Background
This paper addresses the challenge of automating security rule generation and conversion in Security Information and Event Management (SIEM) systems. Traditional rule-based intrusion detection requires domain experts to write and maintain detection rules by hand, which is slow and costly. Additionally, each SIEM platform has its own rule language, so migrating rules between vendors means rewriting them.
Overview
Input: Rule description
Step 1 - Chain-of-Thought (CoT) Reasoning: RulePilot breaks rule generation into structured steps using Least-to-Most Prompting (LMP): the task is decomposed into an ordered sequence of sub-tasks, each solved with the earlier answers as context. It works through them in order, such as identifying the relevant logs, defining the filter conditions, and extracting the fields, so that the resulting rule is logically consistent and complete.
Step 2 - Intermediate Representation (IR): To bridge natural language and SIEM rules, RulePilot uses an Intermediate Representation (IR) in the form of a domain-specific language (DSL). Generating this structured format instead of a vendor query directly reduces syntax errors, and the same IR can be translated into the rule language of each target SIEM platform.
Step 3 - Reflection & Iterative Optimization: After generating a rule, RulePilot validates and refines it using Splunk's syntax checker and feedback from executing the rule. If issues are found, it automatically adjusts the filtering conditions and logic, improving accuracy and execution success. Syntax and execution feedback catch rules that will not parse or run; whether the rule fires on the intended behaviour still has to be confirmed against test events.
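The three steps above fit together as a pipeline: structured output, a platform-neutral IR, and a validate-and-repair loop. The following is an added illustration, not RulePilot's code or its actual DSL: a toy IR for a threshold-style detection rule, renderers to Splunk SPL and to a simplified Elastic Security threshold rule, and a reflection loop driven by a local static validator standing in for platform syntax-check feedback. The IR shape, the logical-to-platform field mappings, the repair heuristics and the sample draft rule are all assumptions constructed for the example.

```python
# Added example (not RulePilot's code): a toy intermediate representation for SIEM
# detection rules, rendered to two rule languages, with a validate-and-repair loop.
# The IR, the field/source mappings and the repair heuristics are all assumptions.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

@dataclass
class Condition:
    field: str   # logical field name, mapped per platform below
    op: str      # "eq", "neq" or "contains"
    value: str

@dataclass
class Threshold:
    group_by: List[str]
    count_gt: int
    window: str  # Splunk span syntax, e.g. "5m"

@dataclass
class Rule:
    name: str
    log_source: str  # logical log source, mapped per platform below
    conditions: List[Condition]
    threshold: Optional[Threshold] = None

# Platform mappings (assumed; Splunk names follow the Windows TA, Elastic names follow ECS).
SPLUNK_SOURCE = {"windows_security": 'index=wineventlog sourcetype="WinEventLog:Security"'}
SPLUNK_FIELD = {"event_id": "EventCode", "src_ip": "Source_Network_Address", "user": "Account_Name"}
ELASTIC_SOURCE = {"windows_security": 'winlog.channel:"Security"'}
ELASTIC_FIELD = {"event_id": "event.code", "src_ip": "source.ip", "user": "user.name"}
OPS = {"eq", "neq", "contains"}
OP_ALIASES = {"equals": "eq", "==": "eq", "!=": "neq", "like": "contains"}

def validate(rule: Rule) -> List[str]:
    """Static checks on the IR; stands in for the syntax-check feedback described above."""
    problems = []
    if rule.log_source not in SPLUNK_SOURCE:
        problems.append(f"unknown log source {rule.log_source!r}")
    if not rule.conditions:
        problems.append("rule has no filter conditions")
    for c in rule.conditions:
        if c.op not in OPS:
            problems.append(f"unknown operator {c.op!r}")
        if c.field not in SPLUNK_FIELD:
            problems.append(f"unknown field {c.field!r}")
    if rule.threshold:
        problems += [f"unknown group_by field {g!r}" for g in rule.threshold.group_by if g not in SPLUNK_FIELD]
        if rule.threshold.count_gt < 1:
            problems.append("threshold must be at least 1")
    return problems

def repair(rule: Rule) -> Rule:
    """One reflection round: normalise operator aliases and drop conditions on unknown fields."""
    fixed = []
    for c in rule.conditions:
        op = OP_ALIASES.get(c.op, c.op)
        if c.field in SPLUNK_FIELD and op in OPS:
            fixed.append(replace(c, op=op))
    thr = rule.threshold
    if thr:
        thr = replace(thr, group_by=[g for g in thr.group_by if g in SPLUNK_FIELD], count_gt=max(1, thr.count_gt))
    return replace(rule, conditions=fixed, threshold=thr)

def refine(rule: Rule, max_rounds: int = 3) -> Rule:
    """Iterate validate -> repair until the IR is clean or the round budget is spent."""
    for _ in range(max_rounds):
        if not validate(rule):
            return rule
        rule = repair(rule)
    if validate(rule):
        raise ValueError(f"could not repair rule {rule.name!r}: {validate(rule)}")
    return rule

def to_spl(rule: Rule) -> str:
    """Render the IR as a Splunk SPL search."""
    parts = [SPLUNK_SOURCE[rule.log_source]]
    for c in rule.conditions:
        f = SPLUNK_FIELD[c.field]
        parts.append({"eq": f'{f}="{c.value}"', "neq": f'{f}!="{c.value}"', "contains": f'{f}="*{c.value}*"'}[c.op])
    spl = " ".join(parts)
    if rule.threshold:
        t = rule.threshold
        by = ", ".join(SPLUNK_FIELD[g] for g in t.group_by)
        spl += f" | bin _time span={t.window} | stats count by _time, {by} | where count > {t.count_gt}"
    return spl

def to_elastic(rule: Rule) -> Dict:
    """Render the IR as a simplified Elastic Security threshold rule (KQL query + threshold block)."""
    terms = [ELASTIC_SOURCE[rule.log_source]]
    for c in rule.conditions:
        f = ELASTIC_FIELD[c.field]
        terms.append({"eq": f'{f}:"{c.value}"', "neq": f'not {f}:"{c.value}"', "contains": f'{f}:*{c.value}*'}[c.op])
    out = {"name": rule.name, "query": " and ".join(terms)}
    if rule.threshold:
        out["threshold"] = {"field": [ELASTIC_FIELD[g] for g in rule.threshold.group_by],
                            "value": rule.threshold.count_gt + 1}  # Elastic fires at count >= value
    return out

# Constructed input: a draft as an LLM might emit it after the CoT steps, with one alias
# operator and one hallucinated field that the reflection step has to clean up.
DRAFT = Rule(
    name="Windows brute force: many failed logons from one source",
    log_source="windows_security",
    conditions=[Condition("event_id", "equals", "4625"), Condition("logon_colour", "eq", "red")],
    threshold=Threshold(group_by=["src_ip"], count_gt=5, window="5m"),
)

if __name__ == "__main__":
    print("draft problems:", validate(DRAFT))
    final = refine(DRAFT)
    print(to_spl(final))
    print(to_elastic(final))
```

The point of the IR is visible in the two renderers: the same validated `Rule` produces an SPL search with `stats ... | where count > N` and an Elastic rule whose threshold lives in configuration rather than in the query, so the cross-vendor differences are handled once in the translator rather than by the language model. In a real deployment the `validate` step would be replaced by the target platform's own parser and a dry-run execution, as the paper does with Splunk.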