// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "IndicatorProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Represents what's commonly known as an _indicator of compromise_ (IoC) in
// computer forensics. This is an artifact observed on a network or in an
// operating system that, with high confidence, indicates a computer intrusion.
// For more information, see [Indicator of
// compromise](https://en.wikipedia.org/wiki/Indicator_of_compromise).
//
// All artifact fields below are carried as plain strings; this schema does
// not validate their format. Consumers should treat them as data reported by
// the detection, not as values that have been verified or that are safe to
// resolve or open.
message Indicator {
  // Indicates what signature matched this process.
  //
  // NOTE(review): field numbers across ProcessSignature and its nested
  // messages look as if they were allocated from one shared 1–8 sequence, so
  // the gaps inside each message are not necessarily deleted fields. Field
  // numbers are scoped per message; new fields only need to avoid numbers
  // already used in the same message — confirm before adding `reserved`.
  message ProcessSignature {
    // A signature corresponding to memory page hashes.
    message MemoryHashSignature {
      // Memory hash detection contributing to the binary family match.
      message Detection {
        // The name of the binary associated with the memory hash
        // signature detection.
        string binary = 2;

        // The percentage of memory page hashes in the signature
        // that were matched.
        // NOTE(review): the scale (0–100 vs. 0–1) is not fixed by the
        // schema — confirm against the producer before thresholding on it.
        double percent_pages_matched = 3;
      }

      // The binary family.
      string binary_family = 1;

      // The list of memory hash detections contributing to the binary family
      // match. May be empty; an empty list is indistinguishable from unset.
      repeated Detection detections = 4;
    }

    // A signature corresponding to a YARA rule.
    message YaraRuleSignature {
      // The name of the YARA rule.
      string yara_rule = 5;
    }

    // Possible resource types to be associated with a signature.
    // Values not listed here may arrive from a newer producer; proto3
    // preserves them as raw integers, so readers should handle unknown values
    // rather than assume one of the cases below.
    enum SignatureType {
      // The default signature type. Indicates the type was not set; it
      // carries no business meaning.
      SIGNATURE_TYPE_UNSPECIFIED = 0;

      // Used for signatures concerning processes.
      SIGNATURE_TYPE_PROCESS = 1;

      // Used for signatures concerning files on disk.
      SIGNATURE_TYPE_FILE = 2;
    }

    // The matched signature. At most one member is set; readers should check
    // which case is populated before accessing a member. A signature kind
    // added in a later revision shows up here as "no case set" to older
    // readers (the data is retained as an unknown field).
    oneof signature {
      // Signature indicating that a binary family was matched.
      MemoryHashSignature memory_hash_signature = 6;

      // Signature indicating that a YARA rule was matched.
      YaraRuleSignature yara_rule_signature = 7;
    }

    // Describes the type of resource associated with the signature.
    SignatureType signature_type = 8;
  }

  // The list of IP addresses that are associated with the finding.
  // Format (v4/v6, with or without port) is not enforced by the schema.
  repeated string ip_addresses = 1;

  // List of domains associated with the finding.
  repeated string domains = 2;

  // The list of matched signatures indicating that the given
  // process is present in the environment.
  repeated ProcessSignature signatures = 3;

  // The list of URIs associated with the findings.
  // These are observed artifacts; they are not validated here and should not
  // be treated as safe to fetch or render as links without further handling.
  repeated string uris = 4;
}