Edit

Share via

About Azure Change Tracking and Inventory

This article provides an overview of Azure Change Tracking and Inventory by using the Azure Monitor Agent (AMA). This article also includes the key features and benefits of the service.

What is Change Tracking and Inventory

Change Tracking and Inventory enhances the auditing and governance for in-guest operations by monitoring changes and providing detailed inventory logs for servers across Azure, on-premises, and other cloud environments.

Important

We recommend that you use Change Tracking and Inventory with the Change Tracking extension version 2.20.0.0 or later.

Change tracking

  • Monitors changes, including modifications to files, registry keys, software installations, and Windows services or Linux daemons.
  • Provides detailed logs of what and when the changes were made so that you can quickly detect configuration drifts or unauthorized changes.
    Change tracking metadata gets ingested into the ConfigurationChange table in the connected Log Analytics workspace. For more information, see ConfigurationChange.

Note

Change Tracking and Inventory data is logged for both system-level and user-level applications. System-level data is always logged, but user-level applications appear only when a user signs in to a machine. If the user signs out, those applications are marked as Removed.

Inventory

  • Collects and maintains an updated list of installed software, operating system details, and other server configurations in linked Log Analytics workspaces.
  • Helps create an overview of system assets, which is useful for compliance, audits, and proactive maintenance.
  • Ingests inventory metadata into the ConfigurationData table in the connected Log Analytics workspace. For more information, see ConfigurationData.

Key benefits of Azure Change Tracking and Inventory

Here are the key benefits:

  • Compatibility with the unified monitoring agent: Is compatible with the AMA that enhances security and reliability and facilitates multi-homing experience to store data.
  • Compatibility with tracking tool: Is compatible with the Change Tracking extension deployed through the Azure Policy on the client's virtual machine (VM). You can switch to the AMA, and then the Change Tracking extension pushes the software, files, and registry to the AMA.
  • Multi-homing experience: Provides standardization of management from one central workspace. You can transition from Azure Monitor Logs to the AMA so that all VMs point to a single workspace for data collection and maintenance.
  • Rules management: Uses data collection rules to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.

For information on supported operating systems, see Support matrix and regions for Change Tracking and Inventory.

Enable Azure Change Tracking and Inventory

You can enable Change Tracking and Inventory in the following ways:

  • Azure Arc-enabled servers (non-Azure machines): In the Azure portal, on the Change Tracking and Inventory Center | Machines pane, select Policy > Definition Type > Category > Change Tracking and Inventory. Under Initiative, select Enable Change Tracking and Inventory for Arc-enabled virtual machines. To enable Change Tracking and Inventory at scale, use the deploy-if-not-exists (DINE) policy-based solution. For more information, see Quickstart: Enable Azure Change Tracking and Inventory.
  • Single Azure VM: In the Azure portal, select the VM from the Virtual machines pane. This scenario is available for Linux and Windows VMs.
  • Single and multiple Azure VMs: In the Azure portal, select the VMs from the Virtual machines pane.

Track file changes

For tracking changes in files on both Windows and Linux, Change Tracking and Inventory uses SHA256 hashes of the files. The feature uses the hashes to detect if changes were made since the last inventory.

Track file content changes

With Change Tracking and Inventory, you can view the contents of a Windows or Linux file. For each change to a file, Change Tracking and Inventory stores the contents of the file in an Azure Storage account. When you track a file, you can view its contents before or after a change. You can view the file content either inline or side by side. For more information, see Tutorial: Change a workspace and configure data collection rule.

Screenshot of viewing changes in a Windows or Linux file.

Track registry keys

Change Tracking and Inventory allows monitoring of changes to Windows registry keys. When you use monitoring, you can pinpoint extensibility points where non-Microsoft code and malware can activate. The following table lists preconfigured (but not enabled) registry keys. To track these keys, you must enable each one.

Registry key Purpose
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup Monitors scripts that run at startup.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown Monitors scripts that run at shutdown.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run Monitors keys that are loaded before the user signs in to the Windows account. The key is used for 32-bit applications running on 64-bit computers.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components Monitors changes to application settings.
HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers Monitors context menu handlers that hook directly into Windows Explorer and usually run in-process with explorer.exe.
HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers Monitors copy hook handlers that hook directly into Windows Explorer and usually run in-process with explorer.exe.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers Monitors for icon overlay handler registration.
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers Monitors for icon overlay handler registration for 32-bit applications running on 64-bit computers.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Monitors for new browser helper object plugins for Internet Explorer. Used to access the Document Object Model (DOM) of the current pane and to control navigation.
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Monitors for new browser helper object plugins for Internet Explorer. Used to access the DOM of the current pane and to control navigation for 32-bit applications running on 64-bit computers.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions Monitors for new Internet Explorer extensions, such as custom tool menus and custom toolbar buttons.
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions Monitors for new Internet Explorer extensions, such as custom tool menus and custom toolbar buttons for 32-bit applications running on 64-bit computers.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Monitors 32-bit drivers associated with wavemapper, wave1 and wave2, msacm.imaadpcm, .msadpcm, .msgsm610, and vidc. Similar to the [drivers] section in the system.ini file.
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 Monitors 32-bit drivers associated with wavemapper, wave1 and wave2, msacm.imaadpcm, .msadpcm, .msgsm610, and vidc for 32-bit applications running on 64-bit computers. Similar to the [drivers] section in the system.ini file.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls Monitors the list of known or commonly used system DLLs. Monitoring prevents people from exploiting weak application directory permissions by dropping in Trojan horse versions of system DLLs.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify Monitors the list of packages that can receive event notifications from winlogon.exe, the interactive sign-in support model for Windows.

Related content

  • Last updated on