malicious insider
The Role of Artificial Intelligence and Machine Learning in Threat Detection
Access to both internal and external networked resources is fundamental to the operation of modern malware, and thus it is employed at nearly every phase of the attack lifecycle, from reconnaissance and initial infection to subsequent command and control (C2), lateral movement, data collection, and exfiltration. Telemetry is the in situ collection of measurements or other data at remote points -- the word is derived from the Greek roots tele, "remote", and metron, "measure". It is therefore not surprising that the collection and analysis of network telemetry plays a critical role in enabling early detection of network infections and a rapid response that halts them before they spread beyond the initial point of infection.

Purely signature-based analysis of malware is a legacy approach: it requires at least one user (the 'sacrificial lamb') to get infected so that the antivirus (AV) product can obtain a sample of the malware and create a signature -- which then takes more time to deploy via updates. A more powerful and watertight method of threat detection is to model the 'normal' network usage behavior of the organization, its end users, and the endpoints they use for legitimate access, so that unusual behavior induced by malware can be detected -- even when the particular attack mode is novel and does not yet have a known signature, or purposely employs malleable C2 to minimize the possibility that a distinct, persistent signature can be identified and used as the basis for subsequent detection and threat eradication.
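The contrast drawn above, signature matching versus a behavioral baseline built from network telemetry, is easiest to see on concrete flow records. The following Python script is an added example and is not code from the original article or from any product it describes. Every flow record, host name and destination in it is constructed for the illustration (the "cdn-sync.example" destination stands in for a previously unseen C2 host, and the signature list is made up), and the feature set and robust z-score scheme are one simple design choice, not a description of any particular vendor's model. It builds a per-host baseline from seven days of routine flows, then scores a review window in which the same host starts contacting a new external destination at regular intervals and pushes a large upload to it; the signature list misses it, the baseline does not.

```python
"""Behavioral baselining over network flow telemetry, beside a static signature list."""
from collections import defaultdict
from statistics import median, mean, pstdev

# --- constructed telemetry -------------------------------------------------
# Flow records: (timestamp_s, host, destination, bytes_out). Days 0-6 of
# ordinary activity for host ws-01 form the baseline; day 7 is the window
# under review. All values are made up for this example.
def _day(n, extra=()):
    base = n * 86400
    flows = [
        (base + 32400, "ws-01", "fileserver.corp", 4000 + 100 * n),
        (base + 33000, "ws-01", "mail.corp", 1500),
        (base + 36000, "ws-01", "updates.vendor.example", 9000),
        (base + 45000, "ws-01", "fileserver.corp", 5000),
    ]
    return flows + list(extra)

BASELINE_FLOWS = [f for n in range(7) for f in _day(n)]

# Day 7: the usual routine plus a new external host contacted every 300 s
# (beaconing) and one large upload to it. Destination name is hypothetical.
C2 = "cdn-sync.example"
_beacons = [(7 * 86400 + 40000 + 300 * i, "ws-01", C2, 600) for i in range(10)]
_exfil = [(7 * 86400 + 43100, "ws-01", C2, 2_000_000)]
REVIEW_FLOWS = _day(7, _beacons + _exfil)

# A signature-style blocklist; the new C2 host is not on it (constructed).
KNOWN_BAD_DESTINATIONS = {"evil.example", "bad-host.example"}

# Minimum spread per feature, so a baseline with zero variance (e.g. no new
# destinations ever seen) does not turn every tiny deviation into a huge score.
SCALE_FLOOR = {"distinct_dsts": 1.0, "new_dsts": 1.0,
               "bytes_out": 1000.0, "beacon_regularity": 0.1}


def features(flows, known_dsts):
    """Summarise one host-window of flows into behavioral features."""
    dsts = defaultdict(list)
    for ts, _host, dst, _bytes in flows:
        dsts[dst].append(ts)
    best_regularity = 0.0  # 1.0 = perfectly periodic contact with one destination
    for ts_list in dsts.values():
        if len(ts_list) >= 4:
            ordered = sorted(ts_list)
            gaps = [b - a for a, b in zip(ordered, ordered[1:])]
            cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
            best_regularity = max(best_regularity, max(0.0, 1.0 - cv))
    return {
        "distinct_dsts": len(dsts),
        "new_dsts": sum(1 for d in dsts if d not in known_dsts),
        "bytes_out": sum(b for *_, b in flows),
        "beacon_regularity": best_regularity,
    }


def windows_by_day(flows):
    by_day = defaultdict(list)
    for f in flows:
        by_day[f[0] // 86400].append(f)
    return [by_day[d] for d in sorted(by_day)]


def build_baseline(flows):
    """Median and MAD-based scale of each feature across the baseline windows."""
    known = {dst for _, _, dst, _ in flows}
    rows = [features(w, known) for w in windows_by_day(flows)]
    model = {}
    for name, floor in SCALE_FLOOR.items():
        vals = [r[name] for r in rows]
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        model[name] = (med, max(1.4826 * mad, floor))  # 1.4826 makes MAD ~ sigma
    return known, model


def behavioural_alerts(flows, known, model, threshold=3.5):
    """Return features whose upward robust z-score exceeds the threshold."""
    f = features(flows, known)
    return {name: round((f[name] - med) / scale, 1)
            for name, (med, scale) in model.items()
            if (f[name] - med) / scale > threshold}


def signature_alerts(flows, known_bad):
    """Classic lookup: flag only destinations already on the blocklist."""
    return sorted({dst for _, _, dst, _ in flows if dst in known_bad})


if __name__ == "__main__":
    known, model = build_baseline(BASELINE_FLOWS)
    print("signature hits :", signature_alerts(REVIEW_FLOWS, KNOWN_BAD_DESTINATIONS))
    print("behavioral hits:", behavioural_alerts(REVIEW_FLOWS, known, model))
```

Only upward deviations are scored, since the question asked here is "is this host doing more than it used to"; a drop in activity is a different signal and would need its own rule. The scale floors are the part to tune in practice: a feature that never varied during baselining has a MAD of zero, and without a floor any change at all would score as extreme, which is the usual source of noisy alerts in baselining systems.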