OMS Query – Patching Status for Meltdown and Spectre

This is a short article to show you how to use OMS Log Analytics to query the status of patches on Microsoft Windows Server platforms.

Please note: Official guidance and advice can be found here: "Protect your Windows devices against Spectre and Meltdown". This article is just one example of how to monitor patch status using the super cool OMS Log Analytics tools.

If you have not used OMS or Log Analytics it is well worth spending some time investigating.  You have the option of paid, trial and free tiers and a whole range of interesting preconfigured packs to play with.

Where Log Analytics gets interesting is when you start to increase the amount of information you are gathering and then use custom queries to dig for information, provide proactive notifications and automated actions, and train and develop models to display insights into your environment. Just imagine a machine learning model applied to data from your syslog server to map out network activity and threats.

For this article I am assuming that you already have OMS enabled and are collecting data but may never have looked into Log Analytics. You’ve probably clicked the Advanced Analytics button a few times and made some progress or gone “Whoa dude, strange things are afoot at the Circle K!” (The last bit might just be me :-))

Let's get cracking:

Head to your OMS Workspace that hosts the Log Analytics service for the VMs you want to monitor. At this stage it's worth noting that there are a number of architectural options when considering your OMS Workspace design. This article does not go into the patterns you can adopt, but as long as you have some on-premises VMs being monitored and their data being collected you'll be able to continue.

Select Log Search and then open up Advanced Analytics and “Hold On!”

When the Advanced Analytics page has loaded, open a new tab and paste in the query you need for the results you are after. To test it, select Run.

The query you are looking to run is built on the Update data, so the Update table needs to be your first input. You then extract data from there and narrow it down to what you are looking for. Once narrowed down you need to decide how you want the data displayed; this is your summary. Finally, all of this information is placed into a table.

If this is the very first time you have tried a free-form query, try the top-most line (the table name) on its own first. It's likely you will get a lot of records, but you will see all the data and then be able to narrow it down to what you are after.

I have copied the query below for you to use. As always, if you know a better way of doing things please share; I'd certainly be interested!

Update
// the two January 2018 KBs referenced in this article
| where KBID == "4056898" or KBID == "4056890"
| where UpdateState == "Installed" or UpdateState == "Needed"
// keep only the latest record per computer and update
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| summarize dcount(Computer) by Computer, UpdateState
| render table
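As an added example (not part of the original article), the same approach can be taken one step further to list each computer with the latest reported state of the two KBs above and how stale that report is. Column names are those of the OMS Update table; the let-bound list name and the derived column names are my own.

```kql
// Added example, not the article's query. Assumes the OMS Update table with
// its standard columns (Computer, KBID, UpdateState, TimeGenerated, ...).
let MeltdownSpectreKBs = dynamic(["4056898", "4056890"]);
Update
| where KBID in (MeltdownSpectreKBs)
| where UpdateState in ("Installed", "Needed")
// one row per computer and update: the most recent report wins
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
// how long ago the agent last reported this update's state
| extend ReportAgeHours = datetime_diff("hour", now(), TimeGenerated)
| project Computer, OSType, KBID, Title, UpdateState, RebootBehavior, TimeGenerated, ReportAgeHours
// machines still needing the patch float to the top
| order by UpdateState desc, Computer asc
// Fleet totals instead of a per-computer list: replace the project/order lines with
// | summarize Needed = countif(UpdateState == "Needed"), Installed = countif(UpdateState == "Installed") by KBID
```

A high ReportAgeHours on a row marked Needed usually means the agent has stopped reporting rather than that the patch is still missing, so check the Heartbeat data for that computer before chasing it.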

Disclaimer:  Please note although I work for Microsoft the information provided here does not represent an official Microsoft position and is provided as is.