Azure Web Application Firewall Policy pattern-based discovery

  • Release version: Zurich
  • Updated June 16, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Azure Web Application Firewall Policy pattern-based discovery

    The Azure Web Application Firewall (WAF) Policy pattern-based discovery enables ServiceNow customers to identify and map Azure WAF policies within their cloud environments using the Discovery and Service Mapping Patterns application. This helps maintain accurate and up-to-date configuration data in the Configuration Management Database (CMDB) and associated non-CMDB tables.

    Show full answer Show less

    This discovery requires adherence to Microsoft Azure discovery prerequisites and may involve updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Key Features

    • Pattern Activation: The Azure WAF Policy pattern is disabled by default. Activating or deactivating patterns in Visibility Content version 6.28.0 and above is not considered a customization and patterns reset to the latest version upon upgrade while retaining active state.
    • GovCloud Support: Discovery of Azure GovCloud (US) accounts requires configuring the Azure service account with the appropriate datacenter URL.
    • Data Population: The discovery populates detailed WAF policy data in both CMDB and non-CMDB tables, providing comprehensive visibility.
    • CMDB Tables: The pattern populates the Web ACL [cmdbciwebacl] table with key fields such as Object ID, Name, Location, Default Action (allow or detect), Install Status, Operational Status, and Description.
    • Non-CMDB Tables: Additional policy details are stored in the Azure Web Application Firewall Policy [cmdbazurewebapplicationfirewallpolicy] table, including Object Id, Kind, Azure region, Resource Group, Subscription Id, Tenant Id, Provisioning State, and Policy State.
    • Tag Discovery: Azure tags are collected during discovery and stored in the Key Value [cmdbkeyvalue] table for enhanced asset categorization and management.
    • CI Relationships: The pattern creates relationships linking WAF policies to related configuration items such as Cloud Load Balancers, Resource Groups, and Azure Datacenters, supporting comprehensive service mapping.

    Practical Application for ServiceNow Customers

    By using this pattern-based discovery, ServiceNow customers can automatically detect and track Azure Web Application Firewall policies, ensuring accurate CMDB data that supports security compliance, operational management, and cloud governance.

    Customers should verify Azure discovery prerequisites, enable the pattern as needed, and configure discovery schedules especially when working with Azure GovCloud environments. The discovery results enhance visibility into WAF policy states, deployment locations, and configurations, enabling informed decision-making and efficient incident or change management related to Azure web security policies.

    Discovery and Service Mapping Patterns finds Azure services on your cloud environment. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Pattern-based discovery and mapping requirements

    Verify the Microsoft Azure discovery prerequisites
    For more information, see the prerequisites section in Microsoft Azure Cloud discovery using patterns.
    Enable the relevant pattern
    The pattern for this service is disabled by default. Starting with Visibility Content version 6.28.0, activating or deactivating a pattern won't be considered a customization, and it will continue to receive updates. Patterns that were previously activated or deactivated will reset to the latest predefined version after upgrading while retaining the last active field value. For more information on enabling patterns, see Activate a disabled pattern.
    Configure the Discovery schedule to support GovCloud
    Discovering Azure GovCloud (US) accounts requires using a datacenter URL when setting up an Azure service account. For more information, see Set up Azure service accounts.

    Discovery and Service Mapping Patterns application populates data in both CMDB and non-CMDB tables.

    Data stored in non-CMDB tables

    Discovery and Service Mapping Patterns application populates data in the non-CMDB table when running the Azure - Web Application Firewall Policy - Extended Inventory(LP) pattern.

    You can review the non-CMDB Azure tables by navigating to All > Configuration > Azure. You can also search the navigation filter for the specific pattern name.

    Table 1. Azure Web Application Firewall - Policy [cmdb_azure_web_application_firewall_policy]
    Field Description
    Object Id [object_id] The unique identifier of the resource.
    Kind [kind] The specific kind or variant of the resource.
    DC Location [location] The Azure region where the resource is deployed.
    Resource Group [resource_group] The name of the resource group containing the resource.
    Subscription Id [subscription_id] The subscription ID associated with the resource.
    Tenant Id [tenant_id] The Azure Active Directory tenant ID associated with the resource.
    Provisioning State [provisioning_state] The latest provisioning status of the resource.
    Configuration Item [configuration_item] References the Web ACL [cmdb_ci_web_acl] table.
    Policy State [policy_state] The current state of the policy applied to the resource.

    Data stored in CMDB tables

    Discovery and Service Mapping Patterns application populates data in the CMDB when running the Azure - Web Application Firewall Policy - Extended Inventory(LP) pattern.

    Table 2. Web ACL [cmdb_ci_web_acl]
    Field Description
    Object ID [object_id] The unique identifier of the resource.
    Name [name] The name of the resource.
    Location [location] The Azure region where the resource is deployed.
    Default Action [default_action] Indicates the effective operation mode of the web application firewall (WAF) policy. Possible values are allow and detect.
    • allow: policy is running in Prevention mode and is blocking traffic
    • detect: policy is running in Detection mode and is logging only
    Install Status [install_status] Install status of the resource. Default value is Installed.
    Operational status [operational_status] Operational status of the resource. Default value is Operational.
    Description [short_description] Type of resource. The value is set to microsoft.network/applicationgatewaywebapplicationfirewallpolicies.

    CI relationships

    The Azure - Web Application Firewall Policy - Extended Inventory(LP) pattern creates these relationships to support Azure Web Application Firewall Policy discovery.

    CI Relationship CI
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Protected by::Protects Web ACL [cmdb_ci_web_acl]
    Resource Group [cmdb_ci_resource_group] Contains::Contained by Web ACL [cmdb_ci_web_acl]
    Web ACL [cmdb_ci_web_acl] Hosted on::Hosts Azure Datacenter [cmdb_ci_azure_datacenter]
    Azure Web Application Firewall - Policy [cmdb_azure_web_application_firewall_policy] References Web ACL [cmdb_ci_web_acl]

    Azure tag discovery

    The pattern collects tags and populates them in the Key Value [cmdb_key_value] table.
    Table 3. Key Value [cmdb_key_value]
    Field Description
    Key [key] Tag name.
    Value [value] Tag value.