Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Find all windows services that stopped in the last 30 minutes.
// To create an alert for this query, click '+ New alert rule'
ConfigurationChange // (relies on the Change Tracking solution):
| where ConfigChangeType == "WindowsServices" and SvcChangeType == "State"
| where SvcPreviousState == "Running" and SvcState == "Stopped"
| where SvcStartupType == "Auto" and TimeGenerated > ago(30m)
Lists software changes sorted by time (newest first).
ConfigurationChange
| where ConfigChangeType == "Software"
| sort by TimeGenerated desc
Lists service changes sorted by time (newest first).
ConfigurationChange
| where ConfigChangeType == "Services"
| sort by TimeGenerated desc
Count software changes by computer.
ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by Computer
Lists stopped service changes sorted by time.
ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
Count software changes by change category.
ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by ChangeCategory
Shows change records for removed software.
ConfigurationChange
| where ConfigChangeType == "Software" and ChangeCategory == "Removed"
| order by TimeGenerated desc