Security Audit Data Columns
The Security Audit event category has the following event classes:
| Event ID | Event Name | Event Description |
|---|---|---|
| 1 | Audit Login | Collects all new connection events since the trace was started, such as when a client requests a connection to a server running an instance of SQL Server. |
| 2 | Audit Logout | Collects all new disconnect events since the trace was started, such as when a client issues a disconnect command. |
| 4 | Audit Server Starts And Stops | Records service shut down, start, and pause activities. |
| 18 | Audit Object Permission Event | Records object permission changes. |
| 19 | Audit Admin Operations Event | Records server backup/restore/synchronize/attach/detach/imageload/imagesave. |
The following tables list the data columns for each of these event classes.
Audit Login
| Column Name | Column Id | Column Type | Column Description |
|---|---|---|---|
| EventClass | 0 | 1 | Event Class is used to categorize events. |
| CurrentTime | 2 | 5 | Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'. |
| StartTime | 3 | 5 | Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'. |
| Severity | 22 | 1 | Severity level of an exception. |
| Success | 23 | 1 | 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check). |
| Error | 24 | 1 | Error number of a given event. |
| ConnectionID | 25 | 1 | Unique connection ID. |
| NTUserName | 32 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) - Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN)) |
| NTDomainName | 33 | 8 | Contains the domain name associated with the user account that triggered the command event. - Windows domain name for Windows user accounts - AzureAD for Microsoft Entra accounts - NT AUTHORITY accounts without a Windows domain name, such as the Power BI service |
| ClientHostName | 35 | 8 | Name of the computer on which the client is running. This data column is populated if the host name is provided by the client. |
| ClientProcessID | 36 | 1 | The process ID of the client application. |
| ApplicationName | 37 | 8 | Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program. |
| NTCanonicalUserName | 40 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) |
| ServerName | 43 | 8 | Name of the server producing the event. |
Audit Logout
| Column Name | Column Id | Column Type | Column Description |
|---|---|---|---|
| EventClass | 0 | 1 | Event Class is used to categorize events. |
| CurrentTime | 2 | 5 | Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'. |
| EndTime | 4 | 5 | Time at which the event ended. This column is not populated for starting event classes, such as SQL:BatchStarting or SP:Starting. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'. |
| Duration | 5 | 2 | Amount of time (in milliseconds) taken by the event. |
| CPUTime | 6 | 2 | Amount of CPU time (in milliseconds) used by the event. |
| Success | 23 | 1 | 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check). |
| ConnectionID | 25 | 1 | Unique connection ID. |
| NTUserName | 32 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) - Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN)) |
| NTDomainName | 33 | 8 | Contains the domain name associated with the user account that triggered the command event. - Windows domain name for Windows user accounts - AzureAD for Microsoft Entra accounts - NT AUTHORITY accounts without a Windows domain name, such as the Power BI service |
| ClientHostName | 35 | 8 | Name of the computer on which the client is running. This data column is populated if the host name is provided by the client. |
| ClientProcessID | 36 | 1 | The process ID of the client application. |
| ApplicationName | 37 | 8 | Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program. |
| NTCanonicalUserName | 40 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) |
| ServerName | 43 | 8 | Name of the server producing the event. |
Audit Server Starts And Stops
| Column Name | Column Id | Column Type | Column Description |
|---|---|---|---|
| EventClass | 0 | 1 | Event Class is used to categorize events. |
| EventSubclass | 1 | 1 | Event Subclass provides additional information about each event class: 1: Instance Shutdown 2: Instance Started 3: Instance Paused 4: Instance Continued |
| CurrentTime | 2 | 5 | Time at which the event started, when available. For filtering, expected formats are 'YYYY-MM-DD' and 'YYYY-MM-DD HH:MM:SS'. |
| Severity | 22 | 1 | Severity level of an exception. |
| Success | 23 | 1 | 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check). |
| Error | 24 | 1 | Error number of a given event. |
| TextData | 42 | 9 | Text data associated with the event. |
| ServerName | 43 | 8 | Name of the server producing the event. |
Audit Object Permission Event
| Column Name | Column Id | Column Type | Column Description |
|---|---|---|---|
| ObjectID | 11 | 8 | Object ID (note this is a string). |
| ObjectType | 12 | 1 | Object type. |
| ObjectName | 13 | 8 | Object name. |
| ObjectPath | 14 | 8 | Object path. A comma-separated list of parents, starting with the object's parent. |
| ObjectReference | 15 | 8 | Object reference. Encoded as XML for all parents, using tags to describe the object. |
| Severity | 22 | 1 | Severity level of an exception. |
| Success | 23 | 1 | 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check). |
| Error | 24 | 1 | Error number of a given event. |
| ConnectionID | 25 | 1 | Unique connection ID. |
| DatabaseName | 28 | 8 | Name of the database in which the statement of the user is running. |
| NTUserName | 32 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) - Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN)) |
| NTDomainName | 33 | 8 | Contains the domain name associated with the user account that triggered the command event. - Windows domain name for Windows user accounts - AzureAD for Microsoft Entra accounts - NT AUTHORITY accounts without a Windows domain name, such as the Power BI service |
| ClientHostName | 35 | 8 | Name of the computer on which the client is running. This data column is populated if the host name is provided by the client. |
| ClientProcessID | 36 | 1 | The process ID of the client application. |
| ApplicationName | 37 | 8 | Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program. |
| SessionID | 39 | 8 | Session GUID. |
| NTCanonicalUserName | 40 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) |
| SPID | 41 | 1 | Server process ID. This uniquely identifies a user session. This directly corresponds to the session GUID used by XML/A. |
| TextData | 42 | 9 | Text data associated with the event. |
| ServerName | 43 | 8 | Name of the server producing the event. |
Audit Admin Operations Event
| Column Name | Column Id | Column Type | Column Description |
|---|---|---|---|
| EventSubclass | 1 | 1 | Event Subclass provides additional information about each event class: 1: Backup 2: Restore 3: Synchronize 4: Detach 5: Attach 6: ImageLoad 7: ImageSave |
| Severity | 22 | 1 | Severity level of an exception. |
| Success | 23 | 1 | 1 = success. 0 = failure (for example, a 1 means success of a permissions check and a 0 means a failure of that check). |
| Error | 24 | 1 | Error number of a given event. |
| ConnectionID | 25 | 1 | Unique connection ID. |
| DatabaseName | 28 | 8 | Name of the database in which the statement of the user is running. |
| NTUserName | 32 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) - Power BI Service on behalf of a UPN or SPN (Power BI Service (UPN/SPN)) |
| NTDomainName | 33 | 8 | Contains the domain name associated with the user account that triggered the command event. - Windows domain name for Windows user accounts - AzureAD for Microsoft Entra accounts - NT AUTHORITY accounts without a Windows domain name, such as the Power BI service |
| ClientHostName | 35 | 8 | Name of the computer on which the client is running. This data column is populated if the host name is provided by the client. |
| ClientProcessID | 36 | 1 | The process ID of the client application. |
| ApplicationName | 37 | 8 | Name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program. |
| SessionID | 39 | 8 | Session GUID. |
| NTCanonicalUserName | 40 | 8 | Contains the user name associated with the command event. Depending on the environment, the user name is in the following form: - Windows user account (DOMAIN\UserName) - User Principal Name (UPN) (username@domain.com) - Service Principal Name (SPN) (appid@tenantid) - Power BI Service Account (Power BI Service) |
| SPID | 41 | 1 | Server process ID. This uniquely identifies a user session. This directly corresponds to the session GUID used by XML/A. |
| TextData | 42 | 9 | Text data associated with the event. |
| ServerName | 43 | 8 | Name of the server producing the event. |