Showing results for 
Search instead for 
Did you mean: 

[Script] Automatic Correlation Rule Documentation Generator


Since I am required to document all correlation rules for our customers, I wrote a python script that converts a rule export as XML file to Markdown. Afterwards its easy to convert Markdown to e.g. PDF, docs, HTML or even variuous wiki-formats with e.g. pandoc or typora (Windows Markdown Editor). This way it's possible to generate a PDF documentation of all rules with just a few clicks.

The script works for me but is still pretty beta. If you'd like to test or improve it, you can find it on my github:

I'm not fully satisfied with the output since I only get the IDs for e.g. Normalization. Is anyone aware of any kind of information about those internal IDs? I'd love to improve the script with a mapping capability that automatically translates those IDs into the corresponding name, e.g. "Malware" instead of 12345678/3.

Any tips, information or improvements will be highly appreciated.

Kind regards

2 Replies

Re: [Script] Automatic Correlation Rule Documentation Generator

I updated the script, fixed a lot of bugs and implemented the automatic generation of diagrams. Here is a sample of how the output looks like:


McAfee Employee fernando_segura
McAfee Employee
Report Inappropriate Content
Message 3 of 3

Re: [Script] Automatic Correlation Rule Documentation Generator

Great work! but maybe is possible one step by step to execute this script.

I have some doubts... for example where I need to put the script files, because on the siem not is possible

Is neccesary execute it from one ubuntu third