workflow: new baseline check against Windows 2022

.github/workflows/sigma-test.yml

@@ -12,6 +12,9 @@ on: # yamllint disable-line rule:truthy
       - master
       - oscd
 
+env:
+  EVTX_BASELINE_VERSION: v0.5
+
 jobs:
   test-sigma:
     runs-on: ubuntu-latest
@@ -42,10 +45,10 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
     - name: Download and extract Windows 7 32-bit baseline
       run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
         tar xzf win7-x86.tgz
     - name: Remove deprecated rules
       run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
@@ -60,10 +63,10 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
     - name: Download and extract Windows 10 baseline
       run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
         tar xzf win10-client.tgz
     - name: Remove deprecated rules
       run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
@@ -78,10 +81,10 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
     - name: Download and extract Windows 11 baseline
       run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
         tar xzf win11-client.tgz
     - name: Remove deprecated rules
       run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
@@ -91,3 +94,21 @@ jobs:
         ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ > findings.json
     - name: Show findings excluding known FPs
       run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+    check-baseline-win2022:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
+        tar xzf win2022-evtx.tgz
+    - name: Remove deprecated rules
+      run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv