AI can do what now?! Accelerating SIEM migration


It’s rare to find a security professional who enjoys the security information and event management (SIEM) migration process. Security teams are often diverted from actively defending their environment to tend to the long, manual, and error-prone migration process. 

SIEM migration traditionally requires teams to manually export hundreds or thousands of detection rules, port over the detection logic behind them, translate that logic into the new system’s language, and then continue to iterate on new and existing queries. Many teams simply avoid SIEM migration altogether, even if they know their existing tool isn’t scaling to their needs.

LLMs and RAG help to migrate in minutes

In the newly released episode of AI can do what now?!, Haran Kumar, principal security solutions architect at Elastic, decodes how AI can help automate the transfer of detection rules from an old SIEM into a new one in minutes instead of weeks or months. 

“With large language models, the RAG framework, and its code transformation capabilities, AI is helping to automate these manual rule migrations and other query migration processes,” Kumar says. “We are now able to extract your rules from the legacy SIEM, understand the logic, translate it into normalization formats, and convert that into your modern platform.”

How can AI help automate the transfer of detection rules?

Here’s how it works:

  1. Automatic Migration accelerates SIEM migration through an AI-driven process by uploading detection rules in bulk from your legacy SIEM, such as Splunk, and automatically converting those rules into Elastic native detections. It translates rules from Splunk's Search Processing Language (SPL) to Elasticsearch Query Language (ES|QL), mapping to existing Elastic rules or creating custom ones as needed.
  2. Automatic Import quickly parses, ingests, and creates Elastic Common Schema (ECS) mappings for data from sources that don’t yet have prebuilt Elastic integrations. Its main purpose is to help teams bring new data sources into Elastic Security, not to migrate detection rules from legacy SIEMs.
  3. Large language models (LLMs) parse through the content and query logic in the old SIEM. They automate repetitive rule migrations, convert and normalize log data, and translate hundreds or thousands of complex detection rules.
  4. Retrieval augmented generation (RAG) then improves the context and relevance of the source information the LLM has pulled. RAG-enabled systems can retrieve the latest information from internal knowledge bases, documentation, and other proprietary data, reducing hallucinations and increasing contextual awareness.
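To make the SPL-to-ES|QL step and the "skipped rule" reporting concrete, here is a small added example (not Elastic's Automatic Migration code, which uses an LLM rather than fixed rewrite rules). It handles only the `index=... field=value | stats count by field` shape of SPL, treats a backtick macro reference as a reason to skip the rule for manual review, and runs on a few constructed sample rules.

```python
import re

# Constructed sample rules in Splunk SPL; names and contents are illustrative only.
SAMPLE_RULES = {
    "failed_logins_by_user": 'index=winlogs EventCode=4625 | stats count by user',
    "powershell_by_host": 'index=endpoint process_name="powershell.exe" | stats count by host',
    "uses_macro": 'index=proxy `web_traffic_filter` status=403 | stats count by src_ip',
}

MACRO_RE = re.compile(r"`[^`]+`")                 # SPL macro call: `macro_name`
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
STATS_RE = re.compile(r"stats count by (\w+)")     # the only aggregation we support

def translate_spl(spl):
    """Translate one SPL rule to ES|QL.
    Returns (esql, None) on success, or (None, reason) when the rule must be skipped."""
    if MACRO_RE.search(spl):
        return None, "references a macro that was not included in the export"
    parts = [p.strip() for p in spl.split("|")]
    if len(parts) != 2:
        return None, "unsupported pipeline shape"
    search, stats = parts
    index, where = None, []
    for key, value in KV_RE.findall(search):
        value = value.strip('"')
        if key == "index":
            index = value
        elif value.isdigit():
            where.append(f"{key} == {value}")        # numeric literal, no quotes
        else:
            where.append(f'{key} == "{value}"')      # ES|QL strings use double quotes
    if index is None:
        return None, "no index specified"
    m = STATS_RE.fullmatch(stats)
    if not m:
        return None, "unsupported stats clause"
    esql = f"FROM {index}"
    if where:
        esql += " | WHERE " + " AND ".join(where)
    esql += f" | STATS count = COUNT(*) BY {m.group(1)}"
    return esql, None

def migrate(rules):
    """Convert what can be converted; report the rest with a reason for human review."""
    converted, skipped = {}, {}
    for name, spl in rules.items():
        esql, reason = translate_spl(spl)
        (converted if esql else skipped)[name] = esql or reason
    return converted, skipped
```

Running `migrate(SAMPLE_RULES)` yields two converted rules and one skipped entry whose reason names the missing macro dependency, which is the kind of report the text says a SOC analyst should act on manually.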

That’s a powerful way to streamline your migration process, reduce your timeframe to migrate, and reduce your errors [. . .] It solves everything that a manual migration process is prone to.

Haran Kumar, Principal Security Solutions Architect, Elastic

Streamline and accelerate SIEM migration

The Automatic Import feature goes beyond detection rules. What if you have to migrate or convert your dashboards with hundreds of queries into the new SIEM platform? Now, you can efficiently convert those queries via AI. 

The feature normalizes your legacy query logic into a common format, converting it into the new query logic for your modern platform. An AI assistant can explain why and how it converted the queries and whether there were any rules that it had to skip, such as a missing macro file or correlation dependencies. With that knowledge, you can easily convert those missing rules or queries manually yourself.

“You’re getting educated along the way,” Kumar adds.

Migrate to an AI-driven SIEM with confidence

AI-accelerated migration is powerful, but it’s not magic. For instance, if your detection rules are not properly documented or involve missing macros, then you’ll receive a messy output.

That’s why human review is crucial. Your SOC team will have to verify the accuracy of your new detection rules, especially if you’re exporting them from your legacy SIEM system and manually updating any incomplete information. 

Ready to see how accessible SIEM migration can be with the help of AI? Check out the AI can do what now?! - SIEM migration episode to learn how to save time, reduce manual errors, and give your security team the confidence to migrate your legacy SIEM to a next-generation, AI-driven SIEM.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, and associated marks are trademarks, logos, or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.