Abstract: Methods, apparatus and articles of manufacture for behavioral detection of suspicious host activities in an enterprise are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices; extracting one or more features from said log data on a per host device basis, wherein said extracting comprises: determining a pattern of behavior associated with the multiple host devices based on said processing; and identifying said features representative of host device behavior based on the determined pattern of behavior; clustering the multiple host devices into one or more groups based on said one or more features; and identifying a behavioral anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices.