feat: Add load balancer, log entry, org policy, database.version, exf…

…iltration.total_exfiltrated_bytes, file.disk_path, indicator.signature_type, and kubernetes.objects to finding's list of attributes PiperOrigin-RevId: 609614842
googleapis · Feb 23, 2024 · d2c86cf · d2c86cf
1 parent 4e6304c
commit d2c86cf
Show file tree

Hide file tree

Showing 12 changed files with 337 additions and 60 deletions.
diff --git a/google/cloud/securitycenter/v1/BUILD.bazel b/google/cloud/securitycenter/v1/BUILD.bazel
@@ -44,11 +44,14 @@ proto_library(
         "kernel_rootkit.proto",
         "kubernetes.proto",
         "label.proto",
+        "load_balancer.proto",
+        "log_entry.proto",
         "mitre_attack.proto",
         "mute_config.proto",
         "notification_config.proto",
         "notification_message.proto",
         "organization_settings.proto",
+        "org_policy.proto",
         "process.proto",
         "resource.proto",
         "run_asset_discovery_response.proto",

diff --git a/google/cloud/securitycenter/v1/database.proto b/google/cloud/securitycenter/v1/database.proto
@@ -31,12 +31,12 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 // name](https://google.aip.dev/122#full-resource-names) populated because these
 // resource types, such as Cloud SQL databases, are not yet supported by Cloud
 // Asset Inventory. In these cases only the display name is provided.
-// Some database resources may not have the [full resource
-// name](https://google.aip.dev/122#full-resource-names) populated because
-// these resource types are not yet supported by Cloud Asset Inventory (e.g.
-// Cloud SQL databases). In these cases only the display name will be
-// provided.
 message Database {
+  // Some database resources may not have the [full resource
+  // name](https://google.aip.dev/122#full-resource-names) populated because
+  // these resource types are not yet supported by Cloud Asset Inventory (e.g.
+  // Cloud SQL databases). In these cases only the display name will be
+  // provided.
   // The [full resource name](https://google.aip.dev/122#full-resource-names) of
   // the database that the user connected to, if it is supported by Cloud Asset
   // Inventory.
@@ -55,4 +55,9 @@ message Database {
   // The target usernames, roles, or groups of an SQL privilege grant, which is
   // not an IAM policy change.
   repeated string grantees = 5;
+
+  // The version of the database, for example, POSTGRES_14.
+  // See [the complete
+  // list](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1/SqlDatabaseVersion).
+  string version = 6;
 }
diff --git a/google/cloud/securitycenter/v1/exfiltration.proto b/google/cloud/securitycenter/v1/exfiltration.proto
@@ -37,6 +37,9 @@ message Exfiltration {
   // If there are multiple targets, each target would get a complete copy of the
   // "joined" source data.
   repeated ExfilResource targets = 2;
+
+  // Total exfiltrated bytes processed for the entire job.
+  int64 total_exfiltrated_bytes = 3;
 }
 
 // Resource where data was exfiltrated from or exfiltrated to.

diff --git a/google/cloud/securitycenter/v1/file.proto b/google/cloud/securitycenter/v1/file.proto
@@ -27,6 +27,17 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 // File information about the related binary/library used by an executable, or
 // the script used by a script interpreter
 message File {
+  // Path of the file in terms of underlying disk/partition identifiers.
+  message DiskPath {
+    // UUID of the partition (format
+    // https://wiki.archlinux.org/title/persistent_block_device_naming#by-uuid)
+    string partition_uuid = 1;
+
+    // Relative path of the file in the partition as a JSON encoded string.
+    // Example: /home/user1/executable_file.sh
+    string relative_path = 2;
+  }
+
   // Absolute path of the file as a JSON encoded string.
   string path = 1;
 
@@ -48,4 +59,7 @@ message File {
 
   // Prefix of the file contents as a JSON-encoded string.
   string contents = 6;
+
+  // Path of the file in terms of underlying disk/partition identifiers.
+  DiskPath disk_path = 7;
 }
diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto
@@ -35,7 +35,10 @@ import "google/cloud/securitycenter/v1/iam_binding.proto";
 import "google/cloud/securitycenter/v1/indicator.proto";
 import "google/cloud/securitycenter/v1/kernel_rootkit.proto";
 import "google/cloud/securitycenter/v1/kubernetes.proto";
+import "google/cloud/securitycenter/v1/load_balancer.proto";
+import "google/cloud/securitycenter/v1/log_entry.proto";
 import "google/cloud/securitycenter/v1/mitre_attack.proto";
+import "google/cloud/securitycenter/v1/org_policy.proto";
 import "google/cloud/securitycenter/v1/process.proto";
 import "google/cloud/securitycenter/v1/security_marks.proto";
 import "google/cloud/securitycenter/v1/vulnerability.proto";
@@ -362,9 +365,18 @@ message Finding {
   // Signature of the kernel rootkit.
   KernelRootkit kernel_rootkit = 50;
 
+  // Contains information about the org policies associated with the finding.
+  repeated OrgPolicy org_policies = 51;
+
   // Represents an application associated with the finding.
   Application application = 53;
 
   // Fields related to Backup and DR findings.
   BackupDisasterRecovery backup_disaster_recovery = 55;
+
+  // Log entries that are relevant to the finding.
+  repeated LogEntry log_entries = 57;
+
+  // The load balancers associated with the finding.
+  repeated LoadBalancer load_balancers = 58;
 }
diff --git a/google/cloud/securitycenter/v1/indicator.proto b/google/cloud/securitycenter/v1/indicator.proto
@@ -59,13 +59,28 @@ message Indicator {
       string yara_rule = 5;
     }
 
+    // Possible resource types to be associated with a signature.
+    enum SignatureType {
+      // The default signature type.
+      SIGNATURE_TYPE_UNSPECIFIED = 0;
+
+      // Used for signatures concerning processes.
+      SIGNATURE_TYPE_PROCESS = 1;
+
+      // Used for signatures concerning disks.
+      SIGNATURE_TYPE_FILE = 2;
+    }
+
     oneof signature {
       // Signature indicating that a binary family was matched.
       MemoryHashSignature memory_hash_signature = 6;
 
       // Signature indicating that a YARA rule was matched.
       YaraRuleSignature yara_rule_signature = 7;
     }
+
+    // Describes the type of resource associated with the signature.
+    SignatureType signature_type = 8;
   }
 
   // The list of IP addresses that are associated with the finding.

diff --git a/google/cloud/securitycenter/v1/kubernetes.proto b/google/cloud/securitycenter/v1/kubernetes.proto
@@ -158,6 +158,29 @@ message Kubernetes {
     string version = 7;
   }
 
+  // Kubernetes object related to the finding, uniquely identified by GKNN.
+  // Used if the object Kind is not one of Pod, Node, NodePool, Binding, or
+  // AccessReview.
+  message Object {
+    // Kubernetes object group, such as "policy.k8s.io/v1".
+    string group = 1;
+
+    // Kubernetes object kind, such as "Namespace".
+    string kind = 2;
+
+    // Kubernetes object namespace. Must be a valid DNS label. Named
+    // "ns" to avoid collision with C++ namespace keyword. For details see
+    // https://kubernetes.io/docs/tasks/administer-cluster/namespaces/.
+    string ns = 3;
+
+    // Kubernetes object name. For details see
+    // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/.
+    string name = 4;
+
+    // Pod containers associated with this finding, if any.
+    repeated Container containers = 5;
+  }
+
   // Kubernetes
   // [Pods](https://cloud.google.com/kubernetes-engine/docs/concepts/pod)
   // associated with the finding. This field contains Pod records for each
@@ -187,4 +210,7 @@ message Kubernetes {
   // Provides information on any Kubernetes access reviews (privilege checks)
   // relevant to the finding.
   repeated AccessReview access_reviews = 6;
+
+  // Kubernetes objects related to the finding.
+  repeated Object objects = 7;
 }
diff --git a/google/cloud/securitycenter/v1/load_balancer.proto b/google/cloud/securitycenter/v1/load_balancer.proto
@@ -0,0 +1,32 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
+option java_multiple_files = true;
+option java_outer_classname = "LoadBalancerProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Contains information related to the load balancer associated with the
+// finding.
+message LoadBalancer {
+  // The name of the load balancer associated with the finding.
+  string name = 1;
+}
diff --git a/google/cloud/securitycenter/v1/log_entry.proto b/google/cloud/securitycenter/v1/log_entry.proto
@@ -0,0 +1,55 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
+option java_multiple_files = true;
+option java_outer_classname = "LogEntryProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// An individual entry in a log.
+message LogEntry {
+  oneof log_entry {
+    // An individual entry in a log stored in Cloud Logging.
+    CloudLoggingEntry cloud_logging_entry = 1;
+  }
+}
+
+// Metadata taken from a [Cloud Logging
+// LogEntry](https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry)
+message CloudLoggingEntry {
+  // A unique identifier for the log entry.
+  string insert_id = 1;
+
+  // The type of the log (part of `log_name`. `log_name` is the resource name of
+  // the log to which this log entry belongs). For example:
+  // `cloudresourcemanager.googleapis.com/activity`. Note that this field is not
+  // URL-encoded, unlike the `LOG_ID` field in `LogEntry`.
+  string log_id = 2;
+
+  // The organization, folder, or project of the monitored resource that
+  // produced this log entry.
+  string resource_container = 3;
+
+  // The time the event described by the log entry occurred.
+  google.protobuf.Timestamp timestamp = 4;
+}