Comments
3 comments
-
This is part of Microsoft Defender - Advanced Threat Protection, which can be extended to on-premise SQL Servers. I was able to filter this out in Redgate SQL Monitor by going to Setting, then Alert settings, and adding a filter in “Exclude Queries that contain sql commands or objects matching the following regular expressions.” There I entered the object sys.fn_MSxe_read_event_stream. This did the trick.
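An added example, not part of the comment above and not Redgate's or Microsoft's code: it compares the object name entered as-is with a pattern anchored to the exact statement quoted in the question, to show how much each would exclude from alerting. Python's `re` stands in for the monitor's regex engine and the filter is assumed to be applied to the full query text (both assumptions); the sample queries are constructed.

```python
import re

# The statement reported in the question, as the monitor displays it.
DEFENDER_QUERY = ("(@source nvarchar(256))SELECT type, data "
                  "FROM sys.fn_MSxe_read_event_stream (@source, 0)")

# Object name entered as-is: the '.' is an unescaped wildcard and nothing is
# anchored, so any query text that merely contains the name is excluded too.
LOOSE = re.compile(r"sys.fn_MSxe_read_event_stream")

# Whole statement only: literal dot, anchored, whitespace and case tolerant.
STRICT = re.compile(
    r"^\s*\(@source\s+nvarchar\(256\)\)\s*SELECT\s+type\s*,\s*data\s+FROM\s+"
    r"sys\.fn_MSxe_read_event_stream\s*\(\s*@source\s*,\s*0\s*\)\s*;?\s*$",
    re.IGNORECASE,
)

# Constructed query texts a monitor might capture.
SAMPLES = {
    "defender": DEFENDER_QUERY,
    "defender_reformatted": "(@source nvarchar(256))\nselect type, data\n"
                            "from sys.fn_MSxe_read_event_stream(@source, 0)",
    "adhoc_join": "SELECT o.name, x.data FROM sys.objects AS o CROSS JOIN "
                  "sys.fn_MSxe_read_event_stream(N'audit', 0) AS x",
    "underscore_table": "SELECT * FROM dbo.sys_fn_MSxe_read_event_stream_archive",
    "unrelated": "SELECT * FROM dbo.Orders WHERE total > 100",
}


def excluded(pattern, query_text):
    """True if the exclusion pattern would drop this query from alerting."""
    return pattern.search(query_text) is not None


def compare(samples):
    """Map each sample name to (excluded_by_loose, excluded_by_strict)."""
    return {name: (excluded(LOOSE, q), excluded(STRICT, q))
            for name, q in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLES).items():
        print(f"{name:22} loose={loose!s:5} strict={strict}")
```

The loose pattern also silences the two constructed long-running queries that only mention the function or a similarly named table, while the anchored pattern excludes nothing but the Defender statement.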
-
From what I can tell, this is related to new background telemetry or auditing behavior from Microsoft Defender, and unfortunately, it appears to run indefinitely, skewing Redgate Monitor’s reporting. All of our monitored SQL Servers now show a "blue" subway surfers status due to this query being flagged, which prevents us from seeing a clean "green" status even when everything else is healthy.
-
Yes, I’ve noticed the same issue recently across several monitored instances. It seems like Microsoft Defender’s integration with Extended Events is introducing this long-running system query, which unfortunately gets flagged in Redgate Monitor as a performance concern—even though it’s harmless in most cases.
Redgate doesn’t currently offer a native way to exclude specific system queries from triggering alerts or status changes, but I’ve seen some users work around this by adjusting custom alert thresholds or creating a filter using Redgate’s API (though it’s not ideal). Hopefully, Microsoft or Redgate provides a cleaner solution soon.
Interesting how background system behavior like this can skew monitoring tools—sometimes I just step away from it all with a quick mobile gaming break to reset my brain.
Would be great to hear how others are handling this too.
Microsoft Defender for SQL is issuing a perpetual query showing in Redgate Monitor as a long running query across all SQL Servers in Redgate Monitor. The query is: (@source nvarchar(256))SELECT type, data FROM sys.fn_MSxe_read_event_stream (@source, 0).
I believe this is new functionality being pushed out by Microsoft for those using Defender. The issue is that all SQL Servers now show blue because of this long running query. So this is causing unexpected results, as the Redgate Monitor SQL Server will likely never show Green status again unless this can be ignored.
Has anyone encountered this issue? I'm hoping to be able to filter or ignore this query as I cannot turn off MS Defender.