The hardest question after a breach is rarely 'were we hit' — it's 'what exactly happened, in what order, and how far did it reach.' Logs answer fragments of that, but logs are flat: a list of events with no inherent sense of which event caused which. Reconstructing the chain — this process spawned that one, which opened this file, which phoned out to that server — is painstaking manual work, and the gaps are where attackers hide.

The grant US11095669B2, "Forensic analysis of computing activity" (issued August 17, 2021, assigned to Sophos Limited), addresses this by structuring the record differently. Its CPC classifications are revealing: alongside the intrusion-detection classes (H04L 63/1416, H04L 63/1425, H04L 63/1433, H04L 63/145, H04L 63/20) sits G06F 16/9024, the class for graph databases. The activity is stored as a graph of relationships, not a flat log.

“A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects.” — U.S. Patent No. 11,095,669

The mechanism that matters is that a graph captures causality. When process, file, and network events are nodes connected by the relationships between them, an investigator can start from a known-bad indicator and walk the graph outward — backward to find the entry point, forward to find everything the attacker touched. The reconstruction that used to take days of log-grepping becomes a traversal.
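To make the traversal concrete, here is an added example (not code from the patent or from Sophos) that builds a small causal event graph from constructed endpoint events and performs the two walks the paragraph describes: backward from a known-bad indicator to the entry point, forward to everything it touched. The event list, the `proc:`/`file:`/`net:` node naming and the function names are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of recorded endpoint activity (not taken from the patent
# or any Sophos product). Each event is (actor, relationship, target object).
SAMPLE_EVENTS = [
    ("proc:outlook.exe",    "spawned",   "proc:winword.exe"),
    ("proc:winword.exe",    "spawned",   "proc:powershell.exe"),
    ("proc:powershell.exe", "wrote",     "file:C:/Users/bob/AppData/Local/Temp/u.bin"),
    ("proc:powershell.exe", "connected", "net:203.0.113.10:443"),
    ("proc:powershell.exe", "spawned",   "proc:rundll32.exe"),
    ("proc:rundll32.exe",   "read",      "file:C:/Users/bob/Documents/q3.xlsx"),
    ("proc:explorer.exe",   "spawned",   "proc:notepad.exe"),  # unrelated activity
]

class EventGraph:
    """Nodes are processes, files and network endpoints; edges are recorded causal relations."""
    def __init__(self, events):
        self.forward = defaultdict(list)   # node -> objects it acted on
        self.backward = defaultdict(list)  # node -> objects that acted on it
        for actor, rel, target in events:
            self.forward[actor].append((rel, target))
            self.backward[target].append((rel, actor))

    def _walk(self, start, adjacency):
        # Breadth-first traversal; returns every node reachable from start, in discovery order
        seen, queue, order = {start}, deque([start]), []
        while queue:
            for _rel, nxt in adjacency[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt); queue.append(nxt); order.append(nxt)
        return order

    def entry_points(self, indicator):
        """Walk backward from an indicator; keep the ancestors nothing else acted on."""
        ancestors = [indicator] + self._walk(indicator, self.backward)
        return [n for n in ancestors if not self.backward[n]]

    def reach(self, indicator):
        """Walk forward from an indicator: everything it transitively touched."""
        return self._walk(indicator, self.forward)

def investigate(events, indicator):
    """Scope an incident from one known-bad indicator: entry point(s) and the full chain."""
    g = EventGraph(events)
    roots = g.entry_points(indicator)
    chain = list(dict.fromkeys(n for r in roots for n in g.reach(r)))  # de-duplicated union
    return {"entry_points": roots, "touched_by_indicator": g.reach(indicator), "chain": chain}
```

Starting from the outbound connection alone, the backward walk lands on the mail client that opened the document, and the forward walk from that root excludes the unrelated explorer/notepad activity while recovering the dropped file and the spreadsheet that was read.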

For defenders, the practical value is in the speed and completeness of incident response. A forensic graph turns 'we think this is what happened' into 'here is the documented chain.' That precision matters operationally for scoping remediation, and it matters increasingly for disclosure — a company that has to describe an incident's scope in a regulatory filing benefits enormously from a defensible activity record.

The cost is storage and instrumentation: capturing this much relational detail across an endpoint fleet is expensive, and the art is in deciding what to keep. But the conceptual move — from logs as a flat stream to activity as a graph — is one of the more important shifts in how modern endpoint defense supports investigation rather than just detection.