This article provides an overview of Azure Change Tracking and Inventory (CTI) using Azure Monitor Agent (AMA). This article also includes the key features and benefits of the service.
What is Change Tracking and Inventory
The Azure CTI service enhances auditing and governance for in-guest operations by monitoring changes and providing detailed inventory logs for servers across Azure, on-premises, and other cloud environments.
Important
We recommend that you use Azure CTI with the Change tracking extension version 2.20.0.0 or later.
Change Tracking:
- Monitors changes, including modifications to files, registry keys, software installations, and Windows services or Linux daemons.
- Provides detailed logs of what and when the changes were made, enabling you to quickly detect configuration drifts or unauthorized changes.
Change Tracking metadata is ingested into the ConfigurationChange table in the connected Log Analytics (LA) workspace.
Note
Azure CTI data is logged for both system-level and user-level applications. System-level data is always logged, but user-level applications appear only when a user logs into a machine; if the user logs out, those applications are marked as Removed.
Inventory:
- Collects and maintains an updated list of installed software, operating system details, and other server configurations in the linked LA workspace.
- Helps create an overview of system assets, which is useful for compliance, audits, and proactive maintenance.
- Inventory metadata is ingested into the ConfigurationData table in the connected LA workspace.
Key benefits of Azure Change Tracking and Inventory
Here are the key benefits:
- Compatibility with the unified monitoring agent – Compatible with the Azure Monitor Agent, which enhances security and reliability and facilitates a multi-homing experience for storing data.
- Compatibility with tracking tool – Compatible with the Change Tracking (CT) extension deployed through Azure Policy on the client's virtual machine. You can switch to AMA, and then the CT extension pushes the software, file, and registry data to AMA.
- Multi-homing experience – Provides standardization of management from one central workspace. You can transition from Log Analytics (LA) to AMA so that all VMs point to a single workspace for data collection and maintenance.
- Rules management – Uses Data Collection Rules to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.
For information on supported operating systems, see support matrix and regions for Azure CTI.
Enable Azure Change Tracking and Inventory
You can enable Azure CTI in the following ways:
- For Azure Arc-enabled servers (non-Azure machines), refer to the Initiative Enable Change Tracking and Inventory for Arc-enabled virtual machines in Policy > Definitions > Select Category = ChangeTrackingAndInventory. To enable Azure CTI at scale, use the DINE Policy based solution. For more information, see Quickstart - Enable Azure Change Tracking and Inventory.
- For a single Azure VM from the Virtual machine pane in the Azure portal. This scenario is available for Linux and Windows VMs.
- For single and multiple Azure VMs by selecting them from the Virtual machines pane in the Azure portal.
Track file changes
For tracking changes in files on both Windows and Linux, Azure CTI uses SHA256 hashes of the files. The feature uses the hashes to detect if changes have been made since the last inventory.
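
The hash comparison described above can be sketched as follows. This is an added example, not code from the Azure CTI agent; the function names and the Added/Modified/Removed labels are assumptions chosen for illustration, and the sample files are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream the file so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def take_inventory(root):
    """Map each file path (relative to root) to its SHA256 hex digest."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            inventory[os.path.relpath(full, root)] = sha256_file(full)
    return inventory

def diff_inventories(previous, current):
    """Return {path: category} for every file whose hash state changed."""
    changes = {}
    for path, digest in current.items():
        if path not in previous:
            changes[path] = "Added"
        elif previous[path] != digest:
            changes[path] = "Modified"
    for path in previous.keys() - current.keys():
        changes[path] = "Removed"
    return changes

def demo():
    """Constructed sample: one edit, one same-bytes rewrite, one delete, one add."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("sshd_config", b"PermitRootLogin no\n")
        write("hosts", b"127.0.0.1 localhost\n")
        write("old.conf", b"x=1\n")
        before = take_inventory(root)
        write("sshd_config", b"PermitRootLogin yes\n")  # content changed
        write("hosts", b"127.0.0.1 localhost\n")        # rewritten, same bytes
        os.remove(os.path.join(root, "old.conf"))
        write("new.conf", b"y=2\n")
        return diff_inventories(before, take_inventory(root))
```

The rewritten `hosts` file does not appear in the result: a comparison based only on content hashes reports nothing when the bytes are unchanged, even though the file was written again.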
Track file content changes
Azure CTI allows you to view the contents of a Windows or Linux file. For each change to a file, Azure CTI stores the contents of the file in an Azure Storage account. When you're tracking a file, you can view its contents before or after a change. The file content can be viewed either inline or side by side.

Track registry keys
Azure CTI allows monitoring of changes to Windows registry keys. Monitoring allows you to pinpoint extensibility points where third-party code and malware can activate. The following table lists pre-configured (but not enabled) registry keys. To track these keys, you must enable each one.
| Registry Key | Purpose |
|---|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup | Monitors scripts that run at startup. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown | Monitors scripts that run at shutdown. |
| HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Monitors keys that are loaded before the user signs in to the Windows account. The key is used for 32-bit applications running on 64-bit computers. |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components | Monitors changes to application settings. |
| HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers | Monitors context menu handlers that hook directly into Windows Explorer and usually run in-process with explorer.exe. |
| HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers | Monitors copy hook handlers that hook directly into Windows Explorer and usually run in-process with explorer.exe. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers | Monitors for icon overlay handler registration. |
| HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers | Monitors for icon overlay handler registration for 32-bit applications running on 64-bit computers. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Monitors for new browser helper object plugins for Internet Explorer. Used to access the Document Object Model (DOM) of the current pane and to control navigation. |
| HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Monitors for new browser helper object plugins for Internet Explorer. Used to access the Document Object Model (DOM) of the current pane and to control navigation for 32-bit applications running on 64-bit computers. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions | Monitors for new Internet Explorer extensions, such as custom tool menus and custom toolbar buttons. |
| HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions | Monitors for new Internet Explorer extensions, such as custom tool menus and custom toolbar buttons for 32-bit applications running on 64-bit computers. |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 | Monitors 32-bit drivers associated with wavemapper, wave1 and wave2, msacm.imaadpcm, .msadpcm, .msgsm610, and vidc. Similar to the [drivers] section in the system.ini file. |
| HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 | Monitors 32-bit drivers associated with wavemapper, wave1 and wave2, msacm.imaadpcm, .msadpcm, .msgsm610, and vidc for 32-bit applications running on 64-bit computers. Similar to the [drivers] section in the system.ini file. |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls | Monitors the list of known or commonly used system DLLs. Monitoring prevents people from exploiting weak application directory permissions by dropping in Trojan horse versions of system DLLs. |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Monitors the list of packages that can receive event notifications from winlogon.exe, the interactive logon support model for Windows. |
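
One way to triage exported ConfigurationChange rows against the keys in the table, as an added example that is not part of the original article. The field names and the `Registry` value of `ConfigChangeType` are assumptions about the table schema to verify against your workspace; `WATCHED` is a subset of the table and the sample rows are constructed.

```python
# Subset of the keys from the table above; extend it with the keys you enable.
WATCHED = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
]

def norm(key):
    """Registry paths are case-insensitive; also drop trailing backslashes."""
    return key.strip().rstrip("\\").lower()

def watched_root(registry_key):
    """Return the watched key that equals or contains registry_key, else None."""
    k = norm(registry_key)
    for w in WATCHED:
        nw = norm(w)
        # Require a path boundary so ...\RunOnce does not match ...\Run.
        if k == nw or k.startswith(nw + "\\"):
            return w
    return None

def triage(rows):
    """Keep registry changes under a watched key, newest first."""
    hits = []
    for row in rows:
        if row.get("ConfigChangeType") != "Registry":
            continue
        root = watched_root(row.get("RegistryKey", ""))
        if root:
            hits.append({**row, "WatchedKey": root})
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)

# Constructed sample rows (not real telemetry).
SAMPLE = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Computer": "web01", "ConfigChangeType": "Registry", "ChangeCategory": "Added",
     "RegistryKey": r"hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\run", "ValueName": "updater"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "Computer": "web01", "ConfigChangeType": "Registry", "ChangeCategory": "Added",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "ValueName": "setup"},
    {"TimeGenerated": "2024-05-01T10:10:00Z", "Computer": "db01", "ConfigChangeType": "Registry", "ChangeCategory": "Modified",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls", "ValueName": "sample"},
    {"TimeGenerated": "2024-05-01T10:15:00Z", "Computer": "db01", "ConfigChangeType": "Files", "ChangeCategory": "Modified",
     "FileSystemPath": r"C:\Windows\System32\drivers\etc\hosts"},
    {"TimeGenerated": "2024-05-01T10:20:00Z", "Computer": "app01", "ConfigChangeType": "Registry", "ChangeCategory": "Added",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkg", "ValueName": "DllName"},
]
```

Matching is case-insensitive because the table itself mixes `Software`/`SOFTWARE` and `ShellEx`/`Shellex`, and the boundary check keeps sibling keys such as `RunOnce` out of the results for `Run`.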
Next steps
Review support matrix and regions for Azure CTI.