When ingesting vulnerability data, `cloud.*` fields are a mix of the Elastic Agent metadata and Qualys vulnerability data. I didn't find a way to disable metadata coming from Elastic Agent (`publisher_pipeline.disable_host` seems to apply to the `host` field only).
A decision must be made to either have no cloud fields set, have only the data coming from Qualys, or have only the Elastic Agent metadata.
I have a strong preference to remove any properties set by the Elastic Agent and only have data from Qualys. If we want to build dashboards with data coming from different scanning solutions (Qualys, Tenable, Snyk, ...), we'll heavily rely on ECS fields.
We might have a rule that if the field `tags` contains `forwarded`, we use only the data from Qualys.
Here is an example of what I'm getting
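As an added illustration (not part of the original issue, and not the integration's own pipeline), one way to express the rule proposed above as an Elasticsearch ingest pipeline: when `tags` contains `forwarded`, drop the `cloud.*` object populated by Elastic Agent and move the scanner's own cloud values into its place. The field `qualys_cloud` is a hypothetical holding place for the cloud values parsed from the Qualys payload; the real integration may keep them under a different name.

```json
{
  "description": "Illustration only: for forwarded events, keep the scanner's cloud.* and discard Elastic Agent's",
  "processors": [
    {
      "remove": {
        "if": "ctx.tags != null && ctx.tags.contains('forwarded')",
        "field": "cloud",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "if": "ctx.tags != null && ctx.tags.contains('forwarded') && ctx.qualys_cloud != null",
        "field": "qualys_cloud",
        "target_field": "cloud",
        "ignore_missing": true
      }
    }
  ]
}
```

Removing `cloud` before renaming matters: `rename` fails if the target already exists, and a plain overwrite would leave behind any `cloud.*` keys that the scanner payload does not set (for example `cloud.instance.id` from `add_cloud_metadata`), which is exactly the mixing the issue describes. The two conditions can be checked with `POST _ingest/pipeline/_simulate` using a document that carries `"tags": ["forwarded"]`, an Agent-populated `cloud` object and a `qualys_cloud` object; the result should contain only the scanner's values under `cloud`, while a document without the `forwarded` tag passes through unchanged.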