Change Explorer
Product permission: changeexplorer.read (the current API is admin-gated).
Purpose
App routes: /change-explorer and /change-explorer/:tab Change Explorer collects a bounded Azure change window, classifies activity, resolves actors where possible, and saves a repeatable forensic run. AI enrichment is optional and off by default. 
Prerequisites and data sources
Prerequisites
- An ARM-capable connection with access to Activity Log/change evidence across the selected scope.
- A registered workload for workload and workload-plus-dependencies modes; tenant-wide mode requires broad subscription visibility.
- Microsoft Graph capability is optional but improves user/service-principal display-name resolution.
- A configured AI provider only for optional narrative/enrichment; deterministic analysis does not require AI.
Tabs and actions
Tabs
- Summary: headline, analyzed window, scope, severity counts, top actor/type, and insights.
- Operations: correlated operations or actor/time bursts with verb, resources, highest risk, and flags.
- Narrative: ordered story beats; if the run was deterministic, this tab offers on-demand AI enrichment.
- Timeline: chronological interactive event view.
- All Changes: virtualized searchable event grid and detail drawer.
- Security: flagged events and suspicious patterns such as public exposure, grants, secret access/change, disabled logging, removed locks, exemptions, off-hours activity, mass deletion, or potential escalation.
- Risk Insights: severity distribution and highest-risk events.
- Resources: per-resource history and available blast-radius context.
- Actors: resolved identity kind, source information where available, and activity counts.
- Technical Diff: before/after property differences for available events.
- Dependency Impact: direct/transitive dependency and blast-radius analysis available to the model.
- Compare: deltas between two saved runs.
- Export / Reports: CSV, high-risk CSV, JSON, executive/technical Markdown, RCA, ServiceNow text, validation queries, and PDF.
The surrounding Fleet view ranks workloads by latest run/risk. Cleanup supports trash, restore, and permanent purge.
Freshness and scope behavior
Freshness and retention
Each run is a fixed analysis of its recorded start/end window. Changing selectors does not rewrite the run. Runs persist until trashed and purged; trash is recoverable, purge is permanent. Raw JSON is omitted from lightweight reads and fetched when needed to keep large runs responsive.
Activity Log and Resource Graph are eventually consistent. A run performed immediately after a change may need to be repeated later. Actor resolution is best-effort and can degrade without Graph permissions.
Workflow overview
Configure an analysis
Choose workload, connection, start/end time, and scope mode:
- Workload limits analysis to direct workload resources.
- Workload + dependencies expands through the dependency model available to the app.
- Tenant-wide scans all subscriptions visible to the connection.
Enable AI only when contextual narrative/risk enrichment is valuable and approved. Start the streaming analysis and monitor collection, classification, and AI phases. The run is persisted before completion is returned.
Investigate a run
- Confirm the displayed analyzed window and scope. A stale-window banner means the saved run does not match current selectors; re-analyze instead of assuming it does.
- Start with Summary and Risk Insights, then validate high-risk events in All Changes.
- Open an event drawer. Inspect summary and technical diff; raw event JSON is loaded only on demand.
- Use Security flags as leads, not verdicts. Confirm context and expected change records.
- Review Actors. An unresolved identifier means Graph resolution was unavailable, not that the actor was anonymous.
- Inspect resource history and dependency impact before declaring blast radius.
- Pin relevant events, add notes, or hand off to investigation where the UI offers it.
- Compare against a suitable prior run and export the minimum evidence needed.
Interpretation of results
Interpretation
- Risk is triage prioritization, not proof of impact or malicious intent.
- Operations can be grouped by correlation ID or actor/time burst; grouped events are related heuristically when correlation is absent.
- Security patterns such as off-hours or first-time actor require organizational context.
- Technical diff availability depends on source evidence; absence of a before value is not proof that nothing changed.
- Dependency impact reflects the app’s known graph and cannot discover every runtime/data-plane dependency.
- AI narrative and re-scoring can be wrong. Cite underlying events and timestamps in an incident conclusion.
Exports, history, scheduling, and integrations
Exports and safety
Exports are read-only and Change Explorer never reverts Azure changes. JSON can include raw operational payloads and identifiers; handle it as sensitive evidence. CSV/Markdown summaries may omit detail, while PDF is board-oriented. Validation queries are starting points and must be reviewed before use.
Do not purge runs needed for incident, legal, or audit retention. Do not mistake a generated RCA for an approved final RCA.
Safety and limitations
Troubleshooting
| Symptom | Check |
|---|---|
| No events | Verify UTC window, selected mode/workload, Activity Log permissions, subscription visibility, and eventual consistency. |
| Banner says cached window differs | Re-analyze the current selection; do not use the cached run as if it matched. |
| Actors show unresolved IDs | Verify Graph token/consent and rerun or refresh identity context. |
| Narrative is empty | The run likely used deterministic mode; start optional AI enrichment if allowed. |
| Raw JSON is absent | Open the event’s Raw JSON section to lazy-load it; confirm the source retained it. |
| Export is too large/sensitive | Filter or use high-risk/executive output and follow evidence-handling policy. |
| Compare looks misleading | Ensure both runs use comparable scope and windows. |