Databricks

Databricks Audit Logs: Auditing, Tracking, and Compliance in Practice

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

"Who, when, what data, what operation?" — if you cannot answer that question instantly, you cannot investigate security incidents or respond to compliance audits. Databricks Audit Logs automatically record every operation in the workspace and make them queryable via SQL through the system.access.audit table (System Tables).

This article walks through the structure of audit logs, the major event catalog, practical SQL query examples, Log Delivery setup (AWS S3 / Azure Event Hubs / GCS), key points for SOC 2 / ISO 27001 compliance, and the patterns asked on the Databricks certification exams.

Audit Logs Overview (system.access.audit)

Databricks audit logs are delivered as part of System Tables. System Tables are schemas under the system catalog — read-only Delta Tables that Databricks populates and refreshes automatically. Audit logs live in system.access.audit.

-- Inspect the audit log table schema
DESCRIBE TABLE system.access.audit;

-- Key columns
-- event_time        TIMESTAMP   When the event occurred
-- event_date        DATE        Event date (partition key)
-- workspace_id      BIGINT      Workspace ID
-- action_name       STRING      Operation type (e.g. createCluster, getTable)
-- user_identity     STRUCT      User / service principal performing the action
-- service_name      STRING      Service name (e.g. clusters, unityCatalog, jobs)
-- request_params    MAP         Request parameters (details of the target object)
-- response          STRUCT      Response info (status code, error message)
-- source_ip_address STRING      Source IP address of the request
-- audit_level       STRING      Log level (ACCOUNT_LEVEL / WORKSPACE_LEVEL)

Catalog of Key Events

Categoryservice_nameRepresentative action_nameDescription
Workspaceaccountslogin, logout, tokenLoginUser login/logout, authentication via PAT
Clusterclusterscreate, start, permanentDelete, resizeCluster create / start / delete / resize
NotebooknotebookcreateNotebook, runCommand, attachNotebookNotebook create, command run, attach to cluster
Jobjobscreate, runNow, runSucceeded, runFailedJob create / run / success / failure
Unity CatalogunityCatalogcreateTable, getTable, grantPermission, revokePermissionTable create/access, permission grant/revoke
SecretssecretsgetSecret, putSecret, createScopeRead/write secrets, create scope
SQL WarehousedatabrickssqlcreateEndpoint, startEndpoint, executeStatementSQL Warehouse create/start, SQL execution
FiledbfsaddBlock, create, deleteCreate/delete DBFS files
RepositoryreposcreateRepo, updateRepo, deleteRepoGit-integrated repository operations

Practical SQL Query Examples

Detecting unauthorized access (monitoring failed logins)

SELECT
  event_time,
  user_identity.email AS user_email,
  source_ip_address,
  response.status_code,
  response.error_message
FROM system.access.audit
WHERE action_name = 'login'
  AND response.status_code != 200
  AND event_date >= current_date() - INTERVAL 7 DAYS
ORDER BY event_time DESC;

Auditing access to Unity Catalog tables

SELECT
  event_date,
  user_identity.email AS user_email,
  action_name,
  request_params['full_name_arg'] AS table_name,
  COUNT(*) AS access_count
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name IN ('getTable', 'createTable', 'deleteTable')
  AND event_date >= current_date() - INTERVAL 30 DAYS
GROUP BY event_date, user_identity.email, action_name,
         request_params['full_name_arg']
ORDER BY event_date DESC, access_count DESC;

Job run history and failure analysis

SELECT
  event_time,
  user_identity.email AS triggered_by,
  request_params['jobId'] AS job_id,
  request_params['runId'] AS run_id,
  action_name,
  CASE
    WHEN action_name = 'runSucceeded' THEN 'SUCCESS'
    WHEN action_name = 'runFailed' THEN 'FAILED'
    ELSE action_name
  END AS status
FROM system.access.audit
WHERE service_name = 'jobs'
  AND action_name IN ('runSucceeded', 'runFailed', 'runNow')
  AND event_date >= current_date() - INTERVAL 14 DAYS
ORDER BY event_time DESC;

Tracking permission changes (GRANT/REVOKE)

SELECT
  event_time,
  user_identity.email AS granted_by,
  action_name,
  request_params['securable_type'] AS object_type,
  request_params['full_name_arg'] AS object_name,
  request_params['principal'] AS granted_to,
  request_params['privileges'] AS privileges
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name IN ('grantPermission', 'revokePermission', 'updatePermissions')
  AND event_date >= current_date() - INTERVAL 90 DAYS
ORDER BY event_time DESC;

Cluster cost-related auditing

SELECT
  event_date,
  user_identity.email AS creator,
  request_params['cluster_name'] AS cluster_name,
  request_params['node_type_id'] AS instance_type,
  request_params['num_workers'] AS num_workers,
  request_params['autotermination_minutes'] AS auto_terminate_min
FROM system.access.audit
WHERE service_name = 'clusters'
  AND action_name = 'create'
  AND event_date >= current_date() - INTERVAL 30 DAYS
ORDER BY event_date DESC;

Log Delivery Setup

On top of SQL analysis via System Tables, you can also deliver audit logs to external storage or SIEM tools. Log Delivery is configured from the Account Console (or Account API) and enabled at the account level.

CloudDestinationFormatPrimary use case
AWSS3 bucketJSON (gzip-compressed)Long-term archival, Athena analysis, Splunk ingestion
AzureAzure Event Hubs / Azure MonitorJSONAzure Sentinel integration, real-time monitoring
GCPGCS / Cloud LoggingJSONBigQuery analysis, integration with Cloud SIEM
# AWS: configure Log Delivery via the Account API
curl -X POST "https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/log-delivery" \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "log_type": "AUDIT_LOGS",
    "output_format": "JSON",
    "credentials_id": "<credential_config_id>",
    "storage_configuration_id": "<storage_config_id>",
    "delivery_path_prefix": "databricks/audit-logs"
  }'

System Tables vs Log Delivery: Comparison

AspectSystem Tables (system.access.audit)Log Delivery (S3 / Event Hubs / GCS)
SetupNo extra setup (just enable)Requires storage and credential configuration
Query methodDirect SQL from Databricks SQL / NotebookExternal tools (Athena, Sentinel, Splunk)
Data formatDelta Table (optimized)JSON (gzip-compressed)
Retention365 days (varies by plan)Depends on storage configuration (unlimited possible)
CostDBU consumption (when queries run)Cloud storage and egress costs
LatencyMinutes to tens of minutes of delayNear real-time available via Event Hubs
Access from outside DatabricksNot supported (query only inside Databricks)Supported (direct access from external tools)

Compliance

Databricks audit logs can support the major compliance frameworks.

FrameworkHow audit logs help
SOC 2 (Type II)Prove the effectiveness of access controls (login events, permission changes, anomaly detection). Submit query results as evidence to auditors.
ISO 27001Addresses A.12.4 'Logging and monitoring' requirements: evidence for recording, protecting, and reviewing event logs.
GDPRAccess logs for personal data. Track who accessed tables containing personal data and when.
HIPAAAudit access to PHI (Protected Health Information). Access logs must be retained for at least 6 years.

Recommended best practices for compliance:

  • Two-tier setup: System Tables for day-to-day monitoring plus Log Delivery for long-term archival
  • Configure alerts on permission-change events (grantPermission / revokePermission)
  • Detect login-failure thresholds being exceeded (early detection of brute-force attacks)
  • Quarterly audit log reviews and permission inventories
  • Apply encryption, access control, and versioning to Log Delivery destinations (S3/ADLS)

What the Exam Asks

Audit Logs are in scope for Data Engineer Associate / Professional and for Administration-related exams.

  • "Which System Tables table stores audit logs?" system.access.audit
  • "How do I see who accessed which table?" → Filter system.access.audit with service_name='unityCatalog'
  • "How do I forward audit logs to an external SIEM tool?" → Configure Log Delivery
  • "What format is System Tables data?" → Delta Table (directly queryable with SQL)
  • "How do I extend audit log retention?" → Archive to external storage via Log Delivery

Check Your Understanding

Data Engineer / Administration / Security

問題 1

The security team wants to investigate "which users made Unity Catalog permission changes (GRANT/REVOKE) in the last 30 days and which objects they targeted." Which approach is most appropriate?

  1. Query the system.access.audit table with SQL, filtering on service_name='unityCatalog' and action_name in ('grantPermission', 'revokePermission')
  2. Manually search each user's notebook history for GRANT statements
  3. Inspect table lineage graphs in the Unity Catalog data lineage UI
  4. Download cluster driver logs from S3 and grep through them

正解: A

The system.access.audit table automatically records every Unity Catalog permission change (grantPermission / revokePermission). Filtering by service_name and action_name and pulling the target object and grantee principal out of request_params is the most efficient and accurate approach. Manually searching notebook history is not comprehensive and misses permission changes made via the API. Lineage graphs track data flow, not permission changes. Cluster logs are Spark runtime logs and do not record Unity Catalog permission changes.

Frequently Asked Questions

Should I use System Tables (system.access.audit) or Audit Log Delivery?

system.access.audit can be queried directly with SQL from Databricks SQL or Notebooks with no extra configuration, making it ideal for day-to-day audit queries and dashboards. Log Delivery (to S3, Azure Event Hubs, or GCS) is needed when you want to integrate logs with SIEM tools outside Databricks (Splunk, Sentinel, Datadog, etc.) or when long-term archival and compliance require storage in external systems. The best practice is to use both together.

Which events are recorded in the audit logs?

Key event categories include workspace operations (login/logout, configuration changes), cluster operations (create/start/terminate/delete), notebook operations (create/run/share/export), job operations (create/run/success/failure), Unity Catalog events (GRANT/REVOKE/table access/lineage), and Secrets operations (read/write secrets). Every event includes a timestamp, user ID, action name, request parameters, and a response code.

How long are audit logs retained?

Retention for System Tables (system.access.audit) varies by Databricks plan; the default is 365 days. If compliance requirements demand longer retention, configure Log Delivery to archive to S3/ADLS/GCS, or periodically copy System Tables data into a Delta Table for long-term storage. SOC 2 and ISO 27001 audits typically require 1-3 years of retention, so archiving to external storage is recommended.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Databricks

Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)

Complete guide to all 7 Databricks certifications — Data Eng...

Databricks

Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)

Every Databricks certification ranked by difficulty, with st...

Databricks

Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)

How to pass Databricks certifications efficiently. Official ...

Databricks

Databricks Data Engineer Associate: Complete Guide (2026)

Domain-by-domain breakdown of the Databricks Certified Data ...

Databricks

Databricks Data Engineer Professional: Complete Guide (2026)

Tactics for the Databricks Certified Data Engineer Professio...

Browse all Databricks articles (110)
© 2026 NicheeLab All rights reserved.