Since I am required to document all correlation rules for our customers, I wrote a Python script that converts a rule export as an XML file to Markdown. Afterwards it's easy to convert Markdown to e.g. PDF, docs, HTML or even various wiki formats with e.g. pandoc or Typora (Windows Markdown editor). This way it's possible to generate a PDF documentation of all rules with just a few clicks.
The script works for me but is still pretty beta. If you'd like to test or improve it, you can find it on my GitHub: https://github.com/exitnode/esm2markdown
I'm not fully satisfied with the output since I only get the IDs for e.g. Normalization. Is anyone aware of any kind of information about those internal IDs? I'd love to improve the script with a mapping capability that automatically translates those IDs into the corresponding name, e.g. "Malware" instead of 12345678/3.
Any tips, information or improvements will be highly appreciated.
I updated the script, fixed a lot of bugs and implemented the automatic generation of diagrams. Here is a sample of how the output looks: https://raw.githubusercontent.com/exitnode/esm2markdown/master/demo/demo.png
The script looks like exactly what I would like to use to document SIEM rules. I got it to work with the demo XML. When using the export from ESM, the script runs without error, but only generates the title page. The exported XML is largeish (32 MB). I am running on an Ubuntu system.
Are there any size limitations?
Thanks in advance.
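As an added illustration of the conversion the thread is about (covering the XML-to-Markdown step from the original post, the ID-to-name mapping asked about, and the large-export symptom raised in the question above), here is a small Python script. It is not the esm2markdown script and not McAfee ESM code: the XML element names, the sample export and the normalization ID/name pairs are all constructed for the example, since the real export schema and the meaning of the internal IDs are not known from this thread. Unknown IDs are kept verbatim rather than dropped, and the export is streamed with `iterparse` so memory stays flat on multi-megabyte files.

```python
"""Convert a (constructed) XML export of correlation rules to Markdown.

Added example for this thread; it is not the esm2markdown script and the XML
layout below is an assumption, not the real ESM export schema.
"""
import io
import xml.etree.ElementTree as ET

# Hypothetical mapping of internal normalization IDs to readable names.
# Real IDs and names are not known from the thread; these values are invented.
NORMALIZATION_NAMES = {
    "12345678/3": "Malware",
    "12345678/7": "Authentication",
}

# Constructed sample export; the element names are assumptions.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<ruleExport>
  <rule id="r1">
    <name>Failed Login Burst</name>
    <description>Ten or more failed logins from one source within 5 minutes.</description>
    <severity>75</severity>
    <normalization>12345678/7</normalization>
    <condition>count(failed_login) &gt;= 10 within 5m</condition>
  </rule>
  <rule id="r2">
    <name>Known Malware Hash Seen</name>
    <description>A file hash on the blocklist was observed on an endpoint.</description>
    <severity>90</severity>
    <normalization>12345678/3</normalization>
    <condition>file.hash in blocklist</condition>
  </rule>
  <rule id="r3">
    <name>Unmapped Rule</name>
    <description>Rule whose normalization ID has no known name.</description>
    <severity>20</severity>
    <normalization>99999999/1</normalization>
    <condition>event.count &gt; 0</condition>
  </rule>
</ruleExport>
"""


def normalization_name(raw_id, names=NORMALIZATION_NAMES):
    """Translate an internal ID to 'Name (id)'; unknown IDs are kept verbatim
    so the documentation never silently loses information."""
    name = names.get(raw_id)
    return f"{name} ({raw_id})" if name else raw_id


def _text(elem, tag, default=""):
    """Text of the first child <tag>, stripped, or default if absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def rule_to_markdown(rule, names=NORMALIZATION_NAMES):
    """Render one <rule> element as a Markdown section with a field table."""
    lines = [
        f"## {_text(rule, 'name', 'Unnamed rule')}",
        "",
        "| Field | Value |",
        "|---|---|",
        f"| Rule ID | {rule.get('id', 'n/a')} |",
        f"| Severity | {_text(rule, 'severity', 'n/a')} |",
        f"| Normalization | {normalization_name(_text(rule, 'normalization'), names)} |",
        "",
        _text(rule, "description"),
        "",
        f"Condition: `{_text(rule, 'condition')}`",
        "",
    ]
    return "\n".join(lines)


def export_to_markdown(source, names=NORMALIZATION_NAMES):
    """Stream an export (bytes or file object) and build the Markdown document.

    iterparse plus elem.clear() keeps memory flat, which matters for exports of
    tens of megabytes; each <rule> is rendered as soon as its end tag arrives.
    """
    if isinstance(source, bytes):
        source = io.BytesIO(source)
    sections = ["# Correlation Rule Documentation", ""]
    count = 0
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag == "rule":
            sections.append(rule_to_markdown(elem, names))
            count += 1
            elem.clear()  # release the rendered subtree
    if count == 0:
        # No <rule> elements matched: the output is only the title page, which
        # points at an element-name mismatch rather than a size limit.
        sections.append("_No rules found in export._")
    return "\n".join(sections)


if __name__ == "__main__":
    print(export_to_markdown(SAMPLE_EXPORT))
```

Run it with `python convert.py > rules.md` and feed the result to pandoc for PDF or HTML. If a real export produces only the title line, the first thing to check is whether the rule elements actually carry the tag the script matches on; the `count == 0` branch makes that case visible instead of silently emitting an empty document.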
Great work! But maybe it is possible to get a step-by-step guide on how to execute this script.
I have some doubts... for example, where do I need to put the script files, because on the SIEM it is not possible.
Is it necessary to execute it from a third Ubuntu system?