Forum Discussion
Monitor Only "Automatic" Windows Services
- Jul 30, 2020
Hizarchi ,
This is possible. Example query:
ConfigurationChange
| where ConfigChangeType =~ 'WindowsServices' and ChangeCategory =~ 'Modified' and SvcChangeType =~ 'State' and SvcState =~ 'Stopped' and SvcStartupType =~ 'Auto'
| extend AggregatedValue = 1
| summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m)
You can read more about the query I am using on my blog post. You need to set the alert on Metric measurement, greater than, threshold value 0, total breaches greater than 0. Period 5 mins, frequency 5 minutes. Aggregate on: select _ResourceId and SvcDisplayName. Usually Aggregate on is not available when you create alerts via the portal, so it is best to create it via ARM Template as I have shown in my blog post. My advice is to always scope to specific service names as I have shown in my blog post and not to monitor all Automatic services. There are some automatic services that start and stop on certain periods which will generate a lot of false positives and noise.
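As an added example (not the answer author's own query), the same detection restricted to an allow-list of service display names, which is what the answer recommends instead of alerting on every Automatic service; the three service names in the list are placeholders to be replaced with the services you actually care about.

```kql
// Added example, not from the post: alert only on a short allow-list of
// services so periodic auto-start services do not generate noise.
// The display names below are placeholders, not a recommended list.
let WatchedServices = dynamic([
    "Windows Event Log",
    "Microsoft Monitoring Agent",
    "Windows Defender Antivirus Service"
]);
ConfigurationChange
| where ConfigChangeType =~ 'WindowsServices'
    and ChangeCategory =~ 'Modified'
    and SvcChangeType =~ 'State'
    and SvcState =~ 'Stopped'
    and SvcStartupType =~ 'Auto'
// case-insensitive allow-list match on the service display name
| where SvcDisplayName in~ (WatchedServices)
// AggregatedValue is the metric column the alert rule thresholds on (> 0)
| extend AggregatedValue = 1
// one row per VM, service and 5-minute bin, keeping the latest change
| summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m)
| project TimeGenerated, _ResourceId, Computer, SvcDisplayName, SvcState, SvcStartupType, AggregatedValue
```

The alert rule still needs _ResourceId and SvcDisplayName as the Aggregate on columns so each VM and service pair fires separately, as the answer describes.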
- zarchi, Jul 30, 2020, Copper Contributor
Stanislav_Zhelyazkov Thanks so much for the response. I was thinking to use "Change Tracking" and I found its limitation where all VMs need to be in the same subscription and region as the automation account. As we have many VMs across tenants and different subscriptions, we can't use it. Is it possible to use the Kusto query?
- Jul 30, 2020
zarchi There is no such limitation. If there is, it must be in the portal-only experience. To a single workspace and automation account with change tracking enabled you can onboard VMs from multiple subscriptions under the same tenant. If you want to onboard VMs in other tenants you have to onboard them like they are on-premises VMs. I would strongly suggest using an automation account and workspace per tenant rather than onboarding multiple tenants to the same workspace and automation account, especially if the tenants are different customers.
- zarchi, Aug 03, 2020, Copper Contributor
Stanislav_Zhelyazkov Thanks for your suggestion. It is mentioned here in this article "To use the Change Tracking and Inventory feature, you must locate all your VMs in the same subscription and region of the Automation account."
https://docs.microsoft.com/en-us/azure/automation/change-tracking
As long as it is working fine with multiple subscriptions and different locations, I am happy to enable this. 🙂