From acee0a3e11b2acedf25ad23f083d1eb198584158 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 19 Dec 2025 09:26:27 +0100 Subject: [PATCH] chore: update readme and move requirements.txt --- .github/actions/setup-python/action.yml | 2 +- README.md | 29 +++++++++++++++++-- requirements.txt => testdata/requirements.txt | 0 3 files changed, 28 insertions(+), 3 deletions(-) rename requirements.txt => testdata/requirements.txt (100%) diff --git a/.github/actions/setup-python/action.yml b/.github/actions/setup-python/action.yml index 9698a22..ac1d3b2 100644 --- a/.github/actions/setup-python/action.yml +++ b/.github/actions/setup-python/action.yml @@ -13,7 +13,7 @@ runs: run: | python3 -m venv .venv . .venv/bin/activate - pip install -r requirements.txt + pip install -r testdata/requirements.txt # Set environment variables for subsequent steps echo "VIRTUAL_ENV=$VIRTUAL_ENV" >> $GITHUB_ENV diff --git a/README.md b/README.md index b0c04a1..e063a89 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,29 @@ # Nextron YAML IOC Specification -This repository is used to maintain the specification for the IOC YAML format -used in Nextron products such as THOR. \ No newline at end of file +This repository contains the official specification for the IOC (Indicator of Compromise) YAML format used in Nextron products such as THOR. + +## What is this? + +The YAML IOC format is a standardized way to define threat intelligence indicators in a structured, human-readable format. This specification enables security analysts and threat hunters to create portable IOC rules that can detect various types of malicious artifacts including: + +- **File indicators**: File paths, names, and patterns. +- **Network indicators**: C2 domains, IPs. +- **System indicators**: Mutexes, named pipes, events. +- **Hash indicators**: File hashes (MD5, SHA1, SHA256, Imphash). + +## Benefits for Users + +- **Future Proof**: Consistent format across different Nextron tools and environments, starting with THOR. +- **Portability**: IOC rules can be shared and reused across different deployments. +- **Validation**: JSON schema ensures rule correctness and prevents common errors. +- **Flexibility**: Support for various IOC types with customizable scoring and filtering. +- **Documentation**: Built-in fields for references, descriptions, and metadata. + +## Main Files + +- **[yaml-ioc-schema.json](yaml-ioc-schema.json)**: The main JSON Schema file that defines the complete IOC YAML specification. +- **testdata/**: Example IOC rules demonstrating valid and invalid formats for testing purposes. + +## Documentation + +For detailed information on using IOC rules with THOR, see the [THOR Manual](https://thor-manual.nextron-systems.com/en/v11/signatures/ioc-types.html). \ No newline at end of file diff --git a/requirements.txt b/testdata/requirements.txt similarity index 100% rename from requirements.txt rename to testdata/requirements.txt
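Review bot: in the `.github/actions/setup-python/action.yml` hunk, `pip install -r testdata/requirements.txt` now reads the CI dependency manifest out of a directory that this same patch's README describes as "Example IOC rules demonstrating valid and invalid formats for testing purposes", so a reader (or a later cleanup of fixtures) will not expect a Python requirements file there; keep `requirements.txt` at the repository root, or at least list `testdata/requirements.txt` under "Main Files" in the README so the rename (`rename from requirements.txt` / `rename to testdata/requirements.txt`) is documented. Independently of the move, the install line runs plain `pip install -r ...` with no `--require-hashes`; if the file does not already pin exact versions with hashes, consider doing so and installing with `pip install --require-hashes -r testdata/requirements.txt`, since this manifest is the only thing between the validation job and whatever PyPI serves on a given day.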
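Review bot: in the `README.md` hunk, the new last line still carries `\ No newline at end of file` (it was already missing on the removed side), so add a trailing newline to the rewritten README. The "Validation" bullet states that the JSON schema "ensures rule correctness and prevents common errors", but nothing in the README tells the reader how to run that validation: the CI action touched in this patch creates a venv and installs `testdata/requirements.txt`, so the "Main Files" or "Documentation" section should give the validate command (or point at the workflow that runs it) and name the requirements file it depends on. Minor wording: "Future Proof" should be "Future-proof", and "Flexibility: Support for various IOC types with customizable scoring and filtering" would read better as "Supports the IOC types above, with customizable scoring and filtering", since the types are already enumerated two sections earlier.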