ARuleCon: Agentic Security Rule Conversion
Ming Xu, Hongtai Wang, Yanpei Guo, Zhengmin Yu, Weili Han, Hoon Wei Lim, Jin Song Dong, Jiaheng Zhang

TL;DR
ARuleCon is an agentic framework that automates the conversion of security rules across different SIEM vendors, reducing manual effort and improving fidelity through semantic checks and testing.
Contribution
It introduces ARuleCon, an agentic approach that automates cross-vendor SIEM rule conversion with high accuracy and built-in semantic validation, and that was validated in an industry setting.
Findings
ARuleCon outperforms baseline LLMs by 15% in conversion fidelity.
High success rate in converting rules with minimal semantic drift.
Significant time savings for security experts in cross-platform rule management.
Abstract
Security Information and Event Management (SIEM) systems detect intrusions and anomalies in real time through the security rules they apply. However, the heterogeneity of vendor-specific rule languages (e.g., Splunk SPL, Microsoft KQL, IBM AQL, Google YARA-L, and RSA ESA) makes cross-platform rule reuse extremely difficult, and reliable conversion requires deep domain knowledge. An autonomous and accurate rule conversion framework can therefore save significant effort while preserving the value of existing rules. In this paper, we propose ARuleCon, an agentic SIEM-rule conversion approach. With ARuleCon, security professionals no longer need to distill the logic of the source rules or study the documentation of the target rule language; ARuleCon converts the rules for the target vendor without further intervention. To achieve this, ARuleCon is equipped with conversion/schema…
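The "semantic checks and testing" that the TL;DR and abstract credit for conversion fidelity can be illustrated with a differential test: parse the source rule and the converted rule into one predicate tree each, run both over the same events, and report every event on which the verdicts disagree as semantic drift. The following is an added example, not ARuleCon's code and not a description of its internals. It handles only a small assumed subset of Splunk SPL and Microsoft KQL (field comparisons joined by AND/OR/NOT and parentheses), the `Parser`, `matches` and `semantic_drift` names are the example's own, and the rules, field names and events are constructed. The one dialect difference it models is real: SPL compares field values case-insensitively, while KQL's `==` is case-sensitive and `=~` is the case-insensitive form, so a token-for-token conversion of `user=admin` into `user == "admin"` silently tightens the rule.

```python
"""Differential check for semantic drift between a SIEM rule and its converted form.
Added example, not ARuleCon's code; dialect subsets, semantics, names and events are assumptions."""
import re

# Assumed subset of both dialects: field=value / field!=value terms, AND, OR, NOT, parentheses.
# SPL: adjacent terms are an implicit AND and values match case-insensitively.
# KQL: == and != are case-sensitive, =~ and !~ are case-insensitive, 'and' is mandatory.
_TOKEN = re.compile(r'\s*(\(|\)|==|=~|!=|!~|=|"[^"]*"|[\w.*-]+|\S)')
_OPS = {'=', '==', '=~', '!=', '!~'}

class Parser:
    """Shared recursive-descent parser; nodes: ('and'|'or', l, r), ('not', x),
    ('cmp', field, negated, value, case_insensitive)."""
    def __init__(self, text, dialect):
        self.toks, self.i, self.dialect = _TOKEN.findall(text), 0, dialect

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def parse(self):
        node = self.expr_or()
        if self.peek() is not None:
            raise ValueError(f"trailing input near {self.peek()!r}")
        return node

    def expr_or(self):
        node = self.expr_and()
        while self.peek() and self.peek().lower() == 'or':
            self.take()
            node = ('or', node, self.expr_and())
        return node

    def expr_and(self):
        node = self.unary()
        while True:
            tok = self.peek()
            if tok is None or tok == ')' or tok.lower() == 'or':
                return node
            if tok.lower() == 'and':
                self.take()
            elif self.dialect != 'spl':  # only SPL allows an implicit AND
                raise ValueError(f"unexpected token {tok!r}")
            node = ('and', node, self.unary())

    def unary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok.lower() == 'not':
            return ('not', self.unary())
        if tok == '(':
            node = self.expr_or()
            if self.take() != ')':
                raise ValueError("missing ')'")
            return node
        op, value = self.take(), self.take()
        if op not in _OPS or value is None:
            raise ValueError(f"malformed term starting at {tok!r}")
        case_insensitive = self.dialect == 'spl' or op in ('=~', '!~')
        return ('cmp', tok, op.startswith('!'), value.strip('"'), case_insensitive)

def matches(node, event):
    """Evaluate a tree on one flat-dict event; an absent field satisfies no term (null semantics out of scope)."""
    kind = node[0]
    if kind in ('and', 'or'):
        left, right = matches(node[1], event), matches(node[2], event)
        return (left and right) if kind == 'and' else (left or right)
    if kind == 'not':
        return not matches(node[1], event)
    _, field, negated, value, ci = node
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    return (actual.lower() == value.lower() if ci else actual == value) != negated

def semantic_drift(src_rule, src_dialect, dst_rule, dst_dialect, events):
    """(event, source verdict, target verdict) per disagreement; empty is evidence on this corpus, not proof."""
    src, dst = Parser(src_rule, src_dialect).parse(), Parser(dst_rule, dst_dialect).parse()
    verdicts = ((ev, matches(src, ev), matches(dst, ev)) for ev in events)
    return [v for v in verdicts if v[1] != v[2]]

# Constructed events; field names are identical across dialects so schema mapping does not obscure the check.
SAMPLE_EVENTS = [
    {"EventCode": "4625", "user": "admin", "src_ip": "10.0.0.5"},
    {"EventCode": "4625", "user": "Admin", "src_ip": "10.0.0.9"},  # only the case differs
    {"EventCode": "4625", "user": "svc_backup", "src_ip": "10.0.0.7"},
    {"EventCode": "4624", "user": "admin", "src_ip": "10.0.0.5"},
]
SPL_RULE = 'EventCode=4625 user=admin NOT src_ip=10.0.0.7'
# A token-for-token conversion silently tightens user=admin to a case-sensitive match.
KQL_NAIVE = 'EventCode == 4625 and user == "admin" and not src_ip == "10.0.0.7"'
# The faithful conversion keeps SPL's case-insensitive value comparison.
KQL_FAITHFUL = 'EventCode == 4625 and user =~ "admin" and not src_ip == "10.0.0.7"'
```

Calling `semantic_drift(SPL_RULE, 'spl', KQL_NAIVE, 'kql', SAMPLE_EVENTS)` returns the `Admin` event, which the SPL rule matches and the naive KQL rule misses; the same call with `KQL_FAITHFUL` returns an empty list. The corpus is what makes the check meaningful: a test set that never exercises case variation, absent fields or boundary values will report zero drift for a conversion that is still wrong, so the events should be chosen (or generated) to cover each construct of the source rule.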
