System and methods for transforming audit logs
Abstract
Systems, methods, and non-transitory computer readable media including instructions for determining utilized permissions in a cloud computing environment. Determining utilized permissions in a cloud computing environment includes receiving authorizations granted to each of a plurality of identities associated with the cloud computing environment; collecting a plurality of audit logs of activities performed in the cloud computing environment, including at least: cloud services accessed by the identities, and actions performed on resources associated with the cloud services; and transforming the audit logs to associate each specific action on each specific resource to one of the accessed services by one of the identities; generate a map mapping each identity to a plurality of objects, each object including an accessed service, a performed action, and a utilized resource; generate a report indicating at least one non-utilized authorization for at least one identity by comparing the map to the authorizations granted to each identity.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A system for determining utilized permissions in a cloud computing environment, the system comprising:
at least one processor configured to:
receive authorizations granted to each identity of a plurality of identities associated with the cloud computing environment;
collect a plurality of audit logs of activities performed in the cloud computing environment, the plurality of audit logs including at least:
a plurality of cloud services accessed by the plurality of identities, and
a plurality of actions performed on a plurality of resources associated with the plurality of cloud services;
transform the plurality of audit logs to associate each specific action on each specific resource to one of the plurality of accessed services by one of the plurality of identities;
generate a map mapping each identity to a plurality of objects, each object including at least one of the plurality of accessed services, at least one performed action, and at least one utilized resource; and
generate a report indicating at least one non-utilized authorization for at least one identity by comparing the map to the authorizations granted to each identity.
22 . The system of claim 1 , wherein the plurality of audit logs includes audit logs acquired via processes independent from workloads associated with the activities.
23 . The system of claim 1 , wherein each identity of the plurality of identities is associated with at least one of a user, a device, a second system, or a group.
24 . The system of claim 1 , wherein the plurality of actions includes at least one of accessing, modifying, reading, writing, or deleting data.
25 . The system of claim 1 , wherein mapping a first identity of the plurality of identities to the plurality of objects includes identifying an Application Programming Interface (API) used by the first identity in association with one of the accessed services.
26 . The system of claim 5 , wherein the API is configured to perform a specific action on a specific resource.
27 . The system of claim 1 , wherein the plurality of audit logs includes a real-time stream of data, and wherein the collecting, and transforming operations are performed on a continual basis.
28 . The system of claim 1 , wherein transforming the plurality of audit logs includes transmitting the plurality of audit logs to an event streaming system.
29 . The system of claim 8 , wherein transforming the plurality of audit logs further includes filtering the plurality of audit logs stored in the event streaming system using a cloud-based processing service
30 . The system of claim 9 , wherein filtering the plurality of audit logs is based on a subset of the plurality of identities.
31 . The system of claim 9 , further comprising, for each activity performed within a timeframe, creating a data structure including at least an action, an associated service, an associated resource, and an associated identity, thereby creating the map.
32 . The system of claim 11 , wherein creating the data structure includes cleaning the plurality of audit logs and organizing the plurality of audit logs for uniformity in preparation for clustering based on a similarity measure.
33 . The system of claim 1 , wherein the map includes a multi-dimensional vector for each identity, wherein each of the accessed service, the at least one performed action, and the at least one utilized resource correspond to a different dimension of the multi-dimensional vector.
34 . The system of claim 1 , wherein transforming the plurality of audit logs includes building a directed acyclic graph.
35 . The system of claim 1 , wherein the plurality of audit logs further includes at least one systemic change.
36 . The system of claim 15 , wherein the at least one systemic change includes at least one of changing a system configuration setting, adding a resource, or removing a resource.
37 . The system of claim 15 , wherein transforming the plurality of audit logs further includes mapping the at least one systemic change to one of the plurality of accessed services by one of the plurality of identities, and wherein the plurality of objects includes the at least one systemic change.
38 . The system of claim 1 , wherein the at least one processor is further configured to provide at least one of the transformed plurality of audit logs or the report to a permission server configured to manage authorizations for the plurality of identities.
39 . A method for determining utilized permissions in a cloud computing environment, the method comprising:
receiving authorizations granted to each identity of a plurality of identities associated with in the cloud computing environment; collecting a plurality of audit logs of activities performed in the cloud computing environment, the plurality of audit logs including at least: a plurality of cloud services accessed by the plurality of identities, and a plurality of actions performed on a plurality of resources associated with the plurality of cloud services; and transforming the plurality of audit logs to associate each specific action on each specific resource to one of the plurality of accessed services by one of the plurality of identities; generate a map mapping each identity to a plurality of objects, each object including at least one accessed service, at least one performed action, and at least one utilized resource; generate a report indicating at least one non-utilized authorization for at least one identity by comparing the map to the authorizations granted to each identity.
40 . A non-transitory computer-readable medium storing instructions that, when executed by at least one processor, are configured to cause the at least one processor to perform operations for determining utilized permissions in a cloud computing environment, the operations comprising:
receiving authorizations granted to each identity of a plurality of identities associated with the cloud computing environment; collecting a plurality of audit logs of activities performed in the cloud computing environment, the plurality of audit logs including at least: a plurality of cloud services accessed by the plurality of identities, and a plurality of actions performed on a plurality of resources associated with the plurality of cloud services; transforming the plurality of audit logs to associate each specific action on each specific resource to one of the plurality of accessed services by one of the plurality of identities; generating a map mapping each identity to a plurality of objects, each object including at least one accessed service, at least one performed action, and at least one utilized resource; and generating a report indicating at least one non-utilized authorization for at least one identity by comparing the map to the authorizations granted to each identity.Join the waitlist — get patent alerts
Track US2023291743A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.