
Product Guide

Cloud Workload Discovery 4.0.0


For use with McAfee ePolicy Orchestrator
COPYRIGHT
© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.

2 Cloud Workload Discovery 4.0.0 Product Guide


Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Product overview
    Security management of your cloud assets made easy
    Key features
    Components and what they do

2 Configuring the cloud accounts
    Configuring an AWS cloud account
        Create an AWS user
        Create a user permission policy
        Assign the policy to a user
        Create an IAM role with flow logs for your AWS account
        Register an AWS account
    Configuring Microsoft Azure cloud accounts
        Create an application in the Microsoft Azure console
        Where to find Subscription ID, Tenant ID, and Client ID
        Configure client key
        Set delegated permissions
        Assign the application to your subscription
        Register a Microsoft Azure account
        Register Microsoft Azure classic account
    Registered cloud account details
        Virtual machine details for AWS cloud account
        Virtual machine details for Microsoft Azure account

3 Managing policies with McAfee ePO
    Cloud Workload Discovery policies on McAfee ePO
    Where to find policies
    Create a new firewall policy
    Create a new anti-malware policy
    Assign custom policies to systems in your network

4 Visualization of your cloud accounts
    Problems or issues with your firewall settings or traffic
    Viewing account properties
    Instance properties
    Security group information for your instance
    McAfee anti-malware details on your instance
    Traffic details for your instance
    Apply McAfee ePO tags to VMs in your network

5 Remediation
    Remediate firewall rules
        Edit the security group rules
        Detach the security group from an instance

6 Queries and reports
    Predefined queries
        View default queries
    Create custom queries
    Dashboards and monitors
        Data Center and Public Cloud dashboards

7 Frequently asked questions

Index



Preface

This guide provides the information you need to work with your McAfee product.

Contents
About this guide
Find product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions
This guide uses these typographical conventions and icons.

Italic: Title of a book, chapter, or topic; a new term; emphasis
Bold: Text that is emphasized
Monospace: Commands and other text that the user types; a code sample; a displayed message
Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue: A link to a topic or to an external website
Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method
Tip: Best practice information
Caution: Important advice to protect your computer system, software installation, network, business, or data
Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation


On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.



1 Product overview

Cloud Workload Discovery enables you to discover, import, manage, and secure your Amazon Web
Services and Microsoft Azure virtual infrastructure using McAfee® ePolicy Orchestrator® (McAfee ePO™).

Contents
Security management of your cloud assets made easy
Key features
Components and what they do

Security management of your cloud assets made easy


Cloud Workload Discovery offers improved visibility and control to address the unique requirements of
public cloud security. It detects virtual instances, security groups, and virtual networks and imports
them into the McAfee ePO server.
Better control over your cloud infrastructure and its threats starts with better visibility across it.
Cloud Workload Discovery provides that visibility, together with threat information across your clouds
and security alerts, so that you can assess security issues in depth and act on them immediately.
• It integrates the management feature of McAfee ePO with the configured clouds, which host and
manage the VMs.

• It synchronizes periodically with the cloud, and imports the virtual infrastructure details to McAfee
ePO.

• You can choose to deploy the McAfee Agent to discovered instances during the discovery or after.
Then, other McAfee products can be installed on these discovered instances.

• It has an innovative dashboard to view and monitor the security compliance of your cloud assets.

• You can flag systems at risk and can take corrective actions.

• You can view traffic flow to and from your AWS instances, with traffic insights for AWS.

Key features
These features are important for your organization's security, protection, and performance.

Visualization of your cloud workloads


The user interface gives you a hierarchical view of your cloud accounts and their assets. You can
view the virtual networks, templates, and firewall (security group) information of your virtual
machines (VMs).


Security posture assessment


You can view potential threats and unsafe settings so that you can take appropriate actions.

You can view these details in your network configuration.


• Security settings that include unsafe firewall settings.

• Systems that do not have McAfee anti-malware products installed on them.

• Security status of suspicious external connections and blocked internal connections for your AWS
instances.

Security group management


You can view security group information for your virtual instances across your cloud accounts and see
how many instances are associated with any firewall (security group). You can also manage these
firewalls (security groups) by adding, editing, or deleting rules, and you can detach a firewall
(security group) from an instance.

Firewall audit and hardening


Cloud Workload Discovery assesses your cloud configuration and flags systems, templates, and virtual
networks that are at risk. You can immediately take appropriate actions and secure your assets.

IP traffic visibility and threat insights for AWS instances


You can view IP traffic flow from and to the instances in your AWS cloud network configuration. You
can also see the reputation of the traffic.

Support for Microsoft Azure Resource Manager


You can now discover, manage and secure the Microsoft Azure Resource Manager virtual infrastructure
with McAfee ePO.

Cloud usage metering


You can track the usage of running AWS and Microsoft Azure VMs with the metering feature. Usage is
tracked as the total CPU hours that an account consumes each month.

Components and what they do


Each component performs a specific function to discover, manage, and secure your cloud assets.
Amazon Web Services (AWS) — Collection of web services that make up the cloud computing
solution offered by Amazon.

Microsoft Azure — Cloud computing platform and infrastructure for building, deploying, and
managing applications and services through a global network of Microsoft-managed datacenters.

Virtual Machines (VMs) — An isolated guest operating system installation in a normal host
operating system that supports both virtual desktops and virtual servers.

Security Groups — A virtual firewall for your instances to control inbound and outbound traffic.

Network Security Groups — A list of rules in a Microsoft Azure virtual network that allow or deny
network traffic to your instances.

Azure Virtual Network — A logical isolation of the Azure cloud dedicated to your subscription.


AWS Virtual Private Cloud — A logically isolated section of Amazon Web Services cloud to launch
your AWS resources in a virtual network.

Template — A snapshot or image from which you can spin up instances in the AWS and Microsoft Azure
clouds.

Amazon Machine Image — Amazon Machine Image provides the information required to launch an
instance.

McAfee ePO — Management software that allows you to register a cloud account, so that you can
import your VMs and view them.

McAfee Agent — The client‑side component providing secure communication between McAfee ePO
and managed products.

McAfee Suites — Cloud Workload Discovery is in these suites.

• McAfee Server Security Essentials

• McAfee Server Security Advanced

• McAfee Public Cloud Server Security

For installation instructions, see the installation guide for McAfee Public Cloud Server Security Suite.



2 Configuring the cloud accounts

You must register cloud accounts with McAfee ePO to establish a connection to the McAfee ePO server.
McAfee ePO then discovers, imports, and displays the cloud asset information.
After registering the cloud accounts, you can view:
• Virtual networks, templates, and firewall (security group) information for your virtual machines in
Cloud Workload Discovery.

• Imported VMs and virtualization properties on the McAfee ePO System Tree.

Contents
Configuring an AWS cloud account
Configuring Microsoft Azure cloud accounts
Registered cloud account details

Configuring an AWS cloud account


Configure and register your AWS cloud accounts on McAfee ePO.

Create an AWS user


On the Amazon Web Services management console, create an AWS user with an Access Key ID and a
Secret Access Key.

Task
1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard.

3 From the Users section, click Create New Users.

4 Type a name for the user and select Generate an access key for each user.

5 Click Create.

6 Click Download Credentials and save the CSV file. The file contains both the Access Key ID and
the Secret Access Key. The secret is shown only once, so store the file securely and delete it after
you have entered the key in McAfee ePO.


Create a user permission policy


Create a policy with minimum required permissions for a user to use Cloud Workload Discovery.

Task
1 Log on to your Amazon Web Services management console.

2 From the Policies section, click Create New Policy.

3 On the Create Policy page, click Create Your Own Policy.


4 Type a name and description.

5 Copy and paste this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFlowLogs",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AttachVolume",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:List*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Assign the policy to a user


Assign the required permissions policy to the user on the Amazon Web Services management console,
so that you can register the AWS account with McAfee ePO.

Before you begin


• You must have created the required user.

• You must have created a required permissions policy.

Task
1 Log on to your Amazon Web Services management console.

2 From the Users section, select the user.

3 Select the policy that you made and then click Attach Policy.

Create an IAM role with flow logs for your AWS account
You must create an IAM role with flow log policies to access the IP traffic flow in your virtual networks.
Then you can view the IP traffic flows of your Virtual networks in Cloud Workload Discovery.

Task
1 Log on to your Amazon Web Services management console.

2 Select IAM to load the Identity and Access Management (IAM) dashboard, then open the Roles section
and start creating a new role.

3 Enter the name McafeeFlowLogger for your role, and then choose Next.
The role name must be exactly McafeeFlowLogger; it is case sensitive.

4 On the Select Role Type page, next to Amazon EC2, click Select.

5 On the Attach Policy page, click Next Step.

6 On the Review page, make a note of the ARN for your role. When you are ready, choose Create Role.

7 Open the role that you created.

8 Under Permissions, expand the Inline Policies section, and then select Click here.

9 Select Custom Policy, and then choose Select.


10 Copy this policy and paste it in the Policy Document window. Enter a name for your policy in Policy
Name, and then click Apply Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

11 Select Edit Trust Relationship. Delete any existing policy document. Copy and paste this policy, and click
Update Trust Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
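Both policy documents in this chapter grant their actions on Resource "*", and the user policy includes actions that change the account (deleting volumes and security groups, rewriting security group rules), so it pays to check them before and after anyone edits them. The following script is an added example, not McAfee's code: it embeds copies of the user permission policy from "Create a user permission policy", the McafeeFlowLogger role policy, and the role's trust policy, and checks that the product's actions are still granted (honouring IAM's case-insensitive names and "*" wildcards), lists the mutating actions granted on every resource, and confirms the role trusts only vpc-flow-logs.amazonaws.com. The REQUIRED_USER_ACTIONS list is an illustrative subset chosen here, not a McAfee-published list; every entry is covered by the guide's policy.

```python
"""Offline checks for the IAM documents in this chapter (added example).

Embeds the user permission policy, the McafeeFlowLogger role policy and the
role's trust policy as printed in the guide, then checks: (1) required
actions are still granted, (2) which mutating actions are granted on "*",
(3) the role trusts only the VPC flow logs service.
"""
import fnmatch
import json

USER_POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Resource": ["*"], "Action": [
    "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents",
    "logs:CreateLogStream", "logs:PutLogEvents"]},
  {"Effect": "Allow", "Resource": ["*"], "Action": [
    "ec2:Describe*", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateFlowLogs",
    "ec2:CreateSecurityGroup", "ec2:DeleteFlowLogs", "ec2:DeleteSecurityGroup",
    "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
    "ec2:AttachVolume", "ec2:CreateTags", "ec2:CreateVolume",
    "ec2:DeleteVolume", "ec2:DetachVolume"]},
  {"Effect": "Allow", "Resource": ["*"], "Action": ["iam:GetUser"]},
  {"Effect": "Allow", "Resource": ["*"],
   "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:List*"]}
 ]}""")

FLOW_LOG_ROLE_POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
   "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
   "logs:DescribeLogGroups", "logs:DescribeLogStreams"]}]}""")

FLOW_LOG_TRUST_POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "vpc-flow-logs.amazonaws.com"}}]}""")

# Illustrative subset (chosen here, not a McAfee-published list) of concrete
# API calls the product makes; each is covered above, some only via '*'.
REQUIRED_USER_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
    "ec2:CreateFlowLogs", "logs:FilterLogEvents", "iam:GetUser", "kms:ListKeys",
]
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Filter")


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def allows(policy, action):
    """True if an Allow statement's Action pattern matches `action`
    (IAM action names are case-insensitive and may end in '*')."""
    wanted = action.lower()
    return any(fnmatch.fnmatchcase(wanted, pattern.lower())
               for s in allow_statements(policy)
               for pattern in _as_list(s.get("Action", [])))


def missing_actions(policy, required):
    return [a for a in required if not allows(policy, a)]


def wildcard_writes(policy):
    """Mutating actions granted on every resource: the least-privilege hot spots."""
    found = set()
    for s in allow_statements(policy):
        if "*" not in _as_list(s.get("Resource", [])):
            continue
        for pattern in _as_list(s.get("Action", [])):
            name = pattern.split(":", 1)[-1]        # a bare "*" has no service prefix
            if not name.startswith(READ_ONLY_PREFIXES):
                found.add(pattern)
    return sorted(found)


def trusts_only(trust_policy, service):
    """True if every AssumeRole grant names exactly `service` and nothing else."""
    principals = set()
    for s in allow_statements(trust_policy):
        if "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False                            # "*", AWS or Federated principals
        principals.update(_as_list(principal["Service"]))
    return principals == {service}


if __name__ == "__main__":
    print("missing:", missing_actions(USER_POLICY, REQUIRED_USER_ACTIONS))
    print("writes on '*':", wildcard_writes(USER_POLICY))
    print("role trusts only flow logs:",
          trusts_only(FLOW_LOG_TRUST_POLICY, "vpc-flow-logs.amazonaws.com"))
```

To check what is actually attached in the account rather than the copy in this guide, replace the embedded documents with the output of the IAM policy-version and role lookups and run the same functions; the trust check is the one to repeat whenever the role is touched, because widening the principal lets other services or accounts assume a role that writes to your log groups.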

Register an AWS account


Register an AWS account with McAfee ePO so that McAfee ePO can communicate with the AWS cloud.

Before you begin


• Make sure that you have your AWS account and its details ready.

• AWS users must have an access key ID and a secret access key set up for them in the
AWS console.

• AWS users must have permissions to use Cloud Workload Discovery.

• To view IP traffic flows in your virtual network, the account you are registering with
McAfee ePO should have an IAM role with flow log policies.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• Make sure that your McAfee ePO system date and time is synchronized with internet
date and time.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account to open the Add
Cloud Account page.

3 From the Choose Connector drop-down list on the Description page, select Amazon Web Service, then click
OK.

4 On the AWS account details page, type these details:

• Name — Type a name for the AWS account in McAfee ePO. Account names can contain the characters
a-z, A-Z, 0-9, and [_.-], and no spaces.

• Access Key Id — Type the access key ID to log on to AWS.

• Secret Access Key — Type the secret access key to log on to AWS.

Each user can be configured to have an access key ID and secret access key in the AWS console.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this AWS account. Tag
names can contain the characters a-z, A-Z, 0-9, [_.-], and spaces. For details about tag usage,
see the product documentation for your version of McAfee ePO.

• Sync interval (In Minutes) — Specify the interval for McAfee ePO to AWS synchronization (default
5 minutes, maximum 60 minutes). The interval is measured from the completion of the current sync:
with a 5-minute interval, the next sync is scheduled 5 minutes after the current sync finishes.

5 Select Enable GovCloud if the AWS account belongs to the AWS GovCloud (US) region; otherwise, leave
it deselected.

6 Select Enable Traffic Discovery to discover and view traffic flow logs for instances in your AWS accounts.

7 Click Validate Parameters to validate the account details and verify the connection to the AWS cloud.

8 (Optional) To deploy McAfee Agent to the registered VMs, select Auto deploy McAfee Agent on VMs, and
type the credentials used to deploy the McAfee Agent package.

Make sure that the McAfee ePO server and the VMs in the AWS cloud can communicate with each
other.

9 Click Save to register the cloud account.

This action registers the AWS cloud and imports all discovered VMs, which are unmanaged, into the
System Tree. The instances are imported with the structure and hierarchy of the AWS cloud. The
VMs that are already added and managed by McAfee ePO are retained with the existing policy
settings.

10 View the imported VMs:


• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view, assess, and remediate your
cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. You can find your AWS account under the group
AWS. The virtual machines from AWS are logically grouped with the hierarchy AWS | Cloud account
name | Region | Availability zone | instances.

Configuring Microsoft Azure cloud accounts


Configure and register your Microsoft Azure cloud accounts on McAfee ePO.
You can configure and register both Microsoft Azure (Resource Manager) accounts and Microsoft Azure
classic accounts on McAfee ePO.
• For a Microsoft Azure account: you can view your cloud account details in the System Tree and on
the Cloud Workload Discovery dashboard.

• For a Microsoft Azure classic account: you can view your cloud account details in the System Tree
only.

Create an application in the Microsoft Azure console


Create an application in Microsoft Azure Active Directory to access the resources in your subscription.
After creating the application, you can also get its client ID and your tenant ID, and configure the
client key.

You can create the application in either of two ways:

• Log on to the Microsoft Azure portal and follow the steps below.

• Run the PowerShell scripts described in KB87316, which automate creating the application and
retrieving the tenant ID, client ID, and client key. The scripts write these details to the file
MicrosoftAzurecloudaccountdetails.txt.


Task
1 Log on to the Microsoft Azure portal and select Active Directory from the left pane.

2 Select the directory that you want to use for creating the application.

3 Click Applications and then click Add.

4 On the What do you want to do? page, select Add an application my organization is developing.

5 Type a name for your application and select WEB APPLICATION AND/OR WEB API and click Next.

6 Type the properties for your application. For SIGN-ON URL, give the URI to a website that describes
your application. The existence of the website is not validated. For APP ID URI, provide the URI that
identifies your application. The uniqueness or existence of the endpoint is not validated.

7 Click Complete to create your application.


Where to find Subscription ID, Tenant ID, and Client ID


After creating your application, make a note of its client ID and of your tenant ID and subscription ID.
• The subscription ID for your Microsoft Azure account is listed under Subscriptions | SUBSCRIPTION ID.

• Select the application that you created and click the Configure tab to see your Client ID.

• Click the VIEW ENDPOINTS button on the bottom pane to open the App Endpoints page. Your tenant ID
is the GUID that appears in each of the endpoint URLs listed on this page.


Configure client key


Configure your client key on Microsoft Azure Active Directory for your application.

Before you begin


You must have created your application in your Microsoft Azure Active Directory.

Task
1 Log on to the Microsoft Azure portal.

2 Select the application that you created and click the Configure tab.

3 Scroll down to the Keys section, select how long the key should be valid, and click Save to create
the key.
Copy the key that the portal displays; you cannot retrieve it after you leave this page. This key is
the credential that McAfee ePO uses to act as the application, so handle it like a password.

Set delegated permissions


Set the delegated permissions for your application.

Before you begin


You must have created your application.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Microsoft Azure portal.

2 Select the application that you created, then click the Configure tab.

3 Click Add Application.

4 From the list in the Name field, select Windows Azure Service Management API, then click Complete.

5 In the Permissions to other applications section, for Windows Azure Service Management API, set the
Delegated Permissions to Access Azure Service Management as organization.

Assign the application to your subscription


Assign a role to your application and also assign it to your Microsoft Azure subscription.

Before you begin


• You must have created an application in the Microsoft Azure console.

• Configure Client key for your application and set the delegated permissions.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the Microsoft Azure console, click Subscriptions.

2 Select your subscription, and click the Access icon.


3 Click Add | Select a role, then select Contributor.

4 Click Add users, search for your application, click Select, then click OK.

Your application is now assigned to your subscription. Contributor at subscription scope lets the
application manage every resource in the subscription (it cannot grant roles), so assign it only on
subscriptions that you intend to manage from McAfee ePO.

Register a Microsoft Azure account


Register a Microsoft Azure account with McAfee ePO so that McAfee ePO can communicate with the
Microsoft Azure cloud.

Before you begin


• Make sure that you have your Microsoft Azure account and its details ready.

• Create an application in the Microsoft Azure console.

• Get Client ID and Tenant ID from the Microsoft Azure console after creating the
application.

• Configure the Client key for your application.

• Set the delegated permissions for your application.

• Assign the newly created application to a role and to your Microsoft Azure cloud account
subscription.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• Make sure that your McAfee ePO system date and time is synchronized with internet
date and time.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.

3 From the Choose Connector drop-down list, select Microsoft Azure, then click OK.


4 On the Microsoft Azure Account details page, type these details:

• Name — A name for the Azure account in McAfee ePO. Account names can contain the characters a-z,
A-Z, 0-9, and [_.-], and no spaces.

• Azure Endpoint — The URL of Microsoft Azure endpoint.

The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud
provider.

• Subscription ID — Type your subscription ID. This is the ID that you get for your Microsoft Azure
subscription.

• Tenant ID — Type the unique ID of the organization in Microsoft Azure Active Directory.

• Client ID — Type your unique ID of the application.

• Client Key — Type your client secret key of the application.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag
names can contain the characters a-z, A-Z, 0-9, [_.-], and spaces. For details about tag usage,
see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud
(default 5 minutes, maximum 60 minutes). The interval is measured from the completion of the current
sync: with a 5-minute interval, the next sync is scheduled 5 minutes after the current sync finishes.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.

6 (Optional) To deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task
and type the credentials used to deploy the McAfee Agent package.

7 Click Save to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are
unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of
the Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with the existing policy
settings.

8 View the imported VMs:


• Select Menu | Systems | Cloud Workload Discovery on McAfee ePO to view your cloud asset information.

• Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you can find your account
under the group Azure. The VMs from each Microsoft Azure account are logically grouped under
different geographical zones in McAfee ePO.
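Validate Parameters tells you whether McAfee ePO could reach the subscription, but not which of the four values you typed is wrong when it could not. The following script is an added example, not McAfee's code, that exercises the same credentials outside McAfee ePO: it performs the Azure AD v1 client-credentials grant for the application created in "Create an application in the Microsoft Azure console", inspects the returned token's tid and appid claims against the tenant ID and client ID you intend to register, and then lists the subscription's VMs through Azure Resource Manager to prove the Contributor assignment from "Assign the application to your subscription". The endpoint, claim names, and api-version are Azure's; the IDs and key are the ones you supply on the command line.

```python
"""Check an Azure AD application's credentials before registering it in ePO
(added example, not McAfee's code)."""
import base64
import json
import time
import urllib.parse
import urllib.request

ARM_RESOURCE = "https://management.azure.com/"    # the API ePO calls on your behalf


def token_request(tenant_id, client_id, client_key):
    """URL and form body of the v1 client-credentials grant (no network here)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_key,
        "resource": ARM_RESOURCE,
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature. Acceptable only
    because the token came straight from Azure AD over TLS; never trust claims
    decoded this way from any other source."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, tenant_id, client_id, now=None):
    """List mismatches between the token and the values you will type into ePO."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')} is not tenant {tenant_id}")
    if claims.get("appid") != client_id:
        problems.append(f"appid {claims.get('appid')} is not client {client_id}")
    if (claims.get("aud") or "").rstrip("/") != ARM_RESOURCE.rstrip("/"):
        problems.append(f"aud {claims.get('aud')} is not the Resource Manager API")
    if claims.get("exp", 0) <= now:
        problems.append("token already expired: check the ePO server clock")
    return problems


def fetch_token(tenant_id, client_id, client_key):
    url, body = token_request(tenant_id, client_id, client_key)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_vms(token, subscription_id):
    """Exercise the Contributor assignment by listing the subscription's VMs."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/providers/Microsoft.Compute/virtualMachines?api-version=2016-03-30")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return [vm["name"] for vm in json.load(resp)["value"]]


if __name__ == "__main__":
    import sys
    tenant, client, key, subscription = sys.argv[1:5]
    token = fetch_token(tenant, client, key)
    for problem in check_claims(jwt_claims(token), tenant, client):
        print("WARN:", problem)
    print("VMs visible to the application:", list_vms(token, subscription))
```

Run it with the tenant ID, client ID, client key, and subscription ID as arguments. An error from the token endpoint points at the tenant ID, client ID, or key; a token whose claims do not match points at values copied from the wrong directory or application; an HTTP 403 from the VM listing means the role assignment on the subscription is missing. An expired token straight from Azure AD is the same clock problem that the "Before you begin" list warns about for the McAfee ePO server.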

Register Microsoft Azure classic account


Register a classic Microsoft Azure account with McAfee ePO so that McAfee ePO communicates with the
Microsoft Azure cloud.

Before you begin


• Make sure that you have Microsoft Azure classic account and its details ready.

• You must have installed the Cloud Workload Discovery extension on McAfee ePO.

• You must have your JKS or PFX certificate and Keystore Password for your Microsoft
Azure classic account. See Microsoft Azure documentation for more details.

• Make sure that your McAfee ePO system date and time is synchronized with internet
date and time.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Configuration | Registered Cloud Accounts, then click Actions | Add Cloud Account.


3 From the Choose Connector drop-down list, select Microsoft Azure Classic, then click OK.

4 On the Microsoft Azure Classic Account Details page, type these details:
• Name — A name for the Azure account in McAfee ePO. Account names can contain the characters a-z,
A-Z, 0-9, and [_.-], and no spaces.

• Azure Endpoint — The URL of Microsoft Azure endpoint.

The endpoint is pre-populated. Do not change the endpoint URL unless confirmed by the cloud
provider.

• Subscription ID — Type your subscription ID.

• Keystore (JKS/PFX) containing private key of management certificate — Upload your JKS/PFX certificate.

• Keystore Password — Type the password you specified for the JKS/PFX file.

For details about creating a .pfx file, see Microsoft Azure documentation.


• Tags — List of McAfee ePO tags that are applied to VMs discovered for this cloud account. Tag
name can include characters a–z, A–Z, 0–9, and [_.-], with space. For details about tag usage,
see the product documentation for your version of McAfee ePO.

• Sync interval (in Minutes) — Specify the interval for McAfee ePO to synchronize with the cloud (the
default value is 5 minutes. The maximum value is 60 minutes). If you specify the sync interval
as 5 minutes, the next sync is scheduled 5 minutes after the completion of the current sync.

5 Click Validate Parameters to validate the account details and verify the connection to the cloud.

6 (Optional) Deploy McAfee Agent on the registered VMs, select Create McAfee Agent deployment task and
type the credentials to deploy the McAfee Agent package.

7 Click Save to register the cloud account.

This action registers the Microsoft Azure cloud account and imports all discovered VMs, which are
unmanaged, into the System Tree. The instances are imported with the structure and hierarchy of the
Azure cloud.

The VMs that are already added and managed by McAfee ePO are retained with the existing policy
settings.

8 View the imported VMs: Select Menu | Systems | System Tree in McAfee ePO. After the discovery, you
can find your account under the group Azure. The VMs from each Azure account are logically
grouped under different geographical zones in McAfee ePO.

Registered cloud account details


After configuring and registering your cloud account with McAfee ePO, the account details are
displayed in Registered Cloud Accounts on the McAfee ePO server.

Property — Description
Name — Name of your cloud account.
Type — Name of the cloud account vendor.
Last Successful Sync — Displays the date and time of the last successful synchronization between McAfee ePO and your cloud account.
Last Sync Status — Displays the last synchronization status, including Sync Scheduled, Success, In Progress, and Failure. Hover your mouse over this property to see the start and end times of your account synchronization. If your account synchronization is in progress, you can see the sync start time.
Total VMs — Displays the number of VMs discovered for this account.
Running VMs — Displays the number of VMs that are up and running in this account.
Managed VMs — Displays the number of VMs that are managed by McAfee ePO.
Auto Deploy MA — Specifies if the administrator has enabled the Auto deploy McAfee Agent task for the registered cloud account.
Tags — Displays the tags of the VMs.
Actions — You can edit, delete, and synchronize the cloud account using McAfee ePO. When you delete an account, you have these options:
• Delete System Tree group corresponding to this account — Deletes all virtual machines and groups from this account.
• Delete Tags — Deletes the McAfee ePO tags for this account.
If you do not select any of these options, this action deletes only the account details.

Virtual machine details for AWS cloud account


After importing the discovered VMs from the cloud accounts, the VM details are displayed in the
System Tree.

To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree,
check for the tags of the system. The VMs imported are tagged with dc_vm_auto.

Property — Description
System Name — Displays the name of the VM.
Managed State — Specifies if the system is managed by McAfee Agent.
Tags — Displays the tag applied to this VM.
IP Address — Displays the IP address of the VM.
User Name — Displays the user name of the user logged on to the system.
Last Communication — Displays the time of the last synchronization.

You can view more details of your AWS account by selecting and adding the required column using the
Choose Columns option under System Tree | Actions. By default, these columns don't appear under System
Tree.

Property — Description
Vendor Name — Displays the name of the cloud vendor.
Account Name — Displays the name of the cloud account.
Unique ID — Displays the Unique ID of the instance.
Power Status — Displays if the instance is turned on or off.
Instance ID — Displays the unique value provided to the instance by AWS.
Instance Name — Displays the instance name as shown on the AWS console.
Image ID — Displays the unique value of the Amazon machine image with which the instance was created.
Private DNS name — Displays the private DNS name from AWS.
Public DNS name — Displays the public DNS name from AWS.
State Transition Reason — Displays the reason for the instance to move from one state to another, as reported by the AWS console.
Key Name — Displays the key name of the instance, which is provided during the launch.
Instance Type — Displays the hardware configuration selected for an instance during the launch.
Launch Time — Displays the time the instance was launched in AWS.
Availability Zone — Displays the region where the instance is created in AWS.
Platform — Specifies whether the platform is Microsoft Windows or Linux.
Private IP Address — Displays the private IP address from AWS.
Public IP Address — Displays the public IP address from AWS, which is accessed by McAfee ePO.
VPC ID — Displays the Amazon Virtual Private Cloud ID.
MAC Address — Displays the MAC address of an instance in the Amazon Virtual Private Cloud.
Architecture — Provides details about the hardware specifications of the processor. For example, x86_64, i386.
Virtualization Type — Displays the virtualization type of the VM, such as HVM or paravirtualization.
Tags — Displays the tags of the VMs.
Security Groups — Displays the security group details where the instance is linked in AWS.
Network Interfaces — Displays details about all network interfaces associated with the EC2 instance.

You can view the virtualization properties of the selected virtual machine by navigating to Menu |
Systems | System Tree and double-clicking the target virtual machine.


Virtual machine details for Microsoft Azure account


After importing the discovered VMs from the cloud accounts, the VM details are displayed in the
System Tree.

To distinguish VMs imported by the Cloud Workload Discovery from other systems in the System Tree,
check for the tags of the system. The VMs imported are tagged with dc_vm_auto.

VMs from your Microsoft Azure Classic account or Microsoft Azure accounts are displayed here.

Property — Description
System Name — Displays the name of the VM.
Managed State — Specifies if the system is managed by McAfee Agent.
Tags — Displays the tag applied to this VM.
IP Address — Displays the IP address of the VM.
User Name — Displays the user name of the user logged on to the system.
Last Communication — Displays the time of the last synchronization.

You can view more details of the cloud accounts by selecting and adding the required columns using
the Choose Columns option under System Tree | Actions. By default, these columns don't appear under
System Tree.

From Choose Columns, select Vendor, and you can see the name of the vendor for your cloud account.

Property — Description
Vendor Name — Displays the name of the cloud account vendor.
Account Name — Displays the name of the account in McAfee ePO.
Power Status — Displays if the system is in running or stopped state.
Created Time — Displays the time when the instance was created.
Image ID — Displays the unique image value provided to the instance from the cloud account.
Instance ID, Unique ID — Displays the unique value provided to the instance from the cloud account.
Instance Size — Displays the hardware configuration selected for an instance during the launch.
IP Address — Displays the IP address from the cloud account.
Last Modified Time — Displays the time when the instance was last modified in the cloud account.
Location — Displays the location of the instance.
Platform — Specifies whether the platform is Microsoft Windows or Linux.
Public DNS — Displays the public DNS name from the cloud account.
Virtual IP Address — Displays the virtual IP address of the instance.
Network Security Group — Displays the network security group associated with this instance.
Instance Endpoints — Displays the instance endpoints.

You can view the virtualization properties of the selected VM by navigating to Menu | Systems | System
Tree. Double-click the target VM and click the Virtualization tab.



3 Managing policies with McAfee ePO

Integrate and manage firewall and anti-malware policies using McAfee ePO software.
McAfee ePO provides centralized policy management and enforcement of your McAfee security
products and the systems where they are installed. It also provides comprehensive reporting and
product deployment capabilities through a single point of control.

Contents
Cloud Workload Discovery policies on McAfee ePO
Where to find policies
Create a new firewall policy
Create a new anti-malware policy
Assign custom policies to systems in your network

Cloud Workload Discovery policies on McAfee ePO


The default policies fit the broadest set of customer environments. You can tune these policies to fit
your environment.
Cloud Workload Discovery adds these categories in the Policy Catalog.

Category — Description
Assessment Rules - Firewall — This policy defines the firewall settings for the systems. You can set inbound rules for the systems. It also defines how the systems are flagged if they violate the specified rules.
Assessment Rules - Anti-Malware — This policy defines how the systems are flagged if McAfee Anti-Malware products are not installed.

Each policy category includes McAfee Default and My Default policies. Initially, the settings for both
policies are the same. You can use policies as is, edit My Default policies, or create policies.

Policy — Description
McAfee Default — Defines the out-of-the-box policy that takes effect if no other policy is applied. You can duplicate this policy, but you can't delete or change it.
My Default — Defines the customizable default policy for your environment. Modify this policy to create your own customized default.


Where to find policies


You can view and manage your firewall policies from two locations in the McAfee ePO console: the
Assigned Policies tab (Systems | System Tree | Assigned Policies tab for a selected group in the System
Tree) and the Policy Catalog tab (Systems | Policy Catalog).

Use the Policy Catalog to:

• Create policies.

• View and edit policy information.

• View where a policy is assigned.

• View the settings and owner of a policy.

• View assignments where policy enforcement is disabled.

Use the Assigned Policies tab to:


• View the available policies of a particular feature of the product.

• View details of the policy.

• View inheritance information.

• Edit policy assignment.

• Edit custom policies.

Create a new firewall policy


Create a custom firewall policy to suit your environment.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Discovery.

3 From the Category list, select Assessment Rules - Firewall.

4 Select New Policy, type a name for the policy, then click OK.

5 Click the name of an editable policy.

You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't
editable.

6 Specify which inbound firewall rules can come from which IP addresses and their severities.
Option — Definition
If inbound firewall rule to port — Select the inbound port from the list.
Is from — Enter the source IP address.
Then flag as — Select the flag value from Critical or Warning.

7 Click Save.

The new policy appears in the Policy Catalog.


Create a new anti-malware policy


Create a custom anti-malware policy to suit your environment.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Policy | Policy Catalog, then from the Product list, select Cloud Workload Discovery.

3 From the Category list, select Assessment Rules - Anti-Malware.

4 Click the name of an editable policy.

You can edit the My Default policies, or any policies that you create. McAfee Default policies aren't
editable.

5 Set If Anti-malware not installed then flag as to Warning or Safe.

6 Click Save.

The new policy appears in the Policy Catalog.

Assign custom policies to systems in your network


Assign the custom firewall or anti-malware policies to the systems in your network to suit your
environment.
When you assign custom policies to a set of systems, they are effective after the next synchronization.
If you want them to be effective immediately, then schedule a manual sync.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems | System Tree, then select your group of systems from the hierarchy.

3 From the Assigned Policies, you can see policies assigned to these systems. Click Edit Assignment.

4 Select Break inheritance and assign the policy and settings below for Inherit from.

5 Select your custom policy from the Assigned Policy list, then specify the values for other fields.

6 Click Save.



4 Visualization of your cloud accounts

After configuring and registering the cloud accounts with McAfee ePO, you can view your cloud account
information from Menu | Systems | Cloud Workload Discovery.
This graphical visualization of your cloud accounts gives you visibility into your cloud infrastructure
assets and their hierarchy.

The left Issues pane highlights any immediate issues or violations on your firewall settings or your IP
traffic settings.

The user interface is intuitive: you can expand and collapse the menus and select the appropriate
filters to view what you want.

Contents
Problems or issues with your firewall settings or traffic
Viewing account properties
Instance properties
Security group information for your instance
McAfee anti-malware details on your instance
Traffic details for your instance
Apply McAfee ePO tags to VMs in your network

Problems or issues with your firewall settings or traffic


Any issues or problems you have with your firewall settings or traffic settings are listed here.


These issues are due to:

• Security issues
  • Instances with security group rules that are not compliant with the firewall policy settings.
  • Instances that do not have McAfee anti-malware products installed on them.

• Traffic issues
  • Suspicious external connections
  • Blocked internal connections

Viewing account properties


The new Cloud Workload Discovery dashboard gives a holistic view of your cloud account and all its
aspects.

You can view:


• Accounts

• Virtual networks

• Templates

• Workload

• Virtual Machine properties

Accounts lists the cloud vendor accounts registered in McAfee ePO.


• Select your account and you can see the list of Virtual Networks in your account.

• Select the Virtual network and you can see the workloads under that Virtual Network.

• If you select the VM, you can see the system properties for that VM.

• If you have any VMs which are not grouped under any VPC, they are placed under Ungrouped VMs for
AWS instances.


By default, the view lists all virtual networks in your account that have at least one running instance. To
view all instances in your account, either running or stopped, select the Show All filter.

By default, the view shows Accounts | Virtual Networks | Workload. To see the templates in your virtual networks,
select the Group by Templates filter.

All account properties are color-coded to reflect their security status.


• Red - Critical

• Yellow - Warning

Templates and workloads that violate the security policies are classified as critical or warning and
color-coded accordingly. The classification depends on how you defined your policies in the McAfee ePO
Policy Catalog. If any one instance or template in your virtual network violates the security policies,
the virtual network is classified as critical and color-coded red.

Instance properties
View the properties of your virtual systems from your cloud account.

Property — Definition
Location — Displays the region of the instance as shown in your cloud account.
Instance ID — Displays the instance ID as shown in your cloud account.
Instance Name — Displays the instance name as shown in your cloud account.
Instance Type — Displays the hardware configuration selected for an instance during the launch.
Platform — Displays whether the platform is Microsoft Windows or Linux.
Private DNS Name — Displays the private DNS name from the cloud account.
Private IP Address — Displays the private IP address from the cloud account.
Public DNS Name — Displays the public DNS name from the cloud account.
Public IP Address — Displays the public IP address from the cloud account.
McAfee ePO Managed — Displays if this instance is managed by McAfee ePO.
Virtual Network ID — Displays the ID of the virtual network of this instance.
Power Status — Displays if this instance is running or if it is stopped.
McAfee ePO Tags — Displays McAfee ePO tags for this instance.

See also
Apply McAfee ePO tags to VMs in your network on page 41

Security group information for your instance


View all security groups associated with this instance. Based on the enterprise rules set, the status is
either red or yellow.
Select View details to view more information of your security groups.

Table 4-1 Firewall (Security Groups)


Property — Definition
Security Groups — Displays the name of the Security or Network Security group.
ID — Displays the ID of the Security or Network Security group.
Association — Displays how many instances this security or network security group is associated with.

Some VMs in Microsoft Azure accounts might not be associated with any security groups.

To view the rules in each security group, click Edit or double-click the security group.

Table 4-2 Rules


Property — Definition
Name — Name of the security group rule. For Azure instances, every security group rule has a name. This is not applicable for AWS instances.
Associated Instances — Displays other instances that are associated with this security group (firewall).
Type — Displays the protocol type. You can change the protocol type.
Protocol — Displays the protocol allowed.
Port range — Displays the port range allowed.
Priority — Displays the priority of this rule in the security group. Priority is applicable only for Microsoft Azure Network Security Groups.
Access — Displays if this is an allow rule or a deny rule for Microsoft Azure instances. You cannot edit the deny rules.
Source — Displays the source IP address. You can choose Anywhere to allow connections from all traffic or Custom IP to provide an IP address that you want to allow. For AWS instances you can also provide the security group for which you want to allow traffic.
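The following Python script is an added example, not Cloud Workload Discovery code, showing how an "If inbound firewall rule to port X is from Y then flag as Z" policy (step 6 of Create a new firewall policy) can be evaluated against the rule fields listed in the Rules table. It assumes policy sources are given as IP addresses or CIDRs, that AWS rules are all Allow with no priority, and that Azure Network Security Group rules are walked in priority order with a matching Deny rule shielding the port; the policy, rule set and security group ID are constructed.

```python
"""Flag security group rules against an Assessment Rules - Firewall style policy.

Constructed example, not product code. Rule fields follow the Rules table
(Name, Protocol, Port range, Source, Access, Priority); policy fields follow
the policy editor (port, source, flag).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY = {"Safe": 0, "Warning": 1, "Critical": 2}


@dataclass
class AssessmentRule:
    """'If inbound firewall rule to port <port> is from <source> then flag as <flag>'."""
    port: int
    source: str   # IP address or CIDR; 0.0.0.0/0 stands for Anywhere
    flag: str     # "Critical" or "Warning"


@dataclass
class SgRule:
    """One inbound security group / NSG rule as shown in the Rules table."""
    name: str
    protocol: str                   # "tcp", "udp" or "*" for any protocol
    port_from: int
    port_to: int
    source: str                     # CIDR, or a security group ID on AWS
    access: str = "Allow"           # Azure NSGs also carry Deny rules
    priority: Optional[int] = None  # Azure only: lower number is evaluated first


def _admits(rule_source: str, policy_source: str) -> bool:
    """True when every address in policy_source is covered by rule_source."""
    try:
        rule_net = ipaddress.ip_network(rule_source, strict=False)
    except ValueError:
        return False  # a security group reference (sg-...), not an address range
    policy_net = ipaddress.ip_network(policy_source, strict=False)
    return rule_net.version == policy_net.version and policy_net.subnet_of(rule_net)


def permitting_rule(rules: List[SgRule], port: int, protocol: str,
                    source: str) -> Optional[SgRule]:
    """Return the rule that lets traffic from source reach port, or None.

    Rules are walked in priority order (Azure semantics); AWS rules carry no
    priority and are all Allow, so the first match wins either way. A Deny
    rule that covers the whole policy source shields the port.
    """
    for rule in sorted(rules, key=lambda r: r.priority if r.priority is not None else 0):
        if rule.protocol not in ("*", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if not _admits(rule.source, source):
            continue
        return rule if rule.access.lower() == "allow" else None
    return None


def assess(rules: List[SgRule], policy: List[AssessmentRule],
           protocol: str = "tcp") -> Dict[str, object]:
    """Evaluate a security group against the policy; worst finding wins."""
    findings: List[Tuple[str, int, str]] = []
    for check in policy:
        rule = permitting_rule(rules, check.port, protocol, check.source)
        if rule is not None:
            findings.append((rule.name, check.port, check.flag))
    worst = max((SEVERITY[f[2]] for f in findings), default=0)
    flag = next(name for name, level in SEVERITY.items() if level == worst)
    return {"flag": flag, "findings": findings}


# Constructed policy: Internet-exposed SSH is Critical; RDP reachable from the
# constructed office address and Internet-exposed 8080 are Warnings.
POLICY = [
    AssessmentRule(22, "0.0.0.0/0", "Critical"),
    AssessmentRule(3389, "203.0.113.7/32", "Warning"),
    AssessmentRule(8080, "0.0.0.0/0", "Warning"),
]
# Constructed AWS security group (placeholder SG id for the app rule).
AWS_RULES = [
    SgRule("ssh-any", "tcp", 22, 22, "0.0.0.0/0"),
    SgRule("rdp-office", "tcp", 3389, 3389, "203.0.113.0/24"),
    SgRule("app", "tcp", 8080, 8080, "sg-0123456789abcdef0"),
]
# Constructed Azure NSG: the Deny at priority 100 shields SSH from the Allow at 200.
AZURE_RULES = [
    SgRule("DenyInternetSSH", "tcp", 22, 22, "0.0.0.0/0", access="Deny", priority=100),
    SgRule("AllowSSH", "tcp", 22, 22, "0.0.0.0/0", access="Allow", priority=200),
    SgRule("AllowRDP", "tcp", 3389, 3389, "0.0.0.0/0", access="Allow", priority=300),
]

if __name__ == "__main__":
    print("AWS:", assess(AWS_RULES, POLICY))      # Critical: ssh-any, rdp-office
    print("Azure:", assess(AZURE_RULES, POLICY))  # Warning: AllowRDP only
```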

McAfee anti-malware details on your instance


You can see if your instance has McAfee anti-malware software installed on it.
Your instance will be color-coded and classified as per the anti-malware policy that you set on McAfee
ePO Policy Catalog.

We check for the presence of McAfee anti-malware software such as McAfee VirusScan Enterprise or
McAfee VirusScan Enterprise for Linux.

If this product is installed on the instance, you can view these McAfee VirusScan Enterprise properties:
• McAfee Access Protection

• Buffer Overflow Detection

• On-Access General

• Email Detection

• On-Access ScriptScan

You can see if any of these properties are either enabled or disabled. For details see the product guide
for McAfee VirusScan Enterprise or McAfee VirusScan Enterprise for Linux.

To install McAfee Anti-Malware product (McAfee VirusScan Enterprise or McAfee VirusScan Enterprise
for Linux) on your instances, you can use McAfee ePO tags. You can tag this system with the McAfee
ePO tags related to product deployment tasks of these products. To know about product deployment
tasks and tags, see the product guide for your version of McAfee ePO.

See also
Apply McAfee ePO tags to VMs in your network on page 41

Traffic details for your instance


You can view the number of blocked internal connections and suspicious external connections to and
from your instance.
You can also see the number of ports that were active.

The traffic displayed here is the data accumulated over the past week, or since you installed the
extension if that is more recent. The traffic records are retained in McAfee ePO for 7 days.

On the AWS management console, we enable VPC flow log service and create a log file with the name
log_Mcafee_regionname for a particular region. You can view this log file from your VPC under Flow
Logs section on the AWS management console.


Click View details to see traffic properties.

Property — Definition
Traffic — Displays the number of blocked, inbound, and outbound connections to this instance.
Status — Displays if this traffic is blocked or allowed.
Direction — Displays if the traffic is Inbound (N-S), Outbound (N-S), Inbound (E-W), Outbound (E-W), Bi-Directional (E-W), or Bi-Directional (N-S). N-S indicates external traffic and E-W indicates internal traffic.
From/To — Displays the source IP address or the destination IP address for the traffic to this instance.
Port — Displays the port number.
Protocol — Displays the protocol name.

If any instance is receiving traffic from multiple IP addresses from the same port, protocol, status, and
direction, the From/To field lists multiple IP addresses. You can view the different IP addresses by
generating a report from Queries and Reports.

You can unblock your internal connections and block your external connections by remediating your
security groups. Click Firewall (Security Groups) to open the security groups associated with this instance.
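As an added illustration, not product code, the Python script below groups AWS VPC flow log records the way the Traffic view does: one row per port, protocol, status and direction, with several peer addresses collected under From/To, plus counts of blocked internal (E-W) and external (N-S) connections and the active inbound ports. It assumes the default VPC flow log record format and that the instance's private IP and the VPC CIDR are known; the log lines are constructed.

```python
"""Summarize VPC flow log records per instance, Traffic-view style.

Constructed example, not product code. Assumes the default flow log record
layout: version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

PROTO_NAMES = {"6": "TCP", "17": "UDP", "1": "ICMP"}

# Constructed records for one interface; the last line is a NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51234 22 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.25 44321 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 50010 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 50011 3306 6 8 640 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 40000 443 6 12 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_records(text: str) -> List[Dict[str, object]]:
    """Parse default-format records; skip malformed lines and NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue
        records.append({
            "srcaddr": fields[3],
            "dstaddr": fields[4],
            "dstport": int(fields[6]),
            "protocol": PROTO_NAMES.get(fields[7], fields[7]),
            "action": fields[12],
        })
    return records


def summarize_traffic(text: str, instance_ip: str, vpc_cidr: str) -> Dict[str, object]:
    """Group flows for instance_ip by (direction, port, protocol, status).

    Direction follows the Traffic view: Inbound/Outbound relative to the
    instance, E-W when the peer is inside the VPC CIDR, otherwise N-S.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    peers = defaultdict(set)  # (direction, port, protocol, status) -> peer IPs
    for rec in parse_flow_records(text):
        if rec["dstaddr"] == instance_ip:
            flow, peer = "Inbound", rec["srcaddr"]
        elif rec["srcaddr"] == instance_ip:
            flow, peer = "Outbound", rec["dstaddr"]
        else:
            continue  # belongs to another interface
        scope = "E-W" if ipaddress.ip_address(peer) in vpc else "N-S"
        status = "Blocked" if rec["action"] == "REJECT" else "Allowed"
        peers[(f"{flow} ({scope})", rec["dstport"], rec["protocol"], status)].add(peer)

    rows = [
        {"direction": d, "port": p, "protocol": pr, "status": s, "from_to": sorted(ips)}
        for (d, p, pr, s), ips in sorted(peers.items())
    ]
    return {
        "rows": rows,
        # Blocked internal connections: rejected E-W flows.
        "blocked_internal": sum(
            1 for r in rows if r["status"] == "Blocked" and "(E-W)" in r["direction"]),
        # External connections: every N-S flow, inbound or outbound.
        "external": sum(1 for r in rows if "(N-S)" in r["direction"]),
        # Ports that accepted inbound traffic (assumed meaning of "active").
        "active_ports": sorted({
            r["port"] for r in rows
            if r["status"] == "Allowed" and r["direction"].startswith("Inbound")}),
    }


if __name__ == "__main__":
    summary = summarize_traffic(SAMPLE_FLOW_LOG, "10.0.1.25", "10.0.0.0/16")
    for row in summary["rows"]:
        print(row)
    print("blocked internal:", summary["blocked_internal"],
          "external:", summary["external"], "active ports:", summary["active_ports"])
```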

See also
Create custom queries on page 48
Remediate firewall rules on page 43


Apply McAfee ePO tags to VMs in your network


Tags are used to identify and sort systems. They can also be used to select groups of systems and
simplify the creation of tasks and queries.

Task
Use this option to apply tags to your VM. You can manage your tags from Menu | Systems | Tag Catalog.
For details about managing tags, see the product documentation for your version of McAfee ePO. For
details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Systems Section | Cloud Workload Discovery.

3 Select a VM from Accounts | VPCs | Templates | Workload.

4 On the Summary pane, click Add Tag.

5 Specify a name for your tag and click the green check mark.



5 Remediation

Secure the instances in your network by correcting your firewall settings.

Remediate firewall rules


To protect and secure your cloud instances that are classified as red, correct the firewall rules.
You can correct the firewall settings from:
• Policy Catalog: See Where to find policies.

• Issues: Select Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings,
select a system and select Security | Security Groups | View details.

• Accounts | Virtual Networks, then select a VM. You can view and correct the firewall rules from Security |
Security Groups | View details.

• For AWS instances, Select Accounts | Virtual Networks | Workloads, then select a VM. You can view and
correct the firewall rules from Traffic | View details | Firewall (Security Groups).

Tasks
• Edit the security group rules on page 43
Change the rules in your security group policy and secure your critical instances.
• Detach the security group from an instance on page 44
To secure your critical systems, remove the association of the security group to your AWS
instance.

Edit the security group rules


Change the rules in your security group policy and secure your critical instances.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select the critical system and its security group policy from:
• Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings

• Menu | Systems section | Cloud Workload Discovery | Accounts | Virtual Networks | Workloads, then select a VM.
Select Security | Firewall (Security Groups)

3 Click View details to see security groups, select one and click Edit to edit the security group policy. The
non-compliant rules are highlighted by a red dot.

4 Edit the security group rules by changing Type, Protocol, Port range, or Source. For Microsoft Azure
instances, you cannot edit rules that have Access as Deny.


5 While editing Source, you can choose Anywhere to allow connections from all traffic or Custom IP to
provide an IP address that you want to allow. For AWS instances you can also provide the security
group for which you want to allow traffic.

6 To add a rule, select Add rule and type in the values.

7 To delete a non-compliant rule, click the delete icon.

8 Click Apply Changes.


You can see the action details for edit, delete, update, or add in Menu | User Management | Audit Log.

Detach the security group from an instance


To secure your critical systems, remove the association of the security group to your AWS instance.
• If your workload has only one security group associated with it, then you cannot detach it.

• A security group that is associated with this workload can also be associated with many NICs.

• You cannot detach a security group if it is the only security group associated with a NIC.

• You can detach a security group only from your AWS instances.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Select the critical system and its security group policy from:
• Menu | Systems section | Cloud Workload Discovery | Issues | Security | Unsafe Firewall Settings

• Menu | Systems section | Cloud Workload Discovery | Accounts | Virtual Networks | Workloads then select a VM.
Select Security | Firewall (Security Groups)

3 Click View details to see security groups associated with this instance.

4 Select one of them and click Detach to detach the security group policy from this instance.
You can see the detach failure or success details in Menu | User Management | Audit Log.

6 Queries and reports

With the Cloud Workload Discovery, you can quickly generate a summary view of all registered Data
Centers.
The predefined queries and dashboards provide out-of-the-box functionality, because they are added to
your McAfee ePO server when the software is installed. You can configure these queries to display
results in charts or tables, which you can use as dashboard monitors. Query results can be exported to
several formats, which you can download or send as an attachment to an email message.

You can view the list of predefined queries for the Data Centers from Queries and reports | McAfee Groups |
Data Center.

You can view the list of predefined queries for the public cloud accounts from Queries and reports | McAfee
Groups | Public Cloud.

Contents
Predefined queries
Create custom queries
Dashboards and monitors

Predefined queries
You can use predefined queries as is, edit them, or create queries from events and properties stored in
the McAfee ePO database.

To create custom queries, your assigned permission set must include the ability to create and edit
private queries.


Data Center provides these predefined queries:

Query: Anti-Malware Status
Specifies whether the system is in one of these states:
• Application Control Enabled — These VMs have McAfee® Application Control installed and enabled.
• Only Anti-Virus Enabled — These VMs have a McAfee anti-malware product installed and enabled.
• Unprotected — These VMs don't have any McAfee anti-malware product enabled.

Query: Application Reputation
Categorizes the applications based on McAfee® Global Threat Intelligence (McAfee GTI™) file reputation:
• Good
• Bad
• Unclassified
For details about file reputation, see the product documentation for McAfee Application Control.

Query: AV Protection by Product
Displays the anti-virus protection status of McAfee products.

Query: Security Incidents (last 14 days)
Displays the events reported for these components on the VMs in the last 14 days.
• Antivirus
• Firewall
• Memory Protection

Query: Data Centers
Displays all registered data centers.

Query: File Integrity Monitoring Status
Displays the number of VMs with File Integrity Monitoring (FIM) installed and enabled.
For details about FIM, see the product documentation for McAfee® Change Control.

Query: Host Firewall Status
Specifies whether the system is in one of these states:
• Firewall Enabled — These VMs have McAfee® Host Intrusion Prevention (McAfee Agent-based) installed.
• Not in use — These VMs don't have McAfee Host Intrusion Prevention (McAfee Agent-based) installed.

Query: OS Distribution
The OS Type shows the template value selected while creating the VMs. However, it might not be the actual operating system installed on the VM.

Query: Boot Attestation Status of Hypervisors
Displays the boot attestation status of VMs. For details, see the product documentation for McAfee® Boot Attestation Service.

Query: Usage Metering Report
Displays the usage of cloud accounts in number of hours per month.
• CPU cores->Usage Month — Specifies if the CPU cores used are single, dual or quad core plus and the usage month.
• Sum of: Hours used — Specifies the sum of usage hours.

Query: Endpoint Scan Report
Displays the details of the last scan of the endpoints.
Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.
• Endpoint — Displays the name of the endpoint.
• IP Address — Displays the IP address of the endpoint.
• Category — Displays the group/resource pool/host of the endpoint.
• Operating System — Displays the operating system details.
• Last Scan — Displays the last on-demand scan time for an endpoint with anti-virus software.

Query: Endpoint Security Report
Displays the protection status of the endpoints.
Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports server task from Menu | Automation | Server Tasks.
• Endpoint — Displays the name of the endpoint.
• IP Address — Displays the IP address of the endpoint.
• Virtual — Specifies whether the endpoint is a virtual system.
• VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine) cloud.
• Vendor — Displays the name of the cloud service provider of the endpoint.
• Power Status — Specifies the power status of the endpoint.
• Category — Displays the group/resource pool/host of the endpoint.
• Operating System — Displays the operating system details.
• AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software installed on the endpoint.
• Firewall — Displays the name of the McAfee software with the firewall protection active on the endpoint.
• Whitelisting — Specifies whether the whitelisting feature is enabled.
• Access Protection — Displays the name of the McAfee software that provides access protection.
• Memory Protection — Displays the name of the McAfee software that provides memory protection.
• Last Communication — Displays the time details of the last server-client communication.

Query: Instance Assessment Status
Displays the number of instances that are classified as critical and the number of instances that are classified as warning.

Query: Data Protection per Cloud VM
Displays the number of VMs that are encrypted and not encrypted.
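The Anti-Malware Status, Host Firewall Status and File Integrity Monitoring Status queries each sort a VM into one of a few states and then count the VMs per state. The script below is an added example that reproduces that classification over constructed endpoint records; it is not McAfee ePO code, and the record field names (app_control, anti_virus, hips_installed, fim) are assumptions chosen for illustration, not the ePO schema.

```python
"""Classify endpoint records into the states reported by the Data Center
predefined queries (Anti-Malware Status, Host Firewall Status and File
Integrity Monitoring Status) and count the VMs in each state.

Added, stand-alone example, not McAfee ePO code. The records and their
field names are constructed for illustration and are not the ePO schema.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample endpoint records (assumed field names, not ePO's).
SAMPLE_ENDPOINTS: List[Dict] = [
    {"name": "web-01", "app_control": True,  "anti_virus": True,
     "hips_installed": True,  "fim": "enabled"},
    {"name": "web-02", "app_control": False, "anti_virus": True,
     "hips_installed": False, "fim": "disabled"},
    {"name": "db-01",  "app_control": False, "anti_virus": False,
     "hips_installed": True,  "fim": "not_installed"},
    {"name": "tmp-07", "app_control": True,  "anti_virus": False,
     "hips_installed": False, "fim": "enabled"},
]


def anti_malware_status(endpoint: Dict) -> str:
    """Map one endpoint to the Anti-Malware Status query's three states.

    Application Control is checked first: a VM with both Application Control
    and an anti-virus product enabled is reported as "Application Control
    Enabled"; "Only Anti-Virus Enabled" is reserved for VMs without it.
    """
    if endpoint.get("app_control"):
        return "Application Control Enabled"
    if endpoint.get("anti_virus"):
        return "Only Anti-Virus Enabled"
    return "Unprotected"


def host_firewall_status(endpoint: Dict) -> str:
    """Host Firewall Status depends only on whether Host Intrusion
    Prevention (McAfee Agent-based) is installed."""
    return "Firewall Enabled" if endpoint.get("hips_installed") else "Not in use"


def fim_status(endpoint: Dict) -> str:
    """File Integrity Monitoring Status: Enabled / Not enabled / Not installed."""
    return {"enabled": "Enabled", "disabled": "Not enabled"}.get(
        endpoint.get("fim"), "Not installed")


def summarize(endpoints: Iterable[Dict]) -> Dict[str, Dict[str, int]]:
    """Count endpoints per state for each query, the shape a pie-chart
    monitor plots. Every state is present in the output, even with a count
    of 0, so a missing slice is not mistaken for a missing state."""
    counts = {
        "Anti-Malware Status": Counter({s: 0 for s in (
            "Application Control Enabled", "Only Anti-Virus Enabled", "Unprotected")}),
        "Host Firewall Status": Counter({s: 0 for s in (
            "Firewall Enabled", "Not in use")}),
        "File Integrity Monitoring Status": Counter({s: 0 for s in (
            "Enabled", "Not enabled", "Not installed")}),
    }
    for ep in endpoints:
        counts["Anti-Malware Status"][anti_malware_status(ep)] += 1
        counts["Host Firewall Status"][host_firewall_status(ep)] += 1
        counts["File Integrity Monitoring Status"][fim_status(ep)] += 1
    return {query: dict(c) for query, c in counts.items()}


def unprotected_vms(endpoints: Iterable[Dict]) -> List[str]:
    """Names of VMs with no McAfee anti-malware product enabled: the
    drill-down an administrator opens first from the Unprotected slice."""
    return [ep["name"] for ep in endpoints
            if anti_malware_status(ep) == "Unprotected"]


if __name__ == "__main__":
    for query, states in summarize(SAMPLE_ENDPOINTS).items():
        print(query, states)
    print("Unprotected:", unprotected_vms(SAMPLE_ENDPOINTS))
```

The precedence in anti_malware_status is the point to notice: because "Only Anti-Virus Enabled" excludes VMs that also run Application Control, the three slices of the pie are disjoint and add up to the total VM count, which is what lets the Unprotected count be read directly as a coverage gap.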

View default queries


Run the predefined queries to generate reports based on Data Center components.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports.

3 From the Groups pane, select Data Center to display the queries for the selected group. Reports are
grouped under McAfee Groups.

4 From the Queries list, select a query, then click Run.

5 In the query results page, click any item in the results to drill down further.

6 Click Close when finished.

Create custom queries


You can create custom queries that retrieve and display the details related to the Usage Metering
Report and IP traffic reports. With the Query Builder wizard, you can configure which data is retrieved
and displayed, and how it is displayed.

Before you begin


You must have administrator rights to perform this task.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Reporting | Queries & Reports, then click Actions | New to open the Query Builder wizard.

3 To view Usage Metering records, select Public Cloud on the Feature Group list and, on the Result Type page,
select Usage Metering records, then click Next.
If you have upgraded from 3.6.1 to this version, you can also see Usage Metering Report - Legacy to view
the old usage metering reports.

4 To view IP traffic reports for your AWS instances, select Data Center on the Feature Group list and on the
Result Type page, select Amazon Network Traffic Logs, then click Next.

5 Select the type of chart or table to display the primary results of the query, then click Next to open
the Columns page.
If you select Boolean Pie Chart, you must configure the criteria to include in the query.

6 Select the columns to include in the query, then click Next to open the Filter page.
If you selected Table on the Chart page, the columns you select here are the columns of that
table. Otherwise, these are the columns that make up the query details table.

7 Select properties to narrow the search results, then click Run.


The Unsaved Query page displays the results of the query, which is actionable. You can take any
available actions on items in any tables or drill-down tables. Selected properties appear in the
content pane with operators that can specify criteria to narrow the data that is returned for that
property.
• If the query does not return the expected results, click Edit Query to go back to the Query Builder
and edit the details of this query.

• If you don’t want to save the query, click Close.

• If this is a query you want to use again, click Save and continue to the next step.

8 On the Save Query page, type a name for the query, add any notes, and select one of these options:
• New Group — Type the new group name and select whether the group is private or public.

• Existing Group — Select the group from the list of Shared Groups.

9 Click Save.

Dashboards and monitors


Dashboards, which are composed of monitors, help you track key metrics from all Data Center
products.
Reports are grouped under McAfee Dashboards at Menu | Queries and reports | Groups.

Data Center and Public Cloud dashboards


The Data Center and the Public Cloud dashboards are added to your McAfee ePO server when you
install the software.
• The Data Center dashboard displays a collection of monitors based on the results of the default
data center software queries.

• The Public Cloud dashboard displays the collection of monitors for default public cloud account
queries.

The data in these monitors on the dashboard is refreshed every 15 minutes.

The default monitors that appear under these dashboards are:

• Data Centers — Displays all registered data centers.

• OS Distribution — Displays the operating system type. It shows the template value selected while
creating the VMs. However, it might not be the actual operating system installed on the VM.

• Security Incidents (last 14 days) — Specifies events reported for these components on the VMs in the last
14 days.
• Application Control

• Antivirus

• Firewall

• Memory Protection

• Anti-Malware Status — Displays the state of the VM.


• Application Control Enabled — These VMs have McAfee Application Control installed and enabled.

• Only Anti-Virus Enabled — These VMs have a McAfee anti-virus product installed and enabled.

• Unprotected — These VMs don't have any McAfee anti-malware product enabled.

• Host Firewall Status — Displays the state of the system.


• Firewall Enabled — These VMs have McAfee Host Intrusion Prevention installed.

• Not in use — These VMs don't have McAfee Host Intrusion Prevention installed.

• File Integrity Monitoring Status — Displays the number of VMs with File Integrity Monitoring (FIM)
installed and enabled.
• Enabled — File Integrity Monitoring is enabled on these VMs.

• Not enabled — File Integrity Monitoring is disabled on these VMs.

• Not installed — File Integrity Monitoring isn't installed on these VMs.

For more details about FIM, see the product documentation for McAfee Change Control.

• Instance Assessment Status — Displays the number of instances that are classified as critical and the
number of instances that are classified as warning.

• Data protection per Cloud VM — Displays the number of VMs that are encrypted versus the number of
VMs that are not encrypted.
• Encrypted — These VMs are encrypted.

• Not Encrypted — These VMs are not encrypted.

• Usage Metering Report — Displays the usage of running AWS and Microsoft Azure cloud instances, in
number of hours per month.

You can see how many hours are used by your single core, dual core, and your quad core instances
for every month.

• Application Reputation — Categorizes the applications based on McAfee GTI file reputation.
• Good

• Bad

• Unclassified

This dashboard retrieves data from the McAfee Application Control extension.

For details about file reputation, see the product documentation for McAfee Application Control.

• Boot Attestation Status for Hypervisors — Displays the Boot Attestation status of vCenter hypervisors. For
details, see the product documentation for Boot Attestation Service.

• Endpoint Scan Report — Displays the last scan details of the endpoints. This report is run every eight
hours.
• Endpoint — Displays the name of the endpoint.

• IP Address — Displays the IP address of the endpoint.

• Category — Displays the group/resource pool/host of the endpoint.

• Operating System — Displays the operating system details.

• Last Scan — Displays the last on-demand scan time for an endpoint with different anti-virus
software.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports
server task from Menu | Automation | Server Tasks.

• Endpoint Security Report — Displays the protection status of the endpoints. This report is run every
eight hours.
• Endpoint — Displays the name of the endpoint.

• IP Address — Displays the IP address of the endpoint.

• Virtual — Specifies whether the endpoint is a virtual system.

• VM Classification — Specifies if the VM is a part of public (Cloud Machine) or private (Virtual Machine)
cloud.

• Vendor — Displays the name of the cloud service provider of the endpoint.

• Power Status — Specifies the power status of the endpoint.

• Category — Displays the group/resource pool/host of the endpoint.

• Operating System — Displays the operating system details.

• AntiVirus/Antimalware — Displays the name of the McAfee anti-virus and anti-malware software that
is installed on the endpoint.

• Firewall — Displays the name of the McAfee software with the firewall protection active on the
endpoint.

• Whitelisting — Specifies whether the whitelisting feature is enabled.

• Access Protection — Displays the name of the McAfee software that provides access protection.

• Memory Protection — Displays the name of the McAfee software that provides memory protection.

• Last Communication — Displays the time details of the last server-client communication.

Best Practice: To get accurate data in this report, first run the Data Center: Compute Endpoint Reports
server task from Menu | Automation | Server Tasks.


7 Frequently asked questions

Here are answers to frequently asked questions.

See KB87466 for more FAQs.

Installation
Can I install McAfee Agent on AWS instances using the McAfee ePO Agent Deployment URL
feature and Amazon User Data?
Yes. For details, see KB85233.
Can I use scripts for Puppet, Chef, or Amazon OpsWorks to install and configure security
solutions offered by Intel Security?
Yes.
• For Puppet sample scripts, see KB82585.

• For Chef sample scripts, see KB82584.

• For Amazon OpsWorks scripts, see KB82586.

Configuration
How do I troubleshoot AWS instance connectivity issues?
See AWS documentation.
How many cloud accounts can I register under one McAfee ePO server?
There is no limit to the number of cloud accounts that can be registered under one McAfee ePO
server.
How do I get a subscription ID and JKS or PFX certificate for a Microsoft Azure classic
account?
See Microsoft Azure documentation.
How do I get the subscription ID, tenant ID, and client ID?
You can get your client ID, tenant ID, and subscription ID after creating an application. You also
need to configure your client key. You can create an application by following the steps listed in
Create an application in the Microsoft Azure console. You can also run PowerShell scripts that
automate this process. For details, see KB87316.
A firewall policy rule that has port set to any and IP address set to 0.0.0.0/0 matches which
criteria?
This firewall policy rule matches these provider rules.
In AWS:

Port      IP
All       Anywhere (0.0.0.0/0)
0-65535   Anywhere (0.0.0.0/0)

In Azure:

Port      IP
*         *
0-65535   *
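The two tables above give the provider-side rules that the "any port, 0.0.0.0/0" policy rule covers. As an added example, not product code, the script below applies exactly those criteria to constructed rule records and reports which ones are matched, which is the same check a reviewer would run to find security groups open to every port from everywhere. The dictionaries are modelled loosely on AWS security group permissions (IpProtocol, FromPort, ToPort, IpRanges) and Azure network security group rules (destinationPortRange, sourceAddressPrefix), simplified for illustration; they are not the exact provider schemas, and the sample rules are constructed.

```python
"""Check whether cloud provider firewall rules match the Cloud Workload
Discovery policy rule "port: any, IP address: 0.0.0.0/0", using the AWS and
Azure criteria listed in the FAQ.

Added example, not product code. The rule dictionaries are constructed to
resemble AWS security group permissions and Azure network security group
rules, simplified for illustration; they are not the exact provider schemas.
"""
from typing import Dict, List


def aws_port_is_any(rule: Dict) -> bool:
    """AWS: "All" traffic (IpProtocol "-1", no port fields) or the full
    0-65535 range both count as port "any"."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def aws_ip_is_anywhere(rule: Dict) -> bool:
    """AWS: "Anywhere" means a 0.0.0.0/0 CIDR among the rule's IP ranges."""
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))


def aws_matches_any_any(rule: Dict) -> bool:
    return aws_port_is_any(rule) and aws_ip_is_anywhere(rule)


def azure_port_is_any(rule: Dict) -> bool:
    """Azure: destination port "*" or the full 0-65535 range."""
    return rule.get("destinationPortRange") in ("*", "0-65535")


def azure_ip_is_any(rule: Dict) -> bool:
    """Azure: source address prefix "*". The FAQ lists only "*", so a
    service tag such as "Internet" is deliberately not treated as a match."""
    return rule.get("sourceAddressPrefix") == "*"


def azure_matches_any_any(rule: Dict) -> bool:
    return azure_port_is_any(rule) and azure_ip_is_any(rule)


def find_any_any(aws_rules: List[Dict], azure_rules: List[Dict]) -> Dict[str, List[int]]:
    """Indexes of the rules, per provider, that the any/any policy rule covers."""
    return {
        "aws": [i for i, r in enumerate(aws_rules) if aws_matches_any_any(r)],
        "azure": [i for i, r in enumerate(azure_rules) if azure_matches_any_any(r)],
    }


# Constructed AWS-style rules (modelled on EC2 IpPermissions entries).
AWS_RULES: List[Dict] = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # All, Anywhere
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                           # 0-65535, Anywhere
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                           # one port only
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},     # all ports, internal only
]

# Constructed Azure-style rules (modelled on NSG security rule properties).
AZURE_RULES: List[Dict] = [
    {"destinationPortRange": "*", "sourceAddressPrefix": "*"},
    {"destinationPortRange": "0-65535", "sourceAddressPrefix": "*"},
    {"destinationPortRange": "3389", "sourceAddressPrefix": "*"},
    {"destinationPortRange": "*", "sourceAddressPrefix": "Internet"},
]

if __name__ == "__main__":
    print(find_any_any(AWS_RULES, AZURE_RULES))  # {'aws': [0, 1], 'azure': [0, 1]}
```

Note that a rule open on every port but restricted to an internal CIDR, or open to 0.0.0.0/0 on a single port, is not matched: the policy rule requires both halves of the criteria at once, so the check is a conjunction rather than a test of either column alone.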

Functionality
When AWS instances are switched off, will they be reported "powered off" in McAfee ePO?
Yes. If the computers are managed, they are not deleted, even on termination. Unmanaged
systems, when terminated, are no longer seen in the McAfee ePO System Tree.
How long until a new instance gets discovered by Cloud Workload Discovery?
After the synchronization occurs, the new instance is discovered. Synchronization depends on
the Sync Interval that you specified. If you specify the sync interval as 5 minutes, the next sync is
scheduled 5 minutes after the completion of the current sync. You can also schedule a manual
sync, and the synchronization starts immediately.
What happens when an instance is terminated in EC2?
After the instance is terminated (and a synchronization occurs), the instance is no longer
displayed in the McAfee ePO System Tree. However, any events from this instance are still
present.
What are the reasons for my cloud account synchronization to fail?
• Check your cloud account details. Your access key and secret key pair might have been
disabled.

• Check if your network is connected.

• Check if your McAfee ePO system date and time is synchronized with internet date and time.

• Check if you are registering the same AWS account again in McAfee ePO.

Visualization of your cloud accounts


McAfee VirusScan Enterprise is installed on my instance, but the instance is still
color-coded as red.
If your instance is not managed by this McAfee ePO server, the status is shown as red. For the
assessment to show the correct result, the instance must be managed by the same McAfee ePO server.
When I try to detach a security group from my AWS instance, it fails.
• If there is one NIC associated with an instance and you try to detach a security group
from it, the detach fails.

• If your instance is associated with multiple NICs and you try to detach a security
group that is the only security group associated with another NIC, the detach also
fails.

I can't see the Virtual Networks when I click Accounts.
If you just installed the Cloud Workload Discovery extension and completed registering your
accounts, wait for the synchronization and assessment to complete; you can then see
your virtual networks in your accounts.
I can't see all the Virtual Networks in my account.
By default, you can see all virtual networks that have at least one running workload. If a
virtual network does not have any running workloads, it is not shown. Select the Show All filter
on the Accounts panel to see all the virtual networks.

58 Cloud Workload Discovery 4.0.0 Product Guide


7
Frequently asked questions

I can see some names and some IDs under Virtual Networks and Workloads.
By default, you can see the names of your virtual networks and workloads. If they don't have
a name, you can see their IDs.
Which vendor cloud accounts are supported in the Cloud Workload Discovery dashboard?
Currently we support AWS and Microsoft Azure cloud accounts. Microsoft Azure classic accounts
are not shown here.
I can't see IP traffic for some workloads on the Cloud Workload Discovery dashboard.
• IP traffic records are available only for AWS workloads.

• If you can't view traffic for your AWS workloads, make sure that you have selected Enable
Traffic Discovery for your AWS account.

• When creating the IAM role for flow logs for your AWS account, make sure that the name of your
role is McafeeFlowLogger.

My traffic discovery is disabled, but I can still see traffic details for AWS instances.
The data retention period for AWS traffic data is 7 days, so you might still see some traffic details
until the retention period expires.
How long is the AWS traffic data stored in McAfee ePO?
The data retention period for AWS traffic data is 7 days.
Sometimes the Cloud Workload Discovery screen remains in a collapsed state.
Refresh the browser page (press F5).


