FIG. 1 is a conceptual diagram of a profile generator generating adaptive normal profiles. Agent 1 102, agent 2 104, and agent N 106 are embedded on endpoint 1 101, endpoint 2 103, and endpoint N 105 respectively. The embedded agents 102, 104, and 106 generate event data and send the event data to event processor 110. In this illustration, the agent N 106 on endpoint N 105 detects event data 108 and sends the event data 108 to the event processor 110. The event processor 110 sends the event data to event database 107 for future use. The event processor 110 also comprises an event importance filter 109 and an event normalizer 111 that process the event data into bucketed event data that the event processor 110 sends to a bucketed event database 113. In response to a query of scoping parameters such as scoping parameters 121, 123, and 125, a profile generator 119 accesses the bucketed event database 113 in order to generate adaptive normal profiles. The profile database 117 stores the generated adaptive normal profiles corresponding to the scoping parameters.
