
Context informed abnormal endpoint behavior detection

Patent number
US11888881B2
Publication date
2024-01-30
Applicant
Palo Alto Networks, Inc. (US CA Santa Clara)
Inventors
Shai Meir; Dany Cohen; Arkady Miasnikov; Ohad Ohayon
IPC classification
H04L9/40; G06N20/00
Technical field
causality, event, endpoint, adaptive, profile, malicious, security, file, normal, events
Region: Santa Clara, CA

Abstract

Adaptive normal profiles are generated at a hierarchical scope corresponding to a set of endpoints and a process. Abnormal endpoint activity is detected by verifying whether event data tracking activity on the set of endpoints conforms to the adaptive normal profiles. False positives are reduced by verifying whether alarms correspond to normal endpoint activity. Abnormal event data is forwarded to a causality chain identifier that identifies abnormal chains of processes for the abnormal endpoint activity. A trained threat detection model receives abnormal causality chains from the causality chain identifier and indicates a likelihood that a chain corresponds to a malicious attack, which in turn indicates abnormal endpoint behavior.

Description

At block 601, the security monitor retrieves those of the adaptive normal profiles of the process with a scope corresponding to an endpoint or multiple endpoints on which the process is running. The security monitor queries a profile database with a process identifier and scoping parameters that include the endpoint(s). The profile database can return multiple adaptive profiles having multiple hierarchical scopes corresponding to the endpoints running the process. For example, endpoints in distinct business units that both run the process can correspond to distinct adaptive normal profiles having hierarchical scopes for each business unit. The profile database can be a remote database or a database running in local memory (e.g., when the security monitor is running on a monitoring agent at an endpoint). The profile database can be configured to retrieve all adaptive normal profiles corresponding to a set of endpoints efficiently, without backtracking to previously retrieved adaptive normal profiles.

At block 602, example operations for monitoring a process proceed as indicated by blocks 603, 607, 609, 611, and 613. The flowchart in FIG. 6 depicts the operations in blocks 603, 607, 609, 611, and 613 as being performed for a single process in each iteration; however, these operations can occur for multiple processes simultaneously depending upon implementation (e.g., a multi-threaded processor, prioritization of processes, etc.). Components performing each block can receive activity corresponding to multiple processes running on multiple endpoints independently of other components that are also evaluating process activity.
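The profile retrieval at block 601 and the per-process conformance check that follows it can be illustrated with a small in-memory model. The following Python is an added example written for this page, not code from the patent or from Palo Alto Networks; it assumes a three-level scope hierarchy (endpoint, business unit, global), that a profile is a set of (event type, value) pairs observed as normal for one process at one scope, and that all profile and event data shown is constructed for the illustration. The lookup visits each scope key once across a set of endpoints, so a profile shared by several endpoints is retrieved only once, and an event is flagged as candidate abnormal activity when no applicable profile covers it.

```python
"""Hierarchical adaptive-normal-profile lookup and conformance check.

Added illustration; not the patent's implementation. Scope hierarchy,
profile representation and all sample data below are assumptions.
"""
from dataclasses import dataclass, field

# Scope levels from most specific to most general (assumed hierarchy).
SCOPE_LEVELS = ("endpoint", "business_unit", "global")


@dataclass(frozen=True)
class Event:
    endpoint: str
    process: str
    event_type: str   # e.g. "file_write", "net_connect"
    value: str        # e.g. a file path or a destination port


@dataclass
class NormalProfile:
    process: str
    scope_level: str
    scope_value: str
    normal: set = field(default_factory=set)   # {(event_type, value)}


class ProfileStore:
    """In-memory stand-in for the profile database queried at block 601."""

    def __init__(self, endpoint_to_bu):
        self._profiles = {}            # (process, level, value) -> NormalProfile
        self._endpoint_to_bu = endpoint_to_bu

    def add(self, profile):
        key = (profile.process, profile.scope_level, profile.scope_value)
        self._profiles[key] = profile

    def scope_chain(self, endpoint):
        """Scope keys applicable to an endpoint, most specific first."""
        return [("endpoint", endpoint),
                ("business_unit", self._endpoint_to_bu[endpoint]),
                ("global", "*")]

    def profiles_for(self, process, endpoints):
        """Return every profile of `process` whose scope covers any endpoint.

        Each (level, value) key is visited once even when several endpoints
        share it, so no profile is retrieved twice.
        """
        seen, found = set(), []
        for ep in endpoints:
            for key in self.scope_chain(ep):
                if key in seen:
                    continue
                seen.add(key)
                profile = self._profiles.get((process,) + key)
                if profile is not None:
                    found.append(profile)
        return found


def check_events(store, events):
    """Return events not covered by any applicable profile (candidate abnormal activity)."""
    abnormal = []
    for ev in events:
        profiles = store.profiles_for(ev.process, [ev.endpoint])
        if not any((ev.event_type, ev.value) in p.normal for p in profiles):
            abnormal.append(ev)
    return abnormal


def build_store():
    """Constructed sample data: three endpoints in two business units."""
    store = ProfileStore({"ep-01": "finance", "ep-02": "finance", "ep-03": "engineering"})
    store.add(NormalProfile("updater.exe", "global", "*",
                            {("net_connect", "443")}))
    store.add(NormalProfile("updater.exe", "business_unit", "finance",
                            {("file_write", "C:/ProgramData/updater/cache.dat")}))
    store.add(NormalProfile("updater.exe", "endpoint", "ep-03",
                            {("file_write", "C:/Temp/updater.log")}))
    return store


def demo():
    """Run the constructed events through the check; returns the abnormal ones."""
    store = build_store()
    events = [
        Event("ep-01", "updater.exe", "net_connect", "443"),                       # global profile
        Event("ep-01", "updater.exe", "file_write", "C:/ProgramData/updater/cache.dat"),  # finance profile
        Event("ep-03", "updater.exe", "file_write", "C:/ProgramData/updater/cache.dat"),  # not normal for engineering
        Event("ep-02", "updater.exe", "net_connect", "4444"),                      # no profile covers it
    ]
    return check_events(store, events)


if __name__ == "__main__":
    for ev in demo():
        print("abnormal:", ev)
```

The flagged events are only candidates: in the patent's flow they are forwarded to the causality chain identifier and the threat detection model rather than raised directly as alerts, which is where the false-positive reduction described in the abstract takes place.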

Claims

1