GeraldPerkins-5579 asked AnshulKumarMINDTREELIMITED-5501 commented

How do I eliminate the High Severity alert regarding high volume data extraction for my SQL Server instance?

I receive a High Severity alert which reads "Someone has extracted an unusual amount of potentially sensitive data from your SQL server xxxx".
Normally, the application executing the query returns a few rows but it is acceptable that the client requests a significant number of rows, which triggers this alert.
I cannot find this alert in https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/security-center/alerts-reference.md
I wouldn't mind if this was a "low" or "moderate" alert which didn't frighten those who view it.
Is it possible to tweak something in the Advanced Threat Protection for SQL Server? Can this alert be removed?
THANKS!

azure-sql-database, azure-security-center

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.


1 Answer

TomPhillips-1744 answered GeraldPerkins-5579 commented

This is an Azure message, not a SQL Server message. Your question would be better answered on the Azure forum.

See "PREVIEW - Unusual amount of data extracted from a Cosmos DB account":

https://docs.microsoft.com/en-us/azure/security-center/alerts-reference


Thanks Tom. I have seen the reference re' Cosmos DB account. It references the error severity as "medium". The email which we received declares the error severity to be "high". If, however, I find the alert in the Azure Security Center console, it informs me the error severity is "informational".
I'm good with informational but red flags are waved when my manager gets an email with a SQL Server data extraction error with severity of "high".
In fact, the data extraction was valid user processing.
I would like to know how to mediate the error level being reported or toggle the security alert limit for rows retrieved. Are either of these alternatives possible?
THANKS!
