Change Analysis: Find out who changed what on Azure

When managing resources in Azure, it is crucial to track changes and understand the current state of your Azure environment. Change Analysis is an invaluable tool for querying your resources to gain insights and explore changes made across your Azure subscriptions. It is now in Public Preview for everyone, so let’s dive right into it.

What is Change Analysis?

With Change Analysis it is easier to find out who initiated a change and what client was used. Using Azure Resource Graph Explorer, which is a service designed to extend Azure Resource Management, we can query changes made across subscriptions and even tenants.

  • Explore resources across multiple subscriptions.
  • Organize resources by various criteria.
  • Discover resource changes and historical configurations.
  • Assess the impact of potential changes.

How to query changes using Azure Resource Graph Explorer

Microsoft published two new tables to query:

  • resourcechanges 
  • resourcecontainerchanges

To explore changes made to your resources, you can follow these steps:

  1. Access Azure Resource Graph Explorer: Navigate to the Azure portal and open Resource Graph Explorer from the “All services” menu.
  2. Write Your Query: Use KQL to create a query that filters and selects resources based on the changes you’re interested in. The language allows you to use ‘where’, ‘summarize’, and ‘join’ clauses among others to refine your results.
  3. Run the Query: Execute the query to view the changes. For example, you might track down modifications to virtual machine sizes or changes in network security group rules.
  4. Analyse the Results: Once the query runs, analyse the results in the Azure portal or export them to CSV or JSON formats for further processing.
  5. Create Alerts for Future Changes: Use Azure Monitor to create alerts based on your query, which can notify you of specific changes as they happen.

Example query for Change Analysis:

To see changes within the last 30 days, you could write a query like this:

Kusto
resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
    targetResourceId = tostring(properties.targetResourceId),
    changeType = tostring(properties.changeType),
    changedBy = tostring(properties.changeAttributes.changedBy),
    changedByType = properties.changeAttributes.changedByType,
    clientType = tostring(properties.changeAttributes.clientType)
| where changeTime > ago(30d)
| project changeTime, targetResourceId, changeType, changedBy, changedByType, clientType
| sort by changeTime

About the query results

The Kusto Query Language (KQL) query provided in the example is designed to extract information from the resourcechanges table within Azure Resource Graph Explorer. Here’s a step-by-step explanation of what this KQL query does:

  1. resourcechanges: This specifies the table we are querying. It contains records of resource changes within Azure.
  2. | extend: This command adds new calculated columns to the result set.

    • changeTime: Converts the timestamp of when the change occurred from the properties.changeAttributes.timestamp field into a datetime.
    • targetResourceId: Converts the ID of the resource that changed into a string.
    • changeType: Converts the type of change into a string.
    • changedBy: Converts the identifier of who made the change into a string.
    • changedByType: Represents the type of identity that made the change (like User, Application, Managed Identity).
    • clientType: Converts the type of client that made the change into a string.
  3. | where changeTime > ago(30d): Filters the result to only include changes that occurred in the past 30 days.
  4. | project changeTime, targetResourceId, changeType, changedBy, changedByType, clientType: This selects specific columns to be included in the final output, effectively shaping the data set that we wish to analyze or view.
  5. | sort by changeTime: Sorts the resulting records by changeTime. Because sort by defaults to descending order, the newest changes are shown first.

The result of this query is a list of changes made to Azure resources in the last 30 days, including when each change was made, on which resource, what type of change it was, who made the change, the identity type of the changer, and through which type of client the change was effected.
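
Added example (not part of the original post): the same query narrowed to the network security group changes mentioned earlier, keeping only changes made by a user identity and adding the property-level diff. The 7-day window and the resource type filter are choices made for this example; targetResourceType, operation and changes are further fields of the resourcechanges record.

```kusto
// Added example: who changed network security groups by hand, and what changed.
resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
    targetResourceId = tostring(properties.targetResourceId),
    targetResourceType = tostring(properties.targetResourceType),
    changeType = tostring(properties.changeType),
    changedBy = tostring(properties.changeAttributes.changedBy),
    changedByType = tostring(properties.changeAttributes.changedByType),
    clientType = tostring(properties.changeAttributes.clientType),
    operation = tostring(properties.changeAttributes.operation),
    // Property bag keyed by property path; each entry holds previousValue and newValue
    changedProperties = properties.changes
// Window chosen for this example
| where changeTime > ago(7d)
// Case-insensitive match on the resource type
| where targetResourceType =~ "microsoft.network/networksecuritygroups"
// Keep user identities only; applications and managed identities are filtered out
| where changedByType =~ "User"
| project changeTime, targetResourceId, changeType, changedBy, clientType, operation, changedProperties
| sort by changeTime desc
```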

Use the query in a dashboard

To add the Kusto query to a dashboard in Azure, follow these steps to create a visual representation of your query results directly within the Azure portal:

  1. Execute the query in Azure Resource Graph Explorer:
    • Navigate to Azure Resource Graph Explorer as mentioned above.
    • Enter and run your Kusto query to ensure it returns the expected results.
  2. Pin the results to a dashboard:
    • Once you have the results from the query, look for the “Pin to dashboard” option at the top of the results pane.
    • Click on “Pin to dashboard” to create a tile with the query results.
    • You will be prompted to choose an existing dashboard to pin to or create a new dashboard. Select your preference.
  3. Configure the tile on the Dashboard:
    • After pinning, go to your dashboard by clicking “Go to dashboard” or navigate to the dashboard from “All services” > “Dashboards”.
    • Locate the newly added tile, which will display the query results.
    • You can resize or move the tile as needed by clicking and dragging the edges or the move icon.
  4. Save the query for future use:
    • Optionally, if you plan to reuse the Kusto query often, you can save it within the Azure Resource Graph Explorer for quick access in the future.
    • Click “Save” near the query window, give your query a name and description, and save it.

By following these steps, you will have successfully added your Kusto query to an Azure dashboard for ongoing monitoring of your Azure resources and changes.

Conclusion

Change Analysis is a potent tool for Azure administrators and engineers, providing deep insights through advanced querying capabilities. By leveraging the power of KQL and the extensive data provided by Azure Resource Management, you can maintain a secure, optimized, and well-governed Azure environment. Whether you’re tracking changes for compliance, security, or operational efficiency, Azure Resource Graph Explorer simplifies and accelerates the process.
