Skip to main content

Search

Request Info Apply Now

Undergraduate Certificates
Begin or advance your cybersecurity career at any age with our hands-on certificate programs.
Bachelors Degree
Transfer your credits to SANS.edu and become one of the most job-ready candidates in cybersecurity.
Graduate Certificates
Gain job-specific skills in highly technical certificate programs designed for working professionals.
Master’s Degree
Take your InfoSec career to the highest levels—developing both hands-on technical skills and the ability to lead.
Single Courses
Start with a course, advance to a cybersecurity certificate or degree
All Academic Programs
Explore hands-on undergraduate and graduate programs for every stage of your cybersecurity career.

Featured Program

Hands typing on a laptop

Applied Cybersecurity Certificate (ACS)

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

Why SANS.edu?
How To Apply
Tuition & Funding

Join us for a free online info session to learn more.

Resources for Veterans

Learn how to get the most from your Veterans Education Benefits.

Women in Cybersecurity

Empowering women to thrive in cybersecurity.

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

Research Overview
Learn how SANS.edu research is strengthening the field of cybersecurity.
Cybersecurity Research Papers
Explore real-world solutions to pressing issues across AI, cloud security, digital forensics and more.
Internet Storm Center
Discover the world's largest global cyber threat detection network.

Featured Research

Research Review Journal Volume 5

Explore the latest research from SANS.edu graduate students—professionals on the front lines of cybersecurity—tackling today’s toughest threats across AI, cloud security, digital forensics, zero trust, malware detection, and more.

Download the Journal

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

About Us
Students
Alumni
- Alumni Resources Alumni Resources
- Alumni Outcomes Report Alumni Outcomes Report

Launch Your Cyber Career

Let SANS.edu guide you on a proven path to success.

Sentinels Referral Program

Get recognized for your impact on the SANS.edu community.

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

Search

Request Info Apply Now

Cyber Research Papers
/SIEM Detection Logic Conversion with LLMs

Cyber Research Papers

SIEM Detection Logic Conversion with LLMs

Migrations of mature security information and event management (SIEMs) can be overwhelming due to the sheer volume of detection logic and log sources that must be translated between platforms and query languages.

This research explores how Large Language Models (LLMs) and automation scripts can expedite the translation of detection logic between SIEMs, converting detections in minutes instead of hours. Multiple tests can be conducted to optimize translation results, test various LLM parameters, and increase the successful output of the conversion. This translation process can be automated by utilizing scripting and API integrations, significantly reducing the manual effort involved in SIEM migrations.

SANS_SIEM_Detection_Logic_Conversion_LLMs (PDF, 0.56MB)

2 May 2025

ByDavid Wolverton

Share

All papers are copyrighted

No re-posting of papers is permitted

Related Content

Secure By Design: An Exploration of the Application of Generative AI in Threat Modeling Technical Design Documents

This paper explores the efficacy of large language models (LLMs) for creating comprehensive threat models by analyzing technical design documents, particularly when provided with additional contextual information about the product's underlying infrastructure and deployment environment.

27 May 2026

Leveraging Large Language Models for Cross-Vendor Firewall Configuration Migration: A Comparative Case Study of Claude and ChatGPT

This paper investigates how two current-generation large language models (LLMs) perform on a single, representative firewall migration task.

12 May 2026

Infrastructure as Code-Driven Group Policy Infrastructure: A Comprehensive Engine for Group Policy Architecture and Enforcement

This study introduces a PowerShell-based Infrastructure as Code (IaC) engine developed to automate the setup and enforcement of a STIG-compliant Group Policy framework.

5 Dec 2025

No-Cost Detection of Endpoint Hard Drive Removal

This paper analyzes low-cost detection methods, using existing hard drive counters from Self-Monitoring, Analysis, and Reporting Technology (S.M.A.R.T.) and the Windows Registry, for their fidelity in detecting hard drive removal.

19 Nov 2025

Defending Vulnerable Populations Against Scams: Effectiveness of Browser Extensions in Mitigating Scammer Attack Chains

This research evaluates the effectiveness of a browser extension as a security control—Grandma’s Guardian—designed for simplicity and accessibility so that even non-technical home users can benefit from enterprise-grade protection.

19 Nov 2025

Automating Generative AI Guidelines: Reducing Prompt Injection Risk with 'Shift-Left' MITRE ATLAS Mitigation Testing

Automated testing during the build stage of the AI engineering life cycle can evaluate the effectiveness of generative AI guidelines against prompt injection attacks.

7 Nov 2025

Can Your Security Stack Handle AI? An Empirical Assessment of Enterprise Controls Versus Generative AI Risks

Enterprise security teams face a critical dilemma. Executives want AI productivity gains, but it remains uncertain if existing security controls can handle the risks.

6 Nov 2025

Building Scalable Detection-as-Code Pipelines with Agentic Validation and Refinement

The proposed DaC pipeline uses large language models (LLMs) for logic conversion, variant analysis, and simulation testing via Atomic Red Team, with queries executed against Splunk to measure true positives and false negatives.

6 Nov 2025

Isolated Trust: Zero Trust in Standalone Systems

The use of air-gapped, isolated systems remains an essential tool for organizations that require high confidentiality or integrity, including those in the government, industrial control systems, and the banking industry.

6 Nov 2025

"You Again": Fingerprinting and Tracking Mechanisms of Malicious Sites

Browsers provide many APIs for any visited site to perform stateful and stateless tracking, and legitimate websites utilize these capabilities. Yet little is widely known about what tracking, if any, malicious sites perform.

26 Sep 2025

Fixing What You Broke: Can AI Be Used to Thwart AI-Generated Malware?

Security professionals are starting to rethink their approach to access control and monitoring for...

3 Sep 2025

Trust But Verify: Evaluating the Accuracy of LLMs in Normalizing Threat Data Feeds

This paper examines whether Large Language Models (LLMs) can be reliably applied to the normalization of Indicators of Compromise (IOCs) into Structured Threat Information Expression (STIX) format.

16 Jul 2025

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

11 Jul 2025

Do AI Coding Assistants Make Bad Coders Worse? A Security Evaluation of GitHub Copilot

As AI coding assistants become increasingly integral to software development, the security of their generated outputs is under greater scrutiny.

11 Jul 2025

AI-Driven Insecurity: Assessing Security Gaps in AI Generated IT Guidance

The increasing reliance on AI-generated technical guidance for IT system configuration introduces significant security risks. This study assesses these risks through a case study: setting up an Apache web server on a Rocky Linux system using instructions from seven AI models.

13 May 2025

Validating the Effectiveness of MITRE Engage and Active Defense

This research examines the impact of Active Defense compared to a traditional security posture when an adversary employs common tactics and techniques to identify high-value targets or exfiltrate sensitive data.

29 Mar 2025

Shift Left the Awareness and Detection of Developers Using Vulnerable Open-Source Software Components

The number of open-source software components, as well as the number of existing security...

26 Mar 2025

Leveraging Large Language Models for Security-Focused Code Reviews

This study investigates the potential application of Large Language Models (LLMs) in enhancing...

26 Mar 2025

Strolling Through the STIG

The CKL file has become the unofficial common language amongst the Department of Defense activities...

7 Mar 2025

Building Resilient IoT Devices: Binary Hardening with Yocto and Clang

This paper addresses the critical need for enhanced security in Internet of Things (IoT) devices by evaluating the implementation of binary hardening techniques using Clang security features within the Yocto build environment.

3 Mar 2025

Cybersecurity is all we teach, and nobody does it better.

Research
Resources
Learn More

Privacy Policy
Terms and Conditions
Admissions
Do Not Sell/Share My Personal Information
Cookie Notice

© 2026 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute.

Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.

SANS Institute
Internet Storm Center