Solomon Rutzky tries to reverse engineer the action_id values used in SQL Server audits:
This post is, for the most part, a continuation of Server Audit Mystery 1: Filtering class_type gets Error Msg 25713. In that post I was trying to filter on the
class_typefield / predicate source (i.e. the object, or whatever, that the event is on). The tricky part was thatclass_typeis supposed to be filterable on string values such asUfor “User Table”,Pfor “Stored Procedure”, etc. But, the reality is that it has to be filtered using numbers, and that list does not seem to be documented anywhere. Fortunately, I was able to find the list of possible numbers, so all is well with regards toclass_type.When it comes to the
action_idfield, however, we are not so lucky. It, too, should be filterable on the string codes that are returned bysys.database_audit_specification_detailsandsys.fn_get_audit_file. But, just likeclass_type, only numbers can be used for filtering. And, likeclass_type, that list of numbers does not seem to be documented anywhere. But, unlikeclass_type, I cannot find any list of numbers (in SQL Server) that corresponds to the available actions. I did find a list of statements by looking at Extended Events info (since Audits use Extended Events):SELECT * FROM sys.dm_xe_map_values WHERE [name] = N'statement_type';but it wasn’t the correct list. So, this means that I have to go hunting for these values the even-harder way
Read on for some fun with binary tree search.