EVID 33205 : SQL Audit Event | LogRhythm Documentation

Classification

Rule Name	Rule Type	Common Event	Classification
EVID 33205 : SQL Audit Event	Base Rule	Object Operation	Other Audit Success
Table Deleted	Sub Rule	Object Deleted/Removed	Access Success
Server Role Dropped	Sub Rule	User Account Deleted	Account Deleted
Scalar Function Executed	Sub Rule	Command Executed	Access Success
Stored Procedure Executed	Sub Rule	Command Executed	Access Success
Synonym Executed	Sub Rule	Command Executed	Access Success
Security Policy Executed	Sub Rule	Command Executed	Access Success
Type Executed	Sub Rule	Command Executed	Access Success
Table Inserted	Sub Rule	Object Modified	Access Success
Index Login	Sub Rule	Login Or Logout Event Executed	Other Audit
Index Logout	Sub Rule	Session Closed	Other Audit Success
Synonym Selected	Sub Rule	Object Accessed	Access Success
Function Scalar Object Selected	Sub Rule	Object Accessed	Access Success
Tablet Selected	Sub Rule	Object Accessed	Access Success
View Selected	Sub Rule	Object Accessed	Access Success
Table Updated	Sub Rule	Object Modified	Access Success
Function Table-valued Object Selected	Sub Rule	Object Accessed	Access Success

Device Key in Log Message	LogRhythm Schema	Data Type
Name	<vendorinfo>	Text/String
Eventid	<vmid>	Number
Level	<severity>	Number
Computer	<sname>	Text/String
server_instance_name	<dname>	Text/String
server_principal_name	<login>	Text/String
target_server_principal_name	<account>	Text/String
session_id	<session>	Text/String
action_id	<sessiontype>	Text/String
database_name	<object>	Text/String
object name	<objectname>	Text/String
schema_name	<group>	Text/String
succeeded	<result>	Text/String
sequence_number	<quantity>	Number
action_id	<tag1>	Text/String
class_type	<tag2>	Text/String
database_principal_name	<tag3>	Text/String