From 7fdec62959f080693e8e137c7772970cb45ecffd Mon Sep 17 00:00:00 2001
From: Google APIs
Date: Fri, 1 Jul 2022 13:49:33 -0700
Subject: [PATCH] feat: Added contacts field to findings attributes, specifying Essential Contacts defined at org, folder or project level within a GCP org feat: Added process signature fields to the indicator attribute that helps surface multiple types of signature defined IOCs
PiperOrigin-RevId: 458537238
---
 google/cloud/securitycenter/v1/BUILD.bazel | 1 +
 .../securitycenter/v1/contact_details.proto | 37 ++++++++++++++++
 google/cloud/securitycenter/v1/file.proto | 2 +-
 google/cloud/securitycenter/v1/finding.proto | 30 ++++++++++---
 .../cloud/securitycenter/v1/indicator.proto | 42 +++++++++++++++++++
 google/cloud/securitycenter/v1/process.proto | 4 ++
 6 files changed, 109 insertions(+), 7 deletions(-)
 create mode 100644 google/cloud/securitycenter/v1/contact_details.proto
diff --git a/google/cloud/securitycenter/v1/BUILD.bazel b/google/cloud/securitycenter/v1/BUILD.bazel
index 10d238aef31c3..c3cf9dfba151f 100644
--- a/google/cloud/securitycenter/v1/BUILD.bazel
+++ b/google/cloud/securitycenter/v1/BUILD.bazel
@@ -56,6 +56,7 @@ proto_library(
 "bigquery_export.proto",
 "compliance.proto",
 "connection.proto",
+ "contact_details.proto",
 "exfiltration.proto",
 "external_system.proto",
 "file.proto",
diff --git a/google/cloud/securitycenter/v1/contact_details.proto b/google/cloud/securitycenter/v1/contact_details.proto
new file mode 100644
index 0000000000000..c282d325b692b
--- /dev/null
+++ b/google/cloud/securitycenter/v1/contact_details.proto
@@ -0,0 +1,37 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ContactDetailsProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// The details pertaining to specific contacts
+message ContactDetails {
+ // A list of contacts
+ repeated Contact contacts = 1;
+}
+
+// Representa a single contact's email address
+message Contact {
+ // An email address e.g. "person123@company.com"
+ string email = 1;
+}
diff --git a/google/cloud/securitycenter/v1/file.proto b/google/cloud/securitycenter/v1/file.proto
index 97ba1d0bde35a..d802dda6ebf42 100644
--- a/google/cloud/securitycenter/v1/file.proto
+++ b/google/cloud/securitycenter/v1/file.proto
@@ -34,7 +34,7 @@ message File {
 int64 size = 2;
 // SHA256 hash of the first hashed_size bytes of the file encoded as a
- // hex string. If hashed_size == size, hash_sha256 represents the SHA256 hash
+ // hex string. If hashed_size == size, sha256 represents the SHA256 hash
 // of the entire file.
 string sha256 = 3;
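Review bot: The leading comment on `Contact` has a typo and no terminating period; `// Representa a single contact's email address` should read `// Represents a single contact's email address.`, and the `ContactDetails`, `contacts` and `email` comments also lack periods. Because `email` is a plain `string`, the schema cannot constrain its format; a sentence on `email` saying that the value is the address as configured in Essential Contacts and is not validated by this API would tell consumers not to assume it is well-formed. It would also help to state on `contacts` that the list may be empty, since proto3 repeated fields have no presence and an empty `ContactDetails` is indistinguishable from an absent one.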
diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto
index e43a90c285edd..70aa90e995234 100644
--- a/google/cloud/securitycenter/v1/finding.proto
+++ b/google/cloud/securitycenter/v1/finding.proto
@@ -21,6 +21,7 @@ import "google/api/resource.proto";
 import "google/cloud/securitycenter/v1/access.proto";
 import "google/cloud/securitycenter/v1/compliance.proto";
 import "google/cloud/securitycenter/v1/connection.proto";
+import "google/cloud/securitycenter/v1/contact_details.proto";
 import "google/cloud/securitycenter/v1/exfiltration.proto";
 import "google/cloud/securitycenter/v1/external_system.proto";
 import "google/cloud/securitycenter/v1/iam_binding.proto";
@@ -254,13 +255,11 @@ message Finding {
 Vulnerability vulnerability = 20;
 // Output only. The most recent time this finding was muted or unmuted.
- google.protobuf.Timestamp mute_update_time = 21
- [(google.api.field_behavior) = OUTPUT_ONLY];
+ google.protobuf.Timestamp mute_update_time = 21 [(google.api.field_behavior) = OUTPUT_ONLY];
- // Output only. Third party SIEM/SOAR fields within SCC, contains external
- // system information and external system finding fields.
- map external_systems = 22
- [(google.api.field_behavior) = OUTPUT_ONLY];
+ // Output only. Third party SIEM/SOAR fields within SCC, contains external system
+ // information and external system finding fields.
+ map external_systems = 22 [(google.api.field_behavior) = OUTPUT_ONLY];
 // MITRE ATT&CK tactics and techniques related to this finding.
 // See: https://attack.mitre.org
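Review bot: The reflowed `mute_update_time` and `external_systems` declarations in the second hunk now run well past 80 columns, while the removed lines had kept the `[(google.api.field_behavior) = OUTPUT_ONLY]` annotation on its own continuation line, so this looks like a formatter regression rather than an intended style change. The comment above `external_systems` was likewise re-wrapped to a longer first line for no visible reason. If this file is exported from an internal source, it is worth checking that the export is still passed through `buf format` or `clang-format` so the public copy stays consistent with the surrounding file. The `Finding` message continues outside the hunk.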
@@ -282,6 +281,25 @@ message Finding {
 // Represents operating system processes associated with the Finding.
 repeated Process processes = 30;
+ // Output only. Map containing the point of contacts for the given finding. The key
+ // represents the type of contact, while the value contains a list of all the
+ // contacts that pertain. Please refer to:
+ // https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories
+ //
+ // {
+ // "security": {
+ // "contacts": [
+ // {
+ // "email": "person1@company.com"
+ // },
+ // {
+ // "email": "person2@company.com"
+ // }
+ // ]
+ // }
+ // }
+ map contacts = 33 [(google.api.field_behavior) = OUTPUT_ONLY];
+
 // Contains compliance information for security standards associated to the
 // finding.
 repeated Compliance compliances = 34;
diff --git a/google/cloud/securitycenter/v1/indicator.proto b/google/cloud/securitycenter/v1/indicator.proto
index 9223477644766..e14e57abc05b4 100644
--- a/google/cloud/securitycenter/v1/indicator.proto
+++ b/google/cloud/securitycenter/v1/indicator.proto
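Review bot: The `contacts` comment only links to the key vocabulary and never says in words what the key is; a sentence such as `// The key is the Essential Contacts notification category (for example "security"); the value lists the contacts configured for that category.` makes the JSON sample self-explanatory without a lookup. It should also say what a consumer sees when no Essential Contacts are configured for the finding's resource (presumably an empty map, since proto3 maps have no presence), because an empty map and an absent one cannot be distinguished. Each value carries email addresses, and findings are presumably forwarded to third-party systems via the `external_systems` integrations and exports declared elsewhere in this package, so this field adds personal data to every finding payload; a sentence flagging that for integrators would be useful. The `Finding` message continues outside the hunk.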
@@ -29,9 +29,51 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 // operating system that, with high confidence, indicates a computer intrusion.
 // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
 message Indicator {
+ // Indicates what signature matched this process.
+ message ProcessSignature {
+ // A signature corresponding to memory page hashes.
+ message MemoryHashSignature {
+ // Memory hash detection contributing to the binary family match.
+ message Detection {
+ // The name of the binary associated with the memory hash
+ // signature detection.
+ string binary = 2;
+
+ // The percentage of memory page hashes in the signature
+ // that were matched.
+ double percent_pages_matched = 3;
+ }
+
+ // The binary family.
+ string binary_family = 1;
+
+ // The list of memory hash detections contributing to the binary family
+ // match.
+ repeated Detection detections = 4;
+ }
+
+ // A signature corresponding to a YARA rule.
+ message YaraRuleSignature {
+ // The name of the YARA rule.
+ string yara_rule = 5;
+ }
+
+ oneof signature {
+ // Signature indicating that a binary family was matched.
+ MemoryHashSignature memory_hash_signature = 6;
+
+ // Signature indicating that a YARA rule was matched.
+ YaraRuleSignature yara_rule_signature = 7;
+ }
+ }
+
 // List of ip addresses associated to the Finding.
 repeated string ip_addresses = 1;
 // List of domains associated to the Finding.
 repeated string domains = 2;
+
+ // The list of matched signatures indicating that the given
+ // process is present in the environment.
+ repeated ProcessSignature signatures = 3;
 }
diff --git a/google/cloud/securitycenter/v1/process.proto b/google/cloud/securitycenter/v1/process.proto
index 185f0467fe0b1..480714be47d12 100644
--- a/google/cloud/securitycenter/v1/process.proto
+++ b/google/cloud/securitycenter/v1/process.proto
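Review bot: `percent_pages_matched` is documented only as "the percentage of memory page hashes ... that were matched" with no scale, so a consumer cannot tell whether a full match arrives as `1.0` or `100.0`; the comment should pin it, e.g. `// that were matched, as a value in [0, 100].` with whichever range the producer actually emits. The field numbers in the nested messages (`binary = 2`, `percent_pages_matched = 3`, `binary_family = 1`, `detections = 4`, `yara_rule = 5`, oneof members 6 and 7) appear to be drawn from one sequence across `ProcessSignature`, `MemoryHashSignature`, `YaraRuleSignature` and `Detection`; that is legal because numbers are scoped per message, but the resulting gaps (`Detection` has no 1, `YaraRuleSignature` starts at 5) will read as deleted fields to the next maintainer, so either a one-line comment on `ProcessSignature` explaining the numbering scheme or explicit `reserved` entries would avoid wrong assumptions. `Indicator` is the message being extended here, so the `signatures` comment's "the given process" is slightly off; something like `// Matched signatures indicating that a process of this kind is present in the environment.` would read more accurately, assuming that is the intended meaning.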
@@ -28,6 +28,10 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 // Represents an operating system process.
 message Process {
+ // The process name visible in utilities like `top` and `ps`; it can
+ // be accessed via `/proc/[pid]/comm` and changed with `prctl(PR_SET_NAME)`.
+ string name = 12;
+
 // File information for the process executable.
 File binary = 3;
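Review bot: The new `name` comment correctly notes that the value can be changed with `prctl(PR_SET_NAME)`, but it does not draw the conclusion for consumers: the name is self-reported by the process itself, so detection rules, allowlists or triage logic built on findings should key on the executable identity in `binary` (a `File`, which carries a `sha256` per file.proto) rather than on `name`. Appending `// The name is self-reported by the process; use binary to identify the executable.` to the comment would make that explicit. If the producer copies the kernel comm value verbatim, the field is also truncated to the comm length limit (16 bytes including the terminator on Linux), which callers comparing against full program names should be told about. The `Process` message continues outside the hunk.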