fix(suricata-fastlogs): use Priority field instead of GID for suricata_rule_severity

[Copilot]

The suricata-fastlogs parser was mapping the Generator ID (GID) from [GID:SID:REV] to suricata_rule_severity meta. Since GID is always 1 for standard Suricata rules, crowdsecurity/suricata-major-severity matched every alert regardless of actual priority, causing false positive bans.

Changes

• parsers/s01-parse/crowdsecurity/suricata-logs.yaml
  • Renamed grok capture in SURICATA_RULE_ID from suricata_rule_severity → suricata_gid (the field is the GID, not severity)
  • Fixed suricata_rule_severity static to source from evt.Parsed.suricata_priority (the [Priority: N] field) instead of the GID capture

# Before
SURICATA_RULE_ID: '\[%{NUMBER:suricata_rule_severity}:%{NUMBER:rule_id}:%{NUMBER:suricata_alert_signature_rev}\]'
...
- meta: suricata_rule_severity
  expression: evt.Parsed.suricata_rule_severity  # always 1 (GID)

# After
SURICATA_RULE_ID: '\[%{NUMBER:suricata_gid}:%{NUMBER:rule_id}:%{NUMBER:suricata_alert_signature_rev}\]'
...
- meta: suricata_rule_severity
  expression: evt.Parsed.suricata_priority  # actual Priority from fast.log

• .tests/suricata-logs-fastlog/parser.assert
  • Updated assertions to use renamed suricata_gid parsed field
  • Updated suricata_rule_severity meta expectations to reflect actual Priority values (3, 2, 2, 1 across the four test log entries)

This aligns the fast.log parser with the eve.log parser, which correctly uses JsonExtract(evt.Parsed.message, "alert.severity").

Checklist

• I have read the contributing guide
• I have tested my changes locally
• For new parsers or scenarios, tests have been added
• I have run the hub linter and no issues were reported (see contributing guide)
• Automated tests are passing
• AI was used to generate any/all content of this PR

[Copilot]

Pull request overview

Fixes Suricata fast.log severity mapping by using the alert Priority value (from [Priority: N]) instead of the rule GID (from [GID:SID:REV]), preventing scenarios like crowdsecurity/suricata-major-severity from matching every alert due to GID being 1 for standard rules.

Changes:

• Update the SURICATA_RULE_ID grok capture to parse suricata_gid (correctly labeling the GID portion of [GID:SID:REV]).
• Map suricata_rule_severity meta from evt.Parsed.suricata_priority (the actual Priority field) instead of the former GID-derived value.
• Adjust fast.log parser tests to assert suricata_gid and the corrected suricata_rule_severity meta values.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
parsers/s01-parse/crowdsecurity/suricata-logs.yaml	Corrects severity meta sourcing for fast.log by using parsed Priority and renames the GID capture.
.tests/suricata-logs-fastlog/parser.assert	Updates assertions to reflect the new parsed field name (suricata_gid) and expected meta severity values.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.