SYSTEMS AND METHODS FOR PROCESSING HYPERVISOR-GENERATED EVENT DATA
First Claim
1. A computer-implemented method, comprising:
for each server of a plurality of servers identified in a server list:
determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and
further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;
wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
detecting, based on the set of event definitions, occurrences of a plurality of hypervisor events;
determining whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.
Abstract
Systems, methods, and apparatuses enable a network security system to more efficiently process and respond to events generated by hypervisors and other associated components of a networked computer system. In this context, a hypervisor event refers broadly to any action that occurs related to one or more components of a hypervisor (including the hypervisor itself, virtual servers hosted by the hypervisor, etc.) and/or to data identifying the occurrence of the action(s) (e.g., a log entry, a notification message, etc.). A security service obtains and analyzes event data from any number of different types of hypervisors, where each different type of hypervisor may represent events differently and/or make event data accessible in different ways, among other differences.
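The claim and the abstract describe one pipeline: resolve each listed server to a hypervisor type, look up that type's event definitions (each flagged push or pull), collect raw events accordingly, and emit a normalized event whenever a hypervisor-level event satisfies a defined event list. The following is an added example of that flow, not code from the patent or its assignee. Every mapping, feed and record in it is constructed sample data; the VMware-style event type names and libvirt-style log lines are assumptions chosen for illustration, not formats the page specifies.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not the patent's code): a minimal version of the pipeline in
# claim 1.  Every mapping, feed and record below is constructed sample data.


@dataclass(frozen=True)
class EventDefinition:
    name: str        # hypervisor-level event this definition recognizes
    mode: str        # "push": source delivers records; "pull": we poll for them
    match: Callable[[object], Optional[dict]]  # fields if record matches, else None


# Mapping of servers to hypervisor types (first "determining" step of claim 1).
SERVER_TO_HYPERVISOR = {"esx-01": "vmware", "kvm-07": "kvm"}


def _vmware_powered_on(rec):
    if isinstance(rec, dict) and rec.get("eventType") == "VmPoweredOnEvent":
        return {"vm": rec["vm"], "actor": rec.get("userName")}
    return None


def _vmware_powered_off(rec):
    if isinstance(rec, dict) and rec.get("eventType") == "VmPoweredOffEvent":
        return {"vm": rec["vm"], "actor": rec.get("userName")}
    return None


_KVM_START = re.compile(r"domain (?P<vm>\S+) started by (?P<actor>\S+)")
_KVM_STOP = re.compile(r"domain (?P<vm>\S+) stopped")


def _kvm_started(rec):
    m = _KVM_START.search(rec) if isinstance(rec, str) else None
    return m.groupdict() if m else None


def _kvm_stopped(rec):
    m = _KVM_STOP.search(rec) if isinstance(rec, str) else None
    return {"vm": m.group("vm"), "actor": None} if m else None


# Mapping of hypervisor types to event definitions (second "determining" step).
# Each definition carries the push/pull indicator the claim requires.
HYPERVISOR_TO_EVENT_DEFS = {
    "vmware": [EventDefinition("VmPoweredOnEvent", "push", _vmware_powered_on),
               EventDefinition("VmPoweredOffEvent", "push", _vmware_powered_off)],
    "kvm":    [EventDefinition("domain_started", "pull", _kvm_started),
               EventDefinition("domain_stopped", "pull", _kvm_stopped)],
}

# Defined event lists: each normalized event names the hypervisor-level events
# whose occurrence satisfies it, so one detection rule can cover both types.
DEFINED_EVENT_LISTS = {
    "vm_started": {"VmPoweredOnEvent", "domain_started"},
    "vm_stopped": {"VmPoweredOffEvent", "domain_stopped"},
}

# Constructed raw data: pushed notifications and log lines returned by polling.
PUSHED_EVENTS = {"esx-01": [{"eventType": "VmPoweredOnEvent", "vm": "web-3",
                             "userName": "alice"}]}
POLLED_LOGS = {"kvm-07": ["libvirtd: domain web-9 started by root",
                          "libvirtd: domain web-9 stopped"]}


def detect(server, definitions, pushed, polled):
    """Apply each event definition to the feed its push/pull mode selects."""
    found = []
    for d in definitions:
        feed = pushed if d.mode == "push" else polled
        for rec in feed.get(server, []):
            fields = d.match(rec)
            if fields is not None:
                found.append({"server": server, "event": d.name, **fields})
    return found


def normalize(occurrence, hypervisor):
    """Return the normalized events whose defined event list this occurrence satisfies."""
    return [{"normalized": name, "hypervisor": hypervisor, **occurrence}
            for name, satisfying in DEFINED_EVENT_LISTS.items()
            if occurrence["event"] in satisfying]


def process(server_list, pushed=PUSHED_EVENTS, polled=POLLED_LOGS):
    """Run the claim-1 loop; servers with no hypervisor mapping are reported, not silently dropped."""
    normalized, unknown = [], []
    for server in server_list:
        hypervisor = SERVER_TO_HYPERVISOR.get(server)
        if hypervisor is None:
            unknown.append(server)
            continue
        for occ in detect(server, HYPERVISOR_TO_EVENT_DEFS[hypervisor], pushed, polled):
            normalized.extend(normalize(occ, hypervisor))
    return normalized, unknown


if __name__ == "__main__":
    events, unknown = process(["esx-01", "kvm-07", "xen-02"])
    for e in events:
        print(e)
    print("no hypervisor mapping for:", unknown)
```

Two practitioner details are worth noting. The server-to-type mapping is the trust anchor for the whole pipeline: a server missing from it (here `xen-02`) produces no events at all, so the example returns such servers explicitly rather than letting a coverage gap pass silently. And because the normalized event carries the original server, hypervisor type and actor, downstream detection rules can be written once against `vm_started`/`vm_stopped` while still retaining the provenance needed for investigation.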
30 Claims
1. A computer-implemented method (independent claim; text as given under First Claim above). Dependent claims: 2 through 10.
11. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of:
for each server of a plurality of servers identified in a server list:
determining, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and
further determining, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;
wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
detecting, based on the set of event definitions, occurrences of a plurality of hypervisor events;
determining whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generating a normalized event.
Dependent claims: 12 through 20.
21. An apparatus, comprising:
one or more processors; and
a non-transitory computer-readable storage medium coupled to the one or more processors, the computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the apparatus to:
for each server of a plurality of servers identified in a server list:
determine, based on a mapping of servers to hypervisor types, a type of hypervisor running on the server; and
further determine, based on a mapping of hypervisor types to event definitions, a set of event definitions associated with the determined type of hypervisor running on the server;
wherein each event definition of the set of event definitions indicates whether occurrences of hypervisor events corresponding to the event definition are detected based on one of a push operation or a pull operation;
detect, based on the set of event definitions, occurrences of a plurality of hypervisor events;
determine whether an occurrence of one or more hypervisor events of the plurality of hypervisor events satisfies a defined event list, the defined event list representing a normalized event; and
in response to determining that the occurrence of the one or more hypervisor events satisfies an internal event list, generate a normalized event.
Dependent claims: 22 through 30.