# DemoKustoQueryLanguage.ipynb

Written by Taiob  Ali

SqlWorldWide.com

## Set up Demo

Setup section of the notebook will create:

- A resource group
- One logical SQL server
- Empty sample databases
- Create Log AnalyticsWorkspace
- Setting up an action group(Azure Alert)
- Creates a Log Alert Rule (Scheduled Query Rule type) using Kusto Query Language
- Clean up code at the end

<mark>Script can take between 5~8 minutes during my test. Mileage will vary in your case</mark>

Credit:

- [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-get-started-powershell](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-get-started-powershell)
- [https://gallery.technet.microsoft.com/scriptcenter/Get-ExternalPublic-IP-c1b601bb](https://gallery.technet.microsoft.com/scriptcenter/Get-ExternalPublic-IP-c1b601bb)

<span style="color: rgb(23, 23, 23); font-family: &quot;Segoe UI&quot;, SegoeUI, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; font-size: 16px; background-color: rgb(226, 218, 241);">PowerShell 7 and later is the recommended version of PowerShell for use with Az PowerShell on all platforms.</span>

To check the version of PowerShell running on your machine, run the following command.

If you have an outdated version, upgrade from:  
[https://github.com/PowerShell/PowerShell](https://github.com/PowerShell/PowerShell)

In [None]:
$PSVersionTable.PSVersion

Install Az Module if you do not have it.  
[https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.4.0](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.4.0)

In [None]:
Install-Module -Name Az

In [2]:
Import-Module -name Az 



Setup your Debug Preference

[https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about\_preference\_variables?view=powershell-7.1#debugpreference](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.1#debugpreference)  
This example shows the effect of `$DebugPreference` with the Continue value. The debug message is displayed and the command continues to process.

In [None]:
$DebugPreference = "Continue"
Write-Debug -Message "Hello, World"

Sign in to Azure

In [None]:
Connect-AzAccount 

If you need to see the list of your subscription

<span style="color: rgb(106, 153, 85);">$SubscriptionList=Get-AzSubscription</span><span style="color: rgb(106, 153, 85);">$SubscriptionList</span>

Use below code if you have multiple subscription and you want to use a particular one

In [None]:
Set-AzContext -SubscriptionId '18d92f52-ac34-4379-ab8b-5a5106f1c54e'

Breaking change warnings are a means for the cmdlet authors to communicate with the end users any upcoming breaking changes in the cmdlet. Most of these changes will be taking effect in the next breaking change release. 

How do I get rid of the warnings? 

To suppress these warning messages, set the environment variable 'SuppressAzurePowerShellBreakingChangeWarnings' to 'true'.

In [None]:
Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"

Declare Variables

In [None]:
# The region and resource group name
$resourceGroupName = "sqlalertdemo1"
$rgLocation = "East US"  
# Log Analytics workspace name
$workspaceName = "Sqlalertdemo2"
# The logical server name: Use a random value or replace with your own value (do not capitalize)
$sqlServerName = "sqlalertdemoserver"
# The database name
$alertDemoDatabase = "sqlalertdemodatabase"

# Set an admin login and password for your database
# The login information for the server
$adminlogin = "taiob"
#Replace with password file location
$password = Get-Content "C:\password.txt"

# The ip address range that you want to allow to access your server - change as appropriate
$ipinfo = Invoke-RestMethod http://ipinfo.io/json 
$startip = $ipinfo.ip
$endip = $ipinfo.ip 

Check if Resource group exists. If exist delete the resource group.

Create a new Resource group

In [None]:
$resGrpChk = Get-AzResourceGroup `
    -Name $resourceGroupName `
    -ev notPresent `
    -ea 0

if ($resGrpChk) {  
    #Delete resource group
    Remove-AzResourceGroup `
        -Name $resourceGroupName -Confirm   
    Write-Host 'Resource group deleted' `
        -fore white `
        -back green
}

New-AzResourceGroup `
    -Name $resourceGroupName `
    -Location "East US 2"    
Write-Host 'Resource group created' `
    -fore white `
    -back green

- Creating a Azure SQL server
- Configure server firewall rule for the server
- Create an empty database

In [None]:
New-AzSqlServer `
    -ResourceGroupName $resourceGroupName `
    -ServerName $sqlServerName `
    -Location $rgLocation `
    -SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $adminlogin, $(ConvertTo-SecureString -String $password -AsPlainText -Force))

New-AzSqlServerFirewallRule `
    -ResourceGroupName $resourceGroupName `
    -ServerName $sqlServerName `
    -FirewallRuleName "TaiobDesktop" `
    -StartIpAddress $startip `
    -EndIpAddress $endip

New-AzSqlServerFirewallRule `
    -ServerName $sqlServerName `
    -ResourceGroupName $resourceGroupName  `
    -AllowAllAzureIPs

New-AzSqlDatabase  `
    -ResourceGroupName $resourceGroupName `
    -ServerName $sqlServerName `
    -DatabaseName $alertDemoDatabase `
    -Edition "Standard" `
    -RequestedServiceObjectiveName "S0" `
    -MaxSizeBytes 10737418240 

- Create a log analytics workspace
- Enable solutions
- Setup diagonstic for the Azure SQL Database, detination to the log analytics workspace

In [None]:
#Create a log analytics workspace
New-AzOperationalInsightsWorkspace `
    -Location $rgLocation `
    -Name $workspaceName `
    -Sku Standard `
    -ResourceGroupName $resourceGroupName

# List of solutions to enable for the log analytics workspace you create above
$Solutions = "Security", "Updates", "SQLAssessment"
# Add solutions
foreach ($solution in $Solutions) {
    Set-AzOperationalInsightsIntelligencePack `
    -ResourceGroupName $resourceGroupName `
    -WorkspaceName $workspaceName `
    -IntelligencePackName $solution -Enabled $true
}

# Setting up Azure SQL Database to send diagonstic data to log analytics workspace created above
$workspaceId = (Get-AzResource -name $workspaceName).ResourceId
$databaseId = (Get-AzsqlDatabase -ServerName $sqlServerName -DatabaseName $alertDemoDatabase -ResourceGroupName $resourceGroupName).ResourceId

Make sure your subscription is registered for microsoft.insights 

If you get an error about 'not registered' read this 

[https://kasunkodagoda.com/2019/03/10/registering-azure-resource-providers-to-enable-azure-features/](https://kasunkodagoda.com/2019/03/10/registering-azure-resource-providers-to-enable-azure-features/)

In [None]:
Set-AzDiagnosticSetting `
    -WorkspaceId $workspaceId `
    -ResourceId $databaseId `
    -Enabled $True `
    -Name "sqlalertdemo"

Setting up action group to use with the alert

In [None]:
$emailaddress = 'taiob@sqlworldwide.com'
$phoneNumber = 9784272092
$emailDBA = 
New-AzActionGroupReceiver `
    -Name 'emailDBA' `
    -EmailAddress $emailaddress
$smsDBA = 
New-AzActionGroupReceiver  `
    -Name 'smsDBA' -SmsReceiver `
    -CountryCode '1' `
    -PhoneNumber $phoneNumber 
$phoneDBA = 
New-AzActionGroupReceiver `
    -Name 'phoneDBA' `
    -VoiceReceiver -VoiceCountryCode '1' `
    -VoicePhoneNumber $phoneNumber 
 
Set-AzActionGroup `
    -Name 'notifydbadeadlock' `
    -ResourceGroupName $resourceGroupName `
    -ShortName 'deadlock' `
    -Receiver $emailDBA,$smsDBA,$phoneDBA

# Retreive action group id
$actionGroupId =(Get-AzResource -name 'notifydbadeadlock').ResourceId

I am using a simple Kusto query here for demo purpose.
In production I will use this one:
```
AzureMetrics
| where ResourceProvider == "MICROSOFT.SQL"
| where TimeGenerated >=ago(60min)
| where MetricName in ('deadlock')
| parse _ResourceId with * "/microsoft.sql/servers/" Resource // subtract Resource name for _ResourceId
| summarize Deadlock_max_60Mins = max(Maximum) by Resource, MetricName
```

Creating the Azure alert

In [None]:
$source =
New-AzScheduledQueryRuleSource  `
    -Query "AzureMetrics | where MetricName == 'deadlock' "  `
    -DataSourceId $workspaceId

$schedule = 
New-AzScheduledQueryRuleSchedule `
    -FrequencyInMinutes 15 `
    -TimeWindowInMinutes 30
    
$triggerCondition = 
New-AzScheduledQueryRuleTriggerCondition `
    -ThresholdOperator  "GreaterThan" `
    -Threshold 0 
    
$aznsActionGroup = 
New-AzScheduledQueryRuleAznsActionGroup `
    -ActionGroup $actionGroupId `
    -EmailSubject "Deadlock Found" 

$alertingAction = 
New-AzScheduledQueryRuleAlertingAction `
    -AznsAction $aznsActionGroup `
    -Severity "3" `
    -Trigger $triggerCondition

New-AzScheduledQueryRule `
    -ResourceGroupName $resourceGroupName `
    -Location $rgLocation `
    -Action $alertingAction `
    -Enabled $true `
    -Description "This alert will be fired when a deadlock is found in last 30 minutes " `
    -Source $source `
    -Schedule $schedule `
    -Name "Found Deadlock Alert"

Enable the log analytics auditing policy of an Azure SQL server  

In [None]:
Set-AzSqlServerAudit `
    -ResourceGroupName $resourceGroupName `
    -ServerName $sqlServerName `
    -LogAnalyticsTargetState Enabled `
    -WorkspaceResourceId $workspaceId

Demo alert using DemoDeadlock.ipynb notebook

Clean up by removing resource group name

In [None]:
Remove-AzResourceGroup -ResourceGroupName $resourceGroupName