lenn
/
grpc1.45.2


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218
							// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/securitycenter/v1/indicator.proto";
import "google/cloud/securitycenter/v1/security_marks.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/api/annotations.proto";

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
option java_multiple_files = true;
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Security Command Center finding.
//
// A finding is a record of assessment data like security, risk, health, or
// privacy, that is ingested into Security Command Center for presentation,
// notification, analysis, policy testing, and enforcement. For example, a
// cross-site scripting (XSS) vulnerability in an App Engine application is a
// finding.
message Finding {
  option (google.api.resource) = {
    type: "securitycenter.googleapis.com/Finding"
    pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
    pattern: "folders/{folder}/sources/{source}/findings/{finding}"
    pattern: "projects/{project}/sources/{source}/findings/{finding}"
  };

  // The state of the finding.
  enum State {
    // Unspecified state.
    STATE_UNSPECIFIED = 0;

    // The finding requires attention and has not been addressed yet.
    ACTIVE = 1;

    // The finding has been fixed, triaged as a non-issue or otherwise addressed
    // and is no longer active.
    INACTIVE = 2;
  }

  // The severity of the finding.
  enum Severity {
    // This value is used for findings when a source doesn't write a severity
    // value.
    SEVERITY_UNSPECIFIED = 0;

    // Vulnerability:
    // A critical vulnerability is easily discoverable by an external actor,
    // exploitable, and results in the direct ability to execute arbitrary code,
    // exfiltrate data, and otherwise gain additional access and privileges to
    // cloud resources and workloads. Examples include publicly accessible
    // unprotected user data, public SSH access with weak or no passwords, etc.
    //
    // Threat:
    // Indicates a threat that is able to access, modify, or delete data or
    // execute unauthorized code within existing resources.
    CRITICAL = 1;

    // Vulnerability:
    // A high risk vulnerability can be easily discovered and exploited in
    // combination with other vulnerabilities in order to gain direct access and
    // the ability to execute arbitrary code, exfiltrate data, and otherwise
    // gain additional access and privileges to cloud resources and workloads.
    // An example is a database with weak or no passwords that is only
    // accessible internally. This database could easily be compromised by an
    // actor that had access to the internal network.
    //
    // Threat:
    // Indicates a threat that is able to create new computational resources in
    // an environment but not able to access data or execute code in existing
    // resources.
    HIGH = 2;

    // Vulnerability:
    // A medium risk vulnerability could be used by an actor to gain access to
    // resources or privileges that enable them to eventually (through multiple
    // steps or a complex exploit) gain access and the ability to execute
    // arbitrary code or exfiltrate data. An example is a service account with
    // access to more projects than it should have. If an actor gains access to
    // the service account, they could potentially use that access to manipulate
    // a project the service account was not intended to.
    //
    // Threat:
    // Indicates a threat that is able to cause operational impact but may not
    // access data or execute unauthorized code.
    MEDIUM = 3;

    // Vulnerability:
    // A low risk vulnerability hampers a security organization’s ability to
    // detect vulnerabilities or active threats in their deployment, or prevents
    // the root cause investigation of security issues. An example is monitoring
    // and logs being disabled for resource configurations and access.
    //
    // Threat:
    // Indicates a threat that has obtained minimal access to an environment but
    // is not able to access data, execute code, or create resources.
    LOW = 4;
  }

  // Represents what kind of Finding it is.
  enum FindingClass {
    // Unspecified finding class.
    FINDING_CLASS_UNSPECIFIED = 0;

    // Describes unwanted or malicious activity.
    THREAT = 1;

    // Describes a potential weakness in software that increases risk to
    // Confidentiality & Integrity & Availability.
    VULNERABILITY = 2;

    // Describes a potential weakness in cloud resource/asset configuration that
    // increases risk.
    MISCONFIGURATION = 3;

    // Describes a security observation that is for informational purposes.
    OBSERVATION = 4;
  }

  // The relative resource name of this finding. See:
  // https://cloud.google.com/apis/design/resource_names#relative_resource_name
  // Example:
  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
  string name = 1;

  // The relative resource name of the source the finding belongs to. See:
  // https://cloud.google.com/apis/design/resource_names#relative_resource_name
  // This field is immutable after creation time.
  // For example:
  // "organizations/{organization_id}/sources/{source_id}"
  string parent = 2;

  // For findings on Google Cloud resources, the full resource
  // name of the Google Cloud resource this finding is for. See:
  // https://cloud.google.com/apis/design/resource_names#full_resource_name
  // When the finding is for a non-Google Cloud resource, the resourceName can
  // be a customer or partner defined string. This field is immutable after
  // creation time.
  string resource_name = 3;

  // The state of the finding.
  State state = 4;

  // The additional taxonomy group within findings from a given source.
  // This field is immutable after creation time.
  // Example: "XSS_FLASH_INJECTION"
  string category = 5;

  // The URI that, if available, points to a web page outside of Security
  // Command Center where additional information about the finding can be found.
  // This field is guaranteed to be either empty or a well formed URL.
  string external_uri = 6;

  // Source specific properties. These properties are managed by the source
  // that writes the finding. The key names in the source_properties map must be
  // between 1 and 255 characters, and must start with a letter and contain
  // alphanumeric characters or underscores only.
  map<string, google.protobuf.Value> source_properties = 7;

  // Output only. User specified security marks. These marks are entirely
  // managed by the user and come from the SecurityMarks resource that belongs
  // to the finding.
  SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The time at which the event took place, or when an update to the finding
  // occurred. For example, if the finding represents an open firewall it would
  // capture the time the detector believes the firewall became open. The
  // accuracy is determined by the detector. If the finding were to be resolved
  // afterward, this time would reflect when the finding was resolved. Must not
  // be set to a value greater than the current timestamp.
  google.protobuf.Timestamp event_time = 9;

  // The time at which the finding was created in Security Command Center.
  google.protobuf.Timestamp create_time = 10;

  // The severity of the finding. This field is managed by the source that
  // writes the finding.
  Severity severity = 12;

  // The canonical name of the finding. It's either
  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
  // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or
  // "projects/{project_number}/sources/{source_id}/findings/{finding_id}",
  // depending on the closest CRM ancestor of the resource associated with the
  // finding.
  string canonical_name = 14;

  // The class of the finding.
  FindingClass finding_class = 17;

  // Represents what's commonly known as an Indicator of compromise (IoC) in
  // computer forensics. This is an artifact observed on a network or in an
  // operating system that, with high confidence, indicates a computer
  // intrusion.
  // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
  Indicator indicator = 18;
}