
[Script] Automatic Correlation Rule Documentation Generator


Since I am required to document all correlation rules for our customers, I wrote a Python script that converts a rule export in XML format to Markdown. Afterwards it's easy to convert Markdown to e.g. PDF, docs, HTML or even various wiki formats with e.g. pandoc or Typora (Windows Markdown editor). This way it's possible to generate a PDF documentation of all rules with just a few clicks.

The script works for me but is still pretty beta. If you'd like to test or improve it, you can find it on my GitHub:

I'm not fully satisfied with the output since I only get the IDs for e.g. Normalization. Is anyone aware of any kind of information about those internal IDs? I'd love to improve the script with a mapping capability that automatically translates those IDs into the corresponding name, e.g. "Malware" instead of 12345678/3.

Any tips, information or improvements will be highly appreciated.

Kind regards

3 Replies

Re: [Script] Automatic Correlation Rule Documentation Generator

I updated the script, fixed a lot of bugs and implemented the automatic generation of diagrams. Here is a sample of what the output looks like:


Level 7

Re: [Script] Automatic Correlation Rule Documentation Generator

The script looks like exactly what I would like to use to document SIEM rules. I got it to work with the demo XML. When using the export from ESM, the script runs without error, but only generates the title page. The exported XML is largish, 32 MB. I am running on an Ubuntu system.

Are there any size limitations?

Thanks in advance.

McAfee Employee

Re: [Script] Automatic Correlation Rule Documentation Generator

Great work! But maybe it is possible to explain step by step how to execute this script.

I have some doubts, for example about where I need to put the script files, because on the SIEM it is not possible.

Is it necessary to execute it from one Ubuntu third
