feat: Add iam_binding field to findings attributes. It represents par…

…ticular IAM bindings, which captures a member's role addition, removal, or state

PiperOrigin-RevId: 439976914

google/cloud/securitycenter/v1/BUILD.bazel

@@ -58,6 +58,7 @@ proto_library(
         "finding.proto",
         "folder.proto",
         "indicator.proto",
+        "iam_binding.proto",
         "mitre_attack.proto",
         "mute_config.proto",
         "notification_config.proto",

google/cloud/securitycenter/v1/access.proto

@@ -16,11 +16,11 @@ syntax = "proto3";
 
 package google.cloud.securitycenter.v1;
 
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
 option java_multiple_files = true;
 option java_outer_classname = "AccessProto";
 option java_package = "com.google.cloud.securitycenter.v1";
-option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
 option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
 option ruby_package = "Google::Cloud::SecurityCenter::V1";
 

google/cloud/securitycenter/v1/bigquery_export.proto

@@ -81,21 +81,19 @@ message BigQueryExport {
   // Output only. The time at which the big query export was created.
   // This field is set by the server and will be ignored if provided on export
   // on creation.
-  google.protobuf.Timestamp create_time = 5
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Output only. The most recent time at which the big export was updated.
   // This field is set by the server and will be ignored if provided on export
   // creation or update.
-  google.protobuf.Timestamp update_time = 6
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp update_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. Email address of the user who last edited the big query
-  // export. This field is set by the server and will be ignored if provided on
-  // export creation or update.
+  // Output only. Email address of the user who last edited the big query export.
+  // This field is set by the server and will be ignored if provided on export
+  // creation or update.
   string most_recent_editor = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. The service account that needs permission to create table,
-  // upload data to the big query dataset.
+  // Output only. The service account that needs permission to create table, upload data to
+  // the big query dataset.
   string principal = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
 }

google/cloud/securitycenter/v1/external_system.proto

@@ -37,7 +37,8 @@ message ExternalSystem {
   };
 
   // External System Name e.g. jira, demisto, etc.
-  //  e.g.: `organizations/1234/sources/5678/findings/123456/externalSystems/jira`
+  //  e.g.:
+  //  `organizations/1234/sources/5678/findings/123456/externalSystems/jira`
   // `folders/1234/sources/5678/findings/123456/externalSystems/jira`
   // `projects/1234/sources/5678/findings/123456/externalSystems/jira`
   string name = 1;

google/cloud/securitycenter/v1/finding.proto

@@ -20,6 +20,7 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/securitycenter/v1/access.proto";
 import "google/cloud/securitycenter/v1/external_system.proto";
+import "google/cloud/securitycenter/v1/iam_binding.proto";
 import "google/cloud/securitycenter/v1/indicator.proto";
 import "google/cloud/securitycenter/v1/mitre_attack.proto";
 import "google/cloud/securitycenter/v1/security_marks.proto";
@@ -110,7 +111,7 @@ message Finding {
     MEDIUM = 3;
 
     // Vulnerability:
-    // A low risk vulnerability hampers a security organization’s ability to
+    // A low risk vulnerability hampers a security organization's ability to
     // detect vulnerabilities or active threats in their deployment, or prevents
     // the root cause investigation of security issues. An example is monitoring
     // and logs being disabled for resource configurations and access.
@@ -228,7 +229,7 @@ message Finding {
   // finding.
   string canonical_name = 14;
 
-  // Indicates the mute state of a finding (either unspecified, muted, unmuted
+  // Indicates the mute state of a finding (either muted, unmuted
   // or undefined). Unlike other attributes of a finding, a finding provider
   // shouldn't set the value of mute.
   Mute mute = 15;
@@ -249,13 +250,11 @@ message Finding {
   Vulnerability vulnerability = 20;
 
   // Output only. The most recent time this finding was muted or unmuted.
-  google.protobuf.Timestamp mute_update_time = 21
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp mute_update_time = 21 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. Third party SIEM/SOAR fields within SCC, contains external
-  // system information and external system finding fields.
-  map<string, ExternalSystem> external_systems = 22
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Third party SIEM/SOAR fields within SCC, contains external system
+  // information and external system finding fields.
+  map<string, ExternalSystem> external_systems = 22 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // MITRE ATT&CK tactics and techniques related to this finding.
   // See: https://attack.mitre.org
@@ -270,4 +269,7 @@ message Finding {
   // finding, etc. Unlike other attributes of a finding, a finding provider
   // shouldn't set the value of mute.
   string mute_initiator = 28;
+
+  // Represents IAM bindings associated with the Finding.
+  repeated IamBinding iam_bindings = 39;
 }

google/cloud/securitycenter/v1/iam_binding.proto

@@ -0,0 +1,52 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "IamBindingProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Represents a particular IAM binding, which captures a member's role addition,
+// removal, or state.
+message IamBinding {
+  // The type of action performed on a Binding in a policy.
+  enum Action {
+    // Unspecified.
+    ACTION_UNSPECIFIED = 0;
+
+    // Addition of a Binding.
+    ADD = 1;
+
+    // Removal of a Binding.
+    REMOVE = 2;
+  }
+
+  // The action that was performed on a Binding.
+  Action action = 1;
+
+  // Role that is assigned to "members".
+  // For example, "roles/viewer", "roles/editor", or "roles/owner".
+  string role = 2;
+
+  // A single identity requesting access for a Cloud Platform resource,
+  // e.g. "foo@google.com".
+  string member = 3;
+}

google/cloud/securitycenter/v1/indicator.proto

@@ -16,15 +16,14 @@ syntax = "proto3";
 
 package google.cloud.securitycenter.v1;
 
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
 option java_multiple_files = true;
 option java_outer_classname = "IndicatorProto";
 option java_package = "com.google.cloud.securitycenter.v1";
-option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
 option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
 option ruby_package = "Google::Cloud::SecurityCenter::V1";
 
-
 // Represents what's commonly known as an Indicator of compromise (IoC) in
 // computer forensics. This is an artifact observed on a network or in an
 // operating system that, with high confidence, indicates a computer intrusion.

google/cloud/securitycenter/v1/mitre_attack.proto

@@ -78,6 +78,7 @@ message MitreAttack {
 
   // MITRE ATT&CK techniques that can be referenced by SCC findings.
   // See: https://attack.mitre.org/techniques/enterprise/
+  // Next ID: 30
   enum Technique {
     // Unspecified value.
     TECHNIQUE_UNSPECIFIED = 0;
@@ -165,6 +166,9 @@ message MitreAttack {
 
     // T1556
     MODIFY_AUTHENTICATION_PROCESS = 28;
+
+    // T1485
+    DATA_DESTRUCTION = 29;
   }
 
   // The MITRE ATT&CK tactic most closely represented by this finding, if any.

google/cloud/securitycenter/v1/resource.proto

@@ -33,10 +33,16 @@ message Resource {
   // https://cloud.google.com/apis/design/resource_names#full_resource_name
   string name = 1;
 
+  // The human readable name of the resource.
+  string display_name = 8;
+
+  // The full resource type of the resource.
+  string type = 6;
+
   // The full resource name of project that the resource belongs to.
   string project = 2;
 
-  // The project id that the resource belongs to.
+  // The project ID that the resource belongs to.
   string project_display_name = 3;
 
   // The full resource name of resource's parent.
@@ -45,14 +51,8 @@ message Resource {
   // The human readable name of resource's parent.
   string parent_display_name = 5;
 
-  // The full resource type of the resource.
-  string type = 6;
-
   // Output only. Contains a Folder message for each folder in the assets ancestry.
   // The first folder is the deepest nested folder, and the last folder is the
   // folder directly under the Organization.
   repeated Folder folders = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
-
-  // The human readable name of the resource.
-  string display_name = 8;
 }

google/cloud/securitycenter/v1/securitycenter_service.proto

@@ -1574,10 +1574,16 @@ message ListFindingsResponse {
       // https://cloud.google.com/apis/design/resource_names#full_resource_name
       string name = 1;
 
+      // The human readable name of the resource.
+      string display_name = 8;
+
+      // The full resource type of the resource.
+      string type = 6;
+
       // The full resource name of project that the resource belongs to.
       string project_name = 2;
 
-      // The project id that the resource belongs to.
+      // The project ID that the resource belongs to.
       string project_display_name = 3;
 
       // The full resource name of resource's parent.
@@ -1586,16 +1592,10 @@ message ListFindingsResponse {
       // The human readable name of resource's parent.
       string parent_display_name = 5;
 
-      // The full resource type of the resource.
-      string type = 6;
-
       // Contains a Folder message for each folder in the assets ancestry.
       // The first folder is the deepest nested folder, and the last folder is
       // the folder directly under the Organization.
       repeated Folder folders = 7;
-
-      // The human readable name of the resource.
-      string display_name = 8;
     }
 
     // Finding matching the search request.
@@ -1765,7 +1765,7 @@ message UpdateSecurityMarksRequest {
   // The time at which the updated SecurityMarks take effect.
   // If not set uses current server time.  Updates will be applied to the
   // SecurityMarks that are active immediately preceding this time. Must be
-  // smaller or equal to the server time.
+  // earlier or equal to the server time.
   google.protobuf.Timestamp start_time = 3;
 }