Security Information and Event Management (SIEM) systems are essential for large enterprises to monitor their IT infrastructure by ingesting and analyzing millions of logs and events daily. Security Operations Center (SOC) analysts are tasked with monitoring and analyzing this vast data to identify potential threats and take preventive actions to protect enterprise assets. However, the diversity among SIEM platforms, such as Palo Alto Networks Qradar, Google SecOps, Splunk, Microsoft Sentinel and the Elastic Stack, poses significant challenges. As these systems differ in attributes, architecture, and query languages, making it difficult for analysts to effectively monitor multiple platforms without undergoing extensive training or forcing enterprises to expand their workforce. To address this issue, we introduce SynRAG, a unified framework that automatically generates threat detection or incident investigation queries for multiple SIEM platforms from a platform-agnostic specification. SynRAG can generate platformspecific queries from a single high-level specification written by analysts. Without SynRAG, analysts would need to manually write separate queries for each SIEM platform, since query languages vary significantly across systems. This framework enables seamless threat detection and incident investigation across heterogeneous SIEM environments, reducing the need for specialized training and manual query translation. We evaluate SynRAG against state-of-the-art language models, including GPT, Llama, DeepSeek, Gemma, and Claude, using Qradar and SecOps as representative SIEM systems. Our results demonstrate that SynRAG generates significantly better queries for crossSIEM threat detection and incident investigation compared to the state-of-the-art base models.

翻译：安全信息与事件管理（SIEM）系统对大型企业监控其IT基础设施至关重要，其每日需摄入并分析数百万条日志与事件。安全运营中心（SOC）分析师负责监控和分析这些海量数据，以识别潜在威胁并采取防护措施保护企业资产。然而，SIEM平台（如Palo Alto Networks Qradar、Google SecOps、Splunk、Microsoft Sentinel和Elastic Stack）的多样性带来了重大挑战。由于这些系统在属性、架构和查询语言上存在差异，分析师难以在不接受大量培训或企业被迫扩充人力的情况下有效监控多平台。为解决此问题，我们提出了SynRAG——一个统一框架，能够从平台无关的规范自动生成适用于多个SIEM平台的威胁检测或事件调查查询。SynRAG可从分析师编写的单一高层规范生成平台特定的查询。若无SynRAG，由于各系统查询语言差异显著，分析师需为每个SIEM平台手动编写独立查询。该框架实现了跨异构SIEM环境的无缝威胁检测与事件调查，减少了对专业培训和手动查询翻译的需求。我们以Qradar和SecOps作为代表性SIEM系统，将SynRAG与包括GPT、Llama、DeepSeek、Gemma和Claude在内的前沿语言模型进行对比评估。实验结果表明，相较于当前最先进的基线模型，SynRAG能为跨SIEM威胁检测和事件调查生成显著更优的查询。