Multi-tier aggregation for complex event correlation in streams
Abstract:
A system and method for detecting anomalous activity are disclosed. The method includes: collecting data from a plurality of data sources, wherein each data source generates a data stream; harmonizing each data stream using a computer processor so that the harmonized data is in a common format; generating behavior models based on the harmonized data using the computer processor; analyzing the harmonized data at a first level using the behavior models and the computer processor to generate meta-events, wherein the meta-events represent anomalous behavior; analyzing the meta-events at a second level using the computer processor to determine if an alert should be issued; and, when an alert should be issued, displaying the alert.
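The two-level analysis described in the abstract, as an added Python example that is not taken from the patent. The two log formats, the mean/standard-deviation behavior model, the z-score threshold, the 60-second window and the rule that an alert needs meta-events from two sources in the same window are all assumptions made for illustration.

```python
import json
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per counting window (assumed)

def harmonize(source, line):
    """Map one native record to the common (t, entity, source) format."""
    if source == "auth":  # constructed syslog-like line
        t, user = re.match(r"(\d+) sshd failed user=(\w+)", line).groups()
        return int(t), user, source
    rec = json.loads(line)  # constructed JSON proxy record
    return rec["ts"], rec["user"], source

def window_counts(events):
    return Counter((e, s, t // WINDOW) for t, e, s in events)  # per entity/source/window

def build_models(events, n_windows):
    """Behavior model: mean and floored stddev of per-window counts."""
    c = window_counts(events)
    series = {k[:2]: [c[k[:2] + (w,)] for w in range(n_windows)] for k in c}
    return {k: (mean(v), max(pstdev(v), 1.0)) for k, v in series.items()}

def tier1(events, models, z=3.0):
    """First level: one meta-event per window that deviates from the model."""
    out = []
    for (e, s, w), n in sorted(window_counts(events).items()):
        mu, sd = models.get((e, s), (0.0, 1.0))  # unseen pair: assume a quiet baseline
        if (n - mu) / sd >= z:
            out.append((e, s, w, n))
    return out

def tier2(metas, min_sources=2):
    """Second level: alert when one entity is anomalous in several sources at once."""
    seen = defaultdict(set)
    for entity, source, window, _ in metas:
        seen[(entity, window)].add(source)
    return sorted(k for k, srcs in seen.items() if len(srcs) >= min_sources)

def demo():
    """Constructed data: five quiet windows, then a burst in window 10."""
    auth = lambda u, t, n: [("auth", f"{t + i} sshd failed user={u}") for i in range(n)]
    web = lambda u, t, n: [("proxy", json.dumps({"ts": t + i, "user": u})) for i in range(n)]
    train = [r for w in range(5) for r in
             auth("alice", w * WINDOW, 1) + web("alice", w * WINDOW, 2) + auth("bob", w * WINDOW, 1)]
    live = auth("alice", 600, 8) + web("alice", 600, 12) + auth("bob", 600, 9)
    metas = tier1([harmonize(*r) for r in live], build_models([harmonize(*r) for r in train], 5))
    return metas, tier2(metas)
```

In the constructed data, bob's burst of failed logins produces a first-level meta-event but no alert, because only alice is anomalous in both sources during the same window.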