Enterprise threat detection (ETD) typically collects and stores large sets of log data associated with various heterogeneous systems (often referred to as “big data”). The collected log data is usually analyzed using forensic-type data analysis tools to identify suspicious behavior based on log events and to allow an appropriate response. In some cases, a computer system may be intruded upon by a malicious attacker who executes jobs that may compromise the confidentiality, integrity, or availability of the computer system. Malicious activities can be identified and distinguished from normal, non-malicious activities based on comparisons of frequency characteristics of detected events.