This release is about opening things up — to the community, and to the tools your team already relies on. Comments now have a real home of their own, votes and reactions are transparent (you can finally see who liked what), and the platform gets its first external tool integration with Velociraptor. That last one is deliberately just a first step: Velociraptor is the opening move, not the whole plan — more integrations with the tools SOC and DFIR teams actually use are coming.
Online version available at rulezet.org
Features
- Blog — a full publishing system for the platform:
- Rich post creation with cover images and draft/published states
- Generate a post directly from a CVE — pulls CVSS score, CWE classification, and affected products from CIRCL's CVE v5 records and turns them into a formatted write-up
- Download or export posts as PDF, Markdown, or JSON
- Notification preference for new blog publications
- Comments Hub — a single place to browse every comment across the platform (rules, bundles, and edit proposals), with filters, search, and a "my comments" view
- Voter visibility — hover over a like/dislike on a rule, a bundle, or a comment to see exactly who reacted, with avatar, name, and a link to their profile
- File a comment as a GitHub issue — admins can turn a user comment directly into an issue on the project's GitHub repo, with GitHub token setup guided from Admin Settings
- Bulk ownership transfer — admins can select any set of rules and reassign them to a different owner in one background job, independent of the existing ownership-request flow
- Log Definitions manager — admins can customize the icon, title, and visibility of any activity-log action type from a dedicated settings screen, without touching code
- Legal & Privacy pages — privacy policy and legal notice, linked from the footer
Velociraptor Integration, Just the Beginning
Rule detail pages can now surface linked Velociraptor artifacts directly alongside a rule. This is the first integration of its kind on Rulezet, and it's intentionally a starting point rather than a finished story: the goal is to make Rulezet useful not just as a detection rule repository, but as a hub that connects to the tools detection engineers and DFIR teams already run day to day. Expect more tool integrations to follow — if there's a specific tool your workflow depends on, the GitHub issue tracker is the place to ask for it.
Improvements
- Admin navigation — every admin page now shares the same compact, collapsible navigation bar, placed consistently alongside each page's own tabs instead of a long sidebar
- Bulk Field Parser — the admin tool for extracting metadata from rule content now includes a live tester: paste a sample rule and see exactly what a keyword or regex rule would extract, with the matching line or span highlighted, before running it on your whole library
- CVE re-scan — the field parser can now re-scan rule content for CVE and vulnerability identifiers and merge any newly found ones into a rule's existing list, without ever overwriting or duplicating what's already there
- Home page — new "Total Rules" chart showing platform growth as a running total over time, alongside the existing per-period activity chart
- Profile & account pages — new "My Comments" tab, simplified profile editing, and a refreshed layout for both your own profile and public user pages
- Graph fullscreen mode — the relationship graph on bundle detail pages and the ATT&CK coverage graph can now be expanded to fullscreen
- PivoTick canvas customization — choose how the relationship graph background looks: soft dot grid, the original grid lines, a flat color, or an image from a small admin-managed gallery
- YARA match results — large match lists (rules with thousands of string matches) are now paginated and truncated for readability instead of freezing the page
Fixes
- Fixed a bug where the "View on GitHub" link on imported rules could point at a broken, locally-resolved path instead of the actual file on GitHub
- Fixed rule and tag filters losing context when combined with an active RuleList filter in some views
- Fixed rule format not rendering correctly in some home page widgets
- Improved duplicate handling when importing or re-processing rules from a connector or GitHub source
- Improved thread safety and session finalization during GitHub import, update, and similarity-detection jobs
- Added proper Sigma rule detection so Sigma files are no longer misclassified against other YAML-based formats
- Change the system of bundle from the rule list section ( bundle from filter)
Coming Next
The next release turns attention to Suricata. A number of formats currently sit close to each other conceptually — Sagan, Suricata, and Snort in particular — and the goal is to sharpen the boundaries between them: better format detection, clearer conflict handling when a rule could plausibly belong to more than one format, and improvements specific to how Suricata rules are parsed, validated, and displayed. If you regularly work with any of these three formats and have friction to report, now is a good time to open an issue.
Run Your Own Rulezet — Stay Private, Stay Connected
Rulezet is free and open-source. You do not need to share your detection rules publicly to benefit from the platform. You can run your own private Rulezet instance within your organisation and manage all your detection rules there — YARA, Sigma, Suricata, Zeek, ATR, or any other format — without any of it ever being visible to the outside world.
Where Rulezet becomes even more powerful is through its connector (federation sync) system. A connector lets your private instance pull rules from any remote Rulezet instance — including the official community instance at rulezet.org. This means:
- Your team works in a private, self-hosted environment with full control
- You can sync in any subset of the community rules from rulezet.org at any time
- Two pull modes are available: soft pull (skip rules you already have) and hard pull (update existing rules in place)
- Rules are matched by UUID — no duplicates, clean merges
- You can filter what you pull by format, tags, or ATT&CK technique
The result: you get the best of both worlds. The community library available to you on demand, without ever having to expose your internal rules. Whether you are a SOC team, a threat intelligence unit, or an independent researcher, you can have a fully functional, private detection engineering workbench running in minutes.
https://rulezet.org/connector/how-it-works
Thanks
Special thanks to Éric Leblond (@regit), co-founder of Suricata, for taking the time to test Rulezet and file detailed reports:
Feedback like this, straight from someone building one of the formats Rulezet supports, is exactly what shapes the roadmap above.
Full Changelog
Full Changelog: 1.6.0...1.6.1
Funding
Co-funded by the European Union and CIRCL. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the granting authority can be held responsible for them.
This repository is part of the NGSOTI project. Project: 101127921 NGSOTI DIGITAL‑ECCC‑2022‑CYBER‑03
