シンガポールの研究者らが、AI を活用して多様な SIEM ルールを相互運用可能に変換する手法を開発

Academics from Singapore and China have found a way to make AI useful for cyber-defenders, by creating a technique that translates rules from diverse Security Information and Event Managements (SIEMs) so they’re easier to consume across multiple systems.

SIEMs collect log files from many sources and allow users to set rules that trigger alerts that a security operations center (SOC) considers in case they represent security incidents. Testing for an “impossible travel” scenario – in which the same user logs on from New York and London within an hour, suggesting credential theft or other skulduggery – is a common SIEM rule.

Many organizations end up with multiple SIEMs, which means complexity for SOCs.

Enter researchers from the National University of Singapore and China’s Fudan University, who recently presented a paper [PDF] titled “ARuleCon: Agentic Security Rule Conversion” in which they explain a technique they developed to translate rules so they’re consumable by multiple SIEMs.

Lead author Ming Xu told *The Register* she and her colleagues developed ARuleCon because SIEMs use specific schemas for rules, so a rule created with one SIEM won’t work with another. While some vendors provide translation tools, they don’t offer support for many SIEMs: the authors say Microsoft’s tool shifts Splunk rules into Redmond’s Sentinel SIEM but can’t handle others.

“Rule conversion can be performed manually by security experts, which are slow and imposes a heavy workload,” the paper observes.

Tools like the Sigma framework aim to help manage and share rules across multiple platforms, but Ming and her co-authors think it, and other existing translation tools, don’t do well with complex or interlinked rules.

• Microsoft actually does something useful, adds Sysmon to Windows

• Hybrid clouds have two attack surfaces and you’re not paying enough attention to either

• Ker-Splunk! Cisco closes $28 billion analytics acquisition

• Microsoft teases how it'll make Sentinel a bit easier to monitor and audit

It’s 2026 so it seems natural to try using an LLM to convert SIEM rules into different formats.

The authors say that approach “typically yield a poor accuracy and lacks vendor-specific correctness” because training data used to build LLMs doesn’t include enough data about SIEM rule schemas.

“These shortcomings call for a scalable, vendor-neutral, and reliable SIEM-rule conversion framework that retains existing rule value and eases SOC workloads,” the paper states, before explaining how ARuleCon gets the job done with an "agentic RAG [retrieval augmented generation] pipeline that retrieves authoritative official vendor documentation to address the convention/schema mismatches, and Python-based consistency check that running both source and target rules in controlled test environments to mitigate subtle semantic drifts."

Long story short, the researchers developed agentic tech capable of translating SIEM rules created using Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle and RSA NetWitness. Not all the conversions are brilliant, but ARuleCon can translate the proprietary rule format each SIEM vendor uses to multiple rival platforms – and does it more accurately than a generic LLM.

ARuleCon therefore makes it possible to export rules from one SIEM and use them in another.

Ming told *The Register* she hopes the tool helps organizations to consider and plan SIEM consolidations or migrations, and emerge with SOCs that can more easily detect the signals of security threats and stop worrying about noise from multiple alerts. ®