A security system obtains data logs from a set of security applications that each output data of different data types and in different formats. A filtering module obtains the data from the security applications as an input message stream and processes the into message stream into an output message stream with messages in a standardized format for processing by a security engine. The filtering module includes a set of filters each tailored to process data from a different data source. The filtering module detects the data source from analysis of the data and applies the corresponding filter to generate the output message stream. The security engine then detects patterns in the output data stream and provides alerts to an administrative interface when it detects a pattern indicative of malicious activity.