This study addresses the challenge of heterogeneous security rule syntaxes across SIEM platforms—such as Splunk, Microsoft, and IBM—which hinders cross-platform rule reuse and necessitates extensive manual intervention. To overcome this, the authors propose ARuleCon, an automated rule conversion approach leveraging large language model (LLM) agents that eliminates the need for manual parsing of source rule logic or target platform documentation. ARuleCon employs an agent-based architecture to align rule semantics and integrates a scripted consistency validation mechanism to ensure fidelity of converted rules in controlled environments, thereby mitigating semantic drift. Experimental results demonstrate that ARuleCon improves text alignment and execution success rates by 15% on average over baseline LLM methods, significantly reducing the cognitive and remapping burden on experts during cross-platform rule migration.

Security Information and Event Management (SIEM) systems make it possible for detecting intrusion anomalies in real-time manner by their applied security rules. However, the heterogeneity of vendor-specific rules (e.g., Splunk SPL, Microsoft KQL, IBM AQL, Google YARA-L, and RSA ESA) makes cross-platform rule reuse extremely difficult, requiring deep domain knowledge for reliable conversion. As a result, an autonomous and accurate rule conversion framework can significantly lead to effort savings, preserving the value of existing rules. In this paper, we propose ARuleCon, an agentic SIEM-rule conversion approach. Using ARuleCon, the security professionals do not need to distill the source rules' logic, the documentation of the target rules and ARuleCon can purposely convert to the target vendors without more intervention. To achieve this, ARuleCon is equipped with conversion/schema mismatches, and Python-based consistency check that running both source and target rules in controlled test environments to mitigate subtle semantic drifts. We present a comprehensive evaluation of ARuleCon ranging from textual alignment and the execution success, showcasing ARuleCon can convert rules with high fidelity, outperforming the baseline LLM model by 15% averagely. Finally, we perform case studies and interview with our industry collaborators in Singtel Singapore, which showcases that ARuleCon can significantly save expert's time on understanding cross-SIEM's documentation and remapping logic.