There is provided data-efficient threat detection method in a computer network. The method can include: receiving raw data related to a network node, generating local 5 behaviour models related to the network node; generating at least one common model of normal behaviour on the basis of local behaviour models related to multiple network nodes; filtering input events by using a measure for estimating the likelihood that the input event is produced by the generated common model of normal behaviour and/or by the generated one or more local behaviour models, wherein only input events having a 10 likelihood below a predetermined threshold of being produced by any one of the models are passed through the filtering; and processing input events passed through the filtering for generating a security related decision.