16. Wazuh Rule Collection
Summary of Custom Wazuh Rulesets on GitHub
Below is a personal collection of custom Wazuh rulesets gathered from various community and organizational sources. These rules can be used for reference, customization, or direct application in your own setup. Using these rulesets gives you additional detection rules out of the box, reducing the time spent writing them from scratch and the time spent parsing logs.
Featured Rulesets
SOCFortress/Wazuh-Rules: Advanced Wazuh rules for more accurate threat detection. Feel free to implement them in your own Wazuh environment, contribute, or fork!
TristanGNS/wazuh-cjis-rules: Modular CJIS Compliance Ruleset for Wazuh. A maintainable, version-controlled collection of custom Wazuh rules mapped to CJIS Security Policy controls. Designed for easy auditing, deployment, and integration with SIEM workflows.
sametsazak/sysmon: Sysmon and Wazuh integration with Sigma Sysmon rules [updated]
MikhailKasimov/maltrail-wazuh-decoder-and-rules: Maltrail decoder and rules for Wazuh
TheMuntu/Wazuh-Detection: A collection of various Wazuh detection rules for vulnerabilities, malware, and adversary emulation.
We have also collected and created some rules ourselves and shared them with the community at the link below. What sets us apart is that we filter out obsolete rules and keep them updated over time.
- FMI Wazuh Rule: hawkteam404/Wazuh
Comparison Table of Main Features
| Project (GitHub) | Monitoring Scope | Pros | Cons | Highlights |
|---|---|---|---|---|
| SOCFortress/Wazuh-Rules | Advanced detection: Sysmon, Office365, Defender, Sophos, MISP, Osquery, Yara, Suricata, Falco, ModSecurity, etc. | Comprehensive, updated, auto-install scripts, SIGMA & Yara support | Very large, potential rule ID conflicts, may produce false positives | Windows/Linux support, MITRE mapping via SIGMA |
| TristanGNS/wazuh-cjis-rules | Compliance with FBI CJIS, mapping to CJIS/NIST 800-53 | Modular, clear mapping, audit-ready | Specialized, limited to CJIS, some rules still in progress | Focused on compliance, version-controlled |
| sametsazak/sysmon | SIGMA-based rules for Sysmon (Windows) | Extensive SIGMA rules, advanced Windows detection | Windows-only, may flood alerts, repo is old | SIGMA integration, detailed Sysmon analysis |
| MikhailKasimov/maltrail-wazuh-decoder-and-rules | Maltrail log processing | Specialized, easy integration, updated | Narrow focus, requires rule ID adjustment | Maltrail integration, clear ID guidance |
| TheMuntu/Wazuh-Detection | Vulnerability, malware, adversary emulation | Multiple illustrative rules, updated 2024 | Few stars, mainly examples, limited integration | Focus on IOCs & Blue Team exercises |
| sanesecurityguy/opnsense-… | OPNsense firewall log decoding | Ready to use for OPNsense | Old version, limited updates | - |