In this blog post, I am going to show you how to use Azure Log Analytics to see if a Process is or has been running on a VM. For this, we are going to use Performance Counters. This can come in handy to see if an application has been running on a server and potentially help combat data loss.
Prerequisites
The servers you want to monitor must be connected to the Azure Log Analytics Workspace you are querying against.
You will also need to add 1 Performance counter to your Azure Log Analytics Workspace Data source.
Process(*)\% Processor Time
You can follow this video on how to do that.
The Queries
So, let’s say you want to find all of your servers running Dropbox and how many instances you may have running on each server. (The server could be an RDS host, so there may be multiple logins.) The query below uses Performance counters, specifically % Processor Time with the Process object. It then only looks for an InstanceName that contains Dropbox. You could change the instance name to anything you want to check.
Perf
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where InstanceName contains "dropbox"
| summarize Running_Instances = dcount(InstanceName) by Computer

By default, this will get you what’s been running in the last 24 hours. Now say you would like to check a certain date range. The next query will help with that. Just change the StartDate and EndDate to the period you would like to check.
let StartDate = datetime("2019-06-30 22:46:42");
let EndDate = datetime("2019-07-01 00:57:27");
Perf
| where TimeGenerated between(StartDate .. EndDate)
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where InstanceName contains "DropBox"
| summarize Running_Instances = dcount(InstanceName) by Computer

So now you know Dropbox is not only installed on a server but is actively running. You can now uninstall the software from your server to help stop any potential data loss.
You could also change the contains to notcontains. This will then show you all servers not running a process. This could help you find servers not running some software you know needs to be installed like vulnerability scanning.
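A caveat for the missing-software check: a row-level notcontains filter keeps every row belonging to other processes, so a server running the process alongside anything else still shows up in the results. The query below is an added example, not part of the original post. It lists only computers that report Process counters but have no matching instance; the ProcessName and Lookback values and the LastSeen column are assumptions to adjust.

```kusto
// Added example: servers reporting Process counters with NO instance matching ProcessName.
let ProcessName = "dropbox";   // assumed value; use the process you expect to be present
let Lookback = 24h;            // assumed window; matches the default range mentioned above
Perf
| where TimeGenerated > ago(Lookback)
| where ObjectName == "Process" and CounterName == "% Processor Time"
// Count matching instances per computer instead of filtering rows out,
// so computers with zero matches stay in the result set.
| summarize Running_Instances = dcountif(InstanceName, InstanceName contains ProcessName),
            LastSeen = max(TimeGenerated)
    by Computer
| where Running_Instances == 0
| order by Computer asc
```

A server that sent no Process counters at all during the window will not appear, so a machine missing from this list is not proof the software is running on it.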
I hope you found this article helpful. If you have any questions or comments, please reach out in the comments below or via social media.
Thanks for reading.