Endpoint Detection and Response System with Endpoint-based Artifact Storage
US-2018316708-A1 · Nov 1, 2018 · US
US10354066B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10354066-B2 |
| Application number | US-201615354966-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 17, 2016 |
| Priority date | Feb 26, 2016 |
| Publication date | Jul 16, 2019 |
| Grant date | Jul 16, 2019 |
Official abstract text for this publication.
An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.
Opening claim text (preview).
What is claimed is:

1. A system for retaining data regarding potential software-based attacks on a computer, the system comprising: computer hardware configured to perform operations comprising: harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system; adding the data to a local data store maintained on the endpoint computer system; and generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events; wherein: the data is initially harvested according to a first set of data collection criteria; a software-based threat detection module executing on the endpoint computer system determines that a heightened level of alert is necessary; and in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria, which captures more data than what was harvested according to the first set of data collection criteria; wherein the generating of the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.

2. A system as in claim 1, wherein the harvesting according to at least one of the first set of data collection criteria and the second set of data collection criteria further comprises receiving and/or inferring at least some of the data using additional data generated external to the endpoint computer system.

3. A system as in claim 1, wherein the adding of the data to the local data store further comprises determining, based on one or more criteria, to retain in the local data store a first subset of the data as more likely to be relevant and to exclude from the local data store a second subset of the data as more likely to be irrelevant.

4. A system as in claim 1, wherein the event comprises an action occurring on the endpoint computer system and involving one or more artifacts on the endpoint computer system.

5. A system as in claim 4, wherein the event comprises a capture of what occurred at a specific point in time relating to the at least one artifact.

6. A system as in claim 1, wherein the responsive data comprises one or more of: one or more times that a particular file was accessed on the endpoint computer system, how the particular file was used on the endpoint computer system, when the particular file was first detected on the endpoint computer system, location of a registry persistence point, and use of a registry by a software routine to allow itself to persist after a reboot of the endpoint computing system.

7. A system as in claim 1, wherein the mitigating of the amount of the data returned further comprises pruning the data to a reduced data set, the pruning comprising analyzing the data with a machine learning model running on the endpoint computer system and/or on one or more remote servers.

8. A system as in claim 7, wherein the analyzing comprises the machine learning model enriching the data according to a likelihood of events of the plurality of events or artifacts on the endpoint having forensic relevance.

9. A system as in claim 1, wherein the one or more sensors comprises at least one of a kernel mode collector, a removable media sensor, a sensor that collects data about a current state of a computing environment executing on the endpoint computer, a malware detection and/or interdiction process, a user authentication process, and a user authentication re-verification process.

10. A system as in claim 1, wherein the operations further comprise receiving the query from a server over a network connection.

11. A system as in claim 1, wherein the operations further comprise initiating the query based on detection of a factor by a malware detection and/or interdiction process and/or by a user authentication verification process.

12. A system as in claim 1, wherein the operations further comprise analyzing, in response to the query, the data added to the local data store by a machine learning model running on the endpoint computer system, the analyzing comprising: eliminating, by the machine learning model, first data from the data that are not likely to be relevant; identifying, by the machine learning model, second data from the data that are likely to be relevant; and classifying third data that are not the first data or the second data as potentially relevant; wherein the query response excludes the first data.

13. A system as in claim 12, wherein the operations further comprise discarding the first data and pushing the second data and the third data to a cloud-based, second machine learning model as part of the query response for further analysis.

14. A system as in claim 12, wherein the operations further comprise receiving the query at the endpoint computer system from the cloud-based, second machine learning model and responding to the query as part of the query response using the second data and the third data based on attributes specified in the query.

15. A system as in claim 12, wherein the operations further comprise the machine learning model building a causality chain over one or more forensically applicable events from the plurality of events, the one or more forensically applicable events being applicable to a given event and/or artifact specified in the query.

16. A system as in claim 15, wherein the building of the causality chain comprises consideration of definitions for the first data, the second data, and the third data.

17. A system as in claim 1, further comprising triggering the generating of the query response in reaction to detection of a suspicious artifact and/or a significant event by a malware detection and/or interdiction process executing on the endpoint computer system and/or by a user authentication verification process.

18. A system as in claim 1, wherein the operations further comprise triggering the generating of the query response in reaction to detection of a suspicious file and/or a suspicious event by a malware detection and/or interdiction process not executing on the endpoint computer system and/or by a user authentication verification process.

19. A system as in claim 1, wherein the threat detection module comprises a machine learning component.

20. A system as in claim 19, wherein the machine learning component performs at least one operation selected from determining that the heightened level of alert is necessary, blocking or terminating execution of a process or thread, and determining that the alert level can be lowered back to the first set of data collection criteria.

21. A system as in claim 20, wherein the machine learning component accomplishes the at least one operation by processing data already in the local data store to determine that a potentially undesirable event has occurred and/or by processing the harvested data as it is received to determine that a potentially undesirable event is currently occurring.
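The following is an added illustrative model of claim 1 and of the abstract's tamper-resistant local store; it is not code from the patent or its assignee. It assumes a hash chain as the tamper-evident feature, a baseline event-type filter as the first collection criteria, "keep everything" as the broader second criteria, and a query that returns only records tied to the named artifact; the sample events are constructed.

```python
import hashlib
import json

# Constructed sample sensor events (not from the patent); "by" names the
# process that performed the action so an artifact query also finds it.
SAMPLE_EVENTS = [
    {"t": 1, "type": "process_start", "artifact": "C:\\dl\\setup.exe"},
    {"t": 2, "type": "dns_lookup", "artifact": "updates.example.test"},
    {"t": 3, "type": "file_write", "artifact": "C:\\dl\\setup.exe"},
    {"t": 4, "type": "registry_set", "artifact": "HKCU\\Run\\upd",
     "by": "C:\\dl\\setup.exe"},
]

# First (baseline) set of collection criteria: only these event types are kept.
BASELINE_TYPES = {"process_start", "file_write"}
SEED = "0" * 64  # assumed hash-chain seed for an empty store


class EndpointStore:
    # Append-only local data store; each record commits to the previous one.
    def __init__(self):
        self.records = []
        self.heightened = False  # raised by the threat detection module
        self._prev = SEED

    def harvest(self, event):
        # Second, broader criteria (accept every event) apply while alerted.
        if not (self.heightened or event["type"] in BASELINE_TYPES):
            return False  # not retained under the current criteria
        payload = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._prev + payload).encode()).hexdigest()
        self.records.append({"event": event, "prev": self._prev, "hash": digest})
        self._prev = digest
        return True

    def verify(self):
        # Recompute the chain; an edited, removed or reordered record breaks it.
        prev = SEED
        for rec in self.records:
            payload = json.dumps(rec["event"], sort_keys=True)
            expected = hashlib.sha256((prev + payload).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True

    def query(self, artifact):
        # Interpret the query locally and return only records tied to the artifact.
        return [r["event"] for r in self.records
                if artifact in (r["event"].get("artifact"), r["event"].get("by"))]
```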
CPC classification titles:

- Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- Machine learning
- involving long-term monitoring or reporting
- Inference or reasoning models
- Auditing as a secondary aspect