Conversation

@kcreddy kcreddy commented Jan 22, 2025

Proposed commit message

Add show_igs API parameter as a UI option. Also optionally add fingerprint processor.

By default, Qualys API only includes detection records with `Confirmed` and `Potential` vulnerabilities. With show_igs option users can enable Qualys API to fetch detections of type `Info` as well. Optionally adding fingerprint processor on event.original field so that any existing vulnerabilities in the current backing index will not be duplicated. I prefixed the document _id value with the timestamp based on recommendations from the "Efficient Duplicate Prevention for Event-Based Data in Elasticsearch" blog post.

References:
  • https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/api_doc/assets/index.htm#t=host_lists%2Fhost_detection.htm
  • https://www.elastic.co/blog/efficient-duplicate-prevention-for-event-based-data-in-elasticsearch

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  1. Updated system tests with show_igs=1 should run successfully.
    Run: cd packages/qualys_vmdr && elastic-package stack down && elastic-package build && elastic-package stack up --version=8.13.0 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v --data-streams=asset_host_detection
    Returns:

    2025/01/22 22:22:53 DEBUG found 0 hits in logs-qualys_vmdr.asset_host_detection-71011 data stream
    2025/01/22 22:22:54 DEBUG found 4 hits in logs-qualys_vmdr.asset_host_detection-71011 data stream
    2025/01/22 22:22:58 DEBUG found 4 hits in logs-qualys_vmdr.asset_host_detection-71011 data stream
    ......
    2025/01/22 22:23:01 DEBUG assert hit count expected 4, observed 4
    ......
    --- Test results for package: qualys_vmdr - START ---
    ╭─────────────┬──────────────────────┬───────────┬───────────┬────────┬───────────────╮
    │ PACKAGE     │ DATA STREAM          │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED  │
    ├─────────────┼──────────────────────┼───────────┼───────────┼────────┼───────────────┤
    │ qualys_vmdr │ asset_host_detection │ system    │ default   │ PASS   │ 42.686733958s │
    ╰─────────────┴──────────────────────┴───────────┴───────────┴────────┴───────────────╯
    --- Test results for package: qualys_vmdr - END ---
    Done
  2. Check tracer logs:
    a. Don't select Enable Information Gathered Detections UI option.
    Inside tracer logs, the request has:

    "url.query":"action=list&ids=879484319&show_igs=0&truncation_limit=1000" 

    b. Select Enable Information Gathered Detections UI option.
    Inside tracer logs, the request has:

    "url.query":"action=list&ids=879484319&show_igs=1&truncation_limit=1000" 

Screenshots

Screenshot 2025-01-23 at 12 54 28 PM
@kcreddy kcreddy marked this pull request as ready for review January 22, 2025 17:21
@kcreddy kcreddy requested a review from a team as a code owner January 22, 2025 17:21
@kcreddy kcreddy self-assigned this Jan 22, 2025
@kcreddy kcreddy added Integration:qualys_vmdr Qualys VMDR enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jan 22, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor Author

produced by elastic-package

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Member

Suggested change

Before:
    description: By default, Qualys API only includes detection records with `Confirmed` and `Potential` vulnerabilities. When this option is enabled, the Qualys API also sends detections of type `Info` along with `Confirmed` and `Potential` vulnerabilities.

After:
    description: By default, Qualys API only includes detection records with `Confirmed` and `Potential` vulnerabilities. When this option is enabled, the Qualys API sends detections of type `Info` in addition to `Confirmed` and `Potential` vulnerabilities.
Contributor Author

@kcreddy kcreddy Jan 23, 2025

Updated as suggested in 1f0ea18

Member

Deduplication paired with full syncs each period could make it more difficult to validate all assets and vulnerabilities were collected. Currently the validation process involves reviewing data written during the last sync window. If deduplication is implemented then you need to consider all data in the current backing index to account for vulnerabilities that were indexed during an earlier sync.

Users need to know that deduplication is enabled because it impacts how you should query the data for certain uses. My recommendation is to make deduplication an opt-in feature with an explanation of how it impacts ingestion. Specifically, each sync interval will ingest all detected vulnerabilities. However, if deduplication is enabled, any existing vulnerabilities in the current backing index will not be duplicated. The presence of a vulnerability in the backing index is determined by computing a checksum of the event contents and checking if that checksum already exists in Elasticsearch.
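The deduplication mechanism described in the PR description and in this review comment, as an added example that is not the integration's own pipeline code: a SHA-256 fingerprint of event.original prefixed with the event's own timestamp gives a detection that every full sync re-fetches the same _id, so the backing index does not grow, while a detection whose content changed gets a new _id. The "-" separator, the dict standing in for the backing index, and the sample detection records are assumptions.

```python
# Added example, not the qualys_vmdr integration's own pipeline code. The "-"
# separator and the dict standing in for the backing index are assumptions;
# build_detection_query shows the show_igs UI option as it appears in url.query.
import hashlib
from urllib.parse import urlencode


def build_detection_query(host_ids, show_igs, truncation_limit=1000):
    """Qualys host detection list query; the UI boolean is sent as show_igs=0 or 1."""
    return urlencode({"action": "list", "ids": ",".join(host_ids),
                      "show_igs": int(bool(show_igs)),
                      "truncation_limit": truncation_limit})

def fingerprint(event_original):
    """SHA-256 over the raw event, the input the fingerprint processor hashes."""
    return hashlib.sha256(event_original.encode("utf-8")).hexdigest()

def document_id(timestamp, event_original):
    """Timestamp-prefixed _id: identical detection content yields an identical _id."""
    return f"{timestamp}-{fingerprint(event_original)}"

def ingest(index, events, deduplicate):
    """Write (timestamp, event.original) pairs into `index`; return the number of
    new documents. Without dedup each write gets a fresh auto id, so a full sync
    re-indexes everything; with dedup an existing _id is overwritten in place."""
    new_docs = 0
    for ts, raw in events:
        doc_id = document_id(ts, raw) if deduplicate else f"auto-{len(index)}"
        if doc_id not in index:
            new_docs += 1
        index[doc_id] = raw
    return new_docs

# Constructed sample: two full syncs return the same two detections; in a third
# sync one detection's STATUS changed, which is new content and therefore a new _id.
SYNC_1 = [("2025-01-22T22:22:53Z", "<DETECTION><QID>1001</QID><STATUS>Active</STATUS></DETECTION>"),
          ("2025-01-22T22:22:53Z", "<DETECTION><QID>1002</QID><STATUS>Active</STATUS></DETECTION>")]
SYNC_2 = list(SYNC_1)
SYNC_3 = [SYNC_1[0], ("2025-01-23T07:22:00Z", "<DETECTION><QID>1002</QID><STATUS>Fixed</STATUS></DETECTION>")]

def run_syncs(deduplicate):
    """Replay the three syncs into an empty index and return the final document count."""
    index = {}
    for sync in (SYNC_1, SYNC_2, SYNC_3):
        ingest(index, sync, deduplicate)
    return len(index)
```

This is also why the reviewer's validation point holds: with deduplication on, the documents from an earlier sync are the ones that survive, so counting only what was written in the last sync window undercounts.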

Contributor Author

@kcreddy kcreddy Jan 23, 2025

That makes sense.
I added a UI option to select Enable Data Deduplication (default: false) in 1f0ea18.

Described the option in manifest.yml as suggested. Updated the PR description.

Contributor Author

Screenshot 2025-01-23 at 12 54 28 PM
@kcreddy kcreddy requested a review from andrewkroh January 23, 2025 07:22
@kcreddy kcreddy changed the title qualys_vmdr: Add "show_igs" UI option and fingerprint processor qualys_vmdr: Add "show_igs" and fingerprint processor UI options Jan 23, 2025
Member

Why make this into a string rather than retain the boolean type?

Contributor Author

Not intentional. Updated in 6c46311

@kcreddy kcreddy requested a review from andrewkroh January 24, 2025 05:16
@elasticmachine

💚 Build Succeeded

History

  • 💚 Build #20834 succeeded 1f0ea18da4595c102a5079dc06b9c19c353c60ce
  • 💚 Build #20812 succeeded 856c230d2b3730ff67c309135993970870252a90

cc @kcreddy

@kcreddy kcreddy merged this pull request into elastic:main Jan 28, 2025
5 checks passed
@elastic-vault-github-plugin-prod

Package qualys_vmdr - 5.9.0 containing this change is available at https://epr.elastic.co/package/qualys_vmdr/5.9.0/

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
@kcreddy kcreddy deleted the qualys-quality-impr branch February 7, 2025 09:31