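// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

import "google/protobuf/duration.proto";

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "CloudArmorProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Fields related to Google Cloud Armor findings.
//
// Consumer note: every scalar field in this file is a plain proto3 scalar
// (no `optional`), so a value of 0, 0.0, false or "" is indistinguishable on
// the wire from "not populated". Detection and triage logic should not read a
// zero as a measured zero. The message-typed fields below do carry presence
// and can be checked for being set.
message CloudArmor {
  // Information about the [Google Cloud Armor security
  // policy](https://cloud.google.com/armor/docs/security-policy-overview)
  // relevant to the finding.
  SecurityPolicy security_policy = 1;

  // Information about incoming requests evaluated by [Google Cloud Armor
  // security
  // policies](https://cloud.google.com/armor/docs/security-policy-overview).
  Requests requests = 2;

  // Information about potential Layer 7 DDoS attacks identified by [Google
  // Cloud Armor Adaptive
  // Protection](https://cloud.google.com/armor/docs/adaptive-protection-overview).
  AdaptiveProtection adaptive_protection = 3;

  // Information about DDoS attack volume and classification.
  Attack attack = 4;

  // Distinguishes volumetric and protocol DDoS attacks from application-layer
  // attacks. For example, "L3_4" for Layer 3 and Layer 4 DDoS attacks, or
  // "L_7" for Layer 7 DDoS attacks.
  //
  // This is a free-form string rather than an enum; the values above are
  // given only as examples, so consumers should handle values they do not
  // recognise instead of assuming a closed set.
  string threat_vector = 5;

  // Duration of the attack from its start until the current moment (updated
  // every 5 minutes). Because it is refreshed periodically, a stored finding
  // holds a snapshot, not necessarily the final length of the attack.
  google.protobuf.Duration duration = 6;
}

// Information about the [Google Cloud Armor security
// policy](https://cloud.google.com/armor/docs/security-policy-overview)
// relevant to the finding.
message SecurityPolicy {
  // The name of the Google Cloud Armor security policy, for example,
  // "my-security-policy".
  string name = 1;

  // The type of Google Cloud Armor security policy, for example, "backend
  // security policy", "edge security policy", "network edge security policy",
  // or "always-on DDoS protection". Free-form string; the exact values
  // emitted are not fixed by this schema.
  string type = 2;

  // Whether or not the associated rule or policy is in preview mode.
  //
  // In Cloud Armor, a rule in preview mode has its action logged but not
  // enforced, so a finding with preview = true does not by itself indicate
  // that the matching traffic was blocked. Because this is an implicit-
  // presence bool, false may also mean the field was not populated.
  bool preview = 3;
}

// Information about the requests relevant to the finding.
message Requests {
  // For 'Increasing deny ratio', the ratio is the denied traffic divided by the
  // allowed traffic. For 'Allowed traffic spike', the ratio is the allowed
  // traffic in the short term divided by allowed traffic in the long term.
  //
  // NOTE(review): the schema does not say what is reported when the divisor
  // is zero; confirm against real findings before thresholding on this value.
  double ratio = 1;

  // Allowed RPS (requests per second) in the short term.
  int32 short_term_allowed = 2;

  // Allowed RPS (requests per second) over the long term.
  int32 long_term_allowed = 3;

  // Denied RPS (requests per second) over the long term.
  int32 long_term_denied = 4;
}

// Information about [Google Cloud Armor Adaptive
// Protection](https://cloud.google.com/armor/docs/cloud-armor-overview#google-cloud-armor-adaptive-protection).
message AdaptiveProtection {
  // A score of 0 means that there is low confidence that the detected event is
  // an actual attack. A score of 1 means that there is high confidence that the
  // detected event is an attack. See the [Adaptive Protection
  // documentation](https://cloud.google.com/armor/docs/adaptive-protection-overview#configure-alert-tuning)
  // for further explanation.
  //
  // Presumably a value in the range 0 to 1; the range is not enforced by the
  // type. An unset field also reads as 0, which is the same as the
  // low-confidence score.
  double confidence = 1;
}

// Information about DDoS attack volume and classification.
//
// NOTE(review): both volume fields are int32, whose maximum is 2,147,483,647.
// For volume_bps, stated in bytes per second, that is roughly 2.1 GB/s. This
// schema does not specify how larger volumes are represented, so confirm the
// behaviour before alerting or sizing a response on these numbers.
message Attack {
  // Total PPS (packets per second) volume of attack.
  int32 volume_pps = 1;

  // Total BPS (bytes per second) volume of attack.
  int32 volume_bps = 2;

  // Type of attack, for example, "SYN-flood", "NTP-udp", or "CHARGEN-udp".
  // Free-form string; treat the examples as illustrative, not exhaustive.
  string classification = 3;
}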