One type of existing enterprise network defense is the Security Information & Event Management (SIEM) solution, which is typically driven by rules. However, the downside to using rules for network defense is that they are limited and static. For example, once rules are deployed, they do not adapt to traffic patterns to determine what is normal or not over time. In some cases, a rule-based system may yield high false positive rates, which renders the system to be less effective. Another type of enterprise network defense is the point solution, which addresses single aspects of network traffic at a time rather than a holistic view on all the information on the network. For example, a point solution such as the software Snort may capture packet-level anomaly but not higher level application anomaly. Yet another type of enterprise network defense is the data loss prevention (DLP) solution, which generally examines file data content without context of how files are received or from where. It would be desirable to have a solution that leverages more types of information associated with the enterprise network to capture anomalous behavior.