Hi,
I've setup auditing (Sql Server Audit + Sql Server Audit Specification) and in the audit file I see a lot of events about Impersonation.
(90 events in a few hours).
Securable_Class_desc= User
class_type_desc= SQL User
ActionName=Impersonate
ActionContainingGroupName=DATABASE_PRINCIPAL_IMPERSONATION_GROUP
different session_id's and databases
Server_principal_name=sa
database_prinicpal_name=dbo
Target_principal_name and target_database_principal_name are always empty
How can I determine who or what is generating these events ?
thx in advance for any feedback or tips