"Who, when, what data, what operation?" — if you cannot answer that question instantly, you cannot investigate security incidents or respond to compliance audits. Databricks Audit Logs automatically record every operation in the workspace and make them queryable via SQL through the system.access.audit table (System Tables).
This article walks through the structure of audit logs, the major event catalog, practical SQL query examples, Log Delivery setup (AWS S3 / Azure Event Hubs / GCS), key points for SOC 2 / ISO 27001 compliance, and the patterns asked on the Databricks certification exams.
Databricks audit logs are delivered as part of System Tables. System Tables are schemas under the system catalog — read-only Delta Tables that Databricks populates and refreshes automatically. Audit logs live in system.access.audit.
-- Inspect the audit log table schema
DESCRIBE TABLE system.access.audit;
-- Key columns
-- event_time TIMESTAMP When the event occurred
-- event_date DATE Event date (partition key)
-- workspace_id BIGINT Workspace ID
-- action_name STRING Operation type (e.g. createCluster, getTable)
-- user_identity STRUCT User / service principal performing the action
-- service_name STRING Service name (e.g. clusters, unityCatalog, jobs)
-- request_params MAP Request parameters (details of the target object)
-- response STRUCT Response info (status code, error message)
-- source_ip_address STRING Source IP address of the request
-- audit_level STRING Log level (ACCOUNT_LEVEL / WORKSPACE_LEVEL)| Category | service_name | Representative action_name | Description |
|---|---|---|---|
| Workspace | accounts | login, logout, tokenLogin | User login/logout, authentication via PAT |
| Cluster | clusters | create, start, permanentDelete, resize | Cluster create / start / delete / resize |
| Notebook | notebook | createNotebook, runCommand, attachNotebook | Notebook create, command run, attach to cluster |
| Job | jobs | create, runNow, runSucceeded, runFailed | Job create / run / success / failure |
| Unity Catalog | unityCatalog | createTable, getTable, grantPermission, revokePermission | Table create/access, permission grant/revoke |
| Secrets | secrets | getSecret, putSecret, createScope | Read/write secrets, create scope |
| SQL Warehouse | databrickssql | createEndpoint, startEndpoint, executeStatement | SQL Warehouse create/start, SQL execution |
| File | dbfs | addBlock, create, delete | Create/delete DBFS files |
| Repository | repos | createRepo, updateRepo, deleteRepo | Git-integrated repository operations |
SELECT
event_time,
user_identity.email AS user_email,
source_ip_address,
response.status_code,
response.error_message
FROM system.access.audit
WHERE action_name = 'login'
AND response.status_code != 200
AND event_date >= current_date() - INTERVAL 7 DAYS
ORDER BY event_time DESC;SELECT
event_date,
user_identity.email AS user_email,
action_name,
request_params['full_name_arg'] AS table_name,
COUNT(*) AS access_count
FROM system.access.audit
WHERE service_name = 'unityCatalog'
AND action_name IN ('getTable', 'createTable', 'deleteTable')
AND event_date >= current_date() - INTERVAL 30 DAYS
GROUP BY event_date, user_identity.email, action_name,
request_params['full_name_arg']
ORDER BY event_date DESC, access_count DESC;SELECT
event_time,
user_identity.email AS triggered_by,
request_params['jobId'] AS job_id,
request_params['runId'] AS run_id,
action_name,
CASE
WHEN action_name = 'runSucceeded' THEN 'SUCCESS'
WHEN action_name = 'runFailed' THEN 'FAILED'
ELSE action_name
END AS status
FROM system.access.audit
WHERE service_name = 'jobs'
AND action_name IN ('runSucceeded', 'runFailed', 'runNow')
AND event_date >= current_date() - INTERVAL 14 DAYS
ORDER BY event_time DESC;SELECT
event_time,
user_identity.email AS granted_by,
action_name,
request_params['securable_type'] AS object_type,
request_params['full_name_arg'] AS object_name,
request_params['principal'] AS granted_to,
request_params['privileges'] AS privileges
FROM system.access.audit
WHERE service_name = 'unityCatalog'
AND action_name IN ('grantPermission', 'revokePermission', 'updatePermissions')
AND event_date >= current_date() - INTERVAL 90 DAYS
ORDER BY event_time DESC;SELECT
event_date,
user_identity.email AS creator,
request_params['cluster_name'] AS cluster_name,
request_params['node_type_id'] AS instance_type,
request_params['num_workers'] AS num_workers,
request_params['autotermination_minutes'] AS auto_terminate_min
FROM system.access.audit
WHERE service_name = 'clusters'
AND action_name = 'create'
AND event_date >= current_date() - INTERVAL 30 DAYS
ORDER BY event_date DESC;On top of SQL analysis via System Tables, you can also deliver audit logs to external storage or SIEM tools. Log Delivery is configured from the Account Console (or Account API) and enabled at the account level.
| Cloud | Destination | Format | Primary use case |
|---|---|---|---|
| AWS | S3 bucket | JSON (gzip-compressed) | Long-term archival, Athena analysis, Splunk ingestion |
| Azure | Azure Event Hubs / Azure Monitor | JSON | Azure Sentinel integration, real-time monitoring |
| GCP | GCS / Cloud Logging | JSON | BigQuery analysis, integration with Cloud SIEM |
# AWS: configure Log Delivery via the Account API
curl -X POST "https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/log-delivery" \
-H "Authorization: Bearer <admin_token>" \
-H "Content-Type: application/json" \
-d '{
"log_type": "AUDIT_LOGS",
"output_format": "JSON",
"credentials_id": "<credential_config_id>",
"storage_configuration_id": "<storage_config_id>",
"delivery_path_prefix": "databricks/audit-logs"
}'| Aspect | System Tables (system.access.audit) | Log Delivery (S3 / Event Hubs / GCS) |
|---|---|---|
| Setup | No extra setup (just enable) | Requires storage and credential configuration |
| Query method | Direct SQL from Databricks SQL / Notebook | External tools (Athena, Sentinel, Splunk) |
| Data format | Delta Table (optimized) | JSON (gzip-compressed) |
| Retention | 365 days (varies by plan) | Depends on storage configuration (unlimited possible) |
| Cost | DBU consumption (when queries run) | Cloud storage and egress costs |
| Latency | Minutes to tens of minutes of delay | Near real-time available via Event Hubs |
| Access from outside Databricks | Not supported (query only inside Databricks) | Supported (direct access from external tools) |
Databricks audit logs can support the major compliance frameworks.
| Framework | How audit logs help |
|---|---|
| SOC 2 (Type II) | Prove the effectiveness of access controls (login events, permission changes, anomaly detection). Submit query results as evidence to auditors. |
| ISO 27001 | Addresses A.12.4 'Logging and monitoring' requirements: evidence for recording, protecting, and reviewing event logs. |
| GDPR | Access logs for personal data. Track who accessed tables containing personal data and when. |
| HIPAA | Audit access to PHI (Protected Health Information). Access logs must be retained for at least 6 years. |
Recommended best practices for compliance:
Audit Logs are in scope for Data Engineer Associate / Professional and for Administration-related exams.
system.access.auditData Engineer / Administration / Security
問題 1
The security team wants to investigate "which users made Unity Catalog permission changes (GRANT/REVOKE) in the last 30 days and which objects they targeted." Which approach is most appropriate?
正解: A
The system.access.audit table automatically records every Unity Catalog permission change (grantPermission / revokePermission). Filtering by service_name and action_name and pulling the target object and grantee principal out of request_params is the most efficient and accurate approach. Manually searching notebook history is not comprehensive and misses permission changes made via the API. Lineage graphs track data flow, not permission changes. Cluster logs are Spark runtime logs and do not record Unity Catalog permission changes.
Should I use System Tables (system.access.audit) or Audit Log Delivery?
system.access.audit can be queried directly with SQL from Databricks SQL or Notebooks with no extra configuration, making it ideal for day-to-day audit queries and dashboards. Log Delivery (to S3, Azure Event Hubs, or GCS) is needed when you want to integrate logs with SIEM tools outside Databricks (Splunk, Sentinel, Datadog, etc.) or when long-term archival and compliance require storage in external systems. The best practice is to use both together.
Which events are recorded in the audit logs?
Key event categories include workspace operations (login/logout, configuration changes), cluster operations (create/start/terminate/delete), notebook operations (create/run/share/export), job operations (create/run/success/failure), Unity Catalog events (GRANT/REVOKE/table access/lineage), and Secrets operations (read/write secrets). Every event includes a timestamp, user ID, action name, request parameters, and a response code.
How long are audit logs retained?
Retention for System Tables (system.access.audit) varies by Databricks plan; the default is 365 days. If compliance requirements demand longer retention, configure Log Delivery to archive to S3/ADLS/GCS, or periodically copy System Tables data into a Delta Table for long-term storage. SOC 2 and ISO 27001 audits typically require 1-3 years of retention, so archiving to external storage is recommended.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...