System for monitoring and managing datacenters

US11528283B2 · US · B2

Patent metadata

Publication number: US-11528283-B2
Application number: US-202016899190-A
Country: US
Kind code: B2
Filing date: Jun 11, 2020
Priority date: Jun 5, 2015
Publication date: Dec 13, 2022
Grant date: Dec 13, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

First claim

Opening claim text (preview).

What is claimed is:
1. A system comprising: one or more processors; and memory storing instructions which, when executed by the one or more processors, cause the one or more processors to: obtain network data from sensor processes executing in a data center, the network data being at least partly based on operation system states associated with two or more operating systems in the data center; generate a log describing a connection between endpoints associated with one or more packets in the network data; determine a status of the data center based on the log describing the connection between endpoints associated with one or more packets in the network data; detect, based at least partly on the status of the data center, an indication of an attack within the data center; and in response to the indication of the attack, modify a security policy based on the status of the data center.
2. The system of claim 1, wherein the network data comprises a respective indication of active or previously active processes on each of the two or more operating systems.
3. The system of claim 1, wherein at least one of the log or the network data identifies files present on the two or more operating systems.
4. The system of claim 1, wherein at least one of the log or the network data comprises data describing packets captured by the sensor processes executing in the data center.
5. The system of claim 1, wherein at least one of the two or more operating systems comprises a first operating system of a virtual machine or a second operating system of a hypervisor.
6. The system of claim 1, wherein detecting the indication of the attack comprises at least one of detecting a spike in an amount of resources used by at least one of the sensor processes or detecting spoofed packets.
7. The system of claim 1, wherein detecting the indication of the attack comprises detecting a hidden process embedded in traffic between two or more reference points.
8. The system of claim 1, wherein detecting the indication of the attack comprises detecting a scan of a network as initiated by a command from outside of the network or from an unexpected source inside the network.
9. The system of claim 1, wherein detecting the indication of the attack comprises detecting a packet that has a packet header field that differs from an expected header pattern.
10. A method comprising: obtaining network data from sensor processes executing in a data center, the network data being at least partly based on operation system states associated with two or more operating systems in the data center; generating a log describing a connection between endpoints associated with one or more packets in the network data; determining a status of the data center based on the log describing the connection between endpoints associated with one or more packets in the network data; detecting, based at least partly on the status of the data center, an indication of an attack within the data center; and in response to the indication of the attack, modifying a security policy based on the status of the data center.
11. The method of claim 10, wherein at least one of the log or the network data comprises a respective indication of active or previously active processes on each of the two or more operating systems.
12. The method of claim 10, wherein at least one of the log or the network data identifies files present on the two or more operating systems.
13. The method of claim 10, wherein at least one of the log or the network data comprises data describing packets captured by the sensor processes executing in the data center.
14. The method of claim 10, wherein at least one of the two or more operating systems comprises a first operating system of a virtual machine or a second operating system of a hypervisor.
15. The method of claim 10, wherein detecting the indication of the attack comprises at least one of detecting a spike in an amount of resources used by at least one of the sensor processes or detecting spoofed packets.
16. The method of claim 10, wherein detecting the indication of the attack comprises detecting a hidden process embedded in traffic between two or more reference points.
17. The method of claim 10, wherein detecting the indication of the attack comprises detecting a scan of a network as initiated by a command from outside of the network or from an unexpected source inside the network.
18. A non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by one or more processors, cause the one or more processors to: obtain network data from sensor processes executing in a data center, the network data being at least partly based on operation system states associated with two or more operating systems in the data center; generate a log describing a connection between endpoints associated with one or more packets in the network data; determine a status of the data center based on the log describing the connection between endpoints associated with one or more packets in the network data; detect, based at least partly on the status of the data center, an indication of an attack within the data center; and in response to the indication of the attack, modify a security policy based on the status of the data center.
19. The non-transitory computer-readable medium of claim 18, wherein at least one of the log or the network data comprises a respective indication of active or previously active processes on each of the two or more operating systems.
20. The non-transitory computer-readable medium of claim 18, wherein at least one of the log or the network data comprises at least one of information about files present on the two or more operating systems or information describing packets captured by the sensor processes executing in the data center.
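As an added illustration (not code from the patent or from Cisco), the following Python sketches the claimed pipeline on constructed packet logs: a collector summarizes sensor packets into per-connection flow logs, an analytics step derives a data-center status from those logs, two of the claimed attack indications are checked (a scan initiated from an unexpected source inside the network, and a packet header field that differs from the expected pattern), and the security policy is modified in response. The host addresses, the scan threshold, the allowed-scanner set and the SYN+FIN flag check are assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet logs in the shape a sensor process might emit (not from the patent).
PACKETS = [
    {"sensor": "s1", "src": "10.0.0.5", "dst": "10.0.1.8", "dport": 443, "flags": "S"},
    {"sensor": "s1", "src": "10.0.0.5", "dst": "10.0.1.8", "dport": 443, "flags": "A"},
    # One internal host touching many ports on a single peer: scan-like behaviour.
    *[{"sensor": "s2", "src": "10.0.0.9", "dst": "10.0.1.8", "dport": p, "flags": "S"}
      for p in range(20, 30)],
    # SYN and FIN set together: a header pattern no normal TCP stack produces.
    {"sensor": "s2", "src": "10.0.0.7", "dst": "10.0.1.8", "dport": 22, "flags": "SF"},
]
EXPECTED_SCANNERS = {"10.0.0.5"}   # hypothetical: hosts permitted to probe the network
SCAN_TARGETS = 8                   # hypothetical threshold of distinct (dst, port) pairs

def collect_flows(packets):
    """Collector step: one flow record per (src, dst, dport) connection."""
    flows = defaultdict(lambda: {"packets": 0, "flags": set()})
    for p in packets:
        rec = flows[(p["src"], p["dst"], p["dport"])]
        rec["packets"] += 1
        rec["flags"].add(p["flags"])
    return dict(flows)

def datacenter_status(flows):
    """Analytics step: which (dst, port) pairs each source has contacted."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        targets[src].add((dst, dport))
    return {"targets_per_src": targets}

def detect_attack(flows, status):
    """Return (reason, source) indications derived from the status and flow logs."""
    found = []
    for src, tgts in sorted(status["targets_per_src"].items()):
        if len(tgts) >= SCAN_TARGETS and src not in EXPECTED_SCANNERS:
            found.append(("scan_from_unexpected_source", src))
    for (src, _dst, _dport), rec in sorted(flows.items()):
        if any("S" in fl and "F" in fl for fl in rec["flags"]):
            found.append(("unexpected_header_pattern", src))
    return found

def update_policy(policy, indications):
    """Respond to indications by adding deny rules to a copy of the policy."""
    new = {"deny": list(policy.get("deny", []))}
    for reason, src in indications:
        new["deny"].append({"src": src, "reason": reason})
    return new

def run(packets, policy):
    flows = collect_flows(packets)
    indications = detect_attack(flows, datacenter_status(flows))
    return indications, update_policy(policy, indications)
```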

Assignees

Cisco Tech Inc

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Filtering policies (mail message filtering H04L51/212) · CPC title

  • related to network traffic · CPC title

  • Packet rate · CPC title

  • H04L43/04 (Primary)

    Processing captured monitoring data, e.g. for logfile generation · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11528283B2 cover?
An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L43/04. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 13, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).