Enterprise threat detection (ETD) typically collects and stores large sets of log data from many heterogeneous systems (often referred to as "big data"). The stored data can be analyzed computationally with forensic-style data analysis tools to identify suspicious behavior in the patterns, trends, interactions, and associations the data reveals, especially those relevant to threat detection. Appropriate responses can then be taken if malicious behavior is suspected or identified. The forensic environment allows ETD patterns to be built from user-defined filters, so that an alert is generated whenever log data meeting the filter criteria is detected.
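The filter-and-pattern mechanism described above, shown as an added Python example that is not code from the page or from any ETD product: log records from two sources are normalized into one schema, a `Filter` expresses field criteria, and a `Pattern` combines filters with a grouping field, a count threshold and a time window so that an alert fires only when enough matching records fall inside the window. The sample records, the account names and the `Filter`/`Pattern`/`run_pattern` names are all constructed for this illustration.

```python
"""Minimal ETD-style detection patterns over normalized log records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real data), already normalized into a common
# schema as a log collector would do for heterogeneous sources.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "source": "appserver", "event": "LOGON_FAILED", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:00:20", "source": "appserver", "event": "LOGON_FAILED", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:00:41", "source": "appserver", "event": "LOGON_FAILED", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:01:02", "source": "appserver", "event": "LOGON_FAILED", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:01:30", "source": "appserver", "event": "LOGON_FAILED", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:03:00", "source": "appserver", "event": "LOGON_FAILED", "user": "bob",   "ip": "10.0.0.9"},
    {"ts": "2024-01-01T10:03:10", "source": "appserver", "event": "LOGON_OK",     "user": "bob",   "ip": "10.0.0.9"},
    {"ts": "2024-01-01T11:00:00", "source": "osaudit",   "event": "LOGON_FAILED", "user": "svc",   "ip": "10.0.0.7"},
    {"ts": "2024-01-01T11:00:05", "source": "osaudit",   "event": "PRIV_ESCALATION", "user": "svc", "ip": "10.0.0.7"},
]


@dataclass
class Filter:
    """Field criteria applied to one record; a wanted value is a scalar or a set."""
    criteria: dict

    def matches(self, record):
        for key, wanted in self.criteria.items():
            actual = record.get(key)
            if isinstance(wanted, (set, frozenset)):
                if actual not in wanted:
                    return False
            elif actual != wanted:
                return False
        return True


@dataclass
class Pattern:
    """Records must satisfy every filter (AND); an alert fires once per group
    when `threshold` matching records fall within `window`."""
    name: str
    filters: list
    group_by: str
    threshold: int
    window: timedelta


def run_pattern(pattern, records):
    """Return a list of alert dicts; records need not be pre-sorted."""
    matching = [r for r in records if all(f.matches(r) for f in pattern.filters)]
    matching.sort(key=lambda r: r["ts"])  # ISO-8601 strings sort chronologically
    recent = defaultdict(deque)  # group value -> timestamps inside the sliding window
    alerts, alerted = [], set()
    for r in matching:
        key = r.get(pattern.group_by)
        ts = datetime.fromisoformat(r["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > pattern.window:  # drop records that fell out of the window
            q.popleft()
        if len(q) >= pattern.threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"pattern": pattern.name, pattern.group_by: key, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


# Two constructed patterns: a count-over-window pattern and a single-event pattern.
BRUTE_FORCE = Pattern(
    name="repeated logon failures",
    filters=[Filter({"event": "LOGON_FAILED", "source": {"appserver", "osaudit"}})],
    group_by="user", threshold=5, window=timedelta(minutes=5))

SERVICE_ACCOUNTS = {"svc", "backup"}  # constructed list of accounts that should never escalate
PRIV_ESC = Pattern(
    name="privilege escalation by service account",
    filters=[Filter({"event": "PRIV_ESCALATION", "user": SERVICE_ACCOUNTS})],
    group_by="ip", threshold=1, window=timedelta(minutes=1))


def run_all(records=SAMPLE_EVENTS, patterns=(BRUTE_FORCE, PRIV_ESC)):
    """Evaluate every pattern against the records and collect the alerts."""
    return [a for p in patterns for a in run_pattern(p, records)]


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Running the block yields one alert for `alice` (five failures within 90 seconds) and one for the escalation from `10.0.0.7`; `bob` and the single `svc` failure stay below the threshold. Shrinking the brute-force window to one minute suppresses the `alice` alert, which is the tuning knob that separates a noisy pattern from a useful one.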