GitHub: lateos-ai/SIEMslator

# SIEMslator by Lateos

**Cross-SIEM detection rule translation AI**

## The Problem Every MSSP Knows

Your client just migrated from Splunk to Microsoft Sentinel. You have 847 detection rules. Each one needs to be rewritten in KQL. Your best analyst estimates three weeks of work. The client wants it done in five days.

Or this one: a new Sigma rule drops covering a critical zero-day. Your team runs Splunk, your top client runs Elastic, another runs Chronicle. Three analysts. Three rewrites. Three hours minimum. By the time you deploy, the window has passed.

Or the classic: a junior analyst joins your team. They know Splunk. Your client runs QRadar. You spend two weeks teaching them KQL instead of hunting threats.

These are not edge cases. This is Tuesday for most MSSP detection teams.

## What SIEMslator Does

One API call. Any Sigma rule. Any SIEM platform. Seconds, not hours.

SIEMslator is a purpose-built AI specialist trained exclusively on detection engineering. It translates, generates, explains, and writes threat hunting queries across Splunk SPL, Elastic EQL, Microsoft Sentinel KQL, and Chronicle YARA-L. It is not a general-purpose AI with a security prompt. It was built for one job.

## Supported Platforms

| Platform | Format | Status |
|---|---|---|
| Splunk | SPL | Production |
| Elastic | EQL | Production |
| Microsoft Sentinel | KQL | Production |
| Chronicle | YARA-L | Production |

## See It Work

**You send this:**

```yaml
title: Mimikatz Detection via CommandLine
detection:
  selection:
    EventID: 4688
    CommandLine|contains: mimikatz
  condition: selection
```

**You get this — instantly:**

```
index=windows sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="*mimikatz*"
```

That rule took your analyst 45 minutes the last time you needed it in KQL. SIEMslator does it in under 3 seconds.
## More Examples

### Sigma to Elastic EQL

**Input:**

```yaml
title: PowerShell Download Cradle
detection:
  selection:
    EventID: 1
    CommandLine|contains:
      - DownloadString
      - WebClient
  condition: selection
```

**Output:**

```
process where event.code == "1" and process.command_line like~ ("*DownloadString*", "*WebClient*")
```

### Sigma to Microsoft Sentinel KQL

**Input:**

```yaml
title: Suspicious Registry Run Key
detection:
  selection:
    EventID: 13
    TargetObject|contains: '\Run\'
    Details|contains: '.exe'
  condition: selection
```

**Output:**

```
SecurityEvent
| where EventID == 13
| where RegistryKey contains "\\Run\\"
| where RegistryValueData contains ".exe"
```

## Four Ways to Use It

| Strategy | What it does | When to use it |
|---|---|---|
| `translation` | Convert a Sigma rule to target platform syntax | Migrating rules between SIEMs |
| `generation` | Generate a detection rule from a plain description | Creating new detections from scratch |
| `explanation` | Explain what a rule detects and why | Analyst onboarding, rule review |
| `hunting` | Write a threat hunting query for an ATT&CK technique | Proactive threat hunting |

## Quick Start

**Endpoint:**

```
POST https://61er7l7oo7.execute-api.us-east-1.amazonaws.com/prod/translate
```

**Required header:**

```
x-api-key: YOUR_API_KEY
```

**Request:**

```json
{
  "instruction": "Translate this Sigma rule to Splunk SPL:",
  "input": "",
  "customer_id": "your-customer-id",
  "strategy": "translation"
}
```

**Response:**

```json
{
  "output": "index=windows EventCode=4688 CommandLine=\"*mimikatz*\"",
  "strategy": "translation",
  "model": "SIEMslator-8B-v3",
  "provider": "Lateos"
}
```

## Code Examples

### Python

```python
import requests

# The Sigma rule to translate (the same rule the curl and PowerShell examples send)
sigma_rule = """detection:
  selection:
    EventID: 4688
    CommandLine|contains: mimikatz
  condition: selection"""

response = requests.post(
    "https://61er7l7oo7.execute-api.us-east-1.amazonaws.com/prod/translate",
    headers={
        "x-api-key": "YOUR_API_KEY",
        "Content-Type": "application/json",
    },
    json={
        "instruction": "Translate this Sigma rule to Splunk SPL:",
        "input": sigma_rule,
        "customer_id": "your-customer-id",
        "strategy": "translation",
    },
)
response.raise_for_status()  # 400, 403 and 502 are documented in the API Reference below
print(response.json()["output"])
```

### curl

```bash
curl -X POST https://61er7l7oo7.execute-api.us-east-1.amazonaws.com/prod/translate \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "instruction": "Translate this Sigma rule to Splunk SPL:",
    "input": "detection:\n  selection:\n    EventID: 4688\n    CommandLine|contains: mimikatz\n  condition: selection",
    "customer_id": "your-customer-id",
    "strategy": "translation"
  }'
```

### PowerShell

```powershell
$body = @{
    instruction = "Translate this Sigma rule to Splunk SPL:"
    input       = "detection:`n  selection:`n    EventID: 4688`n    CommandLine|contains: mimikatz`n  condition: selection"
    customer_id = "your-customer-id"
    strategy    = "translation"
} | ConvertTo-Json

Invoke-RestMethod `
    -Uri "https://61er7l7oo7.execute-api.us-east-1.amazonaws.com/prod/translate" `
    -Method POST `
    -Headers @{ "x-api-key" = "YOUR_API_KEY" } `
    -ContentType "application/json" `
    -Body $body
```

## API Reference

### Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| `instruction` | string | Yes | The task instruction |
| `input` | string | Yes for translation | The Sigma rule YAML or input text |
| `customer_id` | string | Yes | Your customer identifier for usage tracking |
| `strategy` | string | No | `translation`, `generation`, `explanation`, or `hunting`. Defaults to `translation` |

### Response Headers

| Header | Description |
|---|---|
| `X-Model` | Model version |
| `X-Provider` | Lateos |
| `X-Warning` | Present when output needs review |

### HTTP Status Codes

| Code | Meaning |
|---|---|
| `200` | Success |
| `400` | Missing required field |
| `403` | Invalid or missing API key |
| `502` | Model inference failed, retry |

## Pricing

Available on [AWS Marketplace](https://aws.amazon.com/marketplace). 14-day free trial on all plans.

| Plan | Price | Translations included | Overage |
|---|---|---|---|
| Starter | $299/month | 2,000 | $0.10/translation |
| Pro | $999/month | 10,000 | $0.08/translation |
| Enterprise | $2,499/month | Unlimited | None |

At $0.10 per translation, replacing one analyst hour costs the same as a cup of coffee.
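As an added example (not part of the SIEMslator project or this README), a stdlib-only client that applies the API Reference above end to end: it rejects bodies the API would answer `400` to, retries on `502` as the status table says, and surfaces `X-Warning` so flagged output is routed to a reviewer instead of straight into a production SIEM. The pluggable `post` transport, the retry count and the backoff are assumptions of this example, not options of the API.

```python
import json
import time
import urllib.error
import urllib.request

ENDPOINT = "https://61er7l7oo7.execute-api.us-east-1.amazonaws.com/prod/translate"
STRATEGIES = ("translation", "generation", "explanation", "hunting")


def build_request(instruction, input_text, customer_id, strategy="translation"):
    """Assemble the JSON body, rejecting locally what the API would answer 400 to."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    if not instruction or not customer_id:
        raise ValueError("instruction and customer_id are required")
    if strategy == "translation" and not input_text:
        raise ValueError("input (the Sigma rule YAML) is required for translation")
    return {"instruction": instruction, "input": input_text,
            "customer_id": customer_id, "strategy": strategy}


def urllib_post(url, headers, body):
    """Default transport: returns (status, header dict, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), {}


def translate(api_key, body, post=urllib_post, retries=2, backoff=1.0):
    """POST with x-api-key; retry 502 (the reference says retry); flag X-Warning.

    post, retries and backoff are assumptions of this example, not API options.
    """
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    for attempt in range(retries + 1):
        status, hdrs, data = post(ENDPOINT, headers, body)
        if status == 200:
            # Header names are case-insensitive; X-Warning means a human should review
            warning = {k.lower(): v for k, v in hdrs.items()}.get("x-warning")
            return {"output": data["output"], "model": data.get("model"),
                    "needs_review": warning is not None, "warning": warning}
        if status == 502 and attempt < retries:
            time.sleep(backoff * (attempt + 1))
            continue
        reason = {400: "missing required field", 403: "invalid or missing API key",
                  502: "model inference failed"}.get(status, "unexpected status")
        raise RuntimeError(f"SIEMslator returned HTTP {status}: {reason}")
```

Gate anything with `needs_review` set through your normal rule-review step before it reaches a client SIEM; a translation the model itself flagged is the one most likely to need a field-name or logsource fix.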
## Who It Is Built For

**MSSP detection teams** managing rules across multiple client SIEMs with mixed platforms. Stop assigning headcount to rule rewriting.

**SOC teams migrating SIEMs** who need to convert an existing rule library without a multi-month manual project.

**Threat hunting teams** who want hunting queries generated from ATT&CK technique descriptions in seconds.

## Data and Privacy

- Customer inputs are not retained after inference
- No training data is collected from API calls
- Usage metrics are stored for billing only
- Training data carries full source attribution under DRL 1.1, MIT, and Apache 2.0 licenses

## About

SIEMslator is built by [Lateos](https://lateos.ai), a security-focused AI company based in Reno, Nevada.

*SIEMslator is a specialist AI model built for one job: cross-SIEM detection engineering. Not a general assistant. Not a chatbot. A tool.*