cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 4
‎03-17-2018 05:54 AM

[Script] Automatic Correlation Rule Documentation Generator

Hi,

Since I am required to document all correlation rules for our customers, I wrote a python script that converts a rule export as XML file to Markdown. Afterwards its easy to convert Markdown to e.g. PDF, docs, HTML or even variuous wiki-formats with e.g. pandoc or typora (Windows Markdown Editor). This way it's possible to generate a PDF documentation of all rules with just a few clicks.

The script works for me but is still pretty beta. If you'd like to test or improve it, you can find it on my github: https://github.com/exitnode/esm2markdown

I'm not fully satisfied with the output since I only get the IDs for e.g. Normalization. Is anyone aware of any kind of information about those internal IDs? I'd love to improve the script with a mapping capability that automatically translates those IDs into the corresponding name, e.g. "Malware" instead of 12345678/3.

Any tips, information or improvements will be highly appreciated.

Kind regards
Michael

1 person had this problem.
Reply
3 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 4
‎03-22-2018 08:11 AM

Re: [Script] Automatic Correlation Rule Documentation Generator

I updated the script, fixed a lot of bugs and implemented the automatic generation of diagrams. Here is a sample of how the output looks like: https://raw.githubusercontent.com/exitnode/esm2markdown/master/demo/demo.png

 

Reply
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 4
‎11-30-2018 08:08 PM

Re: [Script] Automatic Correlation Rule Documentation Generator

The script looks like exactly what I would like to use to document SIEM Rules.   I got it to work with the demo xml.  When using the export from ESM, the script runs without error, but only generates the title page.   The exported xml is large'ish 32mb.   I am running on an Ubuntu system.

Are there any size limitations?

Thanks in advance.

0 Kudos
Reply
fernando_segura
Employee
Employee
Report Inappropriate Content
Message 4 of 4
‎09-17-2018 01:33 PM

Re: [Script] Automatic Correlation Rule Documentation Generator

Great work! but maybe is possible one step by step to execute this script.

I have some doubts... for example where I need to put the script files, because on the siem not is possible

Is neccesary execute it from one ubuntu third

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC