Search audit logs for connections from prohibited IP addresses

Use audit logs to review and validate connection attempts to your workspace.

Written by John.Lourdu

Last published at: January 20th, 2023

IP access lists can be used to restrict access to Databricks based on known network locations. Once enabled, an IP access list requires uses to login from an allowed address. If a user attempts to login from any IP address not on the access list, the login is denied. Review the IP access list documentation for more details.

Best practices involve periodically reviewing the IP access logs to see if any login attempts were made from outside the permitted range. After you identify access attempts made from prohibited IP addresses, you can follow up with appropriate action. For example, if the attempts were made by a legitimate use, you may want to permit additional IP ranges in the access list. If the attempts were not made by legitimate users, you may want to review your security profile.


Information on access attempts is stored in the Databricks audit logs. You can use Databricks notebooks to analyze the audit logs and track activities performed by users. This example shows you how to search the audit logs for times when someone tried to login to your workspace from a prohibited IP address. 

  1. Load the audit logs as a DataFrame and register the DataFrame as a temp table. You will need to enter the S3 <bucket-name> and the full <path-to-audit-logs>. Review the Configure audit log delivery documentation for more information.
    val df ="json").load("s3a://<bucket-name>/<path-to-audit-logs>")
  2. Query the audit log based on the date range and accounts that attempted access from a prohibited IP address. You will need to enter the <start-date> and the <end-date>of the date range to search before running the sample code.
      get_json_object(rawMessage, '$.response.statusCode') StatusCode,
      get_json_object(rawMessage, '$.response.errorMessage') AS errorMessage
      date >= "<start-date>" #Date in yyyy-MM-dd format
      and date <= "<end-date>" #Date in yyyy-MM-dd format
      and serviceName = "accounts"
      and actionName = "IpAccessDenied" 
    order by
  3. The results display all instances when a user was denied access based on their IP address.
  4. Take appropriate action based on the results and you use case.


You can modify this sample code to search based on other serviceName and actionName values as required.

Was this article helpful?