Queries for the ConfigurationChange table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Stopped Windows services

Find all windows services that stopped in the last 30 minutes.

// To create an alert for this query, click '+ New alert rule'
ConfigurationChange  // (relies on the Change Tracking solution): 
| where ConfigChangeType == "WindowsServices" and SvcChangeType == "State"
| where SvcPreviousState == "Running" and SvcState == "Stopped"
| where SvcStartupType == "Auto" and TimeGenerated > ago(30m)

Software changes

Lists software changes sorted by time (newest first).

ConfigurationChange
| where ConfigChangeType == "Software"
| sort by TimeGenerated desc

Service changes

Lists service changes sorted by time (newest first).

ConfigurationChange
| where ConfigChangeType == "Services"
| sort by TimeGenerated desc

Software change type per computer

Count software changes by computer.

ConfigurationChange 
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by Computer

Stopped services

Lists stopped service changes sorted by time.

ConfigurationChange 
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped" 
| sort by TimeGenerated desc

Software change count per category

Count software changes by change category.

ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by ChangeCategory

Removed software changes

Shows change records for removed software.

ConfigurationChange
| where ConfigChangeType == "Software" and ChangeCategory == "Removed"
| order by TimeGenerated desc