Endpoint with remotely programmable data recorder

What is claimed is: 1. A computer program product comprising a non-transitory computer readable medium embodying computer executable code that, when executing on one or more computing devices, causes the one or more computing devices to perform steps of: storing in a data recorder an event stream of data indicating events on an endpoint including a plurality of types of changes to a plurality of computing objects on the endpoint; processing the event stream with a filter into a filtered event stream including a subset of the plurality of types of changes to the plurality of computing objects; transmitting the filtered event stream over an enterprise network to a threat management facility; responding to a local change in security posture detected on the endpoint by adjusting the filter to modify the subset of the plurality of types of changes included in the filtered event stream; receiving a query from the threat management facility for additional event data from the event stream stored in the data recorder in response to the change in security posture; and responding to the query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream. 2. The computer program product of claim 1 , wherein the local change is based on a reputation score for one or more processes on the endpoint. 3. The computer program product of claim 1 , wherein the local change is based on a reputation score for one or more files on the endpoint. 4. The computer program product of claim 1 , wherein the local change includes a change in policy compliance posture of the endpoint. 5. The computer program product of claim 1 , wherein the local change includes a malware detection. 6. The computer program product of claim 1 , wherein adjusting the filter includes decreasing filtering of the types of changes included in the filtered event stream. 7. The computer program product of claim 1 , wherein adjusting the filter includes decreasing filtering for one or more of the plurality of computing objects. 8. A method comprising: storing, in a data recorder, an event stream of data indicating events on an endpoint including a plurality of types of changes to a plurality of computing objects on the endpoint; processing the event stream with a filter into a filtered event stream including a subset of the plurality of types of changes to the plurality of computing objects; transmitting the filtered event stream over an enterprise network to a threat management facility; responding to a change in security posture of the endpoint by adjusting the filter to modify the subset of the plurality of types of changes included in the filtered event stream; receiving a query from the threat management facility for additional event data from the event stream stored in the data recorder in response to the change in security posture; and responding to the query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream. 9. The method of claim 8 , wherein the change in security posture includes a change in policy compliance of the endpoint. 10. The method of claim 8 , wherein the change in security posture includes a malware detection by a local security agent. 11. The method of claim 8 , wherein the change in security posture is based on a change in a reputation score for one or more processes on the endpoint. 12. The method of claim 8 , wherein the change in security posture is based on a change in a reputation score for one or more files on the endpoint. 13. The method of claim 8 , wherein adjusting the filter includes decreasing filtering for one or more of the plurality of computing objects. 14. An endpoint coupled in a communicating relationship with an enterprise network, the endpoint comprising: a data recorder configured to store an event stream of data indicating events on the endpoint including a plurality of types of changes to a plurality of computing objects on the endpoint; a filter configured to locally process the event stream into a filtered event stream including a subset of the plurality of types of changes to the plurality of computing objects; and a local security software agent configured to: transmit the filtered event stream over the enterprise network to a threat management facility; respond to a change in a security posture of the endpoint by adjusting the filter to modify the subset of the plurality of types of changes included in the filtered event stream; receive a query from the threat management facility for additional event data from the event stream stored in the data recorder in response to the change in security posture; and respond to the query from the threat management facility by retrieving data stored in the data recorder over a time window before the query and excluded from the filtered event stream. 15. The endpoint of claim 14 , wherein the change in security posture includes a change in policy compliance of the endpoint. 16. The endpoint of claim 14 , wherein the change in security posture includes a malware detection by the local security software agent. 17. The endpoint of claim 14 , wherein the change in security posture is based on a change in a reputation score for one or more processes on the endpoint. 18. The endpoint of claim 14 , wherein the change in security posture is based on a change in a reputation score for one or more files on the endpoint. 19. The endpoint of claim 14 , wherein adjusting the filter includes decreasing filtering for one or more of the plurality of computing objects.