Convert Sigma rules into Zircolite JSON format #814
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Convert Sigma rules into Zircolite JSON format | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - "main" | |
| schedule: | |
| - cron: '0 1 * * *' | |
| jobs: | |
| rules-gen: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Setup PDM | |
| uses: pdm-project/setup-pdm@v3 | |
| with: | |
| python-version: '3.10' | |
| - name: Git Submodules Update | |
| run: | | |
| git pull --recurse-submodules | |
| git submodule update --remote --recursive | |
| - name: Install Dependencies | |
| run: | | |
| rm pyproject.toml .pdm* pdm.* | |
| pdm init -n | |
| pdm add requests urllib3 progressbar2 pymisp PyYAML "ruamel.yaml" termcolor | |
| pdm add pysigma pysigma-pipeline-sysmon pysigma-pipeline-windows | |
| - name: Clean annoying PDM files | |
| shell: bash | |
| continue-on-error: true | |
| run: | | |
| rm -rf ./src | |
| rm -rf ./tests | |
| rm -rf ./README.md | |
| cp ./README.md.back README.md | |
| - name: Generate Zircolite rules | |
| shell: bash | |
| continue-on-error: true | |
| run: | | |
| cp -r ./sigma/rules-threat-hunting/ ./sigma/rules/windows/rules-threat-hunting/ | |
| cp -r ./sigma/rules-emerging-threats/ ./sigma/rules/windows/rules-emerging-threats/ | |
| find ./sigma/ -type f -name '*.md' -delete | |
| pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/generic/sysmon.yml -c ./legacy-sigmatools/tools/config/generic/powershell.yml -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/windows/ --output-fields title,id,description,author,tags,level,falsepositives,filename,status --output-format json -r -o rules_windows_sysmon_high.json --filter level\>=high --backend-option table=logs || true | |
| pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/generic/windows-audit.yml -c ./legacy-sigmatools/tools/config/generic/powershell.yml -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/windows/ --output-fields title,id,description,author,tags,level,falsepositives,filename,status --output-format json -r -o rules_windows_generic_high.json --filter level\>=high --backend-option table=logs || true | |
| pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/generic/sysmon.yml -c ./legacy-sigmatools/tools/config/generic/powershell.yml -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/windows/ --output-fields title,id,description,author,tags,level,falsepositives,filename,status --output-format json -r -o rules_windows_sysmon_medium.json --filter level\>=medium --backend-option table=logs || true | |
| pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/generic/windows-audit.yml -c ./legacy-sigmatools/tools/config/generic/powershell.yml -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/windows/ --output-fields title,id,description,author,tags,level,falsepositives,filename,status --output-format json -r -o rules_windows_generic_medium.json --filter level\>=medium --backend-option table=logs || true | |
| pdm run ./legacy-sigmatools/tools/sigmac -t sqlite -c ./legacy-sigmatools/tools/config/zircolite.yml -d ./sigma/rules/linux/ --output-fields title,id,description,author,tags,level,falsepositives,filename --output-format json -r -o rules_linux.json --backend-option table=logs || true | |
| cp rules_windows_sysmon_high.json rules_windows_sysmon.json | |
| cp rules_windows_generic_high.json rules_windows_generic.json | |
| - name: Generate Zircolite rules with pySigma | |
| shell: bash | |
| continue-on-error: true | |
| run: | | |
| cp gen_ruleset.py ./pySigma-backend-sqlite/ | |
| pdm run python3 ./pySigma-backend-sqlite/gen_ruleset.py | |
| cp rules_windows_generic_pysigma.json rules_windows_generic_full.json | |
| cp rules_windows_sysmon_pysigma.json rules_windows_sysmon_full.json | |
| cp rules_windows_generic_pysigma.json rules_windows_generic_medium.json | |
| cp rules_windows_sysmon_pysigma.json rules_windows_sysmon_medium.json | |
| - name: Commit and Push | |
| uses: EndBug/add-and-commit@v9 | |
| with: | |
| add: '.' | |
| author_name: wagga40 | |
| default_author: user_info | |
| message: 'Rules Update' |