Forum Discussion
Monitor Only "Automatic" Windows Services
- Jul 30, 2020
Hi zarchi,
This is possible. Example query:
    ConfigurationChange
    | where ConfigChangeType =~ 'WindowsServices' and ChangeCategory =~ 'Modified' and SvcChangeType =~ 'State' and SvcState =~ 'Stopped' and SvcStartupType =~ 'Auto'
    | extend AggregatedValue = 1
    | summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m)

You can read more about the query I am using on my blog post. You need to set the alert on Metric measurement, greater than, threshold value 0, total breaches greater than 0. Period 5 mins, frequency 5 minutes. Aggregate on: select _ResourceId and SvcDisplayName. Usually Aggregate on is not available when you create alerts via the portal, so it is best to create it via ARM Template as I have shown in my blog post.

My advice is to always scope to specific service names as I have shown in my blog post and not to monitor all Automatic services. There are some automatic services that start and stop on certain periods, which will generate a lot of false positives and noise.
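The scoping advice in the answer above, as an added example that is not part of the original post or the blog it mentions: the same query with a service-name filter, run against constructed rows so the effect of the filter is visible. The `WatchedServices` list, the sample table name and every row value are assumptions made for illustration; `SvcName` is the service short-name column of `ConfigurationChange`.

```kusto
// Added example: constructed rows stand in for the real ConfigurationChange table.
// Assumption: the service short names below are the ones you want alerts for.
let WatchedServices = dynamic(['Spooler', 'W32Time']);
let VmA = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-a';
let VmB = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-b';
let ConfigurationChangeSample = datatable(
    TimeGenerated: datetime, _ResourceId: string, ConfigChangeType: string,
    ChangeCategory: string, SvcChangeType: string, SvcName: string,
    SvcDisplayName: string, SvcState: string, SvcStartupType: string)
[
    // Watched automatic service stopped: should raise an alert row.
    datetime(2020-07-30 10:01:00), VmA, 'WindowsServices', 'Modified', 'State', 'Spooler', 'Print Spooler', 'Stopped', 'Auto',
    // Same service reported stopped again in the same 5-minute bin: collapsed by arg_max.
    datetime(2020-07-30 10:03:00), VmA, 'WindowsServices', 'Modified', 'State', 'Spooler', 'Print Spooler', 'Stopped', 'Auto',
    // Automatic service that stops on its own schedule: noise, dropped by the name filter.
    datetime(2020-07-30 10:02:00), VmA, 'WindowsServices', 'Modified', 'State', 'gupdate', 'Google Update Service (gupdate)', 'Stopped', 'Auto',
    // Watched service on a second VM: separate alert row because _ResourceId differs.
    datetime(2020-07-30 10:04:00), VmB, 'WindowsServices', 'Modified', 'State', 'W32Time', 'Windows Time', 'Stopped', 'Auto',
    // Watched service that started, not stopped: filtered out by SvcState.
    datetime(2020-07-30 10:04:30), VmB, 'WindowsServices', 'Modified', 'State', 'Spooler', 'Print Spooler', 'Running', 'Auto',
    // Manual service stopped: filtered out by SvcStartupType.
    datetime(2020-07-30 10:02:30), VmB, 'WindowsServices', 'Modified', 'State', 'BITS', 'Background Intelligent Transfer Service', 'Stopped', 'Manual'
];
ConfigurationChangeSample   // replace with ConfigurationChange in a real workspace
| where ConfigChangeType =~ 'WindowsServices' and ChangeCategory =~ 'Modified'
    and SvcChangeType =~ 'State' and SvcState =~ 'Stopped' and SvcStartupType =~ 'Auto'
| where SvcName in~ (WatchedServices)   // scope to named services only
| extend AggregatedValue = 1
| summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m)
```

With these rows the result has two lines, Print Spooler on vm-a and Windows Time on vm-b, which is one alert instance per `_ResourceId` and `SvcDisplayName` pair in the 5-minute period.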
Stanislav_Zhelyazkov Thanks for your suggestion. It is mentioned here in this article "To use the Change Tracking and Inventory feature, you must locate all your VMs in the same subscription and region of the Automation account."
https://docs.microsoft.com/en-us/azure/automation/change-tracking
As long as it is working fine with multiple subscriptions and different locations, I am happy to enable this. 🙂
zarchi As I have said, it is not true. Here is the official issue opened for the docs: https://github.com/MicrosoftDocs/azure-docs/issues/60154
- zarchi, Aug 06, 2020, Copper Contributor
Stanislav_Zhelyazkov Thanks so much. I have enabled it and it is working fine :).