Kernel audit logs are a valuable source of information in the forensic investigation of a cyber attack. However, the coarse granularity of dependency information available in audit logs leads to the construction of huge attack graphs that contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which compartmentalizes the application logs by extracting high-level tasks from application contexts. To do so, ProPatrol learns a model of an application's high-level tasks by analyzing the sequence of system calls it generates. The benefit of this approach is that it treats an application as a black box and does not rely on binary instrumentation or source code modifications. Our experiments with enterprise-level attacks show that ProPatrol adds less than 2% runtime overhead, minimizes the manual investigation effort required for forensic analysis, and can quickly pinpoint the root cause of attacks.
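The dependency-explosion problem the abstract describes, and the effect of compartmentalizing a process's activity into tasks, can be seen on a small constructed trace. The following is an added example, not code from the ProPatrol paper: the audit events are constructed, and the task-boundary rule (a new task begins at every `accept` on a long-running server process) is a hypothetical stand-in for the task model that ProPatrol learns from system-call sequences. It builds data-flow edges two ways, once at process granularity and once at task granularity, and then traces backward from a suspicious file to its possible sources.

```python
"""Added example (not from the ProPatrol paper): dependency explosion in a
process-level provenance graph versus a task-partitioned one.

Assumptions, all hypothetical:
  - audit events are (seq, pid, syscall, object) tuples, constructed below;
  - a task boundary is signalled by an `accept` syscall (a placeholder for
    the learned task model ProPatrol derives from system-call sequences).
"""
from collections import defaultdict

# Constructed audit trace for one long-running server process (pid 100)
# that serves two clients in sequence. Client B's request results in a
# file being written to /tmp, which an analyst later wants to trace back.
EVENTS = [
    (1, 100, "accept", "sock:client-A"),
    (2, 100, "read", "sock:client-A"),
    (3, 100, "open", "file:/var/www/a.html"),
    (4, 100, "read", "file:/var/www/a.html"),
    (5, 100, "write", "sock:client-A"),
    (6, 100, "accept", "sock:client-B"),
    (7, 100, "read", "sock:client-B"),
    (8, 100, "open", "file:/tmp/upload.bin"),
    (9, 100, "write", "file:/tmp/upload.bin"),
    (10, 100, "write", "sock:client-B"),
]

INPUT_CALLS = {"read"}      # syscalls that bring data into the process
OUTPUT_CALLS = {"write"}    # syscalls that send data out of the process
TASK_START_CALL = "accept"  # hypothetical task-boundary marker


def label_tasks(events, start_call=TASK_START_CALL):
    """Prefix each event with a task id; a new task starts at start_call."""
    task = 0
    labeled = []
    for ev in events:
        if ev[2] == start_call:
            task += 1
        labeled.append((task,) + ev)
    return labeled


def build_edges(events, partition):
    """Return the set of (source_object, sink_object) data-flow edges.

    Coarse (partition=False): an output object depends on every input the
    process has read so far, which is what process-level audit logs imply.
    Partitioned (partition=True): an output depends only on inputs read
    earlier within the same task.
    """
    edges = set()
    inputs_seen = defaultdict(list)
    for task, _seq, pid, call, obj in label_tasks(events):
        key = (pid, task) if partition else pid
        if call in INPUT_CALLS:
            inputs_seen[key].append(obj)
        elif call in OUTPUT_CALLS:
            for src in inputs_seen[key]:
                if src != obj:  # reading and answering the same socket is not a flow
                    edges.add((src, obj))
    return edges


def backward_trace(edges, sink):
    """Objects that could have influenced `sink` according to `edges`."""
    return {src for src, dst in edges if dst == sink}


if __name__ == "__main__":
    sink = "file:/tmp/upload.bin"
    for partition in (False, True):
        edges = build_edges(EVENTS, partition)
        mode = "task-partitioned" if partition else "process-level"
        print(f"{mode}: {len(edges)} edges; {sink} traces back to "
              f"{sorted(backward_trace(edges, sink))}")
```

At process granularity the upload file appears to depend on client A's request and the static page served to it as well as on client B, so an investigator has to rule out two false leads; after partitioning, only client B's connection remains as the source.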