A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring a data entity, the monitoring observing at least one electronically-observable data source, the data entity exhibiting a data entity behavior; deriving an observable based upon the monitoring of the electronically-observable data source, the observable comprising event information corresponding to the data entity behavior; identifying an event of analytic utility, the event of analytic utility being derived from the observable from the electronic data source and the data entity behavior; analyzing the event of analytic utility, the analyzing the event of analytic utility using the data entity behavior; and, performing the security operation in response to the analyzing the event of analytic utility.