Systems and methods for processing hypervisor-generated event data
Abstract
Systems, methods, and apparatuses enable a network security system to more efficiently process and respond to events generated by hypervisors and other associated components of a networked computer system. In this context, a hypervisor event refers broadly to any action that occurs related to one or more components of a hypervisor (including the hypervisor itself, virtual servers hosted by the hypervisor, etc.) and/or to data identifying the occurrence of the action(s) (e.g., a log entry, a notification message, etc.). A security service obtains and analyzes event data from any number of different types of hypervisors, where each different type of hypervisor may represent events differently and/or make event data accessible in different ways, among other differences.
30 Claims
1. A computer-implemented method, comprising:
for each server of a plurality of servers identified in a server list, a hypervisor event proxy microservice;
determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server, and further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server, wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
detecting, by the hypervisor event proxy microservice, occurrences of a plurality of hypervisor events, wherein each hypervisor event of the plurality of hypervisor events is detected by the hypervisor event proxy microservice based on one of: a push operation performed by a hypervisor, or a pull operation performed by the hypervisor event proxy microservice;
determining, by an event normalization microservice, whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.
(Dependent claims 2 to 10.)
11. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of:
for each server of a plurality of servers identified in a server list, a hypervisor event proxy microservice;
determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server, and further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server, wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
detecting, by the hypervisor event proxy microservice, occurrences of a plurality of hypervisor events, wherein each hypervisor event of the plurality of hypervisor events is detected by the hypervisor event proxy microservice based on one of: a push operation performed by a hypervisor, or a pull operation performed by the hypervisor event proxy microservice;
determining, by an event normalization microservice, whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.
(Dependent claims 12 to 20.)
21. An apparatus, comprising:
one or more processors;
a non-transitory computer-readable storage medium coupled to the one or more processors, the computer-readable storage medium storing instructions which, when executed by the one or more processors, causes the apparatus to:
for each server of a plurality of servers identified in a server list, a hypervisor event proxy microservice;
determine, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server, and further determine, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server, wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
detect, by the hypervisor event proxy microservice, occurrences of a plurality of hypervisor events, wherein each hypervisor event of the plurality of hypervisor events is detected by the hypervisor event proxy microservice based on one of: a push operation performed by a hypervisor, or a pull operation performed by the hypervisor event proxy microservice;
determine, by an event normalization microservice, whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generate a normalized event.
(Dependent claims 22 to 30.)
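The pipeline the independent claims describe, as an added illustration that is not code from the patent or from any product implementing it: a per-server proxy resolves its hypervisor type and event definitions from the two mappings, accepts each raw event only through the push or pull path its definition names, and a normalizer emits a normalized event once a server's detected raw events satisfy the defined event list for its hypervisor type. All server names, hypervisor types, raw event names and the mappings are constructed for this example.

```python
# Constructed sample configuration for this example (not from the patent or any vendor API).
SERVER_LIST = ["esx-01", "kvm-07"]
SERVER_TO_HYPERVISOR = {"esx-01": "vmware", "kvm-07": "kvm"}
# Per hypervisor type: raw event name -> whether the proxy detects it by push or by pull.
EVENT_DEFINITIONS = {
    "vmware": {"VmPoweredOff": "push", "VmCreated": "pull"},
    "kvm": {"DomainStopped": "push", "DomainDefined": "pull", "DomainStarted": "pull"},
}
# Defined event lists: a normalized event is generated once a server's detected raw events
# include every raw event listed for that server's hypervisor type.
DEFINED_EVENT_LISTS = {
    "vm_created": {"vmware": {"VmCreated"}, "kvm": {"DomainDefined", "DomainStarted"}},
    "vm_stopped": {"vmware": {"VmPoweredOff"}, "kvm": {"DomainStopped"}},
}
# Constructed sample traffic: events the hypervisors push, and events available to poll.
SAMPLE_PUSHED = [("kvm-07", "DomainStopped"), ("esx-01", "VmCreated")]
SAMPLE_POLLABLE = {"esx-01": ["VmCreated"], "kvm-07": ["DomainDefined", "DomainStarted"]}

class HypervisorEventProxy:
    """One proxy per server in the server list; collects the raw events it detects."""

    def __init__(self, server, pull_source):
        self.hv_type = SERVER_TO_HYPERVISOR[server]
        self.defs = EVENT_DEFINITIONS[self.hv_type]
        self.server, self.pull_source, self.detected = server, pull_source, []

    def on_push(self, raw_event):
        """Hypervisor-initiated delivery; only events defined as push are accepted."""
        if self.defs.get(raw_event) == "push":
            self.detected.append(raw_event)

    def poll(self):
        """Proxy-initiated pull; only events defined as pull are accepted."""
        self.detected += [e for e in self.pull_source(self.server) if self.defs.get(e) == "pull"]

def normalize(proxy):
    """Event normalization: normalized events whose defined list this proxy satisfies."""
    seen = set(proxy.detected)
    return sorted(name for name, per_type in DEFINED_EVENT_LISTS.items()
                  if proxy.hv_type in per_type and per_type[proxy.hv_type] <= seen)

def run_pipeline(pushed=SAMPLE_PUSHED, pollable=SAMPLE_POLLABLE):
    proxies = {s: HypervisorEventProxy(s, lambda srv: pollable.get(srv, [])) for s in SERVER_LIST}
    for server, raw_event in pushed:
        proxies[server].on_push(raw_event)
    for proxy in proxies.values():
        proxy.poll()
    return {s: normalize(p) for s, p in proxies.items()}
```

Note that the pushed "VmCreated" for esx-01 is discarded because its definition says it is detected by pull; the same event is then accepted when the proxy polls, which is the per-definition push/pull gating the claims describe.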