SQL Server Audit Action Group: Database-level_audit_actions

Available in New to:
Database
Audit
Specification
Server
Audit
Specification
2012 2016
   

Most auditable operations in SQL Server are grouped together in Audit Action Groups but a few operations are available individually for more granular audit policy definition. These are called Audit Actions.

Audit Actions allow you to audit tables and stored procedures. Audit actions mandate that table row commands (select, insert, update, delete) and a few other commands be audited on specified database objects when performed by specified users or roles. For instance you can audit whenever EXECUTE is run on a certain stored procedure or if someone runs a DELETE command against a certain table.

Audit action rules are very useful for auditing core database activity on critical or sensitive tables and stored procedures.

The commands that can be audited are:

  • Select
  • Insert
  • Update
  • Delete
  • Execute (stored procedure)
  • Receive (queue)
  • References (raised whenever a REFERENCES permission is checked)

When you enable auditing of one of these commands you must specify which objects the rule will be applicable to. In the Object Type column of the audit rule you can select:

  • Database - If you select this, the command will be audited for all relevant objects in the database. There is no need to specify
  • Schema - You will need to then select a schema within the database. The command will be audited for all relevant objects within that schema.
  • Object - You will need to then select the appropriate object. For instance if the command is INSERT, you will need to select a table; or if the command is EXECUTE, you will need to select a stored procedure.

You must also specify a principal (i.e. user, database role or application role) for whom the command is audited. For example, if you enable EXECUTE for auditing and select db_datawriter as the principal, the command will only be audited when members of db_datawriter run it.

LOGbinder for SQL Server events generated under this Audit Action Group:

Event ID Description
24281 Issued select command
24282 Issued update command
24283 Issued insert command
24284 Issued delete command
24285 Issued execute command
24286 Issued receive command
24287 Issued check references command

 

Additional Resources