// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
option java_multiple_files = true;
option java_outer_classname = "IndicatorProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Represents what's commonly known as an Indicator of compromise (IoC) in
// computer forensics. This is an artifact observed on a network or in an
// operating system that, with high confidence, indicates a computer intrusion.
// Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
message Indicator {
  // Indicates what signature matched this process.
  message ProcessSignature {
    // A signature corresponding to memory page hashes.
    message MemoryHashSignature {
      // Memory hash detection contributing to the binary family match.
      message Detection {
        // The name of the binary associated with the memory hash
        // signature detection.
        string binary = 2;

        // The percentage of memory page hashes in the signature
        // that were matched.
        double percent_pages_matched = 3;
      }

      // The binary family.
      string binary_family = 1;

      // The list of memory hash detections contributing to the binary family
      // match.
      repeated Detection detections = 4;
    }

    // A signature corresponding to a YARA rule.
    message YaraRuleSignature {
      // The name of the YARA rule.
      string yara_rule = 5;
    }

    oneof signature {
      // Signature indicating that a binary family was matched.
      MemoryHashSignature memory_hash_signature = 6;

      // Signature indicating that a YARA rule was matched.
      YaraRuleSignature yara_rule_signature = 7;
    }
  }

  // List of ip addresses associated to the Finding.
  repeated string ip_addresses = 1;

  // List of domains associated to the Finding.
  repeated string domains = 2;

  // The list of matched signatures indicating that the given
  // process is present in the environment.
  repeated ProcessSignature signatures = 3;

  // The list of URIs associated to the Findings.
  repeated string uris = 4;
}