diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto index cf0873cf..dcc62f8b 100644 --- a/google/cloud/securitycenter/v1/finding.proto +++ b/google/cloud/securitycenter/v1/finding.proto @@ -56,6 +56,65 @@ message Finding { INACTIVE = 2; } + // The severity of the finding. + enum Severity { + // This value is used for findings when a source doesn't write a severity + // value. + SEVERITY_UNSPECIFIED = 0; + + // Vulnerability: + // A critical vulnerability is easily discoverable by an external actor, + // exploitable, and results in the direct ability to execute arbitrary code, + // exfiltrate data, and otherwise gain additional access and privileges to + // cloud resources and workloads. Examples include publicly accessible + // unprotected user data, public SSH access with weak or no passwords, etc. + // + // Threat: + // Indicates a threat that is able to access, modify, or delete data or + // execute unauthorized code within existing resources. + CRITICAL = 1; + + // Vulnerability: + // A high risk vulnerability can be easily discovered and exploited in + // combination with other vulnerabilities in order to gain direct access and + // the ability to execute arbitrary code, exfiltrate data, and otherwise + // gain additional access and privileges to cloud resources and workloads. + // An example is a database with weak or no passwords that is only + // accessible internally. This database could easily be compromised by an + // actor that had access to the internal network. + // + // Threat: + // Indicates a threat that is able to create new computational resources in + // an environment but not able to access data or execute code in existing + // resources. + HIGH = 2; + + // Vulnerability: + // A medium risk vulnerability could be used by an actor to gain access to + // resources or privileges that enable them to eventually (through multiple + // steps or a complex exploit) gain access and the ability to execute + // arbitrary code or exfiltrate data. An example is a service account with + // access to more projects than it should have. If an actor gains access to + // the service account, they could potentially use that access to manipulate + // a project the service account was not intended to. + // + // Threat: + // Indicates a threat that is able to cause operational impact but may not + // access data or execute unauthorized code. + MEDIUM = 3; + + // Vulnerability: + // A low risk vulnerability hampers a security organization’s ability to + // detect vulnerabilities or active threats in their deployment, or prevents + // the root cause investigation of security issues. An example is monitoring + // and logs being disabled for resource configurations and access. + // + // Threat: + // Indicates a threat that has obtained minimal access to an environment but + // is not able to access data, execute code, or create resources. + LOW = 4; + } + // The relative resource name of this finding. See: // https://cloud.google.com/apis/design/resource_names#relative_resource_name // Example: @@ -110,4 +169,8 @@ message Finding { // The time at which the finding was created in Security Command Center. google.protobuf.Timestamp create_time = 10; + + // The severity of the finding. This field is managed by the source that + // writes the finding. + Severity severity = 12; } diff --git a/google/cloud/securitycenter/v1/notification_config.proto b/google/cloud/securitycenter/v1/notification_config.proto index 90bd83c3..1a9676d9 100644 --- a/google/cloud/securitycenter/v1/notification_config.proto +++ b/google/cloud/securitycenter/v1/notification_config.proto @@ -78,14 +78,14 @@ message NotificationConfig { // The description of the notification config (max of 1024 characters). string description = 2; - // The PubSub topic to send notifications to. Its format is + // The Pub/Sub topic to send notifications to. Its format is // "projects/[project_id]/topics/[topic]". - string pubsub_topic = 3 [ - (google.api.resource_reference) = { type: "pubsub.googleapis.com/Topic" } - ]; + string pubsub_topic = 3 [(google.api.resource_reference) = { + type: "pubsub.googleapis.com/Topic" + }]; // Output only. The service account that needs "pubsub.topics.publish" - // permission to publish to the PubSub topic. + // permission to publish to the Pub/Sub topic. string service_account = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; // The config for triggering notifications. diff --git a/google/cloud/securitycenter/v1/securitycenter_service.proto b/google/cloud/securitycenter/v1/securitycenter_service.proto index b660d467..07f2f99d 100644 --- a/google/cloud/securitycenter/v1/securitycenter_service.proto +++ b/google/cloud/securitycenter/v1/securitycenter_service.proto @@ -17,7 +17,6 @@ syntax = "proto3"; package google.cloud.securitycenter.v1; import public "google/cloud/securitycenter/v1/run_asset_discovery_response.proto"; - import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; @@ -47,8 +46,7 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1"; // V1 APIs for Security Center service. service SecurityCenter { option (google.api.default_host) = "securitycenter.googleapis.com"; - option (google.api.oauth_scopes) = - "https://www.googleapis.com/auth/cloud-platform"; + option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; // Creates a source. rpc CreateSource(CreateSourceRequest) returns (Source) { @@ -70,20 +68,17 @@ service SecurityCenter { } // Creates a notification config. - rpc CreateNotificationConfig(CreateNotificationConfigRequest) - returns (NotificationConfig) { + rpc CreateNotificationConfig(CreateNotificationConfigRequest) returns (NotificationConfig) { option (google.api.http) = { post: "/v1/{parent=organizations/*}/notificationConfigs" body: "notification_config" }; - option (google.api.method_signature) = - "parent,config_id,notification_config"; + option (google.api.method_signature) = "parent,config_id,notification_config"; option (google.api.method_signature) = "parent,notification_config"; } // Deletes a notification config. - rpc DeleteNotificationConfig(DeleteNotificationConfigRequest) - returns (google.protobuf.Empty) { + rpc DeleteNotificationConfig(DeleteNotificationConfigRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=organizations/*/notificationConfigs/*}" }; @@ -91,8 +86,7 @@ service SecurityCenter { } // Gets the access control policy on the specified Source. - rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) - returns (google.iam.v1.Policy) { + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { option (google.api.http) = { post: "/v1/{resource=organizations/*/sources/*}:getIamPolicy" body: "*" @@ -101,8 +95,7 @@ service SecurityCenter { } // Gets a notification config. - rpc GetNotificationConfig(GetNotificationConfigRequest) - returns (NotificationConfig) { + rpc GetNotificationConfig(GetNotificationConfigRequest) returns (NotificationConfig) { option (google.api.http) = { get: "/v1/{name=organizations/*/notificationConfigs/*}" }; @@ -110,8 +103,7 @@ service SecurityCenter { } // Gets the settings for an organization. - rpc GetOrganizationSettings(GetOrganizationSettingsRequest) - returns (OrganizationSettings) { + rpc GetOrganizationSettings(GetOrganizationSettingsRequest) returns (OrganizationSettings) { option (google.api.http) = { get: "/v1/{name=organizations/*/organizationSettings}" }; @@ -166,8 +158,7 @@ service SecurityCenter { } // Lists notification configs. - rpc ListNotificationConfigs(ListNotificationConfigsRequest) - returns (ListNotificationConfigsResponse) { + rpc ListNotificationConfigs(ListNotificationConfigsRequest) returns (ListNotificationConfigsResponse) { option (google.api.http) = { get: "/v1/{parent=organizations/*}/notificationConfigs" }; @@ -188,8 +179,7 @@ service SecurityCenter { // This API can only be called with limited frequency for an organization. If // it is called too frequently the caller will receive a TOO_MANY_REQUESTS // error. - rpc RunAssetDiscovery(RunAssetDiscoveryRequest) - returns (google.longrunning.Operation) { + rpc RunAssetDiscovery(RunAssetDiscoveryRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=organizations/*}/assets:runDiscovery" body: "*" @@ -211,8 +201,7 @@ service SecurityCenter { } // Sets the access control policy on the specified Source. - rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) - returns (google.iam.v1.Policy) { + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { option (google.api.http) = { post: "/v1/{resource=organizations/*/sources/*}:setIamPolicy" body: "*" @@ -221,8 +210,7 @@ service SecurityCenter { } // Returns the permissions that a caller has on the specified source. - rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) - returns (google.iam.v1.TestIamPermissionsResponse) { + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { option (google.api.http) = { post: "/v1/{resource=organizations/*/sources/*}:testIamPermissions" body: "*" @@ -242,8 +230,7 @@ service SecurityCenter { // Updates a notification config. The following update // fields are allowed: description, pubsub_topic, streaming_config.filter - rpc UpdateNotificationConfig(UpdateNotificationConfigRequest) - returns (NotificationConfig) { + rpc UpdateNotificationConfig(UpdateNotificationConfigRequest) returns (NotificationConfig) { option (google.api.http) = { patch: "/v1/{notification_config.name=organizations/*/notificationConfigs/*}" body: "notification_config" @@ -253,8 +240,7 @@ service SecurityCenter { } // Updates an organization's settings. - rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest) - returns (OrganizationSettings) { + rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest) returns (OrganizationSettings) { option (google.api.http) = { patch: "/v1/{organization_settings.name=organizations/*/organizationSettings}" body: "organization_settings" @@ -301,15 +287,15 @@ message CreateFindingRequest { // greater than 0 characters in length. string finding_id = 2 [(google.api.field_behavior) = REQUIRED]; - // Required. The Finding being created. The name and security_marks will be - // ignored as they are both output only fields on this resource. + // Required. The Finding being created. The name and security_marks will be ignored as + // they are both output only fields on this resource. Finding finding = 3 [(google.api.field_behavior) = REQUIRED]; } // Request message for creating a notification config. message CreateNotificationConfigRequest { - // Required. Resource name of the new notification config's parent. Its format - // is "organizations/[organization_id]". + // Required. Resource name of the new notification config's parent. Its format is + // "organizations/[organization_id]". string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { @@ -323,11 +309,9 @@ message CreateNotificationConfigRequest { // characters, underscores or hyphens only. string config_id = 2 [(google.api.field_behavior) = REQUIRED]; - // Required. The notification config being created. The name and the service - // account will be ignored as they are both output only fields on this - // resource. - NotificationConfig notification_config = 3 - [(google.api.field_behavior) = REQUIRED]; + // Required. The notification config being created. The name and the service account + // will be ignored as they are both output only fields on this resource. + NotificationConfig notification_config = 3 [(google.api.field_behavior) = REQUIRED]; } // Request message for creating a source. @@ -341,8 +325,8 @@ message CreateSourceRequest { } ]; - // Required. The Source being created, only the display_name and description - // will be used. All other fields will be ignored. + // Required. The Source being created, only the display_name and description will be + // used. All other fields will be ignored. Source source = 2 [(google.api.field_behavior) = REQUIRED]; } @@ -372,8 +356,8 @@ message GetNotificationConfigRequest { // Request message for getting organization settings. message GetOrganizationSettingsRequest { - // Required. Name of the organization to get organization settings for. Its - // format is "organizations/[organization_id]/organizationSettings". + // Required. Name of the organization to get organization settings for. Its format is + // "organizations/[organization_id]/organizationSettings". string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { @@ -463,15 +447,15 @@ message GroupAssetsRequest { // For example, `resource_properties.size = 100` is a valid filter string. // // Use a partial match on the empty string to filter based on a property - // existing:`resource_properties.my_property : ""` + // existing: `resource_properties.my_property : ""` // // Use a negated partial match on the empty string to filter based on a // property not existing: `-resource_properties.my_property : ""` string filter = 2; - // Required. Expression that defines what assets fields to use for grouping. - // The string value should follow SQL syntax: comma separated list of fields. - // For example: + // Required. Expression that defines what assets fields to use for grouping. The string + // value should follow SQL syntax: comma separated list of fields. For + // example: // "security_center_properties.resource_project,security_center_properties.project". // // The following fields are supported when compare_duration is not set: @@ -598,6 +582,7 @@ message GroupFindingsRequest { // * category: `=`, `:` // * external_uri: `=`, `:` // * event_time: `=`, `>`, `<`, `>=`, `<=` + // * severity: `=`, `:` // // Usage: This should be milliseconds since epoch or an RFC3339 string. // Examples: @@ -616,9 +601,9 @@ message GroupFindingsRequest { // property not existing: `-source_properties.my_property : ""` string filter = 2; - // Required. Expression that defines what assets fields to use for grouping - // (including `state_change`). The string value should follow SQL syntax: - // comma separated list of fields. For example: "parent,resource_name". + // Required. Expression that defines what assets fields to use for grouping (including + // `state_change`). The string value should follow SQL syntax: comma separated + // list of fields. For example: "parent,resource_name". // // The following fields are supported: // @@ -626,6 +611,7 @@ message GroupFindingsRequest { // * category // * state // * parent + // * severity // // The following fields are supported when compare_duration is set: // @@ -901,10 +887,10 @@ message ListAssetsRequest { // read_time. google.protobuf.Duration compare_duration = 5; - // Optional. A field mask to specify the ListAssetsResult fields to be listed - // in the response. An empty field mask will list all fields. - google.protobuf.FieldMask field_mask = 7 - [(google.api.field_behavior) = OPTIONAL]; + // A field mask to specify the ListAssetsResult fields to be listed in the + // response. + // An empty field mask will list all fields. + google.protobuf.FieldMask field_mask = 7; // The value returned by the last `ListAssetsResponse`; indicates // that this is a continuation of a prior `ListAssets` call, and @@ -1000,13 +986,14 @@ message ListFindingsRequest { // // The following field and operator combinations are supported: // - // name: `=` - // parent: `=`, `:` - // resource_name: `=`, `:` - // state: `=`, `:` - // category: `=`, `:` - // external_uri: `=`, `:` - // event_time: `=`, `>`, `<`, `>=`, `<=` + // * name: `=` + // * parent: `=`, `:` + // * resource_name: `=`, `:` + // * state: `=`, `:` + // * category: `=`, `:` + // * external_uri: `=`, `:` + // * event_time: `=`, `>`, `<`, `>=`, `<=` + // * severity: `=`, `:` // // Usage: This should be milliseconds since epoch or an RFC3339 string. // Examples: @@ -1083,10 +1070,9 @@ message ListFindingsRequest { // read_time. google.protobuf.Duration compare_duration = 5; - // Optional. A field mask to specify the Finding fields to be listed in the - // response. An empty field mask will list all fields. - google.protobuf.FieldMask field_mask = 7 - [(google.api.field_behavior) = OPTIONAL]; + // A field mask to specify the Finding fields to be listed in the response. + // An empty field mask will list all fields. + google.protobuf.FieldMask field_mask = 7; // The value returned by the last `ListFindingsResponse`; indicates // that this is a continuation of a prior `ListFindings` call, and @@ -1157,7 +1143,7 @@ message ListFindingsResponse { StateChange state_change = 2; // Output only. Resource that is associated with this finding. - Resource resource = 3; + Resource resource = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; } // Findings matching the list request. @@ -1191,14 +1177,13 @@ message SetFindingStateRequest { Finding.State state = 2 [(google.api.field_behavior) = REQUIRED]; // Required. The time at which the updated state takes effect. - google.protobuf.Timestamp start_time = 3 - [(google.api.field_behavior) = REQUIRED]; + google.protobuf.Timestamp start_time = 3 [(google.api.field_behavior) = REQUIRED]; } // Request message for running asset discovery for an organization. message RunAssetDiscoveryRequest { - // Required. Name of the organization to run asset discovery for. Its format - // is "organizations/[organization_id]". + // Required. Name of the organization to run asset discovery for. Its format is + // "organizations/[organization_id]". string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { @@ -1209,8 +1194,8 @@ message RunAssetDiscoveryRequest { // Request message for updating or creating a finding. message UpdateFindingRequest { - // Required. The finding resource to update or create if it does not already - // exist. parent, security_marks, and update_time will be ignored. + // Required. The finding resource to update or create if it does not already exist. + // parent, security_marks, and update_time will be ignored. // // In the case of creation, the finding id portion of the name must be // alphanumeric and less than or equal to 32 characters and greater than 0 @@ -1230,8 +1215,7 @@ message UpdateFindingRequest { // Request message for updating a notification config. message UpdateNotificationConfigRequest { // Required. The notification config to update. - NotificationConfig notification_config = 1 - [(google.api.field_behavior) = REQUIRED]; + NotificationConfig notification_config = 1 [(google.api.field_behavior) = REQUIRED]; // The FieldMask to use when updating the notification config. // @@ -1242,12 +1226,11 @@ message UpdateNotificationConfigRequest { // Request message for updating an organization's settings. message UpdateOrganizationSettingsRequest { // Required. The organization settings resource to update. - OrganizationSettings organization_settings = 1 - [(google.api.field_behavior) = REQUIRED]; + OrganizationSettings organization_settings = 1 [(google.api.field_behavior) = REQUIRED]; // The FieldMask to use when updating the settings resource. // - // If empty all mutable fields will be updated. + // If empty all mutable fields will be updated. google.protobuf.FieldMask update_mask = 2; }