How to get audit details from sys.fn_get_audit_file, sys.dm_audit_class_type_map and sys.dm_audit_actions ?

Hi,

I want to extract audit details by using following dmvs

SELECT distinct event_time, succeeded, server_principal_name, database_name, object_name, statement,fng.action_id ,da.name,fng.class_type

FROM sys.fn_get_audit_file('C:\Audit*.sqlaudit', DEFAULT, DEFAULT) fng

join sys.dm_audit_class_type_map dc on dc.class_type = fng.class_type

join sys.dm_audit_actions da on da.action_id = fng.action_id and da.class_desc = dc.class_type_desc

order by event_time desc

There is an event whose action_id = 'CR' and class_type = 'SU'

If we execute query, select * from sys.dm_audit_class_type_map where class_type = 'SU' we will get the following result

then if we check the above class_type_desc in sys.dm_audit_actions this does not exists

SELECT * FROM sys.dm_audit_actions

where

action_id in ('CR')

and class_desc in ('SQL USER')

Instead of SQL USER it has class_des = 'USER'

due to this data not matching and query does not return results. Either they need to change the data in class_desc column and add another column "Class_type" in sys.dm_audit_actions.