
Add Linux pipeline (based on upstream logpoint/pySigma-backend-logpoint main)#6

Draft
Copilot wants to merge 4 commits into main from copilot/update-pysigma-and-add-linux-pipeline

Conversation


Copilot AI commented Feb 25, 2026

Adds a Linux (auditd) pipeline on top of the upstream logpoint/pySigma-backend-logpoint main branch. All existing files are byte-for-byte identical to upstream; only the Linux pipeline additions are new.

Upstream sync

All shared files exactly match logpoint/pySigma-backend-logpoint main (verified by git blob SHA), including:

  • pyproject.toml (version 0.4.0, pySigma ^1.0.0, Python ^3.10)
  • poetry.lock (upstream lockfile)
  • windows.py, azure.py, m365.py (pySigma 1.0.0 API refactor using FieldFunctionTransformation)
  • All test files and CI workflows

New Linux pipeline

  • sigma/pipelines/logpoint/linux.py — two-stage pipeline:
    1. Auditd-specific field mapping (e.g. proctitle → command, auid → user_id, exe → process)
    2. Generic Linux snake_case mapping with common taxonomy overrides (Image → process, CommandLine → command, etc.)
  • Registered as logpoint_linux in the pipeline registry
```python
from sigma.rule import SigmaRule
from sigma.backends.logpoint import Logpoint
from sigma.pipelines.logpoint import logpoint_linux_pipeline

# `rule` is a parsed SigmaRule (e.g. SigmaRule.from_yaml(...)) with logsource product: linux.
# convert_rule() takes a single rule; convert() expects a SigmaCollection.
Logpoint(logpoint_linux_pipeline()).convert_rule(rule)
# auditd: event_type="EXECVE" command="/usr/bin/test" user_id=1000
# generic: "process"="/usr/bin/test" command="test arg"
```

New mappings (logpoint_linux_auditd_mapping, logpoint_linux_common_taxonomy) added to logpoint_mapping.py.

Original prompt

So there is a difference between pysigma upgrade to 1.0.0 and adding a linux pipeline can you create a branch that has the latest changes from the official pysigma backend logpoint and add my linux pipeline that I did in pipeline patch too?
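The two-stage mapping described in the PR summary, as an added example that is not the PR's code and does not import pySigma: a plain-Python model of the behaviour the description and its two sample output lines imply. The auditd map (proctitle, auid, exe), the taxonomy overrides (Image, CommandLine) and the two expected query strings are taken from the description above; everything else is an assumption: that the auditd stage applies only when the logsource service is auditd, that fields with no explicit mapping fall back to snake_case, that `event_type="EXECVE"` is added for an auditd process_creation logsource, and that `process` is quoted because it collides with a query-language keyword. The sample rules and the function names (`map_field`, `convert_selection`, `convert`) are this example's own.

```python
"""Model of a two-stage Linux (auditd + generic) Sigma field mapping. Added example, not the PR's code."""
import re
from typing import Optional

# Stage 1: auditd-specific Sigma field -> Logpoint field (the three pairs named in the PR description).
AUDITD_FIELD_MAP = {
    "proctitle": "command",
    "auid": "user_id",
    "exe": "process",
}

# Stage 2: common Sigma taxonomy -> Logpoint field overrides (the two pairs named in the PR description).
COMMON_TAXONOMY_MAP = {
    "Image": "process",
    "CommandLine": "command",
}

# Assumption: field names that clash with query keywords are emitted quoted. The PR's sample
# output quotes "process", so that is the only entry here.
QUOTED_FIELDS = {"process"}

_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")


def to_snake_case(name: str) -> str:
    """Fallback for fields with no explicit mapping, e.g. ParentImage -> parent_image (assumed behaviour)."""
    return _CAMEL_BOUNDARY.sub("_", name).lower()


def map_field(sigma_field: str, service: Optional[str]) -> str:
    """Stage 1 only for auditd logsources; stage 2 (overrides, then snake_case) for everything else."""
    if service == "auditd" and sigma_field in AUDITD_FIELD_MAP:
        return AUDITD_FIELD_MAP[sigma_field]
    if sigma_field in COMMON_TAXONOMY_MAP:
        return COMMON_TAXONOMY_MAP[sigma_field]
    return to_snake_case(sigma_field)


def render_field(field: str) -> str:
    return f'"{field}"' if field in QUOTED_FIELDS else field


def escape_value(value) -> str:
    """Integers are emitted bare (user_id=1000); strings are double-quoted with backslash escaping."""
    if isinstance(value, int):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def convert_selection(selection: dict, logsource: dict) -> str:
    """Render a Sigma selection (AND of field=value pairs) as a Logpoint-style query string."""
    terms = []
    # Assumption: auditd process-creation rules are scoped to EXECVE records, which is what the
    # event_type="EXECVE" prefix in the PR's sample output suggests.
    if logsource.get("service") == "auditd" and logsource.get("category") == "process_creation":
        terms.append('event_type="EXECVE"')
    service = logsource.get("service")
    for sigma_field, value in selection.items():
        terms.append(f"{render_field(map_field(sigma_field, service))}={escape_value(value)}")
    return " ".join(terms)


def convert(rule: dict) -> str:
    return convert_selection(rule["selection"], rule["logsource"])


# Constructed sample rules, one per stage. Values chosen to reproduce the PR's two sample outputs.
AUDITD_RULE = {
    "logsource": {"product": "linux", "service": "auditd", "category": "process_creation"},
    "selection": {"proctitle": "/usr/bin/test", "auid": 1000},
}
GENERIC_RULE = {
    "logsource": {"product": "linux", "category": "process_creation"},
    "selection": {"Image": "/usr/bin/test", "CommandLine": "test arg"},
}

if __name__ == "__main__":
    print("auditd:", convert(AUDITD_RULE))
    print("generic:", convert(GENERIC_RULE))
```

The point of keeping the auditd map gated on the logsource service is that a field like `exe` means something different outside auditd; if the real pipeline applies stage 1 unconditionally, a generic Linux rule that happens to use `exe` would be rewritten to `process` as well, which is the kind of cross-talk a test like `tests/test_pipelines_linux.py` should pin down.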



Copilot AI changed the title [WIP] Update pysigma to version 1.0.0 and add Linux pipeline Upgrade pySigma to 1.0.0 and add Linux pipeline Feb 25, 2026
Copilot AI requested a review from vl43den February 25, 2026 06:10

@vl43den vl43den left a comment


Can you pull the latest version from the upstream repository logpoint/pysigma-backend-logpoint?


Copilot AI commented Feb 25, 2026

Can you pull the latest version from the upstream repository logpoint/pysigma-backend-logpoint?

Done in commit 43d7c13. Synced the following from upstream logpoint/pySigma-backend-logpoint main:

  • Version bumped 0.3.0 → 0.4.0 (upstream commit 791731e)
  • windows.py typing imports aligned with upstream (ClassVar, Pattern)
  • azure.py LogsourceCondition import style matched to upstream single-line form

Our Linux pipeline additions are layered on top of the upstream changes.

Copilot AI changed the title Upgrade pySigma to 1.0.0 and add Linux pipeline Sync with upstream, upgrade pySigma to 1.0.0, and add Linux pipeline Feb 25, 2026
Copilot AI requested a review from vl43den February 25, 2026 06:18

vl43den commented Feb 25, 2026

Okay. Check that my branch and the upstream branch of logpoint/pysigma-backend-logpoint are the same and add just the needed changes for the Linux pipeline, then start a PR to the upstream repo.


…d restore upstream poetry.lock

Co-authored-by: vl43den <[email protected]>

Copilot AI commented Feb 25, 2026

Okay Check that my branch and the upstream branch of logpoint/pysigma-backend-logpoint are the same and add just the needed changes for the linux pipeline, then start a PR to the upstream repo

Done in commit 19bec94. The branch now has exactly upstream's content plus only the Linux pipeline additions:

Identical to upstream logpoint/pySigma-backend-logpoint main (verified by git blob SHA):

  • All shared files match upstream byte-for-byte (poetry.lock, windows.py, azure.py, m365.py, pyproject.toml, all test files, workflows, etc.)

Only Linux-specific additions on top of upstream:

  • sigma/pipelines/logpoint/linux.py (new)
  • sigma/pipelines/logpoint/__init__.py (linux pipeline registered)
  • sigma/pipelines/logpoint/logpoint_mapping.py (linux mappings appended)
  • tests/test_pipelines_linux.py (new)

Regarding opening a PR to logpoint/pySigma-backend-logpoint — I don't have write access to that repository so I'm unable to create the PR there directly. You can open it yourself from this branch targeting logpoint/pySigma-backend-logpoint:main.

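A check for the claim in the comment above (that every shared file matches upstream by git blob SHA and only four paths differ), as an added example that is not part of the PR: it reads `git ls-tree -r` for two refs, compares blob IDs per path (a blob ID is a hash of the file content, so equal IDs mean byte-for-byte equal files) and classifies each path as changed, added or removed, then compares the result against an allow-list. The allow-list is taken from the file list in the comment; the throwaway repository it builds, the branch names `upstream` and `feature`, and the function names are this example's own so that it runs offline. Against the real branch you would `git fetch upstream` and call it with `upstream/main` and the PR head.

```python
"""Check that a branch is upstream plus an allow-listed set of files. Added example, not from the PR."""
import subprocess
import tempfile
from pathlib import Path

# Allow-list taken from the comment above: the only paths the Linux pipeline is supposed to touch.
EXPECTED_ADDED = {
    "sigma/pipelines/logpoint/linux.py",
    "tests/test_pipelines_linux.py",
}
EXPECTED_CHANGED = {
    "sigma/pipelines/logpoint/__init__.py",
    "sigma/pipelines/logpoint/logpoint_mapping.py",
}


def git(repo: Path, *args: str) -> str:
    """Run git inside `repo` with a fixed identity and signing off, so commits work in a bare CI shell."""
    cmd = [
        "git", "-C", str(repo),
        "-c", "user.name=example", "-c", "user.email=example@example.invalid",
        "-c", "commit.gpgsign=false",
        *args,
    ]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def blob_table(repo: Path, ref: str) -> dict:
    """Map path -> blob SHA at `ref`. ls-tree -r prints '<mode> blob <sha>\\t<path>' per file."""
    table = {}
    for line in git(repo, "ls-tree", "-r", ref).splitlines():
        meta, path = line.split("\t", 1)
        table[path] = meta.split()[2]
    return table


def diff_against_upstream(repo: Path, upstream_ref: str, branch_ref: str) -> dict:
    """Classify every path by comparing blob SHAs between the two refs."""
    up, br = blob_table(repo, upstream_ref), blob_table(repo, branch_ref)
    return {
        "changed": sorted(p for p in up if p in br and up[p] != br[p]),
        "added": sorted(p for p in br if p not in up),
        "removed": sorted(p for p in up if p not in br),
    }


def only_expected_changes(diff: dict) -> bool:
    """True when the branch differs from upstream in exactly the allow-listed paths and nothing else."""
    return (
        set(diff["added"]) == EXPECTED_ADDED
        and set(diff["changed"]) == EXPECTED_CHANGED
        and not diff["removed"]
    )


def build_demo_repo() -> Path:
    """Constructed repository: an 'upstream' commit, then a 'feature' branch adding the four paths."""
    repo = Path(tempfile.mkdtemp())
    git(repo, "init", "-q")
    git(repo, "checkout", "-q", "-b", "upstream")  # name the unborn branch before the first commit
    for path in (
        "pyproject.toml",
        "sigma/pipelines/logpoint/__init__.py",
        "sigma/pipelines/logpoint/logpoint_mapping.py",
        "sigma/pipelines/logpoint/windows.py",
    ):
        (repo / path).parent.mkdir(parents=True, exist_ok=True)
        (repo / path).write_text(f"# upstream {path}\n")
    git(repo, "add", "-A")
    git(repo, "commit", "-q", "-m", "upstream main")
    git(repo, "checkout", "-q", "-b", "feature")
    for path in sorted(EXPECTED_ADDED):
        (repo / path).parent.mkdir(parents=True, exist_ok=True)
        (repo / path).write_text("# linux pipeline\n")
    for path in sorted(EXPECTED_CHANGED):
        with (repo / path).open("a") as fh:
            fh.write("# linux additions\n")
    git(repo, "add", "-A")
    git(repo, "commit", "-q", "-m", "Add Linux pipeline")
    return repo


if __name__ == "__main__":
    demo = build_demo_repo()
    result = diff_against_upstream(demo, "upstream", "feature")
    print(result)
    print("only expected changes:", only_expected_changes(result))
```

Comparing blob IDs rather than reading `git diff --stat` is deliberate: it also surfaces mode changes and files that were deleted and re-added, and the allow-list makes a stray edit to `poetry.lock` or a workflow file fail loudly instead of hiding in a long diff.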

Copilot AI changed the title Sync with upstream, upgrade pySigma to 1.0.0, and add Linux pipeline Add Linux pipeline (based on upstream logpoint/pySigma-backend-logpoint main) Feb 25, 2026
Copilot AI requested a review from vl43den February 25, 2026 06:28