Repository files navigation

🌎English |Українська |Español

Roota is a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor attribution simple. It acts as an open-source wrapper on top of most of the existing SIEM, EDR, XDR, and Data Lake query languages. If you learn the basics of Roota, you will be able to contribute to collective defense. And if you have mastered a specific SIEM language, with Roota and Uncoder IO you can speak them all.

Table Of Contents:

• Why Roota
• Writing Roota Rules
• How to Contribute
• Maintainers
• Credits
• Licenses
• Resources & Useful Links

The objective of Roota is to accelerate the global cybersecurity industry collaboration. With Roota acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata to automatically translate the code into other SIEM, EDR, XDR, and Data Lake languages. Inspired by the success of Yara and Sigma rules, Roota is focused on a broader applicability by a larger community of defenders.

• Roota is expressed usingYAML, a widely spread, easy-to-write, human-readable format.
• Use any query language for detection, Uncoder IO will take care of the translation.
• Correlation support. Common correlations are supported by Roota in order to make detection logic harder to bypass by the attackers, more compute efficient, and future-proof.
• Log sources can be explicitly or implicitly defined in the native query itself or in the customizablelogsource field.
• Roota syntax fully accommodatesOCSF andSigma as taxonomy, making it fast to learn, easy to read and share, and providing maximum compatibility for Detection Engineers.
• Threat Actor Timeline. While Actors change, behaviors often stay the same. Roota supports an additional threat intelligence layer for CERTs, NCSCs, ISACs, MDRs, and Defence Agencies, to coordinate defense faster and with greater precision.
• Mapping to TTPs. Link detection logic to related tactics, techniques, and procedures in terms of MITRE ATT&CK®. Use custom tags to make the mapping even more tailored and detailed.
• Response as Code. With enough community members and industry adoption, the next step after detection is sharing the code to automate response.

You can start writing Roota rules in any code editor that supports YAML.To translate Roota rules to other languages use Uncoder IO by building it from the sourcehttps://github.com/UncoderIO/UncoderIO or hosted online privately by SOC Prime since 2018 athttps://uncoder.io

Roota Rule format has minimal, full, and extended templates.

Minimal template is for keeping rules simple, requiring only a name, description, author, severity, date, MITRE ATT&CK tags, detection query in any specific language, reference, and license.

Full template is for adding alerting context, threat actor campaign timeline, specific log source attributes defined based on Sigma Rules or OCSF taxonomy, and cross-platform correlation section.

Extended template is currently reserved for adding response as code and experimental features.

name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)details: Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.author: SOC Prime Teamseverity: highdate: 2020-05-24mitre-attack:    - t1003.001    - t1136.003detection:    language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))references:     - https://badoption.eu/blog/2023/06/21/dumpit.htmllicense: DRL 1.1

name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)details: Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.author: SOC Prime Teamseverity: hightype: query class: behaviourdate: 2020-05-24mitre-attack:    - t1003.001    - t1136.003tram-tags:    NaiveBayes:        - t1136.003    MLPClassifier:        - t1003.001    LogisticRegression:        - t1003        - t1003.005detection:    language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))logsource:    product: Windows                # Sigma or OCSF products    log_name: Security              # OCSF log names    class_name: Process Activity    # OCSF classes    #category:                      # Sigma categories    #service:                       # Sigma services    audit:        source: Windows Security Event Log         enable: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Processtimeline:    2022-04-01 - 2022-08-08: Bumblebee    2022-07-27: KNOTWEED    2022-12-04: UAC-0082, CERT-UA#4435references:     - https://badoption.eu/blog/2023/06/21/dumpit.htmltags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpointlicense: DRL 1.1version: 1uuid: 151fbb45-0048-497a-95ec-2fa733bb15dccorrelation:     timeframe: 1m    functions: count() > 3#response: []    # extended format

Roota specification includes the list of all fields that can be used to write a Roota rule.

Your contribution really matters in evolving the project and helping us make the Roota language even more useful for the global cyber defender community.

To submit your pull request with your ideas or suggestions for changes, take the following steps:

1. Fork theRoota repository and clone your fork to your local environment.
2. Create a new feature branch in which you’re going to make your changes.
3. Then commit your changes to your newly created feature branch.
4. Push the changes to your fork.
5. Create a new Pull Request
   a. Clicking the New Pull Request button.
   b. Select your fork along with a feature branch.
   c. Provide a title and a description of your changes. Make sure they are both clear and informative.
   d. Finally, submit your Pull Request and wait for its approval.

Thank you for your contribution to the Roota project!

• Roman Ranskyi
• Alex Bredikhin
• Adam Swan
• Ruslan Mikhalov
• Andrii Bezverkhyi

We are genuinely grateful to security professionals who contribute their time, expertise, and creativity to evolve the Roota open-source project.

The contents of this repo, along with Roota specifications, are in the public domain.

• Roota.IO the main website page of the Roota project
• Uncoder.IO source code for translation engine Uncoder IO which supports Roota, Sigma, and IOC packaging into specific SIEM, EDR, and Data Lake query formats
• Uncoder.IO private hosted version of Uncoder IO since 2018, operated by SOC Prime, does not track you, does not see your code
• Roota Discord Channel Discord channel to network with Roota enthusiasts