forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
132 lines (128 loc) · 5.77 KB
/
Copy pathsigma-test.yml
File metadata and controls
132 lines (128 loc) · 5.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: Sigma Rule Tests
on: # yamllint disable-line rule:truthy
push:
branches:
- "*"
pull_request:
branches:
- master
- oscd
env:
EVTX_BASELINE_VERSION: v0.6
jobs:
test-sigma:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.8
uses: actions/setup-python@v1
with:
python-version: 3.8
- name: Install dependencies
run: |
pip install sigma-cli~=0.3.2
- name: Test Sigma Rule Syntax
run: |
sigma check rules
- name: Test Sigma Rules
run: |
pip install PyYAML attackcti colorama
python tests/test_rules.py
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
check-baseline-win7:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Download evtx-sigma-checker
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- name: Download and extract Windows 7 32-bit baseline
run: |
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
tar xzf win7-x86.tgz
- name: Remove deprecated rules
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
check-baseline-win10:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Download evtx-sigma-checker
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- name: Download and extract Windows 10 baseline
run: |
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
tar xzf win10-client.tgz
- name: Remove deprecated rules
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
check-baseline-win11:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Download evtx-sigma-checker
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- name: Download and extract Windows 11 baseline
run: |
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
tar xzf win11-client.tgz
- name: Remove deprecated rules
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
check-baseline-win2022:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Download evtx-sigma-checker
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- name: Download and extract Windows 2022 baseline
run: |
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
tar xzf win2022-evtx.tgz
- name: Remove deprecated rules
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
check-baseline-win2022-domain-controller:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Download evtx-sigma-checker
run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
- name: Download and extract Windows 2022 baseline
run: |
wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
tar xzf win2022-ad.tgz
- name: Remove deprecated rules
run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
- name: Check for Sigma matches in baseline
run: |
chmod +x evtx-sigma-checker
./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ > findings.json
- name: Show findings excluding known FPs
run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv