Patents Assigned to SYSDIG, INC.
  • Patent number: 11909604
    Abstract: A monitoring system is configured to receive information regarding a microservice run in one or more containers at a computing cluster; submit a request to a cluster manager of the computing cluster via an application programming interface (API) for adding one or more configurations for monitoring the microservice to a configuration dataset managed by the cluster manager; receive monitoring data related to the microservice in accordance with the one or more configurations; and transmit the monitoring data to a user device associated with the microservice.
    Type: Grant
    Filed: February 23, 2022
    Date of Patent: February 20, 2024
    Assignee: Sysdig, Inc.
    Inventor: Loris Degioanni
  • Patent number: 11870817
    Abstract: A method of automatically determining operation rules for access control related to container operations on a plurality of computing nodes is disclosed. The method comprises receiving operation datasets representing operations that have been performed by one or more processes associated with one or more computer applications instantiated within one or more containers on the computing nodes; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operation rules for only those operations in the baseline dataset that score more than a score threshold; and causing modifying an orchestrator configuration file for the plurality of computing nodes based on the set of baseline operation rules.
    Type: Grant
    Filed: December 12, 2022
    Date of Patent: January 9, 2024
    Assignee: Sysdig, Inc.
    Inventor: Loris Degioanni
  • Patent number: 11868937
    Abstract: A clustered application infrastructure troubleshooting system performs a set of queries on a database of infrastructure data to retrieve a set of metrics for each of a plurality of issues. For each issue, the system analyzes a corresponding set of metrics based on detection criteria associated with the issue to detect one or more issues. The system identifies a set of remediation steps for resolving each issue and infrastructure objects affected by each of the one or more detected issues. The system performs queries on the database of infrastructure data to retrieve a set of data associated with the affected infrastructure objects. The system generates a GUI with advisories corresponding to the detected issues. Responsive to the user selecting an advisory, the system causes the GUI to present the remediation steps and the set of data associated with the one or more affected infrastructure objects corresponding to the selected advisory.
    Type: Grant
    Filed: December 9, 2022
    Date of Patent: January 9, 2024
    Assignee: Sysdig, Inc.
    Inventors: Harry Culley, Adam Fischer Mangum, Bryan Nolan Seay
  • Patent number: 11868781
    Abstract: In one embodiment, a method includes accessing a loaded but paused source process executable and disassembling the source process executable to identify a system call to be instrumented and an adjacent relocatable instruction. Instrumenting the system call includes building a trampoline for the system call that includes a check flag instruction at or near an entry point to the trampoline and two areas of the trampoline that are selectively executed according to results of the check flag instruction. Building a first area of the trampoline includes providing instructions to execute a relocated copy of the adjacent relocatable instruction and return flow to an address immediately following the adjacent relocatable instruction. Building a second area of the trampoline includes providing instructions to invoke at least one handler associated with executing a relocated copy of the system call and return flow to an address immediately following the system call.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: January 9, 2024
    Assignee: Sysdig, Inc.
    Inventor: Loris Degioanni
  • Patent number: 11716346
    Abstract: Techniques for categorizing and prioritizing security issues are disclosed. A security management system is implemented to receive security events describing potential security issues from clients. The security events contain attributes describing the security issue, affected resources, and a risk score defining a level of security risk associated with the event. The security events may be aggregated into a set of recommendation categories based on the type of security issue to be remedied. Aggregated risk scores may be computed for each of the recommendation categories. The security management system causes displaying of a graphical user interface to display information representing the set of recommendation categories. User input may be received selecting a particular recommendation category. In response to selecting the particular recommendation category, recommendation instruction options are displayed for remedying the events within the particular recommendation category.
    Type: Grant
    Filed: August 29, 2022
    Date of Patent: August 1, 2023
    Assignee: Sysdig, Inc.
    Inventors: Noah Kraemer, Omer Azaria
  • Patent number: 11656970
    Abstract: A computer-implemented method of monitoring programmatic containers (containers) through executing a computer program in a kernel space is disclosed. The method comprises storing trace data in a memory buffer that is shared by the kernel space and a user space, the trace data being related to execution of a process associated with a container at an execution point of the process. The method also comprises retrieving container data related to the container through raw access of one or more kernel data structures when execution of the process is stopped. In addition, the method comprises storing the container data in association with the trace data in the memory buffer.
    Type: Grant
    Filed: January 17, 2022
    Date of Patent: May 23, 2023
    Assignee: Sysdig, Inc.
    Inventors: Gianluca Borello, Loris Degioanni
  • Patent number: 11558273
    Abstract: Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: January 17, 2023
    Assignee: SYSDIG, INC.
    Inventors: Loris Degioanni, Luca Marturana, Gianluca Borello
  • Patent number: 11544124
    Abstract: A computer-implemented method of providing unified event monitoring and log processing is disclosed. The method comprises receiving streaming event data comprising a plurality of event entries from a plurality of domains including a cloud manager for a cloud platform and an application running within a container on the cloud platform; processing the streaming event data into a normalized, domain-independent format; evaluating a plurality of policy rules on the streaming event data, wherein the plurality of policy rules is defined with a unified syntax; and in response to the evaluating satisfying a condition of a first rule of the plurality of policy rules, transmitting to a remote device data related to an action defined in the first rule, wherein the receiving, processing, evaluating, and transmitting for each event entry for the plurality of event entries are performed in real time.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: January 3, 2023
    Assignee: SYSDIG, INC.
    Inventor: Loris Degioanni
  • Patent number: 11528300
    Abstract: In an embodiment, a data processing method comprises receiving, from one or more service monitoring processes configured to monitor operations of one or more computer applications instantiated within one or more containers, operation datasets representing operations that have been performed by one or more processes associated with the one or more computer applications; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, from the operation datasets, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operations rules for only those operations in the baseline dataset that score more than a score threshold.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: December 13, 2022
    Assignee: SYSDIG, INC.
    Inventor: Loris Degioanni
  • Patent number: 11507672
    Abstract: Techniques for selectively remediating vulnerabilities for assets of a computing system are disclosed. The vulnerability management system identifies “active” vulnerabilities associated with “active” computing assets that have been determined to be currently running, or to have been recently run, on the system using system call data. By limiting remediation to vulnerabilities associated with software packages of active computing assets, remediation/mediation efforts can be focused on vulnerabilities that may be currently exploited for the system. The list of active vulnerabilities identified for a system may be updated in real time based on continued monitoring of runtime operations of the system. Additional context metadata may be associated with the active vulnerabilities to allow for further prioritization of vulnerability management activities.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: November 22, 2022
    Assignee: SYSDIG, INC.
    Inventors: Mattia Pagnozzi, Luca Guerra, Guido Bonomi
  • Patent number: 11288075
    Abstract: In one embodiment, a method includes accessing a loaded but paused source process executable and disassembling the source process executable to identify a system call to be instrumented and an adjacent relocatable instruction. Instrumenting the system call includes building a trampoline for the system call that includes a check flag instruction at or near an entry point to the trampoline and two areas of the trampoline that are selectively executed according to results of the check flag instruction. Building a first area of the trampoline includes providing instructions to execute a relocated copy of the adjacent relocatable instruction and return flow to an address immediately following the adjacent relocatable instruction. Building a second area of the trampoline includes providing instructions to invoke at least one handler associated with executing a relocated copy of the system call and return flow to an address immediately following the system call.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: March 29, 2022
    Assignee: SYSDIG, INC.
    Inventor: Loris Degioanni
  • Patent number: 11277320
    Abstract: When it is detected that microservices have been created at a computing cluster running the microservices in containers, a respective monitoring subsystem is assigned to each microservice. Monitoring data for each of the microservices is then collected via the respective monitoring subsystems. Respective graphical user interfaces are then provided presenting at least a portion of the respective monitoring data for each microservice.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: March 15, 2022
    Assignee: SYSDIG, INC.
    Inventor: Loris Degioanni
  • Patent number: 11226886
    Abstract: A computer-implemented method of monitoring programmatic containers (containers) through executing a computer program in a kernel space is disclosed. The method comprises storing trace data in a memory buffer that is shared by the kernel space and a user space, the trace data being related to execution of a process associated with a container at an execution point of the process. The method also comprises retrieving container data related to the container through raw access of one or more kernel data structures when execution of the process is stopped. In addition, the method comprises storing the container data in association with the trace data in the memory buffer.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: January 18, 2022
    Assignee: SYSDIG, INC.
    Inventors: Gianluca Borello, Loris Degioanni
  • Patent number: 11102097
    Abstract: Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: August 24, 2021
    Assignee: Sysdig, Inc.
    Inventors: Loris Degioanni, Luca Marturana, Gianluca Borello
  • Patent number: 11025512
    Abstract: In an embodiment, a data processing method comprises transmitting, from a monitoring computer system that is programmed for monitoring one or more services, a request for information relating to new services to a cluster of computing nodes that are managing the one or more services; receiving from the cluster of nodes an indication that a new service not included in the one or more services has been created; in response to receiving the indication, creating a monitoring subsystem for performing one or more functions, which may include monitoring the new service, verifying security and/or compliance, logging the new security, and network management; assigning the monitoring subsystem to the new service; sending access information for the monitoring subsystem to one or more user computers.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: June 1, 2021
    Assignee: Sysdig, Inc.
    Inventor: Loris Degioanni
  • Patent number: 10983848
    Abstract: A computer-implemented method comprises executing, in a first container of a first computer system, input source instructions; executing, using the same first computer system, a plurality of containerized application programs in different corresponding containers; monitoring, by the input source instructions, the one or more different containerized application programs by identifying one or more system calls that resulted from the different container applications generating statistical messages relating to operation of the containerized application programs; generating, by the input source instructions, one or more enriched messages based on the system calls that were identified and based on the statistical messages; transmitting the one or more enriched messages to a first metric collector, and aggregating a plurality of the enriched messages into a set of aggregated metrics values; sending, from the first metric collector to a monitoring application that is hosted on a second computer system, the aggregated
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: April 20, 2021
    Assignee: Sysdig, Inc.
    Inventors: Loris Degioanni, Gianluca Borello, Luca Marturana
  • Patent number: 10708310
    Abstract: In an embodiment, a data processing method comprises creating and storing a scoring threshold value that is associated with determining whether a baseline operation rule is to be generated; receiving, from service monitoring processes, datasets of operations performed on digital objects by processors associated with computer applications; aggregating operations and identifying operation properties from the aggregated operations to generate an aggregated baseline dataset that represents operation properties from aggregated operations; assigning score values to each of the operation properties, wherein each assigned score value represents whether a particular operation property is a candidate for generating a rule that defines expected operation property values for the particular operation property; automatically generating a set of baseline operations rules for only those operation properties that have assigned values that exceed the score threshold value.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: July 7, 2020
    Assignee: SYSDIG, INC.
    Inventor: Loris Degioanni
  • Patent number: 10592380
    Abstract: A computer-implemented method of monitoring programmatic containers (containers) performed through executing a monitoring component in a user space is disclosed.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: March 17, 2020
    Assignee: SYSDIG, INC.
    Inventors: Gianluca Borello, Loris Degioanni