README.md (7 additions, 9 deletions)
@@ -21,19 +21,17 @@ RootA is a public-domain language for collective cyber defense, created to make
The objective of RootA is to accelerate the global cyber industry collaboration. With RootA acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata to automatically translate the code into other SIEM, EDR, XDR, and Data Lake languages without the need to learn new technology:
-**Simple universal format.** RootA is expressed using YAML, a wide-spread, easy-to-write and human-readable format.
-
-**Keeping the full power of your query.** RootA lets you capture all the native SIEM functions, including aggregations, correlations, and using multiple log sources. This way, your complex detection logic can later be rendered in other languages.
-**Flexibility.** Depending on your SIEM, you can rely on log sources explicitly or implicitly defined in the native query itself or in the customizable `logsource` field.
-
-**No need to learn a new technology.** To capture detection with RootA, you don't have to learn a new query language. The detection logic is specified in the native language of your SIEM, EDR, XDR, or Data Lake technology.
+
-**Unlock the Full Power of Your SIEM and EDR.** Break through the limits of describing attack behavior by leveraging stateful logic of any sophistication, instead of a flat IOC-like string matching. This way you can assure that detection logic you build and share is harder to bypass by the attackers, is more compute efficient and can later be rendered in other languages.
+
-**Empower Your Detection Engineering Skills.** To capture detection logic with RootA, you can use any query language that you already know. Initial rule is specified in the native language of your favorite SIEM, EDR or Data Lake technology.
-
### CTI and Metadata Enrichment
-
RootA includes fields to define relevant cyber threat intelligence and metadata to create a self-sufficient document capturing the whole use case rather than mere detection logic:
+
### A Journey Beyond Detection
+
RootA is designed to welcome all members of cyber defence industry, maximising the use of open standards such as MITRE ATT&CK, OCSF schema and Sigma rules.
+
-**Advanced Compatibility.** RootA syntax fully accommodates OCSF and Sigma rules as taxonomy, making it fast to learn, easy to read and share, and providing maximum compatibility for Detection Engineers.
+
-**Threat Actor Timeline.** While Actors change, behaviours stay the same. RootA supports an additional threat intelligence layer for CERTs, NCSCs, ISACs, MDRs, and Defence Agencies, to coordinate defence faster and with greater precision.
-**Mapping to TTPs.** Link detection logic to related tactics, techniques, and procedures in terms of MITRE ATT&CK®. Use custom tags to make the mapping even more tailored and detailed.
-
-**Timeline.** Ensure a clear understanding of the adversary's behavior over the course of an attack. Specify when a particular actor, tool, or threat was detected.
-
-**Triage facilitation.** Define the severity of a potential hit to help in its prioritization. Be mindful of SOC operators who are sometimes overwhelmed with alerts.
-
-**Author and license.** Writing a rule requires a great deal of effort and expertise. Ensure the credit is on the right person and define the license for use.
-
-**Details.** Well, that's where the devil is. Describe how the detection logic works and provide anything that may be useful to understand the code or use it properly.
-
-**Response.** Define response recommendations for cases where the detection produces hits. Refer to best practices or provide specific instructions.
+
-**Response as Code.** With enough community members and industry adoption, the next step after detection is sharing the code to automate response.
### Community Collaboration
-**Use Case Documentation.** Relying on the RootA language, cyber defenders can seamlessly document and share their threat research in a universal format describing the whole use case enriched with CTI, ATT&CK tagging, and other relevant fields.
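Review bot: the new `### A Journey Beyond Detection` section drops the intro sentence of `### CTI and Metadata Enrichment` together with the `Timeline`, `Triage facilitation`, `Author and license`, `Details` and `Response` bullets, so after this change the README no longer tells a rule author that a RootA document can carry a severity, an author and license, a description of how the logic works, or response recommendations; of the old metadata bullets only `Mapping to TTPs` survives. If those fields are still part of the language, keep those bullets or fold them into the new section (the added `Threat Actor Timeline` and `Response as Code` bullets cover different ground: a CTI layer for coordinating defenders and a future goal of sharing automation code, not the per-rule fields the removed bullets described); if the fields were removed from the format, say so in the commit message so existing users are not surprised. Two smaller points on the added text: `Unlock the Full Power of Your SIEM and EDR` asserts that stateful logic "is more compute efficient" than flat string matching, which is not generally true (windowed aggregations and correlations normally cost more than a single field match), so qualify or drop that clause and keep the defensible claim that behaviour-based logic is harder to bypass than IOC-style matching; and the added lines mix spellings (`defence`, `maximising`) with the `defense` used in the unchanged hunk-header context, while `Initial rule is specified` wants an article (`The initial rule is specified`).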