A method, system and computer-usable medium are disclosed for operating a collector at an endpoint device are disclosed. Certain embodiments include a computer-implemented method for operating an endpoint collector at an endpoint device, including: receiving, at an endpoint collector operating on the endpoint device, information corresponding to activities occurring on an endpoint platform; receiving, at the endpoint collector, one or more filter definitions; and selectively placing, by the endpoint collector, a plurality of events on a message bus, wherein a determination as to which events are placed by the endpoint collector on the message bus is based on the one or more filter definitions. Certain embodiments may include corresponding stand-alone and/or network computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform one or more of these actions.