1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.securitycenter.v1;
18
19import "google/api/field_behavior.proto";
20import "google/api/resource.proto";
21import "google/cloud/securitycenter/v1/access.proto";
22import "google/cloud/securitycenter/v1/application.proto";
23import "google/cloud/securitycenter/v1/backup_disaster_recovery.proto";
24import "google/cloud/securitycenter/v1/cloud_armor.proto";
25import "google/cloud/securitycenter/v1/cloud_dlp_data_profile.proto";
26import "google/cloud/securitycenter/v1/cloud_dlp_inspection.proto";
27import "google/cloud/securitycenter/v1/compliance.proto";
28import "google/cloud/securitycenter/v1/connection.proto";
29import "google/cloud/securitycenter/v1/contact_details.proto";
30import "google/cloud/securitycenter/v1/container.proto";
31import "google/cloud/securitycenter/v1/database.proto";
32import "google/cloud/securitycenter/v1/exfiltration.proto";
33import "google/cloud/securitycenter/v1/external_system.proto";
34import "google/cloud/securitycenter/v1/file.proto";
35import "google/cloud/securitycenter/v1/iam_binding.proto";
36import "google/cloud/securitycenter/v1/indicator.proto";
37import "google/cloud/securitycenter/v1/kernel_rootkit.proto";
38import "google/cloud/securitycenter/v1/kubernetes.proto";
39import "google/cloud/securitycenter/v1/load_balancer.proto";
40import "google/cloud/securitycenter/v1/log_entry.proto";
41import "google/cloud/securitycenter/v1/mitre_attack.proto";
42import "google/cloud/securitycenter/v1/notebook.proto";
43import "google/cloud/securitycenter/v1/org_policy.proto";
44import "google/cloud/securitycenter/v1/process.proto";
45import "google/cloud/securitycenter/v1/security_marks.proto";
46import "google/cloud/securitycenter/v1/security_posture.proto";
47import "google/cloud/securitycenter/v1/vulnerability.proto";
48import "google/protobuf/struct.proto";
49import "google/protobuf/timestamp.proto";
50
51option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
52option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
53option java_multiple_files = true;
54option java_package = "com.google.cloud.securitycenter.v1";
55option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
56option ruby_package = "Google::Cloud::SecurityCenter::V1";
57
58// Security Command Center finding.
59//
60// A finding is a record of assessment data like security, risk, health, or
61// privacy, that is ingested into Security Command Center for presentation,
62// notification, analysis, policy testing, and enforcement. For example, a
63// cross-site scripting (XSS) vulnerability in an App Engine application is a
64// finding.
65message Finding {
66  option (google.api.resource) = {
67    type: "securitycenter.googleapis.com/Finding"
68    pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
69    pattern: "folders/{folder}/sources/{source}/findings/{finding}"
70    pattern: "projects/{project}/sources/{source}/findings/{finding}"
71  };
72
73  // The state of the finding.
74  enum State {
75    // Unspecified state.
76    STATE_UNSPECIFIED = 0;
77
78    // The finding requires attention and has not been addressed yet.
79    ACTIVE = 1;
80
81    // The finding has been fixed, triaged as a non-issue or otherwise addressed
82    // and is no longer active.
83    INACTIVE = 2;
84  }
85
86  // The severity of the finding.
  // Values are ordered from most to least severe (CRITICAL = 1 through
  // LOW = 4); SEVERITY_UNSPECIFIED = 0 sits outside that ordering, so callers
  // that rank findings by numeric value must treat 0 separately.
87  enum Severity {
88    // This value is used for findings when a source doesn't write a severity
89    // value.
90    SEVERITY_UNSPECIFIED = 0;
91
92    // Vulnerability:
93    // A critical vulnerability is easily discoverable by an external actor,
94    // exploitable, and results in the direct ability to execute arbitrary code,
95    // exfiltrate data, and otherwise gain additional access and privileges to
96    // cloud resources and workloads. Examples include publicly accessible
97    // unprotected user data and public SSH access with weak or no
98    // passwords.
99    //
100    // Threat:
101    // Indicates a threat that is able to access, modify, or delete data or
102    // execute unauthorized code within existing resources.
103    CRITICAL = 1;
104
105    // Vulnerability:
106    // A high risk vulnerability can be easily discovered and exploited in
107    // combination with other vulnerabilities in order to gain direct access and
108    // the ability to execute arbitrary code, exfiltrate data, and otherwise
109    // gain additional access and privileges to cloud resources and workloads.
110    // An example is a database with weak or no passwords that is only
111    // accessible internally. This database could easily be compromised by an
112    // actor that had access to the internal network.
113    //
114    // Threat:
115    // Indicates a threat that is able to create new computational resources in
116    // an environment but not able to access data or execute code in existing
117    // resources.
118    HIGH = 2;
119
120    // Vulnerability:
121    // A medium risk vulnerability could be used by an actor to gain access to
122    // resources or privileges that enable them to eventually (through multiple
123    // steps or a complex exploit) gain access and the ability to execute
124    // arbitrary code or exfiltrate data. An example is a service account with
125    // access to more projects than it should have. If an actor gains access to
126    // the service account, they could potentially use that access to manipulate
127    // a project the service account was not intended to.
128    //
129    // Threat:
130    // Indicates a threat that is able to cause operational impact but may not
131    // access data or execute unauthorized code.
132    MEDIUM = 3;
133
134    // Vulnerability:
135    // A low risk vulnerability hampers a security organization's ability to
136    // detect vulnerabilities or active threats in their deployment, or prevents
137    // the root cause investigation of security issues. An example is monitoring
138    // and logs being disabled for resource configurations and access.
139    //
140    // Threat:
141    // Indicates a threat that has obtained minimal access to an environment but
142    // is not able to access data, execute code, or create resources.
143    LOW = 4;
144  }
145
146  // Mute state a finding can be in.
  // NOTE(review): the distinction between MUTE_UNSPECIFIED (0, the proto3
  // default) and UNDEFINED (4, "never been muted/unmuted") is not documented
  // here — confirm with the service which one a never-muted finding reports.
  // Value 3 is skipped and not reserved; if it was ever published, a
  // `reserved 3;` entry would prevent a later value from reusing it.
147  enum Mute {
148    // Unspecified.
149    MUTE_UNSPECIFIED = 0;
150
151    // Finding has been muted.
152    MUTED = 1;
153
154    // Finding has been unmuted.
155    UNMUTED = 2;
156
157    // Finding has never been muted/unmuted.
158    UNDEFINED = 4;
159  }
160
161  // Represents what kind of Finding it is.
162  enum FindingClass {
163    // Unspecified finding class.
164    FINDING_CLASS_UNSPECIFIED = 0;
165
166    // Describes unwanted or malicious activity.
167    THREAT = 1;
168
169    // Describes a potential weakness in software that increases risk to
170    // Confidentiality & Integrity & Availability.
171    VULNERABILITY = 2;
172
173    // Describes a potential weakness in cloud resource/asset configuration that
174    // increases risk.
175    MISCONFIGURATION = 3;
176
177    // Describes a security observation that is for informational purposes.
178    OBSERVATION = 4;
179
180    // Describes an error that prevents some SCC functionality.
181    SCC_ERROR = 5;
182
183    // Describes a potential security risk due to a change in the security
184    // posture.
185    POSTURE_VIOLATION = 6;
186  }
187
  // NOTE(review): several field numbers are skipped below (11, 13, 16, 19, 23,
  // 24, 27, 29, 32, 35, 45, 47, 52, 54 and 60 to 62) without a `reserved`
  // statement. If any of them belonged to a removed field, reserving it here
  // would stop a future field from silently inheriting old wire data.
188  // The [relative resource
189  // name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
190  // of the finding. Example:
191  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
192  // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}",
193  // "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
194  string name = 1;
195
196  // The relative resource name of the source the finding belongs to. See:
197  // https://cloud.google.com/apis/design/resource_names#relative_resource_name
198  // This field is immutable after creation time.
199  // For example:
200  // "organizations/{organization_id}/sources/{source_id}"
201  string parent = 2;
202
203  // For findings on Google Cloud resources, the full resource
204  // name of the Google Cloud resource this finding is for. See:
205  // https://cloud.google.com/apis/design/resource_names#full_resource_name
206  // When the finding is for a non-Google Cloud resource, the resourceName can
207  // be a customer or partner defined string. This field is immutable after
208  // creation time.
209  string resource_name = 3;
210
211  // The state of the finding.
212  State state = 4;
213
214  // The additional taxonomy group within findings from a given source.
215  // This field is immutable after creation time.
216  // Example: "XSS_FLASH_INJECTION"
217  string category = 5;
218
219  // The URI that, if available, points to a web page outside of Security
220  // Command Center where additional information about the finding can be found.
221  // This field is guaranteed to be either empty or a well formed URL.
222  string external_uri = 6;
223
224  // Source specific properties. These properties are managed by the source
225  // that writes the finding. The key names in the source_properties map must be
226  // between 1 and 255 characters, and must start with a letter and contain
227  // alphanumeric characters or underscores only.
  // Values are untyped (google.protobuf.Value) and written by the source, so
  // consumers should not assume a fixed schema for them.
228  map<string, google.protobuf.Value> source_properties = 7;
229
230  // Output only. User specified security marks. These marks are entirely
231  // managed by the user and come from the SecurityMarks resource that belongs
232  // to the finding.
233  SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
234
235  // The time the finding was first detected. If an existing finding is updated,
236  // then this is the time the update occurred.
237  // For example, if the finding represents an open firewall, this property
238  // captures the time the detector believes the firewall became open. The
239  // accuracy is determined by the detector. If the finding is later resolved,
240  // then this time reflects when the finding was resolved. This must not
241  // be set to a value greater than the current timestamp.
242  google.protobuf.Timestamp event_time = 9;
243
244  // The time at which the finding was created in Security Command Center.
245  google.protobuf.Timestamp create_time = 10;
246
247  // The severity of the finding. This field is managed by the source that
248  // writes the finding.
249  Severity severity = 12;
250
251  // The canonical name of the finding. It's either
252  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
253  // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or
254  // "projects/{project_number}/sources/{source_id}/findings/{finding_id}",
255  // depending on the closest CRM ancestor of the resource associated with the
256  // finding.
257  string canonical_name = 14;
258
259  // Indicates the mute state of a finding (either muted, unmuted
260  // or undefined). Unlike other attributes of a finding, a finding provider
261  // shouldn't set the value of mute.
262  Mute mute = 15;
263
264  // The class of the finding.
265  FindingClass finding_class = 17;
266
267  // Represents what's commonly known as an *indicator of compromise* (IoC) in
268  // computer forensics. This is an artifact observed on a network or in an
269  // operating system that, with high confidence, indicates a computer
270  // intrusion. For more information, see [Indicator of
271  // compromise](https://en.wikipedia.org/wiki/Indicator_of_compromise).
272  Indicator indicator = 18;
273
274  // Represents vulnerability-specific fields like CVE and CVSS scores.
275  // CVE stands for Common Vulnerabilities and Exposures
276  // (https://cve.mitre.org/about/)
277  Vulnerability vulnerability = 20;
278
279  // Output only. The most recent time this finding was muted or unmuted.
280  google.protobuf.Timestamp mute_update_time = 21
281      [(google.api.field_behavior) = OUTPUT_ONLY];
282
283  // Output only. Third party SIEM/SOAR fields within SCC, contains external
284  // system information and external system finding fields.
285  map<string, ExternalSystem> external_systems = 22
286      [(google.api.field_behavior) = OUTPUT_ONLY];
287
288  // MITRE ATT&CK tactics and techniques related to this finding.
289  // See: https://attack.mitre.org
290  MitreAttack mitre_attack = 25;
291
292  // Access details associated with the finding, such as more information on the
293  // caller, which method was accessed, and from where.
294  Access access = 26;
295
296  // Contains information about the IP connection associated with the finding.
297  repeated Connection connections = 31;
298
299  // Records additional information about the mute operation, for example, the
300  // [mute configuration](/security-command-center/docs/how-to-mute-findings)
301  // that muted the finding and the user who muted the finding.
302  string mute_initiator = 28;
303
304  // Represents operating system processes associated with the Finding.
305  repeated Process processes = 30;
306
307  // Output only. Map containing the points of contact for the given finding.
308  // The key represents the type of contact, while the value contains a list of
309  // all the contacts that pertain. Please refer to:
310  // https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories
311  //
312  //     {
313  //       "security": {
314  //         "contacts": [
315  //           {
316  //             "email": "person1@company.com"
317  //           },
318  //           {
319  //             "email": "person2@company.com"
320  //           }
321  //         ]
322  //       }
323  //     }
324  map<string, ContactDetails> contacts = 33
325      [(google.api.field_behavior) = OUTPUT_ONLY];
326
327  // Contains compliance information for security standards associated to the
328  // finding.
329  repeated Compliance compliances = 34;
330
331  // Output only. The human readable display name of the finding source such as
332  // "Event Threat Detection" or "Security Health Analytics".
333  string parent_display_name = 36 [(google.api.field_behavior) = OUTPUT_ONLY];
334
335  // Contains more details about the finding.
336  string description = 37;
337
338  // Represents exfiltrations associated with the finding.
339  Exfiltration exfiltration = 38;
340
341  // Represents IAM bindings associated with the finding.
342  repeated IamBinding iam_bindings = 39;
343
344  // Steps to address the finding.
345  string next_steps = 40;
346
347  // Unique identifier of the module which generated the finding.
348  // Example:
349  // folders/598186756061/securityHealthAnalyticsSettings/customModules/56799441161885
350  string module_name = 41;
351
352  // Containers associated with the finding. This field provides information for
353  // both Kubernetes and non-Kubernetes containers.
354  repeated Container containers = 42;
355
356  // Kubernetes resources associated with the finding.
357  Kubernetes kubernetes = 43;
358
359  // Database associated with the finding.
360  Database database = 44;
361
362  // File associated with the finding.
363  repeated File files = 46;
364
365  // Cloud Data Loss Prevention (Cloud DLP) inspection results that are
366  // associated with the finding.
367  CloudDlpInspection cloud_dlp_inspection = 48;
368
369  // Cloud DLP data profile that is associated with the finding.
370  CloudDlpDataProfile cloud_dlp_data_profile = 49;
371
372  // Signature of the kernel rootkit.
373  KernelRootkit kernel_rootkit = 50;
374
375  // Contains information about the org policies associated with the finding.
376  repeated OrgPolicy org_policies = 51;
377
378  // Represents an application associated with the finding.
379  Application application = 53;
380
381  // Fields related to Backup and DR findings.
382  BackupDisasterRecovery backup_disaster_recovery = 55;
383
384  // The security posture associated with the finding.
385  SecurityPosture security_posture = 56;
386
387  // Log entries that are relevant to the finding.
388  repeated LogEntry log_entries = 57;
389
390  // The load balancers associated with the finding.
391  repeated LoadBalancer load_balancers = 58;
392
393  // Fields related to Cloud Armor findings.
394  CloudArmor cloud_armor = 59;
395
396  // Notebook associated with the finding.
397  Notebook notebook = 63;
398}