Azure Application Security Group pattern-based discovery

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Azure Application Security Group pattern-based discovery

    The Azure Application Security Group pattern-based discovery enables ServiceNow customers to find and map Azure Application Security Groups within their cloud environments. This functionality is part of the Discovery and Service Mapping Patterns application and assists in populating detailed resource data into both Configuration Management Database (CMDB) and non-CMDB tables. It supports comprehensive visibility and management of Azure security groups, which is critical for maintaining cloud resource security and governance.

    Show full answer Show less

    Key Features

    • Pattern Activation: The Azure Application Security Group discovery pattern is disabled by default. Starting with Visibility Content version 6.28.0, enabling or disabling this pattern is no longer treated as a customization, allowing it to receive automatic updates while retaining activation status after upgrades.
    • Discovery Prerequisites: Customers must verify Microsoft Azure discovery prerequisites and configure Azure service accounts properly, especially when discovering Azure GovCloud (US) accounts, which require specific datacenter URLs.
    • Data Population: The discovery process populates detailed resource information in two types of tables:
      • Non-CMDB tables: Using the Azure - Application Security Group - Extended Inventory (LP) pattern, data such as location, object ID, provisioning state, resource group, subscription ID, tenant ID, and configuration item references is stored in the cmdbazureapplicationsecuritygroupapplicationsecuritygroup table.
      • CMDB tables: Corresponding cloud resource data like install status, location, name, object ID, operational status, and resource type is stored in the cmdbcicmpresource table, with the resource type set to microsoft.network/applicationsecuritygroups.
    • CI Relationships: The pattern establishes relationships between Azure Application Security Groups and other configuration items, such as resource groups, datacenters, and cloud resources, enhancing the CMDB’s relational accuracy.
    • Azure Tag Discovery: Tags associated with Azure resources are collected and stored in the cmdbkeyvalue table, enabling better categorization and filtering of resources via key-value pairs.

    Practical Considerations for ServiceNow Customers

    • Ensure the Discovery and Service Mapping Patterns application is updated to the latest version from the ServiceNow Store to access the newest Azure patterns.
    • Activate the Azure Application Security Group discovery pattern to begin capturing relevant security group data in your environment.
    • Configure discovery schedules carefully, particularly for GovCloud accounts, to ensure accurate and complete data collection.
    • Use the populated CMDB and non-CMDB tables to gain comprehensive insights into your Azure Application Security Groups, their statuses, relationships, and tags for effective cloud resource management.

    Discovery and Service Mapping Patterns finds Azure services on your cloud environment. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Pattern-based discovery and mapping requirements

    Verify the Microsoft Azure discovery prerequisites
    For more information, see the prerequisites section in Microsoft Azure Cloud discovery using patterns.
    Enable the relevant pattern
    The pattern for this service is disabled by default. Starting with Visibility Content version 6.28.0, activating or deactivating a pattern won't be considered a customization, and it will continue to receive updates. Patterns that were previously activated or deactivated will reset to the latest predefined version after upgrading while retaining the last active field value. For more information on enabling patterns, see Activate a disabled pattern.
    Configure the Discovery schedule to support GovCloud
    Discovering Azure GovCloud (US) accounts requires using a datacenter URL when setting up an Azure service account. For more information, see Set up Azure service accounts.

    Discovery and Service Mapping Patterns application populates data in both CMDB and non-CMDB tables.

    Data stored in non-CMDB tables

    Discovery and Service Mapping Patterns application populates data in the non-CMDB table when running the Azure - Application Security Group - Extended Inventory(LP) pattern.

    You can review the non-CMDB Azure tables by navigating to All > Configuration > Azure. You can also search the navigation filter for the specific pattern name.

    Table 1. Azure Application Security Group [cmdb_azure_application_security_group_application_security_group]
    Field Description
    Location [location] The geographical region where the resource is deployed.
    Object Id [object_id] The unique identifier for the resource in Azure.
    Provisioning State [provisioning_state] Current state of the provisioning process for the resource.
    Resource Group [resource_group] Name of the resource group.
    Subscription ID [subscription_id] The subscription ID.
    Tenant ID [tenant_id] The identifier for the tenant under which the resource belongs.
    Configuration Item [configuration_item] References the Cloud Resource [cmdb_ci_cmp_resource] table.

    Data stored in CMDB tables

    Discovery and Service Mapping Patterns application populates data in the CMDB when running the Azure - Application Security Group - Extended Inventory(LP) pattern.

    Table 2. Cloud Resource [cmdb_ci_cmp_resource]
    Field Description
    Install Status [install_status] Install status of the resource. Default value is Installed.
    Location [location] The geographical region where the resource is deployed.
    Name [name] The name of the resource.
    Object ID [object_id] The unique identifier for the resource in Azure.
    Operational status [operational_status] Operational status of the resource. Default value is Operational.
    Resource type [resource_type] Type of resource. The value is set to microsoft.network/applicationsecuritygroups.

    CI relationships

    The pattern creates these relationships to support discovery.

    CI Relationship CI
    Resource Group [cmdb_ci_resource_group] Contains::Contained by Cloud Resource [cmdb_ci_cmp_resource]
    Cloud Resource [cmdb_ci_cmp_resource] Hosted on::Hosts Azure Datacenter [cmdb_ci_azure_datacenter]
    Azure Application Security Group [cmdb_azure_application_security_group_application_security_group] References Cloud Resource [cmdb_ci_cmp_resource]

    Azure tag discovery

    The pattern collects tags and populates them in the Key Value [cmdb_key_value] table.
    Table 3. Key Value [cmdb_key_value]
    Field Description
    Key [key] Tag name.
    Value [value] Tag value.