12-17-2024 09:42 AM - edited 07-08-2025 02:59 AM
How do I configure the Azure Service Graph Connector?
Version: 1.10
Sample Windows VM to Monitor: WinServer2019VM
Software Asset Management Enabled(Yes\No): Yes
Enabling Software Application Data Collection from Azure VM's (Yes\No): Yes
Enabling Process & TCP Connection Data Collection from Azure VM's (Yes\No): Yes
This article covers the following topics:
A. Set up Windows VM to be monitored in Azure
B. Analyze your Windows VM in Azure
C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance
D. Run Azure Service Graph Connector Scheduled Data Import Jobs on your ServiceNow Instance
E. Analyze the CMDB Records created\updated by the Azure Service Graph Connector for your Windows VM in your ServiceNow Instance
F. When to use Azure Service Graph Connector vs Cloud Discovery
A. Set up Windows VM to be monitored in Azure
The subsections listed below describe all the setup that needs to be done in Azure before configuring and running the Azure Service Graph Connector:
- Registering Web Application in Azure
- Creating Azure Log Analytics Workspace
- Creating Azure Data Collection Rules
- Assigning Azure Policy Initiative's to your Subscription
- Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on New Azure Virtual Machines, e.g. WinServer2019VM
- Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on already existing Azure Windows Virtual Machines
Registering Web Application in Azure
1. *Register Azure Service Graph Connector Application in Azure
*This step can only be performed by your Azure Administrator.
This setup involves creating a new Application Registration for the Azure Service Graph Connector in Azure, which allows the connector to authenticate with Azure when accessing your Azure Resources (refer to the Microsoft Register a web application in Azure Active Directory B2C documentation page for details on how to register a web application in Azure).
For the purposes of authentication, an Application Registration acts as an Azure Service Principal (an Azure security identity) with assigned permissions; applications authenticate as that identity when accessing Azure Resources.
There will be an Application (Client) ID and Directory (Tenant) ID associated with this new Application Registration that you will be providing as part of the Guided Setup step outlined in the C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
(i) Log into the Azure Portal using your Azure Account
(ii) Navigate to App Registrations
(iii) Click on New Registration to bring up the Register an Application Form shown below:
(iv) Provide a name like e.g. Azure Service Graph Connector in the Name Field (to represent the Azure Service Graph Connector that will be authenticating with Azure when accessing your Azure Resources) and click on Register.
(v) Make note of the Application (Client) ID and Directory (Tenant) ID shown in the Application Registration Overview Screen for later use in the Guided Setup step outlined in the C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
2. *Create a Client Secret Key for the Registered Application
*This step can only be performed by your Azure Administrator
In this Step you will be creating a new Client Secret Key for your newly Registered Application e.g. Azure Service Graph Connector. This will be provided along with the Application (Client) ID and Directory (Tenant) ID from the above step as part of the Guided Setup step outlined in the C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
(i) Navigate down to Certificates & Secrets under the Manage menu associated with your newly Registered Application
(ii) Click on the New Client Secret to bring up the Add a Client Secret Screen
(iii) Populate the Add a Client Secret Screen as indicated below:
Description Field: Populate with the Client Secret Name that you want to associate with your Client Secret.
Expires Field: Select an option from the Expires Pulldown Menu to specify when you want your Client Secret to expire.
(iv) Click on the Add Pushbutton to save your Client Secret and go back to the Certificates and Secrets Screen
(v) Make note of the Client Secret Value shown for your New Client Secret on this screen for later use in Guided Setup.
3. *Assign Delegated API Permissions to the Registered Application
*This step can only be performed by your Azure Administrator
In this Step you will be assigning Microsoft Graph API User.Read and Log Analytics Data.Read Delegated Permissions to your newly Registered Application e.g. Azure Service Graph Connector (Please refer to these Microsoft Understanding delegated access and Scopes and permissions in the Microsoft identity platform Documentation Pages for more details on Azure API Permissions).
(i) Navigate down to API Permissions under the Manage menu associated with your newly Registered Application
(ii) Click on Add Permission to bring up the Request API Permissions Screen
(iii) Click on the Microsoft Graph Tile shown on the Microsoft APIs Tab (the default Tab on this screen) to select the Microsoft Graph API
(iv) Click on the Delegated Permission Tile under the What type of permissions does your application require? question that is displayed to bring up the list of available Delegated Permissions for this API.
(v) Scroll down to the Users category in this list and expand it to see the list of available Permissions in this Category
(vi) Select the User.Read Delegated Permission shown under this Users Category
(vii) Click on the Add Permissions Pushbutton on this screen to add this Permission to your Registered Application e.g. Azure Service Graph Connector.
(viii) Navigate to the APIs my organization uses Tab on this same Request Permissions Screen.
(ix) Click on the Log Analytics API shown on this APIs my organization uses Tab
(x) Click on the Delegated Permission Tile under the What type of permissions does your application require? question that is displayed to bring up the list of available Delegated Permissions.
(xi) Expand the Data category shown in this list.
(xii) Select the Data.Read Delegated Permission shown under this Data Category
(xiii) Click on the Add Permissions Pushbutton on this screen to add this Permission to your Registered Application e.g. Azure Service Graph Connector.
4. *Add Application Registration\Service Principal to the Reader Role associated with your Azure Subscription
*This step can only be performed by the owner of the Azure Subscription
In this step you will be assigning your Application Registration\Service Principal e.g. Azure Service Graph Connector to the Reader Role associated with the Azure Subscription containing your Azure Resources.
(i) Navigate to your Azure Subscription and open it
(ii) Navigate down to Access Control (IAM) from the Subscription Menu associated with your Subscription
(iii) Click on Add\Add Role Assignment to bring up the Add Role Assignment screen
(iv) Highlight the 1st Reader Role row in the Role Tab on this screen to select it.
(v) Navigate to the Member Tab and leave the Assign access to User, group, or service principal Radio Button selected as shown in the below screen shot.
(vi) Click on Select Members to bring up the Select Members Screen
(vii) Pick your newly Registered Application\Service Principal e.g. Azure Service Graph Connector as a Member to be added to the Reader Role associated with your Subscription as shown in the below screen shot.
(viii) Click on the Select Pushbutton to save your assignment
(ix) Click on the Review + Assign Pushbutton (shown as enabled once a Member has been selected) on the Add Role Assignment screen to add your newly Registered Application\Service Principal e.g. Azure Service Graph Connector to the Reader Role associated with your Subscription. This will allow your newly Registered Application\Service Principal to access the Resources in your Subscription via the APIs whose Permissions were granted to your Registered Application\Service Principal in the previous step.
Creating Azure Log Analytics Workspace
5. Create Azure Log Analytics Workspace
In this step you will be creating an Azure Log Analytics Workspace that will be used for capturing data generated by the below Azure Monitoring Agent Extensions installed on the Windows VM to be monitored, e.g. WinServer2019VM. More specifically it will be used for capturing CI Change data as well as CI Process and TCP Connection data generated by the below Azure Monitoring Agent Extensions.
- ChangeTracking-Windows - Needed for Enabling Software Application Data Collection
The Azure Log Analytics Workspace contains ConfigurationData and ConfigurationChange Tables that the ChangeTracking-Windows Extension (installed on the Windows VM) writes CI Change data to, including what Software Applications are installed on the CI.
- DependencyAgentWindows - Needed for Enabling Process & TCP Connection Data Collection
The Azure Log Analytics Workspace contains VMProcess and VMConnection Tables that the DependencyAgentWindows Extension (installed on the Windows VM) writes CI Process and TCP Connection data to respectively.
(i) Navigate to Log Analytics Workspaces in your Azure Subscription
(ii) Click Create to bring up the Create Log Analytics workspace Screen
(iii) Create Log Analytics workspace Screen
Subscription Field - Ensure that it is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
Resource Group Field - If you have not yet created a Resource Group click on Create New to create a new one e.g. AzureSGCResourceGroup.
Note: The Resource Group that you chose for your Log Analytics Workspace does not have to be the same as the Resource Group associated with your Virtual Machines.
Name Field - Populate with a Name for your new Log Analytics Workspace e.g. AzureServiceGraphConnector-LogAnalytics (it will be capturing Process & TCP Connection CI data as well as CI Change data)
Region Field - Specify the Region that you want to store your Log Analytics Workspace in e.g. East US
Note: The Region that you specify for your Log Analytics Workspace does not have to be the same as the Region that your Virtual Machines are in.
(iv) Click on Review & Create, Create to Create the new Log Analytics Workspace
(v) Click on the Go to Resource Push Button that appears when the Workspace is successfully created to bring you to the Workspace Overview Screen
(vi) Make note of the Workspace ID shown on this screen. You will be providing it in the Create Connection for the Software Import section of the Guided Setup step outlined in the C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance Section further down.
(vii) Make note of the Location shown on this screen. You will be providing this as the Workspace Location Parameter in the 7. Create Processes and TCP Connections Data Collection Rule Step further down.
(viii) Click on the JSON View link shown to the right of the Workspace Overview Screen
(ix) Make note of the Resource ID shown at the top of the Resource JSON Screen displayed. You will be providing this as the Workspace Resource ID parameter in the next 6. Create Change Tracking and Inventory Data Collection Rule and 7. Create Processes and TCP Connections Data Collection Rule steps.
Creating Azure Data Collection Rules
In Azure, Data Collection Rules define what data should be collected by Azure Monitoring Agents, how it should be processed and where the processed data should be sent (Please refer to the Microsoft Data collection rules (DCRs) in Azure Monitor and Azure Monitor Overview Documentation pages for more details). The steps below outline how to create the below Data Collection Rules that will be used for processing the data collected by the ChangeTracking-Windows and DependencyAgentWindows Extensions referenced in the above 5. Create Azure Log Analytics Workspace step.
- Change Tracking and Inventory - DCR Rule for ChangeTracking-Windows Extension - Needed for Enabling Software Application Data Collection
- Processes and TCP Connections - DCR Rule for DependencyAgentWindows Extension - Needed for Enabling Process & TCP Connection Data Collection
6. Create Change Tracking and Inventory Data Collection Rule - Enabling Software Application Data Collection step
The Change Tracking and Inventory Data Collection Rule will be used for processing Software Inventory Change Data that is captured by the ChangeTracking-Windows Extension installed on your Windows Virtual Machines.
(i) Follow the steps outlined in the Create data collection rule section of the Microsoft Azure Enable Change Tracking and Inventory using Azure Monitoring Agent Documentation Page in order to create the Change Tracking and Inventory Data Collection Rule, paying particular attention to the points below.
Custom deployment > Basics Tab outlined in Step 6 of this Create data collection rule section in the Microsoft Azure Enable Change Tracking and Inventory using Azure Monitoring Agent Documentation Page.
Subscription Field - Populate with your Subscription (The one containing the Log Analytics Workspace that you created in Step 5. Create Azure Log Analytics Workspace above)
Resource Group Field - Populate with the Resource Group that you want to contain your Change Tracking and Inventory Data Collection Rule.
Region Field - Populate with the Region associated with the Log Analytics Workspace that you created in Step 5. Create Azure Log Analytics Workspace above.
Data Collection Rule Name Field - You can leave as the prepopulated Microsoft-CT-DCR default value or you can specify your own Change Tracking and Inventory Data Collection Rule Name.
Workspace Resource ID Field - Populate with the Workspace Resource ID value that you recorded in (ix) of the above 5. Create Azure Log Analytics Workspace step.
You should have a newly created Change Tracking and Inventory Data Collection Rule e.g. Microsoft-CT-DCR at the end of this step that will be used by Azure Monitor for collecting Software Inventory Change data from your Virtual Machines.
(ii) Navigate to the new Change Tracking and Inventory Data Collection Rule e.g. Microsoft-CT-DCR and open it.
(iii) Click on the JSON View link to the right of the Data Collection Rule Overview Screen to bring up the Resource JSON Screen for this Data Collection Rule.
(iv) Make Note of the Data Collection Rule Resource ID displayed at the top of the Resource JSON screen. This will be provided as one of the Parameters in the 8. Assign [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription step further down.
7. Create Processes and TCP Connections Data Collection Rule - Enabling Process & TCP Connection Data Collection step
The Processes and TCP Connections Data Collection Rule will be used for processing Process and TCP Connection Data that is captured by the DependencyAgentWindows Extension installed on your Windows Virtual Machines.
(i) Download the DeployDcr.zip zip file by clicking on the VM insights data collection rule template Link in the Create a VM insights DCR section of the Microsoft Enable VM Insights Documentation Page, and unzip it to a Directory of your choice on your Hard Disk.
(ii) Navigate to Deploy a Custom Template in your Azure Portal to bring up the Custom Template Screen
(iii) Click on the Build your own template in the editor link on this screen to bring up the Azure Resource Manager template Editor
(iv) Click on the Load File link from this Editor and select the DeployDcrTemplate JSON file from the unzipped DeployDcr\PerfAndMapDcr Directory to load the PerfandMapDcr Template into this Editor
(v) Click on Save to save the Template and bring up the Custom Deployment Screen. Populate the Fields on this screen as indicated below:
Subscription - Ensure that it is prepopulated with your Subscription. If it's not, configure the Scope field and select your Subscription from the Subscription Pulldown Menu.
Resource Group - Populate with the Resource Group that you want to contain your Processes and TCP Connections Data Collection Rule.
Region - Ensure that it is prepopulated with the Region associated with your Log Analytics Workspace. If it's not, populate with the Region associated with the Log Analytics Workspace that you created in Step 5. Create Azure Log Analytics Workspace above.
Workspace Resource ID - Populate with the Workspace Resource ID value that you recorded in (ix) of the 5. Create Azure Log Analytics Workspace step.
Workspace Location - Populate with the Location value that you recorded in (vii) of the 5. Create Azure Log Analytics Workspace step.
User Given Dcr Name - You can leave as the prepopulated ama-vmi-default-perfAndda-dcr.
Note: The User Given Dcr Name will be concatenated with a MSVMI-PerfandDa Prefix to form the full MSVMI-PerfandDa-ama-vmi-default-perfAndda-dcr Data Collection Rule Name that Azure assigns to it when it is created.
(vi) Click on Review + Create, Create to create the new MSVMI-PerfandDa-ama-vmi-default-perfAndda-dcr Data Collection Rule.
(vii) Navigate to the new Processes and TCP Connections Data Collection Rule e.g. MSVMI-PerfandDa-ama-vmi-default-perfAndda-dcr and open it.
(viii) Click on the JSON View link to the right of the Data Collection Rule Overview Screen to bring up the Resource JSON Screen for this Data Collection Rule.
(ix) Make Note of the Data Collection Rule Resource ID displayed at the top of the Resource JSON screen. This will be provided as one of the Parameters in the 9. Assign Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative to your Subscription step further down.
Assigning Azure Policy Initiatives to your Subscription
In Azure, Policy Initiatives allow you to apply Policy Enforcement on Azure Resources at scale, where an Azure Policy Initiative is a collection of related Azure Policies grouped together (please refer to the Microsoft What is Azure Policy? Documentation Page for more information on Azure Policies). The steps below outline how to assign the below Azure Policy Initiatives to your Subscription.
- [Preview]: Enable ChangeTracking and Inventory for virtual machines - Policy Initiative for ensuring that the ChangeTracking-Windows Extension is installed on all Azure Virtual Machines (Needed as part of Software Application Data Collection)
- Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) - Policy Initiative for ensuring that the DependencyAgentWindows Extension is installed on all Azure Virtual Machines (Needed as part of Process and TCP Data Collection)
8. Assign [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription - Enabling Software Application Data Collection step
(i) Navigate to Policy in Azure
(ii) Navigate to Authoring\Definitions in the Policy Menu
(iii) Search for the [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative in the Policy Definitions List that is displayed.
(iv) Open the [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative to bring up its Initiative Definition Screen.
(v) Click on Assign Initiative from the Initiative Definition Screen to bring up the Assign Initiative Screen
(vi) Ensure that the Scope Field on the Basics Tab on this screen is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
(vii) Navigate to the Parameters Tab and populate the fields on this Tab as specified below:
Bring Your Own User-Assigned Managed Identity - False
Data Collection Rule Resource Id - Populate with the Data Collection Rule Resource ID that you made note of in (iv) of the above 6. Create Change Tracking and Inventory Data Collection Rule step.
(viii) Click on the Review + Save, Save Pushbuttons to assign this [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription.
Having this Policy Initiative assigned to your Subscription will mean that for any new Windows Virtual Machines that you create in your Subscription, the AzureMonitorWindowsAgent and ChangeTracking-Windows Extensions will automatically be installed on them when they are created.
Note: The enforcement of the Policies in this [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative is applied asynchronously, meaning that you need to allow some time before checking to see if the AzureMonitorWindowsAgent and ChangeTracking-Windows Extensions have been installed on any new Windows VMs that you create.
9. Assign Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative to your Subscription - Enabling Process and TCP Data Collection step
(i) Navigate to Policy in Azure
(ii) Navigate to Authoring\Definitions in the Policy Menu
(iii) Search for the Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative in the Policy Definitions List that is displayed.
(iv) Open the Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative to bring up its Initiative Definition Screen.
(v) Click on Assign Initiative from the Initiative Definition Screen to bring up the Assign Initiative Screen
(vi) Ensure that the Scope Field on the Basics Tab on this screen is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
(vii) Navigate to the Parameters Tab and turn off the only show parameters that need input or review checkbox to display all Parameters on this Tab. Populate the fields on this Tab as specified below:
Enable Processes and Dependencies - True
Bring Your Own User-Assigned Managed Identity - False
VMI Data Collection Rule Resource Id - Populate with the Data Collection Rule Resource ID that you made note of in (ix) of the above 7. Create Processes and TCP Connections Data Collection Rule step.
*Optional: List of VM images that have supported Windows/Linux OS to add to scope - Populate these fields with the Resource Ids of the Images used to deploy Virtual Machines.
*This is only required if the Images are non-standard images (i.e. custom built images, Golden images from a CCOE team, or other non-Marketplace images). The Resource Ids should be in one of the following formats:
- /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Compute/images/<imageName>
- /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Compute/galleries/<galleryName>/images/<imageName>
- /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Compute/galleries/<galleryName>/images/<imageName>/versions/<version>
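A mistyped image Resource Id in these optional parameters silently leaves VMs built from that image outside the initiative's scope, so it is worth validating the list before pasting it into the Parameters Tab. The script below is an added example (not code from the article, from ServiceNow or from Microsoft) that checks each id against the three accepted formats and rejects anything else, including ids that point at a different resource type or whose subscription segment is not a GUID. The sample ids, the placeholder subscription GUID and the resource names are constructed.

```python
import re
from typing import Optional

# Added example, not part of the article or the connector. Validates that each
# image Resource Id passed to the optional "List of VM images ..." parameters
# matches one of the three formats the initiative accepts, and reports the rest.
_SEG = r"[^/]+"
_PREFIX = (
    rf"^/subscriptions/(?P<subscriptionId>{_SEG})"
    rf"/resourceGroups/(?P<resourceGroupName>{_SEG})"
    r"/providers/Microsoft\.Compute/"
)
# The three accepted shapes: managed image, gallery image, gallery image version.
IMAGE_ID_PATTERNS = {
    "managed_image": re.compile(
        _PREFIX + rf"images/(?P<imageName>{_SEG})$", re.IGNORECASE),
    "gallery_image": re.compile(
        _PREFIX + rf"galleries/(?P<galleryName>{_SEG})/images/(?P<imageName>{_SEG})$",
        re.IGNORECASE),
    "gallery_image_version": re.compile(
        _PREFIX + rf"galleries/(?P<galleryName>{_SEG})/images/(?P<imageName>{_SEG})"
        rf"/versions/(?P<version>{_SEG})$", re.IGNORECASE),
}
# Azure subscription ids are GUIDs; anything else is a typo or copy/paste error.
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def classify_image_resource_id(resource_id: str) -> Optional[dict]:
    """Return the parsed segments plus a 'kind' key, or None if not a valid image id."""
    candidate = resource_id.strip()
    for kind, pattern in IMAGE_ID_PATTERNS.items():
        match = pattern.match(candidate)
        if match:
            parts = match.groupdict()
            if not _GUID.match(parts["subscriptionId"]):
                return None
            return {"kind": kind, **parts}
    return None


def validate_image_scope_list(resource_ids):
    """Split a list of ids into (accepted parsed dicts, rejected raw strings)."""
    accepted, rejected = [], []
    for rid in resource_ids:
        info = classify_image_resource_id(rid)
        if info is None:
            rejected.append(rid)
        else:
            accepted.append(info)
    return accepted, rejected


# Constructed sample input: placeholder subscription GUID, made-up names.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_RG = "/resourceGroups/AzureSGCResourceGroup/providers/Microsoft.Compute/"
SAMPLE_IMAGE_IDS = [
    _SUB + _RG + "images/win2019-golden",
    _SUB + _RG + "galleries/ccoeGallery/images/win2019-hardened",
    _SUB + _RG + "galleries/ccoeGallery/images/win2019-hardened/versions/1.0.3",
    _SUB + _RG + "virtualMachines/WinServer2019VM",          # a VM, not an image
    "/subscriptions/not-a-guid" + _RG + "images/win2019-golden",  # bad subscription
]

if __name__ == "__main__":
    ok, bad = validate_image_scope_list(SAMPLE_IMAGE_IDS)
    for info in ok:
        print(f"accepted {info['kind']}: {info['imageName']}")
    for rid in bad:
        print(f"rejected: {rid}")
```

Run it against the ids you intend to paste into the parameter fields; only the accepted ones should go into the initiative, and each rejected line should be traced back to its source before the initiative is saved.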
(viii) Click on the Review + Save, Save Pushbuttons to assign this Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative to your Subscription.
Having this Policy Initiative assigned to your Subscription will mean that for any new Windows Virtual Machines that you create in your Subscription, the DependencyAgentWindows Extension will automatically be installed on them when they are created.
Note: The enforcement of the Policies in this Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative is applied asynchronously, meaning that you need to allow some time before checking to see if the DependencyAgentWindows Extension has been installed on any new Windows VMs that you create.
Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on New Azure Windows Virtual Machines
10. Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on New Azure Windows Virtual Machines, e.g. WinServer2019VM
In this step you will be creating a New Windows Virtual Machine and verifying that the Azure Monitoring Agent and related Extensions are installed on it.
(i) Navigate to Virtual Machines
(ii) Click on Create, Azure Virtual Machine to bring up the Create a virtual machine Screen
(iii) Populate the fields on this Screen as indicated below:
Subscription - Ensure that it is prepopulated with your Subscription. If it's not, select your Subscription from the Subscription Pulldown Menu
Resource Group Field - Populate with the Resource Group that you want this VM to be created in e.g. AzureSGCResourceGroup.
Note: The Resource Group does not have to be the same as the Resource Group that the Log Analytics Workspace is created in.
Virtual Machine Name - Populate with a Name like e.g. WinServer2019VM
Region - Populate with the Region that you want the VM to be created in e.g. (US) East US.
Note: The Region does not have to be the same as the Region that the Log Analytics Workspace is created in.
Image - Select any Windows Server Image like e.g. Windows Server 2019 Data Center
Admin Account User Name - Provide an Admin Account User Name
Admin Account Password - Provide an Admin Account Password
(iv) Click on Review+Create, Create to Create the new Windows Virtual Machine
(v) After some time (approx 1 hr) navigate to the newly created Windows Virtual Machine
(vi) Navigate down to the Extensions + Applications section of the Properties Tab that is displayed for the new Windows Virtual Machine.
(vii) Verify that the below Azure Extensions are shown as installed on the new Windows Virtual Machine as shown in the below screenshot:
Note: If you find that your VM has the deprecated MicrosoftMonitoringAgent extension installed, please reach out to your Azure administrator. There may be an Automation Account or Policy configured to deploy the MicrosoftMonitoringAgent. This should be disabled as part of the migration to the Azure Monitoring Agent and related extensions.
(viii) Navigate to the Capabilities Tab
(ix) Verify that the VM Insights Capability is shown as being enabled on the new Windows Virtual Machine as shown in the below screenshot:
Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on already existing Azure Windows Virtual Machines
11. Verifying that the Azure Monitoring Agent and related Extensions are automatically installed on already existing Azure Windows Virtual Machines
In this step you will be checking to see that the Azure Monitoring Agent and related Extensions were automatically installed on already existing Windows Virtual Machines.
(i) Navigate to Policy in Azure
(ii) Navigate to Compliance in the Policy Menu to bring up the Policy Compliance Screen. The Policy Compliance Screen lists all Assigned Policies associated with your Azure Tenant along with their Compliance State. The [Preview]: Enable ChangeTracking and Inventory for virtual machines and Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiatives, which you assigned in steps 8. Assign [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiative to your Subscription and 9. Assign Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative to your Subscription respectively, should be included in this list. The below screen shot shows an example Policy Compliance Screen that includes these two Policy Initiatives (highlighted in yellow).
(iii) Click into any of these Policy Initiatives that are shown as Non-Compliant in this List, like the Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative shown in the above screen shot, to bring up its Policy Initiative Compliance Screen.
The screen shot below shows the Policy Initiative Compliance Screen for the Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) Policy Initiative.
The Policy Initiative Compliance Screen lists all the Policies in the Initiative along with their Compliance State.
(iv) Pick a Non Compliant Policy listed on this screen, like the Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint one highlighted in the above screen shot and Click into it to bring up the Resource Compliance Screen for that Policy.
The screen shot below shows the Resource Compliance Screen for the Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Policy.
The Resource Compliance screen lists all the Resources associated with the Policy along with their Compliance State.
(v) Click on the Create remediation task action shown at the top of the Resource Compliance screen to bring up the New Remediation Task Screen for that Policy like the one shown in the below screenshot.
All Non Compliant Resources are listed under the Applicable resources to remediate List on this screen, like the one shown in the above screenshot.
(vi) Click on the Re-evaluate resource compliance before remediating checkbox
(vii) Click on the Remediate Pushbutton on this screen to trigger Remediation of this Policy for all the Non Compliant Resources listed under the Applicable resources to remediate List.
(viii) Repeat steps (iii),(iv),(v),(vi) & (vii) for all Non-Compliant Policies in the Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) and [Preview]: Enable ChangeTracking and Inventory for virtual machines Policy Initiatives.
(ix) After some time (approx 1 hour) navigate to the VMs that were shown as Non-Compliant in the Resource Compliance screen associated with the Non-Compliant Policies to confirm that all 3 Extensions were installed, i.e. the AzureMonitorWindowsAgent, ChangeTracking-Windows and DependencyAgentWindows Extensions.
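Steps 10 and 11 verify the extension state one VM at a time in the portal. When many VMs are in scope, the same check is easier to run over an exported extension inventory. The script below is an added example (not code from the article, from ServiceNow or from Microsoft) that reports, per VM, which of the three required Extensions are missing, which are present but not yet provisioned successfully (remediation is asynchronous), and whether the deprecated MicrosoftMonitoringAgent is still installed. The record shape, a name plus a provisioningState per extension, is an assumption modelled on what the Extensions + Applications view shows; the inventory itself is constructed.

```python
# Added example, not part of the article or the connector. Checks each VM's
# extension inventory against the three Extensions the article expects and
# flags the deprecated MicrosoftMonitoringAgent. The record shape
# ({"name": ..., "provisioningState": ...}) is an assumption; adapt it to
# whatever export you produce from the portal or CLI.
REQUIRED_EXTENSIONS = frozenset({
    "AzureMonitorWindowsAgent",
    "ChangeTracking-Windows",
    "DependencyAgentWindows",
})
DEPRECATED_EXTENSIONS = frozenset({"MicrosoftMonitoringAgent"})


def check_vm_extensions(vm_name, extensions):
    """Return a finding for one VM: what is missing, not yet succeeded, or deprecated."""
    by_name = {ext["name"]: ext.get("provisioningState") for ext in extensions}
    present = set(by_name)
    succeeded = {name for name, state in by_name.items() if state == "Succeeded"}
    missing = sorted(REQUIRED_EXTENSIONS - present)
    # Present but not provisioned successfully: policy remediation is applied
    # asynchronously, so these may simply need more time, or may have failed.
    not_succeeded = sorted((REQUIRED_EXTENSIONS & present) - succeeded)
    deprecated = sorted(DEPRECATED_EXTENSIONS & present)
    return {
        "vm": vm_name,
        "missing": missing,
        "not_succeeded": not_succeeded,
        "deprecated": deprecated,
        "compliant": not (missing or not_succeeded or deprecated),
    }


def non_compliant_vms(inventory):
    """inventory: {vm_name: [extension records]} -> findings for VMs needing attention."""
    findings = [check_vm_extensions(vm, exts) for vm, exts in inventory.items()]
    return [f for f in findings if not f["compliant"]]


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = {
    "WinServer2019VM": [
        {"name": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded"},
        {"name": "ChangeTracking-Windows", "provisioningState": "Succeeded"},
        {"name": "DependencyAgentWindows", "provisioningState": "Succeeded"},
    ],
    "legacy-vm-01": [
        {"name": "MicrosoftMonitoringAgent", "provisioningState": "Succeeded"},
        {"name": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded"},
    ],
    "new-vm-02": [
        {"name": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded"},
        {"name": "ChangeTracking-Windows", "provisioningState": "Creating"},
        {"name": "DependencyAgentWindows", "provisioningState": "Succeeded"},
    ],
}

if __name__ == "__main__":
    for finding in non_compliant_vms(SAMPLE_INVENTORY):
        print(finding)
```

A VM that shows up with a deprecated entry is the case the Note under step 10 describes: something other than these two Policy Initiatives is still deploying the MicrosoftMonitoringAgent and needs to be found and disabled, while a VM with only not_succeeded entries is usually just waiting on remediation and should be rechecked later.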
B. Analyze your Windows VM in Azure
The data associated with your Windows VM is provided by the following Azure Modules within the Azure Portal:
- Azure Virtual Machines - Detailed CI Data
- Azure Change Tracking & Inventory - Installed Software Applications & CI Changes
- Azure VM Insights - CI Processes and TCP Connections
Azure Virtual Machines
(i) Log into your Azure Account
(ii) Switch to the Subscription that contains your Windows Virtual Machines
(iii) Navigate to Virtual Machines to see the list of Windows Virtual Machines associated with your Subscription like the one shown in the below screen shot:
(iv) Click on any of the Virtual Machines in this list, e.g. the WinServer2019VM Virtual Machine, to bring up the Virtual Machine Menu associated with that Virtual Machine.
(v) Navigate to the Overview Menu Option (shown by default) and click on it to bring up the Overview Screen showing details for that VM. The top half of the screen shows the Key Attributes associated with the VM like e.g. Operating System, Size, Location, IP Address along with any Tags that may be associated with the VM while the bottom half of the Screen is Tabbed with the Properties Tab being displayed by default.
The below screenshot shows an example of this for the WinServer2019VM Virtual Machine that we are monitoring where the details associated with the WinServer2019VM Virtual Machine are displayed.
Tags
The Tags section of the Overview Screen shows any Tags that may be associated with the VM. The above Overview screenshot for the WinServer2019VM Virtual Machine shows the following 2 Tags that were added to this VM:
- Cloud Provider: Azure
- Instance Type: Windows
Networking
(vi) Scroll to the Networking Section of the Properties Tab to see the list of Network Interfaces associated with your VM. The below screenshot shows the winserver2019vm401_z1 Network Interface for our WinServer2019VM Virtual Machine along with its associated Public IP Address, Private IP Address and Virtual Network.
(vii) Click on the Network Interface link associated with your Virtual Machine to bring up the Network Interface Details screen for that Network Interface, with the below Network Interface details listed:
- Public IP Address
- Private IP Address
- Virtual Network/subnet
- Network Security Group
The below screen shot shows the Network Interface Details screen for the winserver2019vm401_z1 Network Interface with its associated Public IP Address, Private IP Address, Network Security Group and Virtual Network being shown.
(viii) Click on the Browser Back button to return to the Virtual Machine Overview Screen.
Size
(ix) Scroll to the Size Section of the Properties Tab to see the size associated with your VM. The below screenshot shows that our WinServer2019VM Virtual Machine was provisioned with a Standard DS1 v2 size configuration.
Source Image Details
(x) Scroll to the Source Image Details Section of the Properties Tab to see what Image your VM was provisioned from. The below screenshot shows that our WinServer2019VM Virtual Machine was provisioned from the Microsoft Windows 2019 Server Gen 2 Image.
Disk
(xi) Scroll to the Disk Section of the Properties Tab to see the Disks associated with your VM. The below screenshot shows that our WinServer2019VM Virtual Machine was provisioned with a Disk named WinServer2019VM_OsDisk_1_8b286f5f49de45018935ca624f3a2c43.
Change Tracking and Inventory
Software Installations
(i) Navigate to the Operations\Inventory Menu Option in the Virtual Machine Menu associated with your VM to bring up the list of Software Applications that are installed on your VM. The below screenshot shows the list of Software Applications (42) that are installed on our WinServer2019VM Virtual Machine.
The Software Installation data shown in this screen was captured by the ChangeTracking-Windows Extension installed on our WinServer2019VM Virtual Machine.
VM Insights
Running Processes
(i) Navigate to the Monitoring\Logs Menu Option in the Virtual Machine Menu associated with your VM to bring up a New Query Window (You may need to close a Query Hub Popup Window before you get to the New Query Window).
- You should see a VMProcess Table displayed under the Tables Tab of this Window like the one shown in the below screen shot:
(ii) Double click on the VMProcess Table in the Tables Tab to add the VMProcess Table to the Query.
(iii) Click on the Run Pushbutton at the top of the New Query Window to run the VMProcess query in order to see a list of the Running processes on your VM. The screenshot below shows the list of running processes on our WinServer2019VM Virtual Machine for a particular point in time (by default, all occurrences of Running Processes over the specified Time Range are shown).
The Running Process data shown in this screen was captured by the DependencyAgentWindows Extension installed on our WinServer2019VM Virtual Machine.
TCP Connections
(iv) Navigate to the Monitoring\Logs Menu Option in the Virtual Machine Menu associated with your VM to bring up a New Query Window (You may need to close a Query Hub Popup Window before you get to the New Query Window).
- You should see a VMConnection Table displayed under the Tables Tab of this Window like the one shown in the below screen shot:
(v) Double click on the VMConnection Table in the Tables Tab to add the VMConnection Table to the Query.
(vi) Click on the Run Pushbutton at the top of the New Query Window to run the VMConnection query in order to see a list of the TCP Connections on your VM. The screenshot below shows the list of TCP Connections on our WinServer2019VM Virtual Machine for a particular point in time (by default, all occurrences of TCP Connections over the specified Time Range are shown).
The TCP Connection data shown in this screen was captured by the DependencyAgentWindows Extension installed on our WinServer2019VM Virtual Machine.
C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance
(i) Login to your ServiceNow Instance
(ii) Install the following Application from the ServiceNow Store:
Service Graph Connector for Azure: sn_sg_azure_integ
The following Applications are automatically installed\activated when you install this application
- Discovery and Service Mapping Patterns: sn_itom_pattern
- Integration Commons for CMDB: sn_cmdb_int_util
- CMDB CI Class Model: sn_cmdb_ci_class
The following Plugins are automatically installed\activated when you install this application
- Discovery Core: com.snc.discovery.core
- Discovery - IP Based: com.snc.discovery.ip_based
- ITOM Discovery License: com.snc.itom.discovery.license (Included with full Discovery Product)
- ITOM Licensing: com.snc.itom.license
- Pattern Designer (NG version): com.snc.ng.pattern.designer
- ServiceNow IntegrationHub Action Template: com.glide.hub.action_type.datastream
(iii) Navigate to Setup under Azure in the Filter Menu
(iv) Go through all Guided Setup Steps as per the ServiceNow Documentation: Configure Service Graph Connector for Microsoft Azure
Create Connection for the Hardware Import
Your ServiceNow Instance will be authenticating against your Azure Account using an OAuth Token. You will be providing Azure OAuth Credential Details in the below Create or Edit Connection step of this Create Connection for the Hardware Import Guided Setup Section.
Create or Edit Connection
(i) Click on the Configure pushbutton for the Create or Edit Connection step to bring up the SG-Azure Hardware Connection Tile in Workflow Studio. The below screenshot shows the SG-Azure Hardware Connection Tile screen that you should expect to be brought to in Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure Hardware Connection then navigate to the Integrations Tab and click View Details on the SG-Azure Hardware Connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on Edit on the SG-Azure Hardware Connection Connection to bring up the below Dialog Box:
Connection name: Prepopulated with the "SG-Azure Hardware Connection" Name associated with the Connection Record in the Parent SG-Azure Hardware Connection Connection & Credential Alias.
Connection URL: Prepopulated with the Global https://management.azure.com Azure Management URL. Change this to a Scope specific Azure Management URL where required, e.g. https://management.microsoftazure.de/ for the German Azure Management URL.
OAuth client ID: Populate with the Client ID that was generated in the 1. Register Azure Service Graph Connector Application in Azure step of the above A. Set up Windows VM to be monitored in Azure Section.
OAuth client secret: Populate with the Client Secret that was generated in the 2. Create a Client Secret Key for the Registered Application step of the above A. Set up Windows VM to be monitored in Azure Section.
OAuth token URL: Replace the <tenantid> section of the Prepopulated OAuth Token URL with the Tenant ID that was noted in the 1. Register Azure Service Graph Connector Application in Azure step of the above A. Set up Windows VM to be monitored in Azure Section.
(iii) Click on the Edit and Get OAuth pushbutton to save the SG-Azure Hardware Connection Connection Credentials and go back to the original SG-Azure Hardware Connection screen.
The already existing SG-Azure Hardware Connection.Credential Credentials Record (associated with the Parent SG-Azure Hardware Connection Connection & Credential Alias) is updated with the OAuth Client ID, OAuth Client Secret, and OAuth token URL values specified.
(iv) Click on the View Connection Alias pushbutton on the SG-Azure Hardware Connection Screen to view the Parent SG-Azure Hardware Connection Connection & Credential Alias Record. The screen shot below shows the Parent SG-Azure Hardware Connection Connection & Credential Alias Record. Notice the SG-Azure Hardware Connection.Credential Credentials Record listed in the Connections Tab of this Parent SG-Azure Hardware Connection Connection & Credential Alias Record.
Note: Any Child Connection & Credential Aliases that may be created when you click on Add Connection from the SG-Azure Hardware Connection Screen for connecting to a different Log Analytics Workspace within the same Tenant will be associated with this Parent Connection & Credential Alias and shown in the Child Aliases Tab of this Record.
Test the connection
(i) Return to Guided Setup and Click on Configure to the right of Test the Connection to bring up the Hardware Type Connection Records in the SG-Azure Service Graph Connections[sn_sg_azure_integ_service_graph_connection] Table.
(ii) Select the SG-Azure Hardware Connection Record and click on the Test Connection Related link to Test the Connection
If the Connection is successful you will see a Success Information message at the top of the SG-Azure Service Graph Connections Screen and the Status Field associated with the Connection will change from Pending to Success as shown in the below screen shot.
Set up scheduled import jobs
Azure Service Graph Connector Hardware Scheduled Import Jobs will be run at the interval you specify to ingest data from all Azure Accounts that the Azure Service Graph Connector has Permissions for. The CMDB database on your ServiceNow Instance will be populated with this ingested data.
The Azure Service Graph Connector comes with 19 Out of the Box Hardware Data Sources and Scheduled Data Imports shown in the below screenshot. They are shown in the Order that they run in (You need to Personalize your List Columns to include the Order column).
Please refer to the ServiceNow Service Graph Connector for Microsoft Azure (1.10.0) Documentation Page for details on these Scheduled Import Jobs.
(i) Return to Guided Setup and Click on the Configure button for the Set up scheduled import jobs step to bring up the Inactive Scheduled Data Import SG-Azure Subscriptions Record associated with the Azure Service Graph Connector as shown in the below screen shot.
(ii) Turn on the SG-Azure-Subscriptions Scheduled Import Job (Parent Scheduled Import Job) job by changing the Active Field for this job from false to true as shown in the below screen shot.
(iii) The job is set to run Periodically by default. Specify at what Repeat Intervals that you want the Job to run.
Creating Multiple Hardware connections - Not a specific Guided Setup step but instructions on how to create multiple connections (i.e. for multiple Azure Tenants, multiple Service Principals, or to support multiple Log Analytic Workspaces)
For example, if you need to connect to more than one Azure Tenant like e.g. USGOV you can do this by creating a new Child SG-Azure Hardware Connection & Credential Alias that will be associated with the Parent SG-Azure Hardware Connection & Credential Alias. Please follow the steps outlined below for doing this:
(i) Return to Guided Setup and Click on the Configure button for the Create or Edit Connection step to bring up the SG-Azure Hardware Connection Tile in Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure Hardware Connection Tile then navigate to the Integrations Tab and click View Details on the SG-Azure Hardware Connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on the Add Connection Pushbutton on the SG-Azure Hardware Connection (Parent Connection & Credential Alias) Connection Tile to bring up the below Create Connection Dialog box:
Connection name: Enter a Name that will allow you to easily identify the Azure Tenant, Service Principal or Log Analytics Workspace that you are connecting to, e.g. USGOV. This Name will be used as part of the naming convention for the newly created Azure Connection Specific Hardware Data Sources & Scheduled Import Jobs as per below.
- Azure Connection Specific Data Sources: <Connection Name> - <Data Source Name>
- Azure Connection Specific Scheduled Import Jobs: <Connection Name> - <Import Job Name>
OAuth Client ID, OAuth client secret: Specify the Client ID and Client Secret associated with the Azure Tenant being connected to.
OAuth token URL: Replace the <tenantid> section of the URL with the Tenant ID associated with the Azure Tenant being connected to.
(iii) Click on Create and Get OAuth Token
- A new Child Connection & Credential Alias Record is created with the OAuth Client ID, OAuth Client secret and OAuth token URL values specified. This Child Connection & Credential Alias Record is associated with the Parent SG-Azure-Hardware Connection Connection & Credential Alias Record as shown in the below screen shot. We specified USGOV for our example so USGOV is shown as the Child Connection & Credential Alias below.
- A new set of Azure Connection specific Hardware Data Sources and Scheduled Imports are created that contain the Connection Name specified in the Create Connection Dialog Box. An example of Azure Connection specific Data Sources and Scheduled Imports that get created is shown below, where USGOV was used to identify your Azure USGOV Connection specific Scheduled Imports and Data Sources:
(iv) Return to Guided Setup and Click on Configure to the right of Set up scheduled import jobs to bring up the newly created Azure Connection Specific SG-Azure-Subscriptions Scheduled Import Job Record (Parent Scheduled Import Job) e.g. USGOV-SG-Azure-Subscriptions.
(v) Mark this job as Active
(vi) The job is set to run Periodically by default. Specify at what Repeat Intervals that you want the Job to run.
Create Connection for the Software Import
Your ServiceNow Instance will be authenticating against your Azure Account using an OAuth Token. You will be providing Azure OAuth Credential Details in the below Create or Edit Connection step of this Create Connection for the Software Import Guided Setup Section.
Create or Edit Connection
(i) Click on the Configure button for the Configure or Edit Connection step to bring up the SG-Azure log analytics connection Tile in Workflow Studio. The below screenshot shows the SG-Azure log analytics Connection Tile screen that you should expect to be brought to in Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure log analytics Connection then navigate to the Integrations Tab and click View Details on the SG-Azure log analytics Connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on Edit on the SG-Azure log analytics connection connection to bring up the below Dialog Box:
Software connection name: Prepopulated with the "SG-Azure log analytics Connection" Name associated with the Connection Record in the Parent SG-Azure log analytics connection Connection & Credential Alias.
Hardware connection name: Populate with the "SG-Azure Hardware Connection" Name associated with the Connection Record in the Parent SG-Azure Hardware Connection Connection & Credential Alias (specified in part (iii) of the Create or Edit Connection step under the above Create Connection for the Hardware Import sub section)
Connection URL: Prepopulated with the https://api.loganalytics.io/v1/workspaces/<workspace_id> Azure Log Analytics REST API URL. Replace the <workspace_id> section of the URL with the Workspace ID associated with the Log Analytics Workspace that you created in the 5. Create new Log Analytics Workspace step of the above A. Set up Windows VM to be monitored in Azure Section.
OAuth client ID: Populate with the Client ID that was generated in the 1. Register Azure Service Graph Connector Application in Azure step of the above A. Set up Windows VM to be monitored in Azure Section.
OAuth client secret: Populate with the Client Secret that was generated in the 2. Create a Client Secret Key for the Registered Application step of the above A. Set up Windows VM to be monitored in Azure Section.
OAuth token URL: Replace the <tenantid> section of the Prepopulated OAuth Token URL with the Tenant ID that was noted in the 1. Register Azure Service Graph Connector Application in Azure step of the above A. Set up Windows VM to be monitored in Azure Section.
(iii) Click on the Edit and Get OAuth button
- The already existing SG-Azure log analytics connection.Credential Credentials Record (associated with the Parent SG-Azure log analytics Connection & Credential Alias) is updated with the OAuth Client ID, OAuth Client Secret, and OAuth token URL values specified.
- The already existing SG-Azure log analytics connection Connection Record (associated with the Parent SG-Azure log analytics Connection & Credential Alias) is updated with the Connection URL value specified.
The screen shot below shows the Parent SG-Azure log analytics Connection & Credential Alias Record.
Note: Any Child Connection & Credential Aliases that may be created when you click on Add Connection from the SG-Azure log analytics connection (Parent Connection & Credential Alias) Screen (shown in step (ii) above) for connecting to a different Azure Tenant, Service Principal or Log Analytics Workspace will be associated with this Parent Connection & Credential Alias and shown in the Child Aliases Tab of this Record.
Test the connection
(i) Return to Guided Setup and Click on Configure to the right of Test the Connection to bring up the Software Type connections in the SG-Azure Service Graph Connections[sn_sg_azure_integ_service_graph_connection] Table.
(ii) Select the SG-Azure Log Analytics Connection Record and click on the Test Connection Related link to Test the Connection
If the Connection is successful you will see a Success Information message at the top of the SG-Azure Service Graph Connections Screen and the Status Field associated with the Connection will change from Pending to Success as shown in the below screen shot.
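The Create or Edit Connection steps above (for both the Hardware and the Software connections) and the VMProcess and VMConnection queries in the B. Analyze your Windows VM in Azure section all depend on the same three Azure endpoints: the OAuth token URL, the Azure Management URL and the Log Analytics REST API URL. The following Python script is an added example, not part of this article or of the ServiceNow connector; it exercises those endpoints directly with the same Client ID, Client Secret, Tenant ID and Workspace ID entered in the dialogs, so that a failing Test Connection can be narrowed down to the token request, the Azure Management call or the Log Analytics query. The environment variable names, the Microsoft Entra token URL, the 2020-01-01 api-version, the resource identifiers in the token requests and the VMProcess column names (Computer, ExecutableName) are assumptions; the Connection URLs and the table names are the ones on this page.

```python
"""Pre-check of the Azure endpoints the Service Graph Connector calls.

Added example, not part of the article or of the ServiceNow connector. It
performs the calls the connector depends on (OAuth token request, Azure
Resource Manager, Log Analytics query API) with the standard library only,
so a failing Test Connection can be diagnosed outside the instance.
"""
import json
import os
import urllib.parse
import urllib.request

# Assumption: the connector's prepopulated OAuth token URL is the standard
# Microsoft Entra v1 endpoint, with <tenantid> replaced by the tenant GUID.
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/oauth2/token"
ARM_URL = "https://management.azure.com"  # hardware Connection URL (global cloud)
LOG_ANALYTICS_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}"  # software Connection URL


def build_token_url(tenant_id: str) -> str:
    """Fill the <tenantid> placeholder, as the Create/Edit Connection dialog asks."""
    return TOKEN_URL_TEMPLATE.format(tenantid=tenant_id)


def build_query_url(workspace_id: str) -> str:
    """Query endpoint for one Log Analytics workspace (<workspace_id> filled in)."""
    return LOG_ANALYTICS_URL.format(workspace_id=workspace_id) + "/query"


def oauth_form(client_id: str, client_secret: str, resource: str) -> dict:
    """Client-credentials grant body; the v1 endpoint takes 'resource', not 'scope'."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": resource}


def latest_snapshot_query(table: str, computer: str, key: str) -> str:
    """KQL returning the newest row per `key` for one VM.

    The portal's default VMProcess/VMConnection query lists every sample in
    the time range; arg_max() reduces that to one row per process/connection,
    i.e. the point-in-time view the article describes.
    """
    safe_computer = computer.replace('"', "")  # keep the string literal well-formed
    return (f'{table} | where Computer == "{safe_computer}" '
            f"| summarize arg_max(TimeGenerated, *) by {key}")


def rows_as_dicts(result: dict) -> list:
    """Flatten the query API's tables/columns/rows layout into dicts."""
    out = []
    for table in result.get("tables", []):
        names = [col["name"] for col in table["columns"]]
        out.extend(dict(zip(names, row)) for row in table["rows"])
    return out


def get_token(tenant_id: str, client_id: str, client_secret: str, resource: str) -> str:
    """POST the client-credentials form and return the bearer token."""
    body = urllib.parse.urlencode(oauth_form(client_id, client_secret, resource)).encode()
    with urllib.request.urlopen(build_token_url(tenant_id), data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def arm_get(token: str, path: str) -> dict:
    """GET an Azure Resource Manager path with the bearer token."""
    req = urllib.request.Request(ARM_URL + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_query(token: str, workspace_id: str, kql: str, timespan: str = "PT1H") -> list:
    """POST a KQL query to the workspace and return the rows as dicts."""
    data = json.dumps({"query": kql, "timespan": timespan}).encode()
    req = urllib.request.Request(
        build_query_url(workspace_id), data=data, method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return rows_as_dicts(json.load(resp))


# Constructed sample response in the query API's layout, for offline checks.
SAMPLE_RESULT = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "ExecutableName", "type": "string"},
                {"name": "Computer", "type": "string"}],
    "rows": [["svchost", "WinServer2019VM"], ["lsass", "WinServer2019VM"]]}]}

if __name__ == "__main__":
    # Tenant, Client ID, Client Secret and Workspace ID come from the
    # environment (assumed names); the secret is never written into a script.
    tenant = os.environ["AZURE_TENANT_ID"]
    cid, secret = os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_CLIENT_SECRET"]
    wid = os.environ["LOG_ANALYTICS_WORKSPACE_ID"]
    # Assumption: resource identifiers for ARM and Log Analytics as below.
    arm_token = get_token(tenant, cid, secret, "https://management.azure.com/")
    subs = arm_get(arm_token, "/subscriptions?api-version=2020-01-01")
    print("subscriptions visible to the app:", [s["subscriptionId"] for s in subs["value"]])
    la_token = get_token(tenant, cid, secret, "https://api.loganalytics.io")
    kql = latest_snapshot_query("VMProcess", "WinServer2019VM", "ExecutableName")
    for row in run_query(la_token, wid, kql):
        print(row["ExecutableName"])
```

A failure at the token step means the Client ID, Client Secret or Tenant ID differs from what was registered in Azure; a 403 from either of the later calls means the token was issued but the App Registration lacks a role assignment (on the subscription for the Azure Management call, on the workspace for the Log Analytics query), which is the case the Test Connection link in Guided Setup cannot distinguish from bad credentials.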
Set up scheduled import jobs
Azure Service Graph Connector Software Scheduled Import Jobs will be run at the interval you specify to ingest data from all Azure Accounts that the Azure Service Graph Connector has Permissions for. The CMDB database on your ServiceNow Instance will be populated with this ingested data.
The Azure Service Graph Connector comes with the 3 Out of the Box Software Data Sources and Scheduled Data Imports shown in the below screenshot.
Note: The SG-Azure TCP Scheduled Import Job captures CI Process and TCP Connection data associated with the Azure VM's. Please refer to the ServiceNow Service Graph Connector for Microsoft Azure (1.10.0) Documentation Page for details on these Scheduled Import Jobs.
(i) Return to Guided Setup and Click on the Configure button to the right of the Set up scheduled import jobs step to bring up these Scheduled Data Import Records
(ii) Mark these jobs as Active
(iii) These jobs are set to run Periodically by default. Specify at what Repeat Intervals that you want the Job to run.
Creating Multiple Software connections - Not a specific Guided Setup step but instructions on how to create Multiple Software connections (i.e. for multiple Azure Tenants, multiple Service Principals, or to support multiple Log Analytic Workspaces)
For example, if you need to connect to more than one Azure Tenant like e.g. USGOV you can do this by creating a new Child SG-Azure log analytics Connection & Credential Alias that will be associated with the Parent SG-Azure log analytics Connection & Credential Alias. Please follow the steps outlined below for doing this:
(i) Return to Guided Setup and Click on the Configure button for the Create or Edit Connection step to bring up the Workflow Studio.
Note: If clicking on the Configure pushbutton brings you to the Workflow Studio Homepage instead of bringing you directly to the SG-Azure log analytics connection Tile then navigate to the Integrations Tab and click View Details on the SG-Azure log analytics connection (Parent Connection & Credential Alias) Connection Tile.
(ii) Click on the Add Connection pushbutton on the SG-Azure log analytics connection (Parent Connection & Credential Alias) Connection Tile to bring up the below Create Connection Dialog box:
Software connection name: Enter a Name that will allow you to easily identify the Azure Tenant, Service Principal or Log Analytics Workspace that you are connecting to and also allow you to identify the Scheduled Import Jobs that get created as Software Scheduled Import Jobs, e.g. USGOV-S. This Name will be used as part of the naming convention for the newly created Azure Connection Specific Software Data Sources & Scheduled Import Jobs as per below.
- Azure Connection Specific Data Sources: <Connection Name> - <Data Source Name>
- Azure Connection Specific Scheduled Import Jobs: <Connection Name> - <Import Job Name>
Hardware connection name: Specify the Connection Name associated with the Child Connection & Credential Alias that you would have already created for the Parent SG-Azure-Hardware Connection Connection & Credential Alias.
Note: There should always be a 1:1 Mapping for Hardware Connections to Software Connections.
Connection URL: Replace the <workspace_id> section of the URL with the Workspace ID associated with the Log Analytics Workspace in the Azure Tenant being connected to.
OAuth Client ID, OAuth client secret: Specify the Client ID and Client Secret associated with the Azure Tenant being connected to.
OAuth token URL: Replace the <tenantid> section of the URL with the Tenant ID associated with the Azure Tenant being connected to.
The screen shot below shows how you would populate this Dialog Box for creating the Software Scheduled Import Jobs associated with an e.g. USGOV Azure Tenant.
(iii) Click on Create and Get OAuth Token
- A new Child Connection & Credential Alias Record is created with the Connection URL, OAuth Client ID, OAuth Client secret and OAuth token URL values specified. This Child Connection & Credential Alias Record is associated with the Parent SG-Azure log analytics Connection Connection & Credential Alias Record as shown in the below screen shot. We specified USGOV-S as Software connection name for our example so USGOV-S is shown as the Child Connection & Credential Alias below.
- A new set of Azure Connection specific Software Data Sources and Scheduled Imports are created that contain the Software Connection Name specified in the Create Connection Dialog Box. An example of the Azure Connection Software Data Sources and Scheduled Imports that get created is shown below, where USGOV-S was used to identify your Azure Connection specific Software Scheduled Imports and Data Sources:
Note: The SG-Azure TCP Scheduled Import Job captures CI Process and TCP Connection data associated with the Azure VM's.
(iv) Return to Guided Setup and Click on the Configure button to the right of the Set up scheduled import jobs step to bring up these newly created Azure Connection Specific Software Scheduled Data Import Records
(v) Mark these jobs as Active
(vi) These jobs are set to run Periodically by default. Specify at what Repeat Intervals that you want the Job to run.
D. Run Azure Service Graph Connector Scheduled Data Import Jobs on your ServiceNow Instance
Before running these Scheduled Data Imports, I would recommend enabling CMDB 360 by setting the glide.identification_engine.multisource_enabled system property to True in System Properties.
Doing this allows the following for CI's that are Created\Updated by the Scheduled Data Import Jobs:
1. For CI's that have Reconciliation Rules, see Proposed Values for Lower Priority Discovery Sources that were Rejected
2. For CI's that allow more than 1 Discovery Source to update them (i.e. No Reconciliation Rules or Reconciliation Rules with same Priority), Identify the Source of an Attribute and see the Proposed Values for that Attribute from the other Discovery Sources.
Refer to the ServiceNow CMDB 360/Multisource CMDB Documentation page for more details.
(i) Navigate to Import Schedules under Azure in the Filter Menu. 22 OOTB Scheduled Data Imports should be listed, with all of them being marked Active as shown below. The Order Column shows the Order that the Import Jobs will run in (You need to Personalize your List Columns to include the Order column). Please refer to the ServiceNow Service Graph Connector for Microsoft Azure (1.10.0) Documentation Page for details on these Scheduled Import Jobs.
Note: It is recommended that you create an Azure Connection Specific Version of these Scheduled Data Imports as discussed in the Creating Multiple Hardware Connections and Creating Multiple Software Connections Guided Setup steps of the above C. Installing & Configuring Azure Service Graph Connector on your ServiceNow Instance section. There will be 22 Azure Connection Specific Scheduled Import Jobs created per Connection Specific Setup.
Open your SG-Azure Subscriptions Parent Scheduled Import job record and click on the Execute button
(ii) Navigate to Concurrent Import Sets in the Filter Menu.
- Wait for your Active Scheduled Data Import jobs to finish.
E. Analyze the CMDB Records created\updated by the Azure Service Graph Connector for your Windows VM in your ServiceNow Instance
There are 6 types of Records created by the Azure Service Graph Connector in the CMDB:
- CMDB CI[cmdb_ci] Records
- Software Installation[cmdb_sam_sw_install] Records - If Software Asset Management(SAM) enabled
- Software Instance[cmdb_software_instance] + Software Package[cmdb_ci_spkg] Records - If Software Asset Management(SAM) not enabled
- Running Process[cmdb_running_process] Records
- TCP Connection[cmdb_tcp] Records
- Key Value[cmdb_key_value] Records
- Serial Number[cmdb_serial_number] Records
CMDB CI Records
(i) Navigate to cmdb_ci.list in the Filter Menu
(ii) Group by Discovery Source
(iii) Navigate to the SG-Azure Discovery Source and double click on its Discovery source:SG-Azure(n) link where n represents the Number of CMDB records(entities) Created\Updated by the SG-Azure Service Graph Connector.
(iv) Group By Class
A List of CMDB CI Records Created\Updated by the SG-Azure Service Graph Connector will be displayed grouped by Class. The screen shot below shows the Class Records displayed in this Class List for the data that was ingested by the SG-Azure Service Graph Connector for our Azure Subscription that includes CI's associated with our WinServer2019VM Virtual Machine.
Note: For ServiceNow Instances that do not have Software Asset Management(SAM) enabled, you would see an extra Software Class listed for representing all the Software Package[cmdb_ci_spkg] Records that would have been populated by the SG-Azure Software Scheduled Data Import Job (referenced in the above C. Installing and Configuring Azure Service Graph Connector on your ServiceNow Instance section).
- The WinServer2019VM Windows Virtual Machine is listed as a Windows Server CI along with its associated WinServer2019VM Virtual Machine CI.
- The Cloud Mgmt Network Interface, Image and Storage Volume CI's associated with the WinServer2019VM Windows Server are shown. These were populated from the WinServer2019VM Virtual Machine Entity in Azure and its associated Network Interface Card, Image and Disk Entities described in the above B. Analyze your Windows VM in Azure section.
- The Public IP Address, Private IP Address, Cloud Network, Cloud Network Subnet and Cloud Security Group CI's associated with the WinServer2019VM Windows Server's winserver2019vm401_z1 Network Interface Card are shown. These were populated from the winserver2019vm401_z1 Network Interface Card details described in the Networking sub section of the above B. Analyze your Windows VM in Azure section.
- The Cloud Service Account CI associated with the Azure Subscription, that our WinServer2019VM Virtual Machine was provisioned in, is shown.
WinServer2019VM Windows Server
The screen shot below shows all the Windows Server Summary fields that were populated by the connector for the WinServer2019VM Windows Server CI created by the Azure Service Graph Connector.
Related Tabs
The screen shot below shows the Network Adapter(1) and CI IPs(1) Tabs that were populated with the winserver2019vm401_z1 Cloud Mgmt Network Interface Record and its associated Private IP Address Record (shown in the above cmdb_ci List screen shot). For example the winserver2019vm401_z1 Network Adapter shown can be seen for this WinServer2019VM Windows Virtual Machine under the Networking sub section of the above B. Analyze your Windows VM in Azure Section.
Note: The 24 Processes in the Running Process(24) Tab and the 14 TCP Connections in the TCP Connections(14) Tab were populated by the SG-Azure TCP Import job with the 41 Software Installed Records being populated by the SG-Azure Software Import Job.
Related Items
The screen shot below shows the Image and Storage Volume for the WinServer2019VM Windows Virtual Machine that came from the Azure Disk and Azure Image associated with WinServer2019VM as shown in the above B. Analyze your Windows VM in Azure Section.
Software Installation Records
Software Asset Management(SAM) enabled
For ServiceNow Instances that have Software Asset Management(SAM) enabled, the Software Install Records associated with Created\Updated Computer CI's will be ingested into the Software Installations[cmdb_sam_sw_install] Table.
Software Asset Management(SAM) not enabled
For ServiceNow Instances that do not have Software Asset Management(SAM) enabled, the Software Install Records associated with Created\Updated Computer CI's will be ingested into the Software Instances[cmdb_software_instance] Table along with associated Software Package Records being ingested into the Software Packages[cmdb_ci_spkg] Table.
Note: All that is needed to enable Software Asset Management is the free SAM Foundation plugin. Installing this plugin triggers the Software Install Records being populated into the Software Installations[cmdb_sam_sw_install] Table. Installing this free SAM Foundation plugin is a recommended Best Practice for customers that believe that they may be using Software Asset Management Professional (SAM Pro) in the future. These customers would then not have to migrate Software Records from the Software Instances[ cmdb_software_instance] Table to the Software Installations[cmdb_sam_sw_install] Table at the point in time that they would be installing Software Asset Management Professional (SAM Pro).
The Use Case outlined in this Article is for a ServiceNow Instance with Software Asset Management(SAM) enabled. To see the Software Install Records associated with Computer CI's that were Created\Updated by the SG-Azure Service Graph Connector, the steps below direct you to navigate to the Software Installations[cmdb_sam_sw_install] Table:
(i) Navigate to cmdb_sam_sw_install.list in the Filter Menu
(ii) Group by Discovery Source
(iii) Navigate to the SG-Azure Discovery Source and double click on its Discovery source:SG-Azure (n) link where n represents the Number of Software Install Records Created\Updated by the SG-Azure Service Graph Connector.
(iv) A List of Software Install Records Created\Updated by the SG-Azure Service Graph Connector will be displayed. The screen shot below shows the Software Install Records displayed in this List for the WinServer2019VM Windows Virtual Machine in our Azure Subscription.
Notice the 42 Records are shown at the bottom of the screen. This matches the Software Installations (42) count in the Software Installations Tab shown above for the WinServer2019VM Windows Server. It also matches the (42) count shown in the Azure Software Applications screen shot in the above B. Analyze your Windows VM in Azure Section for the WinServer2019VM Windows Virtual Machine.
Running Process Records
(i) Navigate to cmdb_running_process.list in the Filter Menu
(ii) Search for the Server, e.g. WinServer2019VM Windows Server, in the Computer column
(iii) A List of Running Process Records for the Server being searched e.g. WinServer2019VM will be displayed.
The Screen shot below shows the Running Process Records displayed in this List for our WinServer2019VM Windows Server.
Notice that 24 Records are shown at the bottom of the screen. This matches the Running Processes (24) count in the Running Processes Tab shown above for the WinServer2019VM Windows Server.
TCP Connection Records
(i) Navigate to cmdb_tcp.list in the Filter Menu
(ii) Search for your Windows Server, e.g. WinServer2019VM, in the Computer column
(iii) A List of TCP Connection Records for the Server searched for, e.g. WinServer2019VM, will be displayed.
The Screen shot below shows the TCP Connection Records displayed in this List for our WinServer2019VM Windows Server.
Notice that 14 Records are shown at the bottom of the screen. This matches the TCP Connections (14) count in the TCP Connections Tab shown above for the WinServer2019VM Windows Server.
Key Value Records
(i) Navigate to cmdb_key_value.list in the Filter Menu
(ii) For the Key Column filter on the Tags that you know are set up for your Virtual Machines in your Azure Subscription
The below screen shot shows all the Tags associated with the WinServer2019VM Virtual Machine in Azure. Notice how they are the same Tags that are shown for the WinServer2019VM Virtual Machine screen in the Tags sub section of the above B. Analyze your Windows VM in Azure Section.
Serial Number Records
(i) Navigate to cmdb_serial_number.list in the Filter Menu
(ii) A List of all the Serial Number Records in your ServiceNow Instance will be displayed
(iii) To see the Serial Number Records associated with any of your Virtual Machines from Azure, type its name into the Configuration Item Search Field in this list. The screen shot below shows the Serial Number Record associated with our WinServer2019VM Windows Server.
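The count checks in the Software Installation, Running Process and TCP Connection sub sections above (list count vs. the count on the Computer CI's related tab) can be scripted so they run for every SG-Azure VM rather than one VM at a time. The script below is an added example, not part of this Article or of the SG-Azure connector; it assumes the ServiceNow Aggregate REST API (/api/now/stats/{table}) and the default reference field names installed_on and computer on the three tables, and it uses a constructed stand-in for the HTTP call so it runs offline.

```python
"""Reconcile SG-Azure CMDB record counts for an Azure VM (added example)."""
import json
import urllib.parse

INSTANCE = "your-instance"  # assumption: placeholder instance name

# Child tables populated for a VM, keyed to the reference field that points at
# the Computer CI and the extra encoded-query term the Article filters on.
# Field names are assumptions based on the default CMDB schema.
TABLES = {
    "cmdb_sam_sw_install": ("installed_on", "discovery_source=SG-Azure^"),
    "cmdb_running_process": ("computer", ""),
    "cmdb_tcp": ("computer", ""),
}


def count_url(instance, table, vm_name):
    """Build an Aggregate API URL that counts rows referencing the named VM."""
    ref_field, prefix = TABLES[table]
    query = f"{prefix}{ref_field}.name={vm_name}"  # dot-walk to the CI name
    params = urllib.parse.urlencode({"sysparm_query": query, "sysparm_count": "true"})
    return f"https://{instance}.service-now.com/api/now/stats/{table}?{params}"


def parse_count(body):
    """Extract the row count from an Aggregate API JSON response body."""
    return int(json.loads(body)["result"]["stats"]["count"])


def reconcile_vm(vm_name, expected, fetch):
    """Compare the counts shown on the CI's related tabs (expected) with the
    API counts; return {table: (expected, observed)} for every mismatch."""
    mismatches = {}
    for table, want in expected.items():
        got = parse_count(fetch(count_url(INSTANCE, table, vm_name)))
        if got != want:
            mismatches[table] = (want, got)
    return mismatches


# Constructed offline stand-in for fetch(): canned responses per table, with
# cmdb_tcp deliberately one short so the reconciliation reports it.
SAMPLE_COUNTS = {"cmdb_sam_sw_install": 42, "cmdb_running_process": 24, "cmdb_tcp": 13}


def fake_fetch(url):
    table = url.split("/api/now/stats/")[1].split("?")[0]
    return json.dumps({"result": {"stats": {"count": str(SAMPLE_COUNTS[table])}}})


if __name__ == "__main__":
    # Tab counts for WinServer2019VM as shown in the Article's screen shots
    tabs = {"cmdb_sam_sw_install": 42, "cmdb_running_process": 24, "cmdb_tcp": 14}
    print(reconcile_vm("WinServer2019VM", tabs, fake_fetch))  # → {'cmdb_tcp': (14, 13)}
```

For a live check, replace fake_fetch with a function that issues an authenticated GET to the URL with urllib.request and returns the response body.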
F. When to use Azure Service Graph Connector vs Cloud Discovery
ITOM Visibility (Horizontal Discovery + Cloud Discovery) is the recommended solution for populating the CMDB with Cloud based Resources like Azure Virtual Machines etc. ITOM Visibility (Horizontal Discovery + Cloud Discovery) requires a MID Server with connectivity to the Hosts (including Cloud based Resources) being targeted for discovery.
When to use the Azure Service Graph Connector for Discovering your Azure Resources
You should use the Azure Service Graph Connector for Discovering your Azure Resources for the below Use Cases:
- You don't want to have a MID Server as a requirement for your overall Solution Architecture
- You don't want to (or can't) use ITOM Horizontal Discovery in your overall Solution Architecture.
- You don't want to (or can't) use Agent Client Collector for Visibility in your overall Solution Architecture.
- You want the below data to be populated in the Target CI's that get created:
  - Installed Software running on Azure Virtual Machines
  - Running Process & TCP Connections on Azure Virtual Machines
Cloud Discovery provides the ability to get High Level Azure Virtual Machine Metadata only. For cases where Horizontal Discovery and Agent Client Collector for Visibility are not options, but you need to get Installed Software, Running Process or TCP Connection data from your Azure Virtual Machines, then the Azure Service Graph Connector is recommended.
When to use ITOM Visibility (Horizontal Discovery + Cloud Discovery) for Discovering your Azure Resources
You should use ITOM Visibility (Horizontal Discovery + Cloud Discovery) for discovering your Azure Resources when you want the richest set of data in the CMDB, the most capabilities, and have the ability to obtain the necessary credentials and network connectivity.