ConfigurationChange 表的查询

有关在 Azure 门户中使用这些查询的信息，请参阅 Log Analytics 教程。 有关 REST API，请参阅查询。

查找在过去 30 分钟内停止的所有 Windows 服务。

// To create an alert for this query, click '+ New alert rule'
ConfigurationChange  // (relies on the Change Tracking solution): 
| where ConfigChangeType == "WindowsServices" and SvcChangeType == "State"
| where SvcPreviousState == "Running" and SvcState == "Stopped"
| where SvcStartupType == "Auto" and TimeGenerated > ago(30m)

列出按时间排序的软件更改（最新更改先列出）。

ConfigurationChange
| where ConfigChangeType == "Software"
| sort by TimeGenerated desc

列出按时间排序的服务更改（最新更改先列出）。

ConfigurationChange
| where ConfigChangeType == "Services"
| sort by TimeGenerated desc

按计算机计算软件更改。

ConfigurationChange 
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by Computer

列出按时间排序的已停止服务更改。

ConfigurationChange 
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped" 
| sort by TimeGenerated desc

按更改类别计算软件更改。

ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by ChangeCategory

显示已删除的软件的更改记录。

ConfigurationChange
| where ConfigChangeType == "Software" and ChangeCategory == "Removed"
| order by TimeGenerated desc