Let's have a look at the Azure Virtual Machine Change Tracking extension/solution, which allows you to view guest-related OS changes within your Virtual Machine from Azure. If required, this data can be used to alert on various changes within your Virtual Machine environment.
What can be tracked?
Currently, the following change-types can be tracked within the Change Tracking Solution:-
- Windows Software
- Linux Software (packages)
- Windows and Linux Files
- Windows Registry Keys
- Windows Services
- Linux daemons
These types of changes can be viewed within the Change Tracking dashboard in Azure. In this blog I will detail how they can be viewed and possible ways you can alert on certain changes.
What is required to set up?
Along with the required Virtual Machines, you will also need:-
- Automation Account
- Log Analytics Workspace
Change tracking Solution Configuration
In my example, I will show how to set up the configuration on a single Virtual Machine (VM). If you have multiple Virtual Machines you want to onboard with this solution – I recommend these two guides
Within your selected Virtual Machine, select Operations -> Change Tracking
Follow the on-screen process and, once set up, you will have a similar setup to:-
Within this, you can then view various changes on the Virtual Machine. In my example above you can see the “Windows update” Windows service had been modified; if you select it, it will drill down into further details, showing its values before and after!
Change Tracking is a great tool that also allows you to create multiple alerts from the Log Analytics data that you are producing.
This is an example of configuration changes within the last 24 hours for any Virtual Machines that have Change Tracking enabled.
From the query output, you can see the Windows update changes that were mentioned above.
I recommend enabling Change Tracking for a couple of Virtual Machines to get a feel for the user interface and how powerful it can be for troubleshooting, and even to assist with investigating any potential malicious activity that may be happening on any Virtual Machines within your environment. Along with this, you now have full auditability of any VM from within the Azure Portal in relation to VM change tracking.
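A query of this kind, added here as an example and not the one from the original post: it lists Windows service changes from the last 24 hours with their values before and after, which makes it a usable base for a log alert rule. It assumes the standard ConfigurationChange table and its Svc* columns in the Log Analytics workspace linked to Change Tracking.

```kusto
// Added example (not from the original post).
// Assumes the ConfigurationChange table populated by Change Tracking.
ConfigurationChange
| where TimeGenerated > ago(24h)
// Only Windows service changes; drop this filter to see every change type.
| where ConfigChangeType == "WindowsServices"
// Flag what actually changed so an alert can key on it.
| extend StateChanged   = SvcState != SvcPreviousState,
         StartupChanged = SvcStartupType != SvcPreviousStartupType
| where StateChanged or StartupChanged
// Show before/after values side by side, as the portal drill-down does.
| project TimeGenerated, Computer, SvcName, SvcDisplayName, ChangeCategory,
          SvcPreviousState, SvcState,
          SvcPreviousStartupType, SvcStartupType
| order by TimeGenerated desc
```

Narrowing the result with a filter on SvcName or Computer before saving it as an alert rule keeps routine service restarts from generating noise.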