You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
218 lines
9.1 KiB
218 lines
9.1 KiB
// Copyright 2021 Google LLC |
|
// |
|
// Licensed under the Apache License, Version 2.0 (the "License"); |
|
// you may not use this file except in compliance with the License. |
|
// You may obtain a copy of the License at |
|
// |
|
// http://www.apache.org/licenses/LICENSE-2.0 |
|
// |
|
// Unless required by applicable law or agreed to in writing, software |
|
// distributed under the License is distributed on an "AS IS" BASIS, |
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
// See the License for the specific language governing permissions and |
|
// limitations under the License. |
|
|
|
syntax = "proto3"; |
|
|
|
package google.cloud.securitycenter.v1; |
|
|
|
import "google/api/field_behavior.proto"; |
|
import "google/api/resource.proto"; |
|
import "google/cloud/securitycenter/v1/indicator.proto"; |
|
import "google/cloud/securitycenter/v1/security_marks.proto"; |
|
import "google/protobuf/struct.proto"; |
|
import "google/protobuf/timestamp.proto"; |
|
import "google/api/annotations.proto"; |
|
|
|
option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; |
|
option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; |
|
option java_multiple_files = true; |
|
option java_package = "com.google.cloud.securitycenter.v1"; |
|
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; |
|
option ruby_package = "Google::Cloud::SecurityCenter::V1"; |
|
|
|
// Security Command Center finding. |
|
// |
|
// A finding is a record of assessment data like security, risk, health, or |
|
// privacy, that is ingested into Security Command Center for presentation, |
|
// notification, analysis, policy testing, and enforcement. For example, a |
|
// cross-site scripting (XSS) vulnerability in an App Engine application is a |
|
// finding. |
|
message Finding { |
|
option (google.api.resource) = { |
|
type: "securitycenter.googleapis.com/Finding" |
|
pattern: "organizations/{organization}/sources/{source}/findings/{finding}" |
|
pattern: "folders/{folder}/sources/{source}/findings/{finding}" |
|
pattern: "projects/{project}/sources/{source}/findings/{finding}" |
|
}; |
|
|
|
// The state of the finding. |
|
enum State { |
|
// Unspecified state. |
|
STATE_UNSPECIFIED = 0; |
|
|
|
// The finding requires attention and has not been addressed yet. |
|
ACTIVE = 1; |
|
|
|
// The finding has been fixed, triaged as a non-issue or otherwise addressed |
|
// and is no longer active. |
|
INACTIVE = 2; |
|
} |
|
|
|
// The severity of the finding. |
|
enum Severity { |
|
// This value is used for findings when a source doesn't write a severity |
|
// value. |
|
SEVERITY_UNSPECIFIED = 0; |
|
|
|
// Vulnerability: |
|
// A critical vulnerability is easily discoverable by an external actor, |
|
// exploitable, and results in the direct ability to execute arbitrary code, |
|
// exfiltrate data, and otherwise gain additional access and privileges to |
|
// cloud resources and workloads. Examples include publicly accessible |
|
// unprotected user data, public SSH access with weak or no passwords, etc. |
|
// |
|
// Threat: |
|
// Indicates a threat that is able to access, modify, or delete data or |
|
// execute unauthorized code within existing resources. |
|
CRITICAL = 1; |
|
|
|
// Vulnerability: |
|
// A high risk vulnerability can be easily discovered and exploited in |
|
// combination with other vulnerabilities in order to gain direct access and |
|
// the ability to execute arbitrary code, exfiltrate data, and otherwise |
|
// gain additional access and privileges to cloud resources and workloads. |
|
// An example is a database with weak or no passwords that is only |
|
// accessible internally. This database could easily be compromised by an |
|
// actor that had access to the internal network. |
|
// |
|
// Threat: |
|
// Indicates a threat that is able to create new computational resources in |
|
// an environment but not able to access data or execute code in existing |
|
// resources. |
|
HIGH = 2; |
|
|
|
// Vulnerability: |
|
// A medium risk vulnerability could be used by an actor to gain access to |
|
// resources or privileges that enable them to eventually (through multiple |
|
// steps or a complex exploit) gain access and the ability to execute |
|
// arbitrary code or exfiltrate data. An example is a service account with |
|
// access to more projects than it should have. If an actor gains access to |
|
// the service account, they could potentially use that access to manipulate |
|
// a project the service account was not intended to. |
|
// |
|
// Threat: |
|
// Indicates a threat that is able to cause operational impact but may not |
|
// access data or execute unauthorized code. |
|
MEDIUM = 3; |
|
|
|
// Vulnerability: |
|
// A low risk vulnerability hampers a security organization’s ability to |
|
// detect vulnerabilities or active threats in their deployment, or prevents |
|
// the root cause investigation of security issues. An example is monitoring |
|
// and logs being disabled for resource configurations and access. |
|
// |
|
// Threat: |
|
// Indicates a threat that has obtained minimal access to an environment but |
|
// is not able to access data, execute code, or create resources. |
|
LOW = 4; |
|
} |
|
|
|
// Represents what kind of Finding it is. |
|
enum FindingClass { |
|
// Unspecified finding class. |
|
FINDING_CLASS_UNSPECIFIED = 0; |
|
|
|
// Describes unwanted or malicious activity. |
|
THREAT = 1; |
|
|
|
// Describes a potential weakness in software that increases risk to |
|
// Confidentiality & Integrity & Availability. |
|
VULNERABILITY = 2; |
|
|
|
// Describes a potential weakness in cloud resource/asset configuration that |
|
// increases risk. |
|
MISCONFIGURATION = 3; |
|
|
|
// Describes a security observation that is for informational purposes. |
|
OBSERVATION = 4; |
|
} |
|
|
|
// The relative resource name of this finding. See: |
|
// https://cloud.google.com/apis/design/resource_names#relative_resource_name |
|
// Example: |
|
// "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" |
|
string name = 1; |
|
|
|
// The relative resource name of the source the finding belongs to. See: |
|
// https://cloud.google.com/apis/design/resource_names#relative_resource_name |
|
// This field is immutable after creation time. |
|
// For example: |
|
// "organizations/{organization_id}/sources/{source_id}" |
|
string parent = 2; |
|
|
|
// For findings on Google Cloud resources, the full resource |
|
// name of the Google Cloud resource this finding is for. See: |
|
// https://cloud.google.com/apis/design/resource_names#full_resource_name |
|
// When the finding is for a non-Google Cloud resource, the resourceName can |
|
// be a customer or partner defined string. This field is immutable after |
|
// creation time. |
|
string resource_name = 3; |
|
|
|
// The state of the finding. |
|
State state = 4; |
|
|
|
// The additional taxonomy group within findings from a given source. |
|
// This field is immutable after creation time. |
|
// Example: "XSS_FLASH_INJECTION" |
|
string category = 5; |
|
|
|
// The URI that, if available, points to a web page outside of Security |
|
// Command Center where additional information about the finding can be found. |
|
// This field is guaranteed to be either empty or a well formed URL. |
|
string external_uri = 6; |
|
|
|
// Source specific properties. These properties are managed by the source |
|
// that writes the finding. The key names in the source_properties map must be |
|
// between 1 and 255 characters, and must start with a letter and contain |
|
// alphanumeric characters or underscores only. |
|
map<string, google.protobuf.Value> source_properties = 7; |
|
|
|
// Output only. User specified security marks. These marks are entirely |
|
// managed by the user and come from the SecurityMarks resource that belongs |
|
// to the finding. |
|
SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; |
|
|
|
// The time at which the event took place, or when an update to the finding |
|
// occurred. For example, if the finding represents an open firewall it would |
|
// capture the time the detector believes the firewall became open. The |
|
// accuracy is determined by the detector. If the finding were to be resolved |
|
// afterward, this time would reflect when the finding was resolved. Must not |
|
// be set to a value greater than the current timestamp. |
|
google.protobuf.Timestamp event_time = 9; |
|
|
|
// The time at which the finding was created in Security Command Center. |
|
google.protobuf.Timestamp create_time = 10; |
|
|
|
// The severity of the finding. This field is managed by the source that |
|
// writes the finding. |
|
Severity severity = 12; |
|
|
|
// The canonical name of the finding. It's either |
|
// "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}", |
|
// "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or |
|
// "projects/{project_number}/sources/{source_id}/findings/{finding_id}", |
|
// depending on the closest CRM ancestor of the resource associated with the |
|
// finding. |
|
string canonical_name = 14; |
|
|
|
// The class of the finding. |
|
FindingClass finding_class = 17; |
|
|
|
// Represents what's commonly known as an Indicator of compromise (IoC) in |
|
// computer forensics. This is an artifact observed on a network or in an |
|
// operating system that, with high confidence, indicates a computer |
|
// intrusion. |
|
// Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise |
|
Indicator indicator = 18; |
|
}
|
|
|