Change monitoring and detection for a cloud computing environment
Abstract
Aspects described herein allow for systems and methods to monitor production changes to resources in a cloud computing environment and determine whether those changes were performed in accordance with a change management policy. A change order monitoring application receives data from cloud computing audit logs to detect infrastructure changes and combines that data with application information to determine which application was affected. The change order monitoring application then uses a machine learning algorithm to cluster multiple change events together when it is likely that the change events were part of the same change. If a cluster of change activity does not appear to be authorized, the change order monitoring application sends an alert to a change management team and an application team to get more information about the activity.
20 Claims
1. A computer-implemented method comprising:
   configuring a change order monitoring application, wherein the change order monitoring application receives one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;
   detecting and filtering, by the change order monitoring application, the plurality of change events from the plurality of noise events in the one or more audit logs;
   matching, by the change order monitoring application, the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a corresponding taggable resource;
   matching, by the change order monitoring application, the plurality of change events to one or more change orders in the cloud computing environment;
   training a machine learning algorithm based on the plurality of change events, wherein training the machine learning algorithm comprises:
      clustering the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events;
      forming one or more change clusters based on the clustering of the plurality of change events;
      determining one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and
      updating the machine learning algorithm based on the one or more patterns of performance;
   determining one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and
   generating, using the machine learning algorithm and the change order monitoring application, an alert for the one or more unauthorized changes and sending the alert to an implementer of the one or more unauthorized changes.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A system comprising:
   a database configured to store one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;
   one or more processors; and
   memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
      receive, by a change order monitoring application executing on the one or more processors, the one or more audit logs;
      detect and filter the plurality of change events from the plurality of noise events in the one or more audit logs;
      match the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a corresponding taggable resource;
      match the plurality of change events to one or more change orders in the cloud computing environment, further including:
         match a change order configuration item to one of the one or more application services through mapping to a change management database,
         determine an event time window for the one or more change orders and ensure the matched plurality of change events are within the event time window, and
         determine the implementer is a member of an implementing group for the change order;
      train a Louvain community detection algorithm based on the plurality of change events, wherein the instructions cause the change order monitoring application to train the Louvain community detection algorithm by causing the change order monitoring application to:
         cluster the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events;
         form one or more change clusters based on the clustering of the plurality of change events;
         determine one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and
         update the Louvain community detection algorithm based on the one or more patterns of performance;
      determine one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and
      generate an alert for the one or more unauthorized changes and automatically send the alert to an implementer of the one or more unauthorized changes.
   Dependent claims: 13, 14, 15, 16, 17, 18.

19. One or more non-transitory media storing instructions that, when executed by one or more processors, cause the one or more processors to perform steps comprising:
   configuring a change order monitoring application, wherein the change order monitoring application receives one or more audit logs from one or more application services in a cloud computing environment, wherein the one or more audit logs comprises a plurality of change events and a plurality of noise events, wherein the plurality of change events require a change order and the plurality of noise events do not require a change order;
   detecting and filtering, by the change order monitoring application, the plurality of change events from the plurality of noise events in the one or more audit logs;
   matching, by the change order monitoring application, the plurality of change events to the one or more application services in the cloud computing environment, wherein matching the plurality of change events to the one or more application services is based on associating each change event with a taggable resource;
   matching, by the change order monitoring application, the plurality of change events to one or more change orders in the cloud computing environment, the matching further including:
      matching a change order configuration item to one of the one or more application services through mapping to a change management database,
      determining an event time window for the one or more change orders and ensuring the matched plurality of change events are within the event time window, and
      determining the implementer is a member of an implementing group for the change order;
   training a Louvain community detection algorithm based on the plurality of change events, wherein the Louvain community detection algorithm comprises:
      clustering the plurality of change events using a weighted event graph comprising the plurality of change events with one or more related connections between the plurality of change events, wherein the weighted event graph comprises weighted edges and the Louvain community detection algorithm assigns each vertex to a cluster to maximize a graph modularity;
      forming one or more change clusters based on the clustering of the plurality of change events, wherein the change order monitoring application creates the weighted event graph with the plurality of change events as vertices and edges between the plurality of events that are part of the same change event, and the Louvain community detection algorithm partitions the same change events into the change clusters, wherein the edges are determined by one or more edge variables that comprise a resource environment identifier, a resource identifier, and an access key identifier;
      determining one or more patterns of performance based on the one or more change clusters, wherein the one or more patterns of performance indicates a potential correlation between the one or more change clusters and the plurality of change events; and
      updating the Louvain community detection algorithm based on the one or more patterns of performance;
   determining one or more unauthorized changes from the one or more change clusters, wherein the unauthorized changes are one or more change events that are not matched with one or more change orders and not matched with one or more application services; and
   generating, using the Louvain community detection algorithm and the change order monitoring application, an alert for the one or more unauthorized changes, automatically sending the alert to an implementer of the one or more unauthorized changes, requesting additional information from the implementer of the one or more unauthorized changes, wherein the alert appears on a dashboard.
   Dependent claims: 20.
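To make the claimed pipeline concrete, here is an added Python example that is not part of the patent or of any product it describes. It filters noise from constructed audit events, matches change events to change orders by configuration item (app tag), event time window and implementing group, builds the weighted event graph on the three edge variables named in claim 19, and raises an alert for each cluster that no change order covers. Louvain community detection is replaced here by union-find connected components over edges of weight at least two, and the read-only action list, field names and all sample values are assumptions.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample audit-log events (CloudTrail-like shape; every value is invented).
EVENTS = [
    {"id": 1, "t": "2024-03-01T10:05", "action": "ModifyInstanceAttribute", "env": "prod", "res": "i-0a1", "key": "AKIA1", "user": "alice", "app": "billing"},
    {"id": 2, "t": "2024-03-01T10:06", "action": "DescribeInstances", "env": "prod", "res": "i-0a1", "key": "AKIA1", "user": "alice", "app": "billing"},
    {"id": 3, "t": "2024-03-01T10:07", "action": "AuthorizeSecurityGroupIngress", "env": "prod", "res": "sg-77", "key": "AKIA1", "user": "alice", "app": "billing"},
    {"id": 4, "t": "2024-03-01T23:40", "action": "PutBucketPolicy", "env": "prod", "res": "bkt-logs", "key": "AKIA9", "user": "dave", "app": "billing"},
    {"id": 5, "t": "2024-03-01T23:41", "action": "PutBucketAcl", "env": "prod", "res": "bkt-logs", "key": "AKIA9", "user": "dave", "app": "billing"},
]
NOISE_ACTIONS = {"DescribeInstances", "ListBuckets", "GetObject"}  # assumption: read-only calls are noise needing no change order
# Constructed change-management records: configuration item (app tag), approved window, implementing group.
CHANGE_ORDERS = [
    {"id": "CHG-100", "app": "billing", "start": "2024-03-01T09:00", "end": "2024-03-01T12:00", "group": {"alice", "bob"}},
]
EDGE_VARS = ("env", "res", "key")  # resource environment id, resource id, access key id (the claim 19 edge variables)

def is_change(ev):
    return ev["action"] not in NOISE_ACTIONS  # noise filter: everything else is a change event
def matched_order(ev, orders=CHANGE_ORDERS):
    """Id of a change order covering ev, or None: CI maps to the event's app tag, time in window, user in group."""
    t = datetime.fromisoformat(ev["t"])
    for o in orders:
        if (o["app"] == ev["app"] and datetime.fromisoformat(o["start"]) <= t <= datetime.fromisoformat(o["end"])
                and ev["user"] in o["group"]):
            return o["id"]
    return None
def clusters(events, min_weight=2):
    """Weighted event graph (edge weight = number of shared edge variables); union-find components stand in for Louvain."""
    parent = {e["id"]: e["id"] for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(events, 2):
        if sum(a[v] == b[v] for v in EDGE_VARS) >= min_weight:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for e in events:
        groups.setdefault(find(e["id"]), []).append(e)
    return list(groups.values())
def unauthorized_alerts(events=EVENTS, orders=CHANGE_ORDERS):
    """Drop noise, cluster the change events, and raise one alert per cluster that no change order covers."""
    alerts = []
    for cl in clusters([e for e in events if is_change(e)]):
        if not any(matched_order(e, orders) for e in cl):
            alerts.append({"app": cl[0]["app"], "implementer": sorted({e["user"] for e in cl}), "events": sorted(e["id"] for e in cl)})
    return alerts
```

On the sample data the in-window, in-group events 1 and 3 cluster together and are covered by CHG-100, while the off-hours events 4 and 5 form a second cluster with no covering order and produce one alert addressed to their implementer.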