"Rule conversion can be performed manually by security experts, which are slow and imposes a heavy workload," the paper states.
What ARuleCon is: agentic rule translation for SIEMs
Academics from the National University of Singapore and Fudan University presented a paper titled “ARuleCon: Agentic Security Rule Conversion” that describes a new technique to translate detection rules between disparate Security Information and Event Management systems (SIEMs). The authors built an "agentic RAG [retrieval augmented generation] pipeline" that retrieves official vendor documentation to resolve schema and convention mismatches, and a Python-based consistency check that runs source and target rules in controlled test environments to reduce semantic drift.
Why SIEM rule translation matters — and why it's hard
SIEMs gather logs and let security teams encode alerting logic as rules — for example, an “impossible travel” alert that fires when the same user logs in from New York and London within an hour. In practice many organizations operate multiple SIEMs, which means a rule created for one product cannot be used verbatim in another because each vendor uses its own proprietary schema. The paper notes that manual conversion by security experts is slow and burdensome, and that commonly used tools and frameworks do not fully address the complexity: the authors say that the Sigma framework and other existing translation tools “don’t do well with complex or interlinked rules.” The researchers also point out that a Microsoft tool can shift Splunk rules into Microsoft Sentinel but cannot handle other SIEMs.
How ARuleCon works in practice
The authors describe a two-part approach. First, the agentic RAG pipeline retrieves authoritative, vendor-specific documentation as grounding information so the system can translate conventions and schemas correctly. Second, ARuleCon applies a Python-based consistency check that executes both the original and the converted rule in controlled test environments to detect subtle semantic differences. Together these steps aim to preserve the original rule’s detection value while producing a target-rule artifact that matches vendor-specific expectations.
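The consistency check described above, as an added illustration that is not ARuleCon's own code: a source rule and its converted form are run over one constructed set of login events, and the alert sets are diffed to surface semantic drift. The field names, the two schemas and the rule logic (a sliding one-hour window versus a fixed hourly bin) are assumptions made for the example.

```python
"""Added illustration (not ARuleCon's code): run a source rule and its
converted form over one controlled event set and diff the alerts.
Schemas, field names and rule logic are assumptions."""
from datetime import datetime, timedelta

# Constructed login events in a Splunk-style schema (assumed field names).
SOURCE_EVENTS = [
    {"user": "alice", "src_city": "New York", "_time": "2024-05-01T09:00:00"},
    {"user": "alice", "src_city": "London",   "_time": "2024-05-01T09:40:00"},
    {"user": "bob",   "src_city": "Paris",    "_time": "2024-05-01T10:00:00"},
    {"user": "bob",   "src_city": "Paris",    "_time": "2024-05-01T10:30:00"},
    {"user": "carol", "src_city": "Tokyo",    "_time": "2024-05-01T10:50:00"},
    {"user": "carol", "src_city": "Osaka",    "_time": "2024-05-01T11:10:00"},
]

def to_target_schema(events):
    """Schema mapping to a Sentinel-style table (assumed column names)."""
    return [{"UserPrincipalName": e["user"], "Location": e["src_city"],
             "TimeGenerated": datetime.fromisoformat(e["_time"])} for e in events]

def source_rule(events, window=timedelta(hours=1)):
    """Source rule: sliding window; consecutive logins by one user from
    different cities no more than `window` apart raise an alert for that user."""
    alerts, last = set(), {}
    for e in sorted(events, key=lambda e: e["_time"]):
        prev = last.get(e["user"])
        if prev and prev["src_city"] != e["src_city"] and \
                datetime.fromisoformat(e["_time"]) - datetime.fromisoformat(prev["_time"]) <= window:
            alerts.add(e["user"])
        last[e["user"]] = e
    return alerts

def converted_rule(rows):
    """Converted rule: 'within an hour' was rendered as a fixed hourly bin,
    so it counts distinct locations per user per clock hour. This drifts from
    the sliding window whenever the two logins straddle an hour boundary."""
    locations = {}
    for r in rows:
        key = (r["UserPrincipalName"], r["TimeGenerated"].replace(minute=0, second=0))
        locations.setdefault(key, set()).add(r["Location"])
    return {user for (user, _), locs in locations.items() if len(locs) > 1}

def consistency_check(events):
    """Run both rules on the same test events and report where alerts disagree."""
    expected = source_rule(events)
    actual = converted_rule(to_target_schema(events))
    return {"missed_by_target": sorted(expected - actual),
            "extra_in_target": sorted(actual - expected),
            "consistent": expected == actual}

if __name__ == "__main__":
    print(consistency_check(SOURCE_EVENTS))
    # {'missed_by_target': ['carol'], 'extra_in_target': [], 'consistent': False}
```

Carol's logins at 10:50 and 11:10 are 20 minutes apart but fall in different hourly bins, so the converted rule silently loses that detection; the diff makes the drift visible before the rule is deployed.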
Which products ARuleCon can translate — and how well
In short, the researchers built an agentic system capable of translating rules across multiple commercial SIEMs. The paper lists Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle and RSA NetWitness as supported formats. The authors report that ARuleCon can map a proprietary rule format used by one vendor into formats for several rival platforms and that its conversions are more accurate than using a generic large language model (LLM) alone. The paper also cautions that not all conversions are “brilliant” — accuracy varies with rule complexity and vendor-specific details.
What this means for SOCs, consolidation, and migrations
Lead author Ming Xu told The Register she hopes ARuleCon will help organizations considering SIEM consolidation or migration by reducing the manual workload of rewriting rules. For security operations centers (SOCs), that would mean fewer hours spent hand-editing detection logic and less risk that an important alert is lost in translation. The paper positions ARuleCon as a scalable, vendor-neutral framework that retains existing rule value while easing SOC workloads.
What this means for technologists, procurement leaders, and defenders
- Technologists and security teams: ARuleCon offers a technical pathway to move rule sets without wholesale manual reauthoring; teams will want to validate conversions, especially for complex or interlinked rules where the paper reports mixed results.
- Procurement leaders and IT operations: The translation capability could lower the migration cost and friction associated with consolidating SIEM platforms, potentially enabling planning that takes rule portability into account.
- Defenders in SOCs: The approach emphasizes a test-driven consistency check — defenders should expect to audit converted rules in controlled environments before deployment to ensure alerts map to the intended semantics.
The researchers frame ARuleCon as an answer to a specific, practical problem: rules encoded in one vendor’s schema should not remain locked there. By combining vendor documentation retrieval with executable consistency checks, ARuleCon aims to close the gap generic LLMs leave when they lack vendor-specific schema knowledge. Ming Xu’s expressed hope is concrete: help organizations consider and plan SIEM consolidations or migrations, and emerge with SOCs better able to detect real signals while reducing noise from multiple alerts.
Source: The Register — ARuleCon: Agentic Security Rule Conversion