Invention Grant
- Patent Title: Identifying suspected malware files and sites based on presence in known malicious environment
- Application No.: US14283089
- Application Date: 2014-05-20
- Publication No.: US10282544B2
- Publication Date: 2019-05-07
- Inventor: Tomer Brand, Dan Michelson
- Applicant: Microsoft Technology Licensing, LLC
- Applicant Address: US WA Redmond
- Assignee: Microsoft Technology Licensing, LLC
- Current Assignee: Microsoft Technology Licensing, LLC
- Current Assignee Address: US WA Redmond
- Agency: Klarquist Sparkman, LLP
- Main IPC: H04L29/06
- IPC: H04L29/06; G06F21/56

Abstract:
Disclosed herein is a system and method for identifying potential sources of malicious activity as well as identifying potentially malicious files that originated from suspected malicious sources. Using an anchor event and telemetry data from devices known to have been infected by malicious activity, similar events in the telemetry data between two devices can be identified. These satellite events are then used to identify other files that may have been deposited by the satellite event such that those files can be highlighted to a malware researcher. Additionally, the malware protection may be updated based on this analysis to label an associated site with the satellite event as a malicious site such that the site may be blocked or quarantined.
Public/Granted literature
- US20150341372A1 IDENTIFYING SUSPECTED MALWARE FILES AND SITES BASED ON PRESENCE IN KNOWN MALICIOUS ENVIRONMENT Public/Granted day: 2015-11-26