AI Agent Automates SIEM Rule Migration Across Splunk, Sentinel, and QRadar

By MRAdmin

The Migration Challenge

When organizations switch security monitoring platforms or integrate acquired IT environments, their existing threat-detection rules often become unusable. Each SIEM vendor uses a proprietary query language, and translating rules manually is labor-intensive, taking months. A research team from the National University of Singapore and Fudan University developed an artificial intelligence agent, named ARuleCon, to automate this process with improved accuracy.

How ARuleCon Works

ARuleCon converts detection rules in three stages. It first extracts the core logic from a source rule, removing platform-specific code and producing a plain-language description of filters, time windows, thresholds, and grouping conditions. A large language model then drafts an equivalent rule in the target platform’s language. Two automated checking agents then refine the output. One verifies operators and field names against official vendor documentation. The other runs both the original and converted rules as Python code over synthetic log data to confirm identical behavior, triggering a repair loop when mismatches occur.
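The behavioral consistency check described above, as an added illustration that is not ARuleCon's own code: a hypothetical source rule (failed-logon threshold inside a time window) and a hypothetical converted rule that lost the window in translation are both expressed as Python over constructed synthetic events, and their alert sets are compared to surface the mismatch that would trigger a repair loop.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed synthetic events (not real security data): authentication outcomes per user.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-01T10:01:00", "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-01T10:02:00", "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:00", "user": "bob", "outcome": "failure"},
    {"ts": "2024-01-01T10:20:00", "user": "bob", "outcome": "failure"},
    {"ts": "2024-01-01T10:21:00", "user": "bob", "outcome": "failure"},
    {"ts": "2024-01-01T10:00:00", "user": "carol", "outcome": "success"},
]

def failures_by_user(events):
    """Group timestamps of failed logons by user (the filter and grouping parts of the logic)."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    return by_user

def source_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Hypothetical extracted logic of the source rule: alert on a user with at
    least `threshold` failed logons inside any span of length `window`."""
    alerts = set()
    for user, times in failures_by_user(events).items():
        times.sort()
        for start in times:
            if sum(1 for t in times if start <= t <= start + window) >= threshold:
                alerts.add(user)
                break
    return alerts

def converted_rule(events, threshold=3):
    """Hypothetical drafted target rule that dropped the time window in translation:
    it counts failures per user over the whole data set."""
    return {u for u, ts in failures_by_user(events).items() if len(ts) >= threshold}

def consistency_check(rule_a, rule_b, events):
    """Run both rules over the same synthetic data and report disagreements; any
    non-empty difference is the mismatch that would trigger a repair loop."""
    a, b = rule_a(events), rule_b(events)
    return {"consistent": a == b,
            "only_source": sorted(a - b), "only_converted": sorted(b - a)}

if __name__ == "__main__":
    print(consistency_check(source_rule, converted_rule, EVENTS))
```

Here bob's three failures span 21 minutes, so only the windowless converted rule alerts on him; the check reports him under `only_converted`, which is exactly the kind of dropped condition such a differential test is meant to catch.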

Impact and Scope

In benchmarks across GPT-5, DeepSeek-V3, and LLaMA-3, ARuleCon outperformed each model used alone by roughly 15% on average across structural, semantic, and logical consistency measures. Most conversions ran without errors on target platforms, with rates above 90% in most cases and near-perfect for Google Chronicle and Splunk. IBM QRadar and RSA NetWitness proved harder due to less comprehensive documentation and more complex grammar. The team notes that the system’s Python-based consistency check uses generated logs, not real security data, and that rules involving stateful processing or vendor-specific enrichment can be problematic. The source code is available on GitHub, and the team’s industry partner, NCS Group (Singtel Singapore), is commercializing a prototype. The researchers recommend staged validation, including testing against historical logs and running in monitoring-only mode, before deployment.

Source: Healthcareinfosecurity
