Roota is a public-domain language for threat detection and response that combines native queries from a SIEM, EDR, XDR, or Data Lake with standardized metadata and threat intelligence to enable automated translation into other query languages.
Roota is a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor attribution simple. It acts as an open-source wrapper on top of most existing SIEM, EDR, XDR, and Data Lake query languages. If you learn the basics of Roota, you can contribute to collective defense; and if you have mastered one specific SIEM language, Roota and Uncoder IO let you speak them all.
The objective of Roota is to accelerate collaboration across the global cybersecurity industry. With Roota acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata so that the code can be translated automatically into other SIEM, EDR, XDR, and Data Lake languages. Inspired by the success of Yara and Sigma rules, Roota aims at broader applicability for a larger community of defenders.
`logsource` field.

You can start writing Roota rules in any code editor that supports YAML. To translate Roota rules into other languages, use Uncoder IO, either built from source at https://github.com/UncoderIO/UncoderIO or as the version hosted online privately by SOC Prime since 2018 at https://uncoder.io.
The Roota rule format has minimal, full, and extended templates.
The minimal template keeps rules simple: it requires only a name, description, author, severity, date, MITRE ATT&CK tags, a detection query in one specific language, references, and a license.
The full template adds alerting context, a threat actor campaign timeline, log source attributes defined according to the Sigma or OCSF taxonomy, and a cross-platform correlation section.
The extended template is currently reserved for response-as-code and experimental features.
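A linter for the field sets described above, as an added example that is not Roota or Uncoder IO code. It takes a rule already parsed from YAML (for instance with PyYAML's `yaml.safe_load`) and reports what the minimal or full template still needs. The required-field sets mirror the two template rules shown on this page; the severity levels other than `high`, the lower-case ATT&CK id form, the shape of the detection language identifier and the treatment of `correlation` as optional are assumptions, and the Roota specification is authoritative.

```python
"""Lint a Roota rule against the field sets of the minimal and full templates.

Added example, not Roota or Uncoder IO code. Required-field sets are taken from
the two template rules on this page; the Roota specification is authoritative.
The rule is passed in as a parsed mapping, e.g. the result of yaml.safe_load().
"""
import re
import uuid
from datetime import date

MINIMAL_FIELDS = {"name", "details", "author", "severity", "date",
                  "mitre-attack", "detection", "references", "license"}
# Full template: the minimal set plus context fields; "correlation" is treated
# as optional here (assumption).
FULL_FIELDS = MINIMAL_FIELDS | {"type", "class", "logsource", "audit",
                                "timeline", "tags", "version", "uuid"}
SEVERITIES = {"low", "medium", "high", "critical"}   # assumption: the page only shows "high"
MITRE_TAG = re.compile(r"^t\d{4}(\.\d{3})?$")        # lower-case technique/sub-technique id as on this page
LANGUAGE_ID = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*-(query|rule)$")  # shape of splunk-spl-query etc. (assumption)


def lint(rule: dict, template: str = "minimal") -> list[str]:
    """Return a list of problems; an empty list means the rule passes the template."""
    required = MINIMAL_FIELDS if template == "minimal" else FULL_FIELDS
    problems = [f"missing field: {f}" for f in sorted(required - set(rule))]

    if "severity" in rule and rule["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {sorted(SEVERITIES)}, got {rule['severity']!r}")
    if "date" in rule:
        try:
            date.fromisoformat(str(rule["date"]))   # PyYAML already yields a date object
        except ValueError:
            problems.append(f"date is not ISO 8601 (YYYY-MM-DD): {rule['date']!r}")
    if "mitre-attack" in rule:
        tags = rule["mitre-attack"]
        if not isinstance(tags, list) or not tags:
            problems.append("mitre-attack must be a non-empty list")
        else:
            problems += [f"malformed ATT&CK id: {t!r}" for t in tags if not MITRE_TAG.match(str(t))]
    if "detection" in rule:
        det = rule["detection"]
        if not isinstance(det, dict) or not {"language", "body"} <= set(det):
            problems.append("detection needs both 'language' and 'body'")
        else:
            if not LANGUAGE_ID.match(str(det["language"])):
                problems.append(f"unrecognised detection language id: {det['language']!r}")
            if not str(det["body"]).strip():
                problems.append("detection body is empty")
    if "references" in rule:
        refs = rule["references"]
        if not isinstance(refs, list) or not all(str(r).startswith(("http://", "https://")) for r in refs):
            problems.append("references must be a list of URLs")
    if template == "full":
        if "uuid" in rule:
            try:
                uuid.UUID(str(rule["uuid"]))
            except ValueError:
                problems.append(f"uuid is not a valid UUID: {rule['uuid']!r}")
        if "logsource" in rule and "product" not in rule["logsource"]:
            problems.append("logsource should name at least a product")
        corr = rule.get("correlation")
        if corr is not None and not {"timeframe", "functions"} <= set(corr):
            problems.append("correlation needs both 'timeframe' and 'functions'")
    return problems


# The minimal-template rule from this page, as YAML parsing would deliver it.
MINIMAL_RULE = {
    "name": "Possible Credential Dumping Using Comsvcs.dll (via cmdline)",
    "details": "Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.",
    "author": "SOC Prime Team",
    "severity": "high",
    "date": date(2020, 5, 24),
    "mitre-attack": ["t1003.001", "t1136.003"],
    "detection": {
        "language": "splunk-spl-query",
        "body": 'index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR '
                '((process="*comsvcs*") AND (process="*#24*"))) OR '
                '((process="*comsvcs*") AND (process="*full*")))',
    },
    "references": ["https://badoption.eu/blog/2023/06/21/dumpit.html"],
    "license": "DRL 1.1",
}

# Constructed bad rule: unknown severity, malformed ATT&CK id, no license.
BROKEN_RULE = {**MINIMAL_RULE, "severity": "urgent", "mitre-attack": ["1003.001"]}
del BROKEN_RULE["license"]

if __name__ == "__main__":
    for label, rule, tpl in (("minimal", MINIMAL_RULE, "minimal"),
                             ("minimal checked as full", MINIMAL_RULE, "full"),
                             ("broken", BROKEN_RULE, "minimal")):
        print(f"{label}: {lint(rule, tpl) or 'OK'}")
```

Running the page's minimal rule through `lint()` with `template="full"` lists exactly the context fields the full template adds, which is a quick way to see what a contributor still has to fill in before adding timeline or correlation data.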
Minimal template example:

```yaml
name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)
details: Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.
author: SOC Prime Team
severity: high
date: 2020-05-24
mitre-attack:
  - t1003.001
  - t1136.003
detection:
  language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query
  body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
references:
  - https://badoption.eu/blog/2023/06/21/dumpit.html
license: DRL 1.1
```
Full template example:

```yaml
name: Possible Credential Dumping Using Comsvcs.dll (via cmdline)
details: Adversaries can use built-in library comsvcs.dll to dump credentials on a compromised host.
author: SOC Prime Team
severity: high
type: query
class: behaviour
date: 2020-05-24
mitre-attack:
  - t1003.001
  - t1136.003
detection:
  language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query
  body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
logsource:
  product: Windows # Sigma or OCSF products
  log_name: Security # OCSF log names
  class_name: Process Activity # OCSF classes
  #category: # Sigma categories
  #service: # Sigma services
audit:
  source: Windows Security Event Log
  enable: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process
timeline:
  2022-04-01 - 2022-08-08: Bumblebee
  2022-07-27: KNOTWEED
  2022-12-04: UAC-0082, CERT-UA#4435
references:
  - https://badoption.eu/blog/2023/06/21/dumpit.html
tags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpoint
license: DRL 1.1
version: 1
uuid: 151fbb45-0048-497a-95ec-2fa733bb15dc
correlation:
  timeframe: 1m
  functions: count() > 3
#response: [] # extended format
```
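The full-template rule carries both a detection body and a correlation section. The following added example, which is not Roota or Uncoder IO code, evaluates that Splunk body against constructed process-creation events with a small evaluator for just the SPL subset the body uses, and then applies `timeframe: 1m` with `functions: count() > 3`, read here as "more than three matching events inside a sliding one-minute window" (the exact correlation semantics are an assumption; the Roota specification is authoritative). The event timestamps and command lines are constructed, and wildcards are matched case-insensitively, as Splunk compares field values at search time. One practical caveat: the `process` field this query keys on is only populated when command-line auditing is enabled ("Include command line in process creation events" alongside the process creation audit subcategory); otherwise event 4688 records the image path but not the arguments, and none of the `comsvcs` wildcards can match.

```python
"""Run the full-template rule above over constructed process-creation events.
Added example, not Roota or Uncoder IO code: evaluate() covers only the SPL subset
the body uses (parentheses, AND/OR, implicit AND, index=*, process="*..*" wildcards)
and correlate() reads timeframe/count() as a sliding window (assumed semantics)."""
import operator
import re
from datetime import datetime, timedelta

# Detection body and correlation section of the page's full-template rule.
BODY = ('index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR '
        '((process="*comsvcs*") AND (process="*#24*"))) OR '
        '((process="*comsvcs*") AND (process="*full*")))')
CORRELATION = {"timeframe": "1m", "functions": "count() > 3"}

_TOKEN = re.compile(r'\s*(?:(\()|(\))|(AND)|(OR)|(index=\*)|process="([^"]*)")')
_KINDS = ("(", ")", "AND", "OR", "TRUE", "PROCESS")
_OPS = {">": operator.gt, ">=": operator.ge, "==": operator.eq}

def tokenize(body):
    """SPL body -> [(kind, value)]; anything outside the supported subset is rejected."""
    tokens, pos, body = [], 0, body.strip()
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"unsupported SPL at offset {pos}: {body[pos:pos + 20]!r}")
        pos = m.end()
        kind = _KINDS[next(i for i, g in enumerate(m.groups()) if g is not None)]
        tokens.append((kind, m.group(6) or ""))
    return tokens

def wildcard_match(pattern, value):
    """Splunk-style '*' wildcard, case-insensitive like Splunk's field comparisons."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def evaluate(body, cmdline):
    """True if cmdline satisfies the SPL body (recursive descent: expr > term > factor)."""
    tokens, pos = tokenize(body) + [("END", "")], 0

    def factor():
        nonlocal pos
        kind, value = tokens[pos]
        pos += 1
        if kind == "(":
            result = expr()
            if tokens[pos][0] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return result
        if kind == "TRUE":          # index=* restricts nothing
            return True
        if kind == "PROCESS":
            return wildcard_match(value, cmdline)
        raise ValueError(f"unexpected token {kind}")

    def term():                     # adjacent terms are implicitly ANDed in SPL
        nonlocal pos
        result = factor()
        while tokens[pos][0] in ("AND", "(", "TRUE", "PROCESS"):
            if tokens[pos][0] == "AND":
                pos += 1
            result = factor() and result   # factor() runs first so its tokens are consumed
        return result

    def expr():
        nonlocal pos
        result = term()
        while tokens[pos][0] == "OR":
            pos += 1
            result = term() or result
        return result

    result = expr()
    if tokens[pos][0] != "END":
        raise ValueError("trailing tokens in SPL body")
    return result

def parse_correlation(corr):
    """'1m' / 'count() > 3' -> (timedelta, comparison, threshold); only count() is handled."""
    tf = re.fullmatch(r"(\d+)([smh])", corr["timeframe"].strip())
    fn = re.fullmatch(r"count\(\)\s*(>=|>|==)\s*(\d+)", corr["functions"].strip())
    if not (tf and fn):
        raise ValueError(f"unsupported correlation section: {corr!r}")
    window = timedelta(seconds=int(tf.group(1)) * {"s": 1, "m": 60, "h": 3600}[tf.group(2)])
    return window, _OPS[fn.group(1)], int(fn.group(2))

def correlate(events, body=BODY, corr=CORRELATION):
    """Return (times of matching events, times at which the correlation fires)."""
    window, compare, threshold = parse_correlation(corr)
    hits = [ts for ts, cmdline in sorted(events) if evaluate(body, cmdline)]
    alerts = [ts for i, ts in enumerate(hits)
              if compare(sum(ts - earlier < window for earlier in hits[:i + 1]), threshold)]
    return hits, alerts

# Constructed (timestamp, command line) pairs, not real telemetry: four comsvcs.dll
# dump attempts within 45 seconds, then a benign process that merely mentions comsvcs.
T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=5), r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"),
    (T0 + timedelta(seconds=20), r"rundll32.exe C:\Windows\System32\comsvcs.dll, #24 624 C:\temp\1.dmp full"),
    (T0 + timedelta(seconds=35), r"RUNDLL32 comsvcs.dll MiniDump 624 C:\temp\2.dmp full"),
    (T0 + timedelta(seconds=50), r"rundll32.exe comsvcs.dll, #24 624 C:\temp\3.dmp full"),
    (T0 + timedelta(minutes=3), r"notepad.exe C:\Users\a\comsvcs_notes.txt"),  # no dump verb, no match
]

if __name__ == "__main__":
    hits, alerts = correlate(SAMPLE_EVENTS)
    print(f"{len(hits)} matching events; correlation fired at: {alerts}")
```

With the constructed input, four events match the body and the correlation fires once, on the fourth match at 10:00:50, because only then do more than three matches fall inside a single 60-second window; the first three matches alone never cross the `count() > 3` threshold.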
The Roota specification lists all fields that can be used in a Roota rule.
Your contribution really matters in evolving the project and helping us make the Roota language even more useful for the global cyber defender community.
To submit your pull request with your ideas or suggestions for changes, take the following steps:
Thank you for your contribution to the Roota project!
We are genuinely grateful to security professionals who contribute their time, expertise, and creativity to evolve the Roota open-source project.
The contents of this repo, along with Roota specifications, are in the public domain.