Systems and methods for detecting and responding to security threats using application execution and connection lineage tracing
Abstract:
Systems and methods for detecting security threats using application execution and connection lineage tracing, in accordance with embodiments of the invention, are disclosed. In one embodiment, detecting suspicious activity in a network includes receiving at a collector server first activity data including a first set of attributes, combining a first set of context information with the activity data to generate a first activity record, comparing the first activity record to a set of baseline signatures, incrementing a count of a first matching baseline signature when the first activity record has the same values for all attributes, receiving second activity data including a third set of attributes, combining a second set of context information with the second activity data to generate a second activity record, and generating an alert when the attributes of the second activity record differ from all baseline signatures.
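The matching logic the abstract describes (combine activity data with collector-side context, count exact matches against baseline signatures, alert when a record matches no signature), as an added illustration that is not the patent's own code. The attribute names, the host context and the sample connection events are constructed for the example.

```python
# Added example, not from the patent: baseline-signature matching over constructed
# process-execution / connection events, with collector-side context folded in.

def build_record(activity: dict, context: dict) -> frozenset:
    """Combine activity data reported by a sensor with context held at the collector
    (host role, parent process) into one activity record. A frozenset of
    (attribute, value) pairs lets records be compared on all attributes at once."""
    return frozenset({**activity, **context}.items())


class BaselineStore:
    """Baseline signatures keyed by their full attribute set, each with a match count."""

    def __init__(self):
        self.counts = {}  # signature (frozenset) -> number of matching records

    def learn(self, activity: dict, context: dict) -> None:
        """Learning phase: each observed record creates or reinforces a signature."""
        sig = build_record(activity, context)
        self.counts[sig] = self.counts.get(sig, 0) + 1

    def evaluate(self, activity: dict, context: dict):
        """Detection phase: a record equal to a baseline signature on every attribute
        increments that signature's count and returns None; a record that differs
        from all signatures returns an alert naming the attributes that deviate
        from the closest known signature."""
        record = build_record(activity, context)
        if record in self.counts:
            self.counts[record] += 1
            return None
        nearest = max(self.counts, key=lambda s: len(s & record), default=frozenset())
        return {
            "alert": "activity record matches no baseline signature",
            "record": dict(record),
            "deviating": sorted(attr for attr, _ in record - nearest),
        }


# Constructed sample data: a web server's routine backend connection, then an outlier.
CONTEXT = {"host_role": "web", "parent_process": "systemd"}
NORMAL = [{"process": "nginx", "user": "www-data", "dst_port": 5432, "dst": "app-db"}] * 3
SUSPECT = {"process": "nginx", "user": "www-data", "dst_port": 8081, "dst": "203.0.113.9"}


def demo():
    store = BaselineStore()
    for event in NORMAL:
        store.learn(event, CONTEXT)               # one signature, count 3
    baseline_ok = store.evaluate(NORMAL[0], CONTEXT)  # exact match: None, count -> 4
    alert = store.evaluate(SUSPECT, CONTEXT)          # differs on dst and dst_port
    return store, baseline_ok, alert
```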