Product Guide Revision B Cloud Workload Discovery 4.5.0 For use with McAfee ePolicy Orchestrator

COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Product overview
    Security management of your cloud assets made easy
    Key features
    Components and what they do
    Cloud Workload Discovery packages and McAfee suites

2 Configuring the cloud accounts
    Configuring an AWS cloud account
        Create an AWS user
        Create a user permission policy
        Assign the policy to a user
        Create an IAM role with flow logs for your AWS account
        Register an AWS account
    Configuring Microsoft Azure cloud accounts
        Create an application in the Microsoft Azure console
        Where to find Subscription ID, Tenant ID, and Client ID
        Configure client key
        Set delegated permissions
        Assign the application to your subscription
        Register a Microsoft Azure account
        Register Microsoft Azure classic account
    Register a VMware vSphere account
    Register an OpenStack cloud account
    Registered cloud account details
        Virtual machine details for AWS cloud account
        Virtual machine details for Microsoft Azure account
        Virtual machine details for VMware vCenter account
        Virtual machine details for OpenStack account

3 Managing policies with McAfee ePO
    Cloud Workload Discovery policies on McAfee ePO
    Where to find policies
    Create a new firewall policy
    Create a new assessment policy
    Assign custom policies to systems in your network

4 Visualization of your cloud accounts
    Problems or issues with your firewall settings or traffic
    Viewing account properties
    Viewing security group information for your instance
    Viewing threat prevention details on your instance
    Viewing intrusion prevention details on your instance
    Viewing application control details on your instance
    Viewing change control details on your instance
    Viewing volume encryption details for your instance
    Traffic details for your instance
    Instance properties
    Apply McAfee ePO tags to VMs in your network
    Automatic responses
        Set up automatic responses

5 Remediation
    Activate missing protection with few clicks
        Install McAfee Agent on your instances
        Install McAfee VirusScan
        Install McAfee MOVE AntiVirus
        Install McAfee Host Intrusion Prevention on your instances
        Install McAfee Application Control on your instances
        Install McAfee Change Control
    Remediate firewall rules
        Edit the security group rules
        Detach the security group from an instance

6 Queries and reports
    Predefined queries
        View default queries
    Create custom queries
    Dashboards and monitors
        Data Center and Public Cloud dashboards

7 Frequently asked questions

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

Italic: Title of a book, chapter, or topic; a new term; emphasis

Bold: Text that is emphasized

Monospace: Commands and other text that the user types; a code sample; a displayed message

Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue: A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.

1 Product overview

Cloud Workload Discovery enables you to discover, import, manage, and secure your Amazon Web Services, Microsoft Azure, and VMware vCenter virtual infrastructure using McAfee® ePolicy Orchestrator® (McAfee ePO™).

Contents
• Security management of your cloud assets made easy
• Key features
• Components and what they do
• Cloud Workload Discovery packages and McAfee suites

Security management of your cloud assets made easy

Cloud Workload Discovery offers improved visibility and control to address the unique requirements of public cloud security. It detects and imports virtual instances, security groups, and virtual networks to the McAfee ePO server.

To have better control over cloud infrastructure and threats, you need better visibility across them. Cloud Workload Discovery provides better control over cloud infrastructure and insight into threat information across clouds. It also offers infrastructure visibility and security alerts so that you can quickly assess security issues at a deeper level and take immediate actions.

• It integrates the management feature of McAfee ePO with the configured clouds, which host and manage the VMs.

• It synchronizes periodically with the cloud, and imports the virtual infrastructure details to McAfee ePO.

• You can choose to deploy the McAfee Agent to discovered instances during the discovery or after. Then, other McAfee products can be installed on these discovered instances.

• It has an innovative dashboard to view and monitor the security compliance of your cloud assets.

• You can flag systems at risk and can take corrective actions.

• You can view traffic flow from and to your AWS instances. It also provides traffic insights for AWS.

Key features

These features are important for your organization's security, protection, and performance.

Visualization of your cloud workloads

The user interface gives you a hierarchical view into your cloud accounts and their assets. You can view your virtual networks, templates, VNet, system information, firewall (security group), and other system information of your virtual machines (VM).

Security posture assessment

You can view potential threats and unsafe settings so that you can take appropriate actions.

You can view these details in your network configuration.

• Security settings that include unsafe firewall settings for AWS and Microsoft Azure accounts.

• Systems that do not have threat prevention, change control, application control and intrusion prevention products installed on them.

• Security status of suspicious external connections and blocked internal connections for your AWS instances.

Security group management

You can view security group information of your virtual instances across your cloud accounts. You can see how many instances are associated with any firewall (security group). You can also manage these firewalls (security groups) by adding, editing, or deleting rules. You can detach a firewall (security group) from an instance.

Firewall audit and hardening

Cloud Workload Discovery assesses your cloud configuration and flags systems, templates, and virtual networks that are at risk. You can immediately take appropriate actions and secure your assets.

Activate missing protection with few clicks

After visualizing your cloud account structure, and seeing which systems are at risk, you can secure your instances with just a few clicks.

1 Manage your instances by installing McAfee Agent.

2 After installing McAfee Agent, you can install other McAfee products like McAfee VirusScan, McAfee VirusScan for Linux, McAfee MOVE AntiVirus, McAfee Host Intrusion Prevention, McAfee Application Control, and McAfee Change Control on your instances.

Support for VMware vCenter cloud instances

You can view your VMware vCenter cloud infrastructure details. You can secure your instances by setting appropriate firewall policies and also by installing McAfee security products on them.

Volume discovery for AWS instances

You can view the encryption status of your AWS volumes.

IP traffic visibility and threat insights for AWS instances

You can view IP traffic flow from and to the instances in your AWS cloud network configuration. You can also see the reputation of the traffic based on IP addresses, network ports, and communications protocols to determine granular reputation intelligence, protecting products against both known and emerging network based attacks and adversarial activity.

Support for Microsoft Azure Resource Manager

You can now discover, manage and secure the Microsoft Azure Resource Manager virtual infrastructure with McAfee ePO.

Cloud usage metering

You can track the usage of AWS and Microsoft Azure running cloud VMs with the metering feature. The usage of VMs is tracked in the sum of CPU hours that an account uses on a monthly basis.

Components and what they do

Each component performs a specific function to discover, manage, and secure your cloud assets.

Amazon Web Services (AWS) — Collection of web services that make up the cloud computing solution offered by Amazon.

Microsoft Azure — Cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed datacenters.

Virtual Machines (VMs) — An isolated guest operating system installation in a normal host operating system that supports both virtual desktops and virtual servers.

Security Groups — A virtual firewall for your instances to control inbound and outbound traffic.

Network Security Groups — A list of rules in Microsoft Azure cloud network that allow or deny network traffic to your instances.

Azure Virtual Network — A logical isolation of your Azure cloud dedicated to your subscription.

AWS Virtual Private Cloud — A logically isolated section of Amazon Web Services cloud to launch your AWS resources in a virtual network.

Template — Templates are snapshots or images with which you can spawn instances in AWS and Microsoft Azure cloud.

Amazon Machine Image — Amazon Machine Image provides the information required to launch an instance.

McAfee ePO — Management software that allows you to register a cloud account, so that you can import your VMs and view them.

McAfee Agent — The client‑side component providing secure communication between McAfee ePO and managed products.

Hypervisor (ESXi) — A virtual operating platform that manages the execution of the guest operating systems. Hypervisors allow multiple operating systems to run concurrently on a hosted system. ESXi are embedded hypervisors for servers that run directly on server hardware, without requiring an additional underlying operating system.

VMware vCenter — Console that manages the ESXi servers, which host the guest VMs that require protection.

Cloud Workload Discovery packages and McAfee suites

Cloud Workload Discovery is packaged in public, hybrid, and private variants to support different cloud vendor accounts.

Table 1-1 Cloud Workload Discovery packages

• Cloud Workload Discovery variant: Cloud Workload Discovery for Private cloud
  Support for vendor accounts: VMware, OpenStack
  Package name: Cloud_Workload_Discovery_Private_4.5.0

• Cloud Workload Discovery variant: Cloud Workload Discovery for Hybrid cloud
  Support for vendor accounts: VMware, OpenStack, AWS, Microsoft Azure, and Microsoft Azure classic
  Package name: Cloud_Workload_Discovery_Hybrid_4.5.0

• Cloud Workload Discovery variant: Cloud Workload Discovery for Public cloud
  Support for vendor accounts: AWS, Microsoft Azure, and Microsoft Azure classic
  Package name: Cloud_Workload_Discovery_Public_4.5.0

Table 1-2 McAfee suites (Suite: Cloud Workload Discovery package)

• McAfee Public Cloud Server Security Suite: Cloud Workload Discovery for Public cloud

• McAfee Server Security Suite Advanced: Cloud Workload Discovery for Hybrid cloud

• McAfee Server Security Suite Essentials: Cloud Workload Discovery for Hybrid cloud

• McAfee MOVE AntiVirus for Virtual Servers: Cloud Workload Discovery for Private cloud

• McAfee Security Suite for Virtual Desktop Infrastructure: Cloud Workload Discovery for Private cloud

• McAfee MOVE AntiVirus for Virtual Desktops: Cloud Workload Discovery for Private cloud

2 Configuring the cloud accounts

You must register cloud accounts with McAfee ePO to establish a connection to the McAfee ePO server. McAfee ePO then discovers, imports, and displays the cloud asset information.

For installing Cloud Workload Discovery on your McAfee ePO server, see the installation guide for McAfee Public Cloud Server Security Suite.

After registering the cloud accounts, you can view:

• Virtual networks, templates, firewall (security group) information of your virtual machines in Cloud Workload Discovery.

• Imported VMs and virtualization properties on the McAfee ePO System Tree.

Contents
• Configuring an AWS cloud account
• Configuring Microsoft Azure cloud accounts
• Register a VMware vSphere account
• Register an OpenStack cloud account
• Registered cloud account details

Configuring an AWS cloud account

Configure and register your AWS cloud accounts on McAfee ePO.

Create an AWS user

On the Amazon Web Services management console, create an AWS user with Access Key ID and Secret Access Key configured.

Task

1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 From the Users section, click Create New Users.

4 Type a name for the user and select Generate an access key for each user.

5 Click Create.

6 Click Download Credentials and save the CSV file. These credentials contain both the Access Key ID and the Secret Access Key.

Create a user permission policy

Create a policy with minimum required permissions for a user to use Cloud Workload Discovery.

Task

1 Log on to your Amazon Web Services management console.

2 From the Policies section, click Create New Policy.

3 From the Create Policy, click Create Your Own Policy.

4 Type a name and description.

5 Copy and paste this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFlowLogs",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AttachVolume",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [ "iam:GetUser" ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:List*"
      ],
      "Resource": [ "*" ]
    }
  ]
}
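A review aid for the policy above, added here as an example and not part of the McAfee guide: it separates the granted actions into read-only and other actions and lists, per service, every non-read action allowed on "Resource": "*", which is what the access key created for this user can do across the whole account. The read-only prefix list, the function names, and the scoped sample statement are assumptions of this example.

```python
# Added example (not from the McAfee guide): review what the guide's IAM policy allows.
import json

# The user permission policy from the guide, embedded so the example runs offline.
GUIDE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": [
      "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DescribeLogGroups",
      "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents",
      "logs:CreateLogStream", "logs:PutLogEvents" ] },
  { "Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": [
      "ec2:Describe*", "ec2:AuthorizeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateFlowLogs",
      "ec2:CreateSecurityGroup", "ec2:DeleteFlowLogs", "ec2:DeleteSecurityGroup",
      "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
      "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
      "ec2:AttachVolume", "ec2:CreateTags", "ec2:CreateVolume",
      "ec2:DeleteVolume", "ec2:DetachVolume" ] },
  { "Sid": "", "Effect": "Allow", "Resource": ["*"], "Action": ["iam:GetUser"] },
  { "Sid": "", "Effect": "Allow", "Resource": ["*"],
    "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:List*"] }
] }
""")

# Constructed sample for contrast: the same kind of action limited to one resource type.
# The account ID is the placeholder used in AWS documentation.
SCOPED_SAMPLE = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "ec2:DeleteVolume",
        "Resource": "arn:aws:ec2:us-east-1:111122223333:volume/*",
    },
}

# Assumption of this example: verbs starting with these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Filter")


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True when the verb after 'service:' starts with a read-only prefix.
    Wildcards such as 'ec2:*' or '*' do not match and are treated as non-read."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def review_policy(policy):
    """Return (read_only, unscoped).

    read_only: sorted list of read-only actions the policy allows.
    unscoped:  service -> sorted non-read actions allowed on Resource "*"
               with no Condition narrowing them.
    Non-read actions limited to specific resources or conditions are not reported.
    """
    read_only, unscoped = [], {}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        on_all = "*" in as_list(stmt.get("Resource", []))
        narrowed = bool(stmt.get("Condition"))
        for action in as_list(stmt.get("Action", [])):
            if is_read_only(action):
                read_only.append(action)
            elif on_all and not narrowed:
                service = action.partition(":")[0]
                unscoped.setdefault(service, []).append(action)
    return sorted(read_only), {s: sorted(a) for s, a in unscoped.items()}


if __name__ == "__main__":
    reads, unscoped = review_policy(GUIDE_POLICY)
    print(f"read-only actions: {len(reads)}")
    for service in sorted(unscoped):
        print(f"{service}: {len(unscoped[service])} non-read actions on '*'")
        for action in unscoped[service]:
            print(f"    {action}")
    print("scoped sample:", review_policy(SCOPED_SAMPLE))
```

The per-service list is the input for deciding which statements can take resource ARNs or conditions in your account and for deciding how the downloaded access key is stored and rotated.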

Assign the policy to a user

Assign the required permissions policy to the user on the Amazon Web Services management console, so that you can register the AWS account with McAfee ePO.

Before you begin

• You must have the required user.

• You must have created a required permissions policy.

Task

1 Log on to your Amazon Web Services management console.

2 From the Users section, select the user.

3 Select the policy that you made and then click Attach Policy.

Create an IAM role with flow logs for your AWS account

You must create an IAM role with flow log policies to access the IP traffic flow in your virtual networks. Then you can view the IP traffic flows of your virtual networks in Cloud Workload Discovery.

Task

1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 Enter this name McafeeFlowLogger for your role, and then choose Next.

The name of the role has to be McafeeFlowLogger and it is case sensitive.

4 On the Select Role Type page next to Amazon EC2, click Select.

5 On the Attach Policy page, click Next Step.

6 On the Review page, make a note of the ARN for your role. When you are ready, choose Create Role.

7 Type a name for your role.

8 Under Permissions, expand the Inline Policies section, and then select Click here.

9 Select Custom Policy, and then choose Select.

10 Copy this policy and paste it in the Policy Document window. Enter a name for your policy in Policy Name, and then click Apply Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

11 Select Edit Trust Relationship. Delete any existing policy document. Copy and paste this policy, and click Update Trust Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
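A check for the two role documents from steps 10 and 11, added here as an example and not part of the McAfee guide: it normalizes the Principal forms IAM accepts and reports any principal other than vpc-flow-logs.amazonaws.com that may assume the role (for instance an ec2.amazonaws.com entry when the existing document was edited instead of deleted), and any service other than CloudWatch Logs that the inline policy grants. The function names and the LEFTOVER_TRUST sample are constructed for this example.

```python
# Added example (not from the McAfee guide): check the McafeeFlowLogger role documents.
import json

EXPECTED_SERVICE = "vpc-flow-logs.amazonaws.com"  # principal in the guide's trust policy
EXPECTED_ACTION_SERVICES = {"logs"}               # the guide's inline policy only uses logs:*

# Trust policy from step 11 of the guide.
GUIDE_TRUST = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "", "Effect": "Allow",
    "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
    "Action": "sts:AssumeRole" } ] }
""")

# Inline policy from step 10 of the guide.
GUIDE_INLINE = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                "logs:DescribeLogGroups", "logs:DescribeLogStreams" ],
    "Effect": "Allow", "Resource": "*" } ] }
""")

# Constructed sample: the existing trust document was edited instead of deleted,
# so the EC2 service principal is still trusted next to the flow logs service.
LEFTOVER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", "vpc-flow-logs.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and principals."""
    return value if isinstance(value, list) else [value]


def principals(stmt):
    """Yield (kind, value) for each principal: "*", {"Service": "x"}, {"AWS": ["a", "b"]}."""
    principal = stmt.get("Principal")
    if principal is None:
        return
    if isinstance(principal, str):       # the bare "*" form
        yield ("Any", principal)
        return
    for kind, values in principal.items():
        for value in as_list(values):
            yield (kind, value)


def check_trust(trust_policy, expected=EXPECTED_SERVICE):
    """Return (expected_is_trusted, sorted list of other principals that may assume the role)."""
    trusted, extra = False, []
    for stmt in as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for kind, value in principals(stmt):
            if kind == "Service" and value == expected:
                trusted = True
            else:
                extra.append(f"{kind}:{value}")
    return trusted, sorted(extra)


def services_granted(policy):
    """Set of service prefixes that the policy's Allow statements grant actions for."""
    services = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            for action in as_list(stmt.get("Action", [])):
                services.add(action.partition(":")[0])
    return services


def review_role(trust_policy, inline_policy):
    """Return a list of findings; an empty list means both documents match the guide."""
    issues = []
    trusted, extra = check_trust(trust_policy)
    if not trusted:
        issues.append(f"{EXPECTED_SERVICE} cannot assume the role")
    issues += [f"unexpected principal {p}" for p in extra]
    for service in sorted(services_granted(inline_policy) - EXPECTED_ACTION_SERVICES):
        issues.append(f"inline policy grants {service} actions")
    return issues


if __name__ == "__main__":
    print("guide documents:", review_role(GUIDE_TRUST, GUIDE_INLINE))
    print("leftover EC2 trust:", review_role(LEFTOVER_TRUST, GUIDE_INLINE))
```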

Register an AWS account

Register an AWS account with McAfee ePO so that McAfee ePO can communicate with the AWS cloud.

Before you begin

• Make sure that you have your AWS account and its details ready.

• AWS users must have an access key ID and a secret access key set up for them in the AWS console.

• AWS users must have permissions to use Cloud Workload Discovery.

• To view IP traffic flows in your virtual network, the account you are registering with McAfee ePO should have an IAM role with flow log policies.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• Make sure that your McAfee ePO system date and time is synchronized with internet date and time.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account to open the Add Cloud Account page.

3 From the Choose Cloud Provider drop-down list on the Description page, select Amazon Web Service, then click OK.

4 On the AWS account details page, type these details:

• Name — Type a name for the AWS account in McAfee ePO. Account names can include characters a-z, A–Z, 0–9, and [_.-], without space.

• Access Key Id — Type the access key ID to log on to AWS.

• Secret Access Key — Type the secret access key to log on to AWS.

Each user can be configured to have an access key ID and secret access key in the AWS console.

• Tags — List of McAfee ePO tags that are applied on VMs discovered for this AWS account. Tag names can include characters a-z, A–Z, 0–9, and [_.-], with space. For details about Tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (In Minutes) — Specify the interval for McAfee ePO to AWS synchronization (the default value is 5 minutes; the maximum value is 60 minutes). If you specify the sync interval as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Enable GovCloud option if the AWS account belongs to the AWS GovCloud (US) region. For otherusers, leave it deselected.

6 Select Enable Traffic Discovery to discover and view traffic flow logs for instances in your AWS accounts.

7 Click Validate Parameters to validate the account details and verify the connection to the AWS cloud.

8 (Optional) To deploy McAfee Agent to the registered VMs, select Auto deploy Mcafee Agent on VMs, and type the credentials to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the AWS cloud can communicate with each other.

9 Click Save to register the cloud account.

This action registers the AWS cloud and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the AWS cloud. The VMs that are already added and managed by McAfee ePO are retained with the existing policy settings.

10 View the imported VMs:

• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view, assess, and remediate your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. You can find your AWS account under the group AWS. The virtual machines from AWS are logically grouped with the hierarchy AWS | Cloud account name | Region | Availability zone | instances.

Configuring Microsoft Azure cloud accounts

Configure and register your Microsoft Azure cloud accounts on McAfee ePO.

You can configure and register both Microsoft Azure classic account and Microsoft Azure account on McAfee ePO.

• For Microsoft Azure account: You can view your cloud account details in System Tree and on the Cloud Workload Discovery dashboard.

• For Microsoft Azure classic account: You can view your cloud account details in System Tree.

Create an application in the Microsoft Azure console

Create an application in Microsoft Azure Active Directory to access the resources in your subscription.

You can also get your client ID and tenant ID, and configure your Client key, after creating the application.

You can create the application by:

• Logging in to the Microsoft Azure portal and following our steps.

• Running the PowerShell scripts. For details, see KB87316. We have automated the steps to create the application and get the tenant ID, client ID, and your client key. You can access these details from the file MicrosoftAzurecloudaccountdetails.txt.

Task

1 Log on to the Microsoft Azure portal and select Active Directory from the left pane.

2 Select the directory that you want to use for creating the application.

3 Click Applications and then click Add.

4 On the What do you want to do? page, select Add an application my organization is developing.

5 Type a name for your application and select WEB APPLICATION AND/OR WEB API and click Next.

6 Type the properties for your application. For SIGN-ON URL, give the URI to a website that describes your application. The existence of the website is not validated. For APP ID URI, provide the URI that identifies your application. The uniqueness or existence of the endpoint is not validated.

7 Click Complete to create your application.

Where to find Subscription ID, Tenant ID, and Client ID

After creating your application, you can make a note of tenant ID and client ID.

• The subscription ID for your Microsoft Azure account is listed in Subscriptions | SUBSCRIPTION ID.

• Select the application that you created and click Configure tab and you can see your Client ID.

• Click VIEW ENDPOINTS button on the bottom pane and you can see App Endpoints page.

You can get your Tenant ID from this page. Your tenant ID is given after the URLs for all theattributes in this page.

Configure client key

Configure your client key on Microsoft Azure Active Directory for your application.

Before you begin

You must have created your application in your Microsoft Azure Active Directory.

Task

1 Log on to the Microsoft Azure portal.

2 Select the application that you created and click the Configure tab.

3 Scroll down to the Keys section and select how long you would like your password to be valid. Select the duration and click Save to create the key.

Copy the key displayed in the application. You won't be able to retrieve it after you leave this page.

Set delegated permissions

Set the delegated permissions for your application.

Before you begin

You must have created your application.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Microsoft Azure portal.

2 Select the application that you created, then click the Configure tab.

3 Select Add Application.

4 From the list in the Name field, select Windows Service Management API, then click Complete.

5 From the Permissions to other applications section, for Windows Azure Service Management, set the Delegated Permission as Access Azure Service Management as organization.

Assign the application to your subscription

Assign a role to your application and also assign it to your Microsoft Azure subscription.

Before you begin

• You must have created an application in the Microsoft Azure console.

• Configure Client key for your application and set the delegated permissions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the Microsoft Azure console, click Subscriptions.

2 Select your subscription, and click Access icon.


3 Click Add | Select a role and select your role as Contributor.

4 Click Add users and search for your application, click Select and click OK.

Your application is assigned to your subscription.

Register a Microsoft Azure account

Register a Microsoft Azure account with McAfee ePO so that McAfee ePO can communicate with the Microsoft Azure cloud.

Before you begin

• Make sure that you have your Microsoft Azure account and its details ready.

• Create an application in the Microsoft Azure console.

• Get Client ID and Tenant ID from the Microsoft Azure console after creating the application.

• Configure the Client key for your application.

• Set the delegated permissions for your application.

• Assign the newly created application to a role and to your Microsoft Azure cloud account subscription.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• Make sure that your McAfee ePO system date and time are synchronized with internet date and time.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.

3 From the Choose Cloud Provider drop-down list, select Microsoft Azure, then click OK.


4 On the Microsoft Azure Account details page, type these details:

• Name — A name for the Azure account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Azure Endpoint — The URL of Microsoft Azure endpoint.

The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud provider.

• Subscription ID — Type your subscription ID. This is the ID that you get for your Microsoft Azure subscription.

• Tenant ID — Type the unique ID of the organization in Microsoft Azure Active Directory.

• Client ID — Type your unique ID of the application.

• Client Key — Type your client secret key of the application.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag name can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud. The default value is 5 minutes and the maximum value is 60 minutes. If you specify the sync interval as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.

6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task and type the credentials to deploy the McAfee Agent package.

7 Click Save to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with the existing policy settings.

8 View the imported VMs:

• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account under the group Azure. The VMs from each Microsoft Azure account are logically grouped under different geographical zones in McAfee ePO.

Register Microsoft Azure classic account

Register a classic Microsoft Azure account with McAfee ePO so that McAfee ePO communicates with the Microsoft Azure cloud.

Before you begin

• Make sure that you have your Microsoft Azure classic account and its details ready.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• You must have your JKS or PFX certificate and Keystore Password for your Microsoft Azure classic account. See Microsoft Azure documentation for more details.

• Make sure that your McAfee ePO system date and time are synchronized with internet date and time.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.


3 From the Choose Cloud Provider drop-down list, select Microsoft Azure Classic, then click OK.

4 On the Microsoft Azure Classic Account Details page, type these details:

• Name — A name for the Azure account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Azure Endpoint — The URL of Microsoft Azure endpoint.

The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud provider.

• Subscription ID — Type your subscription ID.

• Keystore (JKS/PFX) containing private key of management certificate — Upload your JKS/PFX certificate.

• Keystore Password — Type the password you specified for the JKS/PFX file.

For details about creating a .pfx file, see Microsoft Azure documentation.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag name can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud. The default value is 5 minutes and the maximum value is 60 minutes. If you specify the sync interval as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.

6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task and type the credentials to deploy the McAfee Agent package.

7 Click Save to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with the existing policy settings.

8 View the imported VMs: Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account under the group Azure. The VMs from each Azure account are logically grouped under different geographical zones in McAfee ePO.

Register a VMware vSphere account

Register a VMware vSphere account with McAfee ePO so that McAfee ePO communicates with the VMware vCenter, which manages the ESXi servers.

Before you begin

• Make sure that you have configured your VMware vCenter server that manages the ESXi servers, which host the guest VMs.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account to open the Add Cloud Account page.


3 From the Choose Cloud Provider drop-down list on the Description page, select VMware vSphere, then click OK.

4 On the vCenter Account Details page, type these details:

• Account Name — A name for the VMware vCenter account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Server Address — (Required) IP address or the host name of the available VMware vCenter.

• vCenter Username — (Required) User name of the available VMware vCenter account.

• This user's minimum role can be read-only.

• This user can be a domain account.

• This user can also be a Single-Sign-On (SSO) user. The default user name of the SSO user is admin@system-domain.

• vCenter Password — (Required) Password of the available VMware vCenter account.

• Sync Interval (In Minutes) — Specify the time interval for running subsequent vCenter discovery.

The default value is 5 minutes.

• Port — The port number required to establish the connection with the available VMware vCenter.

• Tag — This is given by the admin to identify the VMs. Tag name can include characters a–z, A–Z, 0–9, and [_.-], with space.


5 Click Test Connection to validate VMware vCenter account details and verify the connection to the VMware vCenter, then click Next to open the vCenter Summary page.

The summary page has vCenter, vCNS and NSX summary.

6 Click Finish, then click OK on the confirmation page.

This action registers the VMware vCenter and imports all discovered virtual machines, which are unmanaged, into the McAfee ePO System Tree. The instances are imported with the similar structure and hierarchy present in VMware vCenter.

The virtual machines that are already added and managed by McAfee ePO are retained with the existing policy settings, but the virtualization properties for these machines are added.

7 View the imported VMs:

• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your vCenter account under the group vSphere. The clusters and hosts from vCenter are logically grouped under each Data Center group in McAfee ePO.

Register an OpenStack cloud account

Register an OpenStack cloud account so that McAfee ePO communicates with the OpenStack cloud.

Before you begin

• Make sure that you have your OpenStack cloud account and its details ready.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.


3 From the Choose Cloud Provider drop-down list, select OpenStack Cloud, then click OK.

4 On the OpenStack Cloud account details page, type these details:

• Name — A name for the Rackspace account in McAfee ePO. Account names can include characters a–z, A–Z, 0–9, and [_.-], without space.

• Identity Service Endpoint — The URL of the account.

• User Name — The user name of the account in the format Project name:user logon. For example, Project1:admin.

• Password — The password of the account.

• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag name can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage, see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud.

The default value is 5 minutes.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.


6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task and type the credentials to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the OpenStack cloud can communicate with each other. Check the firewall settings for the machines in the cloud. For Linux VMs, SSH port (22) must be accessible. See the product documentation for your version of McAfee Agent.

7 Click Save to register the cloud account.

This action registers the OpenStack cloud and imports all discovered VMs, which are unmanaged, into the System Tree. The instances are imported with similar structure and hierarchy of the cloud.

8 View the imported VMs: select Menu | Systems | System Tree in McAfee ePO.

Registered cloud account details

After configuring and registering your cloud account with McAfee ePO, the account details are displayed in Registered Cloud Accounts on the McAfee ePO server.

| Property | Description |
|---|---|
| Name | Name of your cloud account. |
| Type | Name of cloud account vendor. |
| Last Successful Sync | Displays the date and time of last successful synchronization between McAfee ePO and your cloud account. |
| Last Sync Status | Displays the last synchronization status, including Sync Scheduled, Success, In Progress, and Failure. Hover your mouse over this property to know the start and end times of your account synchronization. If your account synchronization is in progress, you can see the sync start time. |
| Total VMs | Displays the number of VMs discovered for this account. |
| Running VMs | Displays the number of VMs that are up and running in this account. |
| Managed VMs | Displays the number of VMs that are managed by McAfee ePO. |
| Auto Deploy MA | Specifies if the administrator has enabled the Auto deploy McAfee Agent task for the registered cloud account. |
| Tags | Displays the tags of the VMs. |
| Actions | You can edit, delete, and synchronize the cloud account using McAfee ePO. When you delete an account, you have these options: Delete System Tree group corresponding to this account (deletes all virtual machines and groups from this account); Delete Tags (deletes the McAfee ePO tags for this account). If you do not select any of these options, this action deletes only the account details. |

Virtual machine details for AWS cloud account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree, check for the tags of the system. The VMs imported are tagged with dc_vm_auto.


| Property | Description |
|---|---|
| System Name | Displays the name of the VM. |
| Managed State | Specifies if the system is managed by McAfee Agent. |
| Tags | Displays the tag applied to this VM. |
| IP Address | Displays the IP address of the VM. |
| User Name | Displays the user name of the user logged on to the system. |
| Last Communication | Displays the time of the last synchronization. |

You can view more details of your AWS account by selecting and adding the required column using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

| Property | Description |
|---|---|
| Vendor Name | Displays the name of the cloud vendor. |
| Account Name | Displays name of the cloud account. |
| Unique ID | Displays the Unique ID of the instance. |
| Power Status | Displays if the instance is turned on or off. |
| Instance ID | Displays the unique value provided to the instance from AWS. |
| Instance Name | Displays the instance name as shown on AWS console. |
| Image ID | Displays the unique value of Amazon machine image with which the instance was created. |
| Private DNS name | Displays the private DNS name from AWS. |
| Public DNS name | Displays the Public DNS name from AWS. |
| State Transition Reason | Displays the reason for the instance to move from one state to another from the AWS console. |
| Key Name | Displays the key name of the instance, which is provided during the launch. |
| Instance Type | Displays the hardware configuration selected for an instance during the launch. |
| Launch Time | Displays the time the instance is launched in AWS. |
| Availability Zone | Displays the region where the instance is created in AWS. |
| Platform | Specifies whether the platform is Microsoft Windows or Linux. |
| Private IP Address | Displays the private IP address from AWS. |
| Public IP Address | Displays the public IP address from AWS, which is accessed by McAfee ePO. |
| VPC ID | Displays the Amazon Virtual Private cloud ID. |
| MAC Address | Displays the MAC address of an Instance in Amazon Virtual private cloud. |
| Architecture | Provides details about the hardware specifications of the processor. For example, x86_64, i386. |
| Virtualization Type | Displays the virtualization type of VM like HVM and paravirtualization. |
| Tags | Displays the tags of the VMs. |
| Security Groups | Displays the security group details where the instance is linked in AWS. |
| Network Interfaces | Displays details about all network interfaces associated to the EC2 instance. |


You can view the virtualization properties of the selected virtual machine by navigating to Menu | Systems | System Tree and double-clicking the target virtual machine.

Virtual machine details for Microsoft Azure account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree, check for the tags of the system. The VMs imported are tagged with dc_vm_auto.

VMs from your Microsoft Azure Classic account or Microsoft Azure accounts are displayed here.

| Property | Description |
|---|---|
| System Name | Displays the name of the VM. |
| Managed State | Specifies if the system is managed by McAfee Agent. |
| Tags | Displays the tag applied on this VM. |
| IP Address | Displays the IP address of the VM. |
| User Name | Displays the user name of the user logged on to the system. |
| Last Communication | Displays the time of the last synchronization. |


You can view more details of the cloud accounts by selecting and adding the required columns using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

From Choose Columns, select Vendor, and you can see the name of the vendor for your cloud account.

| Property | Description |
|---|---|
| Vendor Name | Displays the name of the cloud account vendor. |
| Account Name | Displays the name of the account in McAfee ePO. |
| Power Status | Displays if the system is in running or stopped state. |
| Created Time | Displays the time when the instance is created. |
| Image ID | Displays the unique image value provided to the instance from the cloud account. |
| Instance ID, Unique ID | Displays the unique value provided to the instance from the cloud account. |
| Instance Size | Displays the hardware configuration selected for an instance during the launch. |
| IP Address | Displays the IP address from the cloud account. |
| Last Modified Time | Displays the time when the instance was last modified in the cloud account. |
| Location | Displays the location of the instance. |
| Platform | Specifies whether the platform is Microsoft Windows or Linux. |
| Public DNS | Displays the public DNS name from the cloud account. |
| Virtual IP Address | Displays the virtual IP address of the instance. |
| Network Security Group | Displays the network security group associated with this instance. |
| Instance Endpoints | Displays the instance endpoints. |

You can view the virtualization properties of the selected VM by navigating to Menu | Systems | System Tree. Double-click the target VM and click the Virtualization tab.


Virtual machine details for VMware vCenter account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree, check for the tags of the system. The VMs imported are tagged dc_vm_auto.

| Property | Description |
|---|---|
| System Name | Displays the name of the VM. |
| Managed State | Specifies if the system is managed by McAfee Agent. |
| Tags | Displays the tag applied on this VM. |
| IP Address | Displays the IP address of the VM. |
| User Name | Displays the user name of the user logged on to the system. |
| Last Communication | Displays the time of the last synchronization. |

You can view more details of the vCenter account by selecting and adding the required column using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

| Property | Description |
|---|---|
| Vendor Name | Displays the name of the cloud vendor. |
| Account Name | Displays name of the cloud account. |
| Unique ID | Displays the unique ID of the instance. |
| Power Status | Displays if the instance is powered on or off. |
| VM Name | Displays the VM name of the instance as given in vCenter. |
| DNS Name | Displays the DNS name of the instance. |
| Domain Name | Displays the Domain of the instance. |
| System IP Address | Displays the IP address of the instance. |
| Guest OS | Displays the guest operating system of the instance. |
| Number of vCPU | Displays the number of vSphere CPUs associated with the VM. |
| Memory Size | Displays the memory size of the VM. |
| VMware Tool Status | Displays the status of the VM tool on a VM. For host, the status appears as N/A. |
| VMware Tool Version | Displays the version of the VM tool. |
| Agentless Anti-Malware Protection Status | Displays the McAfee MOVE AV Agentless protection status of the client VM: On (the VM is protected), Off (the VM is not protected), Unknown (the protection status is not known). You can view these protection properties only after installing the McAfee MOVE AV Agentless extension. |
| Host | Displays the host details like IP address of the VM. If the host is selected, the status appears as N/A. |
| MOR ID | Displays the unique identifier given by vCenter to a VM. |
| UUID | Displays the unique ID of the VM. |


You can view the virtualization properties of the selected virtual machine by navigating to Menu | Systems | System Tree and double-clicking the target virtual machine.

You can view the virtualization properties of the selected hypervisor by navigating to Menu | Systems | System Tree and double-clicking the target hypervisor.

| Property | Description |
|---|---|
| Vendor Name | Displays the name of the cloud vendor. |
| Account Name | Displays name of the cloud account. |
| Unique ID | Displays the unique ID of the instance. |
| Power Status | Displays if the instance is powered on or off. |
| SVA Deployed | Displays the SVA deployment status for host and VM: Yes (SVA is deployed to host), No (SVA is not deployed to host), N/A (for VM). |
| DNS name | Displays the DNS name of the hypervisor. |
| Domain name | Displays the Domain name of the hypervisor. |
| System IP | Displays the IP address of the hypervisor. |
| Memory Size | Displays the memory size of the hypervisor. |
| Processor Type | Displays processor type of the hypervisor. |
| CPU Cores | Displays the number of CPU cores. |
| Model | Displays the model of the physical server. |
| Manufacturer | Displays the manufacturer of the physical server. |
| Number of NICs | Displays the number of network interface cards. |
| ESX info | Displays the ESX hypervisor version. |
| VM Count | Displays the number of VMs. |
| vMotion Enabled | Displays if the VMs can be moved from one hypervisor host to another. |
| Connection State | Displays the connection state of the hypervisor. |
| Computer Name | Displays the computer name of the hypervisor. |
| BIOS Version | Displays the BIOS version of the hypervisor. |
| MOR-ID | Displays the unique identifier given by vCenter to the hypervisor. |
| Cluster ID | Displays the ID of the cluster. |
| UUID | Displays the unique ID of the hypervisor. |
| Data Stores | Displays the repository for storing VM files. |
| Networks | Displays the network interfaces of hosts or VM. |

Virtual machine details for OpenStack account

After importing the discovered VMs from the cloud accounts, the VM details are displayed in the System Tree.

| Property | Description |
|---|---|
| System Name | Displays the name of the VM. |
| Managed State | Specifies if the system is managed by McAfee Agent. |
| Tags | Displays the tag applied on this VM. |
| IP Address | Displays the IP address of the VM. |
| User Name | Displays the user name of the user logged on to the system. |
| Last Communication | Displays the time of the last synchronization. |


You can view more details of the cloud accounts by selecting and adding the required columns using the Choose Columns option under System Tree | Actions. By default, these columns don't appear under System Tree.

| Property | Description |
|---|---|
| Availability Zone | Displays the region where the instance is created. |
| Image ID | Displays the unique value provided to the instance from the cloud account. |
| Instance ID | Displays the unique value provided to the instance from the cloud account. |
| Instance Type | Displays the hardware configuration selected for an instance during the launch. |
| Key Name | Displays the key name, which is provided during the launch of the instance. |
| Launch time | Displays the time when the instance is launched in the cloud account. |
| Platform | Specifies whether the platform is Microsoft Windows or Linux. |
| Private IP address | Displays the private IP address from the cloud account. |
| Public IP Address | Displays the public IP address from the cloud account. |
| Tags | Displays the tags of the systems on McAfee ePO. |
| Hypervisor Name | Displays the DNS name of the Hypervisor host. |
| Hypervisor Version | Displays the version of the Hypervisor. |
| Hypervisor Type | Displays the type of the Hypervisor. |

You can view the virtualization properties of the selected VM by navigating to Menu | Systems | System Tree. Double-click the target VM and click the Virtualization tab.


3 Managing policies with McAfee ePO

Integrate and manage assessment policies using McAfee ePO software.

McAfee ePO provides centralized policy management and enforcement of your McAfee security products and the systems where they are installed. It also provides comprehensive reporting and product deployment capabilities through a single point of control.

Contents

• Cloud Workload Discovery policies on McAfee ePO

• Where to find policies

• Create a new firewall policy

• Create a new assessment policy

• Assign custom policies to systems in your network

Cloud Workload Discovery policies on McAfee ePO

The default policies fit the broadest set of customer environments. You can tune these policies to fit your environment.

Cloud Workload Discovery adds these categories in the Policy Catalog.

| Category | Description |
|---|---|
| Assessment Rules - Firewall | This policy defines the firewall settings for the systems. You can set inbound rules for the systems. It also defines how the systems are flagged if they violate the specified rules. |
| Assessment Rules - General | This policy defines how the systems are flagged if the products are not installed. |

Assessment Rules - General has Core Protection, Full Compliance, McAfee Default, and My Default policies.

Assessment Rules - Firewall has McAfee Default and My Default policies.

You can use these policies as is or you can edit My Default policies.

| Policy | Description |
|---|---|
| McAfee Default | Defines the out-of-the-box policy that takes effect if no other policy is applied. You can duplicate this policy, but you can't delete or change it. |
| My Default | Defines the customizable default policy for your environment. Modify this policy to create your own customized default. |
| Core Protection | Defines the core or important protection that you can have in your environment. |
| Full Compliance | Defines the strongest protection that you can have in your environment. |


Where to find policies

You can view and manage your firewall policies from two locations in the McAfee ePO console: the Assigned Policies tab (Systems | System Tree | Assigned Policies tab for a selected group in the System Tree) and the Policy Catalog tab (Systems | Policy Catalog).

Use the Policy Catalog to:

• Create policies.

• View and edit policy information.

• View where a policy is assigned.

• View the settings and owner of a policy.

• View assignments where policy enforcement is disabled.

Use the Assigned Policies tab to:

• View the available policies of a particular feature of the product.

• View details of the policy.

• View inheritance information.

• Edit policy assignment.

• Edit custom policies.

Create a new firewall policy

Create a custom firewall policy to suit your environment.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Discovery.

3 From the Category list, select Assessment Rules - Firewall.

4 Select New Policy, type a name for the policy, then click OK.

5 Click the name of an editable policy.

You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't editable.


6 Specify which inbound firewall rules can come from which IP addresses and their severities.

| Option | Definition |
|---|---|
| If inbound firewall rule to port | Select the inbound port from the list. |
| Then flag as | Select the flag value from Safe or Critical. |

If you do not specify a rule for a port, then it is flagged as Warning.

Critical alerts are flagged for unrestricted IP addresses (with suffix '/0') only. For example, with the policy setting 8443 Critical, the alerts are flagged as follows:

• IP address x.x.x.x/0 is flagged as critical and color coded red (as per the policy setting).

• IP address x.x.x.x/32 is flagged as warning and color coded yellow.

7 Click Save.

The new policy appears in the Policy Catalog.
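The flagging logic in step 6 can be expressed as a small evaluator. This is an added example, not product code: the rule layout and function names are hypothetical, and it assumes that a port flagged Safe raises no alert, that a port range takes the worst flag of the ports it covers, and that a security-group source counts as restricted.

```python
import ipaddress

SAFE, WARNING, CRITICAL = "Safe", "Warning", "Critical"
_RANK = {SAFE: 0, WARNING: 1, CRITICAL: 2}


def is_unrestricted(source):
    """True when the source is a CIDR with a /0 prefix (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        # Not a CIDR, for example an AWS security group ID used as the source.
        # Assumption: a security-group source counts as restricted.
        return False


def assess_rule(policy, from_port, to_port, source):
    """Flag one inbound allow rule against a {port: "Safe" | "Critical"} policy."""
    listed = [flag for port, flag in policy.items() if from_port <= port <= to_port]
    if CRITICAL in listed:
        # Critical is raised only for unrestricted sources; the same port
        # opened to a restricted source (such as a /32) is a Warning.
        return CRITICAL if is_unrestricted(source) else WARNING
    # Any port in the range that the policy does not list is a Warning.
    # Assumption: a range made up only of Safe ports raises no alert.
    every_port_listed = len(listed) == to_port - from_port + 1
    return SAFE if every_port_listed else WARNING


def assess_security_group(policy, rules):
    """Return (worst flag, per-rule flags) for a list of inbound rules."""
    flags = [assess_rule(policy, r["from_port"], r["to_port"], r["source"])
             for r in rules]
    worst = max(flags, key=_RANK.get, default=SAFE)
    return worst, flags


# Constructed sample data; the policy mirrors the "8443 Critical" example.
POLICY = {8443: CRITICAL, 443: SAFE}
RULES = [
    {"from_port": 8443, "to_port": 8443, "source": "0.0.0.0/0"},
    {"from_port": 8443, "to_port": 8443, "source": "198.51.100.7/32"},
    {"from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},
    {"from_port": 8000, "to_port": 9000, "source": "::/0"},
    {"from_port": 8443, "to_port": 8443, "source": "sg-0123456789abcdef0"},
]

if __name__ == "__main__":
    worst, flags = assess_security_group(POLICY, RULES)
    for rule, flag in zip(RULES, flags):
        print(f'{rule["from_port"]}-{rule["to_port"]} from {rule["source"]}: {flag}')
    print("Security group:", worst)
```

Running the same check over exported security group rules before saving a policy shows which rules the policy would flag red.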

Create a new assessment policy

Create a custom assessment policy to suit your environment.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Discovery.

3 From the Category list, select Assesment Rules - General.


4 Click the name of an editable policy.

You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't editable.

5 Set the product flags to Must Have, Good to Have, or Optional.

If Must Have products are missing, critical alerts (red) are flagged.

If Good to Have products are missing, warnings (yellow) are flagged.

If Optional products are missing, no alerts are flagged.

You can set these flags for Strong Security Groups, Volume Encryption, Intrusion Prevention, Threat Prevention, Application Control, and Change Control (FIM).

Strong Security Groups are always set as Must Have for your AWS and Microsoft Azure accounts. This setting can't be changed for AWS and Microsoft Azure accounts.

6 Click Save.

The new policy appears in the Policy Catalog.

Assign custom policies to systems in your network

Assign the custom policies to the systems in your network to suit your environment.

When you assign custom policies to a set of systems, they are effective after the next synchronization. If you want them to be effective immediately, then schedule a manual sync.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | System Tree, then select your group of systems from the hierarchy.

3 From the Assigned Policies, you can see policies assigned to these systems. Click Edit Assignment.

4 Select Break inheritance and assign the policy and settings below for Inherit from.

5 Select your custom policy from the Assigned Policy list, then specify the values for other fields.

6 Click Save.


4 Visualization of your cloud accounts

After configuring and registering the cloud accounts with McAfee ePO, you can view your cloud account information from Menu | Systems | Cloud Workload Discovery.

This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure assets and their hierarchy.

The left Issues pane highlights any issues or violations on your firewall settings or your IP traffic settings.

The user interface is very intuitive: you can expand and collapse the menus and select appropriate filters to view what you want.

Contents

• Problems or issues with your firewall settings or traffic

• Viewing account properties

• Viewing security group information for your instance

• Viewing threat prevention details on your instance

• Viewing intrusion prevention details on your instance

• Viewing application control details on your instance

• Viewing change control details on your instance

• Viewing volume encryption details for your instance

• Traffic details for your instance

• Instance properties

• Apply McAfee ePO tags to VMs in your network

• Automatic responses


Problems or issues with your firewall settings or traffic

Any issues or problems you have with your firewall settings or traffic settings are listed here.

Select the toggle to view either critical issues or warnings.

These issues are due to:

• Workload Security - Instances which do not have defined security settings for threat prevention, intrusion prevention, application control, change control, or encryption.

• Platform Security - Instances which do not have defined security settings for firewall and the ones with unencrypted volumes.

• Traffic - Instances with suspicious external connections or blocked internal connections.

Viewing account properties

The new Cloud Workload Discovery dashboard gives a holistic view of your cloud account and all its aspects.

You can view:


• Accounts

• Virtual networks or Data Centers/Clusters

• Templates or Hypervisors

• Workload

• Virtual Machine properties

The Accounts panel lists the cloud vendor accounts registered in McAfee ePO.

• Select your account and you can see the list of Virtual Networks in your account. For a VMware vCenter account you can see the list of Datacenters/Clusters in the account.

• Select the Virtual network and you can see the workloads under that Virtual Network.

• Select a Datacenter/Cluster and you can see the list of Hypervisors in it. Select a Hypervisor, and you can see the list of workloads in the hypervisor.

• If you select the VM, you can see the security status, management status, and system properties for that VM.

• If you have any VMs which are not grouped under any VPC, they are placed under Ungrouped VMs for AWS instances.

• You can see if the VM is managed. If it's not managed, you can install McAfee Agent.


By default, we list all virtual networks in your account that have at least one running instance. To view all instances in your account, whether running or stopped, select the filter Show All.

By default, we show Accounts | Virtual Networks | Workload. To see the templates in your virtual networks, select the filter Group by Templates.

All account properties are color-coded to reflect their security status.

• Red - Critical

• Yellow - Warning

Templates and workloads that violate the security policies are classified as critical or warning and color-coded accordingly. This is determined by how you defined your policies in the McAfee ePO Policy Catalog. If your virtual network has any one instance or template that violates the security policies, it is classified as critical and color-coded red.

Viewing security group information for your instance

View all security groups associated with this instance. Based on the enterprise rules set, the status is either red or yellow.

Select View details to view more information of your security groups.


Table 4-1 Firewall (Security Groups)

Property         Definition
Security Groups  Displays the name of the Security or Network Security group.
ID               Displays the ID of the Security or Network Security group.
Association      Displays how many instances this security or network security group is associated with.

Some VMs in Microsoft Azure accounts might not be associated with any security groups.

To view the rules in each security group, click Edit or double click the security group.

Table 4-2 Rules

Property              Definition
Name                  Name of the security group rule. For Azure instances, every security group rule has a name. This is not applicable for AWS instances.
Associated Instances  Displays other instances which are associated with this security group (firewall).
Type                  Displays the Protocol type. You can change the protocol type.
Protocol              Displays the protocol allowed.
Port range            Displays the port range allowed.
Priority              Displays the priority of this rule in the security group. Priority is applicable only for Microsoft Azure Network Security Groups.
Access                Displays if this is an allow rule or deny rule for Microsoft Azure instances. You cannot edit the deny rules. Deny rules are not assessed.
Source                Displays the source IP address. You can choose Anywhere to allow connections from all traffic or Custom IP to provide an IP address that you want to allow. For AWS instances you can also provide the security group for which you want to allow traffic.

Viewing threat prevention details on your instance

You can see if your instance has McAfee anti-malware software installed on it.

Your instance will be color-coded and classified as per the anti-malware policy that you set on McAfee ePO Policy Catalog.

We check for the presence of McAfee anti-malware software such as McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux for your AWS and Microsoft Azure instances.

For VMware vCenter instances, we assess for the presence of McAfee® MOVE AntiVirus.

If this product is installed on the instance, you can view these McAfee VirusScan Enterprise properties:

• McAfee Access Protection

• On-Access General

• On-Access ScriptScan

• Buffer Overflow Detection


• Email Detection

• System Status (for McAfee® MOVE AntiVirus (Multi-Platform))

You can see whether each of these properties is enabled or disabled. For details, see the product guide for McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux.

You can install a McAfee anti-malware product (McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux) on your instances.

You can also choose to install McAfee® MOVE AntiVirus (Multi-Platform) for your vCenter instances.

You can also tag this system with the McAfee ePO tags related to product deployment tasks of these products. To know about product deployment tasks and tags, see the product guide for your version of McAfee ePO.

See also: Apply McAfee ePO tags to VMs in your network

Viewing intrusion prevention details on your instance

Your instance will be color-coded and classified as per the policy that you set on the McAfee ePO Policy Catalog.

We check for the presence of the software McAfee Host Intrusion Prevention.

If this product is installed, then you can see these properties:

• IPS status

• NIPS status

• Firewall status

For details, see the product guide for McAfee Host Intrusion Prevention.

Viewing application control details on your instance

You can see if your instance has McAfee Application Control software installed on it.

Your instance will be color-coded and classified as per the policy that you set on McAfee ePO Policy Catalog.

You can see if McAfee Application Control is installed and enabled on the instance. For details, see the product guide for McAfee Application Control.

Viewing change control details on your instance

You can see if your instance has McAfee Change Control software installed on it.

Your instance will be color-coded and classified as per the policy that you set on McAfee ePO Policy Catalog.

You can see if McAfee Change Control is installed and enabled on the instance. For details, see the product guide for McAfee Change Control.


Viewing volume encryption details for your instance

You can view whether your AWS volumes are encrypted or not, and also the number of root and data volumes for your instances.

Though both root and data volumes are shown, only data volumes are assessed for your AWS instances.

Your instance will be color-coded and classified as per the policy that you set on McAfee ePO Policy Catalog for volume encryption.

You can view these details for your volumes:

Property  Definition
Status    Displays the encryption status of the volumes.
Type      Displays the type of the volume (root or data volume).
ID        Displays the Volume ID.
Size      Displays the size of the volume.

Traffic details for your instance

You can view the number of blocked internal connections and suspicious external connections to and from your instance.

You can also see the number of ports that were active.

The traffic displayed here is the data accumulated from a week or from the time you install your extension, whichever is the earliest. The traffic records are retained in McAfee ePO for 7 days.

On the AWS management console, we enable the VPC flow log service and create a log file with the name log_Mcafee_regionname for a particular region. You can view this log file from your VPC under the Flow Logs section on the AWS management console.


Click View details to see traffic properties.

Property   Definition
Traffic    Displays the number of blocked, inbound, and outbound connections to this instance.
Status     Displays if this traffic is blocked or allowed.
Direction  Displays if the traffic is Inbound (N-S), Outbound (N-S), Inbound (E-W), Outbound (E-W), Bi-Directional (E-W), or Bi-Directional (N-S). N-S indicates external traffic and E-W indicates internal traffic.
From/To    Displays the source IP address or the destination IP address for the traffic to this instance. If there are multiple IPs, you can expand the row and view all the IP addresses.
Port       Displays the port number.
Protocol   Displays the protocol name.

If an instance is receiving traffic from multiple IP addresses with the same port, protocol, status, and direction, the From/To field lists multiple IP addresses. You can view the different IP addresses by generating a report from Queries and Reports.
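The grouping described above, where the From/To field collects every peer address that shares a port, protocol, status, and direction, can be reproduced from raw flow log records. This added example (not product code) parses constructed records in the default AWS VPC flow log format; treating an address inside the VPC CIDR as internal (E-W), reporting the record's destination port, and leaving out the Bi-Directional cases are assumptions.

```python
import ipaddress
from collections import defaultdict

PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers

# Constructed sample records, default flow log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0aaa 203.0.113.10 10.0.1.5 49152 22 6 10 840 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0aaa 203.0.113.11 10.0.1.5 49153 22 6 8 672 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0aaa 10.0.2.9 10.0.1.5 40000 3306 6 3 180 1500000000 1500000060 REJECT OK
2 111122223333 eni-0aaa 10.0.1.5 198.51.100.7 41000 443 6 12 900 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0aaa - - - - - - - 1500000000 1500000060 - NODATA
"""


def summarize_traffic(log_text, instance_ip, vpc_cidr):
    """Group peers by (status, direction, port, protocol) for one instance."""
    vpc = ipaddress.ip_network(vpc_cidr)
    me = ipaddress.ip_address(instance_ip)
    rows = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        # NODATA and SKIPDATA records carry "-" instead of addresses.
        if len(fields) != 14 or fields[13] != "OK":
            continue
        src = ipaddress.ip_address(fields[3])
        dst = ipaddress.ip_address(fields[4])
        if dst == me:
            way, peer = "Inbound", src
        elif src == me:
            way, peer = "Outbound", dst
        else:
            continue  # record belongs to another interface address
        # Assumption: a peer inside the VPC CIDR is internal (E-W),
        # anything else is external (N-S).
        scope = "E-W" if peer in vpc else "N-S"
        status = "Blocked" if fields[12] == "REJECT" else "Allowed"
        # Assumption: the destination port is reported; return traffic
        # is not correlated with the flow that caused it.
        port = int(fields[6])
        protocol = PROTOCOLS.get(fields[7], fields[7])
        rows[(status, f"{way} ({scope})", port, protocol)].add(str(peer))
    return {key: sorted(peers) for key, peers in rows.items()}


def count_blocked_internal(rows):
    """Number of distinct blocked E-W peers across all rows."""
    return sum(len(peers) for (status, direction, _, _), peers in rows.items()
               if status == "Blocked" and direction.endswith("(E-W)"))


if __name__ == "__main__":
    table = summarize_traffic(SAMPLE_FLOW_LOG, "10.0.1.5", "10.0.0.0/16")
    for (status, direction, port, protocol), peers in table.items():
        print(status, direction, port, protocol, ", ".join(peers))
    print("Blocked internal connections:", count_blocked_internal(table))
```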

You can unblock your internal connections and block your external connections by remediating your security groups. Click Firewall (Security Groups) to open the security groups associated with this instance.

See also: Create custom queries; Remediate firewall rules


Instance properties

View the properties of your virtual systems from your cloud account.

Property            Definition
Location            Displays the region of the instance as shown in your cloud account.
Instance ID         Displays the instance ID as shown in your cloud account.
Instance Name       Displays the instance name as shown in your cloud account.
Instance Type       Displays the hardware configuration selected for an instance during the launch.
Platform            Displays whether the platform is Microsoft Windows or Linux.
Private DNS Name    Displays the private DNS name from the cloud account.
Private IP Address  Displays the private IP address from the cloud account.
Public DNS Name     Displays the Public DNS name from the cloud account.
Public IP Address   Displays the public IP address from the cloud account.
McAfee ePO Managed  Displays if this instance is managed by McAfee ePO.
Virtual Network ID  Displays the ID of the Virtual network of this instance.
Power Status        Displays if this instance is running or if it is stopped.
McAfee ePO Tags     Displays McAfee ePO tags for this instance.

See also: Apply McAfee ePO tags to VMs in your network

Apply McAfee ePO tags to VMs in your network

Tags are used to identify and sort systems. They can also be used to select groups of systems and simplify the creation of tasks and queries.

Task

Use this option to apply tags to your VM. You can manage your tags from Menu | Systems | Tag Catalog. For details about managing tags, see the product documentation for your version of McAfee ePO. For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.

3 Select a VM from Accounts | VPCs | Templates | Workload.

4 On the Summary pane, click Add Tag.

5 Specify a name for your tag and click the green check mark.

Automatic responses

Configure your McAfee ePO server to trigger an action in response to critical or warning issues.

Set automatic responses from Menu | Automation | Automatic Responses if you want a notification sent to you.

The standard templates for Cloud Workload Discovery are:


• Non-compliant critical workloads for AWS & Azure

• Non-compliant warning workloads for AWS & Azure

• Non-compliant critical workloads for vSphere

• Non-compliant warning workloads for vSphere

You can set up responses for other events also as required.

Set up automatic responses

Configure McAfee ePO server to receive automatic responses through email.

Before you begin

Specify the SMTP server name and the SMTP server port in Email Server from Menu | Configuration | Server Settings. For details about automatic responses and specifying the email server, see the product guide for your version of McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Automation | Automatic Responses.

2 Select Preset as Cloud Workload Discovery.

3 Click New Response or click Edit next to an existing template.

4 On the Description page, type a unique name and any notes for the rule, if you are creating a template.

5 In the Event field, select:

• Event Group — Cloud Workload Discovery

• Event Type — Critical Issues or Warning Issues.

6 Click Next.

7 On the Filter page, select:

• Account Name — Filter the cloud account name.

• Datacenter — Filter the datacenter name. This is applicable for vSphere.

• ePO Tags — Filter ePO tags assigned to instances.

• Instance ID — Filter workload ID. This is applicable for Amazon or Azure.

• Issue Subtype — Select any option from the drop-down list depending on your requirement.

• Issue Type — Select any option from the drop-down list depending on your requirement.

• Platform — Filter the operating system running on the instance.

• Region — Filter the region. Type the name of the region or the location of the instance. For example, if you want instances in the ap-southeast-1 location, type ap-southeast-1/Asia Pacific (Singapore).

• UUID — Filter UUID of the workload. This is applicable for vSphere.

• Vendor Type — Filter the cloud service provider. Type AWS, Azure, or vSphere.


8 Click Next.

9 Define when the event triggers the rule on the Aggregation page. For details, see Set thresholds for the rule in the McAfee ePolicy Orchestrator Product Guide.

10 Click Next.

11 On the Actions page, compose the email and select the recipients. For details, see Configure the action for Automatic Response rules in the McAfee ePolicy Orchestrator Product Guide.

12 On the Summary page, verify the information, then click Save.

The new response template for Cloud Workload Discovery appears in the Automatic Responses list.


5 Remediation

Secure the instances in your network by installing McAfee products and correcting your firewall settings.

Contents

• Activate missing protection with few clicks

• Remediate firewall rules

Activate missing protection with few clicks

After visualizing your cloud account structure, and seeing which systems are at risk, you can activate any missing protection with just a few clicks.

1 Manage your instances by installing McAfee Agent.

2 After installing McAfee Agent, you can install other McAfee products on your instances.

Tasks

• Install McAfee Agent on your instances: If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.

• Install McAfee VirusScan: Protect your instance by installing McAfee VirusScan or McAfee VirusScan for Linux on it.

• Install McAfee MOVE AntiVirus: Protect your VMware vSphere instance by installing McAfee MOVE AntiVirus on it.

• Install McAfee Host Intrusion Prevention on your instances: Protect your instance by installing McAfee Host Intrusion Prevention on it.

• Install McAfee Application Control on your instances: Protect your instance by installing McAfee Application Control on it.

• Install McAfee Change Control: Protect your instance by installing McAfee Change Control on it.

Install McAfee Agent on your instances

If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.


3 Select your workload from Accounts | VPCs | Templates | Workload.

4 From McAfee ePO Management, select Install McAfee Agent from the Take Action combo box.

5 You can choose

• to enter the Logon Credentials

• or use the Deployment URL

See KB85233 for details about installing McAfee Agent on AWS, Microsoft Azure, or VMware vSphere instances using the deployment URL.

6 Use the Regenerate URL option to generate a new deployment URL if the agent handler settings for that group have changed or if you want to use a new URL for your requirements, for example, if you want to share a different URL with different people to check whether they downloaded and installed the agent or not.

To avoid regenerating multiple URLs, you can delete or disable the old URLs from the System Tree. If the URL is disabled, a new URL is automatically generated and displayed.

7 Click Install.

You can see the installation status on the dashboard. If your McAfee ePO server does not receive the installation status, it will be timed out after 60 minutes.

Install McAfee VirusScan

Protect your instance by installing McAfee VirusScan or McAfee VirusScan for Linux on it.

Before you begin

If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.

3 Select your workload from Accounts | VPCs | Templates | Workload.

4 Select Security | Threat Prevention and click Install VirusScan.

McAfee VirusScan is installed on Windows workloads and McAfee VirusScan for Linux is installed on Linux workloads.

You can see the installation status on the dashboard. If your McAfee ePO server does not receive the installation status, it will be timed out after 60 minutes.

Install McAfee MOVE AntiVirus

Protect your VMware vSphere instance by installing McAfee MOVE AntiVirus on it.

Before you begin

If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.

3 Select your workload from Accounts | DataCenters/Clusters | Hypervisors | Workload.

4 Select Security | Threat Prevention and click Install MOVE MP.

You can see the installation status on the dashboard. If your McAfee ePO server does not receive the installation status, it will be timed out after 60 minutes.

Install McAfee Host Intrusion Prevention on your instances

Protect your instance by installing McAfee Host Intrusion Prevention on it.

Before you begin

If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.

3 Select your workload from Accounts | VPCs | Templates | Workload.

4 Select Security | Intrusion Prevention and click Install Intrusion Prevention.

You can see the installation status on the dashboard. If your McAfee ePO server does not receive the installation status, it will be timed out after 60 minutes.

Install McAfee Application Control on your instances

Protect your instance by installing McAfee Application Control on it.

Before you begin

• If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.

• Make sure you have the appropriate license before installing this product.

• See the Product Guide for McAfee Application Control before installing this product.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.


3 Select your workload from Accounts | VPCs | Templates | Workload.

4 Select Security | Application Control and click Install Application Control.

You can see the installation status on the dashboard. If your McAfee ePO server does not receive the installation status, it will be timed out after 60 minutes.

McAfee Application Control is activated in Observe Mode for your Windows workloads.

The Windows workloads are not restarted and all the features except Memory Protection are available. Memory protection is available after restarting your instance.

Install McAfee Change Control

Protect your instance by installing McAfee Change Control on it.

Before you begin

• If your instance does not have McAfee Agent installed on it, you need to first install the McAfee Agent software.

• Make sure that you have the appropriate license before installing this product.

• See the Product Guide for McAfee Change Control before installing this product.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.

3 Select your workload from Accounts | VPCs | Templates | Workload.

4 Select Security | Change Control and click Install Change Control.

You can see the installation status on the dashboard. If your McAfee ePO server does not receive the installation status, it will be timed out after 60 minutes.

Remediate firewall rules

To protect and secure your cloud instances that are classified as red, correct the firewall rules.

You can correct the firewall settings from:

• Policy Catalog: See Where to find policies.

• Issues: Select Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings, select a system and select Security | Security Groups | View details.


• Accounts | Virtual Networks, then select a VM. You can view and correct the firewall rules from Security | Security Groups | View details.

• For AWS instances, select Accounts | Virtual Networks | Workloads, then select a VM. You can view and correct the firewall rules from Traffic | View details | Firewall (Security Groups).

Tasks

• Edit the security group rules: Change the rules in your security group policy and secure your critical instances.

• Detach the security group from an instance: To secure your critical systems, remove the association of the security group to your AWS instance.

Edit the security group rules

Change the rules in your security group policy and secure your critical instances.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select the critical system and its security group policy from:

• Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings

• Menu | Systems section | Cloud Workload Discovery | Accounts | Virtual Networks | Workloads, then select a VM. Select Security | Firewall (Security Groups)

3 Click View details to see security groups, select one and click Edit to edit the security group policy. The non-compliant rules are highlighted by a red dot.

4 Edit the security group rules by changing Type, Protocol, Port range, or Source. For Microsoft Azure instances, you cannot edit rules that have Access as Deny.

5 While editing Source, you can choose Anywhere to allow connections from all traffic or Custom IP to provide an IP address that you want to allow. For AWS instances you can also provide the security group for which you want to allow traffic.

6 To add a rule, select Add rule and type in the values.

7 To delete a non-compliant rule, click the delete icon.

8 Click Apply Changes.

You can see the action details for edit, delete, update, or add in Menu | User Management | Audit Log.

Detach the security group from an instance

To secure your critical systems, remove the association of the security group to your AWS instance.

• If your workload has only one security group associated with it, then you cannot detach it.

• A security group which is associated with this workload can also be associated with many NICs.

• You cannot detach a security group if it is the only security group associated with a NIC.

• You can detach a security group only from your AWS instances.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select the critical system and its security group policy from:

• Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings

• Menu | Systems section | Cloud Workload Discovery | Accounts | Virtual Networks | Workloads, then select a VM. Select Security | Firewall (Security Groups)

3 Click View details to see security groups associated with this instance.

4 Select one of them and click Detach to detach the security group policy from this instance.

You can see the detach failure or success details in Menu | User Management | Audit Log.


6 Queries and reports

With the Cloud Workload Discovery, you can quickly generate a summary view of all registered Data Centers.

The predefined queries and dashboards provide out-of-the-box functionality, because they are added to your McAfee ePO server when the software is installed. You can configure these queries to display results in charts or tables, which you can use as dashboard monitors. Query results can be exported to several formats, which you can download or send as an attachment to an email message.

You can view the list of predefined queries for the Data Centers from Queries and reports | McAfee Groups | Data Center.

You can view the list of predefined queries for the public cloud accounts from Queries and reports | McAfee Groups | Public Cloud.

Contents

• Predefined queries

• Create custom queries

• Dashboards and monitors

Predefined queries

You can use predefined queries as is, edit them, or create queries from events and properties stored in the McAfee ePO database.

To create custom queries, your assigned permission set must include the ability to create and edit private queries.


Data Center provides these predefined queries:

Query: Anti-Malware Status
Definition: Specifies whether the system is in one of these states:
• Application Control Enabled — These VMs have McAfee® Application Control installed and enabled.
• Only Anti-Virus Enabled — These VMs have a McAfee anti-malware product installed and enabled.
• Unprotected — These VMs don't have any McAfee anti-malware product enabled.

Query: Application Reputation
Definition: Categorizes the applications based on McAfee® Global Threat Intelligence™ (McAfee GTI) file reputation:
• Good
• Bad
• Unclassified
For details about file reputation, see the product documentation for McAfee Application Control.

Query: AV Protection by Product
Definition: Displays the anti-virus protection status of McAfee products.

Query: Security Incidents (last 14 days)
Definition: Displays the events reported for these components on the VMs in the last 14 days.
• Antivirus
• Firewall
• Memory Protection

Query: Data Centers
Definition: Displays all registered data centers.

Query: File Integrity Monitoring Status
Definition: Displays the number of VMs with File Integrity Monitoring (FIM) installed and enabled. For details about FIM, see the product documentation for McAfee® Change Control.

Query: Host Firewall Status
Definition: Specifies whether the system is in one of these states:
• Firewall Enabled — These VMs have McAfee® Host Intrusion Prevention (McAfee Agent-based) installed.
• Not in use — These VMs don't have McAfee Host Intrusion Prevention (McAfee Agent-based) installed.

Query: OS Distribution
Definition: The OS Type shows the template value selected while creating the VMs. However, it might not be the actual operating system installed on the VM.

Query: Usage Metering Report
Definition: Displays the usage of cloud accounts in number of hours per month.
• CPU cores->Usage Month — Specifies if the CPU cores used are single, dual or quad core plus and the usage month.
• Sum of: Hours used — Specifies the sum of usage hours.


Query: Endpoint Scan Report
Definition: Displays the details of the last scan of the endpoints.
Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.
• Endpoint — Displays the name of the endpoint.
• IP Address — Displays the IP address of the endpoint.
• Category — Displays the group/resource pool/host of the endpoint.
• Operating System — Displays the operating system details.
• Last Scan — Displays the last on-demand scan time for an endpoint with anti-virus software.

Query: Endpoint Security Report
Definition: Displays the protection status of the endpoints.
Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.
• Endpoint — Displays the name of the endpoint.
• IP Address — Displays the IP address of the endpoint.
• Virtual — Specifies whether the endpoint is a virtual system.
• VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine) cloud.
• Vendor — Displays the name of the cloud service provider of the endpoint.
• Power Status — Specifies the power status of the endpoint.
• Category — Displays the group/resource pool/host of the endpoint.
• Operating System — Displays the operating system details.
• AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software installed on the endpoint.
• Firewall — Displays the name of the McAfee software with the firewall protection active on the endpoint.
• Whitelisting — Specifies whether the whitelisting feature is enabled.
• Access Protection — Displays the name of the McAfee software that provides access protection.
• Memory Protection — Displays the name of the McAfee software that provides memory protection.
• Last Communication — Displays the time details of the last server-client communication.

Query: Instance Assessment Status
Definition: Displays the number of instances that are classified as critical and the number of instances that are classified as warning.

Query: Data Protection per Cloud VM
Definition: Displays the number of VMs that are encrypted and not encrypted.

View default queries

Run the predefined queries to generate reports based on Data Center components.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports.

3 From the Groups pane, select Data Center to display the queries for the selected group. Reports are grouped under McAfee Groups.

4 From the Queries list, select a query, then click Run.

5 In the query results page, click any item in the results to drill down further.

6 Click Close when finished.

Create custom queries

You can create custom queries that retrieve and display the details related to the Usage Metering Report and IP traffic reports. With this wizard, you can configure which data is retrieved and displayed, and how it is displayed.

Before you begin

You must have administrator rights to perform this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports, then click Actions | New to open the Query Builder wizard.

3 To view Usage Metering records, select Public Cloud on the Feature Group list and, on the Result Type page, select Usage Metering records, then click Next.

If you have upgraded from 3.6.1 to this version, you can also see Usage Metering Report- Legacy to view the old usage metering reports.

4 To view IP traffic reports for your AWS instances, select Data Center on the Feature Group list and, on the Result Type page, select Amazon Network Traffic Logs, then click Next.

5 Select the type of chart or table to display the primary results of the query, then click Next to open the Columns page.

If you select Boolean Pie Chart, you must configure the criteria to include in the query.

6 Select the columns to include in the query, then click Next to open the Filter page.

If you had selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.

7 Select properties to narrow the search results, then click Run.

The Unsaved Query page displays the results of the query, which is actionable. You can take any available actions on items in any tables or drill-down tables. Selected properties appear in the content pane with operators that can specify criteria to narrow the data that is returned for that property.

• If the query does not return the expected results, click Edit Query to go back to the Query Builder and edit the details of this query.

• If you don’t want to save the query, click Close.

• If this is a query you want to use again, click Save and continue to the next step.

8 On the Save Query page, type a name for the query, add any notes, and select one of these options:

• New Group — Type the new group name and select whether the group is private or public.

• Existing Group — Select the group from the list of Shared Groups.

9 Click Save.

Dashboards and monitors

Dashboards, which are made up of monitors, help you track key metrics from all Data Center products. Reports are grouped under McAfee Dashboards at Menu | Queries and reports | Groups.

Data Center and Public Cloud dashboards

The Data Center and the Public Cloud dashboards are added to your McAfee ePO server when you install the software.

• The Data Center dashboard displays a collection of monitors based on the results of the default data center software queries.

• The Public Cloud dashboard displays the collection of monitors for default public cloud account queries.

The data in these monitors on the dashboard is refreshed every 15 minutes.

The default monitors that appear under these dashboards are:

• Data Centers — Displays all registered data centers.


• OS Distribution — Displays the operating system type. It shows the template value selected while creating the VMs. However, it might not be the actual operating system installed on the VM.

• Security Incidents (last 14 days) — Specifies events reported for these components on the VMs in the last 14 days.
  • Application Control
  • Antivirus
  • Firewall
  • Memory Protection


• Anti-Malware Status — Displays the state of the VM.
  • Application Control Enabled — These VMs have McAfee Application Control installed and enabled.
  • Only Anti-Virus Enabled — These VMs have a McAfee anti-virus product installed and enabled.
  • Unprotected — These VMs don't have any McAfee anti-malware product enabled.

• Host Firewall Status — Displays the state of the system.
  • Firewall Enabled — These VMs have McAfee Host Intrusion Prevention installed.
  • Not in use — These VMs don't have McAfee Host Intrusion Prevention installed.


• File Integrity Monitoring Status — Displays the number of VMs with File Integrity Monitoring (FIM) installed and enabled.
  • Enabled — File Integrity Monitoring is enabled on these VMs.
  • Not enabled — File Integrity Monitoring is disabled on these VMs.
  • Not installed — File Integrity Monitoring isn't installed on these VMs.

For more details about FIM, see the product documentation for McAfee Change Control.

• Instance Assessment Status — Displays the number of instances that are classified as critical and the number of instances that are classified as warning.


• Data protection per Cloud VM — Displays the number of VMs that are encrypted versus the number of VMs that are not encrypted.
  • Encrypted — These VMs are encrypted.
  • Not Encrypted — These VMs are not encrypted.

• Usage Metering Report — Displays the usage of running AWS and Microsoft Azure cloud instances, in number of hours per month.

You can see how many hours are used by your single core, dual core, and your quad core instances for every month.


• Application Reputation — Categorizes the applications based on McAfee GTI file reputation.
  • Good
  • Bad
  • Unclassified

This dashboard retrieves data from the McAfee Application Control extension.

For details about file reputation, see the product documentation for McAfee Application Control.

• Endpoint Scan Report — Displays the last scan details of the endpoints. This report is run every eight hours.
  • Endpoint — Displays the name of the endpoint.
  • IP Address — Displays the IP address of the endpoint.
  • Category — Displays the group/resource pool/host of the endpoint.
  • Operating System — Displays the operating system details.
  • Last Scan — Displays the last on-demand scan time for an endpoint with different anti-virus software.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.

• Endpoint Security Report — Displays the protection status of the endpoints. This report is run every eight hours.
  • Endpoint — Displays the name of the endpoint.
  • IP Address — Displays the IP address of the endpoint.
  • Virtual — Specifies whether the endpoint is a virtual system.
  • VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine) cloud.
  • Vendor — Displays the name of the cloud service provider of the endpoint.
  • Power Status — Specifies the power status of the endpoint.
  • Category — Displays the group/resource pool/host of the endpoint.
  • Operating System — Displays the operating system details.
  • AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software that is installed on the endpoint.
  • Firewall — Displays the name of the McAfee software with the firewall protection active on the endpoint.
  • Whitelisting — Specifies whether the whitelisting feature is enabled.
  • Access Protection — Displays the name of the McAfee software that provides access protection.
  • Memory Protection — Displays the name of the McAfee software that provides memory protection.
  • Last Communication — Displays the time details of the last server-client communication.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.


7 Frequently asked questions

Here are answers to frequently asked questions.

See KB87466 for more FAQs.

Installation

Can I install McAfee Agent on AWS instances using the McAfee ePO Agent Deployment URL feature and Amazon User Data?

Yes. For details, see KB85233.

Can I use scripts for Puppet, Chef, or Amazon OpsWorks to install and configure security solutions offered by Intel Security?

Yes.

• For Puppet sample scripts, see KB82585.

• For Chef sample scripts, see KB82584.

• For Amazon OpsWorks scripts, see KB82586.

What happens to my policies when I upgrade from Cloud Workload Discovery 4.0.0 to 4.5.0?

When upgrading from 4.0.0 to 4.5.0, since the policy structure has changed in the latest version, your previous policies, policy settings, and policy assignments are lost.

Configuration

How do I troubleshoot AWS instance connectivity issues?

See AWS documentation.

How many cloud accounts can I register under one McAfee ePO server?

There is no limit to the number of cloud accounts that can be registered under one McAfee ePO server.

How do I get the subscription ID, tenant ID, and client ID?

You can get your client ID, tenant ID, and subscription ID after creating an application. You need to configure your client key. You can create an application by following the steps listed in Create an application in the Microsoft Azure console. You can also run PowerShell scripts that automate this process. For details, see KB87316.

A firewall policy rule which has port as any, and IP address as 0.0.0.0/0 matches with what criteria?

This firewall policy rule matches with the following criteria.

In AWS,

| Port | IP |
| All | Anywhere (0.0.0.0/0) |
| 0-65535 | Anywhere (0.0.0.0/0) |

In Azure,

| Port | IP |
| * | * |
| 0-65535 | * |
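The matching criteria in the two tables above can be applied to an exported rule list to flag every rule that is open on all ports to any address. This is an added example, not code from the product; the record layout (`name`, `port`, `ip`) and the sample rules are constructed for illustration.

```python
import ipaddress
import re

FULL_RANGE = (0, 65535)
_CIDR = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}")


def port_span(spec):
    """Return (low, high) for a displayed port value such as 'All', '*', '443'
    or '0-65535'; None when the value cannot be parsed."""
    text = str(spec).strip().lower()
    if text in ("all", "*"):
        return FULL_RANGE
    low, _, high = text.partition("-")
    try:
        return int(low), int(high or low)
    except ValueError:
        return None


def is_anywhere(source):
    """True for '*' or a value carrying a /0 IPv4 CIDR, e.g. 'Anywhere (0.0.0.0/0)'."""
    text = str(source).strip()
    if text == "*":
        return True
    found = _CIDR.search(text)
    if not found:
        return False
    try:
        # Parse the CIDR instead of comparing strings, so that a value such as
        # 10.0.0.0/8 is not mistaken for 0.0.0.0/0.
        return ipaddress.ip_network(found.group(), strict=False).prefixlen == 0
    except ValueError:
        return False


def is_any_any(rule):
    """True when the rule covers ports 0-65535 and is open to any address."""
    return port_span(rule["port"]) == FULL_RANGE and is_anywhere(rule["ip"])


def unsafe_rules(rules):
    """Names of the rules that match the 'any port, anywhere' criteria."""
    return [rule["name"] for rule in rules if is_any_any(rule)]


# Constructed sample: the four table rows from the FAQ plus four near misses.
SAMPLE_RULES = [
    {"name": "aws-all", "port": "All", "ip": "Anywhere (0.0.0.0/0)"},
    {"name": "aws-range", "port": "0-65535", "ip": "Anywhere (0.0.0.0/0)"},
    {"name": "aws-ssh", "port": "22", "ip": "Anywhere (0.0.0.0/0)"},
    {"name": "aws-internal", "port": "0-65535", "ip": "10.0.0.0/8"},
    {"name": "az-star", "port": "*", "ip": "*"},
    {"name": "az-range", "port": "0-65535", "ip": "*"},
    {"name": "az-https", "port": "443", "ip": "*"},
    {"name": "az-internal", "port": "*", "ip": "10.1.0.0/16"},
]

if __name__ == "__main__":
    for name in unsafe_rules(SAMPLE_RULES):
        print("open to all ports from anywhere:", name)
```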

Functionality

When AWS instances are switched off, will they be reported "powered off" in McAfee ePO?

Yes. If the computers are managed, they are not deleted, even on termination. Unmanagedsystems, when terminated, are no longer seen in the McAfee ePO System Tree.

How long until a new instance gets discovered by the Cloud Workload Discovery?

After the synchronization occurs, the new instance is discovered. Synchronization depends on the Sync Interval that you specified. If you specify the sync interval as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync. You can also schedule a manual sync and the synchronization will start immediately.

What happens when an instance is terminated in EC2?

After the instance is terminated (and a synchronization occurs), the instance is no longer displayed in the McAfee ePO System Tree. However, any events from this instance are still present.

What are the reasons for my cloud account synchronisation to fail?

• Check your cloud account details. Your access key and secret key pair might have been disabled.

• Check if your network is connected.

• Check if your McAfee ePO system date and time is synchronized with internet date and time.

• Check if you are registering the same AWS account again in McAfee ePO.

Visualization of your cloud accounts

McAfee VirusScan Enterprise is installed on my instance, but the instance is still color-coded as red.

If your instance is not managed with this McAfee ePO then the status is shown as red. For assessment to show correct result, the instance should be managed by the same McAfee ePO.

When I try to detach a security group from my AWS instance it fails.

• If there is one NIC associated with an instance, and you are trying to detach a security group from it then it fails.

• If your instance is associated with multiple NICs and you are trying to detach a security group which is the only security group associated with another NIC, then also the detach fails.
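The detach constraint from the remediation task (a security group cannot be detached if it is the only security group associated with a NIC) and the multi-NIC failure described in this answer can be checked before attempting the detach. This is an added example, not product code; the function name, the NIC-to-groups mapping and the `eni-`/`sg-` identifiers are constructed for illustration.

```python
def plan_detach(nic_groups, group_id):
    """Decide whether group_id can be detached from an instance.

    nic_groups maps each NIC id of the instance to the list of security
    group ids attached to that NIC. The result reports whether the detach
    is allowed, which NICs block it, and the per-NIC groups afterwards.
    """
    attached = sorted(nic for nic, groups in nic_groups.items() if group_id in groups)
    if not attached:
        return {"allowed": False, "reason": "not attached",
                "blocking_nics": [], "after": None}

    # A NIC blocks the detach when the group is its only security group.
    blocking = [nic for nic in attached if set(nic_groups[nic]) == {group_id}]
    if blocking:
        return {"allowed": False, "reason": "only security group on a NIC",
                "blocking_nics": blocking, "after": None}

    after = {nic: [g for g in groups if g != group_id]
             for nic, groups in nic_groups.items()}
    return {"allowed": True, "reason": "ok", "blocking_nics": [], "after": after}


# Constructed inventories for three instances.
ONE_NIC_ONE_GROUP = {"eni-a": ["sg-open"]}
MULTI_NIC_BLOCKED = {"eni-a": ["sg-open", "sg-base"], "eni-b": ["sg-open"]}
MULTI_NIC_OK = {"eni-a": ["sg-open", "sg-base"], "eni-b": ["sg-open", "sg-db"]}

if __name__ == "__main__":
    for label, inventory in (("one NIC, one group", ONE_NIC_ONE_GROUP),
                             ("multi NIC, blocked", MULTI_NIC_BLOCKED),
                             ("multi NIC, allowed", MULTI_NIC_OK)):
        result = plan_detach(inventory, "sg-open")
        print(label, "->", result["reason"], result["blocking_nics"])
```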

I can't see the Virtual networks when I click Accounts.

If you just installed the Cloud Workload Discovery extension and completed registering your accounts, then wait for the synchronization and assessment to complete and then you can see your virtual networks in your accounts.


I can't see all the Virtual Networks in my account.

By default you can see all virtual networks that have at least one running workload. If your virtual network does not have any running workloads then it is not shown. Select the Show All filter on the Accounts panel to see all the virtual networks.

I can see some names and some IDs under Virtual Networks and Workloads.

By default you can see the names of your virtual networks and workloads. If they don't have a name then you can see their IDs.

Which vendor cloud accounts are supported in Cloud Workload Discovery dashboard?

Currently we support AWS and Microsoft Azure cloud accounts. Microsoft Azure classic accounts are not shown here.

I can't see IP traffic for some workloads on Cloud Workload Discovery dashboard.

• IP traffic records are available only for AWS workloads.

• If you can't view traffic for your AWS workloads, make sure that you have selected Enable Traffic Discovery for your AWS account.

• When creating IAM role for flow logs for your AWS account, make sure that the name of your role is McafeeFlowLogger.

My traffic discovery is disabled, but I can still see traffic details for AWS instances.

Data retention period for AWS traffic data is 7 days. So you might still see some traffic details until the retention period ends.

How long is the AWS traffic data stored in McAfee ePO?

Data retention period for AWS traffic data is 7 days.

Sometimes the Cloud Workload Discovery screen remains in collapsed state.

Do a browser refresh using F5.

Can I get a detailed server log file if McAfee Agent deployment fails?

Yes.

• From Menu | Automation | Server Task Log, look for Data Center: Auto Deploy McAfee Agent.

• Select the task with start date of your deployment task.

• Select a sub task with your machine IP address.

Can I get a detailed server log file if any product installation fails?

Yes.

• From Menu | Automation | Server Task Log, search for "wake up" task that has details about the feature.

• Select the task with start date of your deployment task.

• Select a sub task with your machine IP address.

Will the installation of McAfee Agent or any of the products time out?

If your McAfee ePO server does not receive the installation status of McAfee Agent or any of the products, it will be timed out after 60 minutes.

What number is displayed in the tool tip of Datacenter, Cluster, Hypervisor, or workloads?

The corresponding ID of the Datacenter, cluster, Hypervisor or the workload is displayed in the tool tip.
