Pipelines
Use rsigma pipelines to select a LynxDB index and map rule fields to ingested event fields. The pipeline shapes what rsigma emits; the emitted query is still legacy SPL2 and needs the usual hand-migration to LynxFlow before it runs.
Create a concrete event:
printf '%s\n' '{"process.command_line":"cmd.exe /c whoami","user.name":"alice"}' > ecs.ndjson
lynxdb ingest ecs.ndjson --source ecs --sourcetype json --index security
Create a rule that uses ECS field names:
cat > ecs-whoami.yml <<'YAML'
title: ECS Whoami
logsource:
  product: windows
detection:
  selection:
    process.command_line|contains: whoami
  condition: selection
YAML
Create a pipeline that targets the security index:
cat > ecs-lynxdb.yml <<'YAML'
transformations:
  - type: set_state
    key: index
    value: security
YAML
Convert:
rsigma convert -t lynxdb -p ecs-lynxdb.yml ecs-whoami.yml
The legacy SPL2 output (reference only):
FROM security | search process.command_line=*"whoami"*
Hand-migrate to LynxFlow and run:
cat > ecs-whoami.lynxflow <<'EOF'
from security | where contains(process.command_line, "whoami")
EOF
lynxdb query "$(cat ecs-whoami.lynxflow)" --since 24h
If your ingested fields differ from the rule fields, add rsigma field-mapping transformations to the same pipeline so the emitted (and therefore migrated) query uses your real field names. Keep those mappings near the rule pack, and commit the migrated .lynxflow file next to the rule so the runnable query is reproducible.
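Because the .lynxflow file is written by hand, it can silently drift from the rule and pipeline it was migrated from. The following added script (not part of rsigma or LynxDB) is a pre-commit style check that rebuilds the page's three files as constructed samples, then verifies the migrated query reads from the index the pipeline sets and still mentions every field the rule's selection uses. It assumes the simple two-space YAML layout shown above; a full YAML parser would be needed for rule packs with other shapes.

```shell
#!/bin/sh
# Added consistency check: does the committed .lynxflow still match the rule
# and the pipeline it was migrated from? Assumes the YAML layout used above.
set -eu

# Constructed sample files, mirroring the page's example.
workdir="$(mktemp -d)"
cat > "$workdir/ecs-whoami.yml" <<'YAML'
title: ECS Whoami
logsource:
  product: windows
detection:
  selection:
    process.command_line|contains: whoami
  condition: selection
YAML
cat > "$workdir/ecs-lynxdb.yml" <<'YAML'
transformations:
  - type: set_state
    key: index
    value: security
YAML
cat > "$workdir/ecs-whoami.lynxflow" <<'EOF'
from security | where contains(process.command_line, "whoami")
EOF

# pipeline_index FILE: print the value a set_state transformation assigns to key "index".
pipeline_index() {
  awk '$1=="key:" && $2=="index" {want=1; next} want && $1=="value:" {print $2; exit}' "$1"
}

# rule_fields FILE: print the field names in the rule's selection, with |modifier stripped.
rule_fields() {
  awk -F: '/^    [A-Za-z_.]+(\|[a-z]+)?:/ {sub(/^ +/, "", $1); sub(/\|.*/, "", $1); print $1}' "$1"
}

# check_migrated RULE PIPELINE LYNXFLOW: exit 0 if the query reads from the
# pipeline's index and mentions every rule field; report each drift and exit 1 otherwise.
check_migrated() {
  idx="$(pipeline_index "$2")"; q="$(cat "$3")"; ok=0
  case "$q" in "from $idx "*|"from $idx|"*) ;; *) echo "index drift: expected 'from $idx'"; ok=1;; esac
  for f in $(rule_fields "$1"); do
    case "$q" in *"$f"*) ;; *) echo "field missing from query: $f"; ok=1;; esac
  done
  return $ok
}

check_migrated "$workdir/ecs-whoami.yml" "$workdir/ecs-lynxdb.yml" "$workdir/ecs-whoami.lynxflow"
```

Point the three arguments at the real files in your rule pack to run it against committed migrations; a field-mapping transformation in the pipeline would need the mapped names applied before the field check.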