Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Xu, Ming, Wang, Hongtai, Guo, Yanpei, Yu, Zhengmin, Han, Weili, Lim, Hoon Wei, Dong, Jin Song, Zhang, Jiaheng
Format: Preprint
Veröffentlicht: 2026
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2604.06762
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866917391433203712
author Xu, Ming
Wang, Hongtai
Guo, Yanpei
Yu, Zhengmin
Han, Weili
Lim, Hoon Wei
Dong, Jin Song
Zhang, Jiaheng
author_facet Xu, Ming
Wang, Hongtai
Guo, Yanpei
Yu, Zhengmin
Han, Weili
Lim, Hoon Wei
Dong, Jin Song
Zhang, Jiaheng
contents Security Information and Event Management (SIEM) systems make it possible for detecting intrusion anomalies in real-time manner by their applied security rules. However, the heterogeneity of vendor-specific rules (e.g., Splunk SPL, Microsoft KQL, IBM AQL, Google YARA-L, and RSA ESA) makes cross-platform rule reuse extremely difficult, requiring deep domain knowledge for reliable conversion. As a result, an autonomous and accurate rule conversion framework can significantly lead to effort savings, preserving the value of existing rules. In this paper, we propose ARuleCon, an agentic SIEM-rule conversion approach. Using ARuleCon, the security professionals do not need to distill the source rules' logic, the documentation of the target rules and ARuleCon can purposely convert to the target vendors without more intervention. To achieve this, ARuleCon is equipped with conversion/schema mismatches, and Python-based consistency check that running both source and target rules in controlled test environments to mitigate subtle semantic drifts. We present a comprehensive evaluation of ARuleCon ranging from textual alignment and the execution success, showcasing ARuleCon can convert rules with high fidelity, outperforming the baseline LLM model by 15% averagely. Finally, we perform case studies and interview with our industry collaborators in Singtel Singapore, which showcases that ARuleCon can significantly save expert's time on understanding cross-SIEM's documentation and remapping logic.
format Preprint
id arxiv_https___arxiv_org_abs_2604_06762
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle ARuleCon: Agentic Security Rule Conversion
Xu, Ming
Wang, Hongtai
Guo, Yanpei
Yu, Zhengmin
Han, Weili
Lim, Hoon Wei
Dong, Jin Song
Zhang, Jiaheng
Cryptography and Security
Security Information and Event Management (SIEM) systems make it possible for detecting intrusion anomalies in real-time manner by their applied security rules. However, the heterogeneity of vendor-specific rules (e.g., Splunk SPL, Microsoft KQL, IBM AQL, Google YARA-L, and RSA ESA) makes cross-platform rule reuse extremely difficult, requiring deep domain knowledge for reliable conversion. As a result, an autonomous and accurate rule conversion framework can significantly lead to effort savings, preserving the value of existing rules. In this paper, we propose ARuleCon, an agentic SIEM-rule conversion approach. Using ARuleCon, the security professionals do not need to distill the source rules' logic, the documentation of the target rules and ARuleCon can purposely convert to the target vendors without more intervention. To achieve this, ARuleCon is equipped with conversion/schema mismatches, and Python-based consistency check that running both source and target rules in controlled test environments to mitigate subtle semantic drifts. We present a comprehensive evaluation of ARuleCon ranging from textual alignment and the execution success, showcasing ARuleCon can convert rules with high fidelity, outperforming the baseline LLM model by 15% averagely. Finally, we perform case studies and interview with our industry collaborators in Singtel Singapore, which showcases that ARuleCon can significantly save expert's time on understanding cross-SIEM's documentation and remapping logic.
title ARuleCon: Agentic Security Rule Conversion
topic Cryptography and Security
url https://arxiv.org/abs/2604.06762