1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
syntax = "proto3";

package google.cloud.ids.logging.v1;

import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

// This is a published API surface: the package name and the go/java package
// options determine generated type names for every consumer, so changing any
// of them is a source-breaking change even though the wire format is unaffected.
option go_package = "cloud.google.com/go/ids/logging/apiv1/loggingpb;loggingpb";
option java_multiple_files = true;
option java_outer_classname = "LoggingProto";
option java_package = "com.google.cloud.ids.logging.v1";
26
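// A threat detected by Cloud IDS.
//
// NOTE(review): several string fields (name, type, category, application,
// uri_or_filename, details) describe content observed in inspected traffic and
// may therefore carry attacker-influenced text. Treat them as untrusted when
// rendering them, building queries from them, or forwarding them to other log
// sinks; the schema itself enforces no length, charset or format constraints
// beyond proto3's UTF-8 requirement for strings.
message ThreatLog {
  // Describes the type of severity of the threat.
  //
  // The numeric values are NOT ordered by severity: INFORMATIONAL (6) sorts
  // above CRITICAL (5). Consumers must map values explicitly rather than rank
  // threats by comparing the raw enum integers, and should tolerate values
  // they do not recognise, since proto3 preserves unknown enum values.
  enum Severity {
    // Value 1 is not assigned. It is reserved so it cannot later be given a
    // new meaning that consumers of historical logs would misinterpret.
    reserved 1;

    // Default value - should never be used.
    SEVERITY_UNSPECIFIED = 0;

    // Low severity.
    LOW = 2;

    // Medium severity.
    MEDIUM = 3;

    // High severity.
    HIGH = 4;

    // Critical severity.
    CRITICAL = 5;

    // Informational only; numerically the highest value but the lowest
    // severity.
    INFORMATIONAL = 6;
  }

  // Direction of the packet relative to the client/server roles of the
  // session.
  enum Direction {
    // Default value - permitted since Direction is optional.
    DIRECTION_UNDEFINED = 0;

    // Ingress traffic.
    CLIENT_TO_SERVER = 1;

    // Egress traffic.
    SERVER_TO_CLIENT = 2;
  }

  // Field number 3 is not assigned. Reserved so it is never reassigned to a
  // new field whose encoding could clash with data already written under it.
  reserved 3;

  // Name of the threat, e.g. "Suspicious HTTP Evasion"
  string name = 1;

  // Unique ID of the threat.
  string threat_id = 13;

  // The time of the alert.
  google.protobuf.Timestamp alert_time = 2;

  // Severity of threat. See the ordering caveat on Severity.
  Severity alert_severity = 19;

  // The type of the threat, e.g. "Spyware".
  string type = 4;

  // Category (sub-type) of the threat, e.g. "code-execution".
  string category = 18;

  // The source IP Address of the packet, e.g. "35.191.8.79"
  // Carried as a string; the schema does not validate that it parses as an
  // address, so callers should parse it before using it in lookups or filters.
  string source_ip_address = 5;

  // The source port of the packet, e.g. 8080
  // int32 imposes no range limit; consumers should expect 0-65535 but not
  // assume it.
  int32 source_port = 6;

  // The destination IP Address of the packet, e.g. "192.168.100.2"
  // Same caveat as source_ip_address: unvalidated string at the schema level.
  string destination_ip_address = 7;

  // The destination port of the packet, e.g. 100
  // int32 imposes no range limit; consumers should expect 0-65535 but not
  // assume it.
  int32 destination_port = 8;

  // The IP protocol of the packet, e.g. "TCP".
  string ip_protocol = 9;

  // The direction of the packet - an optional field.
  Direction direction = 10;

  // ID of the Layer 4 session of the threat.
  string session_id = 14;

  // Number of sessions with same source IP, destination IP, application, and
  // type seen within 5 seconds.
  // Encoded as a string (changing the type now would be a breaking wire
  // change); parse it before doing any numeric comparison or aggregation.
  string repeat_count = 15;

  // Application associated with the session.
  string application = 16;

  // Variable field. URI or filename of the relevant threat, if applicable.
  // NOTE(review): taken from the inspected traffic, so it is attacker-chosen
  // text; do not render it unescaped or use it to build paths or queries.
  string uri_or_filename = 17;

  // CVE IDs of the threat.
  repeated string cves = 20;

  // Details of the threat reported by the IDS VM
  // Free-form text; same untrusted-content caveat as uri_or_filename.
  string details = 11;

  // The network associated with the IDS Endpoint.
  string network = 12;
}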
114
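// Traffic detected by Cloud IDS.
// Fields taken from:
// https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html.
//
// NOTE(review): the address and application strings describe observed traffic
// and are not validated by the schema; parse and sanitise them before use in
// lookups, queries or downstream log sinks.
message TrafficLog {
  // Field numbers 10 and 11 are not assigned. Reserved so they are never
  // reassigned to new fields whose encoding could clash with data already
  // written under them.
  reserved 10, 11;

  // Time of session start.
  google.protobuf.Timestamp start_time = 1;

  // Elapsed time of the session.
  google.protobuf.Duration elapsed_time = 2;

  // The network associated with the IDS Endpoint.
  string network = 3;

  // The source IP Address of the packet, e.g. "35.191.8.79"
  // Carried as a string; the schema does not validate that it parses as an
  // address.
  string source_ip_address = 4;

  // The source port of the packet, e.g. 8080
  // int32 imposes no range limit; consumers should expect 0-65535 but not
  // assume it.
  int32 source_port = 5;

  // The destination IP Address of the packet, e.g. "192.168.100.2"
  // Same caveat as source_ip_address: unvalidated string at the schema level.
  string destination_ip_address = 6;

  // The destination port of the packet, e.g. 100
  // int32 imposes no range limit; consumers should expect 0-65535 but not
  // assume it.
  int32 destination_port = 7;

  // The IP protocol of the packet, e.g. "TCP".
  string ip_protocol = 8;

  // Application associated with the session.
  string application = 9;

  // ID of the Layer 4 session (the same identifier ThreatLog.session_id
  // carries, so the two log types can be correlated).
  string session_id = 12;

  // Number of sessions with same source IP, destination IP, application, and
  // type seen within 5 seconds.
  // Encoded as a string (changing the type now would be a breaking wire
  // change); parse it before doing any numeric comparison or aggregation.
  string repeat_count = 13;

  // Total number of bytes transferred in the session.
  int64 total_bytes = 14;

  // Total number of packets transferred in the session.
  int64 total_packets = 15;
}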
159