07-07-2025 11:56 AM - edited 07-21-2025 08:51 AM
How do I configure the Azure Service Graph Connector?
Current Version: 1.12
Sample Windows VM to Monitor: WinServer2019VM
Software Asset Management Enabled (Yes\No): Yes
Enabling Software Application Data Collection from Azure VMs (Yes\No): Yes
Enabling Deep Discovery Data Collection (Yes\No): Yes - New to Version 1.12
The following topics are covered in this How do I configure the Azure Service Graph Connector? Article:
A. Installing Azure Service Graph Connector on your ServiceNow Instance
B. Configuring Azure for monitoring your Azure VMs
C. Analyze your Windows VM in Azure
D. Configuring Azure Service Graph Connector on your ServiceNow Instance
E. Run Azure Service Graph Connector Scheduled Data Import Jobs on your ServiceNow Instance
F. Analyze the CMDB Records created\updated by the Azure Service Graph Connector for your Windows VM in your ServiceNow Instance
G. When to use Azure Service Graph Connector vs Cloud Discovery
A. Installing Azure Service Graph Connector on your ServiceNow Instance
(i) Login to your ServiceNow Instance
(ii) Install the following Application from the ServiceNow Store:
Service Graph Connector for Azure: sn_sg_azure_integ
The following Applications are automatically installed\activated when you install this application:
- Discovery and Service Mapping Patterns: sn_itom_pattern
- Integration Commons for CMDB: sn_cmdb_int_util
- CMDB CI Class Model: sn_cmdb_ci_class
The following Plugins are automatically installed\activated when you install this application:
- Discovery Core: com.snc.discovery.core
- Discovery - IP Based: com.snc.discovery.ip_based
- ITOM Discovery License: com.snc.itom.discovery.license (Included with full Discovery Product)
- ITOM Licensing: com.snc.itom.license
- Pattern Designer (NG version): com.snc.ng.pattern.designer
- ServiceNow IntegrationHub Action Template: com.glide.hub.action_type.datastream
(iii) Navigate to Setup under Azure in the Filter Menu and select it to bring you to Guided Setup
(iv) Go to the Setup Run Command for extended discovery - Download the scripts section
(v) Click Configure to download an Azure Commands Zip file to your Desktop.
(vi) Unzip this Azure Commands Zip file to a folder on your Desktop to extract the following Shell Scripts. These Shell Scripts are used in the D. Configuring Azure Service Graph Connector on your ServiceNow Instance Section:
- azurePowershell.sh - Deep Discovery on Windows VMs
- azureShell.sh - Deep Discovery on Linux VMs that are on Version 2.4.0.2 or later
B. Configuring Azure for monitoring your Azure VMs
The subsections listed below describe all the setup that needs to be done in Azure before configuring and running the Azure Service Graph Connector:
- Registering Web Application in Azure
- Create Storage Containers
- Assigning Role Permissions to the Registered Web Application
- Creating Azure Log Analytics Workspace
- Creating Azure Data Collection Rules
- Assigning Azure Policy Initiatives to your Subscription
- Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on New Azure Virtual Machines, e.g. WinServer2019VM
- Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on already existing Azure Windows Virtual Machines
Registering Web Application in Azure
1. *Register Azure Service Graph Connector Application in Azure
*This step can only be performed by your Azure Administrator.
This setup involves creating a new Application Registration for the Azure Service Graph Connector in Azure so that the Azure Service Graph Connector can authenticate with Azure when accessing your Azure Resources (refer to the Azure Register a web application in Azure Active Directory B2C Documentation Page for details on how to Register a Web Application in Azure).
For the purposes of Authentication, an Application Registration is considered an Azure Service Principal (an Azure Security Identity) with assigned Permissions; Applications authenticate as this Service Principal when accessing Azure Resources.
There will be an Application (Client) ID and Directory (Tenant) ID associated with this new Application Registration that you will be providing as part of the Guided Setup step outlined in the D. Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
(i) Log into the Azure Portal using your Azure Account
(ii) Navigate to App Registrations
(iii) Click on New Registration to bring up the Register an Application Form shown below:
(iv) Provide a name, e.g. Azure Service Graph Connector, in the Name Field (to represent the Azure Service Graph Connector that will be authenticating with Azure when accessing your Azure Resources) and click on Register.
(v) Make note of the Application (Client) ID and Directory (Tenant) ID shown in the Application Registration Overview Screen for later use in the Guided Setup step outlined in the D. Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
2. *Create a Client Secret Key for the Registered Application
*This step can only be performed by your Azure Administrator
In this Step you will be creating a new Client Secret Key for your newly Registered Application, e.g. Azure Service Graph Connector. This will be provided along with the Application (Client) ID and Directory (Tenant) ID from the above step as part of the Guided Setup step outlined in the D. Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
(i) Navigate down to Certificates & Secrets under the Manage menu associated with your newly Registered Application
(ii) Click on New Client Secret to bring up the Add a Client Secret Screen
(iii) Populate the Add a Client Secret Screen:
Description Field: Populate with the Client Secret Name that you want to associate with your Client Secret.
Expires Field: Select a Menu Option from the Expires Pulldown Menu to specify when you want your Client Secret to expire.
(iv) Click on the Add Pushbutton to save your Client Secret and go back to the Certificates and Secrets Screen
(v) Make note of the Client Secret Value shown for your New Client Secret on this screen for later use in Guided Setup.
3. *Assign Delegated API Permissions to the Registered Application
*This step can only be performed by your Azure Administrator
In this Step you will be assigning the Microsoft Graph API User.Read and Log Analytics API Data.Read Delegated Permissions to your newly Registered Application, e.g. Azure Service Graph Connector (please refer to the Microsoft Understanding delegated access and Scopes and permissions in the Microsoft identity platform Documentation Pages for more details on Azure API Permissions).
(i) Navigate down to API Permissions under the Manage menu associated with your newly Registered Application
(ii) Click on Add Permission to bring up the Request API Permissions Screen
(iii) Click on the Microsoft Graph Tile shown on the Microsoft APIs Tab (the default Tab on this screen) to select the Microsoft Graph API
(iv) Click on the Delegated Permission Tile under the What type of permissions does your application require? question that is displayed to bring up the list of available Delegated Permissions for this API.
(v) Scroll down to the Users category in this list and expand it to see the list of available Permissions in this Category
(vi) Select the User.Read Delegated Permission shown under this Users Category
(vii) Click on the Add Permissions Pushbutton on this screen to add this Permission to your Registered Application e.g. Azure Service Graph Connector.
(viii) Navigate to the APIs my organization uses Tab on this same Request Permissions Screen.
(ix) Click on the Log Analytics API shown on this APIs my organization uses Tab
(x) Click on the Delegated Permission Tile under the What type of permissions does your application require? question that is displayed to bring up the list of available Delegated Permissions.
(xi) Expand the Data category shown in this list.
(xii) Select the Data.Read Delegated Permission shown under this Data Category
(xiii) Click on the Add Permissions Pushbutton on this screen to add this Permission to your Registered Application e.g. Azure Service Graph Connector.
Create Storage Containers - Deep Discovery Steps
The collection of Deep Discovery data from your Azure VMs is enabled by the Azure Run Command Feature, which runs Shell Scripts against your Azure VMs to obtain the Deep Discovery data listed below.
Note: The Azure Service Graph Connector will not collect Deep Discovery data from Azure Linux VMs older than Linux Version 2.4.0.2, because these VMs do not support the Azure Run Command Feature (please refer to the Microsoft Azure Run scripts in your Linux VM by using managed Run Commands Documentation Page for more details).
- Serial Number
- Operating System
- Manufacturer
- Model
- CPU Manufacturer
- CPU Type
- CPU Speed
- CPU Count
- CPU Core Count
- CPU Core Thread
- *Running Processes
- *TCP Connections
*For Azure Linux VMs older than Linux Version 2.4.0.2 you can enable the collection of Running Process & TCP Connection data from these VMs by following the Enabling Process & TCP Connection Data Collection steps outlined in the Azure Service Graph Connector Version 1.10 Article (a Log Analytics Workspace and the associated DependencyAgentWindows Azure Monitoring Extension are prerequisites for these steps).
Deep Discovery on your Azure VMs is performed by the Azure Service Graph Connector by executing, via the Azure Run Command Feature, the Shell Script file specific to the Operating System of each Azure VM (the Shell Scripts that you downloaded to your Desktop in step (v) of the previous A. Installing Azure Service Graph Connector on your ServiceNow Instance section).
- azurePowershell.sh - Deep Discovery on Windows VMs
- azureShell.sh - Deep Discovery on Linux VMs that are on Version 2.4.0.2 or later
You will be uploading these Shell Scripts to one of your Azure Subscriptions in step 6. Upload Script Files to the Containers in your Storage Account further down.
4. Create Storage Account
In this step you will be creating an Azure Storage Account in one of your Azure Subscriptions that will contain the two Containers below:
- Script Files Container
Contains the Shell Script Files listed above. These Shell Script Files will be executed against your Azure VMs by the Azure Run Command Feature to capture the Deep Discovery Data listed above. The Azure Run Command Feature will be initiated by the Azure Service Graph Connector SG-RunCommand Scheduled Import Job (a Scheduled Import Job that is new to Version 1.12).
- Deep Discovery Output Container
Contains the output data from the execution of the Shell Script Files against your Azure VMs, in Blob format. The data from this Output Blob will be obtained by the Azure Service Graph Connector via the SG-GetCommand Scheduled Import Job (a Scheduled Import Job that is new to Version 1.12).
(i) Navigate to Storage Accounts
(ii) Click on Create to bring up the Create a Storage Account Screen. Populate the Fields on this screen as indicated below:
Subscription Field - Populate with the Subscription that your Storage Account will be associated with.
Resource Group Field - Populate with the Resource Group that will contain your Storage Account.
Storage Account Name Field - Populate with a Name for your Storage Account e.g. deepdiscovery
Region Field - Populate with the Region that your Storage Account will be deployed in.
5. Create Containers in Storage Account
(i) Navigate to your new Storage Account e.g. deepdiscovery
(ii) Navigate to the Storage Browser Menu Option in the Left hand Navigator
(iii) Click on the Blob Containers Tile that is displayed to the right of the screen
- You are brought to the Blob Containers Screen that lists all the Blob Containers in your Storage Account
(iv) Create the Script Files Container by clicking on Add Container on this Blob Containers screen to bring up the New Container Screen
(v) Populate the Name field on this screen e.g. scriptfiles
(vi) Click on the Create pushbutton to create the new Script Files Container e.g. scriptfiles for containing the Script Files
- The list in the Blob Containers screen is updated to include the newly created Script Files Container
(vii) Create the Discovery Output Container by clicking on Add Container to bring up the New Container Screen
(viii) Populate the Name field on this screen e.g. discoutput
(ix) Click on the Create pushbutton to create the new Container e.g. discoutput for containing the Deep Discovery Output
- The list in the Blob Containers screen is updated to include the newly created Deep Discovery Output Container
6. Upload Script Files to the Containers in your Storage Account
(i) Open the newly created Script Files Container, e.g. scriptfiles, to bring up the list of files in the container. This list will be empty.
(ii) Click on the Upload Action to bring up the Upload Blob Screen
(iii) Select the azurePowershell.sh file that you downloaded in step (v) of the A. Installing Azure Service Graph Connector on your ServiceNow Instance section and click on the Upload pushbutton.
- The Container File list is updated to reflect the newly uploaded azurePowershell.sh file
(iv) Select the newly uploaded azurePowershell.sh file in this list
(v) Click on the Properties Menu option in the right hand Context Menu to bring up Properties screen for the azurePowershell.sh file.
(vi) Make a note of the URL Field on this Properties screen. You will be using this field value for populating the URI of the ps1 file which has to be run on windows machines configuration property field in the Configure Connection properties subsection of the D. Configuring Azure Service Graph Connector on your ServiceNow Instance section further down.
(vii) Select the azureShell.sh file that you downloaded in step (v) of the A. Installing Azure Service Graph Connector on your ServiceNow Instance section and click on the Upload pushbutton.
- The Container File list is updated to reflect the newly uploaded azureShell.sh file
(viii) Select the newly uploaded azureShell.sh file in this list
(ix) Click on the Properties Menu option in the right hand Context Menu to bring up Properties screen for the azureShell.sh file.
(x) Make a note of the URL Field on this Properties screen. You will be using this field value for populating the URI of the ps1 file which has to be run on linux machines configuration property field in the Configure Connection properties subsection of the D. Configuring Azure Service Graph Connector on your ServiceNow Instance section further down.
Assigning Role Permissions to the Registered Web Application
*7. Add the Reader Role associated with your Azure Subscription to Application Registration\Service Principal
*This step can only be performed by the owner of the Azure Subscription
In this step you will be assigning the Reader Role associated with the Azure Subscription containing your Azure Resources to your Application Registration\Service Principal e.g. Azure Service Graph Connector.
(i) Navigate to your Azure Subscription and open it
(ii) Navigate down to Access Control (IAM) from the Subscription Menu associated with your Subscription
(iii) Click on Add\Add Role Assignment to bring up the Add Role Assignment screen
(iv) Highlight the first Reader Role row in the Role Tab on this screen to select it.
(v) Navigate to the Member Tab and leave the Assign access to User, group, or service principal Radio Button selected as shown in the below screenshot.
(vi) Click on Select Members to bring up the Select Members Screen
(vii) Pick your newly Registered Application\Service Principal e.g. Azure Service Graph Connector as the Member to assign your Subscription Reader Role to, as shown in the below screen shot.
(viii) Click on the Select Pushbutton to save your assignment
(ix) Click on the Review + Assign Pushbutton (enabled once a Member has been selected) on the Add Role Assignment screen to add your Subscription Reader Role to your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector. This will allow your newly Registered Application\Service Principal to access the Resources in your Subscription via the User.Read API whose API Permission was granted to your Registered Application\Service Principal in step 3 above.
*8. Add the Log Analytics Contributor Role associated with your Azure Subscription to Application Registration\Service Principal
*This step can only be performed by the owner of the Azure Subscription
In this step you will be assigning the Log Analytics Contributor Role associated with the Azure Subscription containing your Azure Resources to your Application Registration\Service Principal e.g. Azure Service Graph Connector.
(i) Navigate to your Azure Subscription and open it
(ii) Navigate down to Access Control (IAM) from the Subscription Menu associated with your Subscription
(iii) Click on Add\Add Role Assignment to bring up the Add Role Assignment screen
(iv) Search for the Log Analytics Contributor Role row in the Role Tab on this screen to select it.
(v) Navigate to the Member Tab and leave the Assign access to User, group, or service principal Radio Button selected as shown in the below screen shot.
(vi) Click on Select Members to bring up the Select Members Screen
(vii) Pick your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector, as the Member to assign your Subscription Log Analytics Contributor Role to, as shown in the below screenshot.
(viii) Click on the Select Pushbutton to save your assignment
(ix) Click on the Review + Assign Pushbutton (enabled once a Member has been selected) on the Add Role Assignment screen to add your Subscription Log Analytics Contributor Role to your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector. This will allow your newly Registered Application\Service Principal to access all monitoring data associated with the Resources in your Subscription via the Log Analytics Data.Read API whose API Permission was granted to your Registered Application\Service Principal in step 3 above.
*9. Create Custom Role for Accessing Containers in Storage Account - Enabling Deep Discovery Step
In this step you will be creating a Custom Role for allowing your Application Registration\Service Principal to access the Containers in your Storage Account. This Custom Role will be created at your Azure Subscription Level Scope.
(i) Navigate to your Azure Subscription and open it
(ii) Navigate down to Access Control (IAM) from the Subscription Menu associated with your Subscription
(iii) Click on Add\Add Custom Role to bring up the Basics Tab in the Add Custom Role screen
(iv) Populate the Custom role name field on the Basics Tab with a name like e.g. AccessStorageContainer
(v) Navigate to the Permissions Tab
(vi) Click Add Permissions on the Permissions Tab to bring up the Add Permissions screen
(vii) Navigate to the Microsoft Storage (Microsoft.Storage) Tile on this Screen
(viii) Select the following permissions from this Screen and click on the Add pushbutton:
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Storage/storageAccounts/blobServices/containers/read
- Microsoft.Storage/storageAccounts/blobServices/containers/delete
- Microsoft.Storage/storageAccounts/listServiceSas/action
(ix) Click on the Add pushbutton to add these Permissions to your new Custom Role
(x) Click on Review & Create\Create to create your new Custom Role e.g. AccessStorageContainer with these Permissions.
*10. Add the Accessing Containers Custom Role to Application Registration\Service Principal - Enabling Deep Discovery Step
*This step can only be performed by the owner of the Azure Subscription
In this step you will be assigning the Accessing Containers Custom Role that you created in the previous step e.g. AccessStorageContainer to your Application Registration\Service Principal e.g. Azure Service Graph Connector.
(i) Navigate to your Azure Subscription and open it
(ii) Navigate down to Access Control (IAM) from the Subscription Menu associated with your Subscription
(iii) Click on Add\Add Role Assignment to bring up the Add Role Assignment screen
(iv) Highlight the new Accessing Containers Custom Role e.g. AccessStorageContainer row in the Role Tab on this screen to select it.
(v) Navigate to the Member Tab and leave the Assign access to User, group, or service principal Radio Button selected as shown in the below screen shot.
(vi) Click on Select Members to bring up the Select Members Screen
(vii) Pick your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector, as the Member to assign your Accessing Containers Custom Role, e.g. AccessStorageContainer, to.
(viii) Click on the Select Pushbutton to save your assignment
(ix) Click on the Review + Assign Pushbutton (enabled once a Member has been selected) on the Add Role Assignment screen to add your Accessing Containers Custom Role, e.g. AccessStorageContainer, to your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector. This will allow your newly Registered Application\Service Principal to access the Containers in your Storage Account via the Azure Service Graph Connector SG-Run Command and SG-Get Command Scheduled Import Jobs.
*11. Create Custom Role for Executing Container Script Files against your VMs - Enabling Deep Discovery Step
*This step can only be performed by the owner of the Azure Tenant
In this step you will be creating a new Custom Role, e.g. ExecuteScriptFiles, for allowing your Application Registration\Service Principal to execute the Container Script Files against your Azure VMs. This Custom Role will be created at your Azure Tenant Level Scope.
(i) Navigate to your Azure Tenant and open it
(ii) Navigate down to Access Control (IAM) from the Tenant Menu associated with your Tenant
(iii) Click on Add\Add Custom Role to bring up the Basics Tab in the Add Custom Role screen
(iv) Populate the Custom role name field on the Basics Tab with a name like e.g. ExecuteScriptFiles
(v) Navigate to the Permissions Tab
(vi) Click Add Permissions on the Permissions Tab to bring up the Add Permissions screen
(vii) Navigate to the Microsoft Compute (Microsoft.Compute) Tile on this Screen
(viii) Select the following permissions from this Screen and click on the Add pushbutton:
- Microsoft.Compute/virtualMachines/runCommands/read
- Microsoft.Compute/virtualMachines/runCommands/write
- Microsoft.Compute/virtualMachines/runCommands/delete
(ix) Click on the Add pushbutton to add these Permissions to your new Custom Role
(x) Click on Review & Create\Create to create your new Custom Role e.g. ExecuteScriptFiles with these Permissions.
*12. Add the Executing Container Script Files Custom Role to Application Registration\Service Principal - Enabling Deep Discovery Step
*This step can only be performed by the owner of the Azure Tenant
In this step you will be assigning the Executing Container Script Files Custom Role that you created in the previous step e.g. ExecuteScriptFiles to your Application Registration\Service Principal e.g. Azure Service Graph Connector.
(i) Navigate to your Azure Subscription and open it
(ii) Navigate down to Access Control (IAM) from the Subscription Menu associated with your Subscription
(iii) Click on Add\Add Role Assignment to bring up the Add Role Assignment screen
(iv) Highlight the new Executing Container Script Files Custom Role, e.g. ExecuteScriptFiles, row in the Role Tab on this screen to select it.
(v) Navigate to the Member Tab and leave the Assign access to User, group, or service principal Radio Button selected as shown in the below screen shot.
(vi) Click on Select Members to bring up the Select Members Screen
(vii) Pick your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector, as the Member to assign your Custom Role, e.g. ExecuteScriptFiles, to.
(viii) Click on the Select Pushbutton to save your assignment
(ix) Click on the Review + Assign Pushbutton (enabled once a Member has been selected) on the Add Role Assignment screen to add your Executing Container Script Files Custom Role, e.g. ExecuteScriptFiles, to your newly Registered Application\Service Principal, e.g. Azure Service Graph Connector. This will allow your newly Registered Application\Service Principal to execute the Script Files in the Containers in your Storage Account against your Azure VMs via the Azure Service Graph Connector SG-Run Command scheduled job.
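The role setup of steps 7 to 12 done with Az PowerShell instead of the portal, as an added example that is not part of the original article: it defines the two custom roles with exactly the actions listed above, assigns them (together with the built-in Reader and Log Analytics Contributor roles) to the connector's service principal, and lists the resulting assignments so the identity's reach can be reviewed. The subscription ID and tenant ID are placeholders, and it assumes the Az.Resources module and an existing Connect-AzAccount session with rights to create role definitions at both scopes.

```powershell
# Added example, not from the article: create and assign the custom roles from steps 9-12
# with Az PowerShell (Az.Resources module, Connect-AzAccount already done).
# Placeholders to replace: subscription ID, tenant ID, service principal display name.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$tenantId       = '11111111-1111-1111-1111-111111111111'   # placeholder
$spDisplayName  = 'Azure Service Graph Connector'          # name chosen in step 1

$subScope    = "/subscriptions/$subscriptionId"
# "Tenant level" in Azure RBAC is the Tenant Root Group, a management group named after the tenant ID
$tenantScope = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Writes a role definition in the JSON shape New-AzRoleDefinition -InputFile expects
# and creates it only when no role of that name exists yet.
function New-ConnectorCustomRole {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Actions,
        [Parameter(Mandatory)] [string]   $AssignableScope,
        [string] $Description = 'Custom role for the ServiceNow Service Graph Connector for Azure'
    )
    $existing = Get-AzRoleDefinition -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    $definition = [ordered]@{
        Name             = $Name
        IsCustom         = $true
        Description      = $Description
        Actions          = $Actions
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @($AssignableScope)
    }
    $file = Join-Path ([System.IO.Path]::GetTempPath()) "$Name.json"
    $definition | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding utf8
    try     { New-AzRoleDefinition -InputFile $file }
    finally { Remove-Item $file -ErrorAction SilentlyContinue }
}

# Assigns a role to the service principal at a scope, skipping assignments that already exist.
function Grant-ConnectorRole {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Scope
    )
    $current = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope -ErrorAction SilentlyContinue
    if ($current) { return $current }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope
}

$sp = Get-AzADServicePrincipal -DisplayName $spDisplayName
if (-not $sp) { throw "Service principal '$spDisplayName' not found; complete step 1 first." }

# Step 9: storage container role at subscription scope, exactly the four actions from the article.
$storageActions = @(
    'Microsoft.Storage/storageAccounts/blobServices/containers/write',
    'Microsoft.Storage/storageAccounts/blobServices/containers/read',
    'Microsoft.Storage/storageAccounts/blobServices/containers/delete',
    'Microsoft.Storage/storageAccounts/listServiceSas/action'
)
$null = New-ConnectorCustomRole -Name 'AccessStorageContainer' -Actions $storageActions -AssignableScope $subScope

# Step 11: Run Command role at tenant scope. runCommands/write lets the principal execute
# scripts on every VM within the assignment scope, so treat the client secret from step 2
# as a high-privilege credential and keep the assignment scope as narrow as the connector allows.
$runCommandActions = @(
    'Microsoft.Compute/virtualMachines/runCommands/read',
    'Microsoft.Compute/virtualMachines/runCommands/write',
    'Microsoft.Compute/virtualMachines/runCommands/delete'
)
$null = New-ConnectorCustomRole -Name 'ExecuteScriptFiles' -Actions $runCommandActions -AssignableScope $tenantScope

# Steps 7, 8, 10 and 12: all four roles assigned to the connector at subscription scope
foreach ($role in 'Reader', 'Log Analytics Contributor', 'AccessStorageContainer', 'ExecuteScriptFiles') {
    $null = Grant-ConnectorRole -ObjectId $sp.Id -RoleName $role -Scope $subScope
}

# Review what the connector's identity can now do
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Sort-Object Scope, RoleDefinitionName |
    Format-Table -AutoSize
```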
Creating Azure Log Analytics Workspace
13. Create Azure Log Analytics Workspace - Enabling Software Application Data Collection step
In this step you will be creating an Azure Log Analytics Workspace that will be used for capturing data generated by the Azure Monitoring Agent Extensions installed on the Windows VM to be monitored, e.g. WinServer2019VM. More specifically, it will be used for capturing CI Change data generated by the ChangeTracking-Windows Azure Monitoring Agent Extension. The Azure Log Analytics Workspace contains the ConfigurationData and ConfigurationChange Tables to which the ChangeTracking-Windows Extension (installed on the Windows VM) writes CI Change data, including which Software Applications are installed on the CI.
(i) Navigate to Log Analytics Workspaces in your Azure Subscription
(ii) Click Create to bring up the Create Log Analytics workspace Screen
(iii) Create Log Analytics workspace Screen
Subscription Field - Ensure that it is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
Resource Group Field - If you have not yet created a Resource Group click on Create New to create a new one e.g. AzureSGCResourceGroup.
Note: The Resource Group that you chose for your Log Analytics Workspace does not have to be the same as the Resource Group associated with your Virtual Machines.
Name Field - Populate with a Name for your new Log Analytics Workspace e.g. AzureServiceGraphConnector-LogAnalytics
Region Field - Specify the Region that you want to store your Log Analytics Workspace in e.g. East US
Note: The Region that you specify for your Log Analytics Workspace does not have to be the same as the Region that your Virtual Machines are in.
(iv) Click on Review & Create, Create to Create the new Log Analytics Workspace
(v) Click on the Go to Resource Push Button that appears when the Workspace is successfully created to bring you to the Workspace Overview Screen
(vi) Make note of the Workspace ID shown on this screen. You will be providing it in the Create Connection for the Software Import section of the Guided Setup step outlined in the D. Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
(vii) Click on the JSON View link shown to the right of the Workspace Overview Screen
(viii) Make note of the Resource ID shown at the top of the Resource JSON Screen displayed. You will be providing this as the Workspace Resource ID parameter in the next step, 14. Create Change Tracking and Inventory Data Collection Rule.
Creating Change Tracking and Inventory Azure Data Collection Rule
14. Create Change Tracking and Inventory Data Collection Rule - Enabling Software Application Data Collection step
In Azure, Data Collection Rules define what data should be collected by Azure Monitoring Agents, how it should be processed and where the processed data should be sent (Please refer to the Microsoft Data collection rules (DCRs) in Azure Monitor and Azure Monitor Overview Documentation pages for more details).
In this step you will be creating the Change Tracking and Inventory Data Collection Rule that will be used for processing the data collected by the ChangeTracking-Windows Extension referenced in the above 13. Create Azure Log Analytics Workspace step.
The Change Tracking and Inventory Data Collection Rule will be used for processing Software Inventory Change Data that is captured by the ChangeTracking-Windows Extension installed on your Windows Virtual Machines.
(i) Follow the steps outlined in the Create data collection rule section of the Microsoft Azure Enable Change Tracking and Inventory using Azure Monitoring Agent Documentation Page in order to create Change Tracking and Inventory Data Collection Rule paying particular attention to the below points.
Custom deployment > Basics Tab outlined in Step 6 of this Create data collection rule section in the Microsoft Azure Enable Change Tracking and Inventory using Azure Monitoring Agent Documentation Page.
Subscription Field - Populate with your Subscription (The one containing the Log Analytics Workspace that you created in Step 13. Create Azure Log Analytics Workspace above)
Resource Group Field - Populate with the Resource Group that you want to contain your Change Tracking and Inventory Data Collection Rule.
Region Field - Populate with the Region associated with the Log Analytics Workspace that you created in Step 13. Create Azure Log Analytics Workspace above.
Data Collection Rule Name Field - You can leave as the prepopulated Microsoft-CT-DCR default value or you can specify your own Change Tracking and Inventory Data Collection Rule Name.
Workspace Resource ID Field - Populate with the Workspace Resource ID value that you recorded in (viii) of the above 13. Create Azure Log Analytics Workspace step.
You should have a newly created Change Tracking and Inventory Data Collection Rule e.g. Microsoft-CT-DCR at the end of this step that will be used by Azure Monitor for collecting Software Inventory Change data from your Virtual Machines.
(ii) Navigate to the new Change Tracking and Inventory Data Collection Rule e.g. Microsoft-CT-DCR and open it.
(iii) Click on the JSON View link to the right of the Data Collection Rule Overview Screen to bring up the Resource JSON Screen for this Data Collection Rule.
(iv) Make Note of the Data Collection Rule Resource ID displayed at the top of the Resource JSON screen. This will be provided as 1 of the Parameters in the 15. Assign Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription step further down.
Assigning Enable ChangeTracking and Inventory for virtual machines Azure Policy Initiative to your Subscription
In Azure, Policy Initiatives allow you to apply Policy Enforcement on Azure Resources at scale, where an Azure Policy Initiative is a collection of related Azure Policies grouped together (please refer to the Microsoft What is Azure Policy? Documentation Page for more information on Azure Policies).
In this step you will be assigning the Enable ChangeTracking and Inventory for virtual machines Policy Initiative (Policy Initiative for ensuring that the ChangeTracking-Windows Extension is installed on all Azure Virtual Machines) to your Subscription.
15. Assign Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription - Enabling Software Application Data Collection step
(i) Navigate to Policy in Azure
(ii) Navigate to Authoring\Definitions in the Policy Menu
(iii) Search for the Enable ChangeTracking and Inventory for virtual machines Policy Initiative in the Policy Definitions List that is displayed.
(iv) Open the Enable ChangeTracking and Inventory for virtual machines Policy Initiative to bring up its Initiative Definition Screen.
(v) Click on Assign Initiative from the Initiative Definition Screen to bring up the Assign Initiative Screen
(vi) Ensure that the Scope Field on the Basics Tab on this screen is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
(vii) Navigate to the Parameters Tab and populate the fields on this Tab as specified below:
Bring Your Own User-Assigned Managed Identity - False
Data Collection Rule Resource Id - Populate with the Data Collection Rule Resource ID that you made note of in (iv) of the above 14. Create Change Tracking and Inventory Data Collection Rule step.
(viii) Click on the Review + Save, Save Pushbuttons to assign this Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription.
Having this Policy Initiative assigned to your Subscription means that for any new Windows Virtual Machine you create in your Subscription, the AzureMonitorWindowsAgent and ChangeTracking-Windows Extensions will be installed automatically when the VM is created. The assignment also creates a system-assigned managed identity and grants it the roles the initiative's DeployIfNotExists policies need in order to install extensions; treat that identity like any other privileged principal when you review role assignments on the Subscription.
Note: The enforcement of the Policies in this Enable ChangeTracking and Inventory for virtual machines Policy Initiative is applied asynchronously, so allow some time before checking whether the AzureMonitorWindowsAgent and ChangeTracking-Windows Extensions have been installed on any new Windows VMs that you create.
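The same assignment can be made from the Azure CLI, which is easier to review and repeat than the portal steps (i) to (viii) above. The following script is an added example and not part of the article; it assumes a working "az login" session with rights to create policy assignments, that the initiative exposes the parameters dcrResourceId and bringYourOwnUserAssignedManagedIdentity (confirm with az policy set-definition show --name <initiative> --query parameters), and that Contributor at subscription scope is acceptable for the assignment's managed identity. The initiative is looked up by display name so no definition GUID is hard-coded.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: assign the built-in
# "Enable ChangeTracking and Inventory for virtual machines" initiative with
# Azure CLI. Assumed parameter names: dcrResourceId and
# bringYourOwnUserAssignedManagedIdentity.

# Return 0 if $1 looks like a Data Collection Rule resource ID, i.e.
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.Insights/dataCollectionRules/<name>
dcr_id_is_valid() {
  printf '%s' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Insights/dataCollectionRules/[^/]+$'
}

# Print the --params JSON for the assignment. $1 = DCR resource ID from step 14 (iv).
build_ct_params() {
  dcr_id_is_valid "$1" || { echo "not a DCR resource id: $1" >&2; return 1; }
  printf '{"dcrResourceId":{"value":"%s"},"bringYourOwnUserAssignedManagedIdentity":{"value":false}}' "$1"
}

# Resolve the initiative by display name instead of hard-coding its GUID.
find_initiative_id() {
  az policy set-definition list \
    --query "[?displayName=='Enable ChangeTracking and Inventory for virtual machines'].id" -o tsv
}

# Assign at subscription scope with a system-assigned identity so that the
# DeployIfNotExists policies (and later remediation tasks) can install extensions.
# $1 = subscription ID, $2 = DCR resource ID, $3 = region for the identity (e.g. eastus).
assign_ct_initiative() {
  local sub="$1" dcr="$2" location="$3" scope params initiative
  scope="/subscriptions/$sub"
  params="$(build_ct_params "$dcr")" || return 1
  initiative="$(find_initiative_id)"
  [ -n "$initiative" ] || { echo "initiative not found in this tenant" >&2; return 1; }
  az policy assignment create \
    --name "enable-changetracking-inventory-vms" \
    --display-name "Enable ChangeTracking and Inventory for virtual machines" \
    --scope "$scope" \
    --policy-set-definition "$initiative" \
    --params "$params" \
    --mi-system-assigned --location "$location" \
    --identity-scope "$scope" --role "Contributor" -o table
  # Contributor is broader than the roleDefinitionIds listed inside the
  # initiative's policies; for least privilege, grant exactly those roles to
  # the assignment's identity instead of Contributor.
}

main() { assign_ct_initiative "$@"; }
# Only act when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: save as assign-ct.sh and run ./assign-ct.sh <subscription-id> <dcr-resource-id> eastus. The resource ID check rejects the common mistake of pasting only the rule name (Microsoft-CT-DCR) instead of the full resource ID.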
Verifying that the Azure Monitoring Agent and Change Tracking Windows Extensions are automatically installed on New Azure Windows Virtual Machines
16. Verifying that the Azure Monitoring Agent and Change Tracking Windows Extensions are automatically installed on New Azure Windows Virtual Machines, e.g. WinServer2019VM
In this step you will be creating a New Windows Virtual Machine and verifying that the Azure Monitoring Agent and related Extensions are installed on it.
(i) Navigate to Virtual Machines
(ii) Click on Create, Azure Virtual Machine to bring up the Create a virtual machine Screen
(iii) Populate the fields on this Screen as indicated below:
Subscription - Ensure that it is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
Resource Group Field - Populate with the Resource Group that you want this VM to be created in e.g. AzureSGCResourceGroup.
Note: The Resource Group does not have to be the same as the Resource Group that the Log Analytics Workspace is created in.
Virtual Machine Name - Populate with a Name like e.g. WinServer2019VM
Region - Populate with the Region that you want the VM to be created in e.g. (US) East US.
Note: The Region does not have to be the same as the Region that the Log Analytics Workspace is created in.
Image - Select any Windows Server Image like e.g. Windows Server 2019 Data Center
Admin Account User Name - Provide an Admin Account User Name
Admin Account Password - Provide a strong Admin Account Password. Leave the Public inbound ports setting on None unless you genuinely need RDP to this VM from the internet; the connector reads the VM through Azure APIs and needs no inbound network access to it.
(iv) Click on Review+Create, Create to Create the new Windows Virtual Machine
(v) After some time (approx 1 hr) navigate to the newly created Windows Virtual Machine
(vi) Navigate down to the Extensions + Applications section of the Properties Tab that is displayed for the new Windows Virtual Machine.
(vii) Verify that the AzureMonitorWindowsAgent & ChangeTracking-Windows Azure Extensions are shown as installed on the New Windows Virtual Machine as shown in the below screenshot:
Note: If you find that your VM has the deprecated MicrosoftMonitoringAgent extension installed, please reach out to your Azure administrator. There may be an Automation Account or Policy configured to deploy the MicrosoftMonitoringAgent. This should be disabled as part of the migration to the Azure Monitoring Agent and related extensions.
Verifying that the Azure Monitoring Agent and Change Tracking Windows Extensions are automatically installed on already existing Azure Windows Virtual Machines
17. Verifying that the Azure Monitoring Agent and Change Tracking Windows Extensions are automatically installed on already existing Azure Windows Virtual Machines
In this step you will be checking to see that the Azure Monitoring Agent and related Extensions were automatically installed on already existing Windows Virtual Machines.
(i) Navigate to Policy in Azure
(ii) Navigate to Compliance in the Policy Menu to bring up the Policy Compliance Screen. The Policy Compliance Screen lists all policy assignments in scope along with their Compliance State. The Enable ChangeTracking and Inventory for virtual machines Policy Initiative that you assigned in step 15. Assign Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription should be included in this list.
The below screen shot shows an example Policy Compliance Screen that includes the Enable ChangeTracking and Inventory for virtual machines Policy Initiative (highlighted in yellow) being shown in a Non-Compliant State.
(iii) Click into the Enable ChangeTracking and Inventory for virtual machines Policy Initiative that is shown as Non-Compliant to bring up its Policy Initiative Compliance Screen.
The screen shot below shows the Enable ChangeTracking and Inventory for virtual machines Policy Initiative Compliance Screen. It lists all the Policies in the Enable ChangeTracking and Inventory for virtual machines Policy Initiative along with their Compliance State.
(iv) Pick a Non Compliant Policy listed on this screen, like the Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Policy highlighted in the above screen shot and Click into it to bring up its Resource Compliance Screen.
The screen shot below shows the Configure Windows Machines to be associated with a Data Collection Rule ChangeTracking and Inventory Resource Compliance Screen. It lists all the Resources associated with the Policy along with their Compliance State.
(v) Click on the Create remediation task action shown at the top of the this screen to bring up the New Remediation Task Screen for that Policy.
The screenshot below shows the Configure Windows Machines to be associated with a Data Collection Rule ChangeTracking and Inventory New Remediation Task Screen. All Non Compliant Resources are listed under the Applicable resources to remediate List on this screen.
(vi) Click on the Re-evaluate resource compliance before remediating checkbox
(vii) Click on the Remediate Pushbutton on this screen to trigger Remediation of this Policy for all the Non Compliant Resources listed under the Applicable resources to remediate List.
(viii) Repeat steps (iii),(iv),(v),(vi) & (vii) for all Non-Compliant Policies in the Enable ChangeTracking and Inventory for virtual machines Policy Initiative.
(ix) After some time (approx 1 hour) navigate to the VMs that were shown as Non-Compliant in the Resource Compliance screens of the Non-Compliant Policies and confirm that both Extensions, AzureMonitorWindowsAgent and ChangeTracking-Windows, were installed. Remediation tasks run as the managed identity of the Policy Initiative assignment; if a task stays in a failed state, check that identity's role assignments before anything else.
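Steps 16 (vii) and 17 (iii) to (viii) above can be carried out without the portal, which matters once there are more VMs than you want to click through. The script below is an added example, not part of the article or the connector; it assumes an "az login" session, the extension names the article names (AzureMonitorWindowsAgent, ChangeTracking-Windows, and the deprecated MicrosoftMonitoringAgent) and a policy assignment name of your choosing (enable-changetracking-inventory-vms is assumed here). The check_vm_extensions function works on a plain list of extension names, so it can be tested against a constructed list before it is pointed at real VMs.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: verify a VM's extensions and
# remediate every policy in the initiative assignment with Azure CLI.

REQUIRED_EXTENSIONS="AzureMonitorWindowsAgent ChangeTracking-Windows"
DEPRECATED_EXTENSIONS="MicrosoftMonitoringAgent"

# $1 = newline-separated extension names, as printed by
#   az vm extension list ... --query "[].name" -o tsv
# Prints one line per problem and returns 1 if a required extension is missing
# or a deprecated one is still installed; prints "ok" otherwise.
check_vm_extensions() {
  local names="$1" rc=0 ext
  for ext in $REQUIRED_EXTENSIONS; do
    printf '%s\n' "$names" | grep -qxF "$ext" || { echo "missing: $ext"; rc=1; }
  done
  for ext in $DEPRECATED_EXTENSIONS; do
    printf '%s\n' "$names" | grep -qxF "$ext" && { echo "deprecated: $ext"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "ok"
  return "$rc"
}

# Step 16 (vii): $1 = resource group, $2 = VM name.
vm_extension_report() {
  local names
  names="$(az vm extension list -g "$1" --vm-name "$2" --query "[].name" -o tsv)"
  echo "$2:"
  check_vm_extensions "$names"
}

# Step 17 (iii)-(viii): one remediation task per policy in the initiative,
# re-evaluating compliance first (the portal's "Re-evaluate resource compliance
# before remediating" checkbox). $1 = subscription ID, $2 = assignment name.
remediate_initiative() {
  local scope="/subscriptions/$1" assignment_id setdef ref
  assignment_id="$(az policy assignment show --name "$2" --scope "$scope" --query id -o tsv)"
  setdef="$(az policy assignment show --name "$2" --scope "$scope" --query policyDefinitionId -o tsv)"
  az policy set-definition show --name "${setdef##*/}" \
    --query "policyDefinitions[].policyDefinitionReferenceId" -o tsv |
  while read -r ref; do
    az policy remediation create \
      --name "rem-$(printf '%s' "$ref" | tr -c 'A-Za-z0-9' '-' | cut -c1-60)" \
      --policy-assignment "$assignment_id" \
      --definition-reference-id "$ref" \
      --resource-discovery-mode ReEvaluateCompliance \
      --query "{policy:policyDefinitionReferenceId,state:provisioningState}" -o tsv </dev/null
  done
}

main() {
  case "$1" in
    check)     vm_extension_report "$2" "$3" ;;
    remediate) remediate_initiative "$2" "$3" ;;
    *) echo "usage: $0 check <resource-group> <vm> | remediate <subscription-id> <assignment-name>" >&2; return 2 ;;
  esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: ./ct-extensions.sh check AzureSGCResourceGroup WinServer2019VM after the roughly one hour wait, and ./ct-extensions.sh remediate <subscription-id> enable-changetracking-inventory-vms for existing VMs. A "deprecated: MicrosoftMonitoringAgent" line is the scripted equivalent of the note under step 16 (vii): some other automation is still deploying the legacy agent and should be found and disabled.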
C. Analyze your Windows VM in Azure
The data associated with your Windows VM is provided by the following Azure Modules within the Azure Portal:
- Azure Virtual Machines - Detailed CI Data
- Azure Change Tracking & Inventory - Installed Software Applications & CI Changes
Azure Virtual Machines
(i) Log into your Azure Account
(ii) Switch to the Subscription that contains your Windows Virtual Machines
(iii) Navigate to Virtual Machines to see the list of Windows Virtual Machines associated with your Subscription like the one shown in the below screen shot:
(iv) Click on any of the Virtual Machines in this list, like e.g. the WinServer2019VM Virtual Machine to bring up the Virtual Machine Menu associated with that Virtual Machine.
(v) Navigate to the Overview Menu Option (shown by default) and click on it to bring up the Overview Screen showing details for that VM. The top half of the screen shows the Key Attributes associated with the VM like e.g. Operating System, Size, Location, IP Address along with any Tags that may be associated with the VM while the bottom half of the Screen is Tabbed with the Properties Tab being displayed by default.
The below screenshot shows an example of this for the WinServer2019VM Virtual Machine that we are monitoring where the details associated with the WinServer2019VM Virtual Machine are displayed.
Tags
The Tags section of the Overview Screen shows any Tags that may be associated with the VM. The above Overview screenshot for the WinServer2019VM Virtual Machine shows the following 2 Tags that were added to this VM:
- Cloud Provider: Azure
- Instance Type: Windows
Networking
(vi) Scroll to the Networking Section of the Properties Tab to see the list of Network Interfaces associated with your VM. The below screenshot shows the winserver2019vm943_z1 Network Interface for our WinServer2019VM Virtual Machine along with it's associated Public IP Address, Private IP Address and Virtual Network.
(vii) Click on the Network Interface link associated with your Virtual Machine to bring up the Network Interface Details screen for that Network Interface, with the below Network Interface details listed:
- Public IP Address
- Private IP Address
- Virtual Network/subnet
- Network Security Group
The below screen shot shows the Network Interface Details screen for the winserver2019vm943_z1 Network Interface with its associated Public IP Address, Private IP Address, Network Security Group and Virtual Network being shown.
(viii) Click on the Browser Back button to return to the Virtual Machine Overview Screen.
Size
(ix) Scroll to the Size Section of the Properties Tab to see the size associated with your VM. The below screenshot shows that our WinServer2019VM Virtual Machine was provisioned with a Standard DS1 v2 size configuration.
Source Image Details
(x) Scroll to the Source Image Details Section of the Properties Tab to see what Image your VM was provisioned from. The below screenshot shows that our WinServer2019VM Virtual Machine was provisioned from the Microsoft Windows 2019 Server Gen 2 Image.
Disk
(xi) Scroll to the Disk Section of the Properties Tab to see the Disks associated with your VM. The below screenshot shows that our WinServer2019VM Virtual Machine was provisioned with a Disk named WinServer2019VM_disk1_22cac8bf339042c4bd68959c4sd06d3.
Azure Change Tracking and Inventory
Software Installations
(i) Navigate to the Operations\Inventory Menu Option in the Virtual Machine Menu associated with your VM to bring up the list of Software Applications that are installed on your VM. The below screenshot shows the list of Software Applications (6) that are installed on our WinServer2019VM Virtual Machine.
The Software Installation data shown in this screen was captured by the ChangeTracking-Windows Extension installed on our WinServer2019VM Virtual Machine.
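Everything the portal shows in this section can also be read through the Azure CLI, including the software inventory, which lives in the Log Analytics workspace that the Software connection (section D) will query. Checking that inventory rows exist for the VM before running the ServiceNow import separates "nothing was collected" from "the connector is misconfigured". The script below is an added example and not part of the article; it assumes an "az login" session and that AMA-based Change Tracking writes inventory rows to the ConfigurationData table with ConfigDataType "Software" and the SoftwareName, CurrentVersion and Publisher columns (adjust the query if your workspace schema differs).

```bash
#!/usr/bin/env bash
# Added example, not code from the article: read the VM attributes shown in
# section C and the Change Tracking software inventory with Azure CLI.

# Escape a value for use inside a single-quoted KQL string literal so that a
# computer name cannot break out of the literal and alter the query.
kql_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Build the KQL that returns the latest inventory row per installed application
# for one computer. $1 = value of the Computer column (assumed table/columns).
software_inventory_kql() {
  printf "ConfigurationData | where ConfigDataType == 'Software' and Computer == '%s' | summarize arg_max(TimeGenerated, *) by SoftwareName | project Computer, SoftwareName, CurrentVersion, Publisher, TimeGenerated" \
    "$(kql_quote "$1")"
}

# Tags, size, image SKU, OS disk and NIC addresses: $1 = resource group, $2 = VM name.
vm_summary() {
  az vm show -g "$1" -n "$2" --query \
    "{name:name,location:location,size:hardwareProfile.vmSize,image:storageProfile.imageReference.sku,osDisk:storageProfile.osDisk.name,tags:tags}" -o json
  az vm list-ip-addresses -g "$1" -n "$2" \
    --query "[].virtualMachine.network.{private:privateIpAddresses,public:publicIpAddresses[].ipAddress}" -o json
}

# $1 = Log Analytics Workspace ID (the customer ID GUID), $2 = computer name.
query_software_inventory() {
  az monitor log-analytics query -w "$1" --analytics-query "$(software_inventory_kql "$2")" -o table
}

main() {
  case "$1" in
    summary)  vm_summary "$2" "$3" ;;
    software) query_software_inventory "$2" "$3" ;;
    *) echo "usage: $0 summary <resource-group> <vm> | software <workspace-id> <computer>" >&2; return 2 ;;
  esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: ./vm-inventory.sh summary AzureSGCResourceGroup WinServer2019VM and ./vm-inventory.sh software <workspace-id> WinServer2019VM. The second command should list the same six applications the Inventory screen shows; an empty result means the ChangeTracking-Windows extension is not yet reporting into this workspace, and the ServiceNow software import will have nothing to ingest either.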
D. Configuring Azure Service Graph Connector on your ServiceNow Instance
(i) Login to your ServiceNow Instance
(ii) Navigate to Setup under Azure in the Filter Menu
(iii) Go through the remaining Guided Setup Steps as per the ServiceNow Documentation: Configure Service Graph Connector for Microsoft Azure
Create Connection for the Hardware Import
Your ServiceNow Instance will be authenticating against your Azure Account using an OAuth Token. You will be providing Azure OAuth Credential Details in the below Create or Edit Connection step of this Create Connection for the Hardware Import Guided Setup Section.
Create or Edit Connection
(i) Click on the Configure pushbutton for the Create or Edit Connection step to bring up the SG-Azure Hardware Connection Tile in Workflow Studio. The below screenshot shows the SG-Azure Hardware Connection Tile screen that you should expect to be brought to in Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure Hardware Connection then navigate to the Integrations Tab and click View Details on the SG-Azure Hardware Connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on Edit on the SG-Azure Hardware Connection Connection to bring up the below Dialog Box:
Connection name: Prepopulated with the "SG-Azure Hardware Connection" Name associated with the Connection Record in the Parent SG-Azure Hardware Connection Connection & Credential Alias.
Connection URL: Prepopulated with the global https://management.azure.com Azure Resource Manager URL. Leave this as is unless the tenant lives in a sovereign cloud, in which case use that cloud's Resource Manager endpoint, e.g. https://management.usgovcloudapi.net for Azure US Government (the former Azure Germany endpoint https://management.microsoftazure.de was retired together with that cloud).
OAuth client ID: Populate with the Client ID that was generated in the 1. Register Azure Service Graph Connector Application in Azure step of the above B. Configuring Azure for monitoring your Azure VMs section.
OAuth client secret: Populate with the Client Secret that was generated in the 2. Create a Client Secret Key for the Registered Application step of the above B. Configuring Azure for monitoring your Azure VMs section. Note the secret's expiry date when you create it; the connection stops working silently when it expires.
OAuth token URL: Replace the <tenantid> section of the prepopulated OAuth Token URL with the Tenant ID that was noted in the 1. Register Azure Service Graph Connector Application in Azure step of the above B. Configuring Azure for monitoring your Azure VMs section. For a sovereign cloud tenant the host of this URL differs as well (e.g. login.microsoftonline.us for Azure US Government).
(iii) Click on the Edit and Get OAuth pushbutton to save the SG-Azure Hardware Connection Connection Credentials and go back to the original SG-Azure Hardware Connection screen.
The already existing SG-Azure Hardware Connection.Credential Credentials Record (associated with the Parent SG-Azure Hardware Connection Connection & Credential Alias) is updated with the OAuth Client ID, OAuth Client Secret, and OAuth token URL values specified.
(iv) Click on the View Connection Alias pushbutton on the SG-Azure Hardware Connection Screen to view the Parent SG-Azure Hardware Connection Connection & Credential Alias Record. The screen shot below shows the Parent SG-Azure Hardware Connection Connection & Credential Alias Record. Notice the SG-Azure Hardware Connection.Credential Credentials Record listed in the Connections Tab of this Parent SG-Azure Hardware Connection Connection & Credential Alias Record.
Note: Any Child Connection & Credential Aliases that may be created when you click on Add Connection from the SG-Azure Hardware Connection Screen for connecting to a different Log Analytics Workspace within the same Tenant will be associated with this Parent Connection & Credential Alias and shown in the Child Aliases Tab of this Record.
Test the connection
(i) Return to Guided Setup and Click on Configure to the right of Test the Connection to bring up the Hardware Type Connection Records in the SG-Azure Service Graph Connections[sn_sg_azure_integ_service_graph_connection] Table.
(ii) Select the SG-Azure Hardware Connection Record and click on the Test Connection Related link to Test the Connection
If the Connection is successful you will see a Success Information message at the top of the SG-Azure Service Graph Connections Screen and the Status Field associated with the Connection will change from Pending to Success as shown in the below screen shot.
Set up scheduled import jobs
Azure Service Graph Connector Hardware Scheduled Import Jobs will be run at the interval you specify to ingest data from all Azure Accounts that the Azure Service Graph Connector has Permissions for. The CMDB database on your ServiceNow Instance will be populated with this ingested data.
The Azure Service Graph Connector comes with 23 Out of the Box Hardware Data Sources and Scheduled Data Imports shown in the below screenshot. They are shown in the Order that they run in (You need to Personalize your List Columns to include the Order column).
Please refer to the ServiceNow Service Graph Connector for Microsoft Azure Documentation Page for details on these Scheduled Import Jobs.
(i) Return to Guided Setup and Click on the Configure button for the Set up scheduled import jobs step to bring up the Inactive SG-Azure Subscriptions, SG-Azure Hardware Template & SG-Azure VM Config Data Hardware Scheduled Data Import Records associated with the Azure Service Graph Connector as shown in the below screen shot.
(ii) Turn on the SG-Azure-Subscriptions (Parent Scheduled Import Job), SG-Azure Hardware Template & SG-Azure VM Config Data Hardware Scheduled Import Jobs, by changing the Active Field for these jobs from false to true as shown in the below screen shot.
(iii) The SG-Azure Subscriptions job is set to run Periodically by default. Specify at what Repeat Intervals that you want this Job to run.
Creating Multiple Hardware connections - Not a specific Guided Setup step but instructions on how to create multiple connections (e.g. for multiple Azure Tenants, multiple Service Principals, or to support multiple Log Analytics Workspaces)
For example, if you need to connect to more than one Azure Tenant like e.g. USGOV you can do this by creating a new Child SG-Azure Hardware Connection & Credential Alias that will be associated with the Parent SG-Azure Hardware Connection & Credential Alias. Please follow the steps outlined below for doing this:
(i) Return to Guided Setup and Click on the Configure button for the Create or Edit Connection step to bring up the SG-Azure Hardware Connection Tile in Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure Hardware Connection Tile then navigate to the Integrations Tab and click View Details on the SG-Azure Hardware Connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on the Add Connection Pushbutton on the SG-Azure Hardware Connection (Parent Connection & Credential Alias) Connection Tile to bring up the below Create Connection Dialog box:
Connection name: Enter a Name that will allow you to easily identify the Azure Tenant, Service Principal or Log Analytics Workspace that you are connecting to, e.g. USGOV. This Name is used as a prefix in the names of the newly created Azure Connection specific Hardware Data Sources and Scheduled Import Jobs:
Azure Connection Specific Data Sources: <Connection Name> - <Data Source Name>
Azure Connection Specific Scheduled Import Jobs: <Connection Name> - <Import Job Name>
OAuth Client ID, OAuth client secret: Specify the Client ID and Client Secret associated with the Azure Tenant being connected to.
OAuth token URL: Replace the <tenantid> section of the URL with the Tenant ID associated with the Azure Tenant being connected to. For a tenant in a sovereign cloud the host of the URL also differs (e.g. login.microsoftonline.us for Azure US Government).
(iii) Click on Create and Get OAuth Token
- A new Child Connection & Credential Alias Record is created with the OAuth Client ID, OAuth Client secret and OAuth token URL values specified. This Child Connection & Credential Alias Record is associated with the Parent SG-Azure-Hardware Connection Connection & Credential Alias Record as shown in the below screen shot. We specified USGOV for our example so USGOV is shown as the Child Connection & Credential Alias below.
- A new set of Azure Connection specific Hardware Data Sources and Scheduled Imports are created that contain the Connection Name specified in the Create Connection Dialog Box. An example of Azure Connection specific Data Sources and Scheduled Imports that get created is shown below, where USGOV was used to identify your Azure USGOV Connection specific Scheduled Imports and Data Sources:
(iv) Return to Guided Setup and Click on Configure to the right of Set up scheduled import jobs to bring up the newly created Azure Connection specific SG-Azure-Subscriptions (Parent Scheduled Import Job), SG-Azure Hardware Template & SG-Azure VM Config Data Hardware Scheduled Data Import Records, e.g. USGOV-SG-Azure-Subscriptions.
(v) Mark these jobs as Active
(vi) The Azure Connection specific SG-Azure-Subscriptions (Parent Scheduled Import Job) job is set to run Periodically by default. Specify at what Repeat Intervals that you want this Job to run.
Create Connection for the Software Import
Your ServiceNow Instance will be authenticating against your Azure Account using an OAuth Token. You will be providing Azure OAuth Credential Details in the below Create or Edit Connection step of this Create Connection for the Software Import Guided Setup Section.
Create or Edit Connection
(i) Click on the Configure button for the Create or Edit Connection step to bring up the SG-Azure log analytics connection Tile in Workflow Studio. The below screenshot shows the SG-Azure log analytics Connection Tile screen that you should expect to be brought to in Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure log analytics Connection then navigate to the Integrations Tab and click View Details on the SG-Azure log analytics Connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on Edit on the SG-Azure log analytics connection connection to bring up the below Dialog Box:
Software connection name: Prepopulated with the "SG-Azure log analytics Connection" Name associated with the Connection Record in the Parent SG-Azure log analytics connection Connection & Credential Alias.
Hardware connection name: Populate with the "SG-Azure Hardware Connection" Name associated with the Connection Record in the Parent SG-Azure Hardware Connection Connection & Credential Alias (shown in part (ii) of the Create or Edit Connection step under the above Create Connection for the Hardware Import sub section)
Connection URL: Prepopulated with the https://api.loganalytics.io/v1/workspaces/<workspace_id> Azure Log Analytics REST API URL. Replace the <workspace_id> section of the URL with the Workspace ID associated with the Log Analytics Workspace that you created in the Create new Log Analytics Workspace step of the above B. Configuring Azure for monitoring your Azure VMs section. (For a sovereign cloud the API host differs as well, e.g. api.loganalytics.us for Azure US Government.)
OAuth client ID: Populate with the Client ID that was generated in the 1. Register Azure Service Graph Connector Application in Azure step of the above B. Configuring Azure for monitoring your Azure VMs section.
OAuth client secret: Populate with the Client Secret that was generated in the 2. Create a Client Secret Key for the Registered Application step of the above B. Configuring Azure for monitoring your Azure VMs section.
OAuth token URL: Replace the <tenantid> section of the prepopulated OAuth Token URL with the Tenant ID that was noted in the 1. Register Azure Service Graph Connector Application in Azure step of the above B. Configuring Azure for monitoring your Azure VMs section.
(iii) Click on the Edit and Get OAuth button
- The already existing SG-Azure log analytics connection.Credential Credentials Record (associated with the Parent SG-Azure log analytics Connection & Credential Alias) is updated with the OAuth Client ID, OAuth Client Secret, and OAuth token URL values specified.
- The already existing SG-Azure log analytics connection Connection Record (associated with the Parent SG-Azure log analytics Connection & Credential Alias) is updated with the Connection URL value specified.
The screen shot below shows the Parent SG-Azure log analytics Connection & Credential Alias Record.
Note: Any Child Connection & Credential Aliases that may be created when you click on Add Connection from the SG-Azure log analytics connection (Parent Connection & Credential Alias) Screen (shown in step (ii) above) for connecting to a different Azure Tenant, Service Principal or Log Analytics Workspace will be associated with this Parent Connection & Credential Alias and shown in the Child Aliases Tab of this Record.
Test the connection
(i) Return to Guided Setup and Click on Configure to the right of Test the Connection to bring up the Software Type connections in the SG-Azure Service Graph Connections[sn_sg_azure_integ_service_graph_connection] Table.
(ii) Select the SG-Azure Log Analytics Connection Record and click on the Test Connection Related link to Test the Connection
If the Connection is successful you will see a Success Information message at the top of the SG-Azure Service Graph Connections Screen and the Status Field associated with the Connection will change from Pending to Success as shown in the below screen shot.
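When either Test the connection step (the Hardware one above under Create Connection for the Hardware Import, or this Software one) fails, it helps to exercise the same service principal from outside ServiceNow, so that a bad tenant ID, an expired secret or a missing role can be told apart from a problem on the instance. The script below is an added example and not part of the article or the connector; it assumes the Microsoft Entra v2.0 client-credentials endpoint, the Azure Resource Manager scope for the Hardware connection and the Log Analytics API scope for the Software connection, and that curl and python3 are available. The client secret is read from the AZURE_CLIENT_SECRET environment variable rather than the command line so it does not show up in process listings or shell history.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: exercise the Azure service
# principal the ServiceNow connections use. Hosts default to the global cloud;
# override them for a sovereign cloud tenant (assumed endpoints).
LOGIN_HOST="${LOGIN_HOST:-login.microsoftonline.com}"   # login.microsoftonline.us for Azure US Government
ARM_URL="${ARM_URL:-https://management.azure.com}"     # https://management.usgovcloudapi.net for US Government
LA_URL="${LA_URL:-https://api.loganalytics.io}"        # https://api.loganalytics.us for US Government

is_guid() { printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'; }

# Print the token URL for a tenant, refusing anything that is not a bare GUID
# (catches an unreplaced <tenantid> placeholder or a pasted domain name).
token_url() {
  is_guid "$1" || { echo "tenant id must be a GUID, got: '$1'" >&2; return 1; }
  printf 'https://%s/%s/oauth2/v2.0/token' "$LOGIN_HOST" "$1"
}

# Client-credentials grant. $1 tenant, $2 client ID, $3 scope; secret from the environment.
get_token() {
  local url; url="$(token_url "$1")" || return 1
  [ -n "${AZURE_CLIENT_SECRET:-}" ] || { echo "set AZURE_CLIENT_SECRET first" >&2; return 1; }
  curl -sS -X POST "$url" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=$2" \
    --data-urlencode "client_secret=$AZURE_CLIENT_SECRET" \
    --data-urlencode "scope=$3" |
  python3 -c 'import json,sys
d=json.load(sys.stdin)
if "access_token" not in d: sys.exit("token error: " + str(d.get("error_description", d)))
print(d["access_token"])'
}

# Hardware connection check: the principal must be able to list subscriptions.
probe_arm() {
  local tok; tok="$(get_token "$1" "$2" "$ARM_URL/.default")" || return 1
  curl -sS -H "Authorization: Bearer $tok" "$ARM_URL/subscriptions?api-version=2020-01-01" |
  python3 -c 'import json,sys
d=json.load(sys.stdin)
if "error" in d: sys.exit("ARM error: " + json.dumps(d["error"]))
for s in d.get("value", []): print(s["subscriptionId"], s["displayName"])
print(len(d.get("value", [])), "subscription(s) visible")'
}

# Software connection check: a different token audience and a read role on the
# workspace itself are needed, so a principal that passes probe_arm can still fail here.
# $3 = Workspace ID (the GUID used in the Connection URL).
probe_log_analytics() {
  local tok; tok="$(get_token "$1" "$2" "$LA_URL/.default")" || return 1
  curl -sS -H "Authorization: Bearer $tok" -H "Content-Type: application/json" \
    -X POST "$LA_URL/v1/workspaces/$3/query" \
    -d '{"query":"ConfigurationData | where ConfigDataType == \"Software\" | count"}' |
  python3 -c 'import json,sys
d=json.load(sys.stdin)
if "error" in d: sys.exit("Log Analytics error: " + json.dumps(d["error"]))
t=d["tables"][0]; print(t["columns"][0]["name"], t["rows"][0][0])'
}

main() {
  case "$1" in
    arm) probe_arm "$2" "$3" ;;
    la)  probe_log_analytics "$2" "$3" "$4" ;;
    *) echo "usage: AZURE_CLIENT_SECRET=... $0 arm <tenant-id> <client-id> | la <tenant-id> <client-id> <workspace-id>" >&2; return 2 ;;
  esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: AZURE_CLIENT_SECRET='...' ./sp-probe.sh arm <tenant-id> <client-id>, then the same with la <tenant-id> <client-id> <workspace-id>. A token error points at the tenant ID or secret; an ARM error at the role assignment on the subscription; a Log Analytics error at the role assignment on the workspace (a reader role such as Log Analytics Reader on the workspace is needed in addition to whatever the principal holds on the subscription).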
Set up scheduled import jobs
Azure Service Graph Connector Software Scheduled Import Jobs will be run at the interval you specify to ingest data from all Azure Accounts that the Azure Service Graph Connector has Permissions for. The CMDB database on your ServiceNow Instance will be populated with this ingested data.
The Azure Service Graph Connector comes with the 3 Out of the Box Software Data Sources and Scheduled Data Imports shown in the below screenshot.
Note: The SG-Azure TCP Scheduled Import Job captures CI Process and TCP Connection data associated with the Azure VM's. Please refer to the ServiceNow Service Graph Connector for Microsoft Azure Documentation Page for details on these Scheduled Import Jobs.
(i) Return to Guided Setup and Click on the Configure button to the right of the Set up scheduled import jobs step to bring up these Scheduled Data Import Records
(ii) Mark these jobs as Active
(iii) These jobs are set to run After Parent Runs by default, after the Parent SG-Azure Subscriptions Scheduled Import Job.
Creating Multiple Software connections - Not a specific Guided Setup step but instructions on how to create multiple Software connections (e.g. for multiple Azure Tenants, multiple Service Principals, or to support multiple Log Analytics Workspaces)
For example, if you need to connect to more than one Azure Tenant like e.g. USGOV you can do this by creating a new Child SG-Azure log analytics Connection & Credential Alias that will be associated with the Parent SG-Azure log analytics Connection & Credential Alias. Please follow the steps outlined below for doing this:
(i) Return to Guided Setup and Click on the Configure button for the Create or Edit Connection step to bring up the Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure log analytics connection Tile then navigate to the Integrations Tab and click View Details on the SG-Azure log analytics connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on the Add Connection pushbutton on the SG-Azure log analytics connection (Parent Connection & Credential Alias) Connection Tile to bring up the below Create Connection Dialog box:
Software connection name: Enter a Name that will allow you to easily identify the Azure Tenant, Service Principal or Log Analytics Workspace that you are connecting to, and that marks the Scheduled Import Jobs that get created as Software Scheduled Import Jobs, e.g. USGOV-S. This Name is used as a prefix in the names of the newly created Azure Connection specific Software Data Sources and Scheduled Import Jobs:
Azure Connection Specific Data Sources: <Connection Name> - <Data Source Name>
Azure Connection Specific Scheduled Import Jobs: <Connection Name> - <Import Job Name>
Hardware connection name: Specify the Connection Name associated with the Child Connection & Credential Alias that you would have already created for the Parent SG-Azure-Hardware Connection Connection & Credential Alias.
Note: There should always be a 1:1 Mapping for Hardware Connections to Software Connections.
Connection URL: Replace the <workspace_id> section of the URL with the Workspace ID associated with the Log Analytics Workspace in the Azure Tenant being connected to.
OAuth Client ID, OAuth client secret: Specify the Client ID and Client Secret associated with the Azure Tenant being connected to.
OAuth token URL: Replace the <tenantid> section of the URL with the Tenant ID associated with the Azure Tenant being connected to (and, for a sovereign cloud tenant, the host of the URL, e.g. login.microsoftonline.us for Azure US Government).
The screen shot below shows how you would populate this Dialog Box for creating the Software Scheduled Import Jobs associated with an e.g. USGOV Azure Tenant.
(iii) Click on Create and Get OAuth Token
- A new Child Connection & Credential Alias Record is created with the Connection URL, OAuth Client ID, OAuth Client secret and OAuth token URL values specified. This Child Connection & Credential Alias Record is associated with the Parent SG-Azure log analytics Connection Connection & Credential Alias Record as shown in the below screen shot. We specified USGOV-S as Software connection name for our example so USGOV-S is shown as the Child Connection & Credential Alias below.
- A new set of Azure Connection specific Software Data Sources and Scheduled Imports are created that contain the Software Connection Name specified in the Create Connection Dialog Box. An example of the Azure Connection Software Data Sources and Scheduled Imports that get created is shown below, where USGOV-S was used to identify your Azure Connection specific Software Scheduled Imports and Data Sources:
Note: The SG-Azure TCP Scheduled Import Job captures CI Process and TCP Connection data associated with the Azure VM's.
(iv) Return to Guided Setup and Click on the Configure button to the right of the Set up scheduled import jobs step to bring up these newly created Azure Connection specific Software Scheduled Data Import Records
(v) Mark these jobs as Active
(vi) These jobs are set to run After Parent Runs by default, after the Parent USGOV-SG-Azure Subscriptions Scheduled Import Job.
Setup Run Command for extended discovery
In this section of Guided Setup you will update the Connection Properties associated with your Hardware Import Connection with the details of the Containers you created and the Script Files you uploaded in the 5. Create Containers in Storage Account and 6. Upload Script Files to the Containers in your Storage Account steps of the above B. Configuring Azure for monitoring your Azure VMs section.
Note: Run Command executes the uploaded scripts with SYSTEM privileges on Windows and as root on Linux on every VM the connector discovers. Anyone who can write to the script container can therefore run arbitrary code on all of those VMs; restrict write access to that container to the account that maintains the scripts, keep anonymous access off, and treat changes to the scripts as changes to privileged code.
Configure connection properties
(i) Return to Guided Setup and Click on Configure to the right of Configure connection properties to bring up the below SG-Azure Configuration Properties screen:
(ii) Populate the fields on this screen as below:
Connection: Populate with the Hardware Imports Connection Alias that you created in the previous Create Connection for the Hardware Import subsection.
Name of the storage account where the containers are created: Populate with the name of the Storage Account e.g. deepdiscovery that you created in the 4. Create Storage Account step of the previous B. Configuring Azure for monitoring your Azure VMs section.
Subscription ID where the storage account has been created: Populate with the Subscription ID of the Subscription in which you created the Storage Account.
Resource group of the storage account: Populate with the Resource Group associated with your Storage Account.
Name of the container where the sh and ps1 files are uploaded in Azure: Populate with the name of the Script Files Container e.g. scriptfiles that you created in the 5. Create Containers in Storage Account step of the previous B. Configuring Azure for monitoring your Azure VMs section.
Name of the container where the results of the commands have to be stored: Populate with the name of the Discovery Output Container e.g. discoutput that you created in the 5. Create Containers in Storage Account step of the previous B. Configuring Azure for monitoring your Azure VMs section.
URI of the sh file which has to be run on linux machines: Populate with the URL field that you made note of in (vi) of the 6. Upload Script Files to the Containers in your Storage Account step in the previous B. Configuring Azure for monitoring your Azure VMs section.
URI of the ps1 file which has to be run on windows machines: Populate with the URL field that you made note of in (ix) of the 6. Upload Script Files to the Containers in your Storage Account step in the previous B. Configuring Azure for monitoring your Azure VMs section.
(iii) Click on the Save pushbutton on this screen to save these Connection properties.
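Before saving these properties it is worth checking two things that the screen itself does not: that both script URIs really point into the named Storage Account and script container (a URI copied from the wrong container, or from a different account with a similar name, is silently accepted), and that the container is not exposed more widely than intended. The script below is an added example, not part of the article or the connector; it assumes the public-cloud blob endpoint suffix blob.core.windows.net, an "az login" session, and the example names deepdiscovery and scriptfiles from the text.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: validate the Run Command inputs
# and review the exposure of the script container.

# Return 0 if $3 is a blob URI inside storage account $1 / container $2.
# Assumed public-cloud blob endpoint; the host must match exactly, so
# "<account>.blob.core.windows.net.evil.example" is rejected.
blob_uri_in_container() {
  local account="$1" container="$2" uri="$3"
  case "$uri" in
    "https://$account.blob.core.windows.net/$container/"?*) return 0 ;;
  esac
  return 1
}

# Check the two URIs the Guided Setup asks for. $1 account, $2 script
# container, $3 sh URI, $4 ps1 URI. Prints one line per problem; "ok" if none.
check_script_uris() {
  local rc=0
  blob_uri_in_container "$1" "$2" "$3" || { echo "sh URI is not in $1/$2: $3"; rc=1; }
  blob_uri_in_container "$1" "$2" "$4" || { echo "ps1 URI is not in $1/$2: $4"; rc=1; }
  case "$3" in *.sh|*.sh\?*) ;; *) echo "sh URI does not name a .sh file: $3"; rc=1 ;; esac
  case "$4" in *.ps1|*.ps1\?*) ;; *) echo "ps1 URI does not name a .ps1 file: $4"; rc=1 ;; esac
  [ "$rc" -eq 0 ] && echo "ok"
  return "$rc"
}

# Live exposure review with Azure CLI. $1 resource group, $2 account, $3 container.
check_container_exposure() {
  local account_id pub level
  account_id="$(az storage account show -g "$1" -n "$2" --query id -o tsv)"
  pub="$(az storage account show -g "$1" -n "$2" --query allowBlobPublicAccess -o tsv)"
  level="$(az storage container-rm show -g "$1" --storage-account "$2" --name "$3" --query publicAccess -o tsv)"
  echo "allowBlobPublicAccess=$pub  container publicAccess=$level"
  [ "$pub" = "false" ] || echo "WARN: anonymous blob access is allowed at the account level"
  [ "$level" = "None" ] || echo "WARN: container $3 is anonymously readable (publicAccess=$level)"
  echo "principals with write access to the account (each one can run code on every discovered VM):"
  az role assignment list --scope "$account_id" --include-inherited \
    --query "[?contains(roleDefinitionName,'Contributor') || contains(roleDefinitionName,'Owner')].[principalName,roleDefinitionName,scope]" -o tsv
}

main() {
  case "$1" in
    uris)     check_script_uris "$2" "$3" "$4" "$5" ;;
    exposure) check_container_exposure "$2" "$3" "$4" ;;
    *) echo "usage: $0 uris <account> <container> <sh-uri> <ps1-uri> | exposure <resource-group> <account> <container>" >&2; return 2 ;;
  esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: ./deepdiscovery-check.sh uris deepdiscovery scriptfiles <sh-uri> <ps1-uri> with the two URLs you noted in step 6, then ./deepdiscovery-check.sh exposure <resource-group> deepdiscovery scriptfiles. The role listing is the part to read carefully: Contributor on the account, a subscription-level Contributor inherited down to it, or Storage Blob Data Contributor on the container are all enough to replace the scripts.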
E. Run Azure Service Graph Connector Scheduled Data Import Jobs on your ServiceNow Instance
Before running these Scheduled Data Imports, I would recommend enabling CMDB 360 by setting the glide.identification_engine.multisource_enabled system property to True in System Properties.
Doing this allows the following for CI's that are Created\Updated by the Scheduled Data Import Jobs:
1. For CI's that have Reconciliation Rules, see Proposed Values for Lower Priority Discovery Sources that were Rejected
2. For CI's that allow more than 1 Discovery Source to update them (i.e. No Reconciliation Rules or Reconciliation Rules with same Priority), Identify the Source of an Attribute and see the Proposed Values for that Attribute from the other Discovery Sources.
Refer to the ServiceNow CMDB 360/Multisource CMDB Documentation page for more details.
(i) Navigate to Import Schedules under Azure in the Filter Menu. 26 OOTB Scheduled Data Imports should be listed, with all of them being marked Active as shown below. The Order Column shows the Order that the Import Jobs will run in (You need to Personalize your List Columns to include the Order column). Please refer to the ServiceNow Service Graph Connector for Microsoft Azure Documentation Page for details on these Scheduled Import Jobs.
Note: It is recommended that you create an Azure Connection Specific Version of these Scheduled Data Imports as discussed in the Creating Multiple Hardware Connections and Creating Multiple Software Connections Guided Setup steps of the above C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance section. There will be 24 Azure Connection specific Scheduled Import Jobs created per Connection Specific Setup.
Open your SG-Azure Subscriptions Parent Scheduled Import job record and click on the Execute button.
(ii) Navigate to Concurrent Import Sets in the Filter Menu.
- Wait for your Active Scheduled Data Import jobs to finish.
F. Analyze the CMDB Records created\updated by the Azure Service Graph Connector for your Windows VM in your ServiceNow Instance
There are 6 types of Records created by the Azure Service Graph Connector in the CMDB:
- CMDB CI[cmdb_ci] Records
- Software Installation[cmdb_sam_sw_install] Records - If Software Asset Management(SAM) enabled
- Software Instance[cmdb_software_instance] + Software Package[cmdb_ci_spkg] Records - If Software Asset Management(SAM) not enabled
- Running Process[cmdb_running_process] Records
- TCP Connection[cmdb_tcp] Records
- Key Value[cmdb_key_value] Records
- Serial Number[cmdb_serial_number] Records
CMDB CI Records
(i) Navigate to cmdb_ci.list in the Filter Menu
(ii) Group by Discovery Source
(iii) Navigate to the SG-Azure Discovery Source and double click on its Discovery source:SG-Azure(n) link where n represents the Number of CMDB records(entities) Created\Updated by the SG-Azure Service Graph Connector.
(iv) Group By Class
A List of CMDB CI Records Created\Updated by the SG-Azure Service Graph Connector will be displayed grouped by Class. The screen shot below shows the Class Records displayed in this Class List for the data that was ingested by the SG-Azure Service Graph Connector for our Azure Subscription that includes CI's associated with our WinServer2019VM Virtual Machine.
Note: For ServiceNow Instances that do not have Software Asset Management(SAM) enabled, you would see an extra Software Class listed for representing all the Software Package[cmdb_ci_spkg] Records that would have been populated by the SG-Azure Software Scheduled Data Import Job (referenced in the above C. Installing and Configuring Azure Service Graph Connector on your ServiceNow Instance section).
- The WinServer2019VM Windows Virtual Machine is listed as a Windows Server CI along with its associated WinServer2019VM Virtual Machine CI.
- The Cloud Mgmt Network Interface, Image and Storage Volume CI's associated with the WinServer2019VM Windows Server are shown. These were populated from the WinServer2019VM Virtual Machine Entity in Azure and its associated Network Interface Card, Image and Disk Entities described in the above C. Analyze your Windows VM in Azure section.
- The Public IP Address, Private IP Address, Cloud Network, Cloud Network Subnet and Cloud Security Group CI's associated with the WinServer2019VM Windows Server's winserver2019vm943_z1 Network Interface Card are shown. These were populated from the winserver2019vm943_z1 Network Interface Card details described in the Networking sub section of the above C. Analyze your Windows VM in Azure section.
- The Cloud Service Account CI associated with the Azure Subscription, that our WinServer2019VM Virtual Machine was provisioned in, is shown.
WinServer2019VM Windows Server
The screen shot below shows all the Windows Server Summary fields that were populated by the Azure Service Graph Connector for the WinServer2019VM Windows Server CI. The Serial Number, Model ID, Manufacturer, RAM and CPU fields that were populated by the Deep Discovery Feature are circled.
Note: The Serial number field is populated with the Operating System Serial Number associated with the Windows VM as opposed to the UUID Serial Number. In previous versions of the Azure Service Graph Connector, the Serial Number field was populated with the UUID Serial Number associated with the Windows VM.
Related Tabs
The screen shot below shows the Running Processes(62) and TCP Connections(22) that were populated by the Deep Discovery Feature. The Software Installed Records(6) were populated by the SG-Azure Software Import Job.
Related Items
The screen shot below shows the Network Interface, Image and Storage Volume for the WinServer2019VM Windows Virtual Machine that came from the Network Interface, Azure Disk and Azure Image associated with WinServer2019VM as shown in the above C. Analyze your Windows VM in Azure Section.
Software Installation Records
Software Asset Management(SAM) enabled
For ServiceNow Instances that have Software Asset Management(SAM) enabled, the Software Install Records associated with Created\Updated Computer CI's will be ingested into the Software Installations[cmdb_sam_sw_install] Table.
Software Asset Management(SAM) not enabled
For ServiceNow Instances that do not have Software Asset Management(SAM) enabled, the Software Install Records associated with Created\Updated Computer CI's will be ingested into the Software Instances[cmdb_software_instance] Table along with associated Software Package Records being ingested into the Software Packages[cmdb_ci_spkg] Table.
Note: All that is needed to enable Software Asset Management is the free SAM Foundation plugin. Installing this plugin triggers the Software Install Records being populated into the Software Installations[cmdb_sam_sw_install] Table. Installing this free SAM Foundation plugin is a recommended Best Practice for customers that believe that they may be using Software Asset Management Professional (SAM Pro) in the future. These customers would then not have to migrate Software Records from the Software Instances[cmdb_software_instance] Table to the Software Installations[cmdb_sam_sw_install] Table at the point in time that they would be installing Software Asset Management Professional (SAM Pro).
The Use Case outlined in this Article is for a ServiceNow Instance with Software Asset Management(SAM) enabled. To see the Software Install Records associated with Computer CI's that were Created\Updated by the SG-Azure Service Graph Connector, the steps below direct you to navigate to the Software Installations[cmdb_sam_sw_install] Table:
(i) Navigate to cmdb_sam_sw_install.list in the Filter Menu
(ii) Group by Discovery Source
(iii) Navigate to the SG-Azure Discovery Source and double click on its Discovery source:SG-Azure (n) link where n represents the Number of Software Install Records Created\Updated by the SG-Azure Service Graph Connector.
(iv) A List of Software Install Records Created\Updated by the SG-Azure Service Graph Connector will be displayed. The screen shot below shows the Software Install Records displayed in this List for the WinServer2019VM Windows Virtual Machine in our Azure Subscription.
Notice the 6 Records are shown at the bottom of the screen. This matches the Software Installations (6) count in the Software Installations Tab shown above for the WinServer2019VM Windows Server. It also matches the (6) count shown in the Azure Software Applications screen shot in the above C. Analyze your Windows VM in Azure Section for the WinServer2019VM Windows Virtual Machine.
Running Process Records
(i) Navigate to cmdb_running_process.list in the Filter Menu
(ii) Search for the Windows Server (e.g. WinServer2019VM) in the Computer column
(iii) A List of Running Process Records for the Server being searched e.g. WinServer2019VM will be displayed.
The Screen shot below shows the Running Process Records displayed in this List for our WinServer2019VM Windows Server.
Notice the 62 Records are shown at the bottom of the screen. This matches the Running Processes (62) count in the Running Processes Tab shown above for the WinServer2019VM Windows Server.
TCP Connection Records
(i) Navigate to cmdb_tcp.list in the Filter Menu
(ii) Search for the Windows Server (e.g. WinServer2019VM) in the Computer column
(iii) A List of TCP Connection Records for the Server being searched e.g. WinServer2019VM will be displayed.
The Screen shot below shows the TCP Connection Records displayed in this List for our WinServer2019VM Windows Server.
Notice the 22 Records are shown at the bottom of the screen. This matches the TCP Connections (22) count in the TCP Connections Tab shown above for the WinServer2019VM Windows Server.
Key Value Records
(i) Navigate to cmdb_key_value.list in the Filter Menu
(ii) For the Key Column filter on the Tags that you know are set up for your Virtual Machines in your Azure Subscription
The below screen shot shows all the Tags associated with the WinServer2019VM Virtual Machine in Azure. Notice how they are the same Tags that are shown for the WinServer2019VM Virtual Machine screen in the Tags sub section of the above C. Analyze your Windows VM in Azure Section.
Serial Number Records
(i) Navigate to cmdb_serial_number.list in the Filter Menu
(ii) A List of all the Serial Number Records in your ServiceNow Instance will be displayed
(iii) To see the Serial Number Records associated with any of your Virtual Machines from Azure, type its name into the Configuration Item Search Field in this list. The screen shot below shows the Serial Number Record associated with our WinServer2019VM Windows Server.
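The list navigation steps in this section can also be scripted. The Python script below is an added example (not part of the article or the connector) that queries the same tables through the ServiceNow Table API, grouping the SG-Azure CI's by class and counting the Running Process, TCP Connection and Software Installation records for one server so they can be compared with the Related Tabs counts. It assumes the environment variables SN_INSTANCE, SN_USER and SN_PASSWORD for a user with read access to the CMDB, and assumes the reference field names computer (cmdb_running_process, cmdb_tcp) and installed_on (cmdb_sam_sw_install).

```python
import base64, json, os
from collections import Counter
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SOURCE = "SG-Azure"  # discovery_source value the connector stamps on its records
# Section F related lists -> reference field pointing at the server CI.
# Assumption: these field names are not taken from the article.
RELATED = {"cmdb_running_process": "computer",
           "cmdb_tcp": "computer",
           "cmdb_sam_sw_install": "installed_on"}


def encoded_query(**conditions):
    """Build a sysparm_query: conditions ANDed with '^'; dotted keys dot-walk."""
    return "^".join(f"{field}={value}" for field, value in conditions.items())


def count_by_class(records):
    """Same grouping as the 'Group By Class' step: {sys_class_name: count}."""
    return Counter(r["sys_class_name"] for r in records)


def fetch_all(instance, auth_header, table, query, fields, page=500):
    """Page through /api/now/table/<table> with sysparm_limit/sysparm_offset."""
    rows, offset = [], 0
    while True:
        params = urlencode({"sysparm_query": query, "sysparm_fields": ",".join(fields),
                            "sysparm_limit": page, "sysparm_offset": offset})
        req = Request(f"{instance}/api/now/table/{table}?{params}",
                      headers={"Authorization": auth_header, "Accept": "application/json"})
        batch = json.load(urlopen(req))["result"]
        rows.extend(batch)
        if len(batch) < page:
            return rows
        offset += page


def main(server="WinServer2019VM"):
    instance = os.environ["SN_INSTANCE"].rstrip("/")
    creds = f"{os.environ['SN_USER']}:{os.environ['SN_PASSWORD']}".encode()
    auth = "Basic " + base64.b64encode(creds).decode()
    # Steps (i)-(iv): every CI the connector created/updated, grouped by class.
    cis = fetch_all(instance, auth, "cmdb_ci", encoded_query(discovery_source=SOURCE),
                    ["sys_class_name"])
    for cls, n in sorted(count_by_class(cis).items()):
        print(f"{cls:40} {n}")
    # Related lists for one server; dot-walking on name avoids a sys_id lookup.
    for table, ref in RELATED.items():
        rows = fetch_all(instance, auth, table, encoded_query(**{f"{ref}.name": server}), ["sys_id"])
        print(f"{server}: {table} = {len(rows)}")  # compare with the Related Tabs counts


if __name__ == "__main__":
    main()
```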
G. When to use Azure Service Graph Connector vs Cloud Discovery
ITOM Visibility (Horizontal Discovery + Cloud Discovery) is the recommended solution for populating the CMDB with Cloud based Resources like Azure Virtual Machines etc. ITOM Visibility (Horizontal Discovery + Cloud Discovery) requires a MID Server with connectivity to the Hosts (including Cloud based Resources) being targeted for discovery.
When to use the Azure Service Graph Connector for Discovering your Azure Resources
You should use the Azure Service Graph Connector for Discovering your Azure Resources for the below Use Cases:
- You don't want to have a MID Server as a requirement for your overall Solution Architecture
- You don't want to (or can't) use ITOM Horizontal Discovery in your overall Solution Architecture.
- You don't want to (or can't) use Agent Client Collector for Visibility in your overall Solution Architecture.
- You want the below data to be populated in the Target CI's that get created:
- Installed Software running on Azure Virtual Machines
- Running Process & TCP Connections on Azure Virtual Machines
Cloud Discovery provides the ability to get High Level Azure Virtual Machine Metadata only. For cases where Horizontal Discovery and Agent Client Collector for Visibility are not options, but you need to get Installed Software, Running Process or TCP Connection data from your Azure Virtual Machines, then the Azure Service Graph Connector is recommended.
When to use ITOM Visibility (Horizontal Discovery + Cloud Discovery) for Discovering your Azure Resources
You should use ITOM Visibility (Horizontal Discovery + Cloud Discovery) for discovering your Azure Resources when you want the richest set of data in the CMDB, the most capabilities, and have the ability to obtain the necessary credentials and network connectivity.
Hi Anne,
Thanks for publishing this article - very detailed and helpful.
One question: What additional level of detail does the configuration with the storage account and runcommand provide? How does it differ/build upon from what is brought in through the DCRs and the Log Analytics API?
Hi @vinnietay,
Thank you for the positive feedback on the Article. To answer your question on the additional level of detail provided by the Storage Account and Runcommand, the following fields are populated in the Target Computer CI's (as outlined in the Create Storage Containers subsection of the above B. Configuring Azure for monitoring your Azure VMs Section).
- Serial Number - Operating System
- Manufacturer
- Model
- CPU Manufacturer
- CPU Type
- CPU Speed
- CPU Count
- CPU Core Thread
Note: The Serial Number field is populated with the Serial Number associated with the Operating System of the Virtual Machine as opposed to the Virtual Machine UUID Serial Number that this field is populated with by the DCRs and the Log Analytics API.
Hoping this helps,
Thanks,
Anne-Marie
Hi @Anne Marie Duff,
Thank you for the swift answer and as a side comment, your articles in general have been incredibly helpful for setting up/troubleshooting SGCs in general - it's greatly appreciated.
To follow-up on that, so without the Storage Account configuration and just utilizing LAWS with the DCRs, Model ID will not be mapped? Does this mean that the Server records created for the Azure VMs will have an Unknown Model?
Additionally, one more question on a separate topic: Authentication method - Is there an ability on the Platform to build upon the OOTB SGC design to utilize OIDC/federated identity to authenticate access to the Service Principal? Ideally, this would be using a configuration and not a customization to the Platform.
Thanks!
Vinny