// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycentermanagement.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/rpc/status.proto";
import "google/type/expr.proto";

option csharp_namespace = "Google.Cloud.SecurityCenterManagement.V1";
option go_package = "cloud.google.com/go/securitycentermanagement/apiv1/securitycentermanagementpb;securitycentermanagementpb";
option java_multiple_files = true;
option java_outer_classname = "SecurityCenterManagementProto";
option java_package = "com.google.cloud.securitycentermanagement.v1";
option php_namespace = "Google\\Cloud\\SecurityCenterManagement\\V1";
option ruby_package = "Google::Cloud::SecurityCenterManagement::V1";
// Location-scoped parent resources used by this API. Only organization and
// folder locations are declared in this file; the HTTP bindings below also
// accept projects/*/locations/*, which is presumably covered by a resource
// definition in another file — confirm before relying on it for validation.
option (google.api.resource_definition) = {
  type: "securitycentermanagement.googleapis.com/OrganizationLocation"
  pattern: "organizations/{organization}/locations/{location}"
};
option (google.api.resource_definition) = {
  type: "securitycentermanagement.googleapis.com/FolderLocation"
  pattern: "folders/{folder}/locations/{location}"
};

// Management surface for Security Command Center custom detection modules:
// Security Health Analytics (SHA) custom modules and Event Threat Detection
// (ETD) custom modules, addressed at organization, folder or project scope
// (each under a location).
//
// Modules are hierarchical. A module created at an organization or folder is
// the "resident" module at that node and appears as an "inherited" module in
// every Cloud Resource Manager (CRM) descendant. The Effective* resources
// expose the state that actually applies at a single node (ENABLED or
// DISABLED, never INHERITED).
//
// Notes for operators and reviewers, taken from the method docs below:
//   * Create at organization or folder scope fans out to every descendant and
//     the new module is enabled by default, so a single call changes detection
//     coverage across the whole subtree.
//   * Delete is only allowed on resident modules and cascades to all
//     descendants, removing the detector from every child folder and project.
//   * The enablement state of an *inherited* module may be updated, so a
//     caller permitted to update modules at a descendant scope can switch an
//     ancestor's detector off for that subtree. IAM semantics are not defined
//     in this file — confirm which roles grant update at each scope. When
//     investigating unexpected coverage gaps, compare the resident definition
//     with the Effective* view and check last_editor / update_time.
//   * Every method is authorized under the broad cloud-platform OAuth scope;
//     no narrower read-only scope is declared.
service SecurityCenterManagement {
  option (google.api.default_host) = "securitycentermanagement.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Returns a list of all EffectiveSecurityHealthAnalyticsCustomModules for the
  // given parent. This includes resident modules defined at the scope of the
  // parent, and inherited modules, inherited from CRM ancestors (no
  // descendants). Prefer this over ListSecurityHealthAnalyticsCustomModules
  // when you need the enablement state that is actually in force at `parent`.
  rpc ListEffectiveSecurityHealthAnalyticsCustomModules(
      ListEffectiveSecurityHealthAnalyticsCustomModulesRequest)
      returns (ListEffectiveSecurityHealthAnalyticsCustomModulesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/effectiveSecurityHealthAnalyticsCustomModules"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/effectiveSecurityHealthAnalyticsCustomModules"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*/locations/*}/effectiveSecurityHealthAnalyticsCustomModules"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details of a single EffectiveSecurityHealthAnalyticsCustomModule,
  // i.e. the resolved (ENABLED/DISABLED) view of one module at the scope
  // encoded in `name`.
  rpc GetEffectiveSecurityHealthAnalyticsCustomModule(
      GetEffectiveSecurityHealthAnalyticsCustomModuleRequest)
      returns (EffectiveSecurityHealthAnalyticsCustomModule) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/effectiveSecurityHealthAnalyticsCustomModules/*}"
      additional_bindings {
        get: "/v1/{name=folders/*/locations/*/effectiveSecurityHealthAnalyticsCustomModules/*}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/locations/*/effectiveSecurityHealthAnalyticsCustomModules/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Returns a list of all SecurityHealthAnalyticsCustomModules for the given
  // parent. This includes resident modules defined at the scope of the parent,
  // and inherited modules, inherited from CRM ancestors (no descendants).
  // Inherited entries report their own enablement_state (which may be
  // INHERITED) rather than the resolved one; use the Effective* methods for
  // the state that applies.
  rpc ListSecurityHealthAnalyticsCustomModules(
      ListSecurityHealthAnalyticsCustomModulesRequest)
      returns (ListSecurityHealthAnalyticsCustomModulesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/securityHealthAnalyticsCustomModules"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/securityHealthAnalyticsCustomModules"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*/locations/*}/securityHealthAnalyticsCustomModules"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Returns a list of all resident SecurityHealthAnalyticsCustomModules under
  // the given CRM parent and all of the parent's CRM descendants. This is the
  // call to use when auditing where, below an organization or folder, custom
  // detectors have been defined.
  rpc ListDescendantSecurityHealthAnalyticsCustomModules(
      ListDescendantSecurityHealthAnalyticsCustomModulesRequest)
      returns (ListDescendantSecurityHealthAnalyticsCustomModulesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/securityHealthAnalyticsCustomModules:listDescendant"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/securityHealthAnalyticsCustomModules:listDescendant"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*/locations/*}/securityHealthAnalyticsCustomModules:listDescendant"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Retrieves a SecurityHealthAnalyticsCustomModule (resident or inherited)
  // at the scope encoded in `name`.
  rpc GetSecurityHealthAnalyticsCustomModule(
      GetSecurityHealthAnalyticsCustomModuleRequest)
      returns (SecurityHealthAnalyticsCustomModule) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      additional_bindings {
        get: "/v1/{name=folders/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a resident SecurityHealthAnalyticsCustomModule at the scope of the
  // given CRM parent, and also creates inherited
  // SecurityHealthAnalyticsCustomModules for all CRM descendants of the given
  // parent. These modules are enabled by default, so a module created at an
  // organization starts generating findings in every descendant project. The
  // request supports `validate_only` (IAM and argument checks without
  // creating anything); use it before rolling out a module at wide scope.
  rpc CreateSecurityHealthAnalyticsCustomModule(
      CreateSecurityHealthAnalyticsCustomModuleRequest)
      returns (SecurityHealthAnalyticsCustomModule) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/securityHealthAnalyticsCustomModules"
      body: "security_health_analytics_custom_module"
      additional_bindings {
        post: "/v1/{parent=folders/*/locations/*}/securityHealthAnalyticsCustomModules"
        body: "security_health_analytics_custom_module"
      }
      additional_bindings {
        post: "/v1/{parent=organizations/*/locations/*}/securityHealthAnalyticsCustomModules"
        body: "security_health_analytics_custom_module"
      }
    };
    option (google.api.method_signature) =
        "parent,security_health_analytics_custom_module";
  }

  // Updates the SecurityHealthAnalyticsCustomModule under the given name based
  // on the given update mask. Updating the enablement state is supported on
  // both resident and inherited modules (though resident modules cannot have an
  // enablement state of "inherited"). Updating the display name and custom
  // config of a module is supported on resident modules only.
  //
  // Because inherited modules accept enablement updates, a DISABLED set here
  // at a folder or project overrides the ancestor's ENABLED for that subtree.
  // NOTE(review): UpdateSecurityHealthAnalyticsCustomModuleRequest.update_mask
  // documents only `enablement_state` and `custom_config` as updatable paths
  // and does not mention `display_name` — confirm which statement is
  // authoritative.
  rpc UpdateSecurityHealthAnalyticsCustomModule(
      UpdateSecurityHealthAnalyticsCustomModuleRequest)
      returns (SecurityHealthAnalyticsCustomModule) {
    option (google.api.http) = {
      patch: "/v1/{security_health_analytics_custom_module.name=projects/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      body: "security_health_analytics_custom_module"
      additional_bindings {
        patch: "/v1/{security_health_analytics_custom_module.name=folders/*/locations/*/securityHealthAnalyticsCustomModules/*}"
        body: "security_health_analytics_custom_module"
      }
      additional_bindings {
        patch: "/v1/{security_health_analytics_custom_module.name=organizations/*/locations/*/securityHealthAnalyticsCustomModules/*}"
        body: "security_health_analytics_custom_module"
      }
    };
    option (google.api.method_signature) =
        "security_health_analytics_custom_module,update_mask";
  }

  // Deletes the specified SecurityHealthAnalyticsCustomModule and all of its
  // descendants in the CRM hierarchy. This method is only supported for
  // resident custom modules. Consequently a descendant scope cannot delete an
  // inherited module; it can only disable it via Update. Deleting an
  // organization-level module removes the detector from every child folder
  // and project in one call — treat it as a high-impact, audited operation.
  rpc DeleteSecurityHealthAnalyticsCustomModule(
      DeleteSecurityHealthAnalyticsCustomModuleRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      additional_bindings {
        delete: "/v1/{name=folders/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      }
      additional_bindings {
        delete: "/v1/{name=organizations/*/locations/*/securityHealthAnalyticsCustomModules/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Simulates a given SecurityHealthAnalyticsCustomModule and Resource. The
  // caller posts a custom_config together with a resource of its own choosing
  // (method signature: parent, custom_config, resource) and the body is the
  // whole request (`body: "*"`). The request/response messages are defined
  // outside this excerpt; presumably nothing is persisted by a simulation —
  // confirm.
  rpc SimulateSecurityHealthAnalyticsCustomModule(
      SimulateSecurityHealthAnalyticsCustomModuleRequest)
      returns (SimulateSecurityHealthAnalyticsCustomModuleResponse) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/securityHealthAnalyticsCustomModules:simulate"
      body: "*"
      additional_bindings {
        post: "/v1/{parent=folders/*/locations/*}/securityHealthAnalyticsCustomModules:simulate"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{parent=organizations/*/locations/*}/securityHealthAnalyticsCustomModules:simulate"
        body: "*"
      }
    };
    option (google.api.method_signature) = "parent,custom_config,resource";
  }

  // Lists all effective Event Threat Detection custom modules for the
  // given parent. This includes resident modules defined at the scope of the
  // parent along with modules inherited from its ancestors, each with its
  // resolved enablement state.
  rpc ListEffectiveEventThreatDetectionCustomModules(
      ListEffectiveEventThreatDetectionCustomModulesRequest)
      returns (ListEffectiveEventThreatDetectionCustomModulesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/effectiveEventThreatDetectionCustomModules"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/effectiveEventThreatDetectionCustomModules"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*/locations/*}/effectiveEventThreatDetectionCustomModules"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets an effective ETD custom module. Retrieves the effective module at the
  // given level. The difference between an EffectiveCustomModule and a
  // CustomModule is that the fields for an EffectiveCustomModule are computed
  // from ancestors if needed. For example, the enablement_state for a
  // CustomModule can be either ENABLED, DISABLED, or INHERITED, whereas the
  // enablement_state for an EffectiveCustomModule is always computed to ENABLED
  // or DISABLED (the effective enablement_state).
  rpc GetEffectiveEventThreatDetectionCustomModule(
      GetEffectiveEventThreatDetectionCustomModuleRequest)
      returns (EffectiveEventThreatDetectionCustomModule) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/effectiveEventThreatDetectionCustomModules/*}"
      additional_bindings {
        get: "/v1/{name=folders/*/locations/*/effectiveEventThreatDetectionCustomModules/*}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/locations/*/effectiveEventThreatDetectionCustomModules/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Lists all Event Threat Detection custom modules for the given
  // Resource Manager parent. This includes resident modules defined at the
  // scope of the parent along with modules inherited from ancestors. For the
  // resolved enablement state use the Effective* methods instead.
  rpc ListEventThreatDetectionCustomModules(
      ListEventThreatDetectionCustomModulesRequest)
      returns (ListEventThreatDetectionCustomModulesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/eventThreatDetectionCustomModules"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/eventThreatDetectionCustomModules"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*/locations/*}/eventThreatDetectionCustomModules"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists all resident Event Threat Detection custom modules under the
  // given Resource Manager parent and its descendants. Useful for auditing
  // where, below an organization or folder, ETD detectors have been defined.
  rpc ListDescendantEventThreatDetectionCustomModules(
      ListDescendantEventThreatDetectionCustomModulesRequest)
      returns (ListDescendantEventThreatDetectionCustomModulesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/eventThreatDetectionCustomModules:listDescendant"
      additional_bindings {
        get: "/v1/{parent=folders/*/locations/*}/eventThreatDetectionCustomModules:listDescendant"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*/locations/*}/eventThreatDetectionCustomModules:listDescendant"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets an Event Threat Detection custom module (resident or inherited) at
  // the scope encoded in `name`.
  rpc GetEventThreatDetectionCustomModule(
      GetEventThreatDetectionCustomModuleRequest)
      returns (EventThreatDetectionCustomModule) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/eventThreatDetectionCustomModules/*}"
      additional_bindings {
        get: "/v1/{name=folders/*/locations/*/eventThreatDetectionCustomModules/*}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/locations/*/eventThreatDetectionCustomModules/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a resident Event Threat Detection custom module at the scope of the
  // given Resource Manager parent, and also creates inherited custom modules
  // for all descendants of the given parent. These modules are enabled by
  // default, so creation at organization scope takes effect hierarchy-wide.
  // Validate the module with ValidateEventThreatDetectionCustomModule first
  // when rolling out at wide scope.
  rpc CreateEventThreatDetectionCustomModule(
      CreateEventThreatDetectionCustomModuleRequest)
      returns (EventThreatDetectionCustomModule) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/eventThreatDetectionCustomModules"
      body: "event_threat_detection_custom_module"
      additional_bindings {
        post: "/v1/{parent=folders/*/locations/*}/eventThreatDetectionCustomModules"
        body: "event_threat_detection_custom_module"
      }
      additional_bindings {
        post: "/v1/{parent=organizations/*/locations/*}/eventThreatDetectionCustomModules"
        body: "event_threat_detection_custom_module"
      }
    };
    option (google.api.method_signature) =
        "parent,event_threat_detection_custom_module";
  }

  // Updates the Event Threat Detection custom module with the given name based
  // on the given update mask. Updating the enablement state is supported for
  // both resident and inherited modules (though resident modules cannot have an
  // enablement state of "inherited"). Updating the display name or
  // configuration of a module is supported for resident modules only. The type
  // of a module cannot be changed.
  //
  // As with SHA modules, setting an inherited module to DISABLED at a
  // descendant overrides the ancestor's ENABLED for that subtree.
  rpc UpdateEventThreatDetectionCustomModule(
      UpdateEventThreatDetectionCustomModuleRequest)
      returns (EventThreatDetectionCustomModule) {
    option (google.api.http) = {
      patch: "/v1/{event_threat_detection_custom_module.name=projects/*/locations/*/eventThreatDetectionCustomModules/*}"
      body: "event_threat_detection_custom_module"
      additional_bindings {
        patch: "/v1/{event_threat_detection_custom_module.name=folders/*/locations/*/eventThreatDetectionCustomModules/*}"
        body: "event_threat_detection_custom_module"
      }
      additional_bindings {
        patch: "/v1/{event_threat_detection_custom_module.name=organizations/*/locations/*/eventThreatDetectionCustomModules/*}"
        body: "event_threat_detection_custom_module"
      }
    };
    option (google.api.method_signature) =
        "event_threat_detection_custom_module,update_mask";
  }

  // Deletes the specified Event Threat Detection custom module and all of its
  // descendants in the Resource Manager hierarchy. This method is only
  // supported for resident custom modules, so a descendant scope can disable
  // an inherited module but not delete it. Deletion at organization scope
  // removes the detector from every child folder and project in one call.
  rpc DeleteEventThreatDetectionCustomModule(
      DeleteEventThreatDetectionCustomModuleRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/eventThreatDetectionCustomModules/*}"
      additional_bindings {
        delete: "/v1/{name=folders/*/locations/*/eventThreatDetectionCustomModules/*}"
      }
      additional_bindings {
        delete: "/v1/{name=organizations/*/locations/*/eventThreatDetectionCustomModules/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Validates the given Event Threat Detection custom module. The whole
  // request is posted as the body (`body: "*"`). Unlike the other methods of
  // this service no method_signature is declared. The request/response
  // messages are defined outside this excerpt.
  rpc ValidateEventThreatDetectionCustomModule(
      ValidateEventThreatDetectionCustomModuleRequest)
      returns (ValidateEventThreatDetectionCustomModuleResponse) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/eventThreatDetectionCustomModules:validate"
      body: "*"
      additional_bindings {
        post: "/v1/{parent=folders/*/locations/*}/eventThreatDetectionCustomModules:validate"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{parent=organizations/*/locations/*}/eventThreatDetectionCustomModules:validate"
        body: "*"
      }
    };
  }
}

// An EffectiveSecurityHealthAnalyticsCustomModule is the representation of
// a Security Health Analytics custom module at a specified level of the
// resource hierarchy: organization, folder, or project. If a custom module is
// inherited from a parent organization or folder, the value of the
// `enablementState` property in EffectiveSecurityHealthAnalyticsCustomModule is
// set to the value that is effective in the parent, instead of `INHERITED`.
// For example, if the module is enabled in a parent organization or folder, the
// effective enablement_state for the module in all child folders or projects is
// also `ENABLED` (unless a descendant has itself been set to `DISABLED`, in
// which case that override is what is reported there).
// EffectiveSecurityHealthAnalyticsCustomModule is read-only: every field is
// OUTPUT_ONLY or an identifier.
message EffectiveSecurityHealthAnalyticsCustomModule {
  option (google.api.resource) = {
    type: "securitycentermanagement.googleapis.com/EffectiveSecurityHealthAnalyticsCustomModule"
    pattern: "organizations/{organization}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{effective_security_health_analytics_custom_module}"
    pattern: "projects/{project}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{effective_security_health_analytics_custom_module}"
    pattern: "folders/{folder}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{effective_security_health_analytics_custom_module}"
    plural: "effectiveSecurityHealthAnalyticsCustomModules"
    singular: "effectiveSecurityHealthAnalyticsCustomModule"
  };

  // The resolved enablement state of the module at one node of the hierarchy.
  // Unlike SecurityHealthAnalyticsCustomModule.EnablementState there is no
  // INHERITED value here: inheritance has already been resolved.
  enum EnablementState {
    // Unspecified enablement state.
    ENABLEMENT_STATE_UNSPECIFIED = 0;

    // The module is enabled at the given level.
    ENABLED = 1;

    // The module is disabled at the given level.
    DISABLED = 2;
  }

  // Identifier. The resource name of the custom module.
  // Its format is
  // "organizations/{organization}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{effective_security_health_analytics_custom_module}",
  // or
  // "folders/{folder}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{effective_security_health_analytics_custom_module}",
  // or
  // "projects/{project}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{effective_security_health_analytics_custom_module}"
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Output only. The user-specified configuration for the module, i.e. the
  // CustomConfig of the resident module this effective view derives from.
  CustomConfig custom_config = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The effective state of enablement for the module at the given
  // level of the hierarchy (always ENABLED or DISABLED for a valid module).
  EnablementState enablement_state = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The display name for the custom module. The name must be
  // between 1 and 128 characters, start with a lowercase letter, and contain
  // alphanumeric characters or underscores only.
  string display_name = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for listing effective Security Health Analytics custom
// modules.
message ListEffectiveSecurityHealthAnalyticsCustomModulesRequest {
  // Required. Name of parent to list effective custom modules. Its format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/EffectiveSecurityHealthAnalyticsCustomModule"
    }
  ];

  // Optional. The maximum number of results to return in a single response.
  // Default is 10, minimum is 1, maximum is 1000. The default is small; audit
  // tooling that expects to see every module should page until
  // `next_page_token` is empty.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The value returned by the last call indicating a continuation
  // (the previous response's `next_page_token`). Treat it as opaque.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for listing effective Security Health Analytics custom
// modules.
message ListEffectiveSecurityHealthAnalyticsCustomModulesResponse {
  // The list of EffectiveSecurityHealthAnalyticsCustomModule
  repeated EffectiveSecurityHealthAnalyticsCustomModule
      effective_security_health_analytics_custom_modules = 1;

  // A token that can be sent as `page_token` in a subsequent request to
  // retrieve the next page of results; presumably empty once the last page
  // has been returned (standard pagination contract — confirm).
  string next_page_token = 2;
}

// Message for getting a EffectiveSecurityHealthAnalyticsCustomModule
message GetEffectiveSecurityHealthAnalyticsCustomModuleRequest {
  // Required. The resource name of the SHA custom module.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{module_id}".
  // * "folders/{folder}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{module_id}".
  // * "projects/{project}/locations/{location}/effectiveSecurityHealthAnalyticsCustomModules/{module_id}".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/EffectiveSecurityHealthAnalyticsCustomModule"
    }
  ];
}

// Represents an instance of a Security Health Analytics custom module,
// including its full module name, display name, enablement state, and last
// updated time. You can create a custom module at the organization, folder, or
// project level. Custom modules that you create at the organization or folder
// level are inherited by the child folders and projects.
//
// `update_time` and `last_editor` are the built-in audit trail for changes to
// detection configuration; `ancestor_module` tells you whether the module you
// are looking at is resident here or inherited from above.
message SecurityHealthAnalyticsCustomModule {
  option (google.api.resource) = {
    type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule"
    pattern: "organizations/{organization}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}"
    pattern: "projects/{project}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}"
    pattern: "folders/{folder}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}"
    plural: "securityHealthAnalyticsCustomModules"
    singular: "securityHealthAnalyticsCustomModule"
  };

  // Possible enablement states of a custom module. This is the state as
  // configured at one CRM resource; the resolved state is exposed by
  // EffectiveSecurityHealthAnalyticsCustomModule.
  enum EnablementState {
    // Unspecified enablement state.
    ENABLEMENT_STATE_UNSPECIFIED = 0;

    // The module is enabled at the given CRM resource.
    ENABLED = 1;

    // The module is disabled at the given CRM resource.
    DISABLED = 2;

    // State is inherited from an ancestor module. The module will either
    // be effectively ENABLED or DISABLED based on its closest non-inherited
    // ancestor module in the CRM hierarchy. Attempting to set a top level
    // module (module with no parent) to the INHERITED state will result in an
    // INVALID_ARGUMENT error.
    INHERITED = 3;
  }

  // Identifier. The resource name of the custom module.
  // Its format is
  // "organizations/{organization}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}",
  // or
  // "folders/{folder}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}",
  // or
  // "projects/{project}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}"
  //
  // The id {security_health_analytics_custom_module} is server-generated and
  // is not user settable. It will be a numeric id containing 1-20 digits.
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Optional. The display name of the Security Health Analytics custom module.
  // This display name becomes the finding category for all findings that are
  // returned by this custom module. The display name must be between 1 and
  // 128 characters, start with a lowercase letter, and contain alphanumeric
  // characters or underscores only.
  // NOTE(review): since the category is what downstream filters and
  // notifications are presumably keyed on, renaming a module changes the
  // category of its future findings — confirm before renaming in production.
  string display_name = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The enablement state of the custom module. INHERITED is only
  // valid for modules that have an ancestor (see EnablementState).
  EnablementState enablement_state = 3 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The time at which the custom module was last updated.
  google.protobuf.Timestamp update_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The editor that last updated the custom module. Together with
  // `update_time` this is the first thing to check when a detector was
  // unexpectedly disabled or changed. The exact identity format is not
  // specified here.
  string last_editor = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Specifies the organization or folder from which the custom
  // module is inherited. If empty, indicates that the custom module was created
  // in the organization, folder, or project in which you are viewing the custom
  // module (i.e. it is the resident module and may be deleted here).
  string ancestor_module = 6 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule"
    }
  ];

  // Optional. The user specified custom configuration for the module.
  CustomConfig custom_config = 7 [(google.api.field_behavior) = OPTIONAL];
}

// Defines the properties in a custom module configuration for Security
// Health Analytics. Use the custom module configuration to create custom
// detectors that generate custom findings for resources that you specify.
//
// Everything in this message is authored by the module creator and is either
// evaluated by the service (the CEL `predicate` and the CEL
// `value_expression`s) or copied verbatim into findings (`description`,
// `recommendation`, custom output property values). NOTE(review): consumers
// that render finding text should treat those fields as module-author-supplied
// content rather than as trusted service output.
message CustomConfig {
  // A set of optional name-value pairs that define custom source properties to
  // return with each finding that is generated by the custom module. The custom
  // source properties that are defined here are included in the finding JSON
  // under `sourceProperties`.
  message CustomOutputSpec {
    // An individual name-value pair that defines a custom source property.
    message Property {
      // Optional. Name of the property for the custom output. Becomes a key
      // under `sourceProperties` in the finding.
      string name = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. The CEL expression for the custom output. A resource property
      // can be specified to return the value of the property or a text string
      // enclosed in quotation marks. The expression is evaluated against the
      // matched resource, so it can surface resource data into the finding.
      google.type.Expr value_expression = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Optional. A list of custom output properties to add to the finding.
    repeated Property properties = 1 [(google.api.field_behavior) = OPTIONAL];
  }

  // Resource for selecting resource type.
  message ResourceSelector {
    // Optional. The resource types to run the detector on. Values are Cloud
    // Asset Inventory asset type strings (see `resource_selector` below).
    repeated string resource_types = 1 [(google.api.field_behavior) = OPTIONAL];
  }

  // Defines the valid value options for the severity of a finding.
  enum Severity {
    // Unspecified severity.
    SEVERITY_UNSPECIFIED = 0;

    // Critical severity.
    CRITICAL = 1;

    // High severity.
    HIGH = 2;

    // Medium severity.
    MEDIUM = 3;

    // Low severity.
    LOW = 4;
  }

  // Optional. The CEL expression to evaluate to produce findings. When the
  // expression evaluates to true against a resource, a finding is generated.
  // It is evaluated against every resource of the types selected by
  // `resource_selector`, so an overly broad predicate (one that is always
  // true) produces a finding for every such resource.
  google.type.Expr predicate = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Custom output properties.
  CustomOutputSpec custom_output = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The Cloud Asset Inventory resource types that the custom module
  // operates on. For information about resource types, see [Supported asset
  // types](https://cloud.google.com/asset-inventory/docs/supported-asset-types).
  // Each custom module can specify up to 5 resource types.
  ResourceSelector resource_selector = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The severity to assign to findings generated by the module.
  Severity severity = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Text that describes the vulnerability or misconfiguration that
  // the custom module detects. This explanation is returned with each finding
  // instance to help investigators understand the detected issue. The text must
  // be enclosed in quotation marks. (NOTE(review): that last requirement reads
  // like a CLI/console input rule rather than a constraint on this string
  // field — confirm whether the API itself enforces it.)
  string description = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. An explanation of the recommended steps that security teams can
  // take to resolve the detected issue. This explanation is returned with each
  // finding generated by this module in the `nextSteps` property of the finding
  // JSON.
  string recommendation = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for listing Security Health Analytics custom modules.
message ListSecurityHealthAnalyticsCustomModulesRequest {
  // Required. Name of parent to list custom modules. Its format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule"
    }
  ];

  // Optional. The maximum number of results to return in a single response.
  // Default is 10, minimum is 1, maximum is 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A token identifying a page of results the server should return
  // (the previous response's `next_page_token`). Treat it as opaque.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for listing Security Health Analytics custom modules.
message ListSecurityHealthAnalyticsCustomModulesResponse {
  // The list of SecurityHealthAnalyticsCustomModules
  repeated SecurityHealthAnalyticsCustomModule
      security_health_analytics_custom_modules = 1;

  // A token that can be sent as `page_token` in a subsequent request to
  // retrieve the next page of results; presumably empty once the last page
  // has been returned (standard pagination contract — confirm).
  string next_page_token = 2;
}

// Request message for listing descendant Security Health Analytics custom
// modules.
message ListDescendantSecurityHealthAnalyticsCustomModulesRequest {
  // Required. Name of parent to list custom modules. Its format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule"
    }
  ];

  // Optional. The maximum number of results to return in a single response.
  // Default is 10, minimum is 1, maximum is 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A token identifying a page of results the server should return
  // (the previous response's `next_page_token`). Treat it as opaque.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for listing descendant Security Health Analytics custom
// modules.
message ListDescendantSecurityHealthAnalyticsCustomModulesResponse {
  // The list of resident SecurityHealthAnalyticsCustomModules found at the
  // parent and in its descendants.
  repeated SecurityHealthAnalyticsCustomModule
      security_health_analytics_custom_modules = 1;

  // A token that can be sent as `page_token` in a subsequent request to
  // retrieve the next page of results; presumably empty once the last page
  // has been returned (standard pagination contract — confirm).
  string next_page_token = 2;
}

// Message for getting a SecurityHealthAnalyticsCustomModule
message GetSecurityHealthAnalyticsCustomModuleRequest {
  // Required. Name of the resource, in one of the
  // SecurityHealthAnalyticsCustomModule resource name formats
  // (organizations/..., folders/... or projects/...).
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule"
    }
  ];
}

// Message for creating a SecurityHealthAnalyticsCustomModule. Creation at
// organization or folder scope fans out to every descendant (see the RPC).
message CreateSecurityHealthAnalyticsCustomModuleRequest {
  // Required. Name of the parent for the module.
Its format is 741 // "organizations/{organization}/locations/{location}", 742 // "folders/{folder}/locations/{location}", 743 // or 744 // "projects/{project}/locations/{location}" 745 string parent = 1 [ 746 (google.api.field_behavior) = REQUIRED, 747 (google.api.resource_reference) = { 748 child_type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule" 749 } 750 ]; 751 752 // Required. The resource being created 753 SecurityHealthAnalyticsCustomModule security_health_analytics_custom_module = 754 2 [(google.api.field_behavior) = REQUIRED]; 755 756 // Optional. When set to true, only validations (including IAM checks) will 757 // done for the request (no module will be created). An OK response indicates 758 // the request is valid while an error response indicates the request is 759 // invalid. Note that a subsequent request to actually create the module could 760 // still fail because: 761 // 1. the state could have changed (e.g. IAM permission lost) or 762 // 2. A failure occurred during creation of the module. 763 // Defaults to false. 764 bool validate_only = 3 [(google.api.field_behavior) = OPTIONAL]; 765} 766 767// Message for updating a SecurityHealthAnalyticsCustomModule 768message UpdateSecurityHealthAnalyticsCustomModuleRequest { 769 // Required. The list of fields to be updated. The only fields that can be 770 // updated are `enablement_state` and `custom_config`. If empty or set to the 771 // wildcard value `*`, both `enablement_state` and `custom_config` are 772 // updated. 773 google.protobuf.FieldMask update_mask = 1 774 [(google.api.field_behavior) = REQUIRED]; 775 776 // Required. The resource being updated 777 SecurityHealthAnalyticsCustomModule security_health_analytics_custom_module = 778 2 [(google.api.field_behavior) = REQUIRED]; 779 780 // Optional. When set to true, only validations (including IAM checks) will 781 // done for the request (module will not be updated). 
An OK response indicates 782 // the request is valid while an error response indicates the request is 783 // invalid. Note that a subsequent request to actually update the module could 784 // still fail because 1. the state could have changed (e.g. IAM permission 785 // lost) or 786 // 2. A failure occurred while trying to update the module. 787 bool validate_only = 3 [(google.api.field_behavior) = OPTIONAL]; 788} 789 790// Message for deleting a SecurityHealthAnalyticsCustomModule 791message DeleteSecurityHealthAnalyticsCustomModuleRequest { 792 // Required. The resource name of the SHA custom module. 793 // 794 // Its format is: 795 // 796 // * "organizations/{organization}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}". 797 // * "folders/{folder}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}". 798 // * "projects/{project}/locations/{location}/securityHealthAnalyticsCustomModules/{security_health_analytics_custom_module}". 799 string name = 1 [ 800 (google.api.field_behavior) = REQUIRED, 801 (google.api.resource_reference) = { 802 type: "securitycentermanagement.googleapis.com/SecurityHealthAnalyticsCustomModule" 803 } 804 ]; 805 806 // Optional. When set to true, only validations (including IAM checks) will 807 // done for the request (module will not be deleted). An OK response indicates 808 // the request is valid while an error response indicates the request is 809 // invalid. Note that a subsequent request to actually delete the module could 810 // still fail because 1. the state could have changed (e.g. IAM permission 811 // lost) or 812 // 2. A failure occurred while trying to delete the module. 813 bool validate_only = 2 [(google.api.field_behavior) = OPTIONAL]; 814} 815 816// Request message to simulate a CustomConfig against a given test resource. 817// Maximum size of the request is 4 MB by default. 
message SimulateSecurityHealthAnalyticsCustomModuleRequest {
  // A manually constructed resource to evaluate the custom module against. If
  // the custom module evaluates against only the resource data, you can omit
  // the `iam_policy_data` field. If it evaluates only the `iam_policy_data`
  // field, you can omit the resource data.
  message SimulatedResource {
    // Required. The type of the resource, for example,
    // `compute.googleapis.com/Disk`.
    string resource_type = 1 [(google.api.field_behavior) = REQUIRED];

    // Optional. A representation of the Google Cloud resource. Should match the
    // Google Cloud resource JSON format. Free-form (google.protobuf.Struct);
    // its schema is not expressed in this proto.
    google.protobuf.Struct resource_data = 2
        [(google.api.field_behavior) = OPTIONAL];

    // Optional. A representation of the IAM policy.
    // NOTE(review): presumably used only as simulation input and never applied
    // to a real resource — confirm against the service implementation.
    google.iam.v1.Policy iam_policy_data = 3
        [(google.api.field_behavior) = OPTIONAL];
  }

  // Required. The relative resource name of the organization, project, or
  // folder. For more information about relative resource names, see [Relative
  // Resource
  // Name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
  // Example: `organizations/{organization_id}`.
  // NOTE(review): unlike the other `parent` fields in this file, this one
  // carries no `resource_reference` annotation — confirm that is intentional.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The custom configuration that you need to test.
  CustomConfig custom_config = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Resource data to simulate the custom module against.
  SimulatedResource resource = 3 [(google.api.field_behavior) = REQUIRED];
}

// A subset of the fields of the Security Center Finding proto. The minimum set
// of fields needed to represent a simulated finding from a SHA custom module.
message SimulatedFinding {
  option (google.api.resource) = {
    type: "securitycenter.googleapis.com/Finding"
    pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
    pattern: "folders/{folder}/sources/{source}/findings/{finding}"
    pattern: "projects/{project}/sources/{source}/findings/{finding}"
    plural: "findings"
    singular: "finding"
  };

  // The state of the finding.
  enum State {
    // Unspecified state.
    STATE_UNSPECIFIED = 0;

    // The finding requires attention and has not been addressed yet.
    ACTIVE = 1;

    // The finding has been fixed, triaged as a non-issue or otherwise addressed
    // and is no longer active.
    INACTIVE = 2;
  }

  // The severity of the finding.
  enum Severity {
    // This value is used for findings when a source doesn't write a severity
    // value.
    SEVERITY_UNSPECIFIED = 0;

    // Vulnerability:
    // A critical vulnerability is easily discoverable by an external actor,
    // exploitable, and results in the direct ability to execute arbitrary code,
    // exfiltrate data, and otherwise gain additional access and privileges to
    // cloud resources and workloads. Examples include publicly accessible
    // unprotected user data and public SSH access with weak or no
    // passwords.
    //
    // Threat:
    // Indicates a threat that is able to access, modify, or delete data or
    // execute unauthorized code within existing resources.
    CRITICAL = 1;

    // Vulnerability:
    // A high risk vulnerability can be easily discovered and exploited in
    // combination with other vulnerabilities in order to gain direct access and
    // the ability to execute arbitrary code, exfiltrate data, and otherwise
    // gain additional access and privileges to cloud resources and workloads.
    // An example is a database with weak or no passwords that is only
    // accessible internally. This database could easily be compromised by an
    // actor that had access to the internal network.
    //
    // Threat:
    // Indicates a threat that is able to create new computational resources in
    // an environment but not able to access data or execute code in existing
    // resources.
    HIGH = 2;

    // Vulnerability:
    // A medium risk vulnerability could be used by an actor to gain access to
    // resources or privileges that enable them to eventually (through multiple
    // steps or a complex exploit) gain access and the ability to execute
    // arbitrary code or exfiltrate data. An example is a service account with
    // access to more projects than it should have. If an actor gains access to
    // the service account, they could potentially use that access to manipulate
    // a project the service account was not intended to.
    //
    // Threat:
    // Indicates a threat that is able to cause operational impact but may not
    // access data or execute unauthorized code.
    MEDIUM = 3;

    // Vulnerability:
    // A low risk vulnerability hampers a security organization's ability to
    // detect vulnerabilities or active threats in their deployment, or prevents
    // the root cause investigation of security issues. An example is monitoring
    // and logs being disabled for resource configurations and access.
    //
    // Threat:
    // Indicates a threat that has obtained minimal access to an environment but
    // is not able to access data, execute code, or create resources.
    LOW = 4;
  }

  // Represents what kind of Finding it is.
  enum FindingClass {
    // Unspecified finding class.
    FINDING_CLASS_UNSPECIFIED = 0;

    // Describes unwanted or malicious activity.
    THREAT = 1;

    // Describes a potential weakness in software that increases risk to
    // Confidentiality & Integrity & Availability.
    VULNERABILITY = 2;

    // Describes a potential weakness in cloud resource/asset configuration that
    // increases risk.
    MISCONFIGURATION = 3;

    // Describes a security observation that is for informational purposes.
    OBSERVATION = 4;

    // Describes an error that prevents some SCC functionality.
    SCC_ERROR = 5;

    // Describes a potential security risk due to a change in the security
    // posture.
    POSTURE_VIOLATION = 6;
  }

  // Identifier. The [relative resource
  // name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
  // of the finding. Example:
  // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
  // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}",
  // "projects/{project_id}/sources/{source_id}/findings/{finding_id}".
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // The relative resource name of the source the finding belongs to. See:
  // https://cloud.google.com/apis/design/resource_names#relative_resource_name
  // This field is immutable after creation time.
  // For example:
  // "organizations/{organization_id}/sources/{source_id}"
  string parent = 2;

  // For findings on Google Cloud resources, the full resource
  // name of the Google Cloud resource this finding is for. See:
  // https://cloud.google.com/apis/design/resource_names#full_resource_name
  // When the finding is for a non-Google Cloud resource, the resourceName can
  // be a customer or partner defined string. This field is immutable after
  // creation time.
  string resource_name = 3;

  // The additional taxonomy group within findings from a given source.
  // This field is immutable after creation time.
  // Example: "XSS_FLASH_INJECTION"
  string category = 4;

  // Output only. The state of the finding.
  State state = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Source specific properties. These properties are managed by the source
  // that writes the finding. The key names in the source_properties map must be
  // between 1 and 255 characters, and must start with a letter and contain
  // alphanumeric characters or underscores only. Values are free-form
  // (google.protobuf.Value).
  map<string, google.protobuf.Value> source_properties = 6;

  // The time the finding was first detected. If an existing finding is updated,
  // then this is the time the update occurred.
  // For example, if the finding represents an open firewall, this property
  // captures the time the detector believes the firewall became open. The
  // accuracy is determined by the detector. If the finding is later resolved,
  // then this time reflects when the finding was resolved. This must not
  // be set to a value greater than the current timestamp.
  google.protobuf.Timestamp event_time = 7;

  // The severity of the finding. This field is managed by the source that
  // writes the finding.
  Severity severity = 8;

  // The class of the finding.
  FindingClass finding_class = 9;
}

// Response message for simulating a `SecurityHealthAnalyticsCustomModule`
// against a given resource.
message SimulateSecurityHealthAnalyticsCustomModuleResponse {
  // Possible test result.
  message SimulatedResult {
    // The outcome of the simulation. At most one of these is set.
    oneof result {
      // Finding that would be published for the test case,
      // if a violation is detected.
      SimulatedFinding finding = 1;

      // Indicates that the test case does not trigger any violation.
      google.protobuf.Empty no_violation = 2;

      // Error encountered during the test.
      google.rpc.Status error = 3;
    }
  }

  // Result for the test case in the corresponding request.
  SimulatedResult result = 1;
}

// An EffectiveEventThreatDetectionCustomModule is the representation of
// EventThreatDetectionCustomModule at a given level taking hierarchy into
// account and resolving various fields accordingly. e.g. if the module is
// enabled at the ancestor level, effective modules at all descendant levels
// will have enablement_state set to ENABLED. Similarly, if module.inherited is
// set, then effective module's config will contain the ancestor's config
// details. EffectiveEventThreatDetectionCustomModule is read-only.
message EffectiveEventThreatDetectionCustomModule {
  option (google.api.resource) = {
    type: "securitycentermanagement.googleapis.com/EffectiveEventThreatDetectionCustomModule"
    pattern: "organizations/{organization}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}"
    pattern: "projects/{project}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}"
    pattern: "folders/{folder}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}"
    plural: "effectiveEventThreatDetectionCustomModules"
    singular: "effectiveEventThreatDetectionCustomModule"
  };

  // The enablement state of the module.
  enum EnablementState {
    // Unspecified enablement state.
    ENABLEMENT_STATE_UNSPECIFIED = 0;

    // The module is enabled at the given level.
    ENABLED = 1;

    // The module is disabled at the given level.
    DISABLED = 2;
  }

  // Identifier. The resource name of the effective ETD custom module.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}".
// * "folders/{folder}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}".
  // * "projects/{project}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}".
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Output only. Config for the effective module. Free-form
  // (google.protobuf.Struct); its schema is not expressed in this proto.
  google.protobuf.Struct config = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The effective state of enablement for the module at the given
  // level of the hierarchy.
  EnablementState enablement_state = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Type for the module. e.g. CONFIGURABLE_BAD_IP.
  string type = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The human readable name to be displayed for the module.
  string display_name = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The description for the module.
  string description = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for listing effective Event Threat Detection custom
// modules.
message ListEffectiveEventThreatDetectionCustomModulesRequest {
  // Required. Name of the parent to list effective custom modules under. Its
  // format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/EffectiveEventThreatDetectionCustomModule"
    }
  ];

  // Optional. The maximum number of results to return in a single response.
  // Default is 10, minimum is 1, maximum is 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The value returned by the last call, indicating a continuation.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for listing effective Event Threat Detection custom
// modules.
message ListEffectiveEventThreatDetectionCustomModulesResponse {
  // The list of EffectiveEventThreatDetectionCustomModules.
  repeated EffectiveEventThreatDetectionCustomModule
      effective_event_threat_detection_custom_modules = 1;

  // A token identifying a page of results the server should return.
  string next_page_token = 2;
}

// Message for getting an EffectiveEventThreatDetectionCustomModule.
message GetEffectiveEventThreatDetectionCustomModuleRequest {
  // Required. The resource name of the effective ETD custom module.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}".
  // * "folders/{folder}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}".
  // * "projects/{project}/locations/{location}/effectiveEventThreatDetectionCustomModules/{effective_event_threat_detection_custom_module}".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/EffectiveEventThreatDetectionCustomModule"
    }
  ];
}

// An event threat detection custom module is a Cloud SCC resource that contains
// the configuration and enablement state of a custom module, which enables ETD
// to write certain findings to Cloud SCC.
message EventThreatDetectionCustomModule {
  option (google.api.resource) = {
    type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    pattern: "organizations/{organization}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}"
    pattern: "projects/{project}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}"
    pattern: "folders/{folder}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}"
    plural: "eventThreatDetectionCustomModules"
    singular: "eventThreatDetectionCustomModule"
  };

  // The enablement state of the module.
  enum EnablementState {
    // Unspecified enablement state.
    ENABLEMENT_STATE_UNSPECIFIED = 0;

    // The module is enabled at the given level.
    ENABLED = 1;

    // The module is disabled at the given level.
    DISABLED = 2;

    // State is inherited from an ancestor module. The module will either
    // be effectively ENABLED or DISABLED based on its closest non-inherited
    // ancestor module in the CRM hierarchy. Attempting to set a top level
    // module (module with no parent) to the INHERITED state will result in an
    // error.
    INHERITED = 3;
  }

  // Identifier. The resource name of the ETD custom module.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  // * "folders/{folder}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  // * "projects/{project}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Optional. Config for the module. For the resident module, its config value
  // is defined at this level. For the inherited module, its config value is
  // inherited from the ancestor module. Free-form (google.protobuf.Struct);
  // its schema is not expressed in this proto.
  google.protobuf.Struct config = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The closest ancestor module that this module inherits the
  // enablement state from. If empty, indicates that the custom module was
  // created in the requesting parent organization, folder, or project. The
  // format is the same as the EventThreatDetectionCustomModule resource name.
  string ancestor_module = 3 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];

  // Optional. The state of enablement for the module at the given level of the
  // hierarchy.
  EnablementState enablement_state = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Type for the module. e.g. CONFIGURABLE_BAD_IP.
  string type = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The human readable name to be displayed for the module.
  string display_name = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The description for the module.
  string description = 7 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The time the module was last updated.
  google.protobuf.Timestamp update_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The editor the module was last updated by.
  string last_editor = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for listing Event Threat Detection custom modules.
message ListEventThreatDetectionCustomModulesRequest {
  // Required. Name of the parent to list custom modules under. Its format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];

  // Optional. The maximum number of modules to return. The service may return
  // fewer than this value. If unspecified, at most 10 configs will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token, received from a previous
  // `ListEventThreatDetectionCustomModules` call. Provide this to retrieve the
  // subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListEventThreatDetectionCustomModules` must match the call that provided
  // the page token.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for listing Event Threat Detection custom modules.
message ListEventThreatDetectionCustomModulesResponse {
  // The list of EventThreatDetectionCustomModules.
  repeated EventThreatDetectionCustomModule
      event_threat_detection_custom_modules = 1;

  // A token identifying a page of results the server should return.
  string next_page_token = 2;
}

// Request message for listing descendant Event Threat Detection custom
// modules.
message ListDescendantEventThreatDetectionCustomModulesRequest {
  // Required. Name of the parent to list custom modules under. Its format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];

  // Optional. The maximum number of modules to return. The service may return
  // fewer than this value. If unspecified, at most 10 configs will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A token identifying a page of results the server should return.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for listing descendant Event Threat Detection custom
// modules.
message ListDescendantEventThreatDetectionCustomModulesResponse {
  // The list of EventThreatDetectionCustomModules.
  repeated EventThreatDetectionCustomModule
      event_threat_detection_custom_modules = 1;

  // A token identifying a page of results the server should return.
  string next_page_token = 2;
}

// Message for getting an EventThreatDetectionCustomModule.
message GetEventThreatDetectionCustomModuleRequest {
  // Required. The resource name of the ETD custom module.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  // * "folders/{folder}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  // * "projects/{project}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];
}

// Message for creating an EventThreatDetectionCustomModule.
message CreateEventThreatDetectionCustomModuleRequest {
  // Required. Name of the parent for the module. Its format is
  // "organizations/{organization}/locations/{location}",
  // "folders/{folder}/locations/{location}",
  // or
  // "projects/{project}/locations/{location}"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];

  // Required. The module to create. The
  // event_threat_detection_custom_module.name will be ignored and server
  // generated.
  // NOTE(review): field number 2 is unused in this message and not reserved;
  // confirm whether it was retired and should be declared `reserved 2;`.
  EventThreatDetectionCustomModule event_threat_detection_custom_module = 3
      [(google.api.field_behavior) = REQUIRED];

  // Optional. When set to true, only validations (including IAM checks) will
  // be done for the request (no module will be created). An OK response
  // indicates the request is valid while an error response indicates the
  // request is invalid. Note that a subsequent request to actually create the
  // module could still fail because:
  // 1. the state could have changed (e.g. IAM permission lost) or
  // 2. A failure occurred during creation of the module.
  bool validate_only = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Message for updating an EventThreatDetectionCustomModule.
message UpdateEventThreatDetectionCustomModuleRequest {
  // Required. Field mask is used to specify the fields to be overwritten in the
  // EventThreatDetectionCustomModule resource by the update.
// The fields specified in the update_mask are relative to the resource, not
  // the full request. A field will be overwritten if it is in the mask. If the
  // user does not provide a mask then all fields will be overwritten.
  // NOTE(review): the field is annotated REQUIRED, yet the sentence above
  // describes behavior when no mask is provided — confirm which applies.
  google.protobuf.FieldMask update_mask = 1
      [(google.api.field_behavior) = REQUIRED];

  // Required. The module being updated.
  EventThreatDetectionCustomModule event_threat_detection_custom_module = 2
      [(google.api.field_behavior) = REQUIRED];

  // Optional. When set to true, only validations (including IAM checks) will
  // be done for the request (module will not be updated). An OK response
  // indicates the request is valid while an error response indicates the
  // request is invalid. Note that a subsequent request to actually update the
  // module could still fail because:
  // 1. the state could have changed (e.g. IAM permission lost) or
  // 2. A failure occurred while trying to update the module.
  bool validate_only = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Message for deleting an EventThreatDetectionCustomModule.
message DeleteEventThreatDetectionCustomModuleRequest {
  // Required. The resource name of the ETD custom module.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  // * "folders/{folder}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  // * "projects/{project}/locations/{location}/eventThreatDetectionCustomModules/{event_threat_detection_custom_module}".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];

  // Optional. When set to true, only validations (including IAM checks) will
  // be done for the request (module will not be deleted). An OK response
  // indicates the request is valid while an error response indicates the
  // request is invalid. Note that a subsequent request to actually delete the
  // module could still fail because:
  // 1. the state could have changed (e.g. IAM permission lost) or
  // 2. A failure occurred while trying to delete the module.
  bool validate_only = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request to validate an Event Threat Detection custom module.
message ValidateEventThreatDetectionCustomModuleRequest {
  // Required. Resource name of the parent to validate the Custom Module under.
  //
  // Its format is:
  //
  // * "organizations/{organization}/locations/{location}".
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "securitycentermanagement.googleapis.com/EventThreatDetectionCustomModule"
    }
  ];

  // Required. The raw text of the module's contents. Used to generate error
  // messages.
  // NOTE(review): because this text feeds error messages, fragments of it may
  // be echoed back in `CustomModuleValidationError.description` — confirm.
  string raw_text = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The type of the module (e.g. CONFIGURABLE_BAD_IP).
  string type = 3 [(google.api.field_behavior) = REQUIRED];
}

// Response to validating an Event Threat Detection custom module.
message ValidateEventThreatDetectionCustomModuleResponse {
  // An error encountered while validating the uploaded configuration of an
  // Event Threat Detection Custom Module.
  message CustomModuleValidationError {
    // A description of the error, suitable for human consumption. Required.
    string description = 1;

    // The path, in RFC 6901 JSON Pointer format, to the field that failed
    // validation. This may be left empty if no specific field is affected.
    string field_path = 2;

    // The initial position of the error in the uploaded text version of the
    // module. This field may be omitted if no specific position applies, or if
    // one could not be computed.
    optional Position start = 3;

    // The end position of the error in the uploaded text version of the
    // module. This field may be omitted if no specific position applies, or if
    // one could not be computed.
    optional Position end = 4;
  }

  // A position in the uploaded text version of a module.
  // NOTE(review): whether line and column numbers are 0- or 1-based is not
  // stated here — confirm and document.
  message Position {
    // The line position in the text.
    int32 line_number = 1;

    // The column position in the line.
    int32 column_number = 2;
  }

  // A list of errors returned by the validator. If the list is empty, there
  // were no errors.
  // NOTE(review): field number 1 is unused in this message and not reserved;
  // confirm whether it was retired and should be declared `reserved 1;`.
  repeated CustomModuleValidationError errors = 2;
}
