SQL Audting for System Admin Changes

I’d like to be able to monitor and trigger alerts for SQL sys admin changes, ie users getting promoted to Sysadmin acocunts, new users being created on SQL, password change etc.
I have configured SQL 2017 std to audit events following the Rapid 7 documentation, the data collection is working well in Insight IDR and i can see events are being recorded. Unfortunately all events being recorded appear to have the same event code 33205. I have created new users, changed password etc , Insight IDR is collecting the data however lacking any detail therefore triggering alerts would result in a lot of false positives.
Has anyone configured Insight IDR to audit SQL events that could indicate someone is tampering/hacking the DB? Can someone point me in the right direction?

Many thanks Sam