Security, privacy and freedom of people are the values that must be protected whenever it is possible but not for the sake of criminals. In the Internet those values are often endangered or misused by individuals with bad intentions. Thus, we need smart security monitoring to protect ourselves and provide tools for legal investigators. We would like to show how the network level information can be combined with user centric data (e.g. authentication logs, mail logs) in the graph model and analysed in NoSQL like graph database. Our initial graph model for network flows is like social network of hosts. It allows us to spot interacting groups of hosts and services, to observe changes in communication patterns from the topological and volumetric points of view. In current research we would like to add an additional dimension – people. Data from the authentication systems will allow to link the particular user account with network flows and hosts, thus for example in the case of a security breach we will be able to identify potentially broader spectrum of affected users (users that have direct and indirect links with the compromised machine). This is an ongoing work and multiple scenarios will be investigated including frauds and data leaks.