There really isn't a single answer to this:
You can check MyF5 for new SecurityAdvisories: https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_published_date%20descending&f:@f5_document_type=[Security%20Advisory]&periodFilter=0&dateField=0
You can also create an RSS feed to monitor this on an ongoing basis.
For first-party security advisories (the type of thing F5 discloses in our QSNs), you can subscribe to 'F5 Security Announcements' here https://interact.f5.com/Customer-Preference-Center.html
For attack signature updates you can subscribe to 'F5 Security Operations Notifications' on the same page. But you're better off using the automatic update/notification in the product than the email for this.
Note that there is very often no one-to-one mapping between WAF rules and a given CVE. You may have one rule that addresses may CVEs, or multiple rules that handle different aspects of one CVE, etc. It is very, very common that when a new CVE comes out there are already existing rules that block it - so nothing new is published. The long and short of that is there is no 'index' where you can look up a CVE and say 'these rules block this CVE'. There just isn't any exhaustive mapping, even internally.
There may be a rule that mentions a given CVE, but just because a CVE is *not* mentioned doesn't mean the WAF can't block it. More often than not it can - it is just one of the basic WAF rules that blocks a whole family of vulns that does it.