Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system parses the raw data into data fields. The security analytics system identifies a subset of the data fields based on the relevance of the data fields to detecting security threats in the local network. The security analytics system generates filtered data containing the subset of data fields and generates structured data based on the filtered data. The security analytics system identifies relationships between the plurality of entities, generates a set of features based on the structured data and the identified relationships, and generates one or more threat scores based on the set of features. The security analytics system detects malicious behavior performed by an entity in the local network based on the generated threat scores.