id`
`dashboards`	`createDashboard`	A user creates a new AI/BI dashboard using the UI or API.	- `dashboard_id`
`dashboards`	`updateDashboard`	A user makes an update to an AI/BI dashboard using the UI or API.	- `dashboard_id`
`dashboards`	`cloneDashboard`	A user clones an AI/BI dashboard.	- `source_dashboard_id` - `new_dashboard_id`
`dashboards`	`publishDashboard`	A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API.	- `dashboard_id` - `credentials_embedded` - `warehouse_id`
`dashboards`	`unpublishDashboard`	A user unpublishes a published AI/BI dashboard using the UI or API.	- `dashboard_id`
`dashboards`	`trashDashboard`	A user moves an AI/BI dashboard to the trash using the UI or API.	- `dashboard_id`
`dashboards`	`restoreDashboard`	A user restores an AI/BI dashboard from the trash.	- `dashboard_id`
`dashboards`	`migrateDashboard`	A user migrates a DBSQL dashboard to an AI/BI dashboard.	- `source_dashboard_id` - `new_dashboard_id`
`dashboards`	`createSchedule`	A user creates an email subscription schedule.	- `dashboard_id` - `schedule_id`
`dashboards`	`updateSchedule`	A user makes an update to an AI/BI dashboard's schedule.	- `dashboard_id` - `schedule_id`
`dashboards`	`deleteSchedule`	A user deletes an AI/BI dashboard's schedule.	- `dashboard_id` - `schedule_id`
`dashboards`	`createSubscription`	A user subscribes an email destination to an AI/BI dashboard schedule.	- `dashboard_id` - `schedule_id` - `schedule`
`dashboards`	`deleteSubscription`	A user deletes an email destination from an AI/BI dashboard schedule.	- `dashboard_id` - `schedule_id`

Databricks SQL events

The following are databrickssql events logged at the workspace level.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service	Action	Description	Request parameters
`databrickssql`	`addDashboardWidget`	A widget is added to a dashboard.	- `dashboardId` - `widgetId`
`databrickssql`	`cancelQueryExecution`	A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.	- `queryExecutionId`
`databrickssql`	`changeWarehouseAcls`	A warehouse manager updates permissions on a SQL warehouse.	- `aclPermissionSet` - `resourceId` - `shardName` - `targetUserId`
`databrickssql`	`changePermissions`	A user updates permissions on an object.	- `granteeAndPermission` - `objectId` - `objectType`
`databrickssql`	`cloneDashboard`	A user clones a dashboard.	- `dashboardId`
`databrickssql`	`commandSubmit`	Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.	- `warehouseId` - `commandId` - `validation` - `commandText`
`databrickssql`	`commandFinish`	Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.	- `warehouseId` - `commandId`
`databrickssql`	`createAlert`	A user creates an alert.	- `alertId`
`databrickssql`	`createNotificationDestination`	A workspace admin creates a notification destination.	- `notificationDestinationId` - `notificationDestinationType`
`databrickssql`	`createDashboard`	A user creates a dashboard.	- `dashboardId`
`databrickssql`	`createDataPreviewDashboard`	A user creates a data preview dashboard.	- `dashboardId`
`databrickssql`	`createWarehouse`	A user with the cluster create entitlement creates a SQL warehouse.	- `auto_resume` - `auto_stop_mins` - `channel` - `cluster_size` - `conf_pairs` - `custom_cluster_confs` - `enable_databricks_compute` - `enable_photon` - `enable_serverless_compute` - `instance_profile_arn` - `max_num_clusters` - `min_num_clusters` - `name` - `size` - `spot_instance_policy` - `tags` - `test_overrides`
`databrickssql`	`createQuery`	A user creates a new query.	- `queryId`
`databrickssql`	`createQueryDraft`	A user creates a query draft.	- `queryId`
`databrickssql`	`createQuerySnippet`	A user creates a query snippet.	- `querySnippetId`
`databrickssql`	`createSampleDashboard`	A user creates a sample dashboard.	- `sampleDashboardId`
`databrickssql`	`createVisualization`	A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses.	- `queryId` - `visualizationId`
`databrickssql`	`deleteAlert`	A user deletes an alert either from the alert interface or through API. Excludes deletions from the file browser UI.	- `alertId`
`databrickssql`	`deleteNotificationDestination`	A workspace admin deletes a notification destination.	- `notificationDestinationId`
`databrickssql`	`deleteDashboard`	A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI.	- `dashboardId`
`databrickssql`	`deleteDashboardWidget`	A user deletes a dashboard widget.	- `widgetId`
`databrickssql`	`deleteWarehouse`	A warehouse manager deletes a SQL warehouse.	- `id`
`databrickssql`	`deleteQuery`	A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.	- `queryId`
`databrickssql`	`deleteQueryDraft`	A user deletes a query draft.	- `queryId`
`databrickssql`	`deleteQuerySnippet`	A user deletes a query snippet.	- `querySnippetId`
`databrickssql`	`deleteVisualization`	A user deletes a visualization from a query in the SQL Editor.	- `visualizationId`
`databrickssql`	`downloadQueryResult`	A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.	- `fileType` - `queryId` - `queryResultId` - `credentialsEmbedded` - `credentialsEmbeddedId`
`databrickssql`	`editWarehouse`	A warehouse manager makes edits to a SQL warehouse.	- `auto_stop_mins` - `channel` - `cluster_size` - `confs` - `enable_photon` - `enable_serverless_compute` - `id` - `instance_profile_arn` - `max_num_clusters` - `min_num_clusters` - `name` - `spot_instance_policy` - `tags`
`databrickssql`	`executeAdhocQuery`	Generated by one of the following: - A user runs a query draft in the SQL editor - A query is executed from a visualization aggregation - A user loads a dashboard and executes underlying queries	- `dataSourceId`
`databrickssql`	`executeSavedQuery`	A user runs a saved query.	- `queryId`
`databrickssql`	`executeWidgetQuery`	Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include: - Refreshing a single panel - Refreshing an entire dashboard - Scheduled dashboard executions - Parameter or filter changes operating over more than 64,000 rows	- `widgetId`
`databrickssql`	`favoriteDashboard`	A user favorites a dashboard.	- `dashboardId`
`databrickssql`	`favoriteQuery`	A user favorites a query.	- `queryId`
`databrickssql`	`forkQuery`	A user clones a query.	- `originalQueryId` - `queryId`
`databrickssql`	`listQueries`	A user opens the query listing page or calls the list query API.	- `filter_by` - `include_metrics` - `max_results` - `page_token`
`databrickssql`	`moveAlertToTrash`	A user moves an alert to the trash.	- `alertId`
`databrickssql`	`moveDashboardToTrash`	A user moves a dashboard to the trash.	- `dashboardId`
`databrickssql`	`moveQueryToTrash`	A user moves a query to the trash.	- `queryId`
`databrickssql`	`restoreAlert`	A user restores an alert from the trash.	- `alertId`
`databrickssql`	`restoreDashboard`	A user restores a dashboard from the trash.	- `dashboardId`
`databrickssql`	`restoreQuery`	A user restores a query from the trash.	- `queryId`
`databrickssql`	`setWarehouseConfig`	A warehouse manager sets the configuration for a SQL warehouse.	- `data_access_config` - `enable_serverless_compute` - `instance_profile_arn` - `security_policy` - `serverless_agreement` - `sql_configuration_parameters` - `try_create_databricks_managed_starter_warehouse`
`databrickssql`	`snapshotDashboard`	A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots.	- `dashboardId`
`databrickssql`	`startWarehouse`	A SQL warehouse is started.	- `id`
`databrickssql`	`stopWarehouse`	A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.	- `id`
`databrickssql`	`transferObjectOwnership`	A workspace admin transfers the ownership of a dashboard, query, or alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.	- `newOwner` - `objectId` - `objectType`
`databrickssql`	`unfavoriteDashboard`	A user removes a dashboard from their favorites.	- `dashboardId`
`databrickssql`	`unfavoriteQuery`	A user removes a query from their favorites.	- `queryId`
`databrickssql`	`updateAlert`	A user makes updates to an alert. `ownerUserName` is populated if the alert ownership is transferred using the API.	- `alertId` - `queryId` - `ownerUserName`
`databrickssql`	`updateNotificationDestination`	A workspace admin makes an update to a notification destination.	- `notificationDestinationId`
`databrickssql`	`updateDashboardWidget`	A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include: - Change to widget size or placement - Adding or removing widget parameters	- `widgetId`
`databrickssql`	`updateDashboard`	A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include: - Change in dashboard name - Change to the SQL warehouse - Change to Run As settings	- `dashboardId`
`databrickssql`	`updateOrganizationSetting`	A workspace admin makes updates to the workspace's SQL settings.	- `has_configured_data_access` - `has_explored_sql_warehouses` - `has_granted_permissions`
`databrickssql`	`updateQuery`	A user makes an update to a query. `ownerUserName` is populated if the query ownership is transferred using the API.	- `queryId` - `ownerUserName`
`databrickssql`	`updateQueryDraft`	A user makes an update to a query draft.	- `queryId`
`databrickssql`	`updateQuerySnippet`	A user makes an update to a query snippet.	- `querySnippetId`
`databrickssql`	`updateVisualization`	A user updates a visualization from either the SQL Editor or the dashboard.	- `visualizationId`

Data monitoring events

The following dataMonitoring events are logged at the workspace level.

Service	Action	Description	Request parameters
`dataMonitoring`	`CreateMonitor`	User creates a monitor.	- `data_classification_config` - `full_table_name_arg` - `assets_dir` - `schedule` - `output_schema_name` - `notifications` - `inference_log`
`dataMonitoring`	`UpdateMonitor`	User makes an update to a monitor.	- `data_classification_config` - `table_name` - `full_table_name_arg` - `drift_metrics_table_name` - `dashboard_id` - `custom_metrics` - `assets_dir` - `monitor_version` - `profile_metrics_table_name` - `baseline_table_name` - `status` - `output_schema_name` - `inference_log` - `slicing_exprs`
`dataMonitoring`	`DeleteMonitor`	User deletes a monitor.	- `full_table_name_arg`
`dataMonitoring`	`RunRefresh`	Monitor is refreshed, either by schedule or manually.	- `full_table_name_arg`

DBFS events

The following tables include dbfs events logged at the workspace level.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service	Action	Description	Request parameters
`dbfs`	`addBlock`	User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.	- `handle` - `data_length`
`dbfs`	`create`	User opens a stream to write a file to DBFs.	- `path` - `bufferSize` - `overwrite`
`dbfs`	`delete`	User deletes the file or directory from DBFs.	- `recursive` - `path`
`dbfs`	`mkdirs`	User creates a new DBFS directory.	- `path`
`dbfs`	`move`	User moves a file from one location to another location within DBFs.	- `dst` - `source_path` - `src` - `destination_path`
`dbfs`	`put`	User uploads a file through the use of multipart form post to DBFs.	- `path` - `overwrite`

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service	Action	Description	Request parameters
`dbfs`	`mount`	User creates a mount point at a certain DBFS location.	- `mountPoint` - `owner`
`dbfs`	`unmount`	User removes a mount point at a certain DBFS location.	- `mountPoint`

Delta pipelines events

Service	Action	Description	Request parameters
`deltaPipelines`	`changePipelineAcls`	A user changes permissions on a pipeline.	- `shardId` - `targetUserId` - `resourceId` - `aclPermissionSet`
`deltaPipelines`	`create`	A user creates a Delta Live Tables pipeline.	- `allow_duplicate_names` - `clusters` - `configuration` - `continuous` - `development` - `dry_run` - `id` - `libraries` - `name` - `storage` - `target` - `channel` - `edition` - `photon`
`deltaPipelines`	`delete`	A user deletes a Delta Live Tables pipeline.	- `pipeline_id`
`deltaPipelines`	`edit`	A user edits a Delta Live Tables pipeline.	- `allow_duplicate_names` - `clusters` - `configuration` - `continuous` - `development` - `expected_last_modified` - `id` - `libraries` - `name` - `pipeline_id` - `storage` - `target` - `channel` - `edition` - `photon`
`deltaPipelines`	`startUpdate`	A user restarts a Delta Live Tables pipeline.	- `cause` - `full_refresh` - `job_task` - `pipeline_id`
`deltaPipelines`	`stop`	A user stops a Delta Live Tables pipeline.	- `pipeline_id`

Feature store events

The following featureStore events are logged at the workspace level.

Service	Action	Description	Request parameters
`featureStore`	`addConsumer`	A consumer is added to the feature store.	- `features` - `job_run` - `notebook`
`featureStore`	`addDataSources`	A data source is added to a feature table.	- `feature_table` - `paths, tables`
`featureStore`	`addProducer`	A producer is added to a feature table.	- `feature_table` - `job_run` - `notebook`
`featureStore`	`changeFeatureTableAcl`	Permissions are changed in a feature table.	- `aclPermissionSet` - `resourceId` - `shardName` - `targetUserId`
`featureStore`	`createFeatureTable`	A feature table is created.	- `description` - `name` - `partition_keys` - `primary_keys` - `timestamp_keys`
`featureStore`	`createFeatures`	Features are created in a feature table.	- `feature_table` - `features`
`featureStore`	`deleteFeatureTable`	A feature table is deleted.	- `name`
`featureStore`	`deleteTags`	Tags are deleted from a feature table.	- `feature_table_id` - `keys`
`featureStore`	`getConsumers`	A user makes a call to get the consumers in a feature table.	- `feature_table`
`featureStore`	`getFeatureTable`	A user makes a call to get feature tables.	- `name`
`featureStore`	`getFeatureTablesById`	A user makes a call to get feature table IDs.	- `ids`
`featureStore`	`getFeatures`	A user makes a call to get features.	- `feature_table` - `max_results`
`featureStore`	`getModelServingMetadata`	A user makes a call to get Model Serving metadata.	- `feature_table_features`
`featureStore`	`getOnlineStore`	A user makes a call to get online store details.	- `cloud` - `feature_table` - `online_table` - `store_type`
`featureStore`	`getTags`	A user makes a call to get tags for a feature table.	- `feature_table_id`
`featureStore`	`publishFeatureTable`	A feature table is published.	- `cloud` - `feature_table` - `host` - `online_table` - `port` - `read_secret_prefix` - `store_type` - `write_secret_prefix`
`featureStore`	`searchFeatureTables`	A user searches for feature tables.	- `max_results` - `page_token` - `text`
`featureStore`	`setTags`	Tags are added to a feature table.	- `feature_table_id` - `tags`
`featureStore`	`updateFeatureTable`	A feature table is updated.	- `description` - `name`

Files API events

The following filesystem events are logged at the workspace level.

Service	Action	Description	Request parameters
`filesystem`	`filesGet`	User downloads file.	- `path` - `transferredSize`
`filesystem`	`filesPut`	User uploads file.	- `path` - `receivedSize`
`filesystem`	`filesDelete`	User deletes file.	- `path`
`filesystem`	`filesHead`	User gets information about file.	- `path`

Git credential events

The following gitCredentials events are logged at the workspace level.

Service	Action	Description	Request parameters
`gitCredentials`	`getGitCredential`	A user gets a git credentials.	- `id`
`gitCredentials`	`listGitCredentials`	A user lists all git credentials	none
`gitCredentials`	`deleteGitCredential`	A user deletes a git credential.	- `id`
`gitCredentials`	`updateGitCredential`	A user updates a git credential.	- `id` - `git_provider` - `git_username`
`gitCredentials`	`createGitCredential`	A user creates a git credential.	- `git_provider` - `git_username`

Global init scripts events

The following globalInitScripts events are logged at the workspace level.

Service	Action	Description	Request parameters
`globalInitScripts`	`create`	A workspace admin creates a global initialization script.	- `name` - `position` - `script-SHA256` - `enabled`
`globalInitScripts`	`update`	A workspace admin updates a global initialization script.	- `script_id` - `name` - `position` - `script-SHA256` - `enabled`
`globalInitScripts`	`delete`	A workspace admin deletes a global initialization script.	- `script_id`

IAM role events

The following iamRole event is logged at the workspace level.

Service	Action	Description	Request parameters
`iamRole`	`changeIamRoleAcl`	A workspace admin changes permissions for an IAM role.	- `targetUserId` - `shardName` - `resourceId` - `aclPermissionSet`

Ingestion events

The following ingestion event is logged at the workspace level.

Service	Action	Description	Request parameters
`ingestion`	`proxyFileUpload`	A user uploads a file to their Azure Databricks workspace.	- `x-databricks-content-length-0` - `x-databricks-total-files`

Instance pool events

The following instancePools events are logged at the workspace level.

Service	Action	Description	Request parameters
`instancePools`	`changeInstancePoolAcl`	A user changes an instance pool's permissions.	- `shardName` - `resourceId` - `targetUserId` - `aclPermissionSet`
`instancePools`	`create`	A user creates an instance pool.	- `enable_elastic_disk` - `preloaded_spark_versions` - `idle_instance_autotermination_minutes` - `instance_pool_name` - `node_type_id` - `custom_tags` - `max_capacity` - `min_idle_instances` - `aws_attributes`
`instancePools`	`delete`	A user deletes an instance pool.	- `instance_pool_id`
`instancePools`	`edit`	A user edits an instance pool.	- `instance_pool_name` - `idle_instance_autotermination_minutes` - `min_idle_instances` - `preloaded_spark_versions` - `max_capacity` - `enable_elastic_disk` - `node_type_id` - `instance_pool_id` - `aws_attributes`

Job events

The following jobs events are logged at the workspace level.

Service	Action	Description	Request parameters
`jobs`	`cancel`	A job run is cancelled.	- `run_id`
`jobs`	`cancelAllRuns`	A user cancels all runs on a job.	- `job_id`
`jobs`	`changeJobAcl`	A user updates permissions on a job.	- `shardName` - `aclPermissionSet` - `resourceId` - `targetUserId`
`jobs`	`create`	A user creates a job.	- `spark_jar_task` - `email_notifications` - `notebook_task` - `spark_submit_task` - `timeout_seconds` - `libraries` - `name` - `spark_python_task` - `job_type` - `new_cluster` - `existing_cluster_id` - `max_retries` - `schedule` - `run_as`
`jobs`	`delete`	A user deletes a job.	- `job_id`
`jobs`	`deleteRun`	A user deletes a job run.	- `run_id`
`jobs`	`getRunOutput`	A user makes an API call to get a run output.	- `run_id` - `is_from_webapp`
`jobs`	`repairRun`	A user repairs a job run.	- `run_id` - `latest_repair_id` - `rerun_tasks`
`jobs`	`reset`	A job is reset.	- `job_id` - `new_settings`
`jobs`	`resetJobAcl`	A user requests the change of a job's permissions.	- `grants` - `job_id`
`jobs`	`runCommand`	Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook.	- `jobId` - `runId` - `notebookId` - `executionTime` - `status` - `commandId` - `commandText`
`jobs`	`runFailed`	A job run fails.	- `jobClusterType` - `jobTriggerType` - `jobId` - `jobTaskType` - `runId` - `jobTerminalState` - `idInJob` - `orgId` - `runCreatorUserName`
`jobs`	`runNow`	A user triggers an on-demand job run.	- `notebook_params` - `job_id` - `jar_params` - `workflow_context`
`jobs`	`runStart`	Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include: - `dashboardId` (for a SQL dashboard task) - `filePath` (for a SQL file task) - `notebookPath` (for a notebook task) - `mainClassName` (for a Spark JAR task) - `pythonFile` (for a Spark JAR task) - `projectDirectory` (for a dbt task) - `commands` (for a dbt task) - `packageName` (for a Python wheel task) - `entryPoint` (for a Python wheel task) - `pipelineId` (for a pipeline task) - `queryIds` (for a SQL query task) - `alertId` (for a SQL alert task)	- `taskDependencies` - `multitaskParentRunId` - `orgId` - `idInJob` - `jobId` - `jobTerminalState` - `taskKey` - `jobTriggerType` - `jobTaskType` - `runId` - `runCreatorUserName`
`jobs`	`runSucceeded`	A job run is successful.	- `idInJob` - `jobId` - `jobTriggerType` - `orgId` - `runId` - `jobClusterType` - `jobTaskType` - `jobTerminalState` - `runCreatorUserName`
`jobs`	`runTriggered`	A job schedule is triggered automatically according to its schedule or trigger.	- `jobId` - `jobTriggeredType` - `runId`
`jobs`	`sendRunWebhook`	A webhook is sent either when the job begins, completes, or fails.	- `orgId` - `jobId` - `jobWebhookId` - `jobWebhookEvent` - `runId`
`jobs`	`setTaskValue`	A user sets values for a task.	- `run_id` - `key`
`jobs`	`submitRun`	A user submits a one-time run via the API.	- `shell_command_task` - `run_name` - `spark_python_task` - `existing_cluster_id` - `notebook_task` - `timeout_seconds` - `libraries` - `new_cluster` - `spark_jar_task`
`jobs`	`update`	A user edits a job's settings.	- `job_id` - `fields_to_remove` - `new_settings` - `is_from_dlt`

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level.

Service	Action	Description	Request parameters
`mlflowAcledArtifact`	`readArtifact`	A user makes call to read an artifact.	- `artifactLocation` - `experimentId` - `runId`
`mlflowAcledArtifact`	`writeArtifact`	A user makes call to write to an artifact.	- `artifactLocation` - `experimentId` - `runId`

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level.

Service	Action	Description	Request parameters
`mlflowExperiment`	`createMlflowExperiment`	A user creates an MLflow experiment.	- `experimentId` - `path` - `experimentName`
`mlflowExperiment`	`deleteMlflowExperiment`	A user deletes an MLflow experiment.	- `experimentId` - `path` - `experimentName`
`mlflowExperiment`	`moveMlflowExperiment`	A user moves an MLflow experiment.	- `newPath` - `experimentId` - `oldPath`
`mlflowExperiment`	`restoreMlflowExperiment`	A user restores an MLflow experiment.	- `experimentId` - `path` - `experimentName`
`mlflowExperiment`	`renameMlflowExperiment`	A user renames an MLflow experiment.	- `oldName` - `newName` - `experimentId` - `parentPath`

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level.

Service	Action	Description	Request parameters
`modelRegistry`	`approveTransitionRequest`	A user approves a model version stage transition request.	- `name` - `version` - `stage` - `archive_existing_versions`
`modelRegistry`	`changeRegisteredModelAcl`	A user updates permissions for a registered model.	- `registeredModelId` - `userId`
`modelRegistry`	`createComment`	A user posts a comment on a model version.	- `name` - `version`
`modelRegistry`	`createModelVersion`	A user creates a model version.	- `name` - `source` - `run_id` - `tags` - `run_link`
`modelRegistry`	`createRegisteredModel`	A user creates a new registered model	- `name` - `tags`
`modelRegistry`	`createRegistryWebhook`	User creates a webhook for Model Registry events.	- `orgId` - `registeredModelId` - `events` - `description` - `status` - `creatorId` - `httpUrlSpec`
`modelRegistry`	`createTransitionRequest`	A user creates a model version stage transition request.	- `name` - `version` - `stage`
`modelRegistry`	`deleteComment`	A user deletes a comment on a model version.	- `id`
`modelRegistry`	`deleteModelVersion`	A user deletes a model version.	- `name` - `version`
`modelRegistry`	`deleteModelVersionTag`	A user deletes a model version tag.	- `name` - `version` - `key`
`modelRegistry`	`deleteRegisteredModel`	A user deletes a registered model	- `name`
`modelRegistry`	`deleteRegisteredModelTag`	A user deletes the tag for a registered model.	- `name` - `key`
`modelRegistry`	`deleteRegistryWebhook`	User deletes a Model Registry webhook.	- `orgId` - `webhookId`
`modelRegistry`	`deleteTransitionRequest`	A user cancels a model version stage transition request.	- `name` - `version` - `stage` - `creator`
`modelRegistry`	`finishCreateModelVersionAsync`	Completed asynchronous model copying.	- `name` - `version`
`modelRegistry`	`generateBatchInferenceNotebook`	Batch inference notebook is autogenerated.	- `userId` - `orgId` - `modelName` - `inputTableOpt` - `outputTablePathOpt` - `stageOrVersion` - `modelVersionEntityOpt` - `notebookPath`
`modelRegistry`	`generateDltInferenceNotebook`	Inference notebook for a Delta Live Tables pipeline is autogenerated.	- `userId` - `orgId` - `modelName` - `inputTable` - `outputTable` - `stageOrVersion` - `notebookPath`
`modelRegistry`	`getModelVersionDownloadUri`	A user gets a URI to download the model version.	- `name` - `version`
`modelRegistry`	`getModelVersionSignedDownloadUri`	A user gets a URI to download a signed model version.	- `name` - `version` - `path`
`modelRegistry`	`listModelArtifacts`	A user makes a call to list a model's artifacts.	- `name` - `version` - `path` - `page_token`
`modelRegistry`	`listRegistryWebhooks`	A user makes a call to list all registry webhooks in the model.	- `orgId` - `registeredModelId`
`modelRegistry`	`rejectTransitionRequest`	A user rejects a model version stage transition request.	- `name` - `version` - `stage`
`modelRegistry`	`renameRegisteredModel`	A user renames a registered model	- `name` - `new_name`
`modelRegistry`	`setEmailSubscriptionStatus`	A user updates the email subscription status for a registered model
`modelRegistry`	`setModelVersionTag`	A user sets a model version tag.	- `name` - `version` - `key` - `value`
`modelRegistry`	`setRegisteredModelTag`	A user sets a model version tag.	- `name` - `key` - `value`
`modelRegistry`	`setUserLevelEmailSubscriptionStatus`	A user updates their email notifications status for the whole registry.	- `orgId` - `userId` - `subscriptionStatus`
`modelRegistry`	`testRegistryWebhook`	A user tests the Model Registry webhook.	- `orgId` - `webhookId`
`modelRegistry`	`transitionModelVersionStage`	A user gets a list of all open stage transition requests for the model version.	- `name` - `version` - `stage` - `archive_existing_versions`
`modelRegistry`	`triggerRegistryWebhook`	A Model Registry webhook is triggered by an event.	- `orgId` - `registeredModelId` - `events` - `status`
`modelRegistry`	`updateComment`	A user post an edit to a comment on a model version.	- `id`
`modelRegistry`	`updateRegistryWebhook`	A user updates a Model Registry webhook.	- `orgId` - `webhookId`

Notebook events

The following notebook events are logged at the workspace level.

Service	Action	Description	Request parameters
`notebook`	`attachNotebook`	A notebook is attached to a cluster.	- `path` - `clusterId` - `notebookId`
`notebook`	`cloneNotebook`	A user clones a notebook.	- `notebookId` - `path` - `clonedNotebookId` - `destinationPath`
`notebook`	`createNotebook`	A notebook is created.	- `notebookId` - `path`
`notebook`	`deleteFolder`	A notebook folder is deleted.	- `path`
`notebook`	`deleteNotebook`	A notebook is deleted.	- `notebookId` - `notebookName` - `path`
`notebook`	`detachNotebook`	A notebook is detached from a cluster.	- `notebookId` - `clusterId` - `path`
`notebook`	`downloadLargeResults`	A user downloads query results too large to display in the notebook.	- `notebookId` - `notebookFullPath`
`notebook`	`downloadPreviewResults`	A user downloads the query results.	- `notebookId` - `notebookFullPath`
`notebook`	`importNotebook`	A user imports a notebook.	- `path`
`notebook`	`moveFolder`	A notebook folder is moved from one location to another.	- `oldPath` - `newPath` - `folderId`
`notebook`	`moveNotebook`	A notebook is moved from one location to another.	- `newPath` - `oldPath` - `notebookId`
`notebook`	`renameNotebook`	A notebook is renamed.	- `newName` - `oldName` - `parentPath` - `notebookId`
`notebook`	`restoreFolder`	A deleted folder is restored.	- `path`
`notebook`	`restoreNotebook`	A deleted notebook is restored.	- `path` - `notebookId` - `notebookName`
`notebook`	`runCommand`	Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook. A command corresponds to a cell in a notebook. `executionTime` is measured in seconds.	- `notebookId` - `executionTime` - `status` - `commandId` - `commandText` - `commandLanguage`
`notebook`	`takeNotebookSnapshot`	Notebook snapshots are taken when either the job service or mlflow is run.	- `path`

Remote history service events

The following remoteHistoryService events are logged at the workspace level.

Service	Action	Description	Request parameters
`remoteHistoryService`	`addUserGitHubCredentials`	User adds Github Credentials	none
`remoteHistoryService`	`deleteUserGitHubCredentials`	User removes Github Credentials	none
`remoteHistoryService`	`updateUserGitHubCredentials`	User updates Github Credentials	none

Git folder events

The following repos events are logged at the workspace level.

Service	Action name	Description	Request parameters
`repos`	`checkoutBranch`	A user checks out a branch on the repo.	- `id` - `branch`
`repos`	`commitAndPush`	A user commits and pushes to a repo.	- `id` - `message` - `files` - `checkSensitiveToken`
`repos`	`createRepo`	A user creates a repo in the workspace	- `url` - `provider` - `path`
`repos`	`deleteRepo`	A user deletes a repo.	- `id`
`repos`	`discard`	A user discards a commit to a repo.	- `id` - `file_paths`
`repos`	`getRepo`	A user makes a call to get information about a single repo.	- `id`
`repos`	`listRepos`	A user makes a call to get all repos they have Manage permissions on.	- `path_prefix` - `next_page_token`
`repos`	`pull`	A user pulls the latest commits from a repo.	- `id`
`repos`	`updateRepo`	A user updates the repo to a different branch or tag, or to the latest commit on the same branch.	- `id` - `branch` - `tag` - `git_url` - `git_provider`

Secrets events

The following secrets events are logged at the workspace level.

Service	Action name	Description	Request parameters
`secrets`	`createScope`	User creates a secret scope.	- `scope` - `initial_manage_principal` - `scope_backend_type`
`secrets`	`deleteAcl`	User deletes ACLs for a secret scope.	- `scope` - `principal`
`secrets`	`deleteScope`	User deletes a secret scope.	- `scope`
`secrets`	`deleteSecret`	User deletes a secret from a scope.	- `key` - `scope`
`secrets`	`getAcl`	User gets ACLs for a secret scope.	- `scope` - `principal`
`secrets`	`getSecret`	User gets a secret from a scope.	- `key` - `scope`
`secrets`	`listAcls`	User makes a call to list ACLs for a secret scope.	- `scope`
`secrets`	`listScopes`	User makes a call to list secret scopes	none
`secrets`	`listSecrets`	User makes a call to list secrets within a scope.	- `scope`
`secrets`	`putAcl`	User changes ACLs for a secret scope.	- `scope` - `principal` - `permission`
`secrets`	`putSecret`	User adds or edits a secret within a scope.	- `string_value` - `key` - `scope`

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service	Action name	Description	Request parameters
`sqlPermissions`	`changeSecurableOwner`	Workspace admin or owner of an object transfers object ownership.	- `securable` - `principal`
`sqlPermissions`	`createSecurable`	User creates a securable object.	- `securable`
`sqlPermissions`	`denyPermission`	Object owner denies privileges on a securable object.	- `permission`
`sqlPermissions`	`grantPermission`	Object owner grants permission on a securable object.	- `permission`
`sqlPermissions`	`removeAllPermissions`	User drops a securable object.	- `securable`
`sqlPermissions`	`renameSecurable`	User renames a securable object.	- `before` - `after`
`sqlPermissions`	`requestPermissions`	User requests permissions on a securable object.	- `requests`
`sqlPermissions`	`revokePermission`	Object owner revokes permissions on their securable object.	- `permission`
`sqlPermissions`	`showPermissions`	User views securable object permissions.	- `securable` - `principal`

SSH events

The following ssh events are logged at the workspace level.

Service	Action name	Description	Request parameters
`ssh`	`login`	Agent login of SSH into Spark driver.	- `containerId` - `userName` - `port` - `publicKey` - `instanceId`
`ssh`	`logout`	Agent logout of SSH from Spark driver.	- `userName` - `containerId` - `instanceId`

Web terminal events

The following webTerminal events are logged at the workspace level.

Service	Action name	Description	Request parameters
`webTerminal`	`startSession`	User starts a web terminal sessions.	- `socketGUID` - `clusterId` - `serverPort` - `ProxyTargetURI`
`webTerminal`	`closeSession`	User closes a web terminal session.	- `socketGUID` - `clusterId` - `serverPort` - `ProxyTargetURI`

Workspace events

The following workspace events are logged at the workspace level.

Service	Action name	Description	Request parameters
`workspace`	`changeWorkspaceAcl`	Permissions to the workspace are changed.	- `shardName` - `targetUserId` - `aclPermissionSet` - `resourceId`
`workspace`	`deleteSetting`	A setting is deleted from the workspace.	- `settingKeyTypeName` - `settingKeyName` - `settingTypeName` - `settingName`
`workspace`	`fileCreate`	User creates a file in the workspace.	- `path`
`workspace`	`fileDelete`	User deletes a file in the workspace.	- `path`
`workspace`	`fileEditorOpenEvent`	User opens the file editor.	- `notebookId` - `path`
`workspace`	`getRoleAssignment`	User gets a workspace's user roles.	- `account_id` - `workspace_id`
`workspace`	`mintOAuthAuthorizationCode`	Recorded when in-house OAuth authorization code is minted at the workspace level.	- `client_id`
`workspace`	`mintOAuthToken`	OAuth token is minted for workspace.	- `grant_type` - `scope` - `expires_in` - `client_id`
`workspace`	`moveWorkspaceNode`	A workspace admin moves workspace node.	- `destinationPath` - `path`
`workspace`	`purgeWorkspaceNodes`	A workspace admin purges workspace nodes.	- `treestoreId`
`workspace`	`reattachHomeFolder`	An existing home folder is re-attached for a user that is re-added to the workspace.	- `path`
`workspace`	`renameWorkspaceNode`	A workspace admin renames workspace nodes.	- `path` - `destinationPath`
`workspace`	`unmarkHomeFolder`	Home folder special attributes are removed when a user is removed from the workspace.	- `path`
`workspace`	`updateRoleAssignment`	A workspace admin updates a workspace user's role.	- `account_id` - `workspace_id` - `principal_id`
`workspace`	`updatePermissionAssignment`	A workspace admin adds a principal to the workspace.	- `principal_id` - `permissions`
`workspace`	`setSetting`	A workspace admin configures a workspace setting.	- `settingKeyTypeName` - `settingKeyName` - `settingTypeName` - `settingName` - `settingValueForAudit`
`workspace`	`workspaceConfEdit`	Workspace admin makes updates to a setting, for example enabling verbose audit logs.	- `workspaceConfKeys` - `workspaceConfValues`
`workspace`	`workspaceExport`	User exports a notebook from a workspace.	- `workspaceExportDirectDownload` - `workspaceExportFormat` - `notebookFullPath`
`workspace`	`workspaceInHouseOAuthClientAuthentication`	OAuth client is authenticated in workspace service.	- `user`

Delta Sharing provider events

The following audit log events are logged in the provider's account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

Service	Action	Description	Request parameters
`unityCatalog`	`deltaSharingListShares`	A data recipient requests a list of shares.	- `options`: The pagination options provided with this request. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingGetShare`	A data recipient requests details about a shares.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListSchemas`	A data recipient requests a list of shared schemas.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `options`: The pagination options provided with this request. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListAllTables`	A data recipient requests a list of all shared tables.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListTables`	A data recipient requests a list of shared tables.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `options`: The pagination options provided with this request. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingGetTableMetadata`	A data recipient requests a details about a table's metadata.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `schema`: The name of the schema. - `name`: The name of the table. - `predicateHints`: The predicates included in the query. - `limitHints`: The maximum number of rows to return. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingGetTableVersion`	A data recipient requests a details about a table version.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `schema`: The name of the schema. - `name`: The name of the table. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueryTable`	Logged when a data recipient queries a shared table.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `schema`: The name of the schema. - `name`: The name of the table. - `predicateHints`: The predicates included in the query. - `limitHints`: The maximum number of rows to return. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueryTableChanges`	Logged when a data recipient queries change data for a table.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `schema`: The name of the schema. - `name`: The name of the table. - `cdf_options`: Change data feed options. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueriedTable`	Logged after a data recipient gets a response to their query. The `response.result` field includes more information on the recipient's query (see Audit and monitor data sharing )	- `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueriedTableChanges`	Logged after a data recipient gets a response to their query. The `response.result` field includes more information on the recipient's query.	* `recipient_name`: Indicates the recipient executing the action. * `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListNotebookFiles`	A data recipient requests a list of shared notebook files.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingQueryNotebookFile`	A data recipient queries a shared notebook file.	- `file_name`: The name of the notebook file. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListFunctions`	A data recipient requests a list of functions in a parent schema.	- `share`: The name of the share. - `schema`: The name of the parent schema of the function. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListAllFunctions`	A data recipient requests a list of all shared functions.	- `share`: The name of the share. - `schema`: The name of the parent schema of the function. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListFunctionVersions`	A data recipient requests a list of function versions.	- `share`: The name of the share. - `schema`: The name of the parent schema of the function. - `function`: The name of the function. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListVolumes`	A data recipient requests a list of shared volumes in a schema.	- `share`: The name of the share. - `schema`: The parents schema of the volumes. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`deltaSharingListAllVolumes`	A data recipient requests all shared volumes.	- `share`: The name of the share. - `recipient_name`: Indicates the recipient executing the action. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`updateMetastore`	Provider updates their metastore.	- `delta_sharing_scope`: Values can be `INTERNAL` or `INTERNAL_AND_EXTERNAL`. - `delta_sharing_recipient_token_lifetime_in_seconds`: If present, indicates that the recipient token lifetime was updated.
`unityCatalog`	`createRecipient`	Provider creates a data recipient.	- `name`: The name of the recipient. - `comment`: The comment for the recipient. - `ip_access_list.allowed_ip_addresses:` Recipient IP address allowlist.
`unityCatalog`	`deleteRecipient`	Provider deletes a data recipient.	- `name`: The name of the recipient.
`unityCatalog`	`getRecipient`	Provider requests details about a data recipient.	- `name`: The name of the recipient.
`unityCatalog`	`listRecipients`	Provider requests a list of all their data recipients.	none
`unityCatalog`	`rotateRecipientToken`	Provider rotates a recipient's token.	- `name`: The name of the recipient. - `comment`: The comment given in the rotation command.
`unityCatalog`	`updateRecipient`	Provider updates a data recipient's attributes.	- `name`: The name of the recipient. - `updates`: A JSON representation of recipient attributes that were added or removed from the share.
`unityCatalog`	`createShare`	Provider updates a data recipient's attributes.	- `name`: The name of the share. - `comment`: The comment for the share.
`unityCatalog`	`deleteShare`	Provider updates a data recipient's attributes.	- `name`: The name of the share.
`unityCatalog`	`getShare`	Provider requests details about a share.	- `name`: The name of the share. - `include_shared_objects`: Whether the share's table names were included in the request.
`unityCatalog`	`updateShare`	Provider adds or removes data assets from a share.	- `name`: The name of the share. - `updates`: A JSON representation of data assets that were added or removed from the share. Each item includes `action` (add or remove), `name` (the actual name of the table), `shared_as` (the name the asset was shared as, if different from the actual name), and `partition_specification` (if a partition specification was provided).
`unityCatalog`	`listShares`	Provider requests a list of their shares.	none
`unityCatalog`	`getSharePermissions`	Provider requests details on a share's permissions.	- `name`: The name of the share.
`unityCatalog`	`updateSharePermissions`	Provider updates a share's permissions.	- `name`: The name of the share. - `changes`: A JSON representation of the updated permissions. Each change includes `principal` (the user or group to whom permission is granted or revoked), `add` (the list of permissions that were granted), and `remove` (the list of permissions that were revoked).
`unityCatalog`	`getRecipientSharePermissions`	Provider requests details about a recipient's share permissions.	- `name`: The name of the share.
`unityCatalog`	`getActivationUrlInfo`	Provider requests details about activity on their activation link.	- `recipient_name`: The name of the recipient who opened the activation URL. - `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, `true` if the request was denied and `false` if the request was not denied. `sourceIPaddress` is the recipient IP address.
`unityCatalog`	`generateTemporaryVolumeCredential`	Temporary credential is generated for the recipient to access a shared volume.	- `share_name`: The name of the share through which the recipient requests. - `share_id`: The ID of the share. - `share_owner`: The owner of the share. - `recipient_name`: The name of the recipient who requests the credential. - `recipient_id`: The ID of the recipient. - `volume_full_name`: The full 3-level name of the volume. - `volume_id`: The ID of the volume. - `volume_storage_location`: The cloud path of the volume root. - `operation`: Either `READ_VOLUME` or `WRITE_VOLUME`. For volume sharing, only `READ_VOLUME` is supported. - `credential_id`: The ID of the credential. - `credential_type`: The type of the credential. Value is always `StorageCredential`. - `workspace_id`: Value is always `0` when the request is for shared volumes.
`unityCatalog`	`generateTemporaryTableCredential`	Temporary credential is generated for the recipient to access a shared table.	- `share_name`: The name of the share through which the recipient requests. - `share_id`: The ID of the share. - `share_owner`: The owner of the share. - `recipient_name`: The name of the recipient who requests the credential. - `recipient_id`: The ID of the recipient. - `table_full_name`: The full 3-level name of the table. - `table_id`: The ID of the table. - `table_url`: The cloud path of the table root. - `operation`: Either `READ` or `READ_WRITE`. - `credential_id`: The ID of the credential. - `credential_type`: The type of the credential. Value is always `StorageCredential`. - `workspace_id`: Value is always `0` when the request is for shared tables.

Delta Sharing recipient events

The following events are logged in the data recipient's account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

recipient_name: The name of the recipient in the data provider's system.
metastore_id: The name of the metastore in the data provider's system.
sourceIPAddress: The IP address where the request originated.

Service	Action	Description	Request parameters
`unityCatalog`	`deltaSharingProxyGetTableVersion`	A data recipient requests a details on a shared table version.	- `share`: The name of the share. - `schema`: The name of the table's parent schema. - `name`: The name of the table.
`unityCatalog`	`deltaSharingProxyGetTableMetadata`	A data recipient requests a details on a shared table's metadata.	- `share`: The name of the share. - `schema`: The name of the table's parent schema. - `name`: The name of the table.
`unityCatalog`	`deltaSharingProxyQueryTable`	A data recipient queries a shared table.	- `share`: The name of the share. - `schema`: The name of the table's parent schema. - `name`: The name of the table. - `limitHints`: The maximum number of rows to return. - `predicateHints`: The predicates included in the query. - `version`: Table version, if change data feed is enabled.
`unityCatalog`	`deltaSharingProxyQueryTableChanges`	A data recipient queries change data for a table.	- `share`: The name of the share. - `schema`: The name of the table's parent schema. - `name`: The name of the table. - `cdf_options`: Change data feed options.
`unityCatalog`	`createProvider`	A data recipient creates a provider object.	- `name`: The name of the provider. - `comment`: The comment for the provider.
`unityCatalog`	`updateProvider`	A data recipient updates a provider object.	- `name`: The name of the provider. - `updates`: A JSON representation of provider attributes that were added or removed from the share. Each item includes `action` (add or remove) and can include `name` (the new provider name), `owner` (new owner), and `comment`.
`unityCatalog`	`deleteProvider`	A data recipient deletes a provider object.	- `name`: The name of the provider.
`unityCatalog`	`getProvider`	A data recipient requests details about a provider object.	- `name`: The name of the provider.
`unityCatalog`	`listProviders`	A data recipient requests a list of providers.	none
`unityCatalog`	`activateProvider`	A data recipient activates a provider object.	- `name`: The name of the provider.
`unityCatalog`	`listProviderShares`	A data recipient requests a list of a provider's shares.	- `name`: The name of the provider.
`unityCatalog`	`generateTemporaryVolumeCredential`	Temporary credential is generated for the recipient to access a shared volume.	- `share_name`: The name of the share through which the recipient requests. - `volume_full_name`: The full 3-level name of the volume. - `volume_id`: The ID of the volume. - `operation`: Either `READ_VOLUME` or `WRITE_VOLUME`. For volume sharing, only `READ_VOLUME` is supported. - `workspace_id`: The ID of the workspace that receives the user request.
`unityCatalog`	`generateTemporaryTableCredential`	Temporary credential is generated for the recipient to access a shared table.	- `share_name`: The name of the share through which the recipient requests. - `table_full_name`: The full 3-level name of the table. - `table_id`: The ID of the table. - `operation`: Either `READ` or `READ_WRITE`. - `workspace_id`: The ID of the workspace that receives the user request.

Deprecated log events

Databricks has deprecated the following databrickssql diagnostic events:

createAlertDestination (now createNotificationDestination)
deleteAlertDestination (now deleteNotificationDestination)
updateAlertDestination (now updateNotificationDestination)
muteAlert
unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

changeEndpointAcls
createEndpoint
editEndpoint
startEndpoint
stopEndpoint
deleteEndpoint
setEndpointConfig

Diagnostic log reference

Diagnostic log services

Workspace-level services

Account-level services

Diagnostic log example schema

Diagnostic log schema considerations

Account events

Clusters events

Cluster libraries events

Dashboards events

Databricks SQL events

Data monitoring events

DBFS events

DBFS API events

DBFS operational events

Delta pipelines events

Feature store events

Files API events

Git credential events

Global init scripts events

IAM role events

Ingestion events

Instance pool events

Job events

MLflow artifacts with ACL events

MLflow experiment events

MLflow model registry events

Notebook events

Remote history service events

Git folder events

Secrets events

SQL table access events

SSH events

Web terminal events

Workspace events

Delta Sharing provider events

Delta Sharing recipient events

Deprecated log events

SQL endpoint logs

Additional resources