feat: Add compliances, processes and exfiltration fields to findings attributes. They contain compliance information about a security standard indicating unmet recommendations, represents operating system processes, and data exfiltration attempt of one or more source(s) to one or more target(s). Source(s) represent the source of data that is exfiltrated, and Target(s) represents the destination the data was copied to

Google APIs · copybara-github · commit 5bfadd980c36 · 2022-05-31T09:34:48.000-07:00
PiperOrigin-RevId: 452067806
diff --git a/google/cloud/securitycenter/v1/BUILD.bazel b/google/cloud/securitycenter/v1/BUILD.bazel
@@ -54,8 +54,11 @@ proto_library(
         "access.proto",
         "asset.proto",
         "bigquery_export.proto",
+        "compliance.proto",
         "connection.proto",
+        "exfiltration.proto",
         "external_system.proto",
+        "file.proto",
         "finding.proto",
         "folder.proto",
         "iam_binding.proto",
@@ -65,6 +68,7 @@ proto_library(
         "notification_config.proto",
         "notification_message.proto",
         "organization_settings.proto",
+        "process.proto",
         "resource.proto",
         "run_asset_discovery_response.proto",
         "security_marks.proto",
diff --git a/google/cloud/securitycenter/v1/compliance.proto b/google/cloud/securitycenter/v1/compliance.proto
@@ -0,0 +1,39 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ComplianceProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Contains compliance information about a security standard indicating unmet
+// recommendations.
+message Compliance {
+  // Refers to industry wide standards or benchmarks e.g. "cis", "pci", "owasp",
+  // etc.
+  string standard = 1;
+
+  // Version of the standard/benchmark e.g. 1.1
+  string version = 2;
+
+  // Policies within the standard/benchmark e.g. A.12.4.1
+  repeated string ids = 3;
+}
diff --git a/google/cloud/securitycenter/v1/exfiltration.proto b/google/cloud/securitycenter/v1/exfiltration.proto
@@ -0,0 +1,52 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ExfiltrationProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Exfiltration represents a data exfiltration attempt of one or more
+// sources to one or more targets.  Sources represent the source
+// of data that is exfiltrated, and Targets represents the destination the
+// data was copied to.
+message Exfiltration {
+  // If there are multiple sources, then the data is considered "joined" between
+  // them. For instance, BigQuery can join multiple tables, and each
+  // table would be considered a source.
+  repeated ExfilResource sources = 1;
+
+  // If there are multiple targets, each target would get a complete copy of the
+  // "joined" source data.
+  repeated ExfilResource targets = 2;
+}
+
+// Resource that has been exfiltrated or exfiltrated_to.
+message ExfilResource {
+  // Resource's URI (https://google.aip.dev/122#full-resource-names)
+  string name = 1;
+
+  // Subcomponents of the asset that is exfiltrated - these could be
+  // URIs used during exfiltration, table names, databases, filenames, etc.
+  // For example, multiple tables may be exfiltrated from the same CloudSQL
+  // instance, or multiple files from the same Cloud Storage bucket.
+  repeated string components = 2;
+}
diff --git a/google/cloud/securitycenter/v1/file.proto b/google/cloud/securitycenter/v1/file.proto
@@ -0,0 +1,52 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "FileProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// File information about the related binary/library used by an executable, or
+// the script used by a script interpreter
+message File {
+  // Absolute path of the file as a JSON encoded string.
+  string path = 1;
+
+  // Size of the file in bytes.
+  int64 size = 2;
+
+  // SHA256 hash of the first hashed_size bytes of the file encoded as a
+  // hex string.  If hashed_size == size, hash_sha256 represents the SHA256 hash
+  // of the entire file.
+  string sha256 = 3;
+
+  // The length in bytes of the file prefix that was hashed.  If
+  // hashed_size == size, any hashes reported represent the entire
+  // file.
+  int64 hashed_size = 4;
+
+  // True when the hash covers only a prefix of the file.
+  bool partially_hashed = 5;
+
+  // Prefix of the file contents as a JSON encoded string.
+  // (Currently only populated for Malicious Script Executed findings.)
+  string contents = 6;
+}
diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto
@@ -19,11 +19,14 @@ package google.cloud.securitycenter.v1;
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/securitycenter/v1/access.proto";
+import "google/cloud/securitycenter/v1/compliance.proto";
 import "google/cloud/securitycenter/v1/connection.proto";
+import "google/cloud/securitycenter/v1/exfiltration.proto";
 import "google/cloud/securitycenter/v1/external_system.proto";
 import "google/cloud/securitycenter/v1/iam_binding.proto";
 import "google/cloud/securitycenter/v1/indicator.proto";
 import "google/cloud/securitycenter/v1/mitre_attack.proto";
+import "google/cloud/securitycenter/v1/process.proto";
 import "google/cloud/securitycenter/v1/security_marks.proto";
 import "google/cloud/securitycenter/v1/vulnerability.proto";
 import "google/protobuf/struct.proto";
@@ -251,11 +254,13 @@ message Finding {
   Vulnerability vulnerability = 20;
 
   // Output only. The most recent time this finding was muted or unmuted.
-  google.protobuf.Timestamp mute_update_time = 21 [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp mute_update_time = 21
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. Third party SIEM/SOAR fields within SCC, contains external system
-  // information and external system finding fields.
-  map<string, ExternalSystem> external_systems = 22 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Third party SIEM/SOAR fields within SCC, contains external
+  // system information and external system finding fields.
+  map<string, ExternalSystem> external_systems = 22
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // MITRE ATT&CK tactics and techniques related to this finding.
   // See: https://attack.mitre.org
@@ -274,9 +279,19 @@ message Finding {
   // shouldn't set the value of mute.
   string mute_initiator = 28;
 
+  // Represents operating system processes associated with the Finding.
+  repeated Process processes = 30;
+
+  // Contains compliance information for security standards associated to the
+  // finding.
+  repeated Compliance compliances = 34;
+
   // Contains more detail about the finding.
   string description = 37;
 
+  // Represents exfiltration associated with the Finding.
+  Exfiltration exfiltration = 38;
+
   // Represents IAM bindings associated with the Finding.
   repeated IamBinding iam_bindings = 39;
 
diff --git a/google/cloud/securitycenter/v1/mitre_attack.proto b/google/cloud/securitycenter/v1/mitre_attack.proto
@@ -78,7 +78,6 @@ message MitreAttack {
 
   // MITRE ATT&CK techniques that can be referenced by SCC findings.
   // See: https://attack.mitre.org/techniques/enterprise/
-  // Next ID: 31
   enum Technique {
     // Unspecified value.
     TECHNIQUE_UNSPECIFIED = 0;
@@ -172,6 +171,9 @@ message MitreAttack {
 
     // T1484
     DOMAIN_POLICY_MODIFICATION = 30;
+
+    // T1562
+    IMPAIR_DEFENSES = 31;
   }
 
   // The MITRE ATT&CK tactic most closely represented by this finding, if any.
diff --git a/google/cloud/securitycenter/v1/process.proto b/google/cloud/securitycenter/v1/process.proto
@@ -0,0 +1,70 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/cloud/securitycenter/v1/file.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ProcessProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Represents an operating system process.
+message Process {
+  // File information for the process executable.
+  File binary = 3;
+
+  // File information for libraries loaded by the process.
+  repeated File libraries = 4;
+
+  // When the process represents the invocation of a script,
+  // `binary` provides information about the interpreter while `script`
+  // provides information about the script file provided to the
+  // interpreter.
+  File script = 5;
+
+  // Process arguments as JSON encoded strings.
+  repeated string args = 6;
+
+  // True if `args` is incomplete.
+  bool arguments_truncated = 7;
+
+  // Process environment variables.
+  repeated EnvironmentVariable env_variables = 8;
+
+  // True if `env_variables` is incomplete.
+  bool env_variables_truncated = 9;
+
+  // The process id.
+  int64 pid = 10;
+
+  // The parent process id.
+  int64 parent_pid = 11;
+}
+
+// EnvironmentVariable is a name-value pair to store environment variables for
+// Process.
+message EnvironmentVariable {
+  // Environment variable name as a JSON encoded string.
+  string name = 1;
+
+  // Environment variable value as a JSON encoded string.
+  string val = 2;
+}
diff --git a/google/cloud/securitycenter/v1/securitycenter_v1.yaml b/google/cloud/securitycenter/v1/securitycenter_v1.yaml
@@ -5,6 +5,7 @@ title: Security Command Center API
 
 apis:
 - name: google.cloud.securitycenter.v1.SecurityCenter
+- name: google.longrunning.Operations
 
 types:
 - name: google.cloud.securitycenter.v1.BigQueryExport
