# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

name: Sigma Rule Tests

on:
  push:
    branches:
      - "*"
  pull_request:
    branches:
      - master
      - oscd

jobs:
  test-sigma:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Set up Python 3.8
      uses: actions/setup-python@v1
      with:
        python-version: 3.8
    - name: Install dependencies
      run: |
        pip install sigma-cli~=0.3.2
    - name: Test Sigma Rule Syntax
      run: |
        sigma check rules
    - name: Test Sigma Rules
      run: |
        pip install PyYAML attackcti colorama
        python tests/test_rules.py
  yamllint:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: yaml-lint
      uses: ibiqlik/action-yamllint@v3
  check-baseline-win10:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Download evtx-sigma-checker
      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
    - name: Download and extract Windows 10 baseline
      run: |
        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
        tar xzf win10-client.tgz
    - name: Remove deprecated rules
      run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
    - name: Check for Sigma matches in baseline
      run: |
        chmod +x evtx-sigma-checker
        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
    - name: Show findings excluding known FPs
      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv