123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218 |
- // Copyright 2021 Google LLC
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- syntax = "proto3";
- package google.cloud.securitycenter.v1;
- import "google/api/field_behavior.proto";
- import "google/api/resource.proto";
- import "google/cloud/securitycenter/v1/indicator.proto";
- import "google/cloud/securitycenter/v1/security_marks.proto";
- import "google/protobuf/struct.proto";
- import "google/protobuf/timestamp.proto";
- import "google/api/annotations.proto";
- option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
- option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
- option java_multiple_files = true;
- option java_package = "com.google.cloud.securitycenter.v1";
- option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
- option ruby_package = "Google::Cloud::SecurityCenter::V1";
- // Security Command Center finding.
- //
- // A finding is a record of assessment data like security, risk, health, or
- // privacy, that is ingested into Security Command Center for presentation,
- // notification, analysis, policy testing, and enforcement. For example, a
- // cross-site scripting (XSS) vulnerability in an App Engine application is a
- // finding.
- message Finding {
- option (google.api.resource) = {
- type: "securitycenter.googleapis.com/Finding"
- pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
- pattern: "folders/{folder}/sources/{source}/findings/{finding}"
- pattern: "projects/{project}/sources/{source}/findings/{finding}"
- };
- // The state of the finding.
- enum State {
- // Unspecified state.
- STATE_UNSPECIFIED = 0;
- // The finding requires attention and has not been addressed yet.
- ACTIVE = 1;
- // The finding has been fixed, triaged as a non-issue or otherwise addressed
- // and is no longer active.
- INACTIVE = 2;
- }
- // The severity of the finding.
- enum Severity {
- // This value is used for findings when a source doesn't write a severity
- // value.
- SEVERITY_UNSPECIFIED = 0;
- // Vulnerability:
- // A critical vulnerability is easily discoverable by an external actor,
- // exploitable, and results in the direct ability to execute arbitrary code,
- // exfiltrate data, and otherwise gain additional access and privileges to
- // cloud resources and workloads. Examples include publicly accessible
- // unprotected user data, public SSH access with weak or no passwords, etc.
- //
- // Threat:
- // Indicates a threat that is able to access, modify, or delete data or
- // execute unauthorized code within existing resources.
- CRITICAL = 1;
- // Vulnerability:
- // A high risk vulnerability can be easily discovered and exploited in
- // combination with other vulnerabilities in order to gain direct access and
- // the ability to execute arbitrary code, exfiltrate data, and otherwise
- // gain additional access and privileges to cloud resources and workloads.
- // An example is a database with weak or no passwords that is only
- // accessible internally. This database could easily be compromised by an
- // actor that had access to the internal network.
- //
- // Threat:
- // Indicates a threat that is able to create new computational resources in
- // an environment but not able to access data or execute code in existing
- // resources.
- HIGH = 2;
- // Vulnerability:
- // A medium risk vulnerability could be used by an actor to gain access to
- // resources or privileges that enable them to eventually (through multiple
- // steps or a complex exploit) gain access and the ability to execute
- // arbitrary code or exfiltrate data. An example is a service account with
- // access to more projects than it should have. If an actor gains access to
- // the service account, they could potentially use that access to manipulate
- // a project the service account was not intended to.
- //
- // Threat:
- // Indicates a threat that is able to cause operational impact but may not
- // access data or execute unauthorized code.
- MEDIUM = 3;
- // Vulnerability:
- // A low risk vulnerability hampers a security organization’s ability to
- // detect vulnerabilities or active threats in their deployment, or prevents
- // the root cause investigation of security issues. An example is monitoring
- // and logs being disabled for resource configurations and access.
- //
- // Threat:
- // Indicates a threat that has obtained minimal access to an environment but
- // is not able to access data, execute code, or create resources.
- LOW = 4;
- }
- // Represents what kind of Finding it is.
- enum FindingClass {
- // Unspecified finding class.
- FINDING_CLASS_UNSPECIFIED = 0;
- // Describes unwanted or malicious activity.
- THREAT = 1;
- // Describes a potential weakness in software that increases risk to
- // Confidentiality & Integrity & Availability.
- VULNERABILITY = 2;
- // Describes a potential weakness in cloud resource/asset configuration that
- // increases risk.
- MISCONFIGURATION = 3;
- // Describes a security observation that is for informational purposes.
- OBSERVATION = 4;
- }
- // The relative resource name of this finding. See:
- // https://cloud.google.com/apis/design/resource_names#relative_resource_name
- // Example:
- // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
- string name = 1;
- // The relative resource name of the source the finding belongs to. See:
- // https://cloud.google.com/apis/design/resource_names#relative_resource_name
- // This field is immutable after creation time.
- // For example:
- // "organizations/{organization_id}/sources/{source_id}"
- string parent = 2;
- // For findings on Google Cloud resources, the full resource
- // name of the Google Cloud resource this finding is for. See:
- // https://cloud.google.com/apis/design/resource_names#full_resource_name
- // When the finding is for a non-Google Cloud resource, the resourceName can
- // be a customer or partner defined string. This field is immutable after
- // creation time.
- string resource_name = 3;
- // The state of the finding.
- State state = 4;
- // The additional taxonomy group within findings from a given source.
- // This field is immutable after creation time.
- // Example: "XSS_FLASH_INJECTION"
- string category = 5;
- // The URI that, if available, points to a web page outside of Security
- // Command Center where additional information about the finding can be found.
- // This field is guaranteed to be either empty or a well formed URL.
- string external_uri = 6;
- // Source specific properties. These properties are managed by the source
- // that writes the finding. The key names in the source_properties map must be
- // between 1 and 255 characters, and must start with a letter and contain
- // alphanumeric characters or underscores only.
- map<string, google.protobuf.Value> source_properties = 7;
- // Output only. User specified security marks. These marks are entirely
- // managed by the user and come from the SecurityMarks resource that belongs
- // to the finding.
- SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
- // The time at which the event took place, or when an update to the finding
- // occurred. For example, if the finding represents an open firewall it would
- // capture the time the detector believes the firewall became open. The
- // accuracy is determined by the detector. If the finding were to be resolved
- // afterward, this time would reflect when the finding was resolved. Must not
- // be set to a value greater than the current timestamp.
- google.protobuf.Timestamp event_time = 9;
- // The time at which the finding was created in Security Command Center.
- google.protobuf.Timestamp create_time = 10;
- // The severity of the finding. This field is managed by the source that
- // writes the finding.
- Severity severity = 12;
- // The canonical name of the finding. It's either
- // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
- // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or
- // "projects/{project_number}/sources/{source_id}/findings/{finding_id}",
- // depending on the closest CRM ancestor of the resource associated with the
- // finding.
- string canonical_name = 14;
- // The class of the finding.
- FindingClass finding_class = 17;
- // Represents what's commonly known as an Indicator of compromise (IoC) in
- // computer forensics. This is an artifact observed on a network or in an
- // operating system that, with high confidence, indicates a computer
- // intrusion.
- // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
- Indicator indicator = 18;
- }
|