Diagnostic log reference

Note

This feature requires the Premium plan.

This article provides you with a comprehensive reference of audit log services and events. The availability of these services depends on how you access the logs:

  • Azure Monitor's diagnostic settings service does not log all of these services. Services that are unavailable on Azure's diagnostic settings are labeled accordingly.
  • The workspace-level and account-level designations only apply to the audit logs system table. Azure diagnostic logs do not include account-level events.

Note

Azure Databricks retains a copy of audit logs for up to 1 year for security and fraud analysis purposes.

Workspace-level events

The following services log audit events at the workspace level.

Account events

The following accounts events are logged at the workspace level. This service includes events related to accounts, users, groups, and IP access lists.

Service Action Description Request parameters
accounts accountLoginCodeAuthentication A user's account login code is authenticated.
  • user
accounts activateUser A user is reactivated after being deactivated. See Deactivate users in workspace.
  • targetUserName
  • endpoint
  • targetUserId
accounts aadBrowserLogin A user logs in to Databricks using a Microsoft Entra ID browser workflow.
  • user
accounts aadTokenLogin A user logs in to Databricks through the Microsoft Entra ID token.
  • user
accounts add A user is added to an Azure Databricks workspace.
  • targetUserName
  • endpoint
  • targetUserId
accounts addPrincipalToGroup A user is added to a workspace-level group.
  • targetGroupId
  • endpoint
  • targetUserId
  • targetGroupName
  • groupMembershipType
  • targetUserName
accounts changeDatabricksSqlAcl A user's Databricks SQL permissions are changed.
  • shardName
  • targetUserId
  • resourceId
  • aclPermissionSet
accounts changeDatabricksWorkspaceAcl Permissions to a workspace are changed.
  • shardName
  • targetUserId
  • resourceId
  • aclPermissionSet
accounts changeDbTokenAcl Permissions on an access token are changed.
  • shardName
  • targetUserId
  • resourceId
  • aclPermissionSet
accounts changeDbTokenState A Databricks access token is disabled.
  • tokenHash
  • tokenState
  • userId
accounts changeServicePrincipalAcls When a service principal's permissions are changed.
  • shardName
  • targetServicePrincipal
  • resourceId
  • aclPermissionSet
accounts createGroup A workspace-level group is created.
  • endpoint
  • targetUserId
  • targetUserName
accounts createIpAccessList An IP access list is added to the workspace.
  • ipAccessListId
  • userId
accounts deactivateUser A user is deactivated in the workspace. See Deactivate users in workspace.
  • targetUserName
  • endpoint
  • targetUserId
accounts delete A user is deleted from the Azure Databricks workspace.
  • targetUserId
  • targetUserName
  • endpoint
accounts deleteIpAccessList An IP access list is deleted from the workspace.
  • ipAccessListId
  • userId
accounts garbageCollectDbToken A user runs a garbage collect command on expired tokens.
  • tokenExpirationTime
  • tokenClientId
  • userId
  • tokenCreationTime
  • tokenFirstAccessed
  • tokenHash
accounts generateDbToken When someone generates a token from User Settings or when the service generates the token.
  • tokenExpirationTime
  • tokenCreatedBy
  • tokenHash
  • userId
accounts IpAccessDenied A user attempts to connect to the service through a denied IP.
  • path
  • user
  • userId
accounts ipAccessListQuotaExceeded
  • userId
accounts jwtLogin User logs into Databricks using a JWT.
  • user
  • authenticationMethod
accounts login User logs into the workspace.
  • user
  • authenticationMethod
accounts logout User logs out of the workspace.
  • user
accounts oidcTokenAuthorization When an API call is authorized through a generic OIDC/OAuth token.
  • user
  • authenticationMethod
accounts passwordVerifyAuthentication
  • user
accounts reachMaxQuotaDbToken When the current number of non-expired tokens exceeds the token quota.
accounts removeAdmin A user is revoked of workspace admin permissions.
  • targetUserName
  • endpoint
  • targetUserId
accounts removeGroup A group is removed from the workspace.
  • targetGroupId
  • targetGroupName
  • endpoint
accounts removePrincipalFromGroup A user is removed from a group.
  • targetGroupId
  • endpoint
  • targetUserId
  • targetGroupName
  • groupMembershipType
  • targetUserName
accounts revokeDbToken A user's token is dropped from a workspace. Can be triggered by a user being removed from the Databricks account.
  • userId
  • tokenHash
accounts setAdmin A user is granted account admin permissions.
  • endpoint
  • targetUserName
  • targetUserId
accounts tokenLogin A user logs into Databricks using a token.
  • tokenId
  • user
  • authenticationMethod
accounts updateIpAccessList An IP access list is changed.
  • ipAccessListId
  • userId
accounts updateUser A change is made to a user's account.
  • endpoint
  • targetUserName
  • targetUserId
  • targetUserExternalId
accounts validateEmail When a user validates their email after account creation.
  • endpoint
  • targetUserName
  • targetUserId
accounts workspaceLoginCodeAuthentication A user's workspace-scoped login code is authenticated.
  • user
  • authenticationMethod

AI/BI dashboard events

The following dashboards events are logged at the workspace level. This service includes events related to AI/BI dashboards.

Service Action Description Request parameters
dashboards getDashboard A user accesses the draft version of a dashboard either by viewing it in the UI or requesting the dashboard definition using the API. Only workspace users can access the draft version of a dashboard.
  • dashboard_id
dashboards getPublishedDashboard A user accesses the published version of a dashboard by viewing in the UI or requesting the dashboard definition using the API. Includes activity from both workspace users and account users. Excludes receiving a PDF snapshot of a dashboard using scheduled email.
  • dashboard_id
  • credentials_embedded
dashboards executeQuery A user executes a query from a dashboard.
  • dashboard_id
  • statement_id
  • details
dashboards cancelQuery A user cancels a query from a dashboard.
  • dashboard_id
  • statement_id
dashboards getQueryResult A user receives the results of a query from a dashboard.
  • dashboard_id
  • statement_id
dashboards triggerDashboardSnapshot A user downloads a PDF snapshot of a dashboard.
  • dashboard_id
  • name
dashboards sendDashboardSnapshot A PDF snapshot of a dashboard is sent through a scheduled email.
The request parameters values depend on the type of recipient. For a Databricks notification destination, only the destination_id is shown. For a Databricks user, the subscriber's user ID and email address are shown. If the recipient is an email address, only the email address is shown.
  • dashboard_id
  • subscriber_destination_id
  • subscriber_user_details.user_id
  • subscriber_user_details.email_address
dashboards getDashboardDetails A user accesses details of a draft dashboard, such as datasets and widgets. getDashboardDetails is always emitted when a user views a draft dashboard using UI or requests the dashboard definition using the API.
  • dashboard_id
dashboards createDashboard A user creates a new AI/BI dashboard using the UI or API.
  • dashboard_id
dashboards updateDashboard A user makes an update to an AI/BI dashboard using the UI or API.
  • dashboard_id
dashboards cloneDashboard A user clones an AI/BI dashboard.
  • source_dashboard_id
  • new_dashboard_id
dashboards publishDashboard A user publishes an AI/BI dashboard with or without embedded credentials using the UI or API.
  • dashboard_id
  • credentials_embedded
  • warehouse_id
dashboards unpublishDashboard A user unpublishes a published AI/BI dashboard using the UI or API.
  • dashboard_id
dashboards trashDashboard A user moves a dashboard to the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events.
  • dashboard_id
dashboards restoreDashboard A user restores an AI/BI dashboard from the trash using the dashboard UI or Lakeview API commands. This event is logged only when performed through these channels, not for workspace actions. To audit workspace actions, see Workspace events.
  • dashboard_id
dashboards migrateDashboard A user migrates a DBSQL dashboard to an AI/BI dashboard.
  • source_dashboard_id
  • new_dashboard_id
  • update_parameter_syntax
dashboards createSchedule A user creates an email subscription schedule.
  • dashboard_id
  • schedule_id
  • schedule
dashboards updateSchedule A user makes an update to an AI/BI dashboard's schedule.
  • dashboard_id
  • schedule_id
dashboards deleteSchedule A user deletes an AI/BI dashboard's schedule.
  • dashboard_id
  • schedule_id
dashboards createSubscription A user subscribes an email destination to an AI/BI dashboard schedule.
  • dashboard_id
  • schedule_id
  • schedule
dashboards deleteSubscription A user deletes an email destination from an AI/BI dashboard schedule.
  • dashboard_id
  • schedule_id

Alerts events

Important

This feature is in Beta.

The following alerts events are logged at the workspace level. This service includes events related to alerts.

Note

This service does not record legacy alert events. Legacy alert events are logged under the databrickssql service.

Service Action Description Request parameters
alerts apiCreateAlert A user creates an alert using the Alerts V2 API.
  • alert.id
alerts apiGetAlert A user gets an alert using the Alerts V2 API.
  • alert_id
alerts apiTrashAlert A user deletes an alert using the Alerts V2 API.
  • alert_id
alerts apiUpdateAlert A user updates an alert using the Alerts V2 API.
  • alert.id
alerts cloneAlert A user clones an existing alert.
  • alert_id
alerts createAlert A user creates a new alert.
  • alert_id
alerts getAlert A user gets information about an alert using the UI.
  • alert_id
alerts previewAlertEvaluate The Test condition feature returns the results of the alert test.
  • execution_session_id
alerts previewAlertExecute A user uses the Test condition feature to preview and test their alert.
  • warehouse_id
alerts runNowAlert A user clicks the Run now button to run the alert query immediately.
  • alert_id
alerts updateAlert A user updates the details of an alert.
  • alert.id

Clusters events

The following cluster events are logged at the workspace level. This service includes events related to classic clusters.

Service Action Description Request parameters
clusters changeClusterAcl A user changes the cluster ACL.
  • shardName
  • aclPermissionSet
  • targetUserId
  • resourceId
clusters create A user creates a cluster.
  • access_mode
  • acl_path_prefix
  • apply_policy_default_values
  • assigned_principal
  • autoscale
  • autotermination_minutes
  • aws_attributes
  • billing_info
  • budget_policy_id
  • channel
  • clone_from
  • cluster_creator
  • cluster_event_notification_info
  • cluster_log_conf
  • cluster_name
  • cluster_source
  • cpu_architecture
  • custom_tags
  • data_security_mode
  • disk_spec
  • docker_image
  • driver_instance_pool_id
  • driver_instance_source
  • driver_node_type_id
  • effective_spark_version
  • enable_elastic_disk
  • enable_jobs_autostart
  • enable_local_disk_encryption
  • enable_serverless_compute
  • idempotency_token
  • init_scripts
  • instance_pool_id
  • instance_source
  • is_single_node
  • kind
  • nephos_virtual_driver_size
  • nephos_virtual_worker_size
  • no_driver_daemon
  • node_type_id
  • num_workers
  • organization_id
  • performance_target
  • platform_channel
  • policy_id
  • runtime_engine
  • single_user_name
  • spark_conf
  • spark_env_vars
  • spark_image_key
  • spark_version
  • ssh_public_keys
  • start_cluster
  • use_ml_runtime
  • user_id
  • validate_cluster_name_uniqueness
  • virtual_cluster_size
  • workload_type
clusters createResult Results from cluster creation. In conjunction with create.
  • clusterName
  • clusterState
  • clusterId
  • clusterTerminationReasonCode
  • clusterWorkers
  • clusterOwnerUserId
clusters delete A cluster is terminated.
  • cluster_id
  • termination_reason
clusters deleteResult Results from cluster termination. In conjunction with delete.
  • clusterName
  • clusterState
  • clusterId
  • clusterTerminationReasonCode
  • clusterWorkers
  • clusterOwnerUserId
clusters edit A user makes changes to cluster settings. This logs all changes except for changes in cluster size or autoscaling behavior.
  • acl_path_prefix
  • apply_policy_default_values
  • assigned_principal
  • autoscale
  • autotermination_minutes
  • aws_attributes
  • cluster_creator
  • cluster_id
  • cluster_log_conf
  • cluster_name
  • cluster_source
  • custom_tags
  • data_security_mode
  • docker_image
  • driver_instance_pool_id
  • driver_node_type_id
  • effective_spark_version
  • enable_elastic_disk
  • enable_local_disk_encryption
  • idempotency_token
  • init_scripts
  • instance_pool_id
  • is_single_node
  • kind
  • no_driver_daemon
  • node_type_id
  • num_workers
  • organization_id
  • policy_id
  • runtime_engine
  • single_user_name
  • spark_conf
  • spark_env_vars
  • spark_version
  • ssh_public_keys
  • start_cluster
  • use_ml_runtime
  • user_id
  • validate_cluster_name_uniqueness
  • virtual_cluster_size
  • workload_type
clusters permanentDelete A cluster is deleted from the UI.
  • cluster_id
clusters resize Cluster resizes. This is logged on running clusters where the only property that changes is either the cluster size or autoscaling behavior.
  • avoid_containers
  • autoscale
  • cluster_id
  • num_workers
clusters resizeResult Results from cluster resize. In conjunction with resize.
  • clusterName
  • clusterState
  • clusterId
  • clusterWorkers
  • clusterOwnerUserId
clusters restart A user restarts a running cluster.
  • cluster_id
clusters restartResult Results from cluster restart. In conjunction with restart.
  • clusterName
  • clusterState
  • clusterId
  • clusterTerminationReasonCode
  • clusterWorkers
  • clusterOwnerUserId
clusters start A user starts a cluster.
  • cluster_id
  • init_scripts_safe_mode
clusters startResult Results from cluster start. In conjunction with start.
  • clusterName
  • clusterState
  • clusterId
  • clusterTerminationReasonCode
  • clusterWorkers
  • clusterOwnerUserId

Cluster libraries events

The following clusterLibraries events logged at the workspace level. This service includes events related to compute-scoped libraries.

Service Action Description Request parameters
clusterLibraries installLibraries User installs a library on a cluster.
  • cluster_id
  • libraries
  • are_installed_via_policy
  • replace
clusterLibraries uninstallLibraries User uninstalls a library on a cluster.
  • cluster_id
  • libraries
clusterLibraries installLibraryOnAllClusters A workspace admin schedules a library to install on all cluster.
  • user
  • library
clusterLibraries uninstallLibraryOnAllClusters A workspace admin removes a library from the list to install on all clusters.
  • user
  • library

Databricks SQL events

The following databrickssql events are logged at the workspace level. This service includes events related to Databricks SQL.

Note

If you manage your SQL warehouses using the legacy SQL endpoints API, your SQL warehouse audit events will have different action names. See SQL endpoint logs.

Service Action Description Request parameters
databrickssql cancelQueryExecution A query execution is cancelled from the SQL editor UI. This does not include cancellations that originate from the Query History UI or Databricks SQL Execution API.
  • queryExecutionId: Only emitted when the legacy SQL editor is used.
  • query_id: Only emitted when the new SQL editor is used.
databrickssql changeEndpointAcls A warehouse manager updates permissions on a SQL warehouse.
  • aclPermissionSet
  • resourceId
  • shardName
  • targetUserId
databrickssql cloneFolderNode A user clones a folder in the workspace browser.
  • dashboardId
databrickssql commandFinish Only in verbose audit logs. Generated when a command on a SQL warehouse completes or is canceled, regardless of the origin of the cancellation request.
  • warehouseId
  • commandId
databrickssql commandSubmit Only in verbose audit logs. Generated when a command is submitted to a SQL warehouse, regardless of origin of the request.
  • warehouseId
  • commandId
  • validation
  • commandText
  • commandParameters
databrickssql createAlert A user creates a legacy alert.
  • alertId
  • queryId
databrickssql createQuery A user creates a new query.
  • queryId
databrickssql getQuery A user opens a query in SQL editor page or calls the Databricks SQL Get a query API. Only emitted when the legacy SQL editor or Databricks SQL REST API is used.
  • queryId
databrickssql createQueryDraft A user creates a query draft. Only emitted when the legacy SQL editor is used.
  • queryId
databrickssql createQuerySnippet A user creates a query snippet.
  • querySnippetId
databrickssql createVisualization A user generates a visualization using the SQL editor. Excludes default results tables and visualizations in notebooks that utilize SQL warehouses. Only emitted when the legacy SQL editor is used.
  • queryId
  • visualizationId
databrickssql createWarehouse A user with the cluster create entitlement creates a SQL warehouse.
  • auto_resume
  • auto_stop_mins
  • channel
  • warehouse_type
  • cluster_size
  • conf_pairs
  • custom_cluster_confs
  • enable_databricks_compute
  • enable_photon
  • enable_serverless_compute
  • instance_profile_arn
  • max_num_clusters
  • min_num_clusters
  • name
  • size
  • spot_instance_policy
  • tags
  • test_overrides
databrickssql deleteAlert A user deletes a legacy alert through the API. Excludes deletions from the file browser UI or from the legacy alert interface.
  • alertId
databrickssql deleteNotificationDestination A workspace admin deletes a notification destination.
  • notificationDestinationId
databrickssql deleteDashboard A user deletes a dashboard either from the dashboard interface or through API. Excludes deletion via the file browser UI.
  • dashboardId
databrickssql deleteDashboardWidget A user deletes a dashboard widget.
  • widgetId
databrickssql deleteWarehouse A warehouse manager deletes a SQL warehouse.
  • id
databrickssql deleteQuery A user deletes a query, either from the query interface or through API. Excludes deletion via the file browser UI.
  • queryId
databrickssql deleteQueryDraft A user deletes a query draft. Only emitted when the legacy SQL editor is used.
  • queryId
databrickssql deleteQuerySnippet A user deletes a query snippet.
  • querySnippetId
databrickssql deleteVisualization A user deletes a visualization from a query in the SQL Editor. Only emitted when the legacy SQL editor is used.
  • visualizationId
databrickssql downloadQueryResult A user downloads a query result from the SQL Editor. Excludes downloads from dashboards.
  • fileType
  • queryId
  • queryResultId: Only emitted when the legacy SQL editor is used.
  • credentialsEmbedded
  • credentialsEmbeddedId
databrickssql editWarehouse A warehouse manager makes edits to a SQL warehouse.
  • auto_stop_mins
  • channel
  • warehouse_type
  • cluster_size
  • confs
  • enable_photon
  • enable_serverless_compute
  • id
  • instance_profile_arn
  • max_num_clusters
  • min_num_clusters
  • name
  • spot_instance_policy
  • tags
databrickssql executeAdhocQuery Generated by one of the following:
  • A user runs a query draft in the SQL editor
  • A query is executed from a visualization aggregation
  • A user loads a dashboard and executes underlying queries
  • dataSourceId: Only emitted when the legacy SQL editor is used. Equivalent to the SQL warehouse ID.
  • warehouse_id: Only emitted when the new SQL editor is used.
  • query_id: Only emitted when the new SQL editor is used. Corresponds to the current query text in the new SQL editor, which may be equivalent to the original saved query.
databrickssql executeSavedQuery A user runs a saved query. Only emitted when the legacy SQL editor is used.
  • queryId
databrickssql executeWidgetQuery Generated by any event that executes a query such that a dashboard panel refreshes. Some examples of applicable events include:
  • Refreshing a single panel
  • Refreshing an entire dashboard
  • Scheduled dashboard executions
  • Parameter or filter changes operating over more than 64,000 rows
  • widgetId
databrickssql favoriteDashboard A user favorites a dashboard.
  • dashboardId
databrickssql favoriteQuery A user favorites a query.
  • queryId
databrickssql forkQuery A user clones a query.
  • originalQueryId
  • queryId
databrickssql getAlert A user opens a legacy alert's details page or calls the legacy get alert API.
  • id: ID of the alert
databrickssql getHistoryQueriesByLookupKeys A user gets details for one or more query executions using lookup keys.
  • lookup_keys
  • include_metrics
databrickssql getHistoryQuery A user gets details for a query execution using the UI.
  • id
  • queryId
  • include_metrics
  • include_plans
  • include_json_plans
databrickssql listHistoryQueries A user opens the query history page or calls the Query History List Queries API.
  • filter_by
  • include_metrics
  • max_results
  • page_token
  • order_by
databrickssql moveAlertToTrash A user moves an legacy alert to the trash using the API. Excludes deletions from the file browser UI or from the legacy alert interface.
  • alertId
databrickssql moveDashboardToTrash A user moves a dashboard to the trash.
  • dashboardId
databrickssql moveQueryToTrash A user moves a query to the trash.
  • queryId
  • treestoreId: Only emitted when the new SQL editor is used and a valid queryId cannot be returned.
databrickssql restoreAlert A user restores a legacy alert from the trash.
  • alertId
databrickssql restoreDashboard A user restores a dashboard from the trash.
  • dashboardId
databrickssql restoreQuery A user restores a query from the trash.
  • queryId
databrickssql setWarehouseConfig A workspace admin updates their workspace's SQL warehouse settings, including configuration parameters and data access properties.
  • data_access_config
  • enable_serverless_compute
  • instance_profile_arn
  • security_policy
  • serverless_agreement
  • sql_configuration_parameters
databrickssql snapshotDashboard A user requests a snapshot of a dashboard. Includes scheduled dashboard snapshots.
  • dashboardId
databrickssql startWarehouse A SQL warehouse is started.
  • id
databrickssql stopWarehouse A warehouse manager stops a SQL warehouse. Excludes autostopped warehouses.
  • id
databrickssql transferObjectOwnership A workspace admin transfers the ownership of a dashboard, query, or legacy alert to an active user through the transfer object ownership API. Ownership transfer done through the UI or update APIs is not captured by this audit log event.
  • newOwner
  • objectId
  • objectType
databrickssql unfavoriteDashboard A user removes a dashboard from their favorites.
  • dashboardId
databrickssql unfavoriteQuery A user removes a query from their favorites.
  • queryId
databrickssql updateAlert A user makes updates to a legacy alert. ownerUserName is populated if the legacy alert ownership is transferred using the API.
  • alertId
  • queryId
  • ownerUserName
databrickssql updateNotificationDestination A workspace admin makes an update to a notification destination.
  • notificationDestinationId
databrickssql updateDashboardWidget A user makes an update to a dashboard widget. Excludes changes to axis scales. Examples of applicable updates include:
  • Change to widget size or placement
  • Adding or removing widget parameters
  • widgetId
databrickssql updateDashboard A user makes an update to a dashboard property. Excludes changes to schedules and subscriptions. Examples of applicable updates include:
  • Change in dashboard name
  • Change to the SQL warehouse
  • Change to Run As settings
  • dashboardId
databrickssql updateFolderNode A user updates a folder node in the workspace browser.
  • name
databrickssql updateOrganizationSetting A workspace admin makes updates to the workspace's SQL settings.
  • has_configured_data_access
  • has_explored_sql_warehouses
  • has_granted_permissions
  • hide_plotly_mode_bar
  • send_email_on_failed_dashboards
  • allow_downloads
databrickssql updateQuery A user makes an update to a query. ownerUserName is populated if the query ownership is transferred using the API.
  • queryId
  • ownerUserName
databrickssql updateQueryDraft A user makes an update to a query draft. Only emitted when the legacy SQL editor is used.
  • queryId
databrickssql updateQuerySnippet A user makes an update to a query snippet.
  • querySnippetId
databrickssql updateVisualization A user updates a visualization from either the SQL Editor or the dashboard. Only emitted when the legacy SQL editor is used.
  • visualizationId
databrickssql viewAdhocVisualizationQuery A user views the query behind a visualization. none

Data monitoring events

The following dataMonitoring events are logged at the workspace level. This service includes events related to Lakehouse Monitoring .

Service Action Description Request parameters
dataMonitoring CancelRefresh User cancels a monitor refresh.
  • full_table_name_arg
  • refresh_id
dataMonitoring CreateMonitor User creates a monitor.
  • data_classification_config
  • full_table_name_arg
  • assets_dir
  • schedule
  • output_schema_name
  • notifications
  • inference_log
  • custom_metrics
  • slicing_exprs
  • snapshot
  • time_series
dataMonitoring DeleteMonitor User deletes a monitor.
  • full_table_name_arg
dataMonitoring RegenerateDashboard User regenerates a monitor dashboard.
  • full_table_name_arg
dataMonitoring RunRefresh Monitor is refreshed, either by schedule or manually.
  • full_table_name_arg
dataMonitoring UpdateMonitor User makes an update to a monitor.
  • data_classification_config
  • table_name
  • full_table_name_arg
  • drift_metrics_table_name
  • dashboard_id
  • custom_metrics
  • assets_dir
  • monitor_version
  • profile_metrics_table_name
  • baseline_table_name
  • status
  • output_schema_name
  • inference_log
  • slicing_exprs
  • latest_monitor_failure_msg
  • notifications
  • schedule
  • snapshot

DBFS events

The following dbfs events are logged at the workspace level. This service includes events related to DBFS.

There are two types of DBFS events: API calls and operational events.

DBFS API events

The following DBFS audit events are only logged when written through the DBFS REST API.

Service Action Description Request parameters
dbfs addBlock User appends a block of data to the stream. This is used in conjunction with dbfs/create to stream data to DBFS.
  • handle
  • data_length
dbfs create User opens a stream to write a file to DBFs.
  • path
  • bufferSize
  • overwrite
dbfs delete User deletes the file or directory from DBFs.
  • recursive
  • path
dbfs mkdirs User creates a new DBFS directory.
  • path
dbfs move User moves a file from one location to another location within DBFs.
  • dst
  • source_path
  • src
  • destination_path
dbfs put User uploads a file through the use of multipart form post to DBFs.
  • path
  • overwrite

DBFS operational events

The following DBFS audit events occur at the compute plane.

Service Action Description Request parameters
dbfs mount User creates a mount point at a certain DBFS location.
  • mountPoint
  • owner
dbfs unmount User removes a mount point at a certain DBFS location.
  • mountPoint

Feature store events

The following featureStore events are logged at the workspace level. This service includes events related to the Databricks Feature Store.

Service Action Description Request parameters
featureStore addConsumer A consumer is added to the feature store.
  • features
  • job_run
  • notebook
featureStore addDataSources A data source is added to a feature table.
  • feature_table
  • paths
  • tables
featureStore addProducer A producer is added to a feature table.
  • feature_table
  • job_run
  • notebook
  • producer_action
featureStore changeFeatureTableAcl Permissions are changed in a feature table.
  • aclPermissionSet
  • resourceId
  • shardName
  • targetUserId
featureStore createFeatureSpec A feature specification is created.
  • feature_spec_yaml
  • name
featureStore createFeatureTable A feature table is created.
  • description
  • is_imported
  • name
  • partition_keys
  • primary_keys
  • timestamp_keys
featureStore createFeatures Features are created in a feature table.
  • feature_table
  • features
featureStore deleteFeatureTable A feature table is deleted.
  • dry_run
  • name
featureStore deleteTags Tags are deleted from a feature table.
  • feature_table_id
  • keys
featureStore generateFeatureSpecYaml A feature specification YAML is generated.
  • exclude_columns
  • feature_spec_yaml
  • features
  • input_columns
featureStore getBrickstoreOnlineTableMetadata A user gets Brickstore online table metadata.
  • feature_table_features
featureStore getConsumers A user makes a call to get the consumers in a feature table.
  • feature_table
featureStore getFeatureStoreWidePermissions A user gets feature store-wide permissions. none
featureStore getFeatureTable A user makes a call to get feature tables.
  • exclude_online_stores
  • include_producers
  • name
featureStore getFeatureTablesById A user makes a call to get feature table IDs.
  • ids
featureStore getFeatures A user makes a call to get features.
  • feature_table
  • max_results
featureStore getModelServingMetadata A user makes a call to get Model Serving metadata.
  • feature_table_features
featureStore getOnlineFeatureTables A user gets online feature tables.
  • create_if_not_exist
  • feature_table_features
  • include_brickstore
  • is_v1_serving
featureStore getOnlineFeatureTablesState A user gets the state of online feature tables.
  • feature_table_names
featureStore getOnlineStore A user makes a call to get online store details.
  • cloud
  • feature_table
  • online_table
  • store_type
featureStore getOnlineStores A user gets online stores.
  • feature_tables
featureStore getTags A user makes a call to get tags for a feature table.
  • feature_table_id
featureStore logFeatureStoreClientEvent A feature store client event is logged.
  • aggregate_features
  • create_materialized_view
featureStore publishFeatureTable A feature table is published.
  • cloud
  • feature_table
  • host
  • online_table
  • port
  • read_secret_prefix
  • store_type
  • write_secret_prefix
featureStore searchFeatureTables A user searches for feature tables.
  • catalog_names
  • exclude_online_stores
  • is_multi_catalog
  • max_results
  • owner_ids
  • page_token
  • search_scopes
  • sort_order
  • text
featureStore setTags Tags are added to a feature table.
  • feature_table_id
  • tags
featureStore updateFeatureTable A feature table is updated.
  • description
  • name

Files events

The following filesystem events are logged at the workspace level. This service includes events related to file management, which includes interacting with files using the Files API or in the volumes UI.

Service Action Description Request parameters
filesystem directoriesDelete A user deletes a directory using the Files API or the volumes UI.
  • path
filesystem directoriesGet A user lists the contents of a directory using the Files API or the volumes UI.
  • path
filesystem directoriesHead A user gets information about a directory using the Files API or the volumes UI.
  • path
filesystem directoriesPut A user creates a directory using the Files API or the volumes UI.
  • path
filesystem filesDelete User deletes a file using the Files API or the volumes UI.
  • path
filesystem filesGet User downloads a file using the Files API or the volumes UI.
  • path
  • transferredSize
filesystem filesHead User gets information about a file using the Files API or the volumes UI.
  • path
filesystem filesPut User uploads a file using the Files API or the volumes UI.
  • path
  • receivedSize

Git credential events

The following gitCredentials events are logged at the workspace level. This service includes events related to Git credentials for Databricks Git folders.

Service Action Description Request parameters
gitCredentials createGitCredential A user creates a git credential.
  • git_provider
  • git_username
gitCredentials deleteGitCredential A user deletes a git credential.
  • id
gitCredentials getGitCredential A user gets a git credentials.
  • id
gitCredentials linkGitProvider A user links a git provider.
  • git_provider
  • principal_id
gitCredentials listGitCredentials A user lists all git credentials
  • principal_id
gitCredentials updateGitCredential A user updates a git credential.
  • id
  • git_provider
  • git_username

Git folder events

The following repos events are logged at the workspace level. This service includes events related to Databricks Git folders. See also gitCredentials.

Service Action name Description Request parameters
repos checkoutBranch A user checks out a branch on the repo.
  • id
  • branch
repos commitAndPush A user commits and pushes to a repo.
  • id
  • message
  • files
  • checkSensitiveToken
repos createRepo A user creates a repo in the workspace
  • url
  • provider
  • path
repos deleteRepo A user deletes a repo.
  • id
repos discard A user discards a commit to a repo.
  • id
  • file_paths
repos getRepo A user makes a call to get information about a single repo.
  • id
repos listRepos A user makes a call to get all repos they have Manage permissions on.
  • path_prefix
  • next_page_token
repos pull A user pulls the latest commits from a repo.
  • id
repos updateRepo A user updates the repo to a different branch or tag, or to the latest commit on the same branch.
  • id
  • branch
  • tag
  • git_url
  • git_provider

Global init scripts events

The following globalInitScripts events are logged at the workspace level. This service includes events related global init scripts.

Service Action Description Request parameters
globalInitScripts create A workspace admin creates a global initialization script.
  • name
  • position
  • script-SHA256
  • enabled
globalInitScripts update A workspace admin updates a global initialization script.
  • script_id
  • name
  • position
  • script-SHA256
  • enabled
globalInitScripts delete A workspace admin deletes a global initialization script.
  • script_id

IAM role events

The following iamRole event is logged at the workspace level.

Service Action Description Request parameters
iamRole changeIamRoleAcl A workspace admin changes permissions for an IAM role.
  • targetUserId
  • shardName
  • resourceId
  • aclPermissionSet

Ingestion events

The following ingestion event is logged at the workspace level and is related to file uploads.

Service Action Description Request parameters
ingestion proxyFileUpload A user uploads a file to their Azure Databricks workspace.
  • x-databricks-content-length-0
  • x-databricks-total-files

Instance pool events

The following instancePools events are logged at the workspace level. This service includes events related to pools.

Service Action Description Request parameters
instancePools changeInstancePoolAcl A user changes an instance pool's permissions.
  • shardName
  • resourceId
  • targetUserId
  • aclPermissionSet
instancePools create A user creates an instance pool.
  • enable_elastic_disk
  • preloaded_spark_versions
  • idle_instance_autotermination_minutes
  • instance_pool_name
  • node_type_id
  • custom_tags
  • max_capacity
  • min_idle_instances
  • aws_attributes
instancePools delete A user deletes an instance pool.
  • instance_pool_id
instancePools edit A user edits an instance pool.
  • instance_pool_name
  • idle_instance_autotermination_minutes
  • min_idle_instances
  • preloaded_spark_versions
  • max_capacity
  • enable_elastic_disk
  • node_type_id
  • instance_pool_id
  • aws_attributes

Job events

The following jobs events are logged at the workspace level. This service includes events related to jobs.

Service Action Description Request parameters
jobs cancel A job run is cancelled.
  • run_id
jobs cancelAllRuns A user cancels all runs on a job.
  • all_queued_runs
  • job_id
jobs changeJobAcl A user updates permissions on a job.
  • shardName
  • aclPermissionSet
  • resourceId
  • targetUserId
jobs create A user creates a job.
  • budget_policy_id
  • compute
  • continuous
  • create_as_untouched
  • deployment
  • description
  • edit_mode
  • email_notifications
  • environments
  • existing_cluster_id
  • format
  • git_source
  • health
  • idempotency_token
  • is_from_redash
  • job_clusters
  • job_type
  • libraries
  • max_concurrent_runs
  • max_retries
  • min_retry_interval_millis
  • name
  • new_cluster
  • notebook_task
  • notification_settings
  • parameters
  • performance_target
  • queue
  • retry_on_timeout
  • run_as
  • run_as_user_name
  • schedule
  • spark_jar_task
  • spark_python_task
  • spark_submit_task
  • tags
  • tasks
  • timeout_seconds
  • trigger
  • webhook_notifications
jobs delete A user deletes a job.
  • job_id
jobs deleteRun A user deletes a job run.
  • run_id
jobs getRunOutput A user makes an API call to get a run output.
  • run_id
  • is_from_webapp
  • notebook_output_limit
  • skip_additional_acl_checks
jobs repairRun A user repairs a job run.
  • run_id
  • latest_repair_id
  • rerun_tasks
  • job_parameters
jobs reset A job is reset.
  • job_id
  • new_settings
jobs resetJobAcl A user requests the change of a job's permissions.
  • grants
  • job_id
jobs runCommand Available when verbose audit logs are enabled. Emitted after a command in a notebook is executed by a job run. A command corresponds to a cell in a notebook.
  • jobId
  • runId
  • notebookId
  • executionTime
  • status
  • commandId
  • commandText
  • clusterId
  • commandLanguage
jobs runFailed A job run fails or is canceled.
  • jobClusterType
  • jobTriggerType
  • jobId
  • jobTaskType
  • runId
  • jobTerminalState
  • idInJob
  • orgId
  • runCreatorUserName
  • clusterId
  • jobRunId
  • multitaskParentRunId
  • parentRunId
  • repairId
  • taskDependencies
  • taskDependencyType
  • taskKey
jobs runNow A user triggers an on-demand job run.
  • notebook_params
  • job_id
  • jar_params
  • workflow_context
  • job_parameters
  • only
  • pipeline_params
  • python_params
  • queue
jobs runStart Emitted when a job run starts after validation and cluster creation. The request parameters emitted from this event depend on the type of tasks in the job. In addition to the parameters listed, they can include:
  • dashboardId (for a SQL dashboard task)
  • filePath (for a SQL file task)
  • notebookPath (for a notebook task)
  • mainClassName (for a Spark JAR task)
  • pythonFile (for a Spark JAR task)
  • projectDirectory (for a dbt task)
  • commands (for a dbt task)
  • packageName (for a Python wheel task)
  • entryPoint (for a Python wheel task)
  • pipelineId (for a pipeline task)
  • queryIds (for a SQL query task)
  • alertId (for a SQL alert task)
  • taskDependencies
  • multitaskParentRunId
  • orgId
  • idInJob
  • jobId
  • jobTerminalState
  • taskKey
  • jobTriggerType
  • jobTaskType
  • runId
  • runCreatorUserName
jobs runSucceeded A job run is successful.
  • idInJob
  • jobId
  • jobTriggerType
  • orgId
  • runId
  • jobClusterType
  • jobTaskType
  • jobTerminalState
  • runCreatorUserName
  • clusterId
  • jobRunId
  • multitaskParentRunId
  • parentRunId
  • repairId
  • taskDependencies
  • taskDependencyType
  • taskKey
jobs runTriggered A job schedule is triggered automatically according to its schedule or trigger.
  • jobId
  • jobTriggeredType
  • runId
  • jobTriggerType
  • runCreatorUserName
jobs sendRunWebhook A webhook is sent either when the job begins, completes, or fails.
  • orgId
  • jobId
  • jobWebhookId
  • jobWebhookEvent
  • runId
jobs setTaskValue A user sets values for a task.
  • run_id
  • key
jobs submitRun A user submits a one-time run via the API.
  • shell_command_task
  • run_name
  • spark_python_task
  • existing_cluster_id
  • notebook_task
  • timeout_seconds
  • libraries
  • new_cluster
  • spark_jar_task
  • access_control_list
  • email_notifications
  • git_source
  • idempotency_token
  • run_as
  • tasks
  • workflow_context
jobs update A user edits a job's settings.
  • job_id
  • fields_to_remove
  • new_settings
  • is_from_dlt
  • fields_to_remove_mirror
  • is_from_redash
  • new_settings_mirror

Lakeflow Declarative Pipeline events

The following deltaPipelines events are logged at the workspace level. This service includes events related to Lakeflow Declarative Pipelines.

Service Action Description Request parameters
deltaPipelines changePipelineAcls A user changes permissions on a pipeline.
  • aclPermissionSet
  • resourceId
  • shardId
  • shardName
  • targetUserId
deltaPipelines create A user creates a declarative pipeline.
  • allow_duplicate_names
  • budget_policy_id
  • catalog
  • channel
  • clusters
  • configuration
  • continuous
  • data_sampling
  • dbr_version
  • deployment
  • development
  • dry_run
  • edition
  • email_notifications
  • event_log
  • gateway_definition
  • id
  • ingestion_definition
  • libraries
  • managed_definition
  • name
  • notifications
  • photon
  • pipeline_type
  • restart_window
  • schema
  • serverless
  • storage
  • target
  • trigger
deltaPipelines delete A user deletes a declarative pipeline.
  • pipeline_id
deltaPipelines edit A user edits a declarative pipeline.
  • allow_duplicate_names
  • budget_policy_id
  • catalog
  • channel
  • clusters
  • configuration
  • continuous
  • data_sampling
  • dbr_version
  • deployment
  • development
  • edition
  • email_notifications
  • event_log
  • expected_last_modified
  • gateway_definition
  • id
  • ingestion_definition
  • libraries
  • name
  • notifications
  • photon
  • pipeline_id
  • pipeline_type
  • restart_window
  • run_as
  • schema
  • serverless
  • storage
  • target
deltaPipelines startUpdate A user restarts a declarative pipeline.
  • cause
  • development
  • full_refresh
  • full_refresh_selection
  • job_task
  • pipeline_id
  • refresh_selection
  • update_cause_details
  • validate_only
deltaPipelines stop A user stops a declarative pipeline.
  • cancellation_cause
  • pipeline_id

Lineage tracking events

The following lineageTracking events are logged at the workspace level. This service includes events related to data lineage.

Service Action Description Request parameters
lineageTracking listColumnLineages A user accesses the list of the upstream or downstream columns of a column.
  • table_name
  • column_name
  • lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
lineageTracking listSecurableLineagesBySecurable A user accesses the list of the upstream or downstream securables of a securable.
  • securable_full_name
  • securable_type
  • lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
  • metastore_id
  • page_size
  • page_token
  • securable_response_filter
  • start_timestamp
  • subsecurable_id
  • workspace_id
lineageTracking listEntityLineagesBySecurable A user accesses the list of entities (notebooks, jobs, etc.) that write to or read a securable.
  • securable_full_name
  • securable_type
  • lineage_direction: The lineage direction (UPSTREAM or DOWNSTREAM).
  • entity_response_filter: The entity type (notebook, job, dashboard, pipeline, query, serving endpoint, etc.).
  • metastore_id
  • page_size
  • start_timestamp
  • subsecurable_id
  • workspace_id
lineageTracking getColumnLineages A user gets the column lineages for a table and its column.
  • table_name
  • column_name
  • metastore_id
  • only_downstream
  • only_upstream
  • workspace_id
lineageTracking getTableEntityLineages A user gets the upstream and downstream lineages of a table.
  • table_name
  • include_entity_lineage
  • include_downstream
  • include_upstream
  • metastore_id
  • workspace_id
lineageTracking getJobTableLineages A user gets the upstream and downstream table lineages of a job.
  • job_id
  • max_result
  • metastore_id
  • workspace_id
lineageTracking getFunctionLineages A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a function.
  • function_name
lineageTracking getModelVersionLineages A user gets the upstream and downstream securables and entities (notebooks, jobs, etc.) of a model and its version.
  • model_name
  • version
  • metastore_id
  • workspace_id
lineageTracking getEntityTableLineages A user gets the upstream and downstream tables of an entity (notebooks, jobs, etc.).
  • entity_type
  • entity_id
  • max_downstreams
  • max_upstreams
  • metastore_id
  • workspace_id
lineageTracking getFrequentlyJoinedTables A user gets the frequently joined tables for a table.
  • table_name
  • include_columns
  • limit_size
  • metastore_id
  • workspace_id
lineageTracking getFrequentQueryByTable A user gets the frequent queries for a table.
  • source_table_name
  • limit_size
  • metastore_id
  • workspace_id
lineageTracking getFrequentUserByTable A user gets the frequent users for a table.
  • table_name
  • limit_size
  • metastore_id
  • workspace_id
lineageTracking getTablePopularityByDate A user gets the popularity (query count) for a table for the past month.
  • table_name
  • metastore_id
  • workspace_id
lineageTracking getPopularEntities A user gets the popular entities (notebooks, jobs, etc.) for a table.
  • scope: Specifies the scope for retrieving popular entities, either from the workspace or table name.
  • table_name
  • limit_size
  • metastore_id
  • workspace_id
lineageTracking getPopularTables A user gets the table popularity info for a list of tables.
  • scope: Specifies the scope for retrieving popular tables, either from the metastore or the table list.
  • table_name_list
  • metastore_id
  • workspace_id
lineageTracking listCustomLineages A user lists custom lineages for an entity.
  • entity_id
  • lineage_direction
  • metastore_id
  • page_size
  • workspace_id
lineageTracking listSecurableByEntityEvent A user lists securables associated with entity events.
  • entity_id
  • entity_type
  • lineage_direction
  • metastore_id
  • page_size
  • page_token
  • securable_response_filter
  • start_timestamp
  • workspace_id

MLflow artifacts with ACL events

The following mlflowAcledArtifact events are logged at the workspace level. This service includes events related to MLflow artifacts with ACLs.

Service Action Description Request parameters
mlflowAcledArtifact readArtifact A user makes call to read an artifact.
  • artifactLocation
  • experimentId
  • runId
mlflowAcledArtifact writeArtifact A user makes call to write to an artifact.
  • artifactLocation
  • experimentId
  • runId

MLflow experiment events

The following mlflowExperiment events are logged at the workspace level. This service includes events related to MLflow experiments.

Service Action Description Request parameters
mlflowExperiment createMlflowExperiment A user creates an MLflow experiment.
  • experimentId
  • path
  • experimentName
mlflowExperiment deleteMlflowExperiment A user deletes an MLflow experiment.
  • experimentId
  • path
  • experimentName
mlflowExperiment moveMlflowExperiment A user moves an MLflow experiment.
  • newPath
  • experimentId
  • oldPath
mlflowExperiment restoreMlflowExperiment A user restores an MLflow experiment.
  • experimentId
  • path
  • experimentName
mlflowExperiment renameMlflowExperiment A user renames an MLflow experiment.
  • oldName
  • newName
  • experimentId
  • parentPath

MLflow model registry events

The following mlflowModelRegistry events are logged at the workspace level. This service includes events related to the workspace model registry. For activity logs for models in Unity Catalog, see Unity Catalog events.

Service Action Description Request parameters
modelRegistry approveTransitionRequest A user approves a model version stage transition request.
  • name
  • version
  • stage
  • archive_existing_versions
  • comment
modelRegistry changeRegisteredModelAcl A user updates permissions for a registered model.
  • registeredModelId
  • userId
  • aclPermissionSet
  • resourceId
  • shardName
  • targetUserId
modelRegistry createComment A user posts a comment on a model version.
  • name
  • version
modelRegistry createModelVersion A user creates a model version.
  • name
  • source
  • run_id
  • tags
  • run_link
modelRegistry createRegisteredModel A user creates a new registered model
  • name
  • tags
  • description
modelRegistry createRegistryWebhook User creates a webhook for Model Registry events.
  • orgId
  • registeredModelId
  • events
  • description
  • status
  • creatorId
  • httpUrlSpec
modelRegistry createTransitionRequest A user creates a model version stage transition request.
  • name
  • version
  • stage
  • comment
modelRegistry deleteComment A user deletes a comment on a model version.
  • id
modelRegistry deleteModelVersion A user deletes a model version.
  • name
  • version
modelRegistry deleteModelVersionTag A user deletes a model version tag.
  • name
  • version
  • key
modelRegistry deleteRegisteredModel A user deletes a registered model
  • name
modelRegistry deleteRegisteredModelTag A user deletes the tag for a registered model.
  • name
  • key
modelRegistry deleteRegistryWebhook User deletes a Model Registry webhook.
  • orgId
  • webhookId
modelRegistry deleteTransitionRequest A user cancels a model version stage transition request.
  • name
  • version
  • stage
  • creator
modelRegistry finishCreateModelVersionAsync Completed asynchronous model copying.
  • name
  • version
modelRegistry generateBatchInferenceNotebook Batch inference notebook is autogenerated.
  • userId
  • orgId
  • modelName
  • inputTableOpt
  • outputTablePathOpt
  • stageOrVersion
  • modelVersionEntityOpt
  • notebookPath
modelRegistry generateDltInferenceNotebook Inference notebook for a declarative pipeline is autogenerated.
  • userId
  • orgId
  • modelName
  • inputTable
  • outputTable
  • stageOrVersion
  • notebookPath
  • input_table
  • name
  • output_table
  • stage
  • version
modelRegistry getModelVersionDownloadUri A user gets a URI to download the model version.
  • name
  • version
modelRegistry getModelVersionSignedDownloadUri A user gets a URI to download a signed model version.
  • name
  • version
  • path
modelRegistry listModelArtifacts A user makes a call to list a model's artifacts.
  • name
  • version
  • path
  • page_token
modelRegistry listRegistryWebhooks A user makes a call to list all registry webhooks in the model.
  • orgId
  • registeredModelId
modelRegistry rejectTransitionRequest A user rejects a model version stage transition request.
  • name
  • version
  • stage
  • comment
modelRegistry renameRegisteredModel A user renames a registered model
  • name
  • new_name
modelRegistry setEmailSubscriptionStatus A user updates the email subscription status for a registered model
  • model_name
  • subscription_type
modelRegistry setModelVersionTag A user sets a model version tag.
  • name
  • version
  • key
  • value
modelRegistry setRegisteredModelTag A user sets a model version tag.
  • name
  • key
  • value
modelRegistry setUserLevelEmailSubscriptionStatus A user updates their email notifications status for the whole registry.
  • orgId
  • userId
  • subscriptionStatus
  • subscription_type
modelRegistry testRegistryWebhook A user tests the Model Registry webhook.
  • orgId
  • webhookId
modelRegistry transitionModelVersionStage A user gets a list of all open stage transition requests for the model version.
  • name
  • version
  • stage
  • archive_existing_versions
  • comment
modelRegistry triggerRegistryWebhook A Model Registry webhook is triggered by an event.
  • orgId
  • registeredModelId
  • events
  • status
modelRegistry updateComment A user post an edit to a comment on a model version.
  • id
modelRegistry updateRegistryWebhook A user updates a Model Registry webhook.
  • orgId
  • webhookId

Notebook events

The following notebook events are logged at the workspace level. This service includes events related to notebooks.

Service Action Description Request parameters
notebook attachNotebook A notebook is attached to a cluster. Also emitted when the new SQL editor is attached to a SQL warehouse.
  • path
  • clusterId
  • notebookId
notebook cloneNotebook A user clones a notebook.
  • notebookId
  • path
  • clonedNotebookId
  • destinationPath
notebook createFolder A notebook folder is created.
  • path
notebook createNotebook A notebook is created.
  • notebookId
  • path
notebook deleteFolder A notebook folder is deleted.
  • path
notebook deleteNotebook A notebook is deleted.
  • notebookId
  • notebookName
  • path
notebook deleteRepo A repository is deleted.
  • path
notebook detachNotebook A notebook is detached from a cluster. Also emitted when the new SQL editor is detached from a SQL warehouse.
  • notebookId
  • clusterId
  • path
notebook downloadLargeResults A user downloads query results too large to display in the notebook.
  • notebookId
  • notebookFullPath
notebook downloadPreviewResults A user downloads the query results.
  • notebookId
  • notebookFullPath
notebook importNotebook A user imports a notebook.
  • path
  • workspaceExportFormat
notebook moveFolder A notebook folder is moved from one location to another.
  • oldPath
  • newPath
  • folderId
notebook moveNotebook A notebook is moved from one location to another.
  • newPath
  • oldPath
  • notebookId
notebook renameFolder A notebook folder is renamed.
  • folderId
  • newName
  • oldName
  • parentPath
notebook renameNotebook A notebook is renamed.
  • newName
  • oldName
  • parentPath
  • notebookId
notebook restoreFolder A deleted folder is restored.
  • path
notebook restoreNotebook A deleted notebook is restored.
  • path
  • notebookId
  • notebookName
notebook restoreRepo A deleted repository is restored.
  • path
notebook runCommand Available when verbose audit logs are enabled. Emitted after Databricks runs a command in a notebook or the new SQL editor. A command corresponds to a cell in a notebook or the query text in the new SQL editor.
executionTime is measured in seconds.
  • notebookId
  • executionTime
  • status
  • commandId
  • commandText
  • commandLanguage
notebook takeNotebookSnapshot Notebook snapshots are taken when either the job service or mlflow is run.
  • path

Remote history service events

The following RemoteHistoryService events are logged at the workspace level. This service includes events related to adding and removing GitHub Credentials.

Service Action Description Request parameters
RemoteHistoryService addUserGitHubCredentials User adds Github Credentials none
RemoteHistoryService deleteUserGitHubCredentials User removes Github Credentials none
RemoteHistoryService updateUserGitHubCredentials User updates Github Credentials none

Secrets events

The following secrets events are logged at the workspace level. This service includes events related to secrets.

Service Action name Description Request parameters
secrets createScope User creates a secret scope.
  • scope
  • initial_manage_principal
  • scope_backend_type
secrets deleteAcl User deletes ACLs for a secret scope.
  • scope
  • principal
secrets deleteScope User deletes a secret scope.
  • scope
secrets deleteSecret User deletes a secret from a scope.
  • key
  • scope
secrets getAcl User gets ACLs for a secret scope.
  • scope
  • principal
secrets getSecret User gets a secret from a scope.
  • key
  • scope
secrets listAcls User makes a call to list ACLs for a secret scope.
  • scope
secrets listScopes User makes a call to list secret scopes none
secrets listSecrets User makes a call to list secrets within a scope.
  • scope
secrets putAcl User changes ACLs for a secret scope.
  • scope
  • principal
  • permission
secrets putSecret User adds or edits a secret within a scope.
  • string_value
  • key
  • scope

SQL table access events

Note

The sqlPermissions service includes events related to the legacy Hive metastore table access control. Databricks recommends that you upgrade the tables managed by the Hive metastore to the Unity Catalog metastore.

The following sqlPermissions events are logged at the workspace level.

Service Action name Description Request parameters
sqlPermissions changeSecurableOwner Workspace admin or owner of an object transfers object ownership.
  • securable
  • principal
sqlPermissions createSecurable User creates a securable object.
  • securable
sqlPermissions denyPermission Object owner denies privileges on a securable object.
  • permission
sqlPermissions grantPermission Object owner grants permission on a securable object.
  • permission
sqlPermissions removeAllPermissions User drops a securable object.
  • securable
sqlPermissions renameSecurable User renames a securable object.
  • before
  • after
sqlPermissions requestPermissions User requests permissions on a securable object.
  • requests
  • denied
  • permitted
sqlPermissions revokePermission Object owner revokes permissions on their securable object.
  • permission
sqlPermissions showPermissions User views securable object permissions.
  • securable
  • principal

SSH events

The following ssh events are logged at the workspace level. This service includes events related to SSH access.

Service Action name Description Request parameters
ssh login Agent login of SSH into Spark driver.
  • containerId
  • userName
  • port
  • publicKey
  • instanceId
ssh logout Agent logout of SSH from Spark driver.
  • userName
  • containerId
  • instanceId

Uniform Iceberg REST API events

The following uniformIcebergRestCatalog events are logged at the workspace level. These events are logged when users interact with managed Apache Iceberg tables using an external Iceberg-compatible engine that supports the Iceberg REST Catalog API.

Service Action Description Request parameters
uniformIcebergRestCatalog config User gets a catalog configuration.
  • http_method
  • http_path
uniformIcebergRestCatalog createNamespace User creates a namespace, with an optional set of properties.
  • http_method
  • http_path
uniformIcebergRestCatalog createTable User creates a new Iceberg table.
  • http_method
  • http_path
uniformIcebergRestCatalog deleteNamespace User deletes an existing namespace.
  • http_method
  • http_path
uniformIcebergRestCatalog deleteTable User deletes an existing table.
  • http_method
  • http_path
uniformIcebergRestCatalog getNamespace User gets properties of a namespace.
  • http_method
  • http_path
uniformIcebergRestCatalog listNamespaces User makes a call to list all namespaces at a specified level.
  • http_method
  • http_path
uniformIcebergRestCatalog listTables User lists all tables under a given namespace.
  • http_method
  • http_path
uniformIcebergRestCatalog loadTableCredentials User loads vended credentials for a table from the catalog.
  • http_method
  • http_path
uniformIcebergRestCatalog loadTable User loads a table from the catalog.
  • http_method
  • http_path
uniformIcebergRestCatalog loadView User loads a view from the catalog.
  • http_method
  • http_path
uniformIcebergRestCatalog namespaceExists User checks if a namespace exists.
  • http_method
  • http_path
uniformIcebergRestCatalog renameTable User renames an existing table
  • http_method
  • http_path
uniformIcebergRestCatalog reportMetrics User sends a metrics report
  • http_method
  • http_path
uniformIcebergRestCatalog tableExists User checks if a table exists within a given namespace.
  • http_method
  • http_path
uniformIcebergRestCatalog updateNamespaceProperties User updates properties for a namespace.
  • http_method
  • http_path
uniformIcebergRestCatalog updateTable User updates table metadata.
  • http_method
  • http_path
uniformIcebergRestCatalog viewExists User checks if a view exists within a given namespace.
  • http_method
  • http_path

Webhook events

The following webhookNotifications events are logged at the workspace level. This service includes events related to notification destinations.

Service Action Description Request parameters
webhookNotifications createWebhook An admin creates a new notification destination.
  • name
  • options
  • type
webhookNotifications deleteWebhook An admin deletes a notification destination.
  • id
webhookNotifications getWebhook A user views information about a notification destination using the UI or API.
  • id
webhookNotifications notifyWebhook A webhook is triggered and sends a notification payload to the target URL.
  • body
  • id
webhookNotifications testWebhook A test payload is sent to a webhook URL to verify the configuration and ensure it can receive notifications successfully.
  • id
webhookNotifications updateWebhook An admin updates a notification destination.
  • name
  • options
  • type

Web terminal events

The following webTerminal events are logged at the workspace level. This service includes events related to the web terminal feature.

Service Action name Description Request parameters
webTerminal startSession User starts a web terminal sessions.
  • socketGUID
  • clusterId
  • serverPort
  • ProxyTargetURI
webTerminal closeSession User closes a web terminal session.
  • socketGUID
  • clusterId
  • serverPort
  • ProxyTargetURI

Workspace events

The following workspace events are logged at the workspace level. This service includes events related to workspace management.

Service Action name Description Request parameters
workspace addPermissionAssignment An account admin adds a principal to a workspace.
  • principal_id
  • account_id
  • workspace_id
workspace changeWorkspaceAcl Permissions to the workspace are changed.
  • shardName
  • targetUserId
  • aclPermissionSet
  • resourceId
workspace deletePermissionAssignment A workspace admin removes a principal from a workspace.
  • principal_id
  • account_id
  • workspace_id
workspace deleteSetting A setting is deleted from the workspace.
  • settingKeyTypeName
  • settingKeyName
  • settingTypeName
  • settingName
workspace fileCreate User creates a file in the workspace.
  • path
workspace fileDelete User deletes a file in the workspace.
  • path
workspace fileEditorOpenEvent User opens the file editor.
  • notebookId
  • path
workspace getPermissionAssignment An account admin gets a workspace's permission assignments.
  • account_id
  • workspace_id
workspace getRoleAssignment User gets a workspace's user roles.
  • account_id
  • workspace_id
workspace mintOAuthAuthorizationCode Recorded when in-house OAuth authorization code is minted at the workspace level.
  • client_id
workspace mintOAuthToken OAuth token is minted for workspace.
  • grant_type
  • scope
  • expires_in
  • client_id
workspace moveWorkspaceNode A workspace admin moves workspace node.
  • destinationPath
  • path
workspace purgeWorkspaceNodes A workspace admin purges workspace nodes.
  • treestoreId
workspace reattachHomeFolder An existing home folder is re-attached for a user that is re-added to the workspace.
  • path
workspace renameWorkspaceNode A workspace admin renames workspace nodes.
  • path
  • destinationPath
workspace unmarkHomeFolder Home folder special attributes are removed when a user is removed from the workspace.
  • path
workspace updateRoleAssignment A workspace admin updates a workspace user's role.
  • account_id
  • workspace_id
  • principal_id
  • role
workspace updatePermissionAssignment A workspace admin adds a principal to the workspace.
  • principal_id
  • permissions
workspace setSetting A workspace admin configures a workspace setting.
  • settingKeyTypeName
  • settingKeyName
  • settingTypeName
  • settingName
  • settingValueForAudit
workspace workspaceConfEdit Workspace admin makes updates to a setting, for example enabling verbose audit logs.
  • workspaceConfKeys
  • workspaceConfValues
workspace workspaceExport User exports a notebook from a workspace.
  • workspaceExportDirectDownload
  • workspaceExportFormat
  • notebookFullPath
workspace workspaceInHouseOAuthClientAuthentication OAuth client is authenticated in workspace service.
  • user

Workspace files events

The following workspaceFiles events are logged at the workspace level. This service includes events related to workspaces files.

Service Action name Description Request parameters
workspaceFiles wsfsStreamingRead A workspace file is read by a user or programmatically as part of a workflow.
  • path
workspaceFiles wsfsStreamingWrite A workspace file is written to by a user or programmatically as part of a workflow.
  • path
workspaceFiles wsfsImportFile A user imports a file into the workspace.
  • path

Service principal credentials events (Public Preview)

The following servicePrincipalCredentials events are logged at the account level. These events are related to service credentials.

Service Action Description Request parameters
servicePrincipalCredentials create Account admin generates an OAuth secret for the service principal.
  • account_id
  • service_principal
  • secret_id
  • lifetime
servicePrincipalCredentials list Account admin lists all OAuth secrets under a service principal.
  • account_id
  • service_principal
servicePrincipalCredentials delete Account admin deletes a service principal's OAuth secret.
  • account_id
  • service_principal
  • secret_id

Unity Catalog events

Deprecated log events

Databricks has deprecated the following databrickssql diagnostic events:

  • createAlertDestination (now createNotificationDestination)
  • deleteAlertDestination (now deleteNotificationDestination)
  • updateAlertDestination (now updateNotificationDestination)
  • muteAlert
  • unmuteAlert

SQL endpoint logs

If you create SQL warehouses using the deprecated SQL endpoint API (the former name for SQL warehouses), the corresponding audit event name will include the word Endpoint instead of Warehouse. Besides the name, these events are identical to the SQL warehouse events. To view descriptions and request parameters of these events, see their corresponding warehouse events in Databricks SQL events.

The SQL endpoint events are:

  • changeEndpointAcls
  • createEndpoint
  • editEndpoint
  • startEndpoint
  • stopEndpoint
  • deleteEndpoint
  • setEndpointConfig