Mike: A Splunk-Native Intelligent Agent That Converts SOC Analysts' Reasoning into Queryable Knowledge Graphs

Mike is a Splunk-native agent that converts SOC analysts' reasoning processes into queryable organizational knowledge graphs, supporting access via SPL, Python CLI, and MCP servers.

Tags: Splunk, SOC, security operations, knowledge graph, threat hunting, incident response, MCP, security analysis
Published 2026-06-14 00:15. Recent activity 2026-06-14 00:21. Estimated read: 6 min.

Mike is a Splunk-native intelligent agent designed specifically for Security Operations Centers (SOCs). Its core innovation is converting analysts' reasoning processes into structured, queryable organizational knowledge graphs, addressing the problem of retaining and reusing knowledge in security analysis. It supports access through three interfaces (SPL, a Python CLI, and MCP servers) to support the intelligent transformation of SOCs.

Project Background and Source Information

Core Features and Architecture Design

Knowledge Graph Construction

Mike automatically constructs knowledge graphs by analyzing SOC analysts' query behaviors and investigation paths. It not only records "what was queried" but, more importantly, the "why behind the query" and the reasoning logic underneath.

Multi-Interface Access Support

Mike provides three access methods:

  1. SPL (Search Processing Language): Query the knowledge graph directly within the Splunk environment using its native query language
  2. Python CLI: Provides a command-line interface for automated scripts and batch operations
  3. MCP (Model Context Protocol) Server: Supports integration with modern AI assistants and intelligent agents

Analysis of Technical Highlights

Reasoning Process Capture

Unlike traditional log recording tools, Mike focuses on capturing analysts' reasoning chains:

  • Track the contextual relationships of query sequences
  • Identify key decision points and branching paths
  • Extract reusable investigation patterns

Organizational Knowledge Retention

Mike converts individual analysts' experience into structured knowledge, helping organizations:

  • Shorten the learning curve for new analysts
  • Establish standardized investigation processes
  • Preserve the valuable experience of departing analysts

Key Application Scenarios

  1. Threat Hunting: Use the knowledge graph to quickly identify historical investigation paths for similar threats, accelerating threat discovery
  2. Incident Response: Recommend best-practice investigation steps based on historical cases in emergency scenarios
  3. Training and Knowledge Inheritance: New analysts learn the investigation ideas and techniques of senior colleagues by querying the knowledge graph
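The capture-and-reuse idea from the two preceding sections, as an added Python sketch that is not Mike's own code, data model or API: constructed investigation sessions (an SPL query plus the analyst's stated reason) become a graph whose nodes are generalised query templates and whose edges count observed transitions, so a new investigation can ask what past analysts did next and where earlier investigations branched. The structural field set, the normalisation rule and the session data are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Source-identifying values are kept; users, IPs and hosts are generalised so similar steps share a node.
STRUCTURAL_FIELDS = {"index", "sourcetype", "action"}

def template(spl):
    """Normalise an SPL query into a reusable investigation step (assumed rule)."""
    def generalise(m):
        field, value = m.group(1), m.group(2)
        return f"{field}={value}" if field in STRUCTURAL_FIELDS else f"{field}=<v>"
    return re.sub(r'(\w+)=("[^"]*"|\S+)', generalise, " ".join(spl.split()))

class ReasoningGraph:
    def __init__(self, sessions=()):
        self.edges = defaultdict(lambda: defaultdict(int))  # step -> next step -> count
        self.rationale = defaultdict(set)                   # step -> reasons analysts gave
        for steps in sessions:
            self.add_session(steps)

    def add_session(self, steps):
        """Record one investigation: an ordered list of (query, why) pairs."""
        prev = None
        for spl, why in steps:
            node = template(spl)
            self.rationale[node].add(why)
            if prev is not None:
                self.edges[prev][node] += 1
            prev = node

    def next_steps(self, spl, k=3):
        """Rank what past analysts did after this step, with their stated reasons."""
        ranked = sorted(self.edges.get(template(spl), {}).items(), key=lambda kv: -kv[1])
        return [(nxt, n, sorted(self.rationale[nxt])) for nxt, n in ranked[:k]]

    def decision_points(self):
        """Steps after which past investigations diverged (branching paths)."""
        return sorted(s for s, nxt in self.edges.items() if len(nxt) > 1)

# Constructed sessions standing in for captured analyst activity: (query, why).
SESSIONS = [
    [("search index=auth action=failure user=jdoe", "burst of failed logins"),
     ("search index=auth action=success user=jdoe | stats values(src_ip)", "did any attempt succeed"),
     ("search index=proxy src_ip=10.0.0.5 | stats count by dest", "what the source reached next")],
    [("search index=auth action=failure user=asmith", "password spray candidate"),
     ("search index=auth action=success user=asmith | stats values(src_ip)", "check for a success"),
     ("search index=endpoint host=ws-12 | stats count by process", "process activity on the host")],
    [("search index=auth action=failure user=bwong", "burst of failed logins"),
     ("search index=auth action=success user=bwong | stats values(src_ip)", "did any attempt succeed"),
     ("search index=proxy src_ip=10.0.0.9 | stats count by dest", "what the source reached next")],
]
```

`ReasoningGraph(SESSIONS).next_steps(query)` answers the incident-response question above (what did experienced analysts do after this step, and why), while `decision_points()` surfaces the branching steps worth documenting for new analysts.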

Comparative Advantages Over Existing Tools

Compared to traditional SIEM tools and security orchestration platforms, Mike's unique features include:

  • Focus on reasoning, not just results: records the reasoning process alongside query results
  • Native Splunk integration: No additional data migration or complex integration required
  • Open interfaces: The MCP protocol supports collaboration with various modern AI tools

Summary and Future Outlook

Mike represents a new paradigm for knowledge management in the security operations field. By converting human analysts' intuition and experience into machine-queryable knowledge graphs, it provides the infrastructure for the intelligent transformation of SOCs. In the future, it is expected to play a greater role in areas such as automated threat detection, intelligent incident classification, and predictive security analysis.