Diagnostic log reference

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of audit log services and events. The availability of these services depends on how you access the logs:

Azure Monitor's diagnostic settings service does not log all of these services. Services that are unavailable on Azure's diagnostic settings are labeled accordingly.
The workspace-level and account-level designations only apply to the audit logs system table. Azure diagnostic logs do not include account-level events.

Note

Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.

Workspace-level events

The following services log audit events at the workspace level.

Authentication events

These events are related to user authentication.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`accountInHouseOAuthClientAuthentication`	An OAuth client is authenticated using an in-house OAuth token.	`user` `authenticationMethod`
`accountLoginCodeAuthentication`	A user's account login code is authenticated.	`user`
`aadBrowserLogin`	A user logs in to Databricks using a Microsoft Entra ID browser workflow.	`user`
`aadTokenLogin`	A user logs in to Databricks through the Microsoft Entra ID token.	`user`
`jwtLogin`	User logs into Databricks using a JWT.	`user` `authenticationMethod`
`login`	User logs into the workspace.	`user` `authenticationMethod`
`logout`	User logs out of the workspace.	`user`
`mfaAddKey`	User registers a new security key.
`mfaDeleteKey`	User deletes a security key.	`id`
`mfaLogin`	User logs into Databricks using MFA.	`user` `authenticationMethod`
`mintOAuthAuthorizationCode`	An in-house OAuth authorization code is minted.	`client_id`
`mintOAuthToken`	An in-house OAuth token is minted.	`grant_type` `scope` `expires_in` `client_id`
`multiFactorAuthenticationLogin`	A user logs in to Databricks using multi-factor authentication.	`user` `authenticationMethod`
`oidcBrowserLogin`	A user logs in to Databricks using an OpenID Connect browser workflow.	`user` `authenticationMethod`
`oidcTokenAuthorization`	When an API call is authorized through a generic OIDC/OAuth token.	`user` `authenticationMethod`
`samlLogin`	User logs in to Databricks through SAML SSO.	`user` `authenticationMethod`
`tokenLogin`	A user logs into Databricks using a token.	`tokenId` `user` `authenticationMethod`
`workspaceLoginCodeAuthentication`	A user's workspace-scoped login code is authenticated.	`user` `authenticationMethod`

User and group management events

These events are related to user and group management.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`activateUser`	A user is reactivated after being deactivated. See Deactivate users in workspace.	`targetUserName` `endpoint` `targetUserId`
`add`	A user is added to an Azure Databricks workspace.	`targetUserName` `endpoint` `targetUserId`
`addPrincipalToGroup`	A user is added to a workspace-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`addPrincipalsToGroup`	Multiple users are added to a workspace-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`changeDatabricksSqlAcl`	A user's Databricks SQL permissions are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`changeDatabricksWorkspaceAcl`	Permissions to a workspace are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`changeDatabricksWorkspaceDirectoryAcl`	Permissions to a workspace directory are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`changePassword`	A user's password is changed.	`newPasswordSource` `targetUserId` `serviceSource` `wasPasswordChanged` `userId`
`changePasswordAcl`	Password changing permissions are changed in the account.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`changeServicePrincipalAcls`	When a service principal's permissions are changed.	`shardName` `targetServicePrincipal` `resourceId` `aclPermissionSet`
`createGroup`	A workspace-level group is created.	`endpoint` `targetUserId` `targetUserName`
`deactivateUser`	A user is deactivated in the workspace. See Deactivate users in workspace.	`targetUserName` `endpoint` `targetUserId`
`delete`	A user is deleted from the Azure Databricks workspace.	`targetUserId` `targetUserName` `endpoint`
`deleteUser`	A user's personally identifiable information is purged after they have not belonged to any running workspaces for at least 7 days.
`disableClusterAcls`	Cluster access control is disabled for the workspace.	`shardName` `endpoint`
`disableTableAcls`	Table access control is disabled for the workspace.	`shardName` `endpoint`
`disableWorkspaceAcls`	Workspace access control is disabled for the workspace.	`shardName` `endpoint`
`enableClusterAcls`	Cluster access control is enabled for the workspace.	`shardName` `endpoint`
`enableTableAcls`	Table access control is enabled for the workspace.	`shardName` `endpoint`
`enableWorkspaceAcls`	Workspace access control is enabled for the workspace.	`shardName` `endpoint`
`removeAdmin`	A user is revoked of workspace admin permissions.	`targetUserName` `endpoint` `targetUserId`
`removeGroup`	A group is removed from the workspace.	`targetGroupId` `targetGroupName` `endpoint`
`removePrincipalFromGroup`	A user is removed from a group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`removePrincipalsFromGroup`	Multiple users are removed from a workspace-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`resetPassword`	A user's password is reset.	`serviceSource` `userId` `endpoint` `targetUserId` `targetUserName` `wasPasswordChanged` `newPasswordSource`
`setAdmin`	A user is granted account admin permissions.	`endpoint` `targetUserName` `targetUserId`
`updateGroup`	A group's properties are updated.	`endpoint` `targetGroupId` `targetGroupName`
`updateUser`	A change is made to a user's account.	`endpoint` `targetUserName` `targetUserId` `targetUserExternalId`
`usernameDomainDenied`	A user sign-up attempt is denied because the email domain is not allowed.	`targetUserName`
`validateEmail`	When a user validates their email after account creation.	`endpoint` `targetUserName` `targetUserId`

Token management events

These events are related to token management.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`autoScopeDbToken`	A batch operation reduces token scopes as part of automated scope enforcement.	`token_infos.scope` `token_infos.token_hash` `token_partition_id.workspaceId` `token_partition_id.accountId` `run_mode`
`changeDbTokenAcl`	Permissions on an access token are changed.	`shardName` `targetUserId` `resourceId` `aclPermissionSet`
`changeDbTokenState`	A Databricks access token is disabled.	`tokenHash` `tokenState` `userId`
`garbageCollectDbToken`	A user runs a garbage collect command on expired tokens.	`tokenExpirationTime` `tokenClientId` `userId` `tokenCreationTime` `tokenFirstAccessed` `tokenHash`
`generateDbToken`	When someone generates a token from User Settings or when the service generates the token.	`tokenExpirationTime` `tokenCreatedBy` `tokenHash` `userId`
`reachMaxQuotaDbToken`	When the current number of non-expired tokens exceeds the token quota.
`revokeDbToken`	A user's token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account.	`userId` `tokenHash`
`revokeOutOfQuotaDbToken`	A Databricks access token is revoked because the token quota was exceeded.
`updateDbToken`	A Databricks access token is updated.	`token.scopes` `token_id`
`updateOnBehalfOfToken`	An on-behalf-of token is updated.	`token.created_by_id` `token.owner_id` `token.scopes` `token.token_id`

IP access list events

These events are related to IP access lists.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`createIpAccessList`	An IP access list is added to the workspace.	`ipAccessListId` `userId`
`deleteIpAccessList`	An IP access list is deleted from the workspace.	`ipAccessListId` `userId`
`IpAccessDenied`	A user attempts to connect to the service through a denied IP.	`path` `user` `userId`
`ipAccessListQuotaExceeded`		`userId`
`updateIpAccessList`	An IP access list is changed.	`ipAccessListId` `userId`

IAM role events

The following event is logged at the workspace level.

These events are logged under the service_name of iamRole.

action_name	Description	request_params
`changeIamRoleAcl`	A workspace admin changes permissions for an IAM role.	`targetUserId` `shardName` `resourceId` `aclPermissionSet`

AI/BI dashboard events

These events are logged at the workspace level. This service includes events related to AI/BI dashboards.

These events are logged under the service_name of dashboards.

action_name	Description	request_params
`getDashboard`	A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard.	`dashboard_id`
`getPublishedDashboard`	A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email.	`dashboard_id` `credentials_embedded`
`executeQuery`	A user executes a query from a dashboard.	`dashboard_id` `statement_id` `details`
`cancelQuery`	A user cancels a query from a dashboard.	`dashboard_id` `statement_id`
`getQueryResult`	A user receives the results of a query from a dashboard.	`dashboard_id` `statement_id`
`triggerDashboardSnapshot`	A user downloads a PDF snapshot of a dashboard.	`dashboard_id` `name`
`sendDashboardSnapshot`	A PDF snapshot of a dashboard is sent through a scheduled email or notification destination. The request parameters values depend on the type of recipient. For a Databricks notification destination, only the `destination_id` is shown. For a Databricks user, the subscriber's user ID and email address are shown. If the recipient is an email address, only the email address is shown.	`dashboard_id` `subscriber_destination_id` `subscriber_user_details.user_id` `subscriber_user_details.email_address`
`getDashboardDetails`	A user accesses details of a draft dashboard, such as datasets and widgets. `getDashboardDetails` is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API.	`dashboard_id`
`createDashboard`	A user creates a new AI/BI dashboard using the UI or API.	`dashboard_id`
`updateDashboard`	A user makes an update to an AI/BI dashboard using the UI or API.	`dashboard_id`
`cloneDashboard`	A user clones an AI/BI dashboard.	`source_dashboard_id` `new_dashboard_id`
`publishDashboard`	A user publishes an AI/BI dashboard with shared or individual data permissions using the UI or API.	`dashboard_id` `credentials_embedded` `warehouse_id`
`unpublishDashboard`	A user unpublishes a published AI/BI dashboard using the UI or API.	`dashboard_id`
`trashDashboard`	A user moves a dashboard to the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events.	`dashboard_id`
`restoreDashboard`	A user restores an AI/BI dashboard from the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events.	`dashboard_id`
`migrateDashboard`	A user migrates a DBSQL dashboard to an AI/BI dashboard.	`source_dashboard_id` `new_dashboard_id` `update_parameter_syntax`
`createSchedule`	A user creates an email subscription schedule.	`dashboard_id` `schedule_id` `schedule`
`updateSchedule`	A user makes an update to an AI/BI dashboard's schedule.	`dashboard_id` `schedule_id`
`deleteSchedule`	A user deletes an AI/BI dashboard's schedule.	`dashboard_id` `schedule_id`
`createSubscription`	A user subscribes an email destination to an AI/BI dashboard schedule.	`dashboard_id` `schedule_id` `schedule`
`deleteSubscription`	A user deletes an email destination from an AI/BI dashboard schedule.	`dashboard_id` `schedule_id`

Alerts events

Important

This feature is in Beta. Workspace admins can control access to this feature from the Previews page. See Manage Azure Databricks previews.

These events are logged at the workspace level. This service includes events related to alerts.

Note

This service does not record legacy alert events. Legacy alert events are logged under the databrickssql service.

These events are logged under the service_name of alerts.

action_name	Description	request_params
`apiCreateAlert`	A user creates an alert using the Alerts V2 API.	`alert.id`
`apiGetAlert`	A user gets an alert using the Alerts V2 API.	`alert_id`
`apiTrashAlert`	A user deletes an alert using the Alerts V2 API.	`alert_id`
`apiUpdateAlert`	A user updates an alert using the Alerts V2 API.	`alert.id`
`cloneAlert`	A user clones an existing alert.	`alert_id`
`createAlert`	A user creates a new alert.	`alert_id`
`getAlert`	A user gets information about an alert using the UI.	`alert_id`
`previewAlertEvaluate`	The Test condition feature returns the results of the alert test.	`execution_session_id`
`previewAlertExecute`	A user uses the Test condition feature to preview and test their alert.	`warehouse_id`
`runNowAlert`	A user clicks the Run now button to run the alert query immediately.	`alert_id`
`updateAlert`	A user updates the details of an alert.	`alert.id`

Clusters events

These events are logged at the workspace level. This service includes events related to classic clusters.

These events are logged under the service_name of clusters.

action_name	Description	request_params
`changeClusterAcl`	A user changes the cluster ACL.	`shardName` `aclPermissionSet` `targetUserId` `resourceId`
`changeOwner`	A user changes the owner of a cluster.	`cluster_id` `owner_username`
`create`	A user creates a cluster.	`access_mode` `acl_path_prefix` `apply_policy_default_values` `assigned_principal` `autoscale` `autotermination_minutes` `azure_attributes` `budget_policy_id` `clone_from` `cluster_creator` `cluster_log_conf` `cluster_name` `cluster_source` `cpu_architecture` `custom_tags` `data_security_mode` `disk_spec` `docker_image` `driver_instance_pool_id` `driver_instance_source` `driver_node_type_id` `effective_spark_version` `enable_elastic_disk` `enable_jobs_autostart` `enable_local_disk_encryption` `enable_serverless_compute` `idempotency_token` `init_scripts` `instance_pool_id` `instance_source` `is_single_node` `kind` `nephos_virtual_driver_size` `nephos_virtual_worker_size` `no_driver_daemon` `node_type_id` `num_workers` `organization_id` `performance_target` `platform_channel` `policy_id` `runtime_engine` `single_user_name` `spark_conf` `spark_env_vars` `spark_image_key` `spark_version` `ssh_public_keys` `start_cluster` `use_ml_runtime` `user_id` `validate_cluster_name_uniqueness` `virtual_cluster_size` `workload_type`
`createResult`	Results from cluster creation. In conjunction with `create`.	`clusterName` `clusterState` `clusterId` `clusterTerminationReasonCode` `clusterWorkers` `clusterOwnerUserId`
`delete`	A cluster is terminated.	`cluster_id` `termination_reason`
`deleteResult`	Results from cluster termination. In conjunction with `delete`.	`clusterName` `clusterState` `clusterId` `clusterTerminationReasonCode` `clusterWorkers` `clusterOwnerUserId`
`edit`	A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior.	`acl_path_prefix` `apply_policy_default_values` `assigned_principal` `autoscale` `autotermination_minutes` `azure_attributes` `cluster_creator` `cluster_id` `cluster_log_conf` `cluster_name` `cluster_source` `custom_tags` `data_security_mode` `docker_image` `driver_instance_pool_id` `driver_node_type_id` `effective_spark_version` `enable_elastic_disk` `enable_local_disk_encryption` `idempotency_token` `init_scripts` `instance_pool_id` `is_single_node` `kind` `no_driver_daemon` `node_type_id` `num_workers` `organization_id` `policy_id` `runtime_engine` `single_user_name` `spark_conf` `spark_env_vars` `spark_version` `ssh_public_keys` `start_cluster` `use_ml_runtime` `user_id` `validate_cluster_name_uniqueness` `virtual_cluster_size` `workload_type`
`permanentDelete`	A cluster is deleted from the UI.	`cluster_id`
`resize`	Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.	`avoid_containers` `autoscale` `cluster_id` `num_workers`
`resizeResult`	Results from cluster resize. In conjunction with `resize`.	`clusterName` `clusterState` `clusterId` `clusterWorkers` `clusterOwnerUserId`
`restart`	A user restarts a running cluster.	`cluster_id`
`restartResult`	Results from cluster restart. In conjunction with `restart`.	`clusterName` `clusterState` `clusterId` `clusterTerminationReasonCode` `clusterWorkers` `clusterOwnerUserId`
`start`	A user starts a cluster.	`cluster_id` `init_scripts_safe_mode`
`startResult`	Results from cluster start. In conjunction with `start`.	`clusterName` `clusterState` `clusterId` `clusterTerminationReasonCode` `clusterWorkers` `clusterOwnerUserId`

Cluster libraries events

These events logged at the workspace level. This service includes events related to compute-scoped libraries.

These events are logged under the service_name of clusterLibraries.

action_name	Description	request_params
`installLibraries`	User installs a library on a cluster.	`cluster_id` `libraries` `are_installed_via_policy` `replace`
`uninstallLibraries`	User uninstalls a library on a cluster.	`cluster_id` `libraries`

Instance pool events

These events are logged at the workspace level. This service includes events related to pools.

These events are logged under the service_name of instancePools.

action_name	Description	request_params
`changeInstancePoolAcl`	A user changes an instance pool's permissions.	`shardName` `resourceId` `targetUserId` `aclPermissionSet`
`create`	A user creates an instance pool.	`azure_attributes` `custom_tags` `disk_spec` `enable_elastic_disk` `idle_instance_autotermination_minutes` `instance_pool_name` `max_capacity` `min_idle_instances` `node_type_flexibility` `node_type_id` `preloaded_docker_images` `preloaded_spark_versions`
`delete`	A user deletes an instance pool.	`instance_pool_id`
`edit`	A user edits an instance pool.	`azure_attributes` `custom_tags` `disk_spec` `enable_elastic_disk` `idle_instance_autotermination_minutes` `instance_pool_id` `instance_pool_name` `max_capacity` `min_idle_instances` `node_type_flexibility` `node_type_id` `preloaded_docker_images` `preloaded_spark_versions`

Job events

These events are logged at the workspace level. This service includes events related to jobs.

These events are logged under the service_name of jobs.

action_name	Description	request_params
`cancel`	A job run is cancelled.	`run_id`
`cancelAllRuns`	A user cancels all runs on a job.	`all_queued_runs` `job_id`
`changeJobAcl`	A user updates permissions on a job.	`shardName` `aclPermissionSet` `resourceId` `targetUserId`
`create`	A user creates a job.	`budget_policy_id` `compute` `continuous` `create_as_untouched` `deployment` `description` `edit_mode` `email_notifications` `environments` `existing_cluster_id` `git_source` `health` `idempotency_token` `job_clusters` `job_type` `libraries` `max_concurrent_runs` `max_retries` `min_retry_interval_millis` `name` `new_cluster` `notebook_task` `notification_settings` `parameters` `performance_target` `queue` `retry_on_timeout` `run_as` `run_as_user_name` `schedule` `spark_jar_task` `spark_python_task` `spark_submit_task` `tags` `tasks` `timeout_seconds` `trigger` `webhook_notifications`
`delete`	A user deletes a job.	`job_id`
`deleteRun`	A user deletes a job run.	`run_id` `job_id`
`deleteTaskValues`	A user deletes task values for a job run.	`ids`
`getRunOutput`	A user makes an API call to get a run output.	`run_id` `is_from_webapp` `notebook_output_limit` `skip_additional_acl_checks`
`repairRun`	A user repairs a job run.	`run_id` `latest_repair_id` `rerun_tasks` `rerun_all_failed_tasks` `rerun_dependent_tasks` `job_parameters`
`reset`	A job is reset.	`job_id` `new_settings`
`resetJobAcl`	A user requests the change of a job's permissions.	`grants` `job_id`
`runCommand`	Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook.	`jobId` `runId` `notebookId` `executionTime` `status` `commandId` `commandText` `clusterId` `commandLanguage`
`runFailed`	A job run fails or is canceled.	`jobClusterType` `jobTriggerType` `jobId` `jobTaskType` `runId` `jobTerminalState` `idInJob` `orgId` `runCreatorUserName` `clusterId` `jobRunId` `multitaskParentRunId` `parentRunId` `repairId` `taskDependencies` `taskDependencyType` `taskKey`
`runNow`	A user triggers an on-demand job run.	`notebook_params` `job_id` `jar_params` `workflow_context` `job_parameters` `idempotency_token` `only` `performance_target` `pipeline_params` `python_params` `queue`
`runStart`	Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include: `dashboardId` (for a SQL dashboard task) `filePath` (for a SQL file task) `notebookPath` (for a notebook task) `mainClassName` (for a Spark JAR task) `pythonFile` (for a Spark JAR task) `projectDirectory` (for a dbt task) `commands` (for a dbt task) `packageName` (for a Python wheel task) `entryPoint` (for a Python wheel task) `pipelineId` (for a pipeline task) `queryIds` (for a SQL query task) `alertId` (for a SQL alert task)	`taskDependencies` `multitaskParentRunId` `orgId` `idInJob` `jobId` `jobTerminalState` `taskKey` `jobTriggerType` `jobTaskType` `runId` `runCreatorUserName`
`runSucceeded`	A job run is successful.	`idInJob` `jobId` `jobTriggerType` `orgId` `runId` `jobClusterType` `jobTaskType` `jobTerminalState` `runCreatorUserName` `clusterId` `jobRunId` `multitaskParentRunId` `parentRunId` `repairId` `taskDependencies` `taskDependencyType` `taskKey`
`runTriggered`	A job schedule is triggered automatically according to its schedule or trigger.	`jobId` `jobTriggeredType` `runId` `jobTriggerType` `runCreatorUserName`
`sendRunWebhook`	A webhook is sent either when the job begins, completes, or fails.	`orgId` `jobId` `jobWebhookId` `jobWebhookEvent` `runId`
`setTaskValue`	A user sets values for a task.	`run_id` `key`
`submitRun`	A user submits a one-time run via the API.	`run_name` `spark_python_task` `existing_cluster_id` `notebook_task` `timeout_seconds` `libraries` `new_cluster` `spark_jar_task` `access_control_list` `email_notifications` `git_source` `idempotency_token` `run_as` `tasks` `workflow_context`
`update`	A user edits a job's settings.	`job_id` `fields_to_remove` `new_settings`

Lakeflow Spark Declarative Pipelines events

These events are logged at the workspace level. This service includes events related to Lakeflow Spark Declarative Pipelines.

These events are logged under the service_name of deltaPipelines.

action_name	Description	request_params
`changePipelineAcls`	A user changes permissions on a pipeline.	`aclPermissionSet` `resourceId` `shardName` `targetUserId`
`create`	A user creates a declarative pipeline.	`allow_duplicate_names` `budget_policy_id` `catalog` `channel` `clusters` `configuration` `continuous` `data_sampling` `dbr_version` `deployment` `development` `dry_run` `edition` `email_notifications` `event_log` `event_log_spec` `filters` `gateway_definition` `id` `ingestion_definition` `libraries` `managed_definition` `name` `notifications` `photon` `pipeline_type` `restart_window` `run_as` `schema` `serverless` `storage` `tags` `target` `trigger`
`delete`	A user deletes a declarative pipeline.	`cascade` `pipeline_id`
`edit`	A user edits a declarative pipeline.	`allow_duplicate_names` `budget_policy_id` `catalog` `channel` `clusters` `configuration` `continuous` `data_sampling` `dbr_version` `deployment` `development` `edition` `email_notifications` `event_log` `event_log_spec` `expected_last_modified` `filters` `gateway_definition` `id` `ingestion_definition` `libraries` `managed_definition` `name` `notifications` `photon` `pipeline_id` `pipeline_type` `restart_window` `run_as` `schema` `serverless` `storage` `tags` `target` `trigger`
`startUpdate`	A user restarts a declarative pipeline.	`cause` `development` `explore_only` `full_refresh` `full_refresh_selection` `idempotency_token` `job_task` `pipeline_id` `refresh_selection` `reset_checkpoint_selection` `update_cause_details` `usage_policy_id` `validate_only`
`stop`	A user stops a declarative pipeline.	`pipeline_id`

Cloud storage metadata events

These events are logged at the workspace level. This service includes events related to cloud storage metadata operations used by Auto Loader and file arrival triggers.

These events are logged under the service_name of cloudStorageMetadata.

action_name	Description	request_params
`listObjects`	A user or Auto Loader job fetches a paginated list of file changes (new, updated, or deleted files) from a cloud storage location or Unity Catalog volume. Clients use continuation tokens to incrementally fetch only files that changed since their last read.	`uri`: Cloud storage path `continuation_token`: Opaque pagination token from a previous response `max_objects`: Maximum objects to return (default 1,000, capped at 10,000) `include_updates`: Whether to include updated objects (not just newly created objects) `include_deletes`: Whether to include deleted objects `until_continuation_token`: Optional upper-bound token at which to stop reading `omit_objects`: If true, returns only count without object details `include_oldest_object_age`: Whether to include the age of the oldest listed object `include_earliest_ingestion_time`: Whether to include the earliest ingestion timestamp `workload_id`: Workload identifier `caller_context_entries`: Caller-provided context IDs for observability (for example, `job_id`, `pipeline_id`, `run_id`)
`validateFileEventsPermissions`	Validates that credentials and cloud resources (queues, subscriptions) are properly configured for file event notifications on a cloud storage location. Called when a user enables managed file notifications for an external location in Unity Catalog.	`url`: Cloud storage path to validate `credential_name`: Name of the Unity Catalog storage credential to validate `provided_sqs`: User-provided AWS SQS queue `provided_aqs`: User-provided Azure Queue Storage `provided_pubsub`: User-provided GCP Pub/Sub `managed_sqs`: Azure Databricks-managed AWS SQS `managed_aqs`: Azure Databricks-managed Azure Queue Storage `managed_pubsub`: Azure Databricks-managed GCP Pub/Sub

Ingestion events

The following event is logged at the workspace level and is related to file uploads.

These events are logged under the service_name of ingestion.

action_name	Description	request_params
`proxyFileUpload`	A user uploads a file to their Azure Databricks workspace.	`x-databricks-content-length-0` `x-databricks-total-files`

Lineage tracking events

These events are logged at the workspace level. This service includes events related to data lineage.

These events are logged under the service_name of lineageTracking.

action_name	Description	request_params
`listColumnLineages`	A user accesses the list of the upstream or downstream columns of a column.	`table_name` `column_name` `lineage_direction`: The lineage direction (`UPSTREAM` or `DOWNSTREAM`).
`listSecurableLineagesBySecurable`	A user accesses the list of the upstream or downstream securables of a securable.	`securable_full_name` `securable_type` `lineage_direction`: The lineage direction (`UPSTREAM` or `DOWNSTREAM`). `metastore_id` `page_size` `page_token` `securable_response_filter` `start_timestamp` `subsecurable_id` `workspace_id`
`listEntityLineagesBySecurable`	A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable.	`securable_full_name` `securable_type` `lineage_direction`: The lineage direction (`UPSTREAM` or `DOWNSTREAM`). `entity_response_filter`: The entity type (notebook, job, dashboard, pipeline, query, serving endpoint, etc.). `metastore_id` `page_size` `start_timestamp` `subsecurable_id` `workspace_id`
`getColumnLineages`	A user gets the column lineages for a table and its column.	`table_name` `column_name` `metastore_id` `only_downstream` `only_upstream` `workspace_id`
`getTableEntityLineages`	A user gets the upstream and downstream lineages of a table.	`table_name` `include_entity_lineage` `include_downstream` `include_upstream` `metastore_id` `workspace_id`
`getJobTableLineages`	A user gets the upstream and downstream table lineages of a job.	`job_id` `max_result` `metastore_id` `workspace_id`
`getFunctionLineages`	A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function.	`function_name`
`getModelVersionLineages`	A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version.	`model_name` `version` `metastore_id` `workspace_id`
`getEntityTableLineages`	A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.).	`entity_type` `entity_id` `max_downstreams` `max_upstreams` `metastore_id` `workspace_id`
`getFrequentlyJoinedTables`	A user gets the frequently joined tables for a table.	`table_name` `include_columns` `limit_size` `metastore_id` `workspace_id`
`getFrequentQueryByTable`	A user gets the frequent queries for a table.	`source_table_name` `limit_size` `metastore_id` `workspace_id`
`getFrequentUserByTable`	A user gets the frequent users for a table.	`table_name` `limit_size` `metastore_id` `workspace_id`
`getTablePopularityByDate`	A user gets the popularity (query count) for a table for the past month.	`table_name` `metastore_id` `workspace_id`
`getPopularEntities`	A user gets the popular entities (notebooks, jobs, etc.) for a table.	`scope`: Specifies the scope for retrieving popular entities, either from the workspace or table name. `table_name` `limit_size` `metastore_id` `workspace_id`
`getPopularTables`	A user gets the table popularity info for a list of tables.	`scope`: Specifies the scope for retrieving popular tables, either from the metastore or the table list. `table_name_list` `metastore_id` `workspace_id`
`listCustomLineages`	A user lists custom lineages for an entity.	`entity_id` `lineage_direction` `metastore_id` `page_size` `workspace_id`
`listSecurableByEntityEvent`	A user lists securables associated with entity events.	`entity_id` `entity_type` `lineage_direction` `metastore_id` `page_size` `page_token` `securable_response_filter` `start_timestamp` `workspace_id`

Request for access events

These events are logged at the workspace level. This service includes events related to access request destinations (Public Preview).

These events are logged under the service_name of request-for-access.

action_name	Description	request_params
`updateAccessRequestDestinations`	A user updates access request destinations for a Unity Catalog securable.	`destinations` `securable`
`getAccessRequestDestinations`	A user gets access request destinations for a Unity Catalog securable.	`full_name` `securable_type`
`listDestinations`	A user gets access request destinations for a Unity Catalog securable. This is a legacy version of the `getAccessRequestDestinations` action.	`securable`
`getStatus`	A user gets status information for a Unity Catalog securable. Request for access is considered enabled for a Unity Catalog securable if at least one access request destination exists.	`securable`
`batchCreateAccessRequests`	A user requests access for one or more Unity Catalog securables.	`requests`
`requestAccess`	A user requests access for a single Unity Catalog securable. This is a legacy version of the `batchCreateAccessRequests` action.	`behalf_of` `comment` `privileges` `securable`
`updateDefaultDestinationStatus`	A user updates the status of a workspace-level setting that controls whether all Unity Catalog securables have a default destination assigned.	none
`getDefaultDestinationStatus`	A user gets the status of the default destination setting.	none

Uniform Iceberg REST API events

These events are logged at the workspace level. These events are logged when users interact with managed Apache Iceberg tables using an external Iceberg-compatible engine that supports the Iceberg REST Catalog API.

These events are logged under the service_name of uniformIcebergRestCatalog.

action_name	Description	request_params
`config`	User gets a catalog configuration.	`http_method` `http_path`
`createNamespace`	User creates a namespace, with an optional set of properties.	`http_method` `http_path`
`createTable`	User creates a new Iceberg table.	`http_method` `http_path`
`deleteNamespace`	User deletes an existing namespace.	`http_method` `http_path`
`deleteTable`	User deletes an existing table.	`http_method` `http_path`
`getNamespace`	User gets properties of a namespace.	`http_method` `http_path`
`listNamespaces`	User makes a call to list all namespaces at a specified level.	`http_method` `http_path`
`listTables`	User lists all tables under a given namespace.	`http_method` `http_path`
`loadTableCredentials`	User loads vended credentials for a table from the catalog.	`http_method` `http_path`
`loadTable`	User loads a table from the catalog.	`http_method` `http_path`
`loadView`	User loads a view from the catalog.	`http_method` `http_path`
`namespaceExists`	User checks if a namespace exists.	`http_method` `http_path`
`renameTable`	User renames an existing table	`http_method` `http_path`
`reportMetrics`	User sends a metrics report	`http_method` `http_path`
`tableExists`	User checks if a table exists within a given namespace.	`http_method` `http_path`
`updateNamespaceProperties`	User updates properties for a namespace.	`http_method` `http_path`
`updateTable`	User updates table metadata.	`http_method` `http_path`
`viewExists`	User checks if a view exists within a given namespace.	`http_method` `http_path`

DBFS events

These events are logged at the workspace level. This service includes events related to DBFS.

There are two types of DBFS events: API calls and operational events.

DBFS API events

These audit events are only logged when written through the DBFS REST API.

These events are logged under the service_name of dbfs.

action_name	Description	request_params
`addBlock`	User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.	`handle` `data_length`
`close`	User closes a stream specified by the input handle.	`handle`
`create`	User opens a stream to write a file to DBFS.	`path` `bufferSize` `overwrite`
`delete`	User deletes the file or directory from DBFS.	`recursive` `path`
`getStatus`	User gets information for a file or directory.	`path`
`mkdirs`	User creates a new DBFS directory.	`path`
`move`	User moves a file from one location to another location within DBFS.	`dst` `source_path` `src` `destination_path`
`put`	User uploads a file through the use of a multipart form post to DBFS.	`path` `overwrite`
`read`	User reads the contents of a file.	`path` `offset` `length`

DBFS operational events

These audit events occur at the compute plane.

These events are logged under the service_name of dbfs.

action_name	Description	request_params
`mount`	User creates a mount point at a certain DBFS location.	`mountPoint` `owner`
`unmount`	User removes a mount point at a certain DBFS location.	`mountPoint`

Files events

These events are logged at the workspace level. This service includes events related to file management, which includes interacting with files using the Files API or in the volumes UI.

These events are logged under the service_name of filesystem.

action_name	Description	request_params
`directoriesDelete`	A user deletes a directory using the Files API or the volumes UI.	`path`
`directoriesGet`	A user lists the contents of a directory using the Files API or the volumes UI.	`path`
`directoriesHead`	A user gets information about a directory using the Files API or the volumes UI.	`path`
`directoriesPut`	A user creates a directory using the Files API or the volumes UI.	`path`
`filesDelete`	User deletes a file using the Files API or the volumes UI.	`path`
`filesGet`	User downloads a file using the Files API or the volumes UI.	`path` `transferredSize`
`filesHead`	User gets information about a file using the Files API or the volumes UI.	`path`
`filesPut`	User uploads a file using the Files API or the volumes UI.	`path` `receivedSize`

Workspace files events

These events are logged at the workspace level. This service includes events related to workspaces files.

These events are logged under the service_name of workspaceFiles.

action_name	Description	request_params
`wsfsStreamingRead`	A workspace file is read by a user or programmatically as part of a workflow.	`path`
`wsfsStreamingWrite`	A workspace file is written to by a user or programmatically as part of a workflow.	`path`
`wsfsImportFile`	A user imports a file into the workspace.	`path`

Agent evaluation events

These events are logged at the workspace level. This service includes events related to agent evaluation, including production monitoring, evaluation datasets, and human evaluation.

Production monitoring events

These events are related to production monitoring, including scorers, metric backfill, and trace archival.

These events are logged under the service_name of agentEvaluation.

action_name	Description	request_params
`getChatAssessments`	A user requests LLM-judge assessments on an agent response.	`experiment_id` `requested_assessments`
`getChatCompletions`	A user requests an LLM to evaluate an agent response. For example, by invoking a judge created by make_judge.	none
`createScheduledScorers`	A user creates scorers for an experiment.	`experiment_id` `scheduled_scorers.scorers.name` `scheduled_scorers.scorers.sample_rate`
`getScheduledScorers`	A user retrieves scorers for an experiment.	`experiment_id`
`updateScheduledScorers`	A user updates scorers for an experiment.	`experiment_id` `scheduled_scorers.scorers.name` `scheduled_scorers.scorers.sample_rate`
`deleteScheduledScorers`	A user deletes scorers for an experiment.	`experiment_id`
`runMetricBackfill`	A user runs a metric backfill for an experiment.	`experiment_id` `start_timestamp_ms` `end_timestamp_ms`
`startTraceArchival`	A user starts trace archival for an experiment.	`experiment_id` `archive_table_fullname`
`stopTraceArchival`	A user stops trace archival for an experiment.	`experiment_id`

Evaluation dataset events

These events are related to evaluation datasets, including CRUD operations for datasets and dataset records, batch operations, and expectations management.

These events are logged under the service_name of agentEvaluation.

action_name	Description	request_params
`createDataset`	A user creates an evaluation dataset.	`dataset.dataset_id` `dataset.name`
`getDataset`	A user retrieves an evaluation dataset.	`dataset_id`
`listDatasets`	A user lists evaluation datasets.	`filter` `order_by`
`updateDataset`	A user updates an evaluation dataset.	`dataset_id` `dataset.dataset_id` `dataset.name`
`deleteDataset`	A user deletes an evaluation dataset.	`dataset_id`
`createDatasetRecord`	A user creates a record in an evaluation dataset.	`dataset_id` `dataset_record.dataset_record_id`
`getDatasetRecord`	A user retrieves a record from an evaluation dataset.	`dataset_id` `dataset_record_id`
`listDatasetRecords`	A user lists records in an evaluation dataset.	`dataset_id`
`updateDatasetRecord`	A user updates a record in an evaluation dataset.	`dataset_id` `dataset_record_id` `dataset_record.dataset_record_id`
`deleteDatasetRecord`	A user deletes a record from an evaluation dataset.	`dataset_id` `dataset_record_id`
`batchCreateDatasetRecords`	A user creates multiple records in an evaluation dataset in a single batch operation.	`dataset_id` `requests.dataset_id` `requests.dataset_record.dataset_record_id`
`upsertExpectations`	A user upserts expectations for a record in an evaluation dataset.	`dataset_id` `dataset_record_id`

Synthetic data generation events

These events are related to synthetic evaluation data generation .

These events are logged under the service_name of agentEvaluation.

action_name	Description	request_params
`generateQuestions`	A user generates synthetic questions for evaluation.	`experiment_id` `instance_id` `num_questions`
`generateAnswer`	A user generates synthetic answers for evaluation.	`answer_types` `experiment_id` `instance_id`

Review app events

These events are related to review apps for human evaluation, including review app management, labeling sessions, and item management.

These events are logged under the service_name of agentEvaluation.

action_name	Description	request_params
`createReviewApp`	A user creates a review app for human evaluation.	`review_app.experiment_id` `review_app.review_app_id`
`getReviewApp`	A user retrieves a review app.	`review_app_id`
`listReviewApps`	A user lists review apps.	none
`updateReviewApp`	A user updates a review app.	`review_app.experiment_id` `review_app.review_app_id` `review_app_id`
`createLabelingSession`	A user creates a labeling session in a review app.	`labeling_session.labeling_session_id` `labeling_session.mlflow_run_id` `labeling_session.name` `review_app_id`
`getLabelingSession`	A user retrieves a labeling session from a review app.	`labeling_session_id` `review_app_id`
`listLabelingSessions`	A user lists labeling sessions in a review app.	`review_app_id`
`updateLabelingSession`	A user updates a labeling session in a review app.	`labeling_session.labeling_session_id` `labeling_session.mlflow_run_id` `labeling_session.name` `labeling_session_id` `review_app_id`
`deleteLabelingSession`	A user deletes a labeling session from a review app.	`review_app_id` `labeling_session_id`
`batchCreateItems`	A user creates multiple items in a labeling session in a single batch operation.	`items.item_id` `labeling_session_id` `review_app_id`
`getItem`	A user retrieves an item from a labeling session.	`review_app_id` `labeling_session_id` `item_id`
`listItems`	A user lists items in a labeling session.	`labeling_session_id` `review_app_id`
`updateItem`	A user updates an item in a labeling session.	`review_app_id` `labeling_session_id` `item_id` `item.item_id`
`batchDeleteItems`	A user deletes multiple items from a labeling session in a single batch operation.	`review_app_id` `labeling_session_id` `item_ids`

MLflow experiment events

These events are logged at the workspace level. This service includes events related to MLflow experiments.

These events are logged under the service_name of mlflowExperiment.

action_name	Description	request_params
`createMlflowExperiment`	A user creates an MLflow experiment.	`experimentId` `path` `experimentName`
`deleteMlflowExperiment`	A user deletes an MLflow experiment.	`experimentId` `path` `experimentName`
`moveMlflowExperiment`	A user moves an MLflow experiment.	`newPath` `experimentId` `oldPath`
`restoreMlflowExperiment`	A user restores an MLflow experiment.	`experimentId` `path` `experimentName`
`renameMlflowExperimentEvent`	A user renames an MLflow experiment.	`oldName` `newName` `experimentId` `parentPath`

MLflow artifacts with ACL events

These events are logged at the workspace level. This service includes events related to MLflow artifacts with ACLs.

These events are logged under the service_name of mlflowAcledArtifact.

action_name	Description	request_params
`readArtifact`	A user makes call to read an artifact.	`artifactLocation` `experimentId` `runId`
`writeArtifact`	A user makes call to write to an artifact.	`artifactLocation` `experimentId` `runId`

MLflow model registry events

These events are logged at the workspace level. This service includes events related to the workspace model registry. For activity logs for models in Unity Catalog, see Unity Catalog events.

These events are logged under the service_name of modelRegistry.

action_name	Description	request_params
`approveTransitionRequest`	A user approves a model version stage transition request.	`name` `version` `stage` `archive_existing_versions` `comment`
`changeRegisteredModelAcl`	A user updates permissions for a registered model.	`registeredModelId` `userId` `aclPermissionSet` `resourceId` `shardName` `targetUserId`
`createComment`	A user posts a comment on a model version.	`name` `version`
`createModelVersion`	A user creates a model version.	`name` `source` `run_id` `tags` `run_link`
`createRegisteredModel`	A user creates a new registered model	`name` `tags` `description`
`createRegistryWebhook`	User creates a webhook for Model Registry events.	`orgId` `registeredModelId` `events` `description` `status` `creatorId` `httpUrlSpec`
`createTransitionRequest`	A user creates a model version stage transition request.	`name` `version` `stage` `comment`
`deleteComment`	A user deletes a comment on a model version.	`id`
`deleteModelVersion`	A user deletes a model version.	`name` `version`
`deleteModelVersionTag`	A user deletes a model version tag.	`name` `version` `key`
`deleteRegisteredModel`	A user deletes a registered model	`name`
`deleteRegisteredModelTag`	A user deletes the tag for a registered model.	`name` `key`
`deleteRegistryWebhook`	User deletes a Model Registry webhook.	`orgId` `webhookId`
`deleteTransitionRequest`	A user cancels a model version stage transition request.	`name` `version` `stage` `creator`
`finishCreateModelVersionAsync`	Completed asynchronous model copying.	`name` `version`
`generateBatchInferenceNotebook`	Batch inference notebook is autogenerated.	`userId` `orgId` `modelName` `inputTableOpt` `outputTablePathOpt` `stageOrVersion` `modelVersionEntityOpt` `notebookPath`
`generateDltInferenceNotebook`	Inference notebook for a declarative pipeline is autogenerated.	`userId` `orgId` `modelName` `inputTable` `outputTable` `stageOrVersion` `notebookPath` `input_table` `name` `output_table` `stage` `version`
`getModelVersionDownloadUri`	A user gets a URI to download the model version.	`name` `version`
`getModelVersionSignedDownloadUri`	A user gets a URI to download a signed model version.	`name` `version` `path`
`listModelArtifacts`	A user makes a call to list a model's artifacts.	`name` `version` `path` `page_token`
`listRegistryWebhooks`	A user makes a call to list all registry webhooks in the model.	`orgId` `registeredModelId`
`rejectTransitionRequest`	A user rejects a model version stage transition request.	`name` `version` `stage` `comment`
`renameRegisteredModel`	A user renames a registered model	`name` `new_name`
`setEmailSubscriptionStatus`	A user updates the email subscription status for a registered model	`model_name` `subscription_type`
`setModelVersionTag`	A user sets a model version tag.	`name` `version` `key` `value`
`setRegisteredModelTag`	A user sets a model version tag.	`name` `key` `value`
`setUserLevelEmailSubscriptionStatus`	A user updates their email notifications status for the whole registry.	`orgId` `userId` `subscriptionStatus` `subscription_type`
`testRegistryWebhook`	A user tests the Model Registry webhook.	`orgId` `webhookId`
`transitionModelVersionStage`	A user gets a list of all open stage transition requests for the model version.	`name` `version` `stage` `archive_existing_versions` `comment`
`triggerRegistryWebhook`	A Model Registry webhook is triggered by an event.	`orgId` `registeredModelId` `events` `status`
`updateComment`	A user post an edit to a comment on a model version.	`id`
`updateRegistryWebhook`	A user updates a Model Registry webhook.	`orgId` `webhookId`

Feature store events

These events are logged at the workspace level. This service includes events related to the Databricks Feature Store.

These events are logged under the service_name of featureStore.

action_name	Description	request_params
`addConsumer`	A consumer is added to the feature store.	`features` `job_run` `notebook`
`addDataSources`	A data source is added to a feature table.	`feature_table` `paths` `tables`
`addProducer`	A producer is added to a feature table.	`feature_table` `job_run` `notebook` `producer_action`
`changeFeatureTableAcl`	Permissions are changed in a feature table.	`aclPermissionSet` `resourceId` `shardName` `targetUserId`
`createFeatureSpec`	A feature specification is created.	`feature_spec_yaml` `name`
`createFeatureTable`	A feature table is created.	`description` `is_imported` `name` `partition_keys` `primary_keys` `timestamp_keys`
`createFeatures`	Features are created in a feature table.	`feature_table` `features`
`deleteFeatureTable`	A feature table is deleted.	`dry_run` `name`
`deleteTags`	Tags are deleted from a feature table.	`feature_table_id` `keys`
`generateFeatureSpecYaml`	A feature specification YAML is generated.	`exclude_columns` `feature_spec_yaml` `features` `input_columns`
`getBrickstoreOnlineTableMetadata`	A user gets Brickstore online table metadata.	`feature_table_features`
`getConsumers`	A user makes a call to get the consumers in a feature table.	`feature_table`
`getFeatureStoreWidePermissions`	A user gets feature store-wide permissions.	none
`getFeatureTable`	A user makes a call to get feature tables.	`exclude_online_stores` `include_producers` `name`
`getFeatureTablesById`	A user makes a call to get feature table IDs.	`ids`
`getFeatures`	A user makes a call to get features.	`feature_table` `max_results`
`getModelServingMetadata`	A user makes a call to get Model Serving metadata.	`feature_table_features`
`getOnlineFeatureTables`	A user gets online feature tables.	`create_if_not_exist` `feature_table_features` `include_brickstore` `is_v1_serving`
`getOnlineStore`	A user makes a call to get online store details.	`cloud` `feature_table` `online_table` `store_type`
`getOnlineStores`	A user gets online stores.	`feature_tables`
`getTags`	A user makes a call to get tags for a feature table.	`feature_table_id`
`logFeatureStoreClientEvent`	A feature store client event is logged.	`aggregate_features` `create_materialized_view`
`publishFeatureTable`	A feature table is published.	`cloud` `feature_table` `host` `online_table` `port` `read_secret_prefix` `store_type` `write_secret_prefix`
`searchFeatureTables`	A user searches for feature tables.	`catalog_names` `exclude_online_stores` `is_multi_catalog` `max_results` `owner_ids` `page_token` `search_scopes` `sort_order` `text`
`setTags`	Tags are added to a feature table.	`feature_table_id` `tags`
`updateFeatureTable`	A feature table is updated.	`description` `name`

Unity Catalog HTTP connection events

These events are logged at the workspace level when requests are proxied through a Unity Catalog HTTP connection, such as when calling external functions or connecting to external MCP servers.

These events are logged under the service_name of ucHttpConnection.

action_name	Description	request_params
`ucHttpConnectionProxiedRequest`	A request is proxied through a Unity Catalog HTTP connection to an external endpoint.	`auth_type` `connection_id` `connection_name` `http_method`

Databricks SQL events

These events are logged at the workspace level. This service includes events related to Databricks SQL.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

These events are logged under the service_name of databrickssql.

action_name	Description	request_params
`cancelQueryExecution`	A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.	`queryExecutionId`: Only emitted when the legacy SQL editor is used. `query_id`: Only emitted when the new SQL editor is used.
`changeEndpointAcls`	A warehouse manager updates permissions on a SQL warehouse.	`aclPermissionSet` `resourceId` `shardName` `targetUserId`
`cloneFolderNode`	A user clones a folder in the workspace browser.	`dashboardId`
`commandFinish`	Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.	`warehouseId` `commandId`
`commandSubmit`	Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.	`warehouseId` `commandId` `validation` `commandText` `commandParameters`
`createAlert`	A user creates a legacy alert.	`alertId` `queryId`
`createQuery`	A user creates a new query.	`queryId`
`getQuery`	A user opens a query in SQL editor page or calls the Databricks SQL Get a query API. Only emitted when the legacy SQL editor or Databricks SQL REST API is used.	`queryId`
`createQueryDraft`	A user creates a query draft. Only emitted when the legacy SQL editor is used.	`queryId`
`createQuerySnippet`	A user creates a query snippet.	`querySnippetId`
`createVisualization`	A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. Only emitted when the legacy SQL editor is used.	`queryId` `visualizationId`
`createWarehouse`	A user with the cluster create entitlement creates a SQL warehouse.	`auto_resume` `auto_stop_mins` `channel` `warehouse_type` `cluster_size` `conf_pairs` `custom_cluster_confs` `enable_databricks_compute` `enable_photon` `enable_serverless_compute` `instance_profile_arn` `max_num_clusters` `min_num_clusters` `name` `size` `tags` `test_overrides`
`deleteAlert`	A user deletes a legacy alert through the API. Excludes deletions from the file browser UI or from the legacy alert interface.	`alertId`
`deleteNotificationDestination`	A workspace admin deletes a notification destination.	`notificationDestinationId`
`deleteWarehouse`	A warehouse manager deletes a SQL warehouse.	`id`
`deleteQuery`	A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.	`queryId`
`deleteQueryDraft`	A user deletes a query draft. Only emitted when the legacy SQL editor is used.	`queryId`
`deleteQuerySnippet`	A user deletes a query snippet.	`querySnippetId`
`deleteVisualization`	A user deletes a visualization from a query in the SQL Editor. Only emitted when the legacy SQL editor is used.	`visualizationId`
`downloadQueryResult`	A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.	`fileType` `queryId` `queryResultId`: Only emitted when the legacy SQL editor is used. `credentialsEmbedded` `credentialsEmbeddedId`
`editWarehouse`	A warehouse manager makes edits to a SQL warehouse.	`auto_stop_mins` `channel` `warehouse_type` `cluster_size` `confs` `enable_photon` `enable_serverless_compute` `id` `instance_profile_arn` `max_num_clusters` `min_num_clusters` `name` `tags`
`executeAdhocQuery`	Generated by one of the following: A user runs a query draft in the SQL editor A query is executed from a visualization aggregation A user loads a dashboard and executes underlying queries	`dataSourceId`: Only emitted when the legacy SQL editor is used. Equivalent to the SQL warehouse ID. `warehouse_id`: Only emitted when the new SQL editor is used. `query_id`: Only emitted when the new SQL editor is used. Corresponds to the current query text in the new SQL editor, which may be equivalent to the original saved query.
`executeSavedQuery`	A user runs a saved query. Only emitted when the legacy SQL editor is used.	`queryId`
`favoriteQuery`	A user favorites a query.	`queryId`
`forkQuery`	A user clones a query.	`originalQueryId` `queryId`
`getAlert`	A user opens a legacy alert's details page or calls the legacy get alert API.	`id`: ID of the alert
`getHistoryQueriesByLookupKeys`	A user gets details for one or more query executions using lookup keys.	`lookup_keys` `include_metrics`
`getHistoryQuery`	A user gets details for a query execution using the UI.	`id` `queryId` `include_metrics` `include_plans` `include_json_plans`
`listHistoryQueries`	A user opens the query history page or calls the Query History List Queries API.	`filter_by` `include_metrics` `max_results` `page_token` `order_by`
`moveAlertToTrash`	A user moves an legacy alert to the trash using the API. Excludes deletions from the file browser UI or from the legacy alert interface.	`alertId`
`moveQueryToTrash`	A user moves a query to the trash.	`queryId` `treestoreId`: Only emitted when the new SQL editor is used and a valid `queryId` cannot be returned.
`restoreAlert`	A user restores a legacy alert from the trash.	`alertId`
`restoreQuery`	A user restores a query from the trash.	`queryId`
`setWarehouseConfig`	A workspace admin updates their workspace's SQL warehouse settings, including configuration parameters and data access properties.	`data_access_config` `enable_serverless_compute` `instance_profile_arn` `security_policy` `serverless_agreement` `sql_configuration_parameters`
`startWarehouse`	A SQL warehouse is started.	`id`
`stopWarehouse`	A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.	`id`
`transferObjectOwnership`	A workspace admin transfers the ownership of a dashboard, query, or legacy alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.	`newOwner` `objectId` `objectType`
`unfavoriteQuery`	A user removes a query from their favorites.	`queryId`
`updateAlert`	A user makes updates to a legacy alert. `ownerUserName` is populated if the legacy alert ownership is transferred using the API.	`alertId` `queryId` `ownerUserName`
`updateNotificationDestination`	A workspace admin makes an update to a notification destination.	`notificationDestinationId`
`updateFolderNode`	A user updates a folder node in the workspace browser.	`name`
`updateOrganizationSetting`	A workspace admin makes updates to the workspace's SQL settings.	`has_configured_data_access` `has_explored_sql_warehouses` `has_granted_permissions` `hide_plotly_mode_bar` `send_email_on_failed_dashboards` `allow_downloads`
`updateQuery`	A user makes an update to a query. `ownerUserName` is populated if the query ownership is transferred using the API.	`queryId` `ownerUserName`
`updateQueryDraft`	A user makes an update to a query draft. Only emitted when the legacy SQL editor is used.	`queryId`
`updateQuerySnippet`	A user makes an update to a query snippet.	`querySnippetId`
`updateVisualization`	A user updates a visualization from the SQL Editor. Only emitted when the legacy SQL editor is used.	`visualizationId`

Notebook events

These events are logged at the workspace level. This service includes events related to notebooks.

These events are logged under the service_name of notebook.

action_name	Description	request_params
`attachNotebook`	A notebook is attached to a cluster. Also emitted when the new SQL editor is attached to a SQL warehouse.	`path` `clusterId` `notebookId`
`cloneNotebook`	A user clones a notebook.	`notebookId` `path` `clonedNotebookId` `destinationPath`
`createFolder`	A notebook folder is created.	`path`
`createNotebook`	A notebook is created.	`notebookId` `path`
`deleteFolder`	A notebook folder is deleted.	`path`
`deleteNotebook`	A notebook is deleted.	`notebookId` `notebookName` `path`
`deleteRepo`	A repository is deleted.	`path`
`detachNotebook`	A notebook is detached from a cluster. Also emitted when the new SQL editor is detached from a SQL warehouse.	`notebookId` `clusterId` `path`
`downloadLargeResults`	A user downloads query results too large to display in the notebook. Also emitted when the new SQL editor is used to download query results.	`notebookId` `notebookFullPath` `commandId` `fileType`
`downloadPreviewResults`	A user downloads query results from a notebook or the new SQL editor. Also emitted when a user views a previous result in execution history. If the log is from a view, `fileType` is set to `json`.	`notebookId` `notebookFullPath` `commandId` `fileType` `statementId`: Only emitted when a user views a previous result in execution history.
`importNotebook`	A user imports a notebook.	`path` `workspaceExportFormat`
`modifyNotebook`	A notebook is modified.	`notebookId` `path`
`moveFolder`	A notebook folder is moved from one location to another.	`oldPath` `newPath` `folderId`
`moveNotebook`	A notebook is moved from one location to another.	`newPath` `oldPath` `notebookId`
`openNotebook`	A user opens a notebook using the UI.	`notebookId` `path`
`renameFolder`	A notebook folder is renamed.	`folderId` `newName` `oldName` `parentPath`
`renameNotebook`	A notebook is renamed.	`newName` `oldName` `parentPath` `notebookId`
`restoreFolder`	A deleted folder is restored.	`path`
`restoreNotebook`	A deleted notebook is restored.	`path` `notebookId` `notebookName`
`restoreRepo`	A deleted repository is restored.	`path`
`runCommand`	Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor. `executionTime` is measured in seconds.	`notebookId` `executionTime` `status` `commandId` `commandText` `commandLanguage`
`submitCommand`	Generated when a command is submitted for execution in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor.	`notebookId` `commandId` `clusterId` `commandLanguage` `commandText` (only available when verbose audit logs are enabled)
`takeNotebookSnapshot`	Notebook snapshots are taken when either the job service or mlflow is run.	`path`

Git folder events

These events are logged at the workspace level. This service includes events related to Databricks Git folders. See also gitCredentials.

These events are logged under the service_name of repos.

action_name	Description	request_params
`checkoutBranch`	A user checks out a branch on the repo.	`id` `branch`
`commitAndPush`	A user commits and pushes to a repo.	`id` `message` `files` `checkSensitiveToken`
`createRepo`	A user creates a repo in the workspace	`url` `provider` `path`
`deleteRepo`	A user deletes a repo.	`id`
`discard`	A user discards a commit to a repo.	`id` `file_paths`
`getRepo`	A user makes a call to get information about a single repo.	`id`
`listRepos`	A user makes a call to get all repos they have Manage permissions on.	`path_prefix` `next_page_token`
`pull`	A user pulls the latest commits from a repo.	`id`
`updateRepo`	A user updates the repo to a different branch or tag, or to the latest commit on the same branch.	`id` `branch` `tag` `git_url` `git_provider`

Git credential events

These events are logged at the workspace level. This service includes events related to Git credentials for Databricks Git folders.

These events are logged under the service_name of gitCredentials.

action_name	Description	request_params
`createGitCredential`	A user creates a git credential.	`git_provider` `git_username`
`deleteGitCredential`	A user deletes a git credential.	`id`
`getGitCredential`	A user gets a git credentials.	`id`
`linkGitProvider`	A user links a git provider.	`git_provider` `principal_id`
`listGitCredentials`	A user lists all git credentials	`principal_id`
`updateGitCredential`	A user updates a git credential.	`id` `git_provider` `git_username`

Global init scripts events

These events are logged at the workspace level. This service includes events related global init scripts.

These events are logged under the service_name of globalInitScripts.

action_name	Description	request_params
`batch-reorder`	A workspace admin reorders global initialization scripts.	`script_ids`
`create`	A workspace admin creates a global initialization script.	`name` `position` `script-SHA256` `enabled`
`update`	A workspace admin updates a global initialization script.	`script_id` `name` `position` `script-SHA256` `enabled`
`delete`	A workspace admin deletes a global initialization script.	`script_id`

Remote history service events

These events are logged at the workspace level. This service includes events related to adding and removing GitHub Credentials.

These events are logged under the service_name of RemoteHistoryService.

action_name	Description	request_params
`addUserGitHubCredentials`	User adds Github Credentials	none
`deleteUserGitHubCredentials`	User removes Github Credentials	none
`updateUserGitHubCredentials`	User updates Github Credentials	none

Workspace events

These events are logged at the workspace level. This service includes events related to workspace management.

These events are logged under the service_name of workspace.

action_name	Description	request_params
`addPermissionAssignment`	An account admin adds a principal to a workspace.	`principal_id` `account_id` `workspace_id`
`changeWorkspaceAcl`	Permissions to the workspace are changed.	`shardName` `targetUserId` `aclPermissionSet` `resourceId`
`deletePermissionAssignment`	A workspace admin removes a principal from a workspace.	`principal_id` `account_id` `workspace_id`
`deleteSetting`	A setting is deleted from the workspace.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName`
`fileCreate`	User creates a file in the workspace.	`path`
`fileDelete`	User deletes a file in the workspace.	`path`
`fileEditorOpenEvent`	User opens the file editor.	`notebookId` `path`
`getPermissionAssignment`	An account admin gets a workspace's permission assignments.	`account_id` `workspace_id`
`getRoleAssignment`	User gets a workspace's user roles.	`account_id` `workspace_id`
`mintOAuthAuthorizationCode`	Recorded when in-house OAuth authorization code is minted at the workspace level.	`client_id`
`mintOAuthToken`	OAuth token is minted for workspace.	`grant_type` `scope` `expires_in` `client_id`
`moveWorkspaceNode`	A workspace admin moves workspace node.	`destinationPath` `path`
`purgeWorkspaceNodes`	A workspace admin purges workspace nodes.	`treestoreId`
`reattachHomeFolder`	An existing home folder is re-attached for a user that is re-added to the workspace.	`path`
`renameWorkspaceNode`	A workspace admin renames workspace nodes.	`path` `destinationPath`
`unmarkHomeFolder`	Home folder special attributes are removed when a user is removed from the workspace.	`path`
`updateRoleAssignment`	A workspace admin updates a workspace user's role.	`account_id` `workspace_id` `principal_id` `role`
`updatePermissionAssignment`	A workspace admin adds a principal to the workspace.	`principal_id` `permissions`
`setSetting`	A workspace admin configures a workspace setting.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName` `settingValueForAudit`
`workspaceConfEdit`	Workspace admin makes updates to a setting, for example enabling verbose audit logs.	`workspaceConfKeys` `workspaceConfValues`
`workspaceExport`	User exports a notebook from a workspace.	`workspaceExportDirectDownload` `workspaceExportFormat` `notebookFullPath`
`workspaceInHouseOAuthClientAuthentication`	OAuth client is authenticated in workspace service.	`user`

Secrets events

These events are logged at the workspace level. This service includes events related to secrets.

These events are logged under the service_name of secrets.

action_name	Description	request_params
`createScope`	User creates a secret scope.	`scope` `initial_manage_principal` `scope_backend_type`
`deleteAcl`	User deletes ACLs for a secret scope.	`scope` `principal`
`deleteScope`	User deletes a secret scope.	`scope`
`deleteSecret`	User deletes a secret from a scope.	`key` `scope`
`getAcl`	User gets ACLs for a secret scope.	`scope` `principal`
`getSecret`	User gets a secret from a scope.	`key` `scope`
`listAcls`	User makes a call to list ACLs for a secret scope.	`scope`
`listScopes`	User makes a call to list secret scopes	none
`listSecrets`	User makes a call to list secrets within a scope.	`scope`
`putAcl`	User changes ACLs for a secret scope.	`scope` `principal` `permission`
`putSecret`	User adds or edits a secret within a scope.	`string_value` `key` `scope`

SSH events

These events are logged at the workspace level. This service includes events related to SSH access.

These events are logged under the service_name of ssh.

action_name	Description	request_params
`login`	Agent login of SSH into Spark driver.	`containerId` `userName` `port` `publicKey` `instanceId`
`logout`	Agent logout of SSH from Spark driver.	`userName` `containerId` `instanceId`

Web terminal events

These events are logged at the workspace level. This service includes events related to the web terminal feature.

These events are logged under the service_name of webTerminal.

action_name	Description	request_params
`startSession`	User starts a web terminal sessions.	`socketGUID` `clusterId` `serverPort` `ProxyTargetURI`
`closeSession`	User closes a web terminal session.	`socketGUID` `clusterId` `serverPort` `ProxyTargetURI`

Webhook events

These events are logged at the workspace level. This service includes events related to notification destinations.

These events are logged under the service_name of webhookNotifications.

action_name	Description	request_params
`createWebhook`	An admin creates a new notification destination.	`name` `options` `type`
`deleteWebhook`	An admin deletes a notification destination.	`id`
`getWebhook`	A user views information about a notification destination using the UI or API.	`id`
`notifyWebhook`	A webhook is triggered and sends a notification payload to the target URL.	`body` `id`
`testWebhook`	A test payload is sent to a webhook URL to verify the configuration and ensure it can receive notifications successfully.	`id`
`updateWebhook`	An admin updates a notification destination.	`name` `options` `type`

Account-level services

The following services log audit events at the account level.

Account-level authentication events

These events are related to account console authentication.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`accountInHouseOAuthClientAuthentication`	An OAuth client is authenticated.	`endpoint` `user`: logged as an email address `authenticationMethod`
`accountLoginCodeAuthentication`	A user's account login code is authenticated.	`user`
`accountlessToAccountLoginAuthentication`	A user logs in through the accountless-to-account upgrade flow.	`user` `authenticationMethod`
`deletePasskeyCredential`	A user deletes a passkey credential.	`credential_id`
`deleteTotpCredential`	A user deletes a TOTP authenticator app setup key.
`login`	A user logs into the account console.	`user` `authenticationMethod`
`logout`	A user logs out of the account console.	`user`
`mfaLogin`	A user logs in to the account console using multi-factor authentication.	`user` `authenticationMethod`
`mintOAuthAuthorizationCode`	Recorded when in-house OAuth authorization code is minted at the account level.	`client_id`
`mintOAuthToken`	An account-level OAuth token is issued to the service principal.	`grant_type` `scope` `expires_in` `client_id`
`multiFactorAuthenticationLogin`	A user logs in to the account console using multi-factor authentication.	`user` `authenticationMethod`
`multiFactorAuthenticationUpdateUserAuthPolicy`	A user's multi-factor authentication policy is updated.	`user_mfa_state` `user_id`
`oidcBrowserLogin`	A user logs into their account with the OpenID Connect browser workflow.	`user`
`oidcTokenAuthorization`	An OIDC token is authenticated for an account admin login.	`user` `authenticationMethod`
`registerPasskeyCredential`	A user registers a passkey credential for multi-factor authentication.
`registerTotpCredential`	A user registers a TOTP authenticator app credential for multi-factor authentication.
`skipRegistration`	A user skips multi-factor authentication registration.
`tokenLogin`	A user logs into Databricks using a token.	`tokenId` `user` `authenticationMethod`

Account-level user and group management events

These events are related to account-level user and group management.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`activateUser`	A user is reactivated after being deactivated. See Deactivate users in account.	`targetUserName` `endpoint` `targetUserId`
`add`	A user is added to the Azure Databricks account.	`targetUserName` `endpoint` `targetUserId`
`addPrincipalToGroup`	A user is added to an account-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`addPrincipalsToGroup`	Users are added to an account-level group using SCIM provisioning.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`createGroup`	An account-level group is created.	`endpoint` `targetGroupId` `targetGroupName`
`deactivateUser`	A user is deactivated. See Deactivate users in account.	`targetUserName` `endpoint` `targetUserId`
`delete`	A user is deleted from the Azure Databricks account.	`targetUserId` `targetUserName` `endpoint`
`removeAccountAdmin`	An account admin removes account admin permissions from another user.	`targetUserName` `endpoint` `targetUserId`
`removeGroup`	A group is removed from the account.	`targetGroupId` `targetGroupName` `endpoint`
`removePrincipalFromGroup`	A user is removed from an account-level group.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `groupMembershipType` `targetUserName`
`removePrincipalsFromGroup`	Users are removed from an account-level group using SCIM provisioning.	`targetGroupId` `endpoint` `targetUserId` `targetGroupName` `targetUserName`
`setAccountAdmin`	An account admin assigns the account admin role to another user.	`targetUserName` `endpoint` `targetUserId`
`updateGroup`	An account admin updates an account-level group.	`endpoint` `targetGroupId` `targetGroupName`
`updateUser`	An account admin updates a user account.	`targetUserName` `endpoint` `targetUserId` `targetUserExternalId`
`usernameDomainDenied`	A user sign-up attempt is denied because the email domain is not allowed.	`targetUserName`
`validateEmail`	When a user validates their email after account creation.	`endpoint` `targetUserName` `targetUserId`

Account-level token and settings events

These events are related to token management and account settings.

These events are logged under the service_name of accounts.

action_name	Description	request_params
`accountIpAclsValidationFailed`	IP permissions validation fails. Returns statusCode 403.	`sourceIpAddress` `user`: logged as an email address
`deleteSetting`	Account admin removes a setting from the Azure Databricks account.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName` `settingValueForAudit`
`garbageCollectDbToken`	A user runs a garbage collect command on expired tokens.	`tokenExpirationTime` `tokenClientId` `userId` `tokenCreationTime` `tokenFirstAccessed` `tokenHash`
`generateDbToken`	User generates a token from User Settings or when the service generates the token.	`tokenExpirationTime` `tokenCreatedBy` `tokenHash` `userId`
`setSetting`	An account admin updates an account-level setting.	`settingKeyTypeName` `settingKeyName` `settingTypeName` `settingName` `settingValueForAudit`

Service principal credentials events

These events are logged at the account level. These events are related to service credentials.

These events are logged under the service_name of servicePrincipalCredentials.

action_name	Description	request_params
`create`	Account admin generates an OAuth secret for the service principal.	`account_id` `service_principal` `secret_id` `lifetime`
`list`	Account admin lists all OAuth secrets under a service principal.	`account_id` `service_principal`
`delete`	Account admin deletes a service principal's OAuth secret.	`account_id` `service_principal` `secret_id`

Serverless budget policy events

These events are logged at the account level and are related to serverless budget policies. See Attribute usage with serverless usage policies.

These events are logged under the service_name of budgetPolicyCentral.

action_name	Description	request_params
`createBudgetPolicy`	Workspace admin or billing admin creates a serverless budget policy. The new `policy_id` is logged in the `response` column.	`policy_name`
`updateBudgetPolicy`	Workspace admin, billing admin, or policy manager updates a serverless budget policy.	`policy.policy_id` `policy.policy_name`
`deleteBudgetPolicy`	Workspace admin, billing admin, or policy manager deletes a serverless budget policy.	`policy_id`

Delta Sharing provider events

These audit log events are logged in the provider's account. Actions that are performed by recipients start with the deltaSharing prefix. Each of these logs also includes request_params.metastore_id, which is the metastore that manages the shared data, and userIdentity.email, which is the ID of the user who initiated the activity.

These events are logged under the service_name of unityCatalog.

action_name	Description	request_params
`deltaSharingListShares`	A data recipient requests a list of shares.	`options`: The pagination options provided with this request. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingGetShare`	A data recipient requests details about a shares.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListSchemas`	A data recipient requests a list of shared schemas.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `options`: The pagination options provided with this request. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListAllTables`	A data recipient requests a list of all shared tables.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListTables`	A data recipient requests a list of shared tables.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `options`: The pagination options provided with this request. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingGetTableMetadata`	A data recipient requests a details about a table's metadata.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `predicateHints`: The predicates included in the query. `limitHints`: The maximum number of rows to return. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingGetTableVersion`	A data recipient requests a details about a table version.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingQueryTable`	Logged when a data recipient queries a shared table.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `predicateHints`: The predicates included in the query. `limitHints`: The maximum number of rows to return. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingQueryTableChanges`	Logged when a data recipient queries change data for a table.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `schema`: The name of the schema. `name`: The name of the table. `cdf_options`: Change data feed options. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingQueriedTable`	Logged after a data recipient gets a response to their query. The `response.result` field includes more information on the recipient's query	`recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingQueriedTableChanges`	Logged after a data recipient gets a response to their query. The `response.result` field includes more information on the recipient's query.	`recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListNotebookFiles`	A data recipient requests a list of shared notebook files.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingQueryNotebookFile`	A data recipient queries a shared notebook file.	`file_name`: The name of the notebook file. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListFunctions`	A data recipient requests a list of functions in a parent schema.	`share`: The name of the share. `schema`: The name of the parent schema of the function. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListAllFunctions`	A data recipient requests a list of all shared functions.	`share`: The name of the share. `schema`: The name of the parent schema of the function. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListFunctionVersions`	A data recipient requests a list of function versions.	`share`: The name of the share. `schema`: The name of the parent schema of the function. `function`: The name of the function. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListVolumes`	A data recipient requests a list of shared volumes in a schema.	`share`: The name of the share. `schema`: The parents schema of the volumes. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`deltaSharingListAllVolumes`	A data recipient requests all shared volumes.	`share`: The name of the share. `recipient_name`: Indicates the recipient executing the action. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, true if the request was denied and false if the request was not denied. `sourceIPaddress` is the recipient IP address.
`updateMetastore`	Provider updates their metastore.	`delta_sharing_scope`: Values can be `INTERNAL` or `INTERNAL_AND_EXTERNAL`. `delta_sharing_recipient_token_lifetime_in_seconds`: If present, indicates that the recipient token lifetime was updated.
`createRecipient`	Provider creates a data recipient.	`name`: The name of the recipient. `comment`: The comment for the recipient. `ip_access_list.allowed_ip_addresses:` Recipient IP address allowlist.
`deleteRecipient`	Provider deletes a data recipient.	`name`: The name of the recipient.
`getRecipient`	Provider requests details about a data recipient.	`name`: The name of the recipient.
`listRecipients`	Provider requests a list of all their data recipients.	none
`rotateRecipientToken`	Provider rotates a recipient's token.	`name`: The name of the recipient. `comment`: The comment given in the rotation command.
`updateRecipient`	Provider updates a data recipient's attributes.	`name`: The name of the recipient. `updates`: A JSON representation of recipient attributes that were added or removed from the share.
`createShare`	Provider updates a data recipient's attributes.	`name`: The name of the share. `comment`: The comment for the share.
`deleteShare`	Provider updates a data recipient's attributes.	`name`: The name of the share.
`getShare`	Provider requests details about a share.	`name`: The name of the share. `include_shared_objects`: Whether the share's table names were included in the request.
`updateShare`	Provider adds or removes data assets from a share.	`name`: The name of the share. `updates`: A JSON representation of data assets that were added or removed from the share. Each item includes `action` (add or remove), `name` (the actual name of the table), `shared_as` (the name the asset was shared as, if different from the actual name), and `partition_specification` (if a partition specification was provided).
`listShares`	Provider requests a list of their shares.	none
`getSharePermissions`	Provider requests details on a share's permissions.	`name`: The name of the share.
`updateSharePermissions`	Provider updates a share's permissions.	`name`: The name of the share. `changes`: A JSON representation of the updated permissions. Each change includes `principal` (the user or group to whom permission is granted or revoked), `add` (the list of permissions that were granted), and `remove` (the list of permissions that were revoked).
`getRecipientSharePermissions`	Provider requests details about a recipient's share permissions.	`name`: The name of the share.
`getActivationUrlInfo`	Provider requests details about activity on their activation link.	`recipient_name`: The name of the recipient who opened the activation URL. `is_ip_access_denied`: None if there is no IP access list configured. Otherwise, `true` if the request was denied and `false` if the request was not denied. `sourceIPaddress` is the recipient IP address.
`generateTemporaryVolumeCredential`	Temporary credential is generated for the recipient to access a shared volume.	`share_name`: The name of the share through which the recipient requests. `share_id`: The ID of the share. `share_owner`: The owner of the share. `recipient_name`: The name of the recipient who requests the credential. `recipient_id`: The ID of the recipient. `volume_full_name`: The full 3-level name of the volume. `volume_id`: The ID of the volume. `volume_storage_location`: The cloud path of the volume root. `operation`: Either `READ_VOLUME` or `WRITE_VOLUME`. For volume sharing, only `READ_VOLUME` is supported. `credential_id`: The ID of the credential. `credential_type`: The type of the credential. Value is either `StorageCredential` or `ServiceCredential`. `credential_kind`: The method used to authorize access. `workspace_id`: Value is always `0` when the request is for shared volumes.
`generateTemporaryTableCredential`	Temporary credential is generated for the recipient to access a shared table.	`share_name`: The name of the share through which the recipient requests. `share_id`: The ID of the share. `share_owner`: The owner of the share. `recipient_name`: The name of the recipient who requests the credential. `recipient_id`: The ID of the recipient. `table_full_name`: The full 3-level name of the table. `table_id`: The ID of the table. `table_url`: The cloud path of the table root. `operation`: Either `READ` or `READ_WRITE`. `credential_id`: The ID of the credential. `credential_type`: The type of the credential. Value is either `StorageCredential` or `ServiceCredential`. `credential_kind`: The method used to authorize access. `workspace_id`: Value is always `0` when the request is for shared tables.
`createRecipientOidcPolicy`	Provider creates an OIDC federation policy for a recipient.	`recipient_name` `policy`
`deleteRecipientOidcPolicy`	Provider deletes an OIDC federation policy for a recipient.	`recipient_name` `name` `workspace_id` `metastore_id`
`deleteRecipientPolicy`	Provider deletes a recipient policy.	`recipient_name` `name` `workspace_id` `metastore_id`
`getRecipientOidcPolicy`	Provider requests details about a recipient's OIDC federation policy.	`recipient_name` `name` `workspace_id` `metastore_id`
`getRecipientPropertiesByDependentId`	Provider requests recipient properties for a dependent object.	`dependent` `property_keys` `workspace_id` `metastore_id`
`listRecipientOidcPolicies`	Provider requests a list of OIDC federation policies for a recipient.	`recipient_name` `workspace_id` `metastore_id`
`reconnectRecipientAccount`	Provider reconnects a Databricks-to-Databricks recipient account.	`recipient` `metastore_id`
`retrieveRecipientToken`	Recipient retrieves their bearer token for open sharing authentication.	`recipient_name` `is_ip_access_denied` `metastore_id`
`deltaSharingGetQueryInfo`	Provider requests query information for a shared table.	`name` `recipient_authentication_type` `recipient_global_metastore_id` `recipient_name` `share_id` `user_agent` `is_ip_access_denied` `share` `schema` `query_id` `share_name` `recipient_id` `workspace_id` `metastore_id`
`deltaSharingReconciliation`	Delta Sharing performs reconciliation for a shared table.	`tableType` `tableDataSourceFormat` `tableUrl` `schemaId` `tableFullName` `accountId` `metastoreId` `securableId` `catalogId` `opType` `workspace_id` `metastore_id`
`addShareToCatalog`	Recipient mounts a share to a catalog.	`catalog_name` `provider_name` `share_name` `workspace_id` `metastore_id`
`listSharesInCatalog`	User requests a list of shares mounted in a catalog.	`catalog_name` `workspace_id` `metastore_id`
`removeShareFromCatalog`	Recipient unmounts a share from a catalog.	`catalog_name` `provider_name` `share_name` `workspace_id` `metastore_id`
`listProviderShareAssets`	User requests a list of assets in a provider's share.	`provider_name_arg` `share_name_arg` `workspace_id` `metastore_id`
`listInboundSharedNotebookFiles`	Recipient requests a list of notebook files shared in a catalog.	`catalog_name` `workspace_id` `metastore_id`
`getInboundSharedNotebookFile`	Recipient requests details about a shared notebook file.	`catalog_name` `notebook_file_name_arg` `workspace_id` `metastore_id`
`listSharedCatalogs`	Provider requests a list of shared catalogs.	`provider_ids` `workspace_id` `metastore_id`

Delta Sharing recipient events

These events are logged in the data recipient's account. These events record recipient access of shared data and AI assets, along with events associated with the management of providers. Each of these events also includes the following request parameters:

recipient_name: The name of the recipient in the data provider's system.
metastore_id: The name of the metastore in the data provider's system.
sourceIPAddress: The IP address where the request originated.

These events are logged under the service_name of unityCatalog.

action_name	Description	request_params
`deltaSharingProxyGetTableVersion`	A data recipient requests details on a shared table version.	`share_name`: The name of the share. `catalog_name`: The name of the catalog mounted to the share. `schema`: The name of the table's parent schema. `name`: The name of the table.
`deltaSharingProxyGetTableMetadata`	A data recipient requests details on a shared table's metadata.	`share_name`: The name of the share. `catalog_name`: The name of the catalog mounted to the share. `schema`: The name of the table's parent schema. `name`: The name of the table.
`deltaSharingProxyQueryTable`	A data recipient queries a shared table.	`share_name`: The name of the share. `catalog_name`: The name of the catalog mounted to the share. `schema`: The name of the table's parent schema. `name`: The name of the table. `limitHints`: The maximum number of rows to return. `predicateHints`: The predicates included in the query. `version`: Table version, if change data feed is enabled.
`deltaSharingProxyQueryTableChanges`	A data recipient queries change data for a table.	`share_name`: The name of the share. `catalog_name`: The name of the catalog mounted to the share. `schema`: The name of the table's parent schema. `name`: The name of the table. `cdf_options`: Change data feed options.
`createProvider`	A data recipient creates a provider object.	`name`: The name of the provider. `comment`: The comment for the provider.
`updateProvider`	A data recipient updates a provider object.	`name`: The name of the provider. `updates`: A JSON representation of provider attributes that were added or removed from the share. Each item includes `action` (add or remove) and can include `name` (the new provider name), `owner` (new owner), and `comment`.
`deleteProvider`	A data recipient deletes a provider object.	`name`: The name of the provider.
`getProvider`	A data recipient requests details about a provider object.	`name`: The name of the provider.
`listProviders`	A data recipient requests a list of providers.	none
`activateProvider`	A data recipient activates a provider object.	`name`: The name of the provider.
`listProviderShares`	A data recipient requests a list of a provider's shares.	`name`: The name of the provider.

Delta Sharing external Iceberg client events

Important

This feature is in Public Preview.

These events are logged at the account level for external Iceberg clients accessing shared data using the Apache Iceberg REST Catalog API. To learn more, see Enable sharing to external Iceberg clients.

These events are logged when external Iceberg clients (such as Snowflake or other non-Databricks systems) access shared data.

These events are logged under the service_name of dataSharing.

action_name	Description	request_params
`icebergGetConfig`	An external Iceberg client requests configuration information.	`recipient_id` `recipient_name` `recipient_authentication_type` `user_agent` `share_id` `share_name` `namespace_name` `table_name` `metastore_id`
`icebergListNamespaces`	An external Iceberg client requests a list of namespaces.	`recipient_id` `recipient_name` `recipient_authentication_type` `user_agent` `share_id` `share_name` `namespace_name` `table_name` `metastore_id`
`icebergGetNamespace`	An external Iceberg client requests details about a namespace.	`recipient_id` `recipient_name` `recipient_authentication_type` `user_agent` `share_id` `share_name` `namespace_name` `table_name` `metastore_id`
`icebergListTables`	An external Iceberg client requests a list of tables in a namespace.	`recipient_id` `recipient_name` `recipient_authentication_type` `user_agent` `share_id` `share_name` `namespace_name` `table_name` `metastore_id`
`icebergLoadTable`	An external Iceberg client loads table metadata.	`recipient_id` `recipient_name` `recipient_authentication_type` `user_agent` `share_id` `share_name` `namespace_name` `table_name` `metastore_id`
`icebergReportMetrics`	An external Iceberg client reports metrics.	`recipient_id` `recipient_name` `recipient_authentication_type` `user_agent` `share_id` `share_name` `namespace_name` `table_name` `metastore_id`

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

These events are logged at the workspace level.

These events are logged under the service_name of sqlPermissions.

action_name	Description	request_params
`changeSecurableOwner`	Workspace admin or owner of an object transfers object ownership.	`securable` `principal`
`createSecurable`	User creates a securable object.	`securable`
`denyPermission`	Object owner denies privileges on a securable object.	`permission`
`grantPermission`	Object owner grants permission on a securable object.	`permission`
`removeAllPermissions`	User drops a securable object.	`securable`
`renameSecurable`	User renames a securable object.	`before` `after`
`requestPermissions`	User requests permissions on a securable object.	`requests` `denied` `permitted`
`revokePermission`	Object owner revokes permissions on their securable object.	`permission`
`showPermissions`	User views securable object permissions.	`securable` `principal`

Deprecated log events

Databricks has deprecated the following serverlessRealTimeInference diagnostic events. These events were associated with Legacy MLflow Model Serving, which reached end of life on September 15, 2025.

enable
disable

Databricks has deprecated the following databrickssql diagnostic events:

createAlertDestination (now createNotificationDestination)
deleteAlertDestination (now deleteNotificationDestination)
updateAlertDestination (now updateNotificationDestination)
muteAlert
unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

changeEndpointAcls
createEndpoint
editEndpoint
startEndpoint
stopEndpoint
deleteEndpoint
setEndpointConfig

Last updated on 2026-05-22

Diagnostic log reference

Workspace-level events

Authentication events

User and group management events

Token management events

IP access list events

IAM role events

AI/BI dashboard events

Alerts events

Clusters events

Cluster libraries events

Instance pool events

Job events

Lakeflow Spark Declarative Pipelines events

Cloud storage metadata events

Ingestion events

Lineage tracking events

Request for access events

Uniform Iceberg REST API events

DBFS events

DBFS API events

DBFS operational events

Files events

Workspace files events

Agent evaluation events

Production monitoring events

Evaluation dataset events

Synthetic data generation events

Review app events

MLflow experiment events

MLflow artifacts with ACL events

MLflow model registry events

Feature store events

Unity Catalog HTTP connection events

Databricks SQL events

Notebook events

Git folder events

Git credential events

Global init scripts events

Remote history service events

Workspace events

Secrets events

SSH events

Web terminal events

Webhook events

Account-level services

Account-level authentication events

Account-level user and group management events

Account-level token and settings events

Service principal credentials events

Serverless budget policy events

Delta Sharing provider events

Delta Sharing recipient events

Delta Sharing external Iceberg client events

SQL table access events

Deprecated log events

SQL endpoint logs

Additional resources