Researchers from Singapore and China have developed a new way to simplify cybersecurity management. Their tool helps translate security rules between various SIEMs, making it easier for security teams to work across different systems. This innovation aims to reduce complexity and improve threat detection in modern security operations centers.

Why Multiple SIEMs Create Challenges

Security Information and Event Management systems collect logs from many sources to monitor for suspicious activity. They allow security teams to set rules that trigger alerts when potential threats are detected. For example, if a user logs in from two different locations within a short time, it could indicate credential theft. Such rules are vital for identifying security incidents.

Many organizations use more than one SIEM to cover different parts of their infrastructure. This leads to a lot of complexity because each SIEM uses its own format for rules. When rules are created in one system, they often can’t be directly used in another, forcing security teams to manually rework them. This process is slow, error-prone, and adds to the workload of security analysts.

The Problem with Existing Translation Tools

Some tools, like the Sigma framework, try to help share rules across platforms. But they struggle with complex or interconnected rules, which are common in real-world scenarios. Microsoft offers a tool to convert rules from its own SIEM, Sentinel, to other formats, but it only covers a limited set of systems.

In recent years, many have looked to large language models (LLMs) to solve this problem. However, these models often produce inaccurate results because they haven’t been trained on enough specific data about SIEM rule schemas. As a result, relying solely on LLMs can lead to errors and reduce trust in the translated rules.

The ARuleCon Solution

The researchers introduced ARuleCon, a new framework that uses an “agentic retrieval augmented generation” approach. This means it actively fetches official documentation from vendors to understand the specific schemas used by different SIEMs. It then uses a Python-based consistency check to test rules in controlled environments, reducing the chance of errors caused by semantic differences.

ARuleCon can handle rules from popular SIEMs like Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle, and RSA NetWitness. It translates proprietary rule formats into other formats more accurately than generic language models. This allows security teams to export rules from one system and seamlessly import them into another.

The goal is to help organizations plan and execute SIEM migrations more smoothly. By translating rules effectively, security teams can focus more on detecting threats rather than managing multiple alert systems. This can lead to faster response times and better overall security posture.

While ARuleCon isn’t perfect yet, it represents a significant step forward. It reduces manual effort, minimizes errors, and supports a vendor-neutral approach to rule translation. In the long run, this tool could help unify security operations and make threat detection more consistent across different platforms.

Inspired by

• https://go.theregister.com/feed/www.theregister.com/2026/05/05/arulecon_siem_rule_conversion/

Sources

• arxiv.org
• sigmahq.io