Skip to content

Pipeline for sigma rule updates #609

Pipeline for sigma rule updates

Pipeline for sigma rule updates #609

### If you want to execte GitHub Actions on your local machine please use following commnad. (Please install act if needed.)
### act workflow_dispatch -s GITHUB_TOKEN=(your private access token) -P ubuntu-latest=nektos/act-environments-ubuntu:18.04 --artifact-server-path /tmp/act-artifacts
name: Pipeline for sigma rule updates
on:
## This workflow is executed once a day.
## I added workflow_dispatch so that you can execute this workflow from the GitHub UI.
workflow_dispatch:
schedule:
- cron: '0 20 * * *'
jobs:
updateSigmaRule:
runs-on: ubuntu-latest
steps:
- name: clone hayabusa rule repo
uses: actions/checkout@v3
with:
path: hayabusa-rules
- name: clone sigma
uses: actions/checkout@v3
with:
repository: SigmaHQ/sigma
path: sigma-repo
token: ${{ secrets.GITHUB_TOKEN }} ## This is necessary for executing on a local machine by act(Local GitHub Action Runner). We have to specify the github token explicitly.
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
token: '${{ secrets.GITHUB_TOKEN }}'
- name: download requirements.txt with curl
uses: wei/curl@master
with:
args: https://raw.githubusercontent.com/Yamato-Security/hayabusa-rules/main/tools/sigmac/requirements.txt > requirements.txt
- name: setup Python for use script
run: |
pip install -r requirements.txt
rm requirements.txt
- name: Update sigma rules
run: |
python3 hayabusa-rules/tools/sigmac/logsource_mapping.py -r sigma-repo -o converted_rules
rm -rf hayabusa-rules/sigma/
mkdir hayabusa-rules/sigma/
cp -r converted_rules/* hayabusa-rules/sigma/
- name: Create Text
id: create-text
run: |
pushd hayabusa-rules
echo "action_date=$(date '+%Y-%m-%d %H:%M:%S')" >> $GITHUB_ENV
echo "change_exist=true" >> $GITHUB_ENV
git_new=$(git diff --name-status --diff-filter=AC)
git_mod=$(git diff --name-status --diff-filter=MR)
git_del=$(git diff --name-status --diff-filter=D)
is_rule_changed=$(git status)
if [ "${is_rule_changed}" =~ nothing\sto\scommit ]; then
echo "change_exist=false" >> $GITHUB_ENV
else
echo "<details><summary>New files</summary>" >> ../changed_rule.logs
echo "${git_new}" >> ../changed_rule.logs
echo "</details>" >> ../changed_rule.logs
echo "<details><summary>Modified files</summary>" >> ../changed_rule.logs
echo "${git_mod}" >> ../changed_rule.logs
echo "</details>" >> ../changed_rule.logs
echo "<details><summary>Deleted files</summary>" >> ../changed_rule.logs
echo "${git_del}" >> ../changed_rule.logs
echo "</details>" >> ../changed_rule.logs
fi
popd
- name: Create Pull Request
if: env.change_exist == 'true'
id: cpr
uses: peter-evans/create-pull-request@v4
with:
path: hayabusa-rules
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: Sigma Rule Update (${{ env.action_date }})
branch: rules/auto-sigma-update
delete-branch: true
title: '[Auto] Sigma Update report(${{ env.action_date }})' ### If a PR with the same name already exists, this github action library will not create a new pull request but it will update the PR with the same name. Therefore I added the date to the pull request's title so it creates a new PR.
branch-suffix: timestamp ### I use this field in order to avoid name duplication. If the pull request which is related to the same branch exists, the pull request is not newly created but is updated. So the next step will be skipped due to its if-field
body: |
${{ env.action_date }} Update report
- name: Enable Pull Request Automerge
if: steps.cpr.outputs.pull-request-operation == 'created' # This only runs if there were sigma rules updates and a new PR was created.
uses: peter-evans/enable-pull-request-automerge@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
merge-method: squash
- name: upload change log
if: env.change_exist == 'true'
uses: actions/upload-artifact@v3
with:
name: changed_rule_log
path: ${{ github.workspace }}/changed_rule.logs
retention-days: 30