This page provides a reference for built-in and custom correlation rules, with links to YAML source and documentation for each rule. Use these as templates or inspiration for your own rules.

---

Below are some of the key built-in rules included with SpiderFoot. Each rule is a YAML file in the /correlations directory. Click the rule name to view its YAML source and documentation:

Rule Name	Description	YAML Source
Expired SSL Certificate	Finds hosts with expired SSL certificates	cert_expired.yaml
Open Cloud Bucket	Finds open cloud storage buckets	cloud_bucket_open.yaml
Related Open Cloud Bucket	Finds possibly related open cloud buckets	cloud_bucket_open_related.yaml
Data from Base64	Finds interesting data in base64-encoded content	data_from_base64.yaml
Data from Document Meta	Finds interesting data in document/image metadata	data_from_docmeta.yaml
Internal Service Exposed	Finds internal services exposed to the Internet	internal_service_exposed.yaml
Exposed Services (Fofa)	Finds services exposed using Fofa	fofa_exposed_services.yaml
Exposed Contacts (RocketReach)	Finds exposed contacts using RocketReach	rocketreach_exposed_contacts.yaml
Exposed Services (ZoomEye)	Finds services exposed using ZoomEye	zoomeye_exposed_services.yaml

For a full list, see the /correlations folder in your installation.

---

• Start with the template.yaml file.
• Read the README in the /correlations directory for a full technical reference.
• See the Correlation Engine and Correlation Rules page for a deep dive on rule structure and advanced features.

---

• See the Correlation Analysis Guide for practical usage, workflow, and visualization tips.
• Use the CTI Reports page to learn how to integrate correlation results into threat intelligence reporting.

---

• Correlation Engine and Correlation Rules
• Correlation Analysis Guide
• CTI Reports
• /correlations/README.md
• /correlations/template.yaml

---

Maintainers: Steve Micallef [email protected], poppopjmp [email protected]