Queries for the ConfigurationChange table
Stopped Windows services
Find all Windows services with automatic startup that went from running to stopped in the last 30 minutes.
// To create an alert for this query, click '+ New alert rule'
ConfigurationChange // relies on the Change Tracking solution
| where ConfigChangeType == "WindowsServices" and SvcChangeType == "State"
| where SvcPreviousState == "Running" and SvcState == "Stopped"
| where SvcStartupType == "Auto" and TimeGenerated > ago(30m)
Software changes
Lists software changes sorted by time (newest first).
ConfigurationChange
| where ConfigChangeType == "Software"
| sort by TimeGenerated desc
Service changes
Lists service changes sorted by time (newest first).
ConfigurationChange
| where ConfigChangeType == "Services"
| sort by TimeGenerated desc
Software change type per computer
Count software changes by computer.
ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by Computer
Stopped services
Lists stopped service changes sorted by time (newest first).
ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
Software change count per category
Count software changes by change category.
ConfigurationChange
| where ConfigChangeType == "Software"
| summarize AggregatedValue = count() by ChangeCategory
Removed software changes
Shows change records for removed software.
ConfigurationChange
| where ConfigChangeType == "Software" and ChangeCategory == "Removed"
| order by TimeGenerated desc