Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for a system to create and employ associative memory maps for analysis of security file and/or logs are disclosed. In one aspect, a method includes the actions of receiving, from an external application, a request for a recommended action; extracting information regarding the entities and relationships between the entities from a data source; constructing an associative memory map from the extracted information; selecting a subgraph from the associative memory map based on a result of employing a vector to search nodes in the associative memory map; identifying the nodes most relevant to the requested recommend action base on a shortest paths of traversal in the selected subgraph of nodes; determining the requested recommended action based on an event identified in the relationships between the identified most relevant nodes; and transmitting the recommended action to the external application.