
CoreTide: An Open Source DetectionOps Backend


Introduction

CoreTide is an open-source backend that provides the data schemas and automation for OpenTide instances, built specifically for Detection Engineering teams. Developed and battle-tested within the European Commission for over two years, CoreTide offers a mature and standardized platform for Detection-as-Code (DaC). It streamlines detection engineering workflows by decoupling framework code from detection content and by validating and documenting every object in the repository.

Main Points

Key Features

  • Highly Mature and Standardized Detection-as-Code: CoreTide promotes a consistent and repeatable approach to defining and deploying detection logic across diverse systems.
  • Powerful CI/CD Architecture: An OpenTide instance injects CoreTide into its CI/CD pipeline at run time, so the framework code lives apart from the organization's own detection content. Code and content can then be upgraded independently, which improves deployment efficiency and reduces the risk of errors.
  • YAML-Based Meta Schemas: CoreTide defines the objects of the OpenTide framework with YAML-based meta schemas, giving a clear and structured way to manage the data model.
  • Self-Documenting JSON Schemas: The platform generates JSON schemas from those meta schemas, which editors use for autocompletion and inline validation, giving detection engineers an IDE-like experience while authoring objects.
  • Automated Documentation Generation: CoreTide automatically generates interconnected Markdown files, providing up-to-date documentation for all components.
  • Full UUIDv4 Object System: CoreTide employs a UUIDv4 object system for uniquely identifying and managing all objects within the framework.
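The three features above (meta schemas, generated JSON schemas, UUIDv4 identifiers) all serve one purpose in a Detection-as-Code pipeline: every object is machine-checkable before it is deployed. The following added example, which is not CoreTide's code and uses made-up field names and object kinds rather than CoreTide's real meta schema, shows the kind of CI validation gate such a system runs. The objects are Python dicts shaped like what `yaml.safe_load` would return for one YAML file each, so the block runs offline with no third-party library.

```python
"""Illustrative Detection-as-Code validation gate (added example, not CoreTide's code)."""
import uuid
from typing import Any

# Constructed sample objects, shaped like the dicts yaml.safe_load would return
# for one YAML file each. Field names and kinds are assumptions for this example.
SAMPLE_OBJECTS: list[dict[str, Any]] = [
    {
        "uuid": "3f2a6e1c-9b4d-4c7e-8a1f-2d5e7b9c0a13",
        "kind": "threat-vector",
        "name": "Credential dumping from LSASS memory",
    },
    {
        "uuid": "a7c1d2e3-0f4b-4a6d-9e2c-5b8f1a3d7c90",
        "kind": "detection",
        "name": "LSASS handle opened by unsigned process",
        "references": ["3f2a6e1c-9b4d-4c7e-8a1f-2d5e7b9c0a13"],
        "query": "index=edr event_type=handle target_process=lsass.exe signer=unsigned",
    },
]

# Required keys per object kind: a stand-in for what a YAML meta schema or a
# generated JSON schema would express.
REQUIRED_FIELDS: dict[str, set[str]] = {
    "threat-vector": {"uuid", "kind", "name"},
    "detection": {"uuid", "kind", "name", "query", "references"},
}


def is_uuid4(value: Any) -> bool:
    """True only for a canonical lowercase RFC 4122 version-4 UUID string."""
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    # str(parsed) is the canonical lowercase hyphenated form, so this also
    # rejects uppercase, braces and the 32-hex form, keeping references exact.
    return parsed.version == 4 and str(parsed) == value


def build_index(objects: list[dict[str, Any]]) -> tuple[dict[str, dict[str, Any]], list[str]]:
    """Map uuid -> object. Invalid or duplicate uuids are reported, first occurrence wins."""
    index: dict[str, dict[str, Any]] = {}
    errors: list[str] = []
    for obj in objects:
        key = obj.get("uuid")
        name = obj.get("name", "<unnamed>")
        if not is_uuid4(key):
            errors.append(f"{name}: uuid {key!r} is not a canonical UUIDv4")
            continue
        if key in index:
            errors.append(f"{name}: uuid {key} already used by {index[key].get('name')}")
            continue
        index[key] = obj
    return index, errors


def validate_corpus(objects: list[dict[str, Any]]) -> list[str]:
    """Return every schema and cross-reference error; an empty list means the gate passes."""
    index, errors = build_index(objects)
    for obj in objects:
        name = obj.get("name", "<unnamed>")
        kind = obj.get("kind")
        if kind not in REQUIRED_FIELDS:
            errors.append(f"{name}: unknown kind {kind!r}")
            continue
        missing = REQUIRED_FIELDS[kind] - obj.keys()
        if missing:
            errors.append(f"{name}: missing required fields {sorted(missing)}")
        # Every reference must resolve to a known object uuid; this is what makes
        # a UUID-keyed object graph safe to deploy and to document automatically.
        for ref in obj.get("references") or []:
            if ref not in index:
                errors.append(f"{name}: reference {ref} does not resolve to any object")
    return errors


if __name__ == "__main__":
    problems = validate_corpus(SAMPLE_OBJECTS)
    print("OK" if not problems else "\n".join(problems))
```

In a pipeline this gate runs on every merge request; a non-empty error list fails the job so a dangling reference or a copy-pasted UUID never reaches a deployment stage.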

Supported Detection Platforms

CoreTide offers integration with a variety of popular detection platforms, including:

  • Carbon Black Cloud EDR
  • Crowdstrike XDR
  • Microsoft Sentinel
  • Microsoft Defender for Endpoint XDR
  • Sentinel One
  • Splunk Enterprise and Splunk Enterprise Security (with advanced metadata management).
    • The Splunk integration lets Splunk act as the central hub for all analytics and for the Detection-as-Code alert workflow.

CoreTide Architecture

CoreTide's architecture is designed to empower Detection Engineering Teams. Key architectural components include:

  • Schemas: Centralized management of data schemas, ensuring consistency and standardization across the environment.
  • Templates: Reusable templates for defining detection logic, enabling rapid deployment and reducing redundancy.
  • Indexes: Efficient indexing mechanisms for optimized query performance and faster threat detection.

All three are regenerated from the configuration of the client OpenTide instance.

Talks and Presentations

CoreTide has been presented at several industry events, including:

  • Hack.lu 2023: TIDeMEC (CoreTIDE): A Detection Engineering Platform Homegrown At The EC
  • FIRST Technical Colloquium Amsterdam 2024: CoreTIDE: the First Project of the OpenTIDE Family

Conclusion

CoreTide represents a significant advancement in open-source DetectionOps, offering a robust and mature platform for Detection-as-Code. Its comprehensive feature set, including automated documentation, CI/CD integration, and support for multiple detection platforms, makes it an invaluable tool for detection engineering teams seeking to enhance their threat detection capabilities. By standardizing and streamlining detection workflows, CoreTide empowers organizations to respond more effectively to evolving cyber threats.