SQL Server Audit Action Group: SERVER_OBJECT_PERMISSION_CHANGE_GROUP

This group tracks changes of permissions on "server objects". We are unsure of what constitutes a "server object", but apparently this includes server master keys, server credentials and cryptographic providers.

This would seem to be an important audit action group because ownership changes are significant to the security of the system.

LOGbinder for SQL Server events generated under this Audit Action Group:

Event ID	Description
24172	Issued grant server object permissions command
24173	Issued grant server object permissions with grant command
24174	Issued deny server object permissions command
24175	Issued deny server object permissions with cascade command
24176	Issued revoke server object permissions command
24177	Issued revoke server object permissions with grant command
24178	Issued revoke server object permissions with cascade command
24291	Issued grant user-defined server role permissions command
24292	Issued grant user-defined server role permissions with grant command
24293	Issued deny user-defined server role permissions command
24294	Issued deny user-defined server role permissions with cascade command
24295	Issued revoke user-defined server role permissions command
24296	Issued revoke user-defined server role permissions with grant command
24297	Issued revoke user-defined server role permissions with cascade command

 

Upcoming Webinars Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Server Audit Specification
•	Database Audit Specification
•	Audit Action Groups
•	Audit Actions
•	Audit Policy Wizard