1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.securitycenter.v2; 18 19import "google/api/field_behavior.proto"; 20import "google/api/resource.proto"; 21import "google/cloud/securitycenter/v2/access.proto"; 22import "google/cloud/securitycenter/v2/application.proto"; 23import "google/cloud/securitycenter/v2/attack_exposure.proto"; 24import "google/cloud/securitycenter/v2/backup_disaster_recovery.proto"; 25import "google/cloud/securitycenter/v2/cloud_dlp_data_profile.proto"; 26import "google/cloud/securitycenter/v2/cloud_dlp_inspection.proto"; 27import "google/cloud/securitycenter/v2/compliance.proto"; 28import "google/cloud/securitycenter/v2/connection.proto"; 29import "google/cloud/securitycenter/v2/contact_details.proto"; 30import "google/cloud/securitycenter/v2/container.proto"; 31import "google/cloud/securitycenter/v2/database.proto"; 32import "google/cloud/securitycenter/v2/exfiltration.proto"; 33import "google/cloud/securitycenter/v2/external_system.proto"; 34import "google/cloud/securitycenter/v2/file.proto"; 35import "google/cloud/securitycenter/v2/iam_binding.proto"; 36import "google/cloud/securitycenter/v2/indicator.proto"; 37import "google/cloud/securitycenter/v2/kernel_rootkit.proto"; 38import "google/cloud/securitycenter/v2/kubernetes.proto"; 39import "google/cloud/securitycenter/v2/load_balancer.proto"; 40import "google/cloud/securitycenter/v2/log_entry.proto"; 41import "google/cloud/securitycenter/v2/mitre_attack.proto"; 42import "google/cloud/securitycenter/v2/org_policy.proto"; 43import "google/cloud/securitycenter/v2/process.proto"; 44import "google/cloud/securitycenter/v2/security_marks.proto"; 45import "google/cloud/securitycenter/v2/security_posture.proto"; 46import "google/cloud/securitycenter/v2/vulnerability.proto"; 47import "google/protobuf/struct.proto"; 48import "google/protobuf/timestamp.proto"; 49 50option csharp_namespace = "Google.Cloud.SecurityCenter.V2"; 51option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb"; 52option java_multiple_files = true; 53option java_outer_classname = "FindingProto"; 54option java_package = "com.google.cloud.securitycenter.v2"; 55option php_namespace = "Google\\Cloud\\SecurityCenter\\V2"; 56option ruby_package = "Google::Cloud::SecurityCenter::V2"; 57 58// Security Command Center finding. 59// 60// A finding is a record of assessment data like security, risk, health, or 61// privacy, that is ingested into Security Command Center for presentation, 62// notification, analysis, policy testing, and enforcement. For example, a 63// cross-site scripting (XSS) vulnerability in an App Engine application is a 64// finding. 65message Finding { 66 option (google.api.resource) = { 67 type: "securitycenter.googleapis.com/Finding" 68 pattern: "organizations/{organization}/sources/{source}/findings/{finding}" 69 pattern: "organizations/{organization}/sources/{source}/locations/{location}/findings/{finding}" 70 pattern: "folders/{folder}/sources/{source}/findings/{finding}" 71 pattern: "folders/{folder}/sources/{source}/locations/{location}/findings/{finding}" 72 pattern: "projects/{project}/sources/{source}/findings/{finding}" 73 pattern: "projects/{project}/sources/{source}/locations/{location}/findings/{finding}" 74 plural: "findings" 75 singular: "finding" 76 }; 77 78 // The state of the finding. 79 enum State { 80 // Unspecified state. 81 STATE_UNSPECIFIED = 0; 82 83 // The finding requires attention and has not been addressed yet. 84 ACTIVE = 1; 85 86 // The finding has been fixed, triaged as a non-issue or otherwise addressed 87 // and is no longer active. 88 INACTIVE = 2; 89 } 90 91 // The severity of the finding. 92 enum Severity { 93 // This value is used for findings when a source doesn't write a severity 94 // value. 95 SEVERITY_UNSPECIFIED = 0; 96 97 // Vulnerability: 98 // A critical vulnerability is easily discoverable by an external actor, 99 // exploitable, and results in the direct ability to execute arbitrary code, 100 // exfiltrate data, and otherwise gain additional access and privileges to 101 // cloud resources and workloads. Examples include publicly accessible 102 // unprotected user data and public SSH access with weak or no 103 // passwords. 104 // 105 // Threat: 106 // Indicates a threat that is able to access, modify, or delete data or 107 // execute unauthorized code within existing resources. 108 CRITICAL = 1; 109 110 // Vulnerability: 111 // A high risk vulnerability can be easily discovered and exploited in 112 // combination with other vulnerabilities in order to gain direct access and 113 // the ability to execute arbitrary code, exfiltrate data, and otherwise 114 // gain additional access and privileges to cloud resources and workloads. 115 // An example is a database with weak or no passwords that is only 116 // accessible internally. This database could easily be compromised by an 117 // actor that had access to the internal network. 118 // 119 // Threat: 120 // Indicates a threat that is able to create new computational resources in 121 // an environment but not able to access data or execute code in existing 122 // resources. 123 HIGH = 2; 124 125 // Vulnerability: 126 // A medium risk vulnerability could be used by an actor to gain access to 127 // resources or privileges that enable them to eventually (through multiple 128 // steps or a complex exploit) gain access and the ability to execute 129 // arbitrary code or exfiltrate data. An example is a service account with 130 // access to more projects than it should have. If an actor gains access to 131 // the service account, they could potentially use that access to manipulate 132 // a project the service account was not intended to. 133 // 134 // Threat: 135 // Indicates a threat that is able to cause operational impact but may not 136 // access data or execute unauthorized code. 137 MEDIUM = 3; 138 139 // Vulnerability: 140 // A low risk vulnerability hampers a security organization's ability to 141 // detect vulnerabilities or active threats in their deployment, or prevents 142 // the root cause investigation of security issues. An example is monitoring 143 // and logs being disabled for resource configurations and access. 144 // 145 // Threat: 146 // Indicates a threat that has obtained minimal access to an environment but 147 // is not able to access data, execute code, or create resources. 148 LOW = 4; 149 } 150 151 // Mute state a finding can be in. 152 enum Mute { 153 // Unspecified. 154 MUTE_UNSPECIFIED = 0; 155 156 // Finding has been muted. 157 MUTED = 1; 158 159 // Finding has been unmuted. 160 UNMUTED = 2; 161 162 // Finding has never been muted/unmuted. 163 UNDEFINED = 3; 164 } 165 166 // Represents what kind of Finding it is. 167 enum FindingClass { 168 // Unspecified finding class. 169 FINDING_CLASS_UNSPECIFIED = 0; 170 171 // Describes unwanted or malicious activity. 172 THREAT = 1; 173 174 // Describes a potential weakness in software that increases risk to 175 // Confidentiality & Integrity & Availability. 176 VULNERABILITY = 2; 177 178 // Describes a potential weakness in cloud resource/asset configuration that 179 // increases risk. 180 MISCONFIGURATION = 3; 181 182 // Describes a security observation that is for informational purposes. 183 OBSERVATION = 4; 184 185 // Describes an error that prevents some SCC functionality. 186 SCC_ERROR = 5; 187 188 // Describes a potential security risk due to a change in the security 189 // posture. 190 POSTURE_VIOLATION = 6; 191 } 192 193 // The [relative resource 194 // name](https://cloud.google.com/apis/design/resource_names#relative_resource_name) 195 // of the finding. The following list shows some examples: 196 // 197 // + 198 // `organizations/{organization_id}/sources/{source_id}/findings/{finding_id}` 199 // + 200 // `organizations/{organization_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}` 201 // + `folders/{folder_id}/sources/{source_id}/findings/{finding_id}` 202 // + 203 // `folders/{folder_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}` 204 // + `projects/{project_id}/sources/{source_id}/findings/{finding_id}` 205 // + 206 // `projects/{project_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}` 207 string name = 1; 208 209 // Output only. The canonical name of the finding. The following list shows 210 // some examples: 211 // 212 // + 213 // `organizations/{organization_id}/sources/{source_id}/findings/{finding_id}` 214 // + 215 // `organizations/{organization_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}` 216 // + `folders/{folder_id}/sources/{source_id}/findings/{finding_id}` 217 // + 218 // `folders/{folder_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}` 219 // + `projects/{project_id}/sources/{source_id}/findings/{finding_id}` 220 // + 221 // `projects/{project_id}/sources/{source_id}/locations/{location_id}/findings/{finding_id}` 222 // 223 // The prefix is the closest CRM ancestor of the resource associated with the 224 // finding. 225 string canonical_name = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; 226 227 // The relative resource name of the source and location the finding belongs 228 // to. See: 229 // https://cloud.google.com/apis/design/resource_names#relative_resource_name 230 // This field is immutable after creation time. The following list shows some 231 // examples: 232 // 233 // + `organizations/{organization_id}/sources/{source_id}` 234 // + `folders/{folders_id}/sources/{source_id}` 235 // + `projects/{projects_id}/sources/{source_id}` 236 // + 237 // `organizations/{organization_id}/sources/{source_id}/locations/{location_id}` 238 // + `folders/{folders_id}/sources/{source_id}/locations/{location_id}` 239 // + `projects/{projects_id}/sources/{source_id}/locations/{location_id}` 240 string parent = 3; 241 242 // Immutable. For findings on Google Cloud resources, the full resource 243 // name of the Google Cloud resource this finding is for. See: 244 // https://cloud.google.com/apis/design/resource_names#full_resource_name 245 // When the finding is for a non-Google Cloud resource, the resourceName can 246 // be a customer or partner defined string. 247 string resource_name = 4 [(google.api.field_behavior) = IMMUTABLE]; 248 249 // Output only. The state of the finding. 250 State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; 251 252 // Immutable. The additional taxonomy group within findings from a given 253 // source. Example: "XSS_FLASH_INJECTION" 254 string category = 7 [(google.api.field_behavior) = IMMUTABLE]; 255 256 // The URI that, if available, points to a web page outside of Security 257 // Command Center where additional information about the finding can be found. 258 // This field is guaranteed to be either empty or a well formed URL. 259 string external_uri = 8; 260 261 // Source specific properties. These properties are managed by the source 262 // that writes the finding. The key names in the source_properties map must be 263 // between 1 and 255 characters, and must start with a letter and contain 264 // alphanumeric characters or underscores only. 265 map<string, google.protobuf.Value> source_properties = 9; 266 267 // Output only. User specified security marks. These marks are entirely 268 // managed by the user and come from the SecurityMarks resource that belongs 269 // to the finding. 270 SecurityMarks security_marks = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; 271 272 // The time the finding was first detected. If an existing finding is updated, 273 // then this is the time the update occurred. 274 // For example, if the finding represents an open firewall, this property 275 // captures the time the detector believes the firewall became open. The 276 // accuracy is determined by the detector. If the finding is later resolved, 277 // then this time reflects when the finding was resolved. This must not 278 // be set to a value greater than the current timestamp. 279 google.protobuf.Timestamp event_time = 11; 280 281 // Output only. The time at which the finding was created in Security Command 282 // Center. 283 google.protobuf.Timestamp create_time = 12 284 [(google.api.field_behavior) = OUTPUT_ONLY]; 285 286 // The severity of the finding. This field is managed by the source that 287 // writes the finding. 288 Severity severity = 14; 289 290 // Indicates the mute state of a finding (either muted, unmuted 291 // or undefined). Unlike other attributes of a finding, a finding provider 292 // shouldn't set the value of mute. 293 Mute mute = 15; 294 295 // The class of the finding. 296 FindingClass finding_class = 16; 297 298 // Represents what's commonly known as an *indicator of compromise* (IoC) in 299 // computer forensics. This is an artifact observed on a network or in an 300 // operating system that, with high confidence, indicates a computer 301 // intrusion. For more information, see [Indicator of 302 // compromise](https://en.wikipedia.org/wiki/Indicator_of_compromise). 303 Indicator indicator = 17; 304 305 // Represents vulnerability-specific fields like CVE and CVSS scores. 306 // CVE stands for Common Vulnerabilities and Exposures 307 // (https://cve.mitre.org/about/) 308 Vulnerability vulnerability = 18; 309 310 // Output only. The most recent time this finding was muted or unmuted. 311 google.protobuf.Timestamp mute_update_time = 19 312 [(google.api.field_behavior) = OUTPUT_ONLY]; 313 314 // Output only. Third party SIEM/SOAR fields within SCC, contains external 315 // system information and external system finding fields. 316 map<string, ExternalSystem> external_systems = 20 317 [(google.api.field_behavior) = OUTPUT_ONLY]; 318 319 // MITRE ATT&CK tactics and techniques related to this finding. 320 // See: https://attack.mitre.org 321 MitreAttack mitre_attack = 21; 322 323 // Access details associated with the finding, such as more information on the 324 // caller, which method was accessed, and from where. 325 Access access = 22; 326 327 // Contains information about the IP connection associated with the finding. 328 repeated Connection connections = 23; 329 330 // Records additional information about the mute operation, for example, the 331 // [mute 332 // configuration](https://cloud.google.com/security-command-center/docs/how-to-mute-findings) 333 // that muted the finding and the user who muted the finding. 334 string mute_initiator = 24; 335 336 // Represents operating system processes associated with the Finding. 337 repeated Process processes = 25; 338 339 // Output only. Map containing the points of contact for the given finding. 340 // The key represents the type of contact, while the value contains a list of 341 // all the contacts that pertain. Please refer to: 342 // https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories 343 // 344 // { 345 // "security": { 346 // "contacts": [ 347 // { 348 // "email": "[email protected]" 349 // }, 350 // { 351 // "email": "[email protected]" 352 // } 353 // ] 354 // } 355 // } 356 map<string, ContactDetails> contacts = 26 357 [(google.api.field_behavior) = OUTPUT_ONLY]; 358 359 // Contains compliance information for security standards associated to the 360 // finding. 361 repeated Compliance compliances = 27; 362 363 // Output only. The human readable display name of the finding source such as 364 // "Event Threat Detection" or "Security Health Analytics". 365 string parent_display_name = 29 [(google.api.field_behavior) = OUTPUT_ONLY]; 366 367 // Contains more details about the finding. 368 string description = 30; 369 370 // Represents exfiltrations associated with the finding. 371 Exfiltration exfiltration = 31; 372 373 // Represents IAM bindings associated with the finding. 374 repeated IamBinding iam_bindings = 32; 375 376 // Steps to address the finding. 377 string next_steps = 33; 378 379 // Unique identifier of the module which generated the finding. 380 // Example: 381 // folders/598186756061/securityHealthAnalyticsSettings/customModules/56799441161885 382 string module_name = 34; 383 384 // Containers associated with the finding. This field provides information for 385 // both Kubernetes and non-Kubernetes containers. 386 repeated Container containers = 35; 387 388 // Kubernetes resources associated with the finding. 389 Kubernetes kubernetes = 36; 390 391 // Database associated with the finding. 392 Database database = 37; 393 394 // The results of an attack path simulation relevant to this finding. 395 AttackExposure attack_exposure = 38; 396 397 // File associated with the finding. 398 repeated File files = 39; 399 400 // Cloud Data Loss Prevention (Cloud DLP) inspection results that are 401 // associated with the finding. 402 CloudDlpInspection cloud_dlp_inspection = 40; 403 404 // Cloud DLP data profile that is associated with the finding. 405 CloudDlpDataProfile cloud_dlp_data_profile = 41; 406 407 // Signature of the kernel rootkit. 408 KernelRootkit kernel_rootkit = 42; 409 410 // Contains information about the org policies associated with the finding. 411 repeated OrgPolicy org_policies = 43; 412 413 // Represents an application associated with the finding. 414 Application application = 45; 415 416 // Fields related to Backup and DR findings. 417 BackupDisasterRecovery backup_disaster_recovery = 47; 418 419 // The security posture associated with the finding. 420 SecurityPosture security_posture = 48; 421 422 // Log entries that are relevant to the finding. 423 repeated LogEntry log_entries = 49; 424 425 // The load balancers associated with the finding. 426 repeated LoadBalancer load_balancers = 50; 427} 428