How Exactly Would the SIEM Raise an Alert?

Well, now you know that the logs from different devices are being forwarded into the SIEM. Take an example: a port scan is initiated against a specific machine. In such a case, the machine (and the firewall in front of it) would generate a lot of unusual logs.

Analyzing the logs, it becomes clear that a number of connection failures are occurring on different ports at regular intervals.

If packet data is also available, we can see SYN requests being sent from the same source IP to the same destination IP, but to different ports, at regular intervals. That indicates that somebody initiated a SYN scan against our asset.

The SIEM automates this process and raises alerts. Different solutions do this in different ways, but they produce the same result.
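To make the correlation step concrete, here is an added example (not code from the original page or from any SIEM product) of the kind of rule a SIEM runs over forwarded logs: it parses firewall deny events, groups them by source and destination, and raises an alert when one source touches many distinct ports on one host inside a short time window. The log format, field names, IP addresses, threshold and window length are all assumptions made for illustration; the sample log lines are constructed.

```python
"""Toy port-scan detection rule over constructed firewall deny logs.

Added example, not part of the original page or any SIEM product. The log
format, field names, IP addresses, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one DENY line per SYN the firewall refused.
# 10.0.0.5 probes twelve ports on 192.168.1.10 two seconds apart (a scan);
# 10.0.0.7 retries SSH three times (benign); 10.0.0.9 touches two ports.
SAMPLE_LOGS = """\
2024-05-01T10:00:00 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=21 flags=S
2024-05-01T10:00:02 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=22 flags=S
2024-05-01T10:00:04 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=23 flags=S
2024-05-01T10:00:06 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=25 flags=S
2024-05-01T10:00:08 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=53 flags=S
2024-05-01T10:00:10 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=80 flags=S
2024-05-01T10:00:12 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=110 flags=S
2024-05-01T10:00:14 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=135 flags=S
2024-05-01T10:00:16 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=139 flags=S
2024-05-01T10:00:18 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=443 flags=S
2024-05-01T10:00:20 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=445 flags=S
2024-05-01T10:00:22 DENY TCP src=10.0.0.5 dst=192.168.1.10 dport=3389 flags=S
2024-05-01T10:00:05 DENY TCP src=10.0.0.7 dst=192.168.1.10 dport=22 flags=S
2024-05-01T10:00:35 DENY TCP src=10.0.0.7 dst=192.168.1.10 dport=22 flags=S
2024-05-01T10:01:05 DENY TCP src=10.0.0.7 dst=192.168.1.10 dport=22 flags=S
2024-05-01T10:00:09 DENY TCP src=10.0.0.9 dst=192.168.1.10 dport=80 flags=S
2024-05-01T10:00:11 DENY TCP src=10.0.0.9 dst=192.168.1.10 dport=443 flags=S
this line is not in the expected format and is skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY TCP src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<port>\d+) flags=S$"
)


def parse_logs(text):
    """Turn raw log text into event dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
        })
    return events


def detect_port_scans(events, threshold=10, window=timedelta(seconds=60)):
    """Raise one alert per (src, dst) pair that hits at least `threshold`
    distinct ports within any sliding time window of length `window`."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        in_window = defaultdict(int)  # port -> number of events inside the window
        for ev in evs:
            in_window[ev["port"]] += 1
            # Slide the left edge forward until the window fits again.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["port"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "rule": "possible_syn_port_scan",
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(in_window),
                    "first_seen": evs[left]["ts"],
                    "last_seen": ev["ts"],
                })
                break  # one alert per pair is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run as-is, the rule fires once, for 10.0.0.5 against 192.168.1.10, at the moment the tenth distinct port is seen; the repeated SSH retries from 10.0.0.7 and the two ports touched by 10.0.0.9 stay below the threshold. Counting distinct ports per source/destination pair rather than raw deny events is what keeps a single noisy client from tripping the rule; a production SIEM rule would additionally exclude authorized vulnerability scanners and tune the threshold and window to the environment.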