An Open-Source Language for Collective Cyber Defense

🌎 English | Українська | Español

Roota is a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor attribution simple. It acts as an open-source wrapper on top of most of the existing SIEM, EDR, XDR, and Data Lake query languages. If you learn the basics of Roota, you will be able to contribute to collective defense. And if you have mastered a specific SIEM language, with Roota and Uncoder IO you can speak them all.

Table Of Contents:

• Why Roota
• Writing Roota Rules
• How to Contribute
• Maintainers
• Credits
• Licenses
• Resources & Useful Links

🥰 Why Roota

The objective of Roota is to accelerate the global cybersecurity industry collaboration. With Roota acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata to automatically translate the code into other SIEM, EDR, XDR, and Data Lake languages. Inspired by the success of Yara and Sigma rules, Roota is focused on a broader applicability by a larger community of defenders.

• Roota is expressed using YAML, a widely spread, easy-to-write, human-readable format.
• Use any query language for detection, Uncoder IO will take care of the translation.
• Correlation support. Common correlations are supported by Roota in order to make detection logic harder to bypass by the attackers, more compute efficient, and future-proof.
• Log sources can be explicitly or implicitly defined in the native query itself or in the customizable logsource field.
• Roota syntax fully accommodates OCSF and Sigma as taxonomy, making it fast to learn, easy to read and share, and providing maximum compatibility for Detection Engineers.
• Threat Actor Timeline. While Actors change, behaviors often stay the same. Roota supports an additional threat intelligence layer for CERTs, NCSCs, ISACs, MDRs, and Defence Agencies, to coordinate defense faster and with greater precision.
• Mapping to TTPs. Link detection logic to related tactics, techniques, and procedures in terms of MITRE ATT&CK®. Use custom tags to make the mapping even more tailored and detailed.
• Response as Code. With enough community members and industry adoption, the next step after detection is sharing the code to automate response.

🧙 Writing Roota Rules

You can start writing Roota rules in any code editor that supports YAML. To translate Roota rules to other languages use Uncoder IO by building it from the source https://github.com/UncoderIO/UncoderIO or hosted online privately by SOC Prime since 2018 at https://uncoder.io

Roota Rule Templates

Roota Rule format has minimal, full, and extended templates.

Minimal template is for keeping rules simple, requiring only a name, description, author, severity, date, MITRE ATT&CK tags, detection query in any specific language, reference, and license.

Full template is for adding alerting context, threat actor campaign timeline, specific log source attributes defined based on Sigma Rules or OCSF taxonomy, and cross-platform correlation section.

Extended template is currently reserved for adding response as code and experimental features.

Minimal Roota rule example:

name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)
details: Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.
author: SOC Prime Team
severity: high
date: 2020-05-24
mitre-attack:
    - t1003.001
    - t1136.003
detection:
    language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query
    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
references: 
    - https://badoption.eu/blog/2023/06/21/dumpit.html
license: DRL 1.1

Full Roota rule example:

name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)
details: Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.
author: SOC Prime Team
severity: high
type: query 
class: behaviour
date: 2020-05-24
mitre-attack:
    - t1003.001
    - t1136.003
detection:
    language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query
    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
logsource:
    product: Windows                # Sigma or OCSF products
    log_name: Security              # OCSF log names
    class_name: Process Activity    # OCSF classes
    #category:                      # Sigma categories
    #service:                       # Sigma services
    audit:
        source: Windows Security Event Log 
        enable: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process
timeline:
    2022-04-01 - 2022-08-08: Bumblebee
    2022-07-27: KNOTWEED
    2022-12-04: UAC-0082, CERT-UA#4435
references: 
    - https://badoption.eu/blog/2023/06/21/dumpit.html
tags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpoint
license: DRL 1.1
version: 1
uuid: 151fbb45-0048-497a-95ec-2fa733bb15dc
correlation: 
    timeframe: 1m
    functions: count() > 3
#response: []    # extended format

Fields

Roota specification includes the list of all fields that can be used to write a Roota rule.

🍪 How to Contribute

Your contribution really matters in evolving the project and helping us make the Roota language even more useful for the global cyber defender community.

To submit your pull request with your ideas or suggestions for changes, take the following steps:

1. Fork the Roota repository and clone your fork to your local environment.
2. Create a new feature branch in which you’re going to make your changes.
3. Then commit your changes to your newly created feature branch.
4. Push the changes to your fork.
5. Create a new Pull Request
   a. Clicking the New Pull Request button.
   b. Select your fork along with a feature branch.
   c. Provide a title and a description of your changes. Make sure they are both clear and informative.
   d. Finally, submit your Pull Request and wait for its approval.

Thank you for your contribution to the Roota project!

😸 Maintainers

• Roman Ranskyi
• Alex Bredikhin
• Adam Swan
• Ruslan Mikhalov
• Andrii Bezverkhyi

👏 Credits

We are genuinely grateful to security professionals who contribute their time, expertise, and creativity to evolve the Roota open-source project.

🌐 Licenses

The contents of this repo, along with Roota specifications, are in the public domain.

📖 Resources & Useful Links

• Roota.IO the main website page of the Roota project
• Uncoder.IO source code for translation engine Uncoder IO which supports Roota, Sigma, and IOC packaging into specific SIEM, EDR, and Data Lake query formats
• Uncoder.IO private hosted version of Uncoder IO since 2018, operated by SOC Prime, does not track you, does not see your code
• Roota Discord Channel Discord channel to network with Roota enthusiasts