elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[qualys_vmdr.asset_host_detection] Align `cloud.*` fields with Qualys data and not elastic agent metadata #10277

Open clement-fouque opened 1 week ago

clement-fouque commented 1 week ago

When ingesting vulnerability data, `cloud.*` fields are a mix of the Elastic Agent metadata and Qualys vulnerability data. I didn't find a way to disable metadata coming from the Elastic Agent (`publisher_pipeline.disable_host` seems to apply to the `host` field only).

A decision must be made to either have no `cloud` fields set, have only the data coming from Qualys, or have only the Elastic Agent metadata.

I have a strong preference to remove any properties set by the Elastic Agent and only have data from Qualys. If we want to build dashboards with data coming from different scanning solutions (Qualys, Tenable, Snyk, ...), we'll heavily rely on ECS fields.

We might have a rule that if the `tags` field contains `forwarded`, we use only the data from Qualys.

Here is an example of what I'm getting:

```jsonc
"cloud": {
  "availability_zone": "us-central1-a", // Elastic Agent metadata
  "instance": {
    "name": "gke-xxx", // Elastic Agent metadata
    "id": "12346789" // Qualys vulnerability data
  },
  "provider": "GCP", // Qualys vulnerability data
  "service": {
    "name": "Compute Engine" // Qualys vulnerability data
  },
  "project": {
    "id": "my-project" // Elastic Agent metadata
  },
  "region": "us-central1", // Elastic Agent metadata
  "account": {
    "id": "my-project" // Elastic Agent metadata
  }
}
```
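The `forwarded` rule proposed in the comment above, simulated in Python as an added example; this is not code from the elastic/integrations repository or from the issue author. The sample event is constructed, and the Qualys attribute names under `qualys_vmdr.asset_host_detection` (`cloud_provider`, `cloud_service`, `cloud_resource_id`) and their mapping onto ECS `cloud.*` are assumptions, not the integration's real field names. The function shows both outcomes: with the tag present the agent's `cloud.*` is dropped before Qualys values are set, and without it the two sources are overlaid, which reproduces the mixed object shown in the issue.

```python
"""Simulate the cloud.* precedence rule proposed in the issue.

Added example, not code from elastic/integrations. The Qualys field names
under qualys_vmdr.asset_host_detection are assumed, not the integration's
real field names; the sample event is constructed.
"""
from copy import deepcopy
import json

# Constructed sample: an event after the Elastic Agent's add_cloud_metadata
# processor enriched it, with the raw Qualys cloud attributes still unmapped.
AGENT_EVENT = {
    "tags": ["forwarded", "qualys_vmdr-asset_host_detection"],
    "cloud": {  # everything here came from the agent, not from Qualys
        "availability_zone": "us-central1-a",
        "instance": {"name": "gke-xxx"},
        "project": {"id": "my-project"},
        "region": "us-central1",
        "account": {"id": "my-project"},
    },
    "qualys_vmdr": {
        "asset_host_detection": {  # assumed field names
            "cloud_provider": "GCP",
            "cloud_service": "Compute Engine",
            "cloud_resource_id": "12346789",
        }
    },
}

# Qualys attribute -> ECS cloud.* path it should populate (assumed mapping).
QUALYS_TO_ECS = {
    "cloud_provider": ("provider",),
    "cloud_service": ("service", "name"),
    "cloud_resource_id": ("instance", "id"),
}


def _set_path(doc: dict, path: tuple, value) -> None:
    """Set a nested key, creating intermediate objects as needed."""
    for key in path[:-1]:
        doc = doc.setdefault(key, {})
    doc[path[-1]] = value


def is_forwarded(event: dict) -> bool:
    """True when the event carries the 'forwarded' tag, i.e. it describes a
    third-party host rather than the machine the agent itself runs on."""
    return "forwarded" in (event.get("tags") or [])


def apply_cloud_policy(event: dict) -> dict:
    """Return a copy of the event with cloud.* resolved.

    Forwarded events: drop the agent's cloud.* entirely, then set cloud.*
    only from what Qualys reported (no cloud object at all if Qualys gave
    nothing). Non-forwarded events keep the agent metadata and the Qualys
    values are overlaid, which is the mixed result the issue shows.
    """
    out = deepcopy(event)
    if is_forwarded(out):
        out.pop("cloud", None)
    qualys = out.get("qualys_vmdr", {}).get("asset_host_detection", {})
    for src, path in QUALYS_TO_ECS.items():
        if src in qualys:
            _set_path(out.setdefault("cloud", {}), path, qualys[src])
    return out


if __name__ == "__main__":
    print(json.dumps(apply_cloud_policy(AGENT_EVENT)["cloud"], indent=2))
```

In an ingest pipeline the same ordering matters: the step that removes `cloud` under a condition on `tags` has to run before the processors that populate `cloud.*` from the Qualys record, otherwise the Qualys values are removed along with the agent's.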
elasticmachine commented 1 week ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)