feat: Added contacts field to findings attributes, specifying Essential Contacts defined at org, folder or project level within a GCP org

Google APIs · copybara-github · commit 7fdec62959f0 · 2022-07-01T13:50:19.000-07:00
feat: Added process signature fields to the indicator attribute that helps surface multiple types of signature defined IOCs

PiperOrigin-RevId: 458537238
diff --git a/google/cloud/securitycenter/v1/BUILD.bazel b/google/cloud/securitycenter/v1/BUILD.bazel
@@ -56,6 +56,7 @@ proto_library(
         "bigquery_export.proto",
         "compliance.proto",
         "connection.proto",
+        "contact_details.proto",
         "exfiltration.proto",
         "external_system.proto",
         "file.proto",
diff --git a/google/cloud/securitycenter/v1/contact_details.proto b/google/cloud/securitycenter/v1/contact_details.proto
@@ -0,0 +1,37 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ContactDetailsProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// The details pertaining to specific contacts
+message ContactDetails {
+  // A list of contacts
+  repeated Contact contacts = 1;
+}
+
+// Representa a single contact's email address
+message Contact {
+  // An email address e.g. "person123@company.com"
+  string email = 1;
+}
diff --git a/google/cloud/securitycenter/v1/file.proto b/google/cloud/securitycenter/v1/file.proto
@@ -34,7 +34,7 @@ message File {
   int64 size = 2;
 
   // SHA256 hash of the first hashed_size bytes of the file encoded as a
-  // hex string.  If hashed_size == size, hash_sha256 represents the SHA256 hash
+  // hex string.  If hashed_size == size, sha256 represents the SHA256 hash
   // of the entire file.
   string sha256 = 3;
 
diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto
@@ -21,6 +21,7 @@ import "google/api/resource.proto";
 import "google/cloud/securitycenter/v1/access.proto";
 import "google/cloud/securitycenter/v1/compliance.proto";
 import "google/cloud/securitycenter/v1/connection.proto";
+import "google/cloud/securitycenter/v1/contact_details.proto";
 import "google/cloud/securitycenter/v1/exfiltration.proto";
 import "google/cloud/securitycenter/v1/external_system.proto";
 import "google/cloud/securitycenter/v1/iam_binding.proto";
@@ -254,13 +255,11 @@ message Finding {
   Vulnerability vulnerability = 20;
 
   // Output only. The most recent time this finding was muted or unmuted.
-  google.protobuf.Timestamp mute_update_time = 21
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp mute_update_time = 21 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. Third party SIEM/SOAR fields within SCC, contains external
-  // system information and external system finding fields.
-  map<string, ExternalSystem> external_systems = 22
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Third party SIEM/SOAR fields within SCC, contains external system
+  // information and external system finding fields.
+  map<string, ExternalSystem> external_systems = 22 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // MITRE ATT&CK tactics and techniques related to this finding.
   // See: https://attack.mitre.org
@@ -282,6 +281,25 @@ message Finding {
   // Represents operating system processes associated with the Finding.
   repeated Process processes = 30;
 
+  // Output only. Map containing the point of contacts for the given finding. The key
+  // represents the type of contact, while the value contains a list of all the
+  // contacts that pertain. Please refer to:
+  // https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories
+  //
+  //     {
+  //       "security": {
+  //         "contacts": [
+  //           {
+  //             "email": "person1@company.com"
+  //           },
+  //           {
+  //             "email": "person2@company.com"
+  //           }
+  //         ]
+  //       }
+  //     }
+  map<string, ContactDetails> contacts = 33 [(google.api.field_behavior) = OUTPUT_ONLY];
+
   // Contains compliance information for security standards associated to the
   // finding.
   repeated Compliance compliances = 34;
diff --git a/google/cloud/securitycenter/v1/indicator.proto b/google/cloud/securitycenter/v1/indicator.proto
@@ -29,9 +29,51 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 // operating system that, with high confidence, indicates a computer intrusion.
 // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
 message Indicator {
+  // Indicates what signature matched this process.
+  message ProcessSignature {
+    // A signature corresponding to memory page hashes.
+    message MemoryHashSignature {
+      // Memory hash detection contributing to the binary family match.
+      message Detection {
+        // The name of the binary associated with the memory hash
+        // signature detection.
+        string binary = 2;
+
+        // The percentage of memory page hashes in the signature
+        // that were matched.
+        double percent_pages_matched = 3;
+      }
+
+      // The binary family.
+      string binary_family = 1;
+
+      // The list of memory hash detections contributing to the binary family
+      // match.
+      repeated Detection detections = 4;
+    }
+
+    // A signature corresponding to a YARA rule.
+    message YaraRuleSignature {
+      // The name of the YARA rule.
+      string yara_rule = 5;
+    }
+
+    oneof signature {
+      // Signature indicating that a binary family was matched.
+      MemoryHashSignature memory_hash_signature = 6;
+
+      // Signature indicating that a YARA rule was matched.
+      YaraRuleSignature yara_rule_signature = 7;
+    }
+  }
+
   // List of ip addresses associated to the Finding.
   repeated string ip_addresses = 1;
 
   // List of domains associated to the Finding.
   repeated string domains = 2;
+
+  // The list of matched signatures indicating that the given
+  // process is present in the environment.
+  repeated ProcessSignature signatures = 3;
 }
diff --git a/google/cloud/securitycenter/v1/process.proto b/google/cloud/securitycenter/v1/process.proto
@@ -28,6 +28,10 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1";
 
 // Represents an operating system process.
 message Process {
+  // The process name visible in utilities like `top` and `ps`; it can
+  // be accessed via `/proc/[pid]/comm` and changed with `prctl(PR_SET_NAME)`.
+  string name = 12;
+
   // File information for the process executable.
   File binary = 3;
 
