In order to improve security, online software services monitor activities performed on behalf of their users to help identify fraudulent behavior. Each of the monitored activities may be logged for later security review and to trigger a security action such as disabling an account. In some scenarios, a common fraudulent behavior may be associated with a particular activity, a collection of activities, or an ordered sequence of activities. For example, a fraudulent payment may be associated with changing an administrator password of an account, adding a new form of payment, and then purchasing an advertisement. Traditionally, service operators may utilize tools to identify fraudulent behaviors by piecing together different activities and the time they each occurred. Due to the complexity in the number and occurrences of the monitored activities, the process is tedious and may be difficult to extrapolate more general results. Therefore, a need exists to identify a fingerprint from monitored activities that can be associated with and help identify past and future fraudulent behavior.