google.cloud.securitycenter.v2.finding.proto Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of proto-google-cloud-securitycenter-v2 Show documentation
Show all versions of proto-google-cloud-securitycenter-v2 Show documentation
Proto library for google-cloud-securitycenter
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.cloud.securitycenter.v2;
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/securitycenter/v2/access.proto";
import "google/cloud/securitycenter/v2/application.proto";
import "google/cloud/securitycenter/v2/attack_exposure.proto";
import "google/cloud/securitycenter/v2/backup_disaster_recovery.proto";
import "google/cloud/securitycenter/v2/cloud_dlp_data_profile.proto";
import "google/cloud/securitycenter/v2/cloud_dlp_inspection.proto";
import "google/cloud/securitycenter/v2/compliance.proto";
import "google/cloud/securitycenter/v2/connection.proto";
import "google/cloud/securitycenter/v2/contact_details.proto";
import "google/cloud/securitycenter/v2/container.proto";
import "google/cloud/securitycenter/v2/database.proto";
import "google/cloud/securitycenter/v2/exfiltration.proto";
import "google/cloud/securitycenter/v2/external_system.proto";
import "google/cloud/securitycenter/v2/file.proto";
import "google/cloud/securitycenter/v2/iam_binding.proto";
import "google/cloud/securitycenter/v2/indicator.proto";
import "google/cloud/securitycenter/v2/kernel_rootkit.proto";
import "google/cloud/securitycenter/v2/kubernetes.proto";
import "google/cloud/securitycenter/v2/load_balancer.proto";
import "google/cloud/securitycenter/v2/log_entry.proto";
import "google/cloud/securitycenter/v2/mitre_attack.proto";
import "google/cloud/securitycenter/v2/org_policy.proto";
import "google/cloud/securitycenter/v2/process.proto";
import "google/cloud/securitycenter/v2/security_marks.proto";
import "google/cloud/securitycenter/v2/security_posture.proto";
import "google/cloud/securitycenter/v2/vulnerability.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
option csharp_namespace = "Google.Cloud.SecurityCenter.V2";
option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "FindingProto";
option java_package = "com.google.cloud.securitycenter.v2";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V2";
option ruby_package = "Google::Cloud::SecurityCenter::V2";
// Security Command Center finding.
//
// A finding is a record of assessment data like security, risk, health, or
// privacy, that is ingested into Security Command Center for presentation,
// notification, analysis, policy testing, and enforcement. For example, a
// cross-site scripting (XSS) vulnerability in an App Engine application is a
// finding.
message Finding {
option (google.api.resource) = {
type: "securitycenter.googleapis.com/Finding"
pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
pattern: "organizations/{organization}/sources/{source}/locations/{location}/findings/{finding}"
pattern: "folders/{folder}/sources/{source}/findings/{finding}"
pattern: "folders/{folder}/sources/{source}/locations/{location}/findings/{finding}"
pattern: "projects/{project}/sources/{source}/findings/{finding}"
pattern: "projects/{project}/sources/{source}/locations/{location}/findings/{finding}"
plural: "findings"
singular: "finding"
};
// The state of the finding.
enum State {
// Unspecified state.
STATE_UNSPECIFIED = 0;
// The finding requires attention and has not been addressed yet.
ACTIVE = 1;
// The finding has been fixed, triaged as a non-issue or otherwise addressed
// and is no longer active.
INACTIVE = 2;
}
// The severity of the finding.
enum Severity {
// This value is used for findings when a source doesn't write a severity
// value.
SEVERITY_UNSPECIFIED = 0;
// Vulnerability:
// A critical vulnerability is easily discoverable by an external actor,
// exploitable, and results in the direct ability to execute arbitrary code,
// exfiltrate data, and otherwise gain additional access and privileges to
// cloud resources and workloads. Examples include publicly accessible
// unprotected user data and public SSH access with weak or no
// passwords.
//
// Threat:
// Indicates a threat that is able to access, modify, or delete data or
// execute unauthorized code within existing resources.
CRITICAL = 1;
// Vulnerability:
// A high risk vulnerability can be easily discovered and exploited in
// combination with other vulnerabilities in order to gain direct access and
// the ability to execute arbitrary code, exfiltrate data, and otherwise
// gain additional access and privileges to cloud resources and workloads.
// An example is a database with weak or no passwords that is only
// accessible internally. This database could easily be compromised by an
// actor that had access to the internal network.
//
// Threat:
// Indicates a threat that is able to create new computational resources in
// an environment but not able to access data or execute code in existing
// resources.
HIGH = 2;
// Vulnerability:
// A medium risk vulnerability could be used by an actor to gain access to
// resources or privileges that enable them to eventually (through multiple
// steps or a complex exploit) gain access and the ability to execute
// arbitrary code or exfiltrate data. An example is a service account with
// access to more projects than it should have. If an actor gains access to
// the service account, they could potentially use that access to manipulate
// a project the service account was not intended to.
//
// Threat:
// Indicates a threat that is able to cause operational impact but may not
// access data or execute unauthorized code.
MEDIUM = 3;
// Vulnerability:
// A low risk vulnerability hampers a security organization's ability to
// detect vulnerabilities or active threats in their deployment, or prevents
// the root cause investigation of security issues. An example is monitoring
// and logs being disabled for resource configurations and access.
//
// Threat:
// Indicates a threat that has obtained minimal access to an environment but
// is not able to access data, execute code, or create resources.
LOW = 4;
}
// Mute state a finding can be in.
enum Mute {
// Unspecified.
MUTE_UNSPECIFIED = 0;
// Finding has been muted.
MUTED = 1;
// Finding has been unmuted.
UNMUTED = 2;
// Finding has never been muted/unmuted.
UNDEFINED = 3;
}
// Represents what kind of Finding it is.
enum FindingClass {
// Unspecified finding class.
FINDING_CLASS_UNSPECIFIED = 0;
// Describes unwanted or malicious activity.
THREAT = 1;
// Describes a potential weakness in software that increases risk to
// Confidentiality & Integrity & Availability.
VULNERABILITY = 2;
// Describes a potential weakness in cloud resource/asset configuration that
// increases risk.
MISCONFIGURATION = 3;
// Describes a security observation that is for informational purposes.
OBSERVATION = 4;
// Describes an error that prevents some SCC functionality.
SCC_ERROR = 5;
// Describes a potential security risk due to a change in the security
// posture.
POSTURE_VIOLATION = 6;
}
// The [relative resource
// name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
// of the finding. The following list shows some examples:
//
// +
// `organizations/{organization_id}/sources/{source_id}/findings/{finding_id}`
// +
// `organizations/{organization_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}`
// + `folders/{folder_id}/sources/{source_id}/findings/{finding_id}`
// +
// `folders/{folder_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}`
// + `projects/{project_id}/sources/{source_id}/findings/{finding_id}`
// +
// `projects/{project_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}`
string name = 1;
// Output only. The canonical name of the finding. The following list shows
// some examples:
//
// +
// `organizations/{organization_id}/sources/{source_id}/findings/{finding_id}`
// +
// `organizations/{organization_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}`
// + `folders/{folder_id}/sources/{source_id}/findings/{finding_id}`
// +
// `folders/{folder_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}`
// + `projects/{project_id}/sources/{source_id}/findings/{finding_id}`
// +
// `projects/{project_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}`
//
// The prefix is the closest CRM ancestor of the resource associated with the
// finding.
string canonical_name = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
// The relative resource name of the source and location the finding belongs
// to. See:
// https://cloud.google.com/apis/design/resource_names#relative_resource_name
// This field is immutable after creation time. The following list shows some
// examples:
//
// + `organizations/{organization_id}/sources/{source_id}`
// + `folders/{folders_id}/sources/{source_id}`
// + `projects/{projects_id}/sources/{source_id}`
// +
// `organizations/{organization_id}/sources/{source_id}/locations/{location_id}`
// + `folders/{folders_id}/sources/{source_id}/locations/{location_id}`
// + `projects/{projects_id}/sources/{source_id}/locations/{location_id}`
string parent = 3;
// Immutable. For findings on Google Cloud resources, the full resource
// name of the Google Cloud resource this finding is for. See:
// https://cloud.google.com/apis/design/resource_names#full_resource_name
// When the finding is for a non-Google Cloud resource, the resourceName can
// be a customer or partner defined string.
string resource_name = 4 [(google.api.field_behavior) = IMMUTABLE];
// Output only. The state of the finding.
State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
// Immutable. The additional taxonomy group within findings from a given
// source. Example: "XSS_FLASH_INJECTION"
string category = 7 [(google.api.field_behavior) = IMMUTABLE];
// The URI that, if available, points to a web page outside of Security
// Command Center where additional information about the finding can be found.
// This field is guaranteed to be either empty or a well formed URL.
string external_uri = 8;
// Source specific properties. These properties are managed by the source
// that writes the finding. The key names in the source_properties map must be
// between 1 and 255 characters, and must start with a letter and contain
// alphanumeric characters or underscores only.
map source_properties = 9;
// Output only. User specified security marks. These marks are entirely
// managed by the user and come from the SecurityMarks resource that belongs
// to the finding.
SecurityMarks security_marks = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
// The time the finding was first detected. If an existing finding is updated,
// then this is the time the update occurred.
// For example, if the finding represents an open firewall, this property
// captures the time the detector believes the firewall became open. The
// accuracy is determined by the detector. If the finding is later resolved,
// then this time reflects when the finding was resolved. This must not
// be set to a value greater than the current timestamp.
google.protobuf.Timestamp event_time = 11;
// Output only. The time at which the finding was created in Security Command
// Center.
google.protobuf.Timestamp create_time = 12
[(google.api.field_behavior) = OUTPUT_ONLY];
// The severity of the finding. This field is managed by the source that
// writes the finding.
Severity severity = 14;
// Indicates the mute state of a finding (either muted, unmuted
// or undefined). Unlike other attributes of a finding, a finding provider
// shouldn't set the value of mute.
Mute mute = 15;
// The class of the finding.
FindingClass finding_class = 16;
// Represents what's commonly known as an *indicator of compromise* (IoC) in
// computer forensics. This is an artifact observed on a network or in an
// operating system that, with high confidence, indicates a computer
// intrusion. For more information, see [Indicator of
// compromise](https://en.wikipedia.org/wiki/Indicator_of_compromise).
Indicator indicator = 17;
// Represents vulnerability-specific fields like CVE and CVSS scores.
// CVE stands for Common Vulnerabilities and Exposures
// (https://cve.mitre.org/about/)
Vulnerability vulnerability = 18;
// Output only. The most recent time this finding was muted or unmuted.
google.protobuf.Timestamp mute_update_time = 19
[(google.api.field_behavior) = OUTPUT_ONLY];
// Output only. Third party SIEM/SOAR fields within SCC, contains external
// system information and external system finding fields.
map external_systems = 20
[(google.api.field_behavior) = OUTPUT_ONLY];
// MITRE ATT&CK tactics and techniques related to this finding.
// See: https://attack.mitre.org
MitreAttack mitre_attack = 21;
// Access details associated with the finding, such as more information on the
// caller, which method was accessed, and from where.
Access access = 22;
// Contains information about the IP connection associated with the finding.
repeated Connection connections = 23;
// Records additional information about the mute operation, for example, the
// [mute
// configuration](https://cloud.google.com/security-command-center/docs/how-to-mute-findings)
// that muted the finding and the user who muted the finding.
string mute_initiator = 24;
// Represents operating system processes associated with the Finding.
repeated Process processes = 25;
// Output only. Map containing the points of contact for the given finding.
// The key represents the type of contact, while the value contains a list of
// all the contacts that pertain. Please refer to:
// https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories
//
// {
// "security": {
// "contacts": [
// {
// "email": "[email protected]"
// },
// {
// "email": "[email protected]"
// }
// ]
// }
// }
map contacts = 26
[(google.api.field_behavior) = OUTPUT_ONLY];
// Contains compliance information for security standards associated to the
// finding.
repeated Compliance compliances = 27;
// Output only. The human readable display name of the finding source such as
// "Event Threat Detection" or "Security Health Analytics".
string parent_display_name = 29 [(google.api.field_behavior) = OUTPUT_ONLY];
// Contains more details about the finding.
string description = 30;
// Represents exfiltrations associated with the finding.
Exfiltration exfiltration = 31;
// Represents IAM bindings associated with the finding.
repeated IamBinding iam_bindings = 32;
// Steps to address the finding.
string next_steps = 33;
// Unique identifier of the module which generated the finding.
// Example:
// folders/598186756061/securityHealthAnalyticsSettings/customModules/56799441161885
string module_name = 34;
// Containers associated with the finding. This field provides information for
// both Kubernetes and non-Kubernetes containers.
repeated Container containers = 35;
// Kubernetes resources associated with the finding.
Kubernetes kubernetes = 36;
// Database associated with the finding.
Database database = 37;
// The results of an attack path simulation relevant to this finding.
AttackExposure attack_exposure = 38;
// File associated with the finding.
repeated File files = 39;
// Cloud Data Loss Prevention (Cloud DLP) inspection results that are
// associated with the finding.
CloudDlpInspection cloud_dlp_inspection = 40;
// Cloud DLP data profile that is associated with the finding.
CloudDlpDataProfile cloud_dlp_data_profile = 41;
// Signature of the kernel rootkit.
KernelRootkit kernel_rootkit = 42;
// Contains information about the org policies associated with the finding.
repeated OrgPolicy org_policies = 43;
// Represents an application associated with the finding.
Application application = 45;
// Fields related to Backup and DR findings.
BackupDisasterRecovery backup_disaster_recovery = 47;
// The security posture associated with the finding.
SecurityPosture security_posture = 48;
// Log entries that are relevant to the finding.
repeated LogEntry log_entries = 49;
// The load balancers associated with the finding.
repeated LoadBalancer load_balancers = 50;
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy