The causality chain identifier can be pretrained on causality chains generated on endpoints that share a substantially similar context and whose behavior is known to be normal or abnormal. The scope of such a group of endpoints can include the groups of endpoints corresponding to the causality graph, and the causality chain identifier can then be applied to multiple groups of endpoints, which avoids training a separate identifier for each group across a large domain of endpoints. Abnormal event data used to train the causality chain identifier can correspond to a synthetic or real-world attack. A synthetic attack can be performed in a closed network using techniques from known real-world attacks. Real-world or synthetic data can be augmented by appropriate randomization to generate more training data. For example, identifiers at each hierarchical endpoint level can be randomized within a configured identifier range, events can be added or removed at random, event severity indicators can be randomized within a configured range, and so on.
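The following is an added illustration of the augmentation step described above; it is example code written for this page, not code from the original description or from any particular implementation. The event fields (`endpoint_path`, `event_type`, `severity`), the per-level identifier ranges, the 0..100 severity scale, the benign filler event types and the sample chain are all assumptions constructed for the example. The one design point worth noticing is that the randomization must not change what the identifier is meant to learn: the ground-truth label is carried over unchanged, the root event is never dropped, the relative order of the real events is kept, and identifier randomization is memoized per chain so that events that were on the same endpoint are still on the same endpoint afterwards.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    # Hierarchical endpoint identifier, one integer per level, e.g.
    # (site, host, process). Assumed layout for this example only.
    endpoint_path: Tuple[int, ...]
    event_type: str
    severity: int  # assumed 0..100 scale


@dataclass
class Chain:
    events: List[Event]  # causal order: events[i] is a cause of events[i+1]
    label: str           # "normal" or "abnormal"; must survive augmentation


# Assumed inclusive identifier range per hierarchy level.
ID_RANGES = [(1, 9), (1, 999), (1, 65535)]
SEVERITY_RANGE = (0, 100)
SEVERITY_JITTER = 10  # maximum +/- change applied to an event's severity
FILLER_EVENT_TYPES = ["file_read", "dns_query", "process_list"]  # assumed benign noise


def augment_chain(chain: Chain, rng: random.Random,
                  drop_prob: float = 0.1, add_prob: float = 0.1) -> Chain:
    """Return a randomized copy of `chain` that keeps its label and causal order."""
    # Identifier remapping is memoized per (level, original id): two events that
    # were on the same endpoint stay on the same (new) endpoint, so the edges the
    # identifier is supposed to learn are not destroyed by the randomization.
    id_map: Dict[Tuple[int, int], int] = {}

    def remap(path: Tuple[int, ...]) -> Tuple[int, ...]:
        new_path = []
        for level, ident in enumerate(path):
            key = (level, ident)
            if key not in id_map:
                lo, hi = ID_RANGES[level]
                id_map[key] = rng.randint(lo, hi)
            new_path.append(id_map[key])
        return tuple(new_path)

    lo_sev, hi_sev = SEVERITY_RANGE
    out: List[Event] = []
    for i, ev in enumerate(chain.events):
        # Remove events at random, but never the root event, so the augmented
        # chain still starts where the original one did.
        if i > 0 and rng.random() < drop_prob:
            continue
        # Perturb severity within a bounded window and clamp to the scale.
        jitter = rng.randint(-SEVERITY_JITTER, SEVERITY_JITTER)
        severity = max(lo_sev, min(hi_sev, ev.severity + jitter))
        out.append(Event(remap(ev.endpoint_path), ev.event_type, severity))
        # Occasionally add a low-severity filler event on the same endpoint right
        # after the real one, so the relative order of real events is preserved.
        if rng.random() < add_prob:
            out.append(Event(out[-1].endpoint_path,
                             rng.choice(FILLER_EVENT_TYPES),
                             rng.randint(lo_sev, lo_sev + SEVERITY_JITTER)))
    return Chain(out, chain.label)


def augment_dataset(chains: List[Chain], copies: int, seed: int,
                    drop_prob: float = 0.1, add_prob: float = 0.1) -> List[Chain]:
    """Produce `copies` randomized variants of every chain, reproducibly from `seed`."""
    rng = random.Random(seed)
    return [augment_chain(c, rng, drop_prob, add_prob)
            for c in chains for _ in range(copies)]


# Constructed sample (not real telemetry): an abnormal chain as it might be
# recorded during a synthetic attack in a closed network. Document opened,
# macro spawns a shell, shell connects out, then a logon on a second host.
SAMPLE_ABNORMAL = Chain([
    Event((1, 42, 1001), "office_doc_open", 20),
    Event((1, 42, 1002), "macro_spawn_shell", 70),
    Event((1, 42, 1003), "outbound_connect", 85),
    Event((1, 77, 2001), "lateral_logon", 90),
], "abnormal")

if __name__ == "__main__":
    for variant in augment_dataset([SAMPLE_ABNORMAL], copies=3, seed=7):
        print(variant.label,
              [(e.endpoint_path, e.event_type, e.severity) for e in variant.events])
```

Setting `drop_prob` and `add_prob` to zero yields variants that differ from the original only in identifiers and severities, which is a useful first check that the remapping keeps endpoint structure intact before enabling event insertion and removal.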
At block 815, the causality chain identifier provides the security monitor with indications of the abnormal causality chains that have been identified. The identified abnormal causality chains can also be used to train a threat detection model. Providing the abnormal causality chains can consist of storing them in a database of abnormal causality chains or passing references to them to the security monitor.