MSSQL$RADAR
4 events across 1 channel
Event ID 15457 —
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "MSSQL$RADAR",
"guid": "",
"event_source_name": "",
"event_id": 15457,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2021-04-13T21:56:47.264690+00:00",
"event_record_id": 151004,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "mssql01.offsec.lan",
"security": {
"user_id": "S-1-5-21-4230534742-2542757381-3142984815-1111"
}
},
"event_data": {
"Data": [
"clr enabled",
"0",
"1"
],
"Binary": "YTwAAAoAAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAcAAABtAGEAcwB0AGUAcgAAAA=="
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 17115 —
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "MSSQL$RADAR",
"guid": "",
"event_source_name": "",
"event_id": 17115,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2021-02-03T15:18:22.260286+00:00",
"event_record_id": 125735,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "mssql01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"\r\n\t -s \"RADAR\"\r\n\t -m"
],
"Binary": "20IAAAoAAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAAAAAA="
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 18456 —
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "MSSQL$RADAR",
"guid": "",
"event_source_name": "",
"event_id": 18456,
"version": 0,
"level": 0,
"task": 4,
"opcode": 0,
"keywords": 40532396646334464,
"time_created": "2020-07-15T11:31:21.474283+00:00",
"event_record_id": 58857,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "mssql01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"unexisting-user",
" Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only.",
" [CLIENT: 10.23.23.9]"
],
"Binary": "GEgAAA4AAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAcAAABtAGEAcwB0AGUAcgAAAA=="
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 33205 —
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "MSSQL$RADAR",
"guid": "",
"event_source_name": "",
"event_id": 33205,
"version": 0,
"level": 0,
"task": 5,
"opcode": 0,
"keywords": 45035996273704960,
"time_created": "2020-11-24T09:14:16.167790+00:00",
"event_record_id": 113202,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "mssql01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"audit_schema_version:1\nevent_time:2020-11-24 09:14:11.6833666\nsequence_number:1\naction_id:AL \nsucceeded:true\nis_column_permission:false\nsession_id:53\nserver_principal_id:2\ndatabase_principal_id:1\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\nclass_type:DA\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:07DE5F90-9DA4-4653-AE58-F113BEAFD795\nsession_server_principal_name:OFFSEC\\admin-hacker\nserver_principal_name:OFFSEC\\admin-hacker\nserver_principal_sid:01050000000000051500000056d628fc05668f976f2456bb7b040000\ndatabase_principal_name:dbo\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSSQL01\\RADAR\ndatabase_name:RCS-TEST-db\nschema_name:\nobject_name:db-audit-spec\nstatement:ALTER DATABASE AUDIT SPECIFICATION [db-audit-spec]\r\nWITH (STATE = OFF)\nadditional_information:\nuser_defined_information:\n"
]
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx