At block 501, a profile generator receives a query to create an adaptive normal profile for a specific process and a set of hierarchical endpoint groups. The query includes scoping parameters that specify hierarchical endpoint levels from which to create the adaptive normal profile.
At block 503, the profile generator begins iterating over the hierarchical endpoint levels indicated in the query. The profile generator can iterate through hierarchical endpoint levels in an arbitrary order, although in some embodiments database access will be more efficient when iterating from the narrowest to the broadest hierarchical endpoint levels. The loop of operations includes example operations at blocks 505 and 507.
At block 505, the profile generator determines frequent events for the current hierarchical endpoint level and process. The profile generator aggregates event data for the process across the current hierarchical endpoint level. To do so, the profile generator accesses a bucketed event database and queries the database according to the current hierarchical endpoint level. The database sends the profile generator a batch of frequent events corresponding to the current hierarchical endpoint level, unless there are no frequent events for the current hierarchical endpoint level.
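The loop of blocks 501 through 505 can be sketched as follows. This is an added example, not code from the described system. The level names, the in-memory lists standing in for the bucketed event database, and the rule that an event is "frequent" when at least `min_share` of a group's endpoints exhibit it are all assumptions.

```python
from collections import defaultdict

LEVELS = ["team", "site", "org"]  # hypothetical level names, narrowest first
# Constructed hierarchy: endpoint -> its group at each level.
HIERARCHY = {
    "ep1": {"team": "dev", "site": "nyc", "org": "acme"},
    "ep2": {"team": "dev", "site": "nyc", "org": "acme"},
    "ep3": {"team": "ops", "site": "nyc", "org": "acme"},
    "ep4": {"team": "ops", "site": "sfo", "org": "acme"},
}
# Constructed stand-in for the bucketed event database:
# one row per (endpoint, process, event) bucket.
BUCKETS = [
    ("ep1", "winword.exe", "file_write:*.docx"),
    ("ep2", "winword.exe", "file_write:*.docx"),
    ("ep3", "winword.exe", "file_write:*.docx"),
    ("ep4", "winword.exe", "file_write:*.docx"),
    ("ep1", "winword.exe", "net_connect:443"),
    ("ep2", "winword.exe", "net_connect:443"),
    ("ep3", "winword.exe", "spawn:powershell.exe"),
    ("ep1", "chrome.exe", "net_connect:443"),
]

def frequent_events(process, level, group, min_share=0.6):
    """Block 505: aggregate one process's events across one level's group.
    Assumed rule: frequent = seen on >= min_share of the group's endpoints."""
    members = {ep for ep, g in HIERARCHY.items() if g[level] == group}
    if not members:
        return []
    seen = defaultdict(set)
    for ep, proc, event in BUCKETS:
        if proc == process and ep in members:
            seen[event].add(ep)
    return sorted(e for e, eps in seen.items()
                  if len(eps) / len(members) >= min_share)

def build_profile(query):
    """Blocks 501-503: read the scoping parameters, then loop over the
    requested levels from narrowest to broadest."""
    scope = query["scope"]  # level name -> group to profile at that level
    profile = {}
    for level in (lvl for lvl in LEVELS if lvl in scope):
        batch = frequent_events(query["process"], level, scope[level])
        if batch:  # no batch is returned when a level has no frequent events
            profile[level] = batch
    return profile
```

With this data, `net_connect:443` is frequent for `winword.exe` at the team and site levels but not across the whole organization, and the single `spawn:powershell.exe` event never reaches the threshold at any level that includes it.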