WWW2026
ARuleCon: Agentic Security Rule Conversion
Ming Xu, Hongtai Wang, Yanpei Guo, Zhengmin Yu, Weili Han, Hoon Wei Lim, Jin Song Dong, Jiaheng Zhang
Abstract
The real-time demands of web security make Security Information and Event Management (SIEM) platforms, and the detection rules they run, an integral part of the intrusion detection life-cycle. However, the heterogeneity of vendor-specific rule languages (e.g., Splunk SPL, Microsoft KQL, IBM AQL, Google YARA-L, and RSA ESA) makes cross-platform rule reuse extremely difficult: a reliable conversion requires deep knowledge of both the source and the target dialect. An autonomous and accurate rule conversion framework can therefore save substantial effort and preserve the value of existing rules. In this paper, we propose ARuleCon, an agentic SIEM-rule conversion approach. With ARuleCon, security professionals no longer need to distill the logic of the source rules and re-map it to the target vendor by hand; instead, they provide the source rules and the documentation of the target rule language, and ARuleCon converts the rules to the target vendor without further intervention. To achieve this, ARuleCon is equipped with an intermediate representation (IR) that lifts the core detection logic into a vendor-neutral layer, an agentic RAG pipeline that retrieves authoritative official vendor documentation to resolve convention and schema mismatches, and a Python-based consistency check that runs both the source and the target rules in controlled test environments to catch subtle semantic drift. We present a comprehensive evaluation of ARuleCon covering both textual alignment between source and target rules and execution success of the target rules, showing that ARuleCon converts rules with higher fidelity, outperforming baseline LLMs by 15% on average. Finally, we perform a case study and interviews with our industry collaborators, which show that ARuleCon significantly reduces the expert time spent understanding cross-SIEM documentation and re-mapping rule logic.
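To make the three components named in the abstract concrete, the following sketch shows a vendor-neutral IR for a "too many failed logons per account" rule, a schema re-mapping between the Splunk and Microsoft Sentinel field names, rendering of that IR to KQL, and a differential consistency check that flags a target rule whose threshold has drifted from the source. This is an added illustration written for this page, not ARuleCon's code: the authors' IR, rule grammar and test harness are not described in the abstract, so the `RuleIR` structure, the `SCHEMA` table, the supported SPL/KQL subset (one field filter, a count-by aggregation, a count threshold) and the sample events are all assumptions. Where ARuleCon executes both rules on real SIEM engines, this sketch parses the rendered rule back into the IR and executes the IR over constructed events, which is the same differential idea but does not exercise the real query engines.

```python
"""Added example: vendor-neutral IR, schema re-mapping and a differential
consistency check for a SIEM rule. Illustrative only; not the authors' code."""
import re
from dataclasses import dataclass


@dataclass
class RuleIR:
    """Hypothetical IR: equality filters, a group-by field and a count threshold."""
    filters: dict       # neutral field name -> required value (as string)
    group_by: str       # neutral field name to aggregate on
    min_count: int      # alert when count > min_count


# Assumed neutral -> vendor field mapping. In ARuleCon this is what the
# documentation-grounded RAG step has to resolve; here it is hard-coded.
SCHEMA = {
    "splunk":   {"event_id": "EventCode", "account": "user"},
    "sentinel": {"event_id": "EventID",   "account": "Account"},
}


def _to_neutral(vendor: str, vendor_field: str) -> str:
    return {v: k for k, v in SCHEMA[vendor].items()}[vendor_field]


def parse_spl(spl: str) -> RuleIR:
    """Parse the tiny SPL subset 'index=X F=V | stats count by G | where count > N'."""
    stages = [s.strip() for s in spl.split("|")]
    filters = {}
    for token in stages[0].split():
        key, value = token.split("=", 1)
        if key != "index":          # data-source selection is not detection logic
            filters[_to_neutral("splunk", key)] = value
    group = re.fullmatch(r"stats count by (\w+)", stages[1]).group(1)
    threshold = re.fullmatch(r"where count > (\d+)", stages[2]).group(1)
    return RuleIR(filters, _to_neutral("splunk", group), int(threshold))


def render_kql(ir: RuleIR, table: str = "SecurityEvent") -> str:
    """Emit the IR as KQL, re-mapping neutral names to Sentinel column names."""
    names = SCHEMA["sentinel"]
    where = " and ".join(f"{names[k]} == {v}" for k, v in ir.filters.items())
    return (f"{table} | where {where} | summarize count() by {names[ir.group_by]}"
            f" | where count_ > {ir.min_count}")


def parse_kql(kql: str) -> RuleIR:
    """Parse the KQL subset produced by render_kql back into the IR."""
    stages = [s.strip() for s in kql.split("|")]
    filters = {}
    for cond in stages[1].removeprefix("where ").split(" and "):
        key, value = re.fullmatch(r"(\w+) == (\S+)", cond).groups()
        filters[_to_neutral("sentinel", key)] = value
    group = re.fullmatch(r"summarize count\(\) by (\w+)", stages[2]).group(1)
    threshold = re.fullmatch(r"where count_ > (\d+)", stages[3]).group(1)
    return RuleIR(filters, _to_neutral("sentinel", group), int(threshold))


def evaluate(ir: RuleIR, events: list) -> set:
    """Execute the IR over neutral-schema events; return the alerting group keys."""
    counts = {}
    for event in events:
        if all(str(event.get(k)) == v for k, v in ir.filters.items()):
            counts[event[ir.group_by]] = counts.get(event[ir.group_by], 0) + 1
    return {group for group, n in counts.items() if n > ir.min_count}


def consistency_check(source_spl: str, target_kql: str, events: list) -> bool:
    """Differential test: source and target must alert on exactly the same groups."""
    return evaluate(parse_spl(source_spl), events) == evaluate(parse_kql(target_kql), events)


# Constructed sample events in the neutral schema: 6 failed logons (4625) for
# alice, 4 for bob, and 3 successful logons (4624) for alice.
EVENTS = ([{"event_id": 4625, "account": "alice"}] * 6
          + [{"event_id": 4625, "account": "bob"}] * 4
          + [{"event_id": 4624, "account": "alice"}] * 3)

SOURCE_SPL = "index=wineventlog EventCode=4625 | stats count by user | where count > 5"
# A hypothetical mis-converted target whose threshold drifted from 5 to 3.
DRIFTED_KQL = "SecurityEvent | where EventID == 4625 | summarize count() by Account | where count_ > 3"

if __name__ == "__main__":
    converted = render_kql(parse_spl(SOURCE_SPL))
    print(converted)
    print("faithful conversion consistent:", consistency_check(SOURCE_SPL, converted, EVENTS))
    print("drifted conversion consistent: ", consistency_check(SOURCE_SPL, DRIFTED_KQL, EVENTS))
```

The drifted rule still parses and runs, so a purely syntactic comparison would accept it; only executing both rules over the same events exposes that it alerts on `bob` as well as `alice`. That is the failure mode the abstract's execution-based consistency check is meant to catch.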