Add yamllint to GHA

Signed-off-by: Gábor Lipták <gliptak@gmail.com>

.github/workflows/sigma-test.yml

@@ -8,7 +8,9 @@ on:
     branches:
       - "*"
   pull_request:
-    branches: [ master, oscd ]
+    branches:
+      - master
+      - oscd
 
 jobs:
   test-sigma:
@@ -31,3 +33,9 @@ jobs:
     - name: Test SQL(ite) Backend
       run: |
         pipenv run make test-backend-sql
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: yaml-lint
+      uses: ibiqlik/action-yamllint@v3

Makefile

@@ -104,7 +104,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
-	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
+	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
@@ -113,7 +113,7 @@ test-sigmac:
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 
 test-merge:

rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml

@@ -13,7 +13,7 @@ tags:
 logsource:
     product: windows
     category: process_creation
-    definition : Works only if  Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
+    definition: Works only if  Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
 detection:
     parent_image:
         ParentImage|endswith:

rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml

@@ -35,7 +35,7 @@ fields:
     - IntegrityLevel
     - User
     - Image
-    ParentProcessGuid
+    - ParentProcessGuid
 falsepositives:
     - System administrator usage
     - Penetration test 

rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml

@@ -12,7 +12,7 @@ date: 2019/06/03
 logsource:
     category: process_creation
     product: windows
-    definition : Works only if  Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
+    definition: Works only if  Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
 detection:
     selection:
         ParentIntegrityLevel: Medium

rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml

@@ -15,7 +15,7 @@ modified: 2020/09/01
 logsource:
     category: process_creation
     product: windows
-    definition : Works only if  Enrich Sysmon events with additional information about process in ParentUser check enrichment section
+    definition: Works only if  Enrich Sysmon events with additional information about process in ParentUser check enrichment section
 detection:
     selection:
         ParentUser:

tools/config/arcsight-zeek.yml

@@ -458,7 +458,7 @@ fieldmappings:
     #service=http:
     #service=sip:
   msg:
-    -  'message'
+    - 'message'
     #service=notice:
     #service=pop3:
   name:
@@ -832,7 +832,7 @@ fieldmappings:
   #password:
   pending: message
   #status: message
-  successful_commands:  message
+  successful_commands: message
   #username: sourceUserName
   # Radius
   connect_info: message

tools/config/ecs-auditd.yml

@@ -1,4 +1,4 @@
-title:  Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
+title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
 order: 20
 backends:
   - es-qs
@@ -70,7 +70,6 @@ fieldmappings:
     data: data
     default-context: default-context
     dev: dev
-    dev: dev
     device: device
     dir: dir
     direction: direction
@@ -92,7 +91,6 @@ fieldmappings:
     feature: feature
     fi: fi
     fp: fp
-    fp: fp
     format: format
     fsgid: fsgid
     fsuid: fsuid
@@ -169,7 +167,6 @@ fieldmappings:
     ogid: ogid
     ocomm: ocomm
     old: old
-    old: old
     old-auid: old-auid
     old-chardev: old-chardev
     old-disk: old-disk

tools/config/ecs-filebeat.yml

@@ -1,4 +1,4 @@
-title:  Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema 
+title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema
 order: 20
 backends:
   - es-qs

tools/config/winlogbeat-modules-enabled.yml

@@ -225,7 +225,6 @@ fieldmappings:
     Accesses: winlog.event_data.Accesses
     AccessList: winlog.event_data.AccessList
     AttributeValue: winlog.event_data.AttributeValue
-    AttributeValue: winlog.event_data.AttributeValue
     AuditSourceName: winlog.event_data.AuditSourceName
     AuthenticationPackage: winlog.event_data.AuthenticationPackageName
     CallerProcessName: winlog.event_data.CallerProcessName
@@ -279,4 +278,4 @@ fieldmappings:
     TaskName: winlog.event_data.TaskName
     # UserName => smbclient-security  eventid:31017
     UserName: winlog.event_data.UserName
-    Workstation : winlog.event_data.Workstation
+    Workstation: winlog.event_data.Workstation

tools/config/winlogbeat.yml

@@ -203,8 +203,6 @@ fieldmappings:
     ContextInfo: winlog.event_data.ContextInfo
     # from here missing field at 20210706
     Accesses: winlog.event_data.Accesses
-    AccessList: winlog.event_data.AccessList
-    AttributeValue: winlog.event_data.AttributeValue
     AttributeValue: winlog.event_data.AttributeValue
     AuditSourceName: winlog.event_data.AuditSourceName
     AuthenticationPackage: winlog.event_data.AuthenticationPackageName
@@ -214,7 +212,6 @@ fieldmappings:
     Company: winlog.event_data.Company
     DestAddress: winlog.event_data.DestAddress
     Destination: winlog.event_data.Destination
-    DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
     DestPort: winlog.event_data.DestPort
     Device: winlog.event_data.Device
     DeviceDescription: winlog.event_data.DeviceDescription
@@ -258,4 +255,4 @@ fieldmappings:
     TaskName: winlog.event_data.TaskName
     # UserName => smbclient-security  eventid:31017
     UserName: winlog.event_data.UserName 
-    Workstation : winlog.event_data.Workstation
+    Workstation: winlog.event_data.Workstation