correlations - poppopjmp/spiderfoot GitHub Wiki
This page provides a reference for built-in and custom correlation rules, with links to YAML source and documentation for each rule. Use these as templates or inspiration for your own rules.
Below are some of the key built-in rules included with SpiderFoot. Each rule is a YAML file in the /correlations directory. Click the rule name to view its YAML source and documentation:
Rule Name | Description | YAML Source |
---|---|---|
Expired SSL Certificate | Finds hosts with expired SSL certificates | cert_expired.yaml |
Open Cloud Bucket | Finds open cloud storage buckets | cloud_bucket_open.yaml |
Related Open Cloud Bucket | Finds possibly related open cloud buckets | cloud_bucket_open_related.yaml |
Data from Base64 | Finds interesting data in base64-encoded content | data_from_base64.yaml |
Data from Document Meta | Finds interesting data in document/image metadata | data_from_docmeta.yaml |
Internal Service Exposed | Finds internal services exposed to the Internet | internal_service_exposed.yaml |
Exposed Services (Fofa) | Finds services exposed using Fofa | fofa_exposed_services.yaml |
Exposed Contacts (RocketReach) | Finds exposed contacts using RocketReach | rocketreach_exposed_contacts.yaml |
Exposed Services (ZoomEye) | Finds services exposed using ZoomEye | zoomeye_exposed_services.yaml |
For a full list, see the /correlations folder in your installation.
- Start with the template.yaml file.
- Read the README in the /correlations directory for a full technical reference.
- See the Correlation Engine and Correlation Rules page for a deep dive on rule structure and advanced features.
- See the Correlation Analysis Guide for practical usage, workflow, and visualization tips.
- Use the CTI Reports page to learn how to integrate correlation results into threat intelligence reporting.
- Correlation Engine and Correlation Rules
- Correlation Analysis Guide
- CTI Reports
- /correlations/README.md
- /correlations/template.yaml
Maintainers: Steve Micallef [email protected], poppopjmp [email protected]