Security Operations, SIEM, SOC, AI/ML

AI tool translates security rules for multiple SIEM systems


Academics have developed a new technique to make AI useful for cyber-defenders by translating rules from diverse security information and event management (SIEM) systems into a format that is easier to use across multiple platforms. The aim is to simplify the complex task of managing security alerts for security operations centers (SOCs); The Register provides further coverage.

Organizations often run multiple SIEMs, which adds complexity for SOCs. Researchers from the National University of Singapore and Fudan University have created ARuleCon, a system that translates SIEM rules between different platforms. Each SIEM uses its own schema, making rules incompatible across systems. Some vendor conversion tools exist, but they support only a limited set of SIEMs, and manual conversion is slow and labor-intensive.

ARuleCon uses an agentic retrieval augmented generation pipeline, referencing official vendor documentation to overcome schema mismatches. It also includes a Python-based consistency check for accuracy. The tool can translate rules for SIEMs including Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle, and RSA NetWitness, offering a more accurate solution than generic LLMs. This capability can aid organizations in SIEM consolidation or migration, enabling SOCs to better detect threats and reduce alert noise.
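To make the "schema mismatch" and "consistency check" ideas concrete, here is an added Python example; it is not ARuleCon's code, which the article does not show. It assumes a constructed field mapping from a Splunk-style schema to a Sentinel-style schema (the names in FIELD_MAP are illustrative, not a vendor mapping) and deliberately simplified rule syntaxes: a Splunk search of space-separated `field=value` terms, and a KQL query of `Table | where Field == value and ...` clauses. The check extracts the (field, value) predicates from both rules, rewrites the source fields into the target schema, and reports any predicate that was dropped, altered, or invented during translation.

```python
import re

# Constructed schema mapping (assumption for this example, not a vendor mapping):
# Splunk-style field names on the left, Sentinel-style column names on the right.
FIELD_MAP = {
    "index": "Table",            # a Splunk index roughly corresponds to a Sentinel table
    "src_ip": "SourceIp",
    "dest_port": "DestinationPort",
    "action": "DeviceAction",
    "user": "AccountName",
}

# Matches field=value or field="quoted value" (Splunk side) and
# Field == value or Field == "quoted value" (KQL side).
_SPL_TERM = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_KQL_TERM = re.compile(r'(\w+)\s*==\s*("([^"]*)"|(\S+))')


def _value(match):
    """Return the unquoted value from a term match, whichever alternative hit."""
    return match.group(3) if match.group(3) is not None else match.group(4)


def parse_spl(search):
    """Extract (field, value) predicates from a simplified Splunk search string."""
    return {(m.group(1), _value(m)) for m in _SPL_TERM.finditer(search)}


def parse_kql(query):
    """Extract (field, value) predicates from a simplified KQL query.

    The table name before the first pipe is recorded as ("Table", name) so it
    can be compared against the Splunk index predicate after mapping.
    """
    table = query.split("|", 1)[0].strip()
    preds = {("Table", table)}
    preds.update((m.group(1), _value(m)) for m in _KQL_TERM.finditer(query))
    return preds


def translate_predicates(preds, field_map):
    """Rewrite source-schema field names into the target schema.

    Fields with no mapping are kept unchanged, so an unmapped field shows up
    as a mismatch instead of being silently accepted.
    """
    return {(field_map.get(field, field), value) for field, value in preds}


def check_consistency(spl, kql, field_map=FIELD_MAP):
    """Compare a source rule with its translation and report any drift."""
    expected = translate_predicates(parse_spl(spl), field_map)
    actual = parse_kql(kql)
    return {
        "consistent": expected == actual,
        "missing_in_target": sorted(expected - actual),  # dropped or altered predicates
        "extra_in_target": sorted(actual - expected),    # predicates not in the source
    }


# Constructed sample rules: one faithful translation and one that drops the
# source address and mistypes the port, the kind of error the check should catch.
SPL_RULE = "index=firewall action=blocked dest_port=4444 src_ip=10.0.0.5"
GOOD_KQL = ('firewall | where DeviceAction == "blocked" and DestinationPort == 4444 '
            'and SourceIp == "10.0.0.5"')
BAD_KQL = 'firewall | where DeviceAction == "blocked" and DestinationPort == 444'


if __name__ == "__main__":
    for label, kql in (("good", GOOD_KQL), ("bad", BAD_KQL)):
        print(label, check_consistency(SPL_RULE, kql))
```

The design choice worth noting is that the comparison runs in the target schema rather than on raw text: two rules can be textually very different yet logically equivalent, and a check that normalizes both sides into the same predicate set can tell a harmless syntactic difference from a translation that quietly widened or narrowed what the detection matches. A real check would need a proper parser for each query language and would also have to handle operators other than equality, which this simplified version ignores.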

Source: The Register
