Dynamic filtering of endpoint event streams

What is claimed is: 1 . A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: instrumenting an endpoint with a local agent to detect a plurality of types of changes to a plurality of computing objects; creating an event stream from the local agent including each type of change to each of the plurality of computing objects detected on the endpoint; storing the event stream in a data recorder on the endpoint; processing the event stream with a filter at the endpoint to provide a filtered event stream including a subset of the types of changes to a subset of the plurality of computing objects; transmitting the filtered event stream to a threat management facility; processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and in response to a predetermined security state detected by the threat management facility, transmitting an adjustment to the endpoint for at least one of the types of changes or computing objects used by the filter to process the event stream. 2 . The computer program product of claim 1 wherein the plurality of computing objects includes a number of files. 3 . The computer program product of claim 1 wherein the plurality of computing objects includes a number of processes. 4 . The computer program product of claim 1 wherein the plurality of computing objects includes a number of executables. 5 . The computer program product of claim 1 wherein the plurality of computing objects includes at least one of an electronic communication, a registry of system settings, and a secure kernel cache. 6 . A method comprising: receiving a filtered event stream from an endpoint at a threat management facility for an enterprise network, the filtered event stream including a subset of types of changes to a subset of computing objects from a plurality of types of changes to a plurality of computing objects monitored by a data recorder on the endpoint; processing the filtered event stream at the threat management facility to evaluate a security state of the endpoint; and in response to a predetermined change in the security state of the endpoint, transmitting an adjustment to a filter used by the endpoint to select which of the plurality of types of changes to the plurality of computing objects the data recorder reports in the filtered event stream. 7 . The method of claim 6 wherein the subset of computing objects includes one or more of a file, an executable, a process, a database, and a message. 8 . The method of claim 6 wherein the types of changes include at least one of a file read, a file write, a file copy, a file encrypt, a file decrypt, a network communication, a registry update, a software installation, a change in permissions, and a query to a remote resource. 9 . The method of claim 6 further comprising correlating the filtered event stream to a malware event on the endpoint and searching for the malware event on one or more other endpoints coupled to the enterprise network based on a pattern of events in the filtered event stream. 10 . The method of claim 6 further comprising storing the filtered event stream at the threat management facility. 11 . The method of claim 6 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including additional ones of the plurality of types of changes to the plurality of computing objects. 12 . The method of claim 6 further comprising storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including one or more of the plurality of types of changes to additional ones of the plurality of computing objects. 13 . The method of claim 6 wherein processing the filtered event stream includes searching for potential malicious activity on the endpoint. 14 . The method of claim 6 wherein processing the filtered event stream includes searching for a security exposure on the endpoint. 15 . The method of claim 6 further comprising, when the filtered event stream shows that the security state of the endpoint is compromised, initiating a remedial action. 16 . The method of claim 6 wherein processing the filtered event stream includes securely verifying a status of the endpoint. 17 . The method of claim 6 wherein the adjustment includes a change to the subset of types of changes included in the filtered event stream. 18 . The method of claim 6 wherein the adjustment includes a change to the subset of computing objects included in the event stream. 19 . A system comprising: an endpoint executing a data recorder to store an event stream including a plurality of types of changes to a plurality of computing objects detected on the endpoint, the endpoint further executing a local agent to process the event stream with a filter into a filtered event stream including a subset of the plurality of types of changes to a subset of the plurality of computing objects, the local agent further configured to communicate the filtered event stream to a remote resource over a data network; and a threat management facility configured to receive the filtered event stream from the endpoint and to process the filtered event stream to evaluate a security state of the endpoint, the threat management facility further configured to respond to a predetermined change in the security state by transmitting an adjustment to the endpoint for at least one of the types of changes or computing objects used by the filter to process the event stream. 20 . The system of claim 19 wherein the threat management facility is further configured to initiate a remediation of the endpoint when the security state of the endpoint is compromised.