feat: [securitycenter] enable Dynamic Mute (#5602)

* feat: enable Dynamic Mute
feat: New values `EXPLOITATION_FOR_PRIVILEGE_ESCALATION` corresponding to T1068 and `INDICATOR_REMOVAL_FILE_DELETION` corresponding to T1070.004 are added to enum `Technique`
docs: T1068 is added for value `EXPLOITATION_FOR_PRIVILEGE_ESCALATION` and T1070.004 is added for value `INDICATOR_REMOVAL_FILE_DELETION` for enum `Technique

PiperOrigin-RevId: 659656285

Source-Link: googleapis/googleapis@ae59394

Source-Link: googleapis/googleapis-gen@1a6022a
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLXNlY3VyaXR5Y2VudGVyLy5Pd2xCb3QueWFtbCIsImgiOiIxYTYwMjJhNTFiYzIxMDI3MmI0YTBhMmJhNzZlNWE0NGU4Y2Y4Y2M2In0=

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1/finding.proto

@@ -196,6 +196,41 @@ message Finding {
     TOXIC_COMBINATION = 7;
   }
 
+  // Mute information about the finding, including whether the finding has a
+  // static mute or any matching dynamic mute rules.
+  message MuteInfo {
+    // Information about the static mute state. A static mute state overrides
+    // any dynamic mute rules that apply to this finding. The static mute state
+    // can be set by a static mute rule or by muting the finding directly.
+    message StaticMute {
+      // The static mute state. If the value is `MUTED` or `UNMUTED`, then the
+      // finding's overall mute state will have the same value.
+      Mute state = 1;
+
+      // When the static mute was applied.
+      google.protobuf.Timestamp apply_time = 2;
+    }
+
+    // The record of a dynamic mute rule that matches the finding.
+    message DynamicMuteRecord {
+      // The relative resource name of the mute rule, represented by a mute
+      // config, that created this record, for example
+      // `organizations/123/muteConfigs/mymuteconfig` or
+      // `organizations/123/locations/global/muteConfigs/mymuteconfig`.
+      string mute_config = 1;
+
+      // When the dynamic mute rule first matched the finding.
+      google.protobuf.Timestamp match_time = 2;
+    }
+
+    // If set, the static mute applied to this finding. Static mutes override
+    // dynamic mutes. If unset, there is no static mute.
+    StaticMute static_mute = 1;
+
+    // The list of dynamic mute rules that currently match the finding.
+    repeated DynamicMuteRecord dynamic_mute_records = 2;
+  }
+
   // The [relative resource
   // name](https://cloud.google.com/apis/design/resource_names#relative_resource_name)
   // of the finding. Example:
@@ -312,6 +347,9 @@ message Finding {
   // that muted the finding and the user who muted the finding.
   string mute_initiator = 28;
 
+  // Output only. The mute information regarding this finding.
+  MuteInfo mute_info = 61 [(google.api.field_behavior) = OUTPUT_ONLY];
+
   // Represents operating system processes associated with the Finding.
   repeated Process processes = 30;
 

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1/mitre_attack.proto

@@ -78,7 +78,7 @@ message MitreAttack {
 
   // MITRE ATT&CK techniques that can be referenced by SCC findings.
   // See: https://attack.mitre.org/techniques/enterprise/
-  // Next ID: 63
+  // Next ID: 65
   enum Technique {
     // Unspecified value.
     TECHNIQUE_UNSPECIFIED = 0;
@@ -110,12 +110,18 @@ message MitreAttack {
     // T1059.006
     PYTHON = 59;
 
+    // T1068
+    EXPLOITATION_FOR_PRIVILEGE_ESCALATION = 63;
+
     // T1069
     PERMISSION_GROUPS_DISCOVERY = 18;
 
     // T1069.003
     CLOUD_GROUPS = 19;
 
+    // T1070.004
+    INDICATOR_REMOVAL_FILE_DELETION = 64;
+
     // T1071
     APPLICATION_LAYER_PROTOCOL = 45;
 

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1/mute_config.proto

@@ -43,6 +43,25 @@ message MuteConfig {
     singular: "muteConfig"
   };
 
+  // The type of MuteConfig.
+  enum MuteConfigType {
+    // Unused.
+    MUTE_CONFIG_TYPE_UNSPECIFIED = 0;
+
+    // A static mute config, which sets the static mute state of future matching
+    // findings to muted. Once the static mute state has been set, finding or
+    // config modifications will not affect the state.
+    STATIC = 1;
+
+    // A dynamic mute config, which is applied to existing and future matching
+    // findings, setting their dynamic mute state to "muted". If the config is
+    // updated or deleted, or a matching finding is updated, such that the
+    // finding doesn't match the config, the config will be removed from the
+    // finding, and the finding's dynamic mute state may become "unmuted"
+    // (unless other configs still match).
+    DYNAMIC = 2;
+  }
+
   // This field will be ignored if provided on config creation. Format
   // `organizations/{organization}/muteConfigs/{mute_config}`
   // `folders/{folder}/muteConfigs/{mute_config}`
@@ -96,4 +115,16 @@ message MuteConfig {
   // This field is set by the server and will be ignored if provided on config
   // creation or update.
   string most_recent_editor = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. The type of the mute config, which determines what type of mute
+  // state the config affects. The static mute state takes precedence over the
+  // dynamic mute state. Immutable after creation. STATIC by default if not set
+  // during creation.
+  MuteConfigType type = 8 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The expiry of the mute config. Only applicable for dynamic
+  // configs. If the expiry is set, when the config expires, it is removed from
+  // all findings.
+  google.protobuf.Timestamp expiry_time = 9
+      [(google.api.field_behavior) = OPTIONAL];
 }

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1/securitycenter_service.proto

@@ -1092,6 +1092,18 @@ service SecurityCenter {
 // which they get executed is not defined.
 // 2. Once a bulk operation is started, there is no way to stop it.
 message BulkMuteFindingsRequest {
+  // The mute state.
+  enum MuteState {
+    // Unused.
+    MUTE_STATE_UNSPECIFIED = 0;
+
+    // Matching findings will be muted (default).
+    MUTED = 1;
+
+    // Matching findings will have their mute state cleared.
+    UNDEFINED = 2;
+  }
+
   // Required. The parent, at which bulk action needs to be applied. Its format
   // is `organizations/[organization_id]`, `folders/[folder_id]`,
   // `projects/[project_id]`.
@@ -1125,6 +1137,11 @@ message BulkMuteFindingsRequest {
   // This can be a mute configuration name or any identifier for mute/unmute
   // of findings based on the filter.
   string mute_annotation = 3 [deprecated = true];
+
+  // Optional. All findings matching the given filter will have their mute state
+  // set to this value. The default value is `MUTED`. Setting this to
+  // `UNDEFINED` will clear the mute state on all matching findings.
+  MuteState mute_state = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // The response to a BulkMute request. Contains the LRO information.
@@ -2982,9 +2999,9 @@ message DeleteEventThreatDetectionCustomModuleRequest {
   //
   // Its format is:
   //
-  // * "organizations/{organization}/eventThreatDetectionSettings/customModules/{module}".
-  // * "folders/{folder}/eventThreatDetectionSettings/customModules/{module}".
-  // * "projects/{project}/eventThreatDetectionSettings/customModules/{module}".
+  // * `organizations/{organization}/eventThreatDetectionSettings/customModules/{module}`.
+  // * `folders/{folder}/eventThreatDetectionSettings/customModules/{module}`.
+  // * `projects/{project}/eventThreatDetectionSettings/customModules/{module}`.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1/vulnerability.proto

@@ -119,6 +119,9 @@ message Cve {
   // Whether or not the vulnerability was zero day when the finding was
   // published.
   bool zero_day = 8;
+
+  // Date the first publicly available exploit or PoC was released.
+  google.protobuf.Timestamp exploit_release_date = 9;
 }
 
 // Additional Links