Exploit Protection (WAF) mitigation controls

  • Release version: Zurich
  • Updated July 31, 2025

    This category of mitigation controls covers mitigations available in the form of a Web Application Firewall (WAF).

    Exploit Protection (WAF)

    Security Posture Control detects servers that are running behind a web application firewall (WAF) by using the API integration with WAF tools such as F5 BIG-IP (F5) and, if necessary, network traffic data from ITOM IP-based Discovery.

    The mitigation control imports the Web ACL rules and all associated load balancers and, with the help of Discovery and Service Mapping patterns, determines which rules are protecting your virtual machines.

    Roles required: SPC Admin Group and SPC Analyst Group.

    Prerequisites for Exploit Protection (WAF) with F5 BIG-IP

    1. Verify that you have activated ITOM IP-based Discovery in the environment where the F5 BIG-IP (F5) WAF and associated application servers are set up.
    2. Verify that the API integration for F5 BIG-IP (F5) is activated in the Security Posture Control Workspace.

    Prerequisites for Exploit Protection (WAF) with Amazon Web Services (AWS)

    Data for this integration is imported by the Discovery and Service Mapping Patterns [sn_itom_pattern] and the Mitigation Controls Monitoring [sn_sec_mit_ctrl] applications. Both applications are required. Follow the steps below in the order they are listed so that you can import all the Web ACLs, the Web ACL rules, and the mitigation data required to help you confirm that a virtual machine is protected. See AWS discovery using patterns for more information about AWS discovery patterns.
    1. Define Web ACLs and rules in the AWS service account you want to use. See Using web ACLs in AWS WAF for more information.
      Note:
      You can create your own Web ACL rules; however, you might prefer to use the AWS managed rules that are designed specifically to work with their Web ACLs. If you choose to create your own custom rules for Web ACLs, note that this integration with AWS WAF supports only attack types that match Contains SQL injection attacks and Contains XSS (cross site scripting) injection attacks. Load balancers are the assets (resources) supported by this integration.
    2. Install and activate the Discovery and Service Mapping Patterns [sn_itom_pattern] application in your instance so the names and default actions of the Web ACLs you defined in step 1 can be discovered. For more information, see Install the supported applications for Security Posture Control.
    3. Verify the sn_itom_pattern.discover_aws_app_pool_members MID Server system property is set to true. To activate this property, navigate to All > MID Server > Properties.
    4. Verify you have installed and activated the Mitigation Controls Monitoring [sn_sec_mit_ctrl] application. This application includes a pattern extension, Web ACL Rules and Associated Resources. This pattern extension permits you to import the actual Web ACL rules and their associations (relationships) to your resources (assets) into your instance.
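
    A pre-check for step 1, added here as an example and not ServiceNow's or AWS's own code: it reads Web ACL JSON in the shape returned by `aws wafv2 get-web-acl` and separates managed rule groups, custom rules built on the SQL injection or XSS match statements, and custom rules built on anything else, then lists associated resources that are not load balancers. Function names and sample data are constructed, and counting a match nested under And/Or as supported is an assumption the page does not address.

```python
# Constructed sample data; input shapes follow `aws wafv2 get-web-acl` and `list-resources-for-web-acl`.
# WAFv2 statement keys behind the two match types the note in step 1 lists.
SUPPORTED = {"SqliMatchStatement": "SQL injection", "XssMatchStatement": "XSS"}

def attack_types(statement):
    """Collect supported match types; descending into And/Or nesting is an assumption."""
    found = set()
    for key, body in statement.items():
        if key in SUPPORTED:
            found.add(SUPPORTED[key])
        elif key in ("AndStatement", "OrStatement"):
            for inner in body.get("Statements", []):
                found |= attack_types(inner)
    return found

def is_load_balancer(arn):
    """True for ARNs of the form arn:aws:elasticloadbalancing:...:loadbalancer/..."""
    parts = arn.split(":", 5)
    return len(parts) == 6 and parts[2] == "elasticloadbalancing" and parts[5].startswith("loadbalancer/")

def review_web_acl(web_acl, resource_arns):
    """Sort rules into managed / supported custom / unsupported custom; flag non-LB resources."""
    report = {"managed": [], "supported": {}, "unsupported": []}
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {})
        if "ManagedRuleGroupStatement" in stmt:
            report["managed"].append(rule["Name"])
        elif types := attack_types(stmt):
            report["supported"][rule["Name"]] = sorted(types)
        else:
            report["unsupported"].append(rule["Name"])
    report["non_lb_resources"] = [a for a in resource_arns if not is_load_balancer(a)]
    return report

MATCH = {"FieldToMatch": {"Body": {}}, "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}
SAMPLE_ACL = {"Name": "example-acl", "DefaultAction": {"Allow": {}}, "Rules": [
    {"Name": "managed-sqli", "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}}},
    {"Name": "custom-xss-body", "Statement": {"XssMatchStatement": MATCH}},
    {"Name": "custom-sqli-or-xss", "Statement": {"OrStatement": {"Statements": [
        {"SqliMatchStatement": MATCH}, {"XssMatchStatement": MATCH}]}}},
    {"Name": "custom-geo", "Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}}},
]}
SAMPLE_RESOURCES = [
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example-alb/0123456789abcdef",
    "arn:aws:apigateway:us-east-1::/restapis/example123/stages/prod",
]

if __name__ == "__main__":
    print(review_web_acl(SAMPLE_ACL, SAMPLE_RESOURCES))
```

    Rules reported as unsupported still run in AWS WAF; the report only marks those that fall outside the two attack types this integration supports.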