SIEM Integration Framework

Architecture and patterns from three production Wazuh integrations — documented for humans and LLMs.

This repo captures what I learned building three production Wazuh wodle integrations (1Password, Proofpoint TAP, Cortex XDR). The architecture was the same each time. The templates, docs, and LLM-ready references here let you apply the same approach to any vendor API.

Documentation

Architecture

• Overview — The integration architecture and its components
• Data flow — How events move from vendor API to SIEM dashboard
• Design principles — The production lessons behind every decision

Build process

• Phase 1: Planning — API research, event mapping, rule ID reservation
• Phase 2: Building — Implementing the integration
• Phase 3: Testing — Validation, debugging, edge cases
• Phase 4: Deploying — Installation and production rollout
• Phase 5: Documenting — The three standard guides and README

Guides

• AI-assisted building — How to use LLMs effectively throughout the process
• Adapting to other SIEMs — Splunk, Sentinel, Elastic, QRadar
• Security checklist — Pre-release security review

Reference

• Repository structure — Standard layout every integration follows
• Coding conventions — Python style, naming, error handling
• Rule design — Decoder and rule patterns for Wazuh

Quick links

• GitHub repo — Templates, LLM references, and source
• LLM reference files — Machine-readable blueprints for AI-assisted development
• Templates — Scaffold files to copy and customize
• Production integrations — wazuh-1password · wazuh-proofpoint · wazuh-cortex-xdr