Assume that you set up a Microsoft SQL Server audit to have a server audit specification that uses the DATABASE_CHANGE_GROUP event. When a user runs RESTORE VERIFYONLY on a database backup file, the CREATE DATABASE permission is logged to the Audit log.
The CREATE DATABASE permission is required to run RESTORE VERIFYONLY. When that permission is checked, a corresponding event is logged to the Audit log for the DATABASE_CHANGE_GROUP audit specification.
To work around this issue, use a query such as the following to filter the Audit log records that are related to running RESTORE VERIFYONLY:
select * from fn_get_audit_file('C:\path\to\file.sqlaudit', default, default) where statement NOT LIKE '%RESTORE VERIFYONLY%'
Microsoft has confirmed that this is an issue in the Microsoft products that are listed in the "Applies to" section.