McAfee MVISION Cloud

Continuous Evaluation for Configuration Audit

MVISION Cloud provides Continuous Evaluation (CE) for IaaS services including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). It constantly monitors activities that lead to configuration changes for IaaS services and triggers Security Configuration Audit policies to report violations. When CE is enabled, you see Configuration Audit violations faster because monitoring is continuous, instead of violations being caught only once in 24 hours as reported by On-Demand Scans. CE is the default and recommended option.

For comparison:

Also note that:

  • CE requires User Activity Monitoring to be enabled. 
  • When CE is enabled:
    • On-Demand Scan frequency is disabled by default. In other words, the scans are created and present, but won't run once a day by default.
    • On-Demand Scans are scheduled when accounts, subscriptions, or projects are added or removed, either to baseline or to update the status of existing incidents.

Enable Continuous Evaluation

  1. Go to Service Management, choose the IaaS CSP, and an instance. 
  2. Under Setup, click Edit.
  3. Under Activity Monitoring, make sure User Activity Monitoring is enabled. 
  4. Under Security Configuration Audit, Continuous Evaluation is the default selection. 
  5. Click Next and finish configuring the instance as needed. 

When Continuous Evaluation is Enabled

When CE is enabled:

  • You will receive violations on the Incidents > Policy Incidents page more frequently and throughout the day, compared to before CE was enabled, when incidents were updated only once in 24 hours.
  • If you have configured Email Notification for Incidents, you will receive those emails throughout the day, instead of once in 24 hours. 
  • Activities are populated much faster in the Incidents > User Activity > Activity Monitoring page.
  • On the Policy > On-Demand Scans page, scan instances are not updated, and fewer scan incidents are reported. When you select the scan, the Scan Details pane shows the message, "Continuous Evaluation is enabled. Scheduled Scan is disabled by default." IaaS services in your environment are monitored continuously for violations, which are reported by CE, so fewer incidents are reported by On-Demand Scans.
  • Also, on the Scan Instances page, you see the message, "Continuous Evaluation is enabled. Scheduled Scan is disabled by default."
