Since I am required to document all correlation rules for our customers, I wrote a Python script that converts a rule export (XML file) to Markdown. Afterwards it's easy to convert Markdown to e.g. PDF, DOCX, HTML or even various wiki formats with e.g. pandoc or Typora (Windows Markdown editor). This way it's possible to generate a PDF documentation of all rules with just a few clicks.
The script works for me but is still pretty beta. If you'd like to test or improve it, you can find it on my GitHub: https://github.com/exitnode/esm2markdown
I'm not fully satisfied with the output since I only get the IDs for e.g. Normalization. Is anyone aware of any kind of information about those internal IDs? I'd love to improve the script with a mapping capability that automatically translates those IDs into the corresponding name, e.g. "Malware" instead of 12345678/3.
Any tips, information or improvements will be highly appreciated.
I updated the script, fixed a lot of bugs and implemented the automatic generation of diagrams. Here is a sample of how the output looks: https://raw.githubusercontent.com/exitnode/esm2markdown/master/demo/demo.png
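An added example of the ID-to-name mapping described above; this is not the esm2markdown script itself. It parses a constructed, simplified rule export (the real ESM export schema is not shown in this thread), translates normalization IDs through a hypothetical lookup table, and keeps the raw ID whenever no name is known, so nothing is silently dropped from the documentation.

```python
# Added example (not the esm2markdown script): converts a constructed,
# simplified rule export to Markdown, translating normalization IDs to
# names where a mapping is known and keeping the raw ID otherwise.
import xml.etree.ElementTree as ET

# Constructed sample; the real ESM export schema is not shown in the thread.
SAMPLE_XML = """<rules>
  <rule id="47-1000001" name="Suspicious outbound beacon" severity="75">
    <description>Repeated connections to a single external host.</description>
    <normalization>12345678/3</normalization>
  </rule>
  <rule id="47-1000002" name="Unknown norm test" severity="20">
    <description>Rule referencing an unmapped normalization ID.</description>
    <normalization>99999999/1</normalization>
  </rule>
</rules>"""

# Hypothetical mapping; real ID-to-name data would have to come from the ESM.
NORMALIZATION_NAMES = {"12345678/3": "Malware"}


def normalization_label(norm_id, mapping=NORMALIZATION_NAMES):
    """Return 'Name (id)' when the ID is mapped, otherwise the bare ID."""
    name = mapping.get(norm_id)
    return f"{name} ({norm_id})" if name else norm_id


def rules_to_markdown(xml_text, mapping=NORMALIZATION_NAMES):
    """Render each <rule> as a Markdown section with a key/value table."""
    root = ET.fromstring(xml_text)
    out = []
    for rule in root.findall("rule"):
        norm = rule.findtext("normalization", default="")
        # Escape pipes so a description cannot break the Markdown table.
        desc = rule.findtext("description", default="").strip().replace("|", "\\|")
        out.append(f"## {rule.get('name')}\n")
        out.append("| Field | Value |\n|---|---|")
        out.append(f"| Rule ID | {rule.get('id')} |")
        out.append(f"| Severity | {rule.get('severity')} |")
        out.append(f"| Normalization | {normalization_label(norm, mapping)} |")
        out.append(f"| Description | {desc} |\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(rules_to_markdown(SAMPLE_XML))
```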
Great work! But maybe it is possible to post a step-by-step guide to execute this script.
I have some doubts... for example, where do I need to put the script files, because on the SIEM it is not possible.
Is it necessary to execute it from a separate (third) Ubuntu system?