SIEM Operations

Project Summary

Field              Value
PRJ ID             PRJ-SPOKE-004
Owner              Evan Rosado
Priority           P1 (High)
Status             Active
Repository         ~/atelier/_bibliotheca/domus-siem-ops
Antora Component   siem-ops
Antora Title       SIEM Operations
Category           Observability
2026 Commits       18
Site URL           docs.domusdigitalis.dev/siem-ops/

Purpose

The SIEM Operations component documents security information and event management across multiple platforms: IBM QRadar, Microsoft Sentinel, Wazuh, and Splunk. It provides detection engineering patterns, AQL/KQL query references, Windows Event ID mappings, LOLBin detection rules, and investigation playbooks.

This repo directly supports the QRadar-to-Sentinel migration project at CHLA and captures enterprise SIEM operational knowledge portable across vendors.

Scope

In Scope

  • QRadar AQL query patterns and detection rules

  • Microsoft Sentinel KQL analytics and workbooks

  • Wazuh manager deployment and agent configuration

  • Splunk SPL query patterns

  • Windows Event ID reference and detection mappings

  • Remote access tool detection (LogMeIn, VNC, RDP anomalies)

  • LOLBin and suspicious process detection

  • Investigation playbook templates

  • SIEM API integration (QRadar SEC token, Sentinel OAuth)

Out of Scope

  • Prometheus/Grafana observability (covered by o11y-ops)

  • Network device monitoring (covered by infra-ops)

  • Endpoint agent deployment (covered by linux-ops / windows-ops)

Status

Indicator          Detail
Activity Level     Active — 18 commits, detection engineering focus
Maturity           Early Production — comprehensive attribute system, multi-SIEM coverage
Last Activity      2026
Key Milestone      QRadar-to-Sentinel migration documentation
Deployment Status  Wazuh running on k3s in home lab; QRadar/Sentinel at CHLA

Metadata

Field              Value
PRJ ID             PRJ-SPOKE-004
Author             Evan Rosado
Date Created       2026-03-30
Last Updated       2026-03-30
Status             Active
Next Review        2026-04-15