Using Trust Profiles for Network Breach Detection
US-2015288709-A1 · Oct 8, 2015 · US
US11755585B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11755585-B2 |
| Application number | US-201816222269-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 17, 2018 |
| Priority date | Jul 12, 2018 |
| Publication date | Sep 12, 2023 |
| Grant date | Sep 12, 2023 |
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

- Title: what the patent document calls the invention.
- Abstract: a short plain-language summary of the technical disclosure.
- Assignee and inventors: who owns or filed the patent and who is credited as inventor.
- Dates: filing, priority, publication, and grant dates set the timeline.
- Claims: the legal scope of protection; read this for what is actually claimed.
- Classifications: technology tags used to group this patent with similar filings.
- Citations: prior art links and similar publications in this corpus.
Official abstract text for this publication.
A method, system and computer-usable medium for constructing a distribution of interrelated event features. The constructing a distribution of interrelated event features includes receiving a stream of events, the stream of events comprising a plurality of events; extracting features from the plurality of events; constructing a distribution of the features from the plurality of events; and, analyzing the distribution of the features from the plurality of events.
Opening claim text (preview).
What is claimed is:

1. A computer-implementable method for performing a risk assessment operation, comprising:
   - receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security;
   - enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events;
   - extracting features from the plurality of events using the enriched data associated with each of the plurality of events;
   - generating enriched events corresponding to each of the plurality of events based upon enriched data associated with each of the plurality of events and the features extracted from the plurality of events;
   - performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore;
   - performing a scoring operation using contents of the percentile container, the scoring operation being performed as $\hat{P}_2 = \hat{P}_1 + \sum_{i=1}^{n} \mathrm{VAL}_i$, where $P_1$ corresponds to a first point in time, $P_2$ corresponds to a second point in time, and $\mathrm{VAL}_i$ corresponds to a score value of an associated feature;
   - generating a risk score for the user based upon the enriched events and the probability distribution; and,
   - performing the risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.

2. The method of claim 1, further comprising: storing the enriched events corresponding to each of the plurality of events within a datastore.

3. The method of claim 2, wherein: the enriching data comprises validating event data associated with at least some of the plurality of events, disclaiming certain event data associated with at least some of the plurality of events; deduplicating at least some of the plurality of events; performing an entity resolution operation on at least some of the plurality of events; performing an attachment enrichment operation on data associated with at least some of the plurality of events; and, performing a domain enrichment on at least some of the plurality of events.

4. The method of claim 1, further comprising: labeling at least some of the plurality of events prior to extracting features from the plurality of events.

5. The method of claim 1, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features.

6. The method of claim 1, further comprising: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework.

7. The method of claim 1, further comprising: performing a container summation operation using contents of the delta container, the container summation operation being performed as $\Delta = \sum_{i=1}^{n} \mathrm{VAL}_i$, where $\mathrm{VAL}_i$ corresponds to a score value of an associated feature.

8. The method of claim 7, further comprising: performing a scoring data update operation using the results of the scoring operation and the container summation operation, the scoring data update operation being performed as $P_3 = \hat{P}_2 + \Delta$, where $P_3$ corresponds to a third point in time.

9. A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated wi
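The scoring container of claims 1, 7 and 8 is easier to follow in code than in claim language. The block below is an added worked example, not code from the patent or from any vendor product: it scores one user's event stream window by window, keeps a percentile container whose score values give the window score ($\hat{P}_2 = \hat{P}_1 + \sum \mathrm{VAL}_i$) and a delta container whose sum $\Delta$ is applied when the persistent datastore is updated ($P_3 = \hat{P}_2 + \Delta$). Everything not stated in the claims is an assumption made here: $\mathrm{VAL}_i$ is modelled as the Laplace-smoothed surprisal of a feature value under the persisted distribution, the delta container is taken to hold score values of events that arrive for a window after that window has already been scored (so nothing is double counted), and the feature set, class names and sample events are constructed for illustration.

```python
# Added example (not the patent's code): percentile/delta scoring containers
# for one user's event stream. VAL_i as Laplace-smoothed surprisal, the
# feature set, class names and the sample events are all assumptions.
from collections import Counter, defaultdict
import math


def extract_features(event):
    """Claim 5 style transformation: raw event -> a few derived features."""
    return {
        "domain": event["domain"],
        "hour4": event["hour"] // 4,                               # 4-hour bucket
        "bytes_log2": int(math.log2(max(event["bytes_out"], 1))),  # size bucket
    }


class PersistentStore:
    """Persistent datastore stand-in: feature histograms plus last score P."""

    def __init__(self):
        self.hist = defaultdict(Counter)  # feature name -> Counter of values
        self.score = 0.0

    def surprisal(self, name, value):
        """VAL_i = -log2 p(value | feature), Laplace-smoothed (assumed rule)."""
        counter = self.hist[name]
        p = (counter[value] + 1) / (sum(counter.values()) + len(counter) + 1)
        return -math.log2(p)


class ScoringContainer:
    """percentile: VAL_i of the window being scored (claim 1 scoring).
    delta: VAL_i of events that arrived after their window was scored
    (assumed reading), summed into delta for the datastore update (claims 7, 8)."""

    def __init__(self):
        self.percentile, self.delta = [], []
        self.pending_hist = defaultdict(Counter)  # counts not yet persisted

    def scoring_operation(self, p_hat_prev):
        return p_hat_prev + sum(self.percentile)  # P^2 = P^1 + sum VAL_i

    def container_summation(self):
        return sum(self.delta)  # delta = sum VAL_i


class UserRiskScorer:
    def __init__(self, store):
        self.store, self.container = store, ScoringContainer()
        self.p_hat = store.score  # running approximation P^
        self.closed = set()       # windows already scored

    def ingest(self, event):
        feats = extract_features(event)
        vals = [self.store.surprisal(k, v) for k, v in feats.items()]
        for k, v in feats.items():
            self.container.pending_hist[k][v] += 1
        if event["window"] in self.closed:      # late event: delta container
            self.container.delta.extend(vals)
        else:                                    # current window: percentile
            self.container.percentile.extend(vals)

    def close_window(self, window):
        """Score the window; returns (P^2, this window's increment)."""
        p_prev = self.p_hat
        self.p_hat = self.container.scoring_operation(p_prev)
        self.container.percentile.clear()
        self.closed.add(window)
        return self.p_hat, self.p_hat - p_prev

    def persist(self):
        """P3 = P^2 + delta, then fold pending counts into the store."""
        self.store.score = self.p_hat + self.container.container_summation()
        self.p_hat = self.store.score
        for k, counter in self.container.pending_hist.items():
            self.store.hist[k].update(counter)
        self.container.delta.clear()
        self.container.pending_hist.clear()
        return self.store.score


# Constructed sample: two ordinary events, one exfiltration-like event in a
# later window, and one event that arrives late for window 1.
SAMPLE_EVENTS = [
    {"window": 1, "hour": 9, "domain": "corp.example", "bytes_out": 1024},
    {"window": 1, "hour": 10, "domain": "corp.example", "bytes_out": 1500},
    {"window": 2, "hour": 2, "domain": "paste.example", "bytes_out": 20_000_000},
]
LATE_EVENT = {"window": 1, "hour": 11, "domain": "corp.example", "bytes_out": 1100}


def demo():
    store = PersistentStore()
    for _ in range(20):  # constructed baseline: 20 prior ordinary events
        for k, v in extract_features(SAMPLE_EVENTS[0]).items():
            store.hist[k][v] += 1
    scorer, inc = UserRiskScorer(store), {}
    for window in (1, 2):
        for ev in SAMPLE_EVENTS:
            if ev["window"] == window:
                scorer.ingest(ev)
        _, inc[window] = scorer.close_window(window)
    p_hat2 = scorer.p_hat
    scorer.ingest(LATE_EVENT)  # window 1 already scored -> delta container
    delta = scorer.container.container_summation()
    p3 = scorer.persist()
    return {"inc1": inc[1], "inc2": inc[2], "p_hat2": p_hat2,
            "delta": delta, "p3": p3, "store": store}
```

Running `demo()` shows the point of the two containers: the window-2 event to an unseen domain at an unseen hour with an unseen size bucket adds roughly 13 bits of surprisal against about 0.4 for the two ordinary window-1 events, so the per-window increment is what a risk threshold would act on; the late event never touches the already-emitted window-1 score but is still folded into $P_3$ and into the histograms through the delta path. Because the store's histograms are only refreshed at `persist()`, the distribution used inside a window is a fixed approximation, which is the trade-off the claim describes.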
CPC classification titles:

- involving long-term monitoring or reporting
- Data stream processing; Continuous queries
- Ensuring data consistency and integrity
- Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors