Databricks


Databricks audit events provide visibility into user activity, job runs, cluster usage, and workspace changes - helping security and compliance teams monitor access and usage patterns. For detailed information, refer to the Databricks audit logs documentation.

Integration Method: API and S3.

Note:

For S3 ingestion, refer to the linked documentation for Datasource configuration. Follow the steps outlined in the Databricks Audit Log Delivery Guide, and then configure service principal access to Databricks using OAuth (M2M authentication) as described in the official documentation.

Tables: Account change (3001), Authentication (3002), Scan Activity (6007), File System Activity (1001), Detection Finding (2004), User Access Management (3005), SSH Activity (4007)

This integration supports the following types of events.

Event | Description
Audits | Retrieve a list of all audit events.


This integration supports the following versions:

Databricks version | v2025.16 (Serverless SQL Warehouse – Current Channel)
Databricks SQL Statement API version | 2.0

Prerequisites

  • The user should have access to the Databricks portal as an Administrator. 

  • The user should have access to the DataBee console.

Configuration Overview

  1. Generate API credentials from the Databricks portal.

    1. Generate a personal access token.

    2. Retrieve the SQL Warehouse ID from the Databricks UI.

  2. Create a Databricks Data Feed in the DataBee console with the required credentials.

    DataBee Parameter | Databricks Parameter
    Token | Token
    API Base URL (<instance>) | Databricks Instance
    Warehouse Id | warehouse_id

Databricks Configuration

Generate Token

  1. Sign in to your Databricks instance as an Administrator.

  2. Copy the instance value from the URL for later use.
     

  3. Click on your profile icon (top right corner).

    1. Select Settings from the dropdown menu.
       

  4. Under Settings,

    1. Under User, click on the Developer tab.
       

  5. In the Developer section, click Manage.
     

  6. Click the Generate new token button.
     

  7. Add a comment for reference.

    1. Click Generate.

      Note:

      The token will expire after 90 days. Users must re-generate a new token once it expires.

       

  8. Copy the token securely (you will not be able to view it again).

    1. Click on the Done button.
       

Retrieve Warehouse Id

  1. On the left sidebar, click on SQL Warehouses.

  2. On the SQL Warehouses tab, click on the name of the warehouse you want to use.
     

  3. Copy the warehouse Id for later use.
     

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for Databricks and click it.
     

  3. Click on the API Ingest option for collection method.

  4. Enter basic contact information in the contact form and click Next.
     

  5. In the following dialog box, enter the following:

    • Authorization Method: Bearer Token

    • Token: Paste the token that was generated in the earlier step.

    • Warehouse Id: Paste the warehouse Id that was retrieved in the earlier step.

    • API Base URL: Replace <instance> with your instance value.

    • Event types: Preselected for all the event types that integration pulls.
       

  6. Click Submit.

Troubleshooting Tips

If you're receiving a 401 Unauthorized response, it could be due to one of the following:

  • Incorrect credentials: Double-check that your token and other authentication details are correct.

  • Expired token: Tokens expire after 90 days. If your token has expired, re-generate a new one to restore access.
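
To catch the 90-day expiry before the feed starts returning 401, the token's expiry can be checked ahead of time. The script below is an added example, not part of the DataBee or Databricks documentation: it reads the Databricks Token API listing (`GET /api/2.0/token/list`) and flags tokens that are expired or close to expiry. It assumes the instance value is a bare host name; the environment variable names, the 14-day warning window and the sample data are constructed for illustration.

```python
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def _ms(dt):
    return int(dt.timestamp() * 1000)  # the Token API reports epoch milliseconds

# Constructed sample shaped like a /api/2.0/token/list response.
SAMPLE = {"token_infos": [
    {"token_id": "t-001", "comment": "DataBee feed", "expiry_time": _ms(datetime(2025, 6, 8, tzinfo=UTC))},
    {"token_id": "t-002", "comment": "old test", "expiry_time": _ms(datetime(2025, 5, 20, tzinfo=UTC))},
    {"token_id": "t-003", "comment": "long lived", "expiry_time": _ms(datetime(2025, 8, 30, tzinfo=UTC))},
    {"token_id": "t-004", "comment": "no expiry", "expiry_time": -1},
]}

def tokens_needing_rotation(token_list, now, warn_days=14):
    """Return (comment, token_id, days_left) for tokens expired or expiring within warn_days."""
    flagged = []
    for info in token_list.get("token_infos", []):
        expiry_ms = info.get("expiry_time", -1)
        if expiry_ms < 0:  # -1 means the token has no expiry
            continue
        expiry = datetime.fromtimestamp(expiry_ms / 1000, tz=UTC)
        days_left = (expiry - now) // timedelta(days=1)  # negative once expired
        if days_left <= warn_days:
            flagged.append((info.get("comment", ""), info["token_id"], days_left))
    return sorted(flagged, key=lambda t: t[2])

def fetch_token_list(instance, token):
    """List the calling user's tokens; a 401 here means the token is already unusable."""
    req = urllib.request.Request(f"https://{instance}/api/2.0/token/list",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise SystemExit("401 Unauthorized: token is incorrect or expired; generate a new one")
        raise

if __name__ == "__main__":
    # Hypothetical variable names; without them the constructed sample is used.
    host, tok = os.environ.get("DATABRICKS_INSTANCE"), os.environ.get("DATABRICKS_TOKEN")
    data = fetch_token_list(host, tok) if host and tok else SAMPLE
    for comment, token_id, days in tokens_needing_rotation(data, datetime.now(UTC)):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{token_id} ({comment}): {state}")
```

The comment added when generating the token is what identifies the DataBee token in this output, so a descriptive comment makes rotation easier to schedule.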