| 1 | +--- |
| 2 | +id: databricks-audit |
| 3 | +title: Databricks Audit |
| 4 | +sidebar_label: Databricks Audit |
| 5 | +description: The Databricks Audit app for Sumo Logic provides insights into your organization's cybersecurity practices to strengthen security. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/collector/databricks-icon.png')} alt="thumbnail icon" width="70"/> |
| 11 | + |
| 12 | +The Sumo Logic app for Databricks Audit provides insights into your organization's security analytics. It provides real-time visibility into user activity, administrative operations, and security-related events across Databricks workspaces, empowering security and compliance teams to quickly detect, investigate, and respond to suspicious behavior. |
| 13 | + |
| 14 | +By ingesting Databricks audit logs, the app enables detection of potential threats such as unauthorized access attempts, privilege escalations, and anomalous job or login activities. Preconfigured dashboards highlight user access trends, critical configuration changes, error patterns, and high-risk operations, helping analysts proactively identify emerging threats and compliance risks. |
| 15 | + |
| 16 | +With rich visualizations and detailed event insights, the app enhances oversight of sensitive data access and strengthens the overall security posture of Databricks environments. |
| 17 | + |
| 18 | +:::info |
| 19 | +This app includes [built-in monitors](#databricks-audit-monitors). For details on creating custom monitors, refer to [Create monitors for Databricks Audit app](#create-monitors-for-databricks-audit-app). |
| 20 | +::: |
| 21 | + |
| 22 | +## Log types |
| 23 | + |
| 24 | +This app uses Sumo Logic’s [Databricks Audit source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/) to collect the [audit logs](https://docs.databricks.com/api/workspace/statementexecution/executestatement) from the Databricks Audit platform. |
| 25 | + |
| 26 | +## Sample log messages |
| 27 | + |
| 28 | +<details> |
| 29 | +<summary>Audit Log</summary> |
| 30 | + |
| 31 | +```json |
| 32 | +{ |
| 33 | + "account_id":"83860f25-7194-4d0c-a304-8902b05c4b0e", |
| 34 | + "action_name":"tokenLogin", |
| 35 | + "audit_level":"WORKSPACE_LEVEL", |
| 36 | + "event_date":"2025-10-23", |
| 37 | + "event_id":"3dd93080-f90f-3ea4-8870-6b7527b77393", |
| 38 | + "event_time":"2025-10-23T09:11:56.509Z", |
| 39 | + "identity_metadata":"{\"run_by\":null,\"run_as\":null,\"acting_resource\":null}", |
| 40 | + "request_id":"46e37143-8bb4-45ec-a63e-1eefe3d716bc", |
| 41 | + "request_params":"{\"user\":\"ddb92362-81fa-4f41-b5d3-e5a747e0b2f5\",\"tokenId\":\"33846778b496e5a557f17ade5b0fe2e4afce8e4c90378fc130c5537c9042a94c\",\"authenticationMethod\":\"API_INT_PAT_TOKEN\"}", |
| 42 | + "response":"{\"status_code\":\"200\",\"error_message\":null,\"result\":null}", |
| 43 | + "service_name":"accounts", |
| 44 | + "session_id":null, |
| 45 | + "source_ip_address":"10.251.166.254", |
| 46 | + "user_agent":"Apache-HttpClient/4.5.14 (Java/17.0.15) Databricks-Service/driver DBHttpClient/v2RawClient", |
| 47 | + "user_identity":"{\"email\":\"ddb92362-81fa-4f41-b5d3-e5a747e0b2f5\",\"subject_name\":null}", |
| 48 | + "version":"2.0", |
| 49 | + "workspace_id":"4150696479394378" |
| 50 | +} |
| 51 | +``` |
| 52 | +</details> |
| 53 | + |
| 54 | +## Sample queries |
| 55 | + |
| 56 | +```sql title="Total Alerts" |
| 57 | +_sourceCategory="Labs/DatabricksAudit" |
| 58 | +| json "action_name", "audit_level", "event_time", "response", "service_name", "source_ip_address", "user_identity", "workspace_id" as action_name, audit_level, event_time, response, service_name, ip_address, user_identity, workspace_id nodrop |
| 59 | +| json field=response "status_code", "result", "error_message" as status_code, result, error_message nodrop |
| 60 | +| json field=user_identity "email" as email_id nodrop |
| 61 | + |
| 62 | +// global filters |
| 63 | +| where email_id matches "{{email_id}}" |
| 64 | +| where action_name matches "{{action_name}}" |
| 65 | +| where audit_level matches "{{audit_level}}" |
| 66 | +| where service_name matches "{{service_name}}" |
| 67 | +| where ip_address matches "{{ip_address}}" |
| 68 | +| where status_code matches "{{response_code}}" |
| 69 | + |
| 70 | +// panel specific |
| 71 | +| where !isNull(email_id) |
| 72 | +| count by email_id |
| 73 | +| count |
| 74 | +``` |
| 75 | + |
| 76 | +```sql title="API Response Code" |
| 77 | +_sourceCategory="Labs/DatabricksAudit" |
| 78 | +| json "action_name", "audit_level", "event_time", "response", "service_name", "source_ip_address", "user_identity", "workspace_id" as action_name, audit_level, event_time, response, service_name, ip_address, user_identity, workspace_id nodrop |
| 79 | +| json field=response "status_code", "result", "error_message" as status_code, result, error_message nodrop |
| 80 | +| json field=request_params "authenticationMethod" as authentication_method nodrop |
| 81 | +| json field=user_identity "email" as email_id nodrop |
| 82 | + |
| 83 | +// global filters |
| 84 | +| where email_id matches "{{email_id}}" |
| 85 | +| where action_name matches "{{action_name}}" |
| 86 | +| where audit_level matches "{{audit_level}}" |
| 87 | +| where service_name matches "{{service_name}}" |
| 88 | +| where ip_address matches "{{ip_address}}" |
| 89 | +| where status_code matches "{{response_code}}" |
| 90 | + |
| 91 | +// panel specific |
| 92 | +| where !isBlank(event_id) and !isBlank(status_code) |
| 93 | +| count by event_id ,status_code |
| 94 | +| count as frequency by status_code |
| 95 | +| sort by frequency, status_code |
| 96 | +``` |
| 97 | + |
| 98 | +## Collection configuration and app installation |
| 99 | + |
| 100 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 101 | + |
| 102 | +<CollectionConfiguration/> |
| 103 | + |
| 104 | +:::important |
| 105 | +Use the [Cloud-to-Cloud Integration for Databricks Audit](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/databricks-audit-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Databricks Audit app is properly integrated and configured to collect and analyze your Databricks Audit data. |
| 106 | +::: |
| 107 | + |
| 108 | +### Create a new collector and install the app |
| 109 | + |
| 110 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 111 | + |
| 112 | +<AppCollectionOPtion1/> |
| 113 | + |
| 114 | +### Use an existing collector and install the app |
| 115 | + |
| 116 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 117 | + |
| 118 | +<AppCollectionOPtion2/> |
| 119 | + |
| 120 | +### Use an existing source and install the app |
| 121 | + |
| 122 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 123 | + |
| 124 | +<AppCollectionOPtion3/> |
| 125 | + |
| 126 | +## Viewing the Databricks Audit dashboards |
| 127 | + |
| 128 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 129 | + |
| 130 | +<ViewDashboards/> |
| 131 | + |
| 132 | +### Overview |
| 133 | + |
| 134 | +The **Databricks Audit - Overview** dashboard provides a comprehensive view of user activity, workspace operations, and security event trends across your Databricks environment. It delivers instant visibility into key metrics such as total users, total workspaces, and audit level distribution, helping teams quickly understand usage patterns and organizational structure. |
| 135 | + |
| 136 | +The dashboard tracks login activity and failed login attempts over time, allowing for rapid detection of authentication anomalies and potential security risks. Panels highlight the most active services and actions, along with a detailed audit summary, supporting effective monitoring of operational events and risk assessment. |
| 137 | + |
| 138 | +By consolidating these critical insights, the dashboard enables security and compliance teams to detect unusual behaviors, investigate incidents, and proactively strengthen the security of their Databricks workspaces. <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Databricks-Audit/Databricks-Audits-Overview.png' alt="Databricks-Audit-Overview" /> |
| 139 | + |
| 140 | +### Security Overview |
| 141 | + |
| 142 | +The **Databricks Audit - Security Overview** dashboard provides targeted insights into key security events and potential risk exposures across your Databricks environment. It enables proactive detection of suspicious activity by visualizing failed API calls over time, authentication method usage, and API response codes that may indicate unauthorized access attempts or configuration issues. |
| 143 | + |
| 144 | +Security teams can easily track trends in failed authentications and API errors, investigate root causes, and identify patterns that signal emerging threats or compliance violations. The dashboard also includes a geographic overview of audit activities, highlighting events originating from embargoed or high-risk regions to help monitor potential data exfiltration or policy breaches. |
| 145 | + |
| 146 | +By consolidating these critical security indicators, including summaries of failed API attempts and geographic context, the dashboard empowers teams to rapidly investigate incidents, respond to evolving risks, and maintain strong security and compliance across all Databricks workspaces. <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Databricks-Audit/Databricks-Audits-Security.png' alt="Databricks-Audit-Security" /> |
| 147 | + |
| 148 | +## Create monitors for Databricks Audit app |
| 149 | + |
| 150 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 151 | + |
| 152 | +<CreateMonitors/> |
| 153 | + |
| 154 | +### Databricks Audit monitors |
| 155 | + |
| 156 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 157 | +|:--|:--|:--|:--| |
| 158 | +| `Databricks Audits - Audits from Embargoed Geo Locations` | This alert is triggered when audit logs are generated from sanctioned or embargoed regions, helping you to maintain compliance with legal and regulatory requirements. | Critical | Count > 0 | |
| 159 | +| `Users with Failed Login` | This alert is triggered when there are more than three failed login attempts, supporting you to early detect the potential unauthorized access attempts. | Critical | Count > 3 | |
| 160 | + |
| 161 | +## Upgrading the Databricks Audit app (Optional) |
| 162 | + |
| 163 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 164 | + |
| 165 | +<AppUpdate/> |
| 166 | + |
| 167 | +## Uninstalling the Databricks Audit app (Optional) |
| 168 | + |
| 169 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 170 | + |
| 171 | +<AppUninstall/> |
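Review bot: the "API Response Code" query references fields it never extracts. Its leading `json` operator pulls only action_name, audit_level, event_time, response, service_name, source_ip_address, user_identity and workspace_id, yet the later stages use `| json field=request_params "authenticationMethod" as authentication_method nodrop`, `| where !isBlank(event_id) and !isBlank(status_code)` and `| count by event_id ,status_code`; add "event_id" and "request_params" (with matching aliases) to that first `json` operator so the authentication-method extraction and the event_id filter populate instead of silently yielding blanks or dropping everything. Two smaller points: the "Total Alerts" query ends with `| count by email_id | count`, which returns the number of distinct users rather than an alert count, so either the title or the aggregation should change; and in the Log types section the anchor text "audit logs" points at the Statement Execution API reference (`executestatement`), so the text should say the logs are read through that API or the URL should point at the audit log documentation. The monitor names are also inconsistent: `Users with Failed Login` lacks the `Databricks Audits -` prefix used by the other monitor.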