finding.proto 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218
  1. // Copyright 2021 Google LLC
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.securitycenter.v1;
  16. import "google/api/field_behavior.proto";
  17. import "google/api/resource.proto";
  18. import "google/cloud/securitycenter/v1/indicator.proto";
  19. import "google/cloud/securitycenter/v1/security_marks.proto";
  20. import "google/protobuf/struct.proto";
  21. import "google/protobuf/timestamp.proto";
  22. import "google/api/annotations.proto";
  23. option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
  24. option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
  25. option java_multiple_files = true;
  26. option java_package = "com.google.cloud.securitycenter.v1";
  27. option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
  28. option ruby_package = "Google::Cloud::SecurityCenter::V1";
  29. // Security Command Center finding.
  30. //
  31. // A finding is a record of assessment data like security, risk, health, or
  32. // privacy, that is ingested into Security Command Center for presentation,
  33. // notification, analysis, policy testing, and enforcement. For example, a
  34. // cross-site scripting (XSS) vulnerability in an App Engine application is a
  35. // finding.
  36. message Finding {
  37. option (google.api.resource) = {
  38. type: "securitycenter.googleapis.com/Finding"
  39. pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
  40. pattern: "folders/{folder}/sources/{source}/findings/{finding}"
  41. pattern: "projects/{project}/sources/{source}/findings/{finding}"
  42. };
  43. // The state of the finding.
  44. enum State {
  45. // Unspecified state.
  46. STATE_UNSPECIFIED = 0;
  47. // The finding requires attention and has not been addressed yet.
  48. ACTIVE = 1;
  49. // The finding has been fixed, triaged as a non-issue or otherwise addressed
  50. // and is no longer active.
  51. INACTIVE = 2;
  52. }
  53. // The severity of the finding.
  54. enum Severity {
  55. // This value is used for findings when a source doesn't write a severity
  56. // value.
  57. SEVERITY_UNSPECIFIED = 0;
  58. // Vulnerability:
  59. // A critical vulnerability is easily discoverable by an external actor,
  60. // exploitable, and results in the direct ability to execute arbitrary code,
  61. // exfiltrate data, and otherwise gain additional access and privileges to
  62. // cloud resources and workloads. Examples include publicly accessible
  63. // unprotected user data, public SSH access with weak or no passwords, etc.
  64. //
  65. // Threat:
  66. // Indicates a threat that is able to access, modify, or delete data or
  67. // execute unauthorized code within existing resources.
  68. CRITICAL = 1;
  69. // Vulnerability:
  70. // A high risk vulnerability can be easily discovered and exploited in
  71. // combination with other vulnerabilities in order to gain direct access and
  72. // the ability to execute arbitrary code, exfiltrate data, and otherwise
  73. // gain additional access and privileges to cloud resources and workloads.
  74. // An example is a database with weak or no passwords that is only
  75. // accessible internally. This database could easily be compromised by an
  76. // actor that had access to the internal network.
  77. //
  78. // Threat:
  79. // Indicates a threat that is able to create new computational resources in
  80. // an environment but not able to access data or execute code in existing
  81. // resources.
  82. HIGH = 2;
  83. // Vulnerability:
  84. // A medium risk vulnerability could be used by an actor to gain access to
  85. // resources or privileges that enable them to eventually (through multiple
  86. // steps or a complex exploit) gain access and the ability to execute
  87. // arbitrary code or exfiltrate data. An example is a service account with
  88. // access to more projects than it should have. If an actor gains access to
  89. // the service account, they could potentially use that access to manipulate
  90. // a project the service account was not intended to.
  91. //
  92. // Threat:
  93. // Indicates a threat that is able to cause operational impact but may not
  94. // access data or execute unauthorized code.
  95. MEDIUM = 3;
  96. // Vulnerability:
  97. // A low risk vulnerability hampers a security organization’s ability to
  98. // detect vulnerabilities or active threats in their deployment, or prevents
  99. // the root cause investigation of security issues. An example is monitoring
  100. // and logs being disabled for resource configurations and access.
  101. //
  102. // Threat:
  103. // Indicates a threat that has obtained minimal access to an environment but
  104. // is not able to access data, execute code, or create resources.
  105. LOW = 4;
  106. }
  107. // Represents what kind of Finding it is.
  108. enum FindingClass {
  109. // Unspecified finding class.
  110. FINDING_CLASS_UNSPECIFIED = 0;
  111. // Describes unwanted or malicious activity.
  112. THREAT = 1;
  113. // Describes a potential weakness in software that increases risk to
  114. // Confidentiality & Integrity & Availability.
  115. VULNERABILITY = 2;
  116. // Describes a potential weakness in cloud resource/asset configuration that
  117. // increases risk.
  118. MISCONFIGURATION = 3;
  119. // Describes a security observation that is for informational purposes.
  120. OBSERVATION = 4;
  121. }
  122. // The relative resource name of this finding. See:
  123. // https://cloud.google.com/apis/design/resource_names#relative_resource_name
  124. // Example:
  125. // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
  126. string name = 1;
  127. // The relative resource name of the source the finding belongs to. See:
  128. // https://cloud.google.com/apis/design/resource_names#relative_resource_name
  129. // This field is immutable after creation time.
  130. // For example:
  131. // "organizations/{organization_id}/sources/{source_id}"
  132. string parent = 2;
  133. // For findings on Google Cloud resources, the full resource
  134. // name of the Google Cloud resource this finding is for. See:
  135. // https://cloud.google.com/apis/design/resource_names#full_resource_name
  136. // When the finding is for a non-Google Cloud resource, the resourceName can
  137. // be a customer or partner defined string. This field is immutable after
  138. // creation time.
  139. string resource_name = 3;
  140. // The state of the finding.
  141. State state = 4;
  142. // The additional taxonomy group within findings from a given source.
  143. // This field is immutable after creation time.
  144. // Example: "XSS_FLASH_INJECTION"
  145. string category = 5;
  146. // The URI that, if available, points to a web page outside of Security
  147. // Command Center where additional information about the finding can be found.
  148. // This field is guaranteed to be either empty or a well formed URL.
  149. string external_uri = 6;
  150. // Source specific properties. These properties are managed by the source
  151. // that writes the finding. The key names in the source_properties map must be
  152. // between 1 and 255 characters, and must start with a letter and contain
  153. // alphanumeric characters or underscores only.
  154. map<string, google.protobuf.Value> source_properties = 7;
  155. // Output only. User specified security marks. These marks are entirely
  156. // managed by the user and come from the SecurityMarks resource that belongs
  157. // to the finding.
  158. SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
  159. // The time at which the event took place, or when an update to the finding
  160. // occurred. For example, if the finding represents an open firewall it would
  161. // capture the time the detector believes the firewall became open. The
  162. // accuracy is determined by the detector. If the finding were to be resolved
  163. // afterward, this time would reflect when the finding was resolved. Must not
  164. // be set to a value greater than the current timestamp.
  165. google.protobuf.Timestamp event_time = 9;
  166. // The time at which the finding was created in Security Command Center.
  167. google.protobuf.Timestamp create_time = 10;
  168. // The severity of the finding. This field is managed by the source that
  169. // writes the finding.
  170. Severity severity = 12;
  171. // The canonical name of the finding. It's either
  172. // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
  173. // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or
  174. // "projects/{project_number}/sources/{source_id}/findings/{finding_id}",
  175. // depending on the closest CRM ancestor of the resource associated with the
  176. // finding.
  177. string canonical_name = 14;
  178. // The class of the finding.
  179. FindingClass finding_class = 17;
  180. // Represents what's commonly known as an Indicator of compromise (IoC) in
  181. // computer forensics. This is an artifact observed on a network or in an
  182. // operating system that, with high confidence, indicates a computer
  183. // intrusion.
  184. // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
  185. Indicator indicator = 18;
  186. }