ODEF provides two templates for documenting detections, YAML and Markdown, each serving a different purpose:
YAML is used because it is a data serialization format with parsers available in most programming languages, which makes it suitable for automation and integration with other systems. The YAML file stores the machine-readable components of a detection, such as the queries, baseline, schedule and others, and is a stepping stone towards a Detection-as-Code capability.
Markdown is used for detection documentation because of its readability and simplicity. It is especially helpful for knowledge sharing when used in conjunction with platforms like GitHub, which render it directly. The purpose of the Markdown file is to house all details related to the detection. See the Knowledge Management section for additional information.