Online services are under near-constant risk from malicious parties who seek to compromise devices within those online services to subvert their functionality or compromise sensitive data stored in those services. Compromised devices may have data exfiltrated to an outside device, or may be commanded by the malicious party to perform various actions, for example, as part of a botnet. Identifying individual hosts that have been compromised within the online service can be a resource- and time-intensive operation, which can leave the malicious party in control of one or more devices for a long period of time despite countermeasures deployed in the online service. Current Security Information and Event Management (SIEM) systems may miss some compromised devices or misidentify secure devices as compromised, which lengthens the amount of time the malicious party remains in control and increases the processing resources needed to re-secure the online service.