Table of Contents
Fetching ...

SynRAG: A Large Language Model Framework for Executable Query Generation in Heterogeneous SIEM System

Md Hasan Saju, Austin Page, Akramul Azim, Jeff Gardiner, Farzaneh Abazari, Frank Eargle

TL;DR

SynRAG tackles the challenge of cross-SIEM query generation by using a Retrieval-Augmented Generation pipeline trained on platform-specific documentation to generate executable queries from a platform-agnostic YAML threat specification. It combines a knowledge base built from QRadar AQL and Google SecOps docs with a syntax-constrained generation step to produce valid AQL and YARA-L queries, respectively, for QRadar and SecOps. Evaluations against multiple baselines show SynRAG achieves higher syntactic and semantic fidelity (BLEU and ROUGE-L) and a higher rate of executable queries, demonstrating practical utility for SOC analysts operating across heterogeneous SIEM environments. The work lays a foundation for scalable cross-SIEM automation, with planned expansion to more platforms and larger benchmark datasets to broaden applicability and impact in enterprise security operations.

Abstract

Security Information and Event Management (SIEM) systems are essential for large enterprises to monitor their IT infrastructure by ingesting and analyzing millions of logs and events daily. Security Operations Center (SOC) analysts are tasked with monitoring and analyzing this vast data to identify potential threats and take preventive actions to protect enterprise assets. However, the diversity among SIEM platforms, such as Palo Alto Networks Qradar, Google SecOps, Splunk, Microsoft Sentinel and the Elastic Stack, poses significant challenges. As these systems differ in attributes, architecture, and query languages, making it difficult for analysts to effectively monitor multiple platforms without undergoing extensive training or forcing enterprises to expand their workforce. To address this issue, we introduce SynRAG, a unified framework that automatically generates threat detection or incident investigation queries for multiple SIEM platforms from a platform-agnostic specification. SynRAG can generate platformspecific queries from a single high-level specification written by analysts. Without SynRAG, analysts would need to manually write separate queries for each SIEM platform, since query languages vary significantly across systems. This framework enables seamless threat detection and incident investigation across heterogeneous SIEM environments, reducing the need for specialized training and manual query translation. We evaluate SynRAG against state-of-the-art language models, including GPT, Llama, DeepSeek, Gemma, and Claude, using Qradar and SecOps as representative SIEM systems. Our results demonstrate that SynRAG generates significantly better queries for crossSIEM threat detection and incident investigation compared to the state-of-the-art base models.

SynRAG: A Large Language Model Framework for Executable Query Generation in Heterogeneous SIEM System

TL;DR

SynRAG tackles the challenge of cross-SIEM query generation by using a Retrieval-Augmented Generation pipeline trained on platform-specific documentation to generate executable queries from a platform-agnostic YAML threat specification. It combines a knowledge base built from QRadar AQL and Google SecOps docs with a syntax-constrained generation step to produce valid AQL and YARA-L queries, respectively, for QRadar and SecOps. Evaluations against multiple baselines show SynRAG achieves higher syntactic and semantic fidelity (BLEU and ROUGE-L) and a higher rate of executable queries, demonstrating practical utility for SOC analysts operating across heterogeneous SIEM environments. The work lays a foundation for scalable cross-SIEM automation, with planned expansion to more platforms and larger benchmark datasets to broaden applicability and impact in enterprise security operations.

Abstract

Security Information and Event Management (SIEM) systems are essential for large enterprises to monitor their IT infrastructure by ingesting and analyzing millions of logs and events daily. Security Operations Center (SOC) analysts are tasked with monitoring and analyzing this vast data to identify potential threats and take preventive actions to protect enterprise assets. However, the diversity among SIEM platforms, such as Palo Alto Networks Qradar, Google SecOps, Splunk, Microsoft Sentinel and the Elastic Stack, poses significant challenges. As these systems differ in attributes, architecture, and query languages, making it difficult for analysts to effectively monitor multiple platforms without undergoing extensive training or forcing enterprises to expand their workforce. To address this issue, we introduce SynRAG, a unified framework that automatically generates threat detection or incident investigation queries for multiple SIEM platforms from a platform-agnostic specification. SynRAG can generate platformspecific queries from a single high-level specification written by analysts. Without SynRAG, analysts would need to manually write separate queries for each SIEM platform, since query languages vary significantly across systems. This framework enables seamless threat detection and incident investigation across heterogeneous SIEM environments, reducing the need for specialized training and manual query translation. We evaluate SynRAG against state-of-the-art language models, including GPT, Llama, DeepSeek, Gemma, and Claude, using Qradar and SecOps as representative SIEM systems. Our results demonstrate that SynRAG generates significantly better queries for crossSIEM threat detection and incident investigation compared to the state-of-the-art base models.
Paper Structure (13 sections, 3 figures, 1 table)

This paper contains 13 sections, 3 figures, 1 table.

Figures (3)

  • Figure 1: SynRAG Architecture
  • Figure 2: Output Query Comparison
  • Figure 3: Instructional prompt for the AQL Query Generation task.