SIEM Fundamentals

Overview

Regardless of vendor, Security Information and Event Management (SIEM) platforms share the same architectural pattern: collect logs from many sources, normalize them into a common schema, and run detection logic over the normalized stream.

Core Components

Log Collection

  • Agents - Installed on endpoints; examples are the Wazuh agent, the Azure Monitor Agent (AMA) used by Sentinel, and the Splunk Universal Forwarder (UF)

  • Syslog - Network devices and Linux systems that push messages to a collector (UDP/TCP 514, or TLS for integrity in transit)

  • API Ingestion - Cloud services and SaaS applications that expose audit logs through an API rather than a local log file

  • Windows Event Forwarding (WEF) - Agentless, native Windows collection in which hosts forward events to a Windows Event Collector

Normalization

Raw logs are parsed and mapped to a common schema so that one detection can apply to many sources:

  • QRadar: DSM (Device Support Module) parsing, then mapping of each event to a QID (QRadar Identifier)

  • Sentinel: ASIM (Advanced Security Information Model) parsers and normalized tables

  • Splunk: CIM (Common Information Model) data models, with field aliases and tags supplied by add-ons

  • Wazuh: Decoders extract fields from the raw line; rules then match on the decoded fields

Detection

  • Correlation Rules - Multi-event pattern matching, such as N failed logons followed by a success from the same source

  • Anomaly Detection - Deviation from a learned baseline of normal volume or behaviour

  • Threat Intelligence - Matching observed indicators (IPs, domains, hashes) against IOC feeds

  • MITRE ATT&CK - Detections tagged to techniques so coverage gaps can be tracked

Query Language Comparison

The same question, a count of failed Windows logons (Event ID 4625) per account, in each platform's query or rule language:

  • QRadar (AQL):

    SELECT username, COUNT(*) AS failures FROM events WHERE "EventID" = '4625' GROUP BY username LAST 24 HOURS

    Note that qid is QRadar's own event identifier assigned by the DSM, not the Windows event ID; filtering on qid=4625 would match an unrelated QRadar event. The Windows event ID is exposed as the "EventID" custom event property, which must be double-quoted in AQL.

  • Sentinel (KQL):

    SecurityEvent | where EventID == 4625 | summarize FailedLogons = count() by Account

  • Splunk (SPL):

    index=windows EventCode=4625 | stats count by user

  • Wazuh (rule XML, single-event rule):

    <rule id="18106" level="10">
      <if_sid>18105</if_sid>
      <match>Logon failure</match>
      <description>Windows logon failure.</description>
      <group>authentication_failed,</group>
    </rule>

    Wazuh rules fire per event rather than aggregating; the per-account count is done in the indexer or dashboard, or by a frequency/timeframe rule that uses if_matched_sid on this rule. Custom rules belong in the 100000-119999 ID range, and matching the free-text "Logon failure" is more brittle than matching the decoded field (for eventchannel logs, <field name="win.system.eventID">^4625$</field>).
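The following is an added example, not code from the page or from any of the vendors above. It shows the three pipeline stages in miniature: two constructed raw log formats (a flattened Windows Security event and an OpenSSH syslog line) are normalized into one schema, the per-user failed-logon count asked by the four queries above is computed on that schema, and a correlation rule counts failures per source IP across both sources inside a sliding window. The schema field names (time, source, outcome, user, src_ip) and the sample log lines are assumptions made for the example; they are not ASIM, CIM or QRadar property names.

```python
"""Toy SIEM pipeline: normalize two raw log formats into one schema, count
failures per user, and run a cross-source correlation rule.  Added example;
the schema field names are illustrative, not ASIM, CIM or QRadar properties."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not real captures). 203.0.113.7 plays the attacker.
WINDOWS_LOGS = [
    "2024-05-01T12:00:01Z host=WS01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006A",
    "2024-05-01T12:00:05Z host=WS01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006A",
    "2024-05-01T12:00:09Z host=WS01 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 Status=0xC000006A",
    "2024-05-01T12:30:00Z host=WS01 EventID=4624 TargetUserName=alice IpAddress=198.51.100.2 LogonType=3",
]
SSHD_LOGS = [
    "2024-05-01T12:00:02Z srv01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "2024-05-01T12:00:06Z srv01 sshd[2212]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "2024-05-01T12:00:40Z srv01 sshd[2213]: Accepted publickey for deploy from 198.51.100.2 port 40001 ssh2",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def _ts(s):
    # Python < 3.11 fromisoformat() does not accept a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_windows(line):
    """Flattened Windows Security event -> common schema (4624/4625 only)."""
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    if kv.get("EventID") not in ("4624", "4625"):
        return None  # not a logon outcome event for this example
    return {"time": _ts(ts), "source": "windows", "host": kv.get("host"),
            "event_type": "logon",
            "outcome": "failure" if kv["EventID"] == "4625" else "success",
            "user": kv.get("TargetUserName"), "src_ip": kv.get("IpAddress")}


def normalize_sshd(line):
    """OpenSSH syslog line -> common schema."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # e.g. pam_unix session open/close lines
    return {"time": _ts(m["ts"]), "source": "sshd", "host": m["host"],
            "event_type": "logon",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["ip"]}


def normalize_all(windows_logs=WINDOWS_LOGS, sshd_logs=SSHD_LOGS):
    events = [normalize_windows(l) for l in windows_logs]
    events += [normalize_sshd(l) for l in sshd_logs]
    return sorted((e for e in events if e), key=lambda e: e["time"])


def failed_logons_by_user(events):
    """Schema-level equivalent of `... 4625 | summarize count() by Account`."""
    counts = defaultdict(int)
    for e in events:
        if e["event_type"] == "logon" and e["outcome"] == "failure":
            counts[e["user"]] += 1
    return dict(counts)


def correlate_failures(events, threshold=3, window_s=60):
    """Correlation rule: `threshold` logon failures from one source IP within
    `window_s` seconds, counted across every log source.  Fires once per IP
    when the threshold is first crossed; a production rule would also re-arm."""
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] != "failure":
            continue
        q = recent[e["src_ip"]]
        q.append(e)
        while (e["time"] - q[0]["time"]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        if len(q) >= threshold and e["src_ip"] not in fired:
            fired.add(e["src_ip"])
            alerts.append({"rule": "brute_force_multi_source",
                           "src_ip": e["src_ip"], "count": len(q),
                           "users": sorted({x["user"] for x in q}),
                           "sources": sorted({x["source"] for x in q}),
                           "first": q[0]["time"], "last": e["time"]})
    return alerts


if __name__ == "__main__":
    evs = normalize_all()
    print(failed_logons_by_user(evs))
    for alert in correlate_failures(evs):
        print(alert)
```

With the constructed input the per-user count is alice 2, bob 1, admin 1, root 1, which is what each of the four platform queries would return for its own source; the correlation rule fires once for 203.0.113.7 after the third failure, attributing it to both the windows and sshd sources, which none of the single-source queries above can do on their own.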