
Open-Source Language for Collective Cyber Defense

https://github.com/UncoderIO/
Built by the Detection Engineering team with a background in 100+ SIEM deployment and improvement projects, having built over 300 log data connectors for leading vendors.
detection:
    language: splunk
    schema: cim
    # native Splunk query over CIM field names, written as a folded scalar so it loads as one line;
    # comsvcs.dll MiniDump invocation is a well-known LSASS memory dump pattern (#24 is the ordinal of the same export)
    body: >
        index=* ((((process="*comsvcs*") AND (process="*MiniDump*"))
        OR ((process="*comsvcs*") AND (process="*#24*")))
        OR ((process="*comsvcs*") AND (process="*full*")))
timeline:
    # actor or campaign sightings: a date range or a single date, mapped to the actors observed
    2022-04-01 - 2022-08-08: Bumblebee
    2022-07-27: KNOTWEED
    2022-12-04: UAC-0082, CERT-UA#4435
mitre-attack: t1003.001
tags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpoint
RootA is a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor attribution simple. It acts as an open-source wrapper on top of the majority of existing SIEM, EDR, XDR, and Data Lake query languages. If you learn the basics of RootA, you will be able to contribute to collective defense. And if you have mastered a specific SIEM language, with RootA and Uncoder IO you can speak them all.

Roots of RootA

The objective of RootA is to accelerate collaboration across the global cybersecurity industry. You can easily start performing Detection Engineering tasks with any background in writing SIEM or EDR detection rules. Alternatively, if you are good with generic languages like Sigma or Yara, then RootA will look like the next logical step forward.
The Story of Language
Our Ukrainian roots inspired us to choose “RootA” as the language name, evoking the ancient Ukrainian legend of "Chervona Ruta" (Red Rue), which symbolizes the search for love. In an industry replete with challenges but often lacking in collaboration, we believe that RootA's mission is to change that for the better.
Created by The Team
RootA has been developed from the ground up and is presently maintained by SOC Prime's team in Ukraine. Since 2015, we've been building on the idea of establishing a unified language and toolkit for threat detection and response. The first steps were our support of Sigma rules and the Uncoder IO project, an online yet fully private IDE for Detection Engineering.
Which Made Uncoder.IO
Uncoder IO is now Open Source to translate IOCs, RootA, and Sigma rules in multiple directions. The barrier between threat detection languages is therefore removed, so that we all can contribute to the further evolution of collective cyber defense capabilities.
It is time to take a step towards a safer tomorrow, together, as one community.

Community Collaboration

MITRE ATT&CK at Core
Just as we linked Sigma Rules with MITRE ATT&CK back in 2018, the time has come to take it to the next level. With RootA adoption we enhance Detection and Response Code with Actor and Campaign Timelines, integration with top CTI platforms, contribution to MITRE TRAM and Sightings.
Online Knowledge Sharing
We all come together on Discord, with no need to raise support tickets or attend in-person training. There's a space for Uncoder, for Sigma and RootA, and for 45 distinct SIEM, EDR, and Data Lake technologies. Each space is focused on solving practical daily tasks, made by engineers for engineers.
One Language, a Hundred Dialects
All Detection Engineers, Threat Hunters, and Cyber Threat Intelligence Analysts in the world have one common goal of combating cyber threats. Until now, we were bound to express solutions in specific query dialects. With RootA, Sigma, and Uncoder we work together on solving the big problem.

Enabling Cross-Platform Query Translation

With RootA acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata to automatically translate the code into other SIEM, EDR, XDR, and Data Lake languages without the need to learn new technology.
Simple Universal Format
RootA is expressed using YAML, a widely spread, easy-to-write, human-readable format.
Flexibility
Depending on your SIEM, you can rely on log sources explicitly or implicitly defined in the native query itself, or in the customizable logsource field.
  • Splunk
  • Elastic Stack
  • Microsoft Sentinel
  • Defender ATP
  • Humio
  • ElastAlert
  • Carbon Black
  • QRadar
  • Google Chronicle
Unlock the Full Power of Your SIEM and EDR
Break through the limits of describing attack behavior by leveraging stateful logic of any sophistication instead of flat, IOC-like string matching. This way you can ensure that the detection logic you build and share is harder for attackers to bypass, more compute-efficient, and can later be rendered in other languages.
Empower Your Detection Engineering Skills
To capture detection logic with RootA, you can use any query language that you already know. The initial rule is specified in the native language of your favorite SIEM, EDR, or Data Lake technology.

A Journey Beyond Detection

RootA syntax fully accommodates OCSF and Sigma rules as taxonomy, making it fast to learn, easy to read and share, providing maximum compatibility for Detection Engineers.

Advanced Compatibility
RootA syntax fully accommodates OCSF and Sigma rules as taxonomy, to minimise friction for Detection Engineers.
Threat Actor Timeline
While Actors change, behaviors stay the same. RootA supports an additional threat intelligence layer for CERTs, NCSCs, ISACs, MDRs, and Defence Agencies, to coordinate defense faster and with greater precision.
Mapping to TTPs
Link detection logic to related tactics, techniques, and procedures in terms of MITRE ATT&CK®. Use custom tags to make the mapping even more tailored and detailed.
Response as Code
With enough community members and industry adoption, the next step after detection is sharing the code to automate response.
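
A small stand-alone reader for the rule format shown at the top of this page, added here as an example and not code from the RootA project or Uncoder IO: it parses the two-level YAML subset a RootA rule uses with the standard library only (so it assumes no PyYAML), checks that mitre-attack carries a technique id, and expands the Threat Actor Timeline into dated spans. The embedded rule is the page's example re-indented as valid YAML.

```python
import re
from datetime import date
# The rule shown on the page, re-indented as valid YAML (constructed sample input).
ROOTA_RULE = """\
detection:
    language: splunk
    schema: cim
    body: >
        index=* ((((process="*comsvcs*") AND (process="*MiniDump*"))
        OR ((process="*comsvcs*") AND (process="*#24*")))
        OR ((process="*comsvcs*") AND (process="*full*")))
timeline:
    2022-04-01 - 2022-08-08: Bumblebee
    2022-07-27: KNOTWEED
    2022-12-04: UAC-0082, CERT-UA#4435
mitre-attack: t1003.001
"""

def parse_yaml_subset(text):  # two-level mappings; '>' folds the query body
    rule, section, fold_key, fold = {}, None, None, []
    for line in text.splitlines() + [""]:  # sentinel line closes a fold at end of input
        indent = len(line) - len(line.lstrip())
        if fold_key and indent > 4:  # continuation line of the folded body
            fold.append(line.strip())
            continue
        if fold_key:  # fold ended: YAML '>' joins the lines with single spaces
            rule[section][fold_key], fold_key = " ".join(fold), None
        key, sep, value = line.strip().partition(": ")
        if not key or key[0] == "#":  # blank line, YAML comment or the sentinel
            continue
        if not sep:  # 'detection:' / 'timeline:' open a nested mapping
            section = key.rstrip(":")
            rule[section] = {}
        elif value == ">":  # folded block scalar follows on indented lines
            fold_key, fold = key, []
        elif indent:  # nested key under the current section
            rule[section][key] = value
        else:  # top-level scalar such as mitre-attack
            rule[key] = value
    return rule

def load_roota(text):  # structured view of a rule plus the checks a reviewer wants
    rule, spans = parse_yaml_subset(text), []
    if not re.fullmatch(r"t\d{4}(\.\d{3})?", rule.get("mitre-attack", ""), re.I):
        raise ValueError("mitre-attack must be a technique id such as t1003.001")
    for key, actors in rule.get("timeline", {}).items():  # 'start - end' or one date
        first, _, last = key.partition(" - ")
        spans.append((date.fromisoformat(first), date.fromisoformat(last or first),
                      [a.strip() for a in actors.split(",")]))
    return dict(rule["detection"], timeline=spans)  # language, schema, body, timeline
```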

Enabled for Defence, with Open-Source Uncoder IO

Since 2018, Uncoder.IO has been the most popular professional translation engine for Sigma Rules. The capability to fuse IOCs and Behavior Detections via Sigma & RootA rules has just become Open Source. Uncoder is rapidly evolving to support translations to every cyber security language in the shortest possible timeframe. Meanwhile, its SaaS counterpart assures backward compatibility with all specific languages, providing a fully private, developer-centric, secure SOC 2 Type II certified IDE for community, personal, business, and government use.
Sub-Second Performance
100% Privacy
Collective Cyber Defense:
  • RootA
  • Sigma
  • IOCs

Supported Technologies

Speak 65 languages for 45 technologies, with RootA acting as a wrapper for any SIEM, EDR, XDR, or Data Lake format.

Have questions?

Let's discuss on Discord

Deeper into the Roots

Writing RootA Rules

RootA is made to be easy to start with for a person of any background. Experiment with packaging open-source rule formats like Sigma or Yara. Use the knowledge you have of any specific SIEM language to create RootA rules that become instantly compatible with all the languages that exist.

Contribute to Open Source

The RootA structure supports adding valuable information based on your expertise. This can be as simple as providing an extended description and references, or more advanced, like logging requirements or a MITRE ATT&CK tag. Experts will find it easy to share log audit requirements as well as Threat Actor and Campaign timelines.

Join the RootA Community

Whether you’re a seasoned expert or just learning how to write detection code, you're welcome to join the ranks of our RootA community. Connect to peers and contribute to collective cyber defense for a secure tomorrow.
