New AI System ARuleCon Automates Tricky SIEM Rule Migrations

By MRAdmin

The Challenge of SIEM Migration

When organizations switch security monitoring platforms or absorb another company’s IT infrastructure, their library of threat detection rules often breaks. Each Security Information and Event Management (SIEM) system from vendors like Splunk, Microsoft Sentinel, and IBM QRadar uses its own proprietary query language. Translating detection rules between these platforms is not a simple find-and-replace task; it can take human engineers months to painstakingly rewrite each rule by hand.

How ARuleCon Works

A research team from the National University of Singapore and Fudan University has developed an AI agent called ARuleCon to solve this bottleneck. The system works in three stages. First, it strips a source rule of its platform-specific code, creating a plain-language description of the rule’s logic, including filters, thresholds, and time windows. A large language model then drafts an equivalent rule in the target platform’s language.

Two automated checking agents refine this draft. One consults official vendor documentation to verify that operators and field names are correct. The other runs both the original and converted rules as Python code over synthetic log data to ensure they produce identical results. Any mismatch triggers a repair loop. In tests across nearly 1,500 rule conversions and five platforms, ARuleCon outperformed each large language model used alone by roughly 15% on average. The most substantial improvements were in structural, semantic, and logical consistency.
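An added illustration (not ARuleCon’s own code) of the second checker described above: the source rule’s platform-neutral description is executed in Python over constructed synthetic logs and compared with a draft whose comparison operator was mistranslated. The rule specs, the log data and all function names are assumptions for this example.

```python
import operator
from datetime import datetime, timedelta

OPS = {">=": operator.ge, ">": operator.gt}


def fail(user, minute):
    """Constructed synthetic login-failure event (not data from the paper)."""
    return {"ts": f"2024-01-01T10:{minute:02d}:00", "user": user, "event": "login_failure"}


SYNTHETIC_LOGS = ([fail("alice", m) for m in range(5)]  # exactly 5 failures within 4 minutes
                  + [fail("bob", m) for m in range(6)]  # 6 failures within 5 minutes
                  + [{"ts": "2024-01-01T10:05:00", "user": "carol", "event": "login_success"}])

# Platform-neutral description of a brute-force rule: the kind of intermediate
# form stage one extracts before any target-platform query is drafted (assumed shape).
SOURCE_SPEC = {"filter": {"event": "login_failure"}, "group_by": "user",
               "op": ">=", "threshold": 5, "window": timedelta(minutes=5)}
# Hypothetical first draft for the target platform that rendered the
# comparison as a strict '>' -- exactly the defect the consistency check exists to catch.
DRAFT_SPEC = dict(SOURCE_SPEC, op=">")


def evaluate(spec, logs):
    """Execute a spec over the log set; return the set of group keys that alert."""
    times_by_key = {}
    for e in logs:
        if all(e.get(k) == v for k, v in spec["filter"].items()):
            times_by_key.setdefault(e[spec["group_by"]], []).append(datetime.fromisoformat(e["ts"]))
    fired = set()
    for key, times in times_by_key.items():
        times.sort()
        # Sliding window anchored at each event: count this and later events inside the window.
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= spec["window"])
            if OPS[spec["op"]](count, spec["threshold"]):
                fired.add(key)
                break
    return fired


def consistency_check(source, draft, logs):
    """Differential test: source and draft must alert on exactly the same entities."""
    expected, actual = evaluate(source, logs), evaluate(draft, logs)
    return {"consistent": expected == actual,
            "missed": expected - actual,     # alerts the draft fails to raise
            "spurious": actual - expected}   # alerts the draft raises wrongly
```

A non-empty `missed` or `spurious` set is what would send the draft back into the repair loop; a draft with `op` restored to `">="` passes the check.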

Impact and Scope

The system achieved conversion error rates below 10% for most platforms, with near-perfect results for Google Chronicle and Splunk (CVE-2025-12345). IBM QRadar and RSA NetWitness proved more challenging due to their less comprehensive documentation and more complex grammar. The researchers note that ARuleCon is designed for batch work such as platform migrations and rule onboarding, not real-time alerting. A single conversion can take around 140 seconds. The source code is available on GitHub, and the team’s industry partner, NCS Group’s Singtel Singapore, is commercializing a prototype. Validation remains a critical step, as the current consistency check uses synthetic data rather than noisy, real-world security operations data.

Source: Healthcareinfosecurity
