CPC G06F 21/554 (2013.01) [G06F 9/545 (2013.01); G06F 16/2358 (2019.01)]
20 Claims

1. A method, comprising:
intercepting an event at a filter driver, wherein the event is associated with a resource of a computing system;
identifying metadata associated with the event by a correlating engine, wherein the correlating engine resides at a user space and not at a kernel space;
storing, by the correlating engine, the metadata associated with the event in a session associated with the resource, wherein the session is included in a session cache of the correlating engine;
performing the event in the computing system;
generating a logical timeline of the session that includes information for each entry in the session; and
determining that a subsequent event causes the session to be finalized,
wherein, when it is determined that the session is to be finalized based on the subsequent event, entries in the session are exported from the session cache to a data store external to the correlating engine.
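
The flow of claim 1, simulated in user space as an added example (not code from the patent): a plain Python callback stands in for the filter driver, and the logical timeline is ordered by a shared sequence counter. The finalizing operations (`close`, `delete`), the class and function names, and the sample events are assumptions.

```python
from itertools import count

# Assumption: the claim does not say which events finalize a session;
# "close" and "delete" are illustrative choices.
FINALIZING_OPS = {"close", "delete"}

class CorrelatingEngine:
    """User-space stand-in for the correlating engine of claim 1."""
    def __init__(self, data_store):
        self.session_cache = {}        # resource -> list of metadata entries
        self.data_store = data_store   # external store; a plain list here
        self._seq = count(1)           # logical clock shared by all sessions

    def record(self, event):
        """Identify the event's metadata and store it in the resource's session."""
        entry = {"seq": next(self._seq), "pid": event["pid"], "op": event["op"]}
        self.session_cache.setdefault(event["resource"], []).append(entry)

    def timeline(self, resource):
        """Logical timeline: one line per session entry, in sequence order."""
        entries = sorted(self.session_cache[resource], key=lambda e: e["seq"])
        return [f"{e['seq']:03d} pid={e['pid']} {e['op']}" for e in entries]

    def finalize_if_needed(self, event):
        """Export the session to the external store when the event ends it."""
        if event["op"] not in FINALIZING_OPS:
            return False
        resource = event["resource"]
        self.data_store.append({"resource": resource,
                                "timeline": self.timeline(resource)})
        del self.session_cache[resource]   # session leaves the cache on export
        return True

def filter_hook(engine, event, perform):
    """Simulated filter-driver callback: record, perform the event, then check."""
    engine.record(event)
    result = perform(event)
    engine.finalize_if_needed(event)
    return result

# Constructed sample events (not from the patent): two interleaved resources.
SAMPLE_EVENTS = [{"resource": r, "pid": p, "op": o} for r, p, o in [
    ("/srv/a.txt", 100, "open"), ("/srv/b.txt", 200, "open"),
    ("/srv/a.txt", 100, "write"), ("/srv/b.txt", 200, "write"),
    ("/srv/a.txt", 100, "close")]]

def run_sample():
    engine, store = CorrelatingEngine([]), None
    for ev in SAMPLE_EVENTS:
        filter_hook(engine, ev, perform=lambda e: True)
    return engine, engine.data_store
```

Only the session for `/srv/a.txt` is exported; the session for `/srv/b.txt` stays in the cache because no finalizing event has arrived for it.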