{"id":6952,"date":"2025-07-29T09:42:15","date_gmt":"2025-07-29T14:42:15","guid":{"rendered":"https:\/\/andreas-wolter.com\/?p=6952"},"modified":"2026-03-09T12:37:16","modified_gmt":"2026-03-09T17:37:16","slug":"202507_recommended_security_auditing_databases_sql_server","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/202507_recommended_security_auditing_databases_sql_server\/","title":{"rendered":"Recommendation for Security Auditing for databases &#8211; with example for Microsoft SQL Server"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-m0cxh8ps-392c21b3d3ea22555bda169a4445db84\">\n#top .av-special-heading.av-m0cxh8ps-392c21b3d3ea22555bda169a4445db84{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-m0cxh8ps-392c21b3d3ea22555bda169a4445db84 .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-m0cxh8ps-392c21b3d3ea22555bda169a4445db84 .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-m0cxh8ps-392c21b3d3ea22555bda169a4445db84 av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Recommendation for Security Auditing for databases &#8211; with example for Microsoft SQL Server<\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-m0cxgkjy-c935304b4106b45214698f40e83a9894 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>In this article, I want to share what I consider an essential minimum security audit definition for database systems, using Microsoft SQL Server as example.<\/p>\n<p>As my readers know, Auditing is one of the most important security controls that we have. It is thanks to Auditing that we can prove who did what, and also what has not been done. This can be done by analyzing the \u201cAudit trail\u201d, a concept which I describe here: <a href=\"https:\/\/andreas-wolter.com\/en\/202109_security_concept_audit_trail\/\"><strong>Security concept: Audit Trail<\/strong><\/a>.<\/p>\n<p>In short, auditing &#8211; which should always include both logging and (automated) review &#8211; helps you to:<\/p>\n<ul>\n<li>To <strong>prevent breaches<\/strong> if you detect attacks in the reconnaissance-scanning phase<\/li>\n<li><strong>Limit breaches<\/strong> by detecting breaches early<\/li>\n<\/ul>\n<p>And of course, in the <strong>containment and recovery <\/strong>phase:<\/p>\n<ul>\n<li>To determine which systems need to be contained<\/li>\n<li>To track back how a breach occurred<\/li>\n<li>To be able to determine if it has been successfully contained<\/li>\n<\/ul>\n<p>Otherwise, how could you be sure that you found all breached accounts and potential backdoors if you have no logs of such activities going back to the time when the attacker gained access to the system?<\/p>\n<p style=\"padding-left: 40px;\"><strong><em>Real-world examples of breaches facilitated due to a lack of Auditing<\/em><\/strong><\/p>\n<p style=\"padding-left: 40px;\">This lack of an active audit has bitten many companies, including <strong>Microsoft,<\/strong> when it was breached by russia\u2019s foreign intelligence service, using the group <strong>Midnight Blizzard<\/strong> in 2024, and only many months later, the breach and even later the vastness of it emerged. In an attempt to contain the unknown, a huge effort that included closing unused Azure subscriptions and months of Engineering efforts was undertaken, the effects of which still ripple on. Many months of potential new feature development were lost which shows in the small set of security additions in SQL Server 2025. (So, whenever you hear me criticize this fact, it does not mean I am blaming the PMs or engineers, as I know the reasons behind this. All I hope is that leadership listens to customers again and invests in the security team rather than keeps slimming it.)<\/p>\n<p style=\"padding-left: 40px;\">Lack of Auditing was a major handicap in the <strong>SolarWinds \/ Orion Supply<\/strong><strong>\u2011<\/strong><strong>Chain Breach <\/strong>2019\/2020: \u201cThe government couldn\u2019t tell how they got in and how far across the network they had gone. It was also \u201creally difficult to tell what they had taken.\u201d <a href=\"https:\/\/www.wired.com\/story\/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever\" target=\"_blank\" rel=\"noopener\">https:\/\/www.wired.com\/story\/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever<\/a><\/p>\n<p style=\"padding-left: 40px;\">And 2019, the Capital One breach went undetected for months until the attacker boasted about his success online.<\/p>\n<p style=\"padding-left: 40px;\">The list goes on.<\/p>\n<p>That is why I am a staunch proponent that <strong>every SQL Server and other database system should have a security audit active by default<\/strong>, just like Windows has it for decades.<br \/>\nCurrently, Auditing must be turned on and configured after setup.<\/p>\n<p style=\"padding-left: 40px;\"><strong><em>Auditing in Azure SQL Database \u2013 renewed infrastructure<\/em><\/strong><\/p>\n<p style=\"padding-left: 40px;\">The standard Audit that gets activated in Azure SQL database via the Azure portal is essentially a catch-all audit, which captures every single event (BATCH_COMPLETED) \u2013 an overkill for many systems.<br \/>\nI do not have the numbers for the overhead that the new architecture, which was rolled out mid-2025 (<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/azuresqlblog\/enhanced-server-audit-for-azure-sql-database-greater-performance-availability-an\/4366433\" target=\"_blank\" rel=\"noopener\">Enhanced Server Audit for Azure SQL Database: Greater Performance, Availability and Reliability<\/a> ), but as a general rule, no observation comes for free, even if the overhead is much lower now.<br \/>\nOf course, most importantly, the new auditing infrastructure does not have the issue of lost events, which the former Auditing architecture for Azure SQL DB had (SQL Server Auditing did not have this issue). <strong>With the new architecture, Azure SQL DB Auditing is now enterprise ready<\/strong>.<\/p>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2>The goal: an Audit that captures any directly security-impacting activity<\/h2>\n<p>My bare-minimum(!) recommendation for any customer is:<\/p>\n<blockquote><p><strong>Every operation that alters the security configuration of the system should be audited \u2013 even if there is no specific regulatory requirement.<\/strong><\/p><\/blockquote>\n<p>In some environments, those would also need to be under <em>Separation of Duties<\/em>. If you are familiar with SoD, you might be aware that Auditing is a classic example of a <em>compensating control<\/em>.<br \/>\nAnother strong argument can be found in the NIST-standards for Security and Privacy Controls for Information Systems and Organizations: The Audit and Accountability (AU) control family specifies under Control Number AC-6 for LEAST PRIVILEGE: \u201cLog the execution of privileged functions\u201d.<br \/>\nWith this background, here are some of the events to always Audit:<\/p>\n<p>These are some of those events to always Audit:<\/p>\n<ul>\n<li>Creating new accounts (Logins or Users)<\/li>\n<li>Changing passwords of Logins\/Users<\/li>\n<li>Changing permissions<\/li>\n<li>Adding accounts to highly privileged roles\/groups<\/li>\n<li>Impersonating another account (basically assuming the other account\u2019s permissions)<\/li>\n<li>Turning off Encryption, i.e. TDE (Transparent Data Encryption)<\/li>\n<li>Altering ownership of objects (in systems using Discretionary Access Control (DAC) such as SQL Server, this directly influences permissions)<\/li>\n<\/ul>\n<p>All these activities can leave the system in a less secure state than before and that\u2019s why <strong>these activities should be audited = logged and reviewed<\/strong>. <u>No matter which database engine or offering.<\/u><\/p>\n<blockquote><p><strong>Auditing means: Logging and Reviewing. Logging alone does not help prevent anything.<\/strong><\/p><\/blockquote>\n<h3><\/h3>\n<h3><\/h3>\n<h3>Plus: always audit for successful account breaches and attempts thereof<\/h3>\n<p>In addition to the above list of activities, I recommend to also <strong>always audit both successful and failed logon events<\/strong>. While these do not fall under the definition of impacting the security configuration, these are always critical events to monitor for the following reasons:<\/p>\n<ol>\n<li>To detect if someone tries to breach an account (Logon Failure)<\/li>\n<li>Or, if a breach was successful (Logon successful)<\/li>\n<li>And, thirdly, to develop a pattern for what Logon times and User-combinations are normal. This will also help determine if a successful Logon is suspicious.<\/li>\n<\/ol>\n<p>While this article uses the example of Microsoft SQL Server, <strong>all these recommendations are the same for any other database system<\/strong>, whether it\u2019s Azure SQL database in Fabric, PostgreSQL, Oracle, \u00a0DB2 or Snowflake. It\u2019s just the technique and capabilities that vary. At the end of this article, I will provide links to get started with Auditing for some of these systems.<\/p>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2>Should you audit more than that?<\/h2>\n<p>You may think, \u201cWhy not audit for any security violations by default?\u201d.<\/p>\n<p>My answer: <strong>You absolutely should.<\/strong> If you have a definition of what comprises a security violation in your environment, please absolutely do audit those activities as well.<\/p>\n<p>My recommendation is what should be done for every system at the bare minimum.<\/p>\n<p>That is why I draw the line for activities that change the security posture rather than try to look for Data Exfiltration, for example. I cannot decide this for any system type generically. That is why I do not include BACKUP events in this audit. Yes, it could be initiated maliciously and be considered Data Exfiltration. However, so could be any SELECT-statement. But instead of blindly recommending everyone to audit every type of access on every system I decided to draw the line at security-posture influencing events as a general recommendation.<\/p>\n<p>If you know you need specific other events, do not feel discouraged. More is better, as long as you know what you can use it for.<\/p>\n<p style=\"padding-left: 40px;\"><strong><em>Note: Avoid Alert Fatigue<\/em><\/strong><br \/>\nOverloading your team with an excessive volume of captured events and running SIEM systems without proper configuration is counterproductive. Without tuning your SIEM to fit your specific environment, you risk drowning in noise, missing real threats, and exhausting your resources on false positives.<\/p>\n<p>Now let\u2019s get to the specific events for SQL Server Auditing.<\/p>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2>List of Audit actions to capture<\/h2>\n<p>Here is the list of events as they are available in Microsoft SQL Server for the audit specification that include the above listed activities:<\/p>\n<p style=\"padding-left: 40px;\">&#8212; Before creating this Audit Specification, you need to create an Audit which I am not showing here. I am using the name SQL_Default_Audit but of course you use whatever you defined.<\/p>\n<p style=\"padding-left: 40px;\">CREATE SERVER AUDIT SPECIFICATION [SQL_Default_AuditSpecification]<\/p>\n<p style=\"padding-left: 40px;\">FOR SERVER AUDIT SQL_Default_Audit \u2013 name of the Audit created beforehand<\/p>\n<p style=\"padding-left: 40px;\">&#8212; server scope<\/p>\n<p style=\"padding-left: 40px;\">\u00a0 ADD (AUDIT_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DBCC_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (EXTGOV_OPERATION_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_OBJECT_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_OPERATION_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_PERMISSION_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_PRINCIPAL_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SERVER_STATE_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (LOGIN_CHANGE_PASSWORD_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">&#8211;Connection attempts<\/p>\n<p style=\"padding-left: 40px;\">, ADD (FAILED_LOGIN_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (SUCCESSFUL_LOGIN_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (FAILED_DATABASE_AUTHENTICATION_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">&#8212; database scope<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_OWNERSHIP_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_PRINCIPAL_CHANGE_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">, ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP)<\/p>\n<p style=\"padding-left: 40px;\">WITH (STATE = ON)<\/p>\n<p style=\"padding-left: 40px;\">GO<\/p>\n<h3><\/h3>\n<h3><\/h3>\n<h3>Limiting background noise in SQL Server Auditing<\/h3>\n<p>If you use this Audit specification, you will find out that your Audit Log quickly pollutes with hundreds, if not thousands, of SELECTs coming from either Action_ID VSST = VIEW SERVER STATE or VW = VIEW (COLUMN ENCRYPTION KEY or COLUMN MASTER KEY) per day.<br \/>\nThose are read-access to system views and mostly come from background tasks. For example, SQL Server Management Studio runs them for every refresh. In my opinion, those should have their own Audit_Group and not be mixed under actual Server or database \u201coperations\u201d since they don\u2019t do anything. They are called by SSMS in the background, which is why you get these massive amounts.<\/p>\n<p>As long as those events do not receive their own Audit Action Groups we need to use the Filter property in the Audit itself to filter those harmless activities but massive amounts of data before storing them. (In SQL Server, the Audit object defines the target and is created before the specification, which I show above.)<br \/>\nTo filter out selects on server scoped dynamic management views, you would need to add the following in the Audit filter:<\/p>\n<p>([ACTION_ID]<>1414746966) \/*VSST = VIEW SERVER STATE*\/<\/p>\n<p>I hope that saves you some time and headache.<\/p>\n<p style=\"padding-left: 40px;\"><strong><em>Important note on SQL Server 2022<\/em><\/strong><\/p>\n<p style=\"padding-left: 40px;\">If you are on SQL Server 2022,<strong> make sure to have at least Cumulative Update 19 installed<\/strong>. Because SQL Server 2022 had a <a href=\"https:\/\/andreas-wolter.com\/en\/2502-sql-auditing-missing-permission-changes-security-bug\/\">bug in Auditing for SQL Server 2022<\/a>, which prevented the SERVER_PERMISSION_CHANGE-Audit Action from capturing events, which is part of this list for good reasons. This was fixed with CU 19.<\/p>\n<p>Hopefully, this helps with rolling out security auditing on your SQL Server installations and thus increases the security of your SQL Server systems.<\/p>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2>Note on STIG-compliance<\/h2>\n<p>If you are operating within the Department of Defense (DoD) network, are a defense contractor, or an organization interacting with the DoD supply chain, you need to comply with <a href=\"https:\/\/public.cyber.mil\/stigs\/\" target=\"_blank\" rel=\"noopener\">Security Technical Implementation Guides (STIGs<\/a>), published by Defense Information Systems Agency (DISA)<\/p>\n<p style=\"padding-left: 40px;\"><em>Coincidentally, one of the contributors for the SQL Server STIGs, Adrian Rupp, kindly reviewed this article \ud83d\ude42<\/em><\/p>\n<p>This Audit recommendation of this article will give you a good start and help you to comply with many of the Audit-related rules. But <strong>you will need to audit additional activities to comply with all Audit-related STIG rules<\/strong>. For example, you also need to audit access to schema-objects and other things. You can use the described Audit as a start and add a complementary Audit in addition or extend this Audit.<\/p>\n<p style=\"padding-left: 40px;\"><strong>This is great, but you require security assurance and want to be notified of suspicious events?<\/strong><\/p>\n<p style=\"padding-left: 40px;\">If you&#8217;re looking for an expert to review your environment and specific requirements\u2014helping not only with auditing but also with setting up processes to parse data and automatically alert on suspicious activity &#8211; my team and I would be happy to assist. (<strong>Inquiries <\/strong><a href=\"https:\/\/sarpedonqualitylab.us\/contact\/\" target=\"_blank\" rel=\"noopener\"><strong>here<\/strong><\/a>). &#8211; That includes efficiently assessing your systems based on the latest STIGs for Microsoft SQL Server.<br \/>\nIf you want to learn more about what we can do, <a href=\"https:\/\/sarpedonqualitylab.us\/contact\/\" target=\"_blank\" rel=\"noopener\">talk to us<\/a>.<\/p>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2>Lastly: help improve Auditing in SQL Server<\/h2>\n<p>If you want to help improving Auditing in SQL Server, here are a few Feedback-items which you can <strong>upvote<\/strong> to help the Auditing team prioritize those issues:<\/p>\n<ol>\n<li><a href=\"https:\/\/feedback.azure.com\/d365community\/idea\/e39b989e-eeb6-ee11-92bc-0022484c4141\" target=\"_blank\" rel=\"noopener\">Implicit addition of database user is not audited<\/a><\/li>\n<li><a href=\"https:\/\/feedback.azure.com\/d365community\/idea\/4a378000-82bd-ef11-95f5-000d3a7d9e49\" target=\"_blank\" rel=\"noopener\">Document ALL_AUDIT_SPECIFICATIONS_AND_ACTIONS wait type<\/a><\/li>\n<li><a href=\"https:\/\/feedback.azure.com\/d365community\/idea\/57ca4365-71e3-ef11-b542-00224854717c\" target=\"_blank\" rel=\"noopener\">RESTORE VERIFYONLY should not be captured under CREATE DATABASE Audit Action group<\/a><\/li>\n<\/ol>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2><\/h2>\n<h2>Links to get you started with Auditing for your database system<\/h2>\n<p>Here are the promised links that may serve as a starting point for auditing different database systems:<\/p>\n<ul>\n<li><strong>Security concept: Audit Trail<\/strong> <a href=\"https:\/\/andreas-wolter.com\/en\/202109_security_concept_audit_trail\/\">https:\/\/andreas-wolter.com\/en\/202109_security_concept_audit_trail\/<\/a><\/li>\n<li><strong>Microsoft SQL Server<\/strong>: <a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/auditing\/sql-server-audit-database-engine\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/auditing\/sql-server-audit-database-engine<\/a><\/li>\n<li><strong>Azure SQL Managed Instance<\/strong>: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-sql\/managed-instance\/auditing-configure?view=azuresql\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/azure\/azure-sql\/managed-instance\/auditing-configure?view=azuresql<\/a><\/li>\n<li><strong>Azure SQL Database and Azure Synapse Analytics<\/strong>: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-sql\/database\/auditing-setup\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/azure\/azure-sql\/database\/auditing-setup<\/a><\/li>\n<li><strong>Azure SQL Database in Fabric does not support Auditing (yet).<\/strong> Keep this in mind if you work with sensitive data: <a href=\"https:\/\/learn.microsoft.com\/en-us\/fabric\/database\/sql\/feature-comparison-sql-database-fabric\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/fabric\/database\/sql\/feature-comparison-sql-database-fabric<\/a><\/li>\n<li><strong>Fabric Data Warehouse<\/strong>: <a href=\"https:\/\/learn.microsoft.com\/en-us\/fabric\/data-warehouse\/sql-audit-logs\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/fabric\/data-warehouse\/sql-audit-logs<\/a><\/li>\n<li><strong>Microsoft Purview<\/strong>: <a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/audit-solutions-overview\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/purview\/audit-solutions-overview<\/a><\/li>\n<li><strong>Oracle database<\/strong>: <a href=\"https:\/\/www.oracle.com\/database\/technologies\/security\/db-auditing.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.oracle.com\/database\/technologies\/security\/db-auditing.html<\/a><\/li>\n<li><strong>PostgreSQL<\/strong>:\n<ul>\n<li>Microsoft Azure: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/postgresql\/flexible-server\/concepts-audit\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/azure\/postgresql\/flexible-server\/concepts-audit<\/a><\/li>\n<li>Google Cloud: <a href=\"https:\/\/cloud.google.com\/sql\/docs\/postgres\/pg-audit\" target=\"_blank\" rel=\"noopener\">https:\/\/cloud.google.com\/sql\/docs\/postgres\/pg-audit<\/a><\/li>\n<li>Amazon AWS: <a href=\"https:\/\/docs.aws.amazon.com\/AmazonRDS\/latest\/UserGuide\/Appendix.PostgreSQL.CommonDBATasks.pgaudit.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/AmazonRDS\/latest\/UserGuide\/Appendix.PostgreSQL.CommonDBATasks.pgaudit.html<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>MongoDB<\/strong>: <a href=\"https:\/\/www.mongodb.com\/docs\/manual\/tutorial\/configure-auditing\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.mongodb.com\/docs\/manual\/tutorial\/configure-auditing\/<\/a><\/li>\n<li><strong>Snowflake<\/strong>: <a href=\"https:\/\/docs.snowflake.com\/en\/sql-reference\/account-usage\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.snowflake.com\/en\/sql-reference\/account-usage<\/a><\/li>\n<\/ul>\n<p>Happy Auditing<\/p>\n<p>Andreas<\/p>\n<p>Reviewed by: Adrian Rupp, Senior Consultant at Sarpedon Quality Lab LLC and former Principal Program Manager for SQL Auditing at Microsoft and contributor to security compliance requirements for the U.S. Department of Defense.<\/p>\n<\/div><\/section>\r\n\r\n<div  class='hr av-baku8u-c77559299fb7cb036a9bcb2d27e7c839 hr-default  avia-builder-el-2  el_after_av_textblock  el_before_av_social_share '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-social-sharing-box av-5n5vpa-78ffdd9d224b4a246af65bdc00dce900 av-social-sharing-box-default  avia-builder-el-3  el_after_av_hr  el_before_av_hr  av-social-sharing-box-fullwidth'><div class=\"av-share-box\"><h5 class='av-share-link-description av-no-toc '>Share article<\/h5><ul class=\"av-share-box-list noLightbox\"><li class='av-share-link av-social-link-facebook' ><a target=\"_blank\" aria-label=\"Share on Facebook\" href=\"https:\/\/www.facebook.com\/sharer.php?u=https:\/\/andreas-wolter.com\/en\/202507_recommended_security_auditing_databases_sql_server\/&#038;t=Recommendation%20for%20Security%20Auditing%20for%20databases%20%E2%80%93%20with%20example%20for%20Microsoft%20SQL%20Server\" aria-hidden=\"false\" data-av_icon=\"\ue8f3\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Facebook\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Facebook<\/span><\/a><\/li><li class='av-share-link av-social-link-twitter' ><a target=\"_blank\" aria-label=\"Share on Twitter\" href=\"https:\/\/twitter.com\/share?text=Recommendation%20for%20Security%20Auditing%20for%20databases%20%E2%80%93%20with%20example%20for%20Microsoft%20SQL%20Server&#038;url=https:\/\/andreas-wolter.com\/en\/?p=6952\" aria-hidden=\"false\" data-av_icon=\"\ue8f1\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Twitter\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Twitter<\/span><\/a><\/li><li class='av-share-link av-social-link-linkedin' ><a target=\"_blank\" aria-label=\"Share on LinkedIn\" href=\"https:\/\/linkedin.com\/shareArticle?mini=true&#038;title=Recommendation%20for%20Security%20Auditing%20for%20databases%20%E2%80%93%20with%20example%20for%20Microsoft%20SQL%20Server&#038;url=https:\/\/andreas-wolter.com\/en\/202507_recommended_security_auditing_databases_sql_server\/\" aria-hidden=\"false\" data-av_icon=\"\ue8fc\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on LinkedIn\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on LinkedIn<\/span><\/a><\/li><\/ul><\/div><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-4ofg9q-c2108540b480aba02923089240a3a176\">\n#top .hr.hr-invisible.av-4ofg9q-c2108540b480aba02923089240a3a176{\nheight:50px;\n}\n<\/style>\n<div  class='hr av-4ofg9q-c2108540b480aba02923089240a3a176 hr-invisible  avia-builder-el-4  el_after_av_social_share  el_before_av_comments_list '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-buildercomment av-284ftq-f5a1564cd6b8ffad6ce835e2d40de4b7  av-blog-meta-author-disabled av-blog-meta-html-info-disabled'><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":6948,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[380,206],"class_list":["post-6952","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","tag-auditing","tag-sql-security"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=6952"}],"version-history":[{"count":11,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6952\/revisions"}],"predecessor-version":[{"id":6965,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6952\/revisions\/6965"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/6948"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=6952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=6952"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=6952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}