Showing results for 
Search instead for 
Did you mean: 

[Script] Automatic Correlation Rule Documentation Generator


Since I am required to document all correlation rules for our customers, I wrote a python script that converts a rule export as XML file to Markdown. Afterwards its easy to convert Markdown to e.g. PDF, docs, HTML or even variuous wiki-formats with e.g. pandoc or typora (Windows Markdown Editor). This way it's possible to generate a PDF documentation of all rules with just a few clicks.

The script works for me but is still pretty beta. If you'd like to test or improve it, you can find it on my github:

I'm not fully satisfied with the output since I only get the IDs for e.g. Normalization. Is anyone aware of any kind of information about those internal IDs? I'd love to improve the script with a mapping capability that automatically translates those IDs into the corresponding name, e.g. "Malware" instead of 12345678/3.

Any tips, information or improvements will be highly appreciated.

Kind regards

3 Replies

Re: [Script] Automatic Correlation Rule Documentation Generator

I updated the script, fixed a lot of bugs and implemented the automatic generation of diagrams. Here is a sample of how the output looks like:


Level 7
Report Inappropriate Content
Message 3 of 4

Re: [Script] Automatic Correlation Rule Documentation Generator

The script looks like exactly what I would like to use to document SIEM Rules.   I got it to work with the demo xml.  When using the export from ESM, the script runs without error, but only generates the title page.   The exported xml is large'ish 32mb.   I am running on an Ubuntu system.

Are there any size limitations?

Thanks in advance.

McAfee Employee fernando_segura
McAfee Employee
Report Inappropriate Content
Message 4 of 4

Re: [Script] Automatic Correlation Rule Documentation Generator

Great work! but maybe is possible one step by step to execute this script.

I have some doubts... for example where I need to put the script files, because on the siem not is possible

Is neccesary execute it from one ubuntu third

Member Rewards
McAfee Community rewards active and helpful members just like you. Click here to take a look at the first community members who received a special reward and were recognized by McAfee leader, Aneel Jaeel, for their participation and trusted knowledge in the community.