use params based severity map lookup

Author: navnit-elastic

packages/crowdstrike/_dev/build/docs/README.md

@@ -28,7 +28,7 @@ The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to easily
 
 3. **Falcon Data Replicator**: This collects events from your endpoints, cloud workloads, identities, and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs:
 
-- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). In addition to the existing log types, the integration supports parsing of Cloud Security Posture Management (CSPM) Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events.
+- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). In addition to the existing log types, the integration supports parsing of Cloud Security Posture Management (CSPM). CSPM contains Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events.
 
 4. **CrowdStrike Event Stream**: This streams security logs from CrowdStrike Event Stream, including authentication activity, cloud security posture management (CSPM), firewall logs, user activity, and XDR data. It captures real-time security events like user logins, cloud environment changes, network traffic, and advanced threat detections. The streaming integration provides continuous monitoring and analysis for proactive threat detection. It enhances visibility into user behavior, network security, and overall system health. This setup enables faster response capabilities to emerging security incidents. It includes the following datasets for receiving logs:
 

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_ioa.yml

@@ -208,17 +208,16 @@ processors:
       lang: painless
       tag: set_event_severity_from_severity_name
       if: ctx.crowdstrike?.SeverityName instanceof String && ctx.crowdstrike.SeverityName != ''
+      params:
+        low: 21
+        info: 21
+        informational: 21
+        medium: 47
+        high: 73
+        critical: 99
       source: |-
         ctx.event = ctx.event ?: [:];
-        def severityScores = [
-          'low': 21,
-          'info': 21,
-          'informational': 21,
-          'medium': 47,
-          'high': 73,
-          'critical': 99
-        ];
-        Integer score = severityScores[ctx.crowdstrike.SeverityName.toLowerCase()];
+        Integer score = params[ctx.crowdstrike.SeverityName.toLowerCase()];
         if (score != null) {
           ctx.event.severity = score;
         }

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/cspm_iom.yml

@@ -333,17 +333,16 @@ processors:
       lang: painless
       tag: set_event_severity_from_severity_name
       if: ctx.crowdstrike?.SeverityName instanceof String && ctx.crowdstrike.SeverityName != ''
+      params:
+        low: 21
+        info: 21
+        informational: 21
+        medium: 47
+        high: 73
+        critical: 99
       source: |-
         ctx.event = ctx.event ?: [:];
-        def severityScores = [
-          'low': 21,
-          'info': 21,
-          'informational': 21,
-          'medium': 47,
-          'high': 73,
-          'critical': 99
-        ];
-        Integer score = severityScores[ctx.crowdstrike.SeverityName.toLowerCase()];
+        Integer score = params[ctx.crowdstrike.SeverityName.toLowerCase()];
         if (score != null) {
           ctx.event.severity = score;
         }

packages/crowdstrike/docs/README.md

@@ -28,7 +28,7 @@ The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to easily
 
 3. **Falcon Data Replicator**: This collects events from your endpoints, cloud workloads, identities, and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs:
 
-- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). In addition to the existing log types, the integration supports parsing of Cloud Security Posture Management (CSPM) Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events.
+- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). In addition to the existing log types, the integration supports parsing of Cloud Security Posture Management (CSPM). CSPM contains Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events.
 
 4. **CrowdStrike Event Stream**: This streams security logs from CrowdStrike Event Stream, including authentication activity, cloud security posture management (CSPM), firewall logs, user activity, and XDR data. It captures real-time security events like user logins, cloud environment changes, network traffic, and advanced threat detections. The streaming integration provides continuous monitoring and analysis for proactive threat detection. It enhances visibility into user behavior, network security, and overall system health. This setup enables faster response capabilities to emerging security incidents. It includes the following datasets for receiving logs: