SQL ATP Extended Event session on On-prem SQL servers

Nama Budidi 21 Reputation points

We noticed there is an Extended Events session (SQLAdvancedThreatProtectionTraffic) created on all of our on-prem SQL servers. If we delete it or stop it, it gets re-created and restarted. I am assuming this is some kind of Azure Defender agent that is installed on all our on-prem servers? Can you guide us on where to look in the Azure portal and how to stop that service on on-prem servers?

Azure SQL Database
SQL Server

1 answer

  1. Erland Sommarskog 102.3K Reputation points

    I would assume that you have Arc-enabled your SQL Server? Or for that matter, you have Windows for Arc. If you do that, Azure Arc will automatically enrol the SQL Server instances on the machine in Arc.

    To find out in the portal, go to the Services page and search for Azure Arc. Once on that page, select All Arc Resources in the menu to the left (it's the second-highest item). This will show you a list of servers. All server names will typically appear twice, once for Windows and once for SQL Server. You see the type of service to the right in the list.

    On the menu to the left under Security you find Microsoft Defender for Cloud. I would guess this is where you need to go turn it off. (I have not tried this service myself.)

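Before changing anything in the portal, the session named in the question can be inspected on the instance itself. The following read-only T-SQL is an added example, not part of the original question or answer; it uses only the standard Extended Events catalog views and assumes the login is allowed to view server state.

```sql
-- Added example: read-only inspection of the Extended Events session
-- named in the question. Nothing here stops, alters or drops the session.
DECLARE @session sysname = N'SQLAdvancedThreatProtectionTraffic';

-- 1. Is the session defined, does it start with the instance,
--    and is it running right now?
SELECT s.name,
       s.startup_state,                                   -- 1 = starts automatically
       CASE WHEN r.name IS NULL THEN 0 ELSE 1 END AS is_running,
       r.create_time                              AS running_since
FROM sys.server_event_sessions AS s
LEFT JOIN sys.dm_xe_sessions   AS r ON r.name = s.name
WHERE s.name = @session;

-- 2. Which events does it capture, and with what filter predicate?
SELECT e.package, e.name AS event_name, e.predicate
FROM sys.server_event_sessions       AS s
JOIN sys.server_event_session_events AS e
  ON e.event_session_id = s.event_session_id
WHERE s.name = @session;

-- 3. Which extra fields (actions) are collected with each event?
SELECT e.name AS event_name, a.package, a.name AS action_name
FROM sys.server_event_sessions        AS s
JOIN sys.server_event_session_events  AS e
  ON e.event_session_id = s.event_session_id
JOIN sys.server_event_session_actions AS a
  ON a.event_session_id = e.event_session_id
 AND a.event_id         = e.event_id
WHERE s.name = @session;

-- 4. Where does the captured data go (ring buffer, file, ...)?
SELECT t.package, t.name AS target_name
FROM sys.server_event_sessions        AS s
JOIN sys.server_event_session_targets AS t
  ON t.event_session_id = s.event_session_id
WHERE s.name = @session;
```

The `running_since` value from the first query shows when the session was last started, which can be compared with the time it was last stopped or dropped by hand to confirm that something outside SQL Server is re-creating it.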