Επεξεργασία

Κοινή χρήση μέσω


Security Audit Data Columns

The Security Audit event category has the following event classes:

Event ID Event Name Event Description
1 Audit Login Collects all new connection events since the trace was started, such as when a client requests a connection to a server running an instance of SQL Server.
2 Audit Logout Collects all new disconnect events since the trace was started, such as when a client issues a disconnect command.
4 Audit Server Starts And Stops Records service shut down, start, and pause activities.
18 Audit Object Permission Event Records object permission changes.
19 Audit Admin Operations Event Records server backup/restore/synchronize/attach/detach/imageload/imagesave.

The following tables list the data columns for each of these event classes.

Audit Login

Column Name Column Id Column Type Column Description
EventClass 0 1 Event Class is used to categorize events.
CurrentTime 2 5 Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'.
StartTime 3 5 Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'.
Severity 22 1 Severity level of an exception.
Success 23 1 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check).
Error 24 1 Error number of a given event.
ConnectionID 25 1 Unique connection ID.
NTUserName 32 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
- Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN))
NTDomainName 33 8 Contains the domain name associated with the user account that triggered the command event.
- Windows domain name for Windows user accounts
- AzureAD for Microsoft Entra accounts
- NT AUTHORITY accounts without a Windows domain name, such as the Power BI service
ClientHostName 35 8 Name of the computer on which the client is running. This data column is populated if the host name is provided by the client.
ClientProcessID 36 1 The process ID of the client application.
ApplicationName 37 8 Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program.
NTCanonicalUserName 40 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
ServerName 43 8 Name of the server producing the event.

Audit Logout

Column Name Column Id Column Type Column Description
EventClass 0 1 Event Class is used to categorize events.
CurrentTime 2 5 Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'.
EndTime 4 5 Time at which the event ended. This column is not populated for starting event classes, such as SQL:BatchStarting or SP:Starting. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'.
Duration 5 2 Amount of time (in milliseconds) taken by the event.
CPUTime 6 2 Amount of CPU time (in milliseconds) used by the event.
Success 23 1 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check).
ConnectionID 25 1 Unique connection ID.
NTUserName 32 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
- Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN))
NTDomainName 33 8 Contains the domain name associated with the user account that triggered the command event.
- Windows domain name for Windows user accounts
- AzureAD for Microsoft Entra accounts
- NT AUTHORITY accounts without a Windows domain name, such as the Power BI service
ClientHostName 35 8 Name of the computer on which the client is running. This data column is populated if the host name is provided by the client.
ClientProcessID 36 1 The process ID of the client application.
ApplicationName 37 8 Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program.
NTCanonicalUserName 40 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
ServerName 43 8 Name of the server producing the event.

Audit Server Starts And Stops

Column Name Column Id Column Type Column Description
EventClass 0 1 Event Class is used to categorize events.
EventSubclass 1 1 Event Subclass provides additional information about each event class:

1: Instance Shutdown

2: Instance Started

3: Instance Paused

4: Instance Continued
CurrentTime 2 5 Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'.
Severity 22 1 Severity level of an exception.
Success 23 1 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check).
Error 24 1 Error number of a given event.
TextData 42 9 Text data associated with the event.
ServerName 43 8 Name of the server producing the event.

Audit Object Permission Event

Column Name Column Id Column Type Column Description
ObjectID 11 8 Object ID (note this is a string).
ObjectType 12 1 Object type.
ObjectName 13 8 Object name.
ObjectPath 14 8 Object path. A comma-separated list of parents, starting with the object's parent.
ObjectReference 15 8 Object reference. Encoded as XML for all parents, using tags to describe the object.
Severity 22 1 Severity level of an exception.
Success 23 1 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check).
Error 24 1 Error number of a given event.
ConnectionID 25 1 Unique connection ID.
DatabaseName 28 8 Name of the database in which the statement of the user is running.
NTUserName 32 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
- Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN))
NTDomainName 33 8 Contains the domain name associated with the user account that triggered the command event.
- Windows domain name for Windows user accounts
- AzureAD for Microsoft Entra accounts
- NT AUTHORITY accounts without a Windows domain name, such as the Power BI service
ClientHostName 35 8 Name of the computer on which the client is running. This data column is populated if the host name is provided by the client.
ClientProcessID 36 1 The process ID of the client application.
ApplicationName 37 8 Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program.
SessionID 39 8 Session GUID.
NTCanonicalUserName 40 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
SPID 41 1 Server process ID. This uniquely identifies a user session. This directly corresponds to the session GUID used by XML/A.
TextData 42 9 Text data associated with the event.
ServerName 43 8 Name of the server producing the event.

Audit Admin Operations Event

Column Name Column Id Column Type Column Description
EventSubclass 1 1 Event Subclass provides additional information about each event class:

1: Backup

2: Restore

3: Synchronize

4: Detach

5: Attach

6: ImageLoad

7: ImageSave
Severity 22 1 Severity level of an exception.
Success 23 1 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check).
Error 24 1 Error number of a given event.
ConnectionID 25 1 Unique connection ID.
DatabaseName 28 8 Name of the database in which the statement of the user is running.
NTUserName 32 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
- Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN))
NTDomainName 33 8 Contains the domain name associated with the user account that triggered the command event.
- Windows domain name for Windows user accounts
- AzureAD for Microsoft Entra accounts
- NT AUTHORITY accounts without a Windows domain name, such as the Power BI service
ClientHostName 35 8 Name of the computer on which the client is running. This data column is populated if the host name is provided by the client.
ClientProcessID 36 1 The process ID of the client application.
ApplicationName 37 8 Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program.
SessionID 39 8 Session GUID.
NTCanonicalUserName 40 8 Contains the user name associated with the command event. Depending on the environment, the user name is in the following form:
- Windows user account (DOMAIN\UserName)
- User Principal Name (UPN) (username@domain.com)
- Service Principal Name (SPN) (appid@tenantid)
- Power BI Service Account (Power BI Service)
SPID 41 1 Server process ID. This uniquely identifies a user session. This directly corresponds to the session GUID used by XML/A.
TextData 42 9 Text data associated with the event.
ServerName 43 8 Name of the server producing the event.