From e6fe8fdeddf95165915ec9a6dcecdc7a9d12e008 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 18 Feb 2022 13:33:29 +0100
Subject: [PATCH] workflow: execute evtx-sigma-checker

---
 .github/workflows/sigma-test.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 88c6d0502..8c0171a21
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -39,3 +39,20 @@ jobs:
 - uses: actions/checkout@v2
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
+ check-baseline-win10:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download evtx-sigma-checker
+ run: wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/evtx-sigma-checker
+ - name: Download and extract Windows 10 baseline
+ run: |
+ wget https://github.com/NextronSystems/evtx-baseline/releases/download/v0.1/win10-client-v0.1.tgz
+ tar xzf win10-client-v0.1.tgz
+ - name: Remove deprecated rules
+ run: grep -ER "^status: deprecated" rules | xargs -r rm
+ - name: Run evtx-sigma-checker
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings-client.json
+ cat findings-client.json
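Review bot: The `Remove deprecated rules` step pipes `grep -ER` output into `xargs -r rm`, but without `-l` grep prints `path:matching-line` rather than file names, so rm receives tokens like `rules/windows/x.yml:status:` and `deprecated` and removes nothing (and, since the runner's default `run` shell presumably runs with `-e`, the non-zero xargs status likely fails the job); use `grep -ERlZ "^status: deprecated" rules | xargs -0 -r rm` so paths with spaces are handled as well. The checker binary and the baseline tarball are fetched with plain `wget` and then executed/extracted with no integrity check, so anyone able to replace those release assets runs arbitrary code on a runner that holds the repository checkout and its `GITHUB_TOKEN`; pin the expected digests, e.g. `echo "<sha256>  evtx-sigma-checker" | sha256sum -c -` before `chmod +x`, and the same for `win10-client-v0.1.tgz` before `tar xzf`. The `--evtx-path Logs_Client/` argument assumes the tarball extracts to that directory, which nothing in the hunk confirms — a `test -d Logs_Client` after extraction would make a layout change fail loudly instead of yielding an empty findings file. The enclosing `jobs:` mapping begins above this hunk.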