DETECT-6

USE [master];
GO

-- aim events to the Application log
CREATE SERVER AUDIT [Audit_RBAC_Admins_Additions]
TO APPLICATION_LOG 
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- turn on the server audit
ALTER SERVER AUDIT [Audit_RBAC_Admins_Additions]
WITH (STATE = ON);
GO

USE [CM_XXX];  -- Replace XXX w/ SCCM database name
GO

-- track additions to RBAC_Admins
CREATE DATABASE AUDIT SPECIFICATION [DBAudit_RBAC_Admins_Additions]
FOR SERVER AUDIT [Audit_RBAC_Admins_Additions]
ADD (INSERT ON dbo.RBAC_Admins BY PUBLIC)
WITH (STATE = ON);
GO

Audit event: audit_schema_version:1
event_time:2024-10-23 03:11:01.1300947
sequence_number:1
action_id:IN  
succeeded:true
is_column_permission:false
session_id:64
server_principal_id:268
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:1597248745
user_defined_event_id:0
transaction_id:219732354
class_type:U 
duration_milliseconds:0
response_rows:0
affected_rows:0
client_ip:10.1.0.201
permission_bitmask:00000000000000000000000000000008
sequence_group_id:C48FC797-C20A-488D-83F6-F23EA8B17687
session_server_principal_name:APERTURE\ATLAS$
server_principal_name:APERTURE\atlas$
server_principal_sid:0105000000000005150000007d2e52aa5ad54377c5fc12f35c040000
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:P-BODY
database_name:CM_PS1
schema_name:dbo
object_name:RBAC_Admins
statement:INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite) SELECT 0x0105000000000005150000007D2E52AA5AD54377C5FC12F357040000, 'APERTURE\testsubject1', 0, 0, '', '', '', '', 'ps1' WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = 'APERTURE\testsubject1' )
additional_information:
user_defined_information:
application_name:sVVsXNEb
connection_id:E26F1BB6-1A98-488B-ADDF-7B7C19FA1BB4
data_sensitivity_information:
host_name:UVJyJtIi
.