phantinuss
58 lines
1.9 KiB
YAML
58 lines
1.9 KiB
YAML
# This workflow will install Python dependencies, run tests and lint with a single version of Python
|
|
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
|
|
|
|
name: Sigma Rule Tests
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- "*"
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
- oscd
|
|
|
|
jobs:
|
|
test-sigma:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: Set up Python 3.8
|
|
uses: actions/setup-python@v1
|
|
with:
|
|
python-version: 3.8
|
|
- name: Install dependencies
|
|
run: |
|
|
pip install sigma-cli~=0.3.2
|
|
- name: Test Sigma Rule Syntax
|
|
run: |
|
|
sigma check rules
|
|
- name: Test Sigma Rules
|
|
run: |
|
|
pip install PyYAML attackcti colorama
|
|
python tests/test_rules.py
|
|
yamllint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: yaml-lint
|
|
uses: ibiqlik/action-yamllint@v3
|
|
check-baseline-win10:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: Download evtx-sigma-checker
|
|
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
|
|
- name: Download and extract Windows 10 baseline
|
|
run: |
|
|
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
|
|
tar xzf win10-client.tgz
|
|
- name: Remove deprecated rules
|
|
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
|
|
- name: Check for Sigma matches in baseline
|
|
run: |
|
|
chmod +x evtx-sigma-checker
|
|
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
|
|
- name: Show findings excluding known FPs
|
|
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
|