
feat: [dlp] action for publishing data profiles to SecOps (formelly k…
…nown as Chronicle) (#5691)

* feat: action for publishing data profiles to SecOps (formerly known as Chronicle)
feat: action for publishing data profiles to Security Command Center
feat: discovery configs for AWS S3 buckets
docs: small improvements and clarifications

PiperOrigin-RevId: 676184918

Source-Link: googleapis/googleapis@607c2ae

Source-Link: googleapis/googleapis-gen@f92f1ae
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLXByaXZhY3ktZGxwLy5Pd2xCb3QueWFtbCIsImgiOiJmOTJmMWFlMTk4OTU5MzBhY2E2YWQxMWFhZWIxZDRkOWNkN2E2MWExIn0=

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
gcf-owl-bot[bot] and gcf-owl-bot[bot] authored Sep 20, 2024
1 parent 02aeffb commit 106d029
Showing 7 changed files with 13,333 additions and 6,659 deletions.
270 changes: 268 additions & 2 deletions packages/google-privacy-dlp/protos/google/privacy/dlp/v2/dlp.proto
Expand Up @@ -4897,6 +4897,12 @@ message DataProfileAction {
ERROR_CHANGED = 4;
}

// Message expressing intention to publish to Google Security Operations.
message PublishToChronicle {}

// If set, a summary finding will be created/updated in SCC for each profile.
message PublishToSecurityCommandCenter {}

// If set, attaches the [tags]
// (https://cloud.google.com/resource-manager/docs/tags/tags-overview)
// provided to profiled resources. Tags support [access
Expand Down Expand Up @@ -4959,6 +4965,15 @@ message DataProfileAction {
// Publish a message into the Pub/Sub topic.
PubSubNotification pub_sub_notification = 2;

// Publishes generated data profiles to Google Security Operations.
// For more information, see [Use Sensitive Data Protection data in
// context-aware
// analytics](https://cloud.google.com/chronicle/docs/detection/usecase-dlp-high-risk-user-download).
PublishToChronicle publish_to_chronicle = 3;

// Publishes findings to SCC for each data profile.
PublishToSecurityCommandCenter publish_to_scc = 4;

// Tags the profiled resources with the specified tag values.
TagResources tag_resources = 8;
}
Expand All @@ -4980,6 +4995,9 @@ message DataProfileJobConfig {
// that are profiled, and the Cloud DLP API must be enabled.
string project_id = 5;

// Must be set only when scanning other clouds.
OtherCloudDiscoveryStartingLocation other_cloud_starting_location = 8;

// Detection logic for profile generation.
//
// Not all template features are used by profiles. FindingLimits,
Expand Down Expand Up @@ -5144,6 +5162,9 @@ message DiscoveryConfig {
// Only set when the parent is an org.
OrgConfig org_config = 2;

// Must be set only when scanning other clouds.
OtherCloudDiscoveryStartingLocation other_cloud_starting_location = 12;

// Detection logic for profile generation.
//
// Not all template features are used by Discovery. FindingLimits,
Expand Down Expand Up @@ -5210,6 +5231,10 @@ message DiscoveryTarget {
// Cloud Storage target for Discovery. The first target to match a table
// will be the one applied.
CloudStorageDiscoveryTarget cloud_storage_target = 4;

// Other clouds target for discovery. The first target to match a resource
// will be the one applied.
OtherCloudDiscoveryTarget other_cloud_target = 5;
}
}

Expand Down Expand Up @@ -5821,6 +5846,208 @@ message DiscoveryFileStoreConditions {
}
}

// Target used to match against for discovery of resources from other clouds.
// An [AWS connector in Security Command Center
// (Enterprise](https://cloud.google.com/security-command-center/docs/connect-scc-to-aws)
// is required to use this feature.
message OtherCloudDiscoveryTarget {
// Required. The type of data profiles generated by this discovery target.
// Supported values are:
// * aws/s3/bucket
DataSourceType data_source_type = 1 [(google.api.field_behavior) = REQUIRED];

// Required. The resources that the discovery cadence applies to. The
// first target with a matching filter will be the one to apply to a resource.
DiscoveryOtherCloudFilter filter = 2 [(google.api.field_behavior) = REQUIRED];

// Optional. In addition to matching the filter, these conditions must be true
// before a profile is generated.
DiscoveryOtherCloudConditions conditions = 3
[(google.api.field_behavior) = OPTIONAL];

// Type of cadence.
oneof cadence {
// How often and when to update data profiles. New resources that match both
// the filter and conditions are scanned as quickly as possible depending on
// system capacity.
DiscoveryOtherCloudGenerationCadence generation_cadence = 4;

// Disable profiling for resources that match this filter.
Disabled disabled = 5;
}
}

// Determines which resources from the other cloud will have profiles generated.
// Includes the ability to filter by resource names.
message DiscoveryOtherCloudFilter {
// Whether the filter applies to a specific set of resources or all
// other resources. The first filter to match will be applied, regardless of
// the condition. Defaults to `others` if none is set.
oneof filter {
// A collection of resources for this filter to apply to.
OtherCloudResourceCollection collection = 1;

// The resource to scan. Configs using this filter can only have one target
// (the target with this single resource reference).
OtherCloudSingleResourceReference single_resource = 2;

// Optional. Catch-all. This should always be the last target in the list
// because anything above it will apply first. Should only appear once in a
// configuration. If none is specified, a default one will be added
// automatically.
AllOtherResources others = 100 [(google.api.field_behavior) = OPTIONAL];
}
}

// Match resources using regex filters.
message OtherCloudResourceCollection {
// The first filter containing a pattern that matches a resource will be used.
oneof pattern {
// A collection of regular expressions to match a resource against.
OtherCloudResourceRegexes include_regexes = 1;
}
}

// A collection of regular expressions to determine what resources to match
// against.
message OtherCloudResourceRegexes {
// A group of regular expression patterns to match against one or more
// resources.
// Maximum of 100 entries. The sum of all regular expression's length can't
// exceed 10 KiB.
repeated OtherCloudResourceRegex patterns = 1;
}

// A pattern to match against one or more resources. At least one pattern must
// be specified. Regular expressions use RE2
// [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found
// under the google/re2 repository on GitHub.
message OtherCloudResourceRegex {
// The type of resource regex to use.
oneof resource_regex {
// Regex for Amazon S3 buckets.
AmazonS3BucketRegex amazon_s3_bucket_regex = 1;
}
}

// AWS account regex.
message AwsAccountRegex {
// Optional. Regex to test the AWS account ID against.
// If empty, all accounts match.
string account_id_regex = 1 [(google.api.field_behavior) = OPTIONAL];
}

// Amazon S3 bucket regex.
message AmazonS3BucketRegex {
// The AWS account regex.
AwsAccountRegex aws_account_regex = 1;

// Optional. Regex to test the bucket name against.
// If empty, all buckets match.
string bucket_name_regex = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Identifies a single resource, like a single Amazon S3 bucket.
message OtherCloudSingleResourceReference {
// The resource to scan.
oneof resource {
// Amazon S3 bucket.
AmazonS3Bucket amazon_s3_bucket = 1;
}
}

// AWS account.
message AwsAccount {
// Required. AWS account ID.
string account_id = 1 [(google.api.field_behavior) = REQUIRED];
}

// Amazon S3 bucket.
message AmazonS3Bucket {
// The AWS account.
AwsAccount aws_account = 1;

// Required. The bucket name.
string bucket_name = 2 [(google.api.field_behavior) = REQUIRED];
}

// Requirements that must be true before a resource is profiled for the first
// time.
message DiscoveryOtherCloudConditions {
// Minimum age a resource must be before Cloud DLP can profile it. Value must
// be 1 hour or greater.
google.protobuf.Duration min_age = 1;

// The conditions to apply.
oneof conditions {
// Amazon S3 bucket conditions.
AmazonS3BucketConditions amazon_s3_bucket_conditions = 2;
}
}

// Amazon S3 bucket conditions.
message AmazonS3BucketConditions {
// Supported Amazon S3 bucket types.
// Defaults to TYPE_ALL_SUPPORTED.
enum BucketType {
// Unused.
TYPE_UNSPECIFIED = 0;

// All supported classes.
TYPE_ALL_SUPPORTED = 1;

// A general purpose Amazon S3 bucket.
TYPE_GENERAL_PURPOSE = 2;
}

// Supported Amazon S3 object storage classes.
// Defaults to ALL_SUPPORTED_CLASSES.
enum ObjectStorageClass {
// Unused.
UNSPECIFIED = 0;

// All supported classes.
ALL_SUPPORTED_CLASSES = 1;

// Standard object class.
STANDARD = 2;

// Standard - infrequent access object class.
STANDARD_INFREQUENT_ACCESS = 4;

// Glacier - instant retrieval object class.
GLACIER_INSTANT_RETRIEVAL = 6;

// Objects in the S3 Intelligent-Tiering access tiers.
INTELLIGENT_TIERING = 7;
}

// Optional. Bucket types that should be profiled.
// Optional. Defaults to TYPE_ALL_SUPPORTED if unspecified.
repeated BucketType bucket_types = 1 [(google.api.field_behavior) = OPTIONAL];

// Optional. Object classes that should be profiled.
// Optional. Defaults to ALL_SUPPORTED_CLASSES if unspecified.
repeated ObjectStorageClass object_storage_classes = 2
[(google.api.field_behavior) = OPTIONAL];
}

// How often existing resources should have their profiles refreshed.
// New resources are scanned as quickly as possible depending on system
// capacity.
message DiscoveryOtherCloudGenerationCadence {
// Optional. Frequency to update profiles regardless of whether the underlying
// resource has changes. Defaults to never.
DataProfileUpdateFrequency refresh_frequency = 1
[(google.api.field_behavior) = OPTIONAL];

// Optional. Governs when to update data profiles when the inspection rules
// defined by the `InspectTemplate` change.
// If not set, changing the template will not cause a data profile to update.
DiscoveryInspectTemplateModifiedCadence inspect_template_modified_cadence = 2
[(google.api.field_behavior) = OPTIONAL];
}

// The location to begin a discovery scan. Denotes an organization ID or folder
// ID within an organization.
message DiscoveryStartingLocation {
Expand All @@ -5834,6 +6061,31 @@ message DiscoveryStartingLocation {
}
}

// The other cloud starting location for discovery.
message OtherCloudDiscoveryStartingLocation {
// The AWS starting location for discovery.
message AwsDiscoveryStartingLocation {
// The scope of this starting location.
oneof scope {
// The AWS account ID that this discovery config applies to.
// Within an AWS organization, you can find the AWS account ID inside an
// AWS account ARN. Example:
// arn:{partition}:organizations::{management_account_id}:account/{org_id}/{account_id}
string account_id = 2;

// All AWS assets stored in Asset Inventory that didn't match other AWS
// discovery configs.
bool all_asset_inventory_assets = 3;
}
}

// The other cloud starting location for discovery.
oneof location {
// The AWS starting location for discovery.
AwsDiscoveryStartingLocation aws_location = 1;
}
}

// Match discovery resources not covered by any other filter.
message AllOtherResources {}

Expand Down Expand Up @@ -6946,7 +7198,7 @@ message ProjectDataProfile {
// The resource name of the profile.
string name = 1;

// Project ID that was profiled.
// Project ID or account that was profiled.
string project_id = 2;

// The last time the profile was generated.
Expand Down Expand Up @@ -7364,6 +7616,7 @@ message ColumnDataProfile {
// The profile for a file store.
//
// * Cloud Storage: maps 1:1 with a bucket.
// * Amazon S3: maps 1:1 with a bucket.
message FileStoreDataProfile {
option (google.api.resource) = {
type: "dlp.googleapis.com/FileStoreDataProfile"
Expand Down Expand Up @@ -7396,12 +7649,15 @@ message FileStoreDataProfile {
string project_data_profile = 3;

// The Google Cloud project ID that owns the resource.
// For Amazon S3 buckets, this is the AWS Account Id.
string project_id = 4;

// The location of the file store.
//
// * Cloud Storage:
// https://cloud.google.com/storage/docs/locations#available-locations
// * Amazon S3:
// https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints
string file_store_location = 5;

// For resources that have multiple storage locations, these are those
Expand All @@ -7419,10 +7675,14 @@ message FileStoreDataProfile {
// The file store path.
//
// * Cloud Storage: `gs://{bucket}`
// * Amazon S3: `s3://{bucket}`
string file_store_path = 6;

// The resource name of the resource profiled.
// https://cloud.google.com/apis/design/resource_names#full_resource_name
//
// Example format of an S3 bucket full resource name:
// `//cloudasset.googleapis.com/organizations/{org_id}/otherCloudConnections/aws/arn:aws:s3:::{bucket_name}`
string full_resource = 24;

// The snapshot of the configurations used to generate the profile.
Expand Down Expand Up @@ -7599,6 +7859,7 @@ message ListFileStoreDataProfilesRequest {
// * A restriction has the form of `{field} {operator} {value}`.
// * Supported fields/values:
// - `project_id` - The Google Cloud project ID.
// - `account_id` - The AWS account ID.
// - `file_store_path` - The path like "gs://bucket".
// - `data_source_type` - The profile's data source type, like
// "google/storage/bucket".
Expand Down Expand Up @@ -7995,7 +8256,12 @@ message DeleteTableDataProfileRequest {
// Message used to identify the type of resource being profiled.
message DataSourceType {
// Output only. An identifying string to the type of resource being profiled.
// Current values: google/bigquery/table, google/project
// Current values:
//
// * google/bigquery/table
// * google/project
// * google/sql/table
// * google/gcs/bucket
string data_source = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}
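Review bot: The value list documented on `DataSourceType.data_source` in the last hunk omits `aws/s3/bucket`, although `OtherCloudDiscoveryTarget.data_source_type` in the large hunk names that as the supported value for the new target; add `// * aws/s3/bucket` after the `google/gcs/bucket` line so callers filtering on `data_source_type` can find the string. In `AmazonS3BucketConditions.ObjectStorageClass` the wire values 3 and 5 are skipped and `AwsDiscoveryStartingLocation.scope` starts at field 2, with no `reserved` statement; if those numbers were ever used they should be reserved (`reserved 3, 5;` and `reserved 1;`), otherwise a short comment explaining the gap would keep them from being reused later. The same enum uses unprefixed values (`UNSPECIFIED`, `STANDARD`) while the sibling `BucketType` prefixes its values with `TYPE_`; because enum values share the enclosing message's scope in generated C++, a consistent `OBJECT_STORAGE_CLASS_` prefix would avoid collisions if another enum is nested later. The link text in the leading comment of `OtherCloudDiscoveryTarget` is missing its closing parenthesis after `Enterprise`, which breaks the rendered Markdown link. This file appears to be vendored from googleapis by OwlBot, so these fixes belong in the upstream proto rather than in this repository.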

