// Copyright 2025 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.chronicle.v1; import "google/api/annotations.proto"; import "google/api/client.proto"; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/longrunning/operations.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/timestamp.proto"; import "google/type/interval.proto"; option csharp_namespace = "Google.Cloud.Chronicle.V1"; option go_package = "cloud.google.com/go/chronicle/apiv1/chroniclepb;chroniclepb"; option java_multiple_files = true; option java_outer_classname = "RuleProto"; option java_package = "com.google.cloud.chronicle.v1"; option php_namespace = "Google\\Cloud\\Chronicle\\V1"; option ruby_package = "Google::Cloud::Chronicle::V1"; // RuleService provides interface for user-created rules. service RuleService { option (google.api.default_host) = "chronicle.googleapis.com"; option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; // Creates a new Rule. rpc CreateRule(CreateRuleRequest) returns (Rule) { option (google.api.http) = { post: "/v1/{parent=projects/*/locations/*/instances/*}/rules" body: "rule" }; option (google.api.method_signature) = "parent,rule"; } // Gets a Rule. rpc GetRule(GetRuleRequest) returns (Rule) { option (google.api.http) = { get: "/v1/{name=projects/*/locations/*/instances/*/rules/*}" }; option (google.api.method_signature) = "name"; } // Lists Rules. rpc ListRules(ListRulesRequest) returns (ListRulesResponse) { option (google.api.http) = { get: "/v1/{parent=projects/*/locations/*/instances/*}/rules" }; option (google.api.method_signature) = "parent"; } // Updates a Rule. rpc UpdateRule(UpdateRuleRequest) returns (Rule) { option (google.api.http) = { patch: "/v1/{rule.name=projects/*/locations/*/instances/*/rules/*}" body: "rule" }; option (google.api.method_signature) = "rule,update_mask"; } // Deletes a Rule. rpc DeleteRule(DeleteRuleRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=projects/*/locations/*/instances/*/rules/*}" }; option (google.api.method_signature) = "name"; } // Lists all revisions of the rule. rpc ListRuleRevisions(ListRuleRevisionsRequest) returns (ListRuleRevisionsResponse) { option (google.api.http) = { get: "/v1/{name=projects/*/locations/*/instances/*/rules/*}:listRevisions" }; option (google.api.method_signature) = "name"; } // Create a Retrohunt. rpc CreateRetrohunt(CreateRetrohuntRequest) returns (google.longrunning.Operation) { option (google.api.http) = { post: "/v1/{parent=projects/*/locations/*/instances/*/rules/*}/retrohunts" body: "retrohunt" }; option (google.api.method_signature) = "parent,retrohunt"; option (google.longrunning.operation_info) = { response_type: "Retrohunt" metadata_type: "RetrohuntMetadata" }; } // Get a Retrohunt. rpc GetRetrohunt(GetRetrohuntRequest) returns (Retrohunt) { option (google.api.http) = { get: "/v1/{name=projects/*/locations/*/instances/*/rules/*/retrohunts/*}" }; option (google.api.method_signature) = "name"; } // List Retrohunts. rpc ListRetrohunts(ListRetrohuntsRequest) returns (ListRetrohuntsResponse) { option (google.api.http) = { get: "/v1/{parent=projects/*/locations/*/instances/*/rules/*}/retrohunts" }; option (google.api.method_signature) = "parent"; } // Gets a RuleDeployment. rpc GetRuleDeployment(GetRuleDeploymentRequest) returns (RuleDeployment) { option (google.api.http) = { get: "/v1/{name=projects/*/locations/*/instances/*/rules/*/deployment}" }; option (google.api.method_signature) = "name"; } // Lists RuleDeployments across all Rules. rpc ListRuleDeployments(ListRuleDeploymentsRequest) returns (ListRuleDeploymentsResponse) { option (google.api.http) = { get: "/v1/{parent=projects/*/locations/*/instances/*/rules/*}/deployments" }; option (google.api.method_signature) = "parent"; } // Updates a RuleDeployment. // Failures are not necessarily atomic. If there is a request to update // multiple fields, and any update to a single field fails, an error will be // returned, but other fields may remain successfully updated. rpc UpdateRuleDeployment(UpdateRuleDeploymentRequest) returns (RuleDeployment) { option (google.api.http) = { patch: "/v1/{rule_deployment.name=projects/*/locations/*/instances/*/rules/*/deployment}" body: "rule_deployment" }; option (google.api.method_signature) = "rule_deployment,update_mask"; } } // RunFrequency indicates the run frequency at which a YARA-L 2 rule will run if // enabled. enum RunFrequency { // The run frequency is unspecified/unknown. RUN_FREQUENCY_UNSPECIFIED = 0; // Executes in real time. LIVE = 1; // Executes once per hour. HOURLY = 2; // Executes once per day. DAILY = 3; } // RuleType indicates the YARA-L rule type of user-created and Google Cloud // Threat Intelligence (GCTI) authored rules. enum RuleType { // The rule type is unspecified/unknown. RULE_TYPE_UNSPECIFIED = 0; // Rule checks for the existence of a single event. SINGLE_EVENT = 1; // Rule checks for correlation between multiple events MULTI_EVENT = 2; } // RuleView indicates the scope of fields to populate when returning the Rule // resource. enum RuleView { // The default/unset value. // The API will default to the BASIC view for ListRules/ListRuleRevisions. // The API will default to the FULL view for GetRule. RULE_VIEW_UNSPECIFIED = 0; // Include basic metadata about the rule, but not the full contents. // Returned fields include: revision_id, revision_create_time, display_name, // author, severity, type, allowed_run_frequency, // near_real_time_live_rule_eligible, etag, and scope. // This is the default value for ListRules and ListRuleRevisions. BASIC = 1; // Include all fields. // This is the default value for GetRule. FULL = 2; // Include basic metadata about the rule's revision only. // Returned fields include: revision_id and revision_create_time. REVISION_METADATA_ONLY = 3; } // The Rule resource represents a user-created rule. // NEXT TAG: 21 message Rule { option (google.api.resource) = { type: "chronicle.googleapis.com/Rule" pattern: "projects/{project}/locations/{location}/instances/{instance}/rules/{rule}" }; // The current compilation state of the rule. enum CompilationState { // The compilation state is unspecified/unknown. COMPILATION_STATE_UNSPECIFIED = 0; // The Rule can successfully compile. SUCCEEDED = 1; // The Rule cannot successfully compile. // This is possible if a backwards-incompatible change was made to the // compiler. FAILED = 2; } // Identifier. Full resource name for the rule. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` string name = 1 [(google.api.field_behavior) = IDENTIFIER]; // Output only. The revision ID of the rule. // A new revision is created whenever the rule text is changed in any way. // Format: `v_{10 digits}_{9 digits}` // Populated in REVISION_METADATA_ONLY view and FULL view. string revision_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Display name of the rule. // Populated in BASIC view and FULL view. string display_name = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; // The YARA-L content of the rule. // Populated in FULL view. string text = 4; // Output only. The author of the rule. Extracted from the meta section of // text. Populated in BASIC view and FULL view. string author = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The severity of the rule as specified in the meta section of // text. Populated in BASIC view and FULL view. Severity severity = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Additional metadata specified in the meta section of text. // Populated in FULL view. map metadata = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The timestamp of when the rule was created. // Populated in FULL view. google.protobuf.Timestamp create_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The timestamp of when the rule revision was created. // Populated in FULL, REVISION_METADATA_ONLY views. google.protobuf.Timestamp revision_create_time = 9 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The current compilation state of the rule. // Populated in FULL view. CompilationState compilation_state = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. User-facing type of the rule. Extracted from the events // section of rule text. Populated in BASIC view and FULL view. RuleType type = 12 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Resource names of the reference lists used in this rule. // Populated in FULL view. repeated string reference_lists = 13 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.resource_reference) = { type: "chronicle.googleapis.com/ReferenceList" } ]; // Output only. The run frequencies that are allowed for the rule. // Populated in BASIC view and FULL view. repeated RunFrequency allowed_run_frequencies = 14 [(google.api.field_behavior) = OUTPUT_ONLY]; // The etag for this rule. // If this is provided on update, the request will succeed if and only if it // matches the server-computed value, and will fail with an ABORTED error // otherwise. // Populated in BASIC view and FULL view. string etag = 15; // Resource name of the DataAccessScope bound to this rule. // Populated in BASIC view and FULL view. // If reference lists are used in the rule, validations will be performed // against this scope to ensure that the reference lists are compatible with // both the user's and the rule's scopes. // The scope should be in the format: // `projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}`. string scope = 16 [(google.api.resource_reference) = { type: "chronicle.googleapis.com/DataAccessScope" }]; // Output only. A list of a rule's corresponding compilation diagnostic // messages such as compilation errors and compilation warnings. Populated in // FULL view. repeated CompilationDiagnostic compilation_diagnostics = 17 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Indicate the rule can run in near real time live rule. // If this is true, the rule uses the near real time live rule when the run // frequency is set to LIVE. bool near_real_time_live_rule_eligible = 18 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The set of inputs used in the rule. For example, if the rule // uses $e.principal.hostname, then the uses_udm field will be true. InputsUsed inputs_used = 20 [(google.api.field_behavior) = OUTPUT_ONLY]; } // The RuleDeployment resource represents the deployment state of a Rule. message RuleDeployment { option (google.api.resource) = { type: "chronicle.googleapis.com/RuleDeployment" pattern: "projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment" }; // The possible execution states the rule deployment can be in. enum ExecutionState { // Unspecified or unknown execution state. EXECUTION_STATE_UNSPECIFIED = 0; // Default execution state. DEFAULT = 1; // Rules in limited state may not have their executions guaranteed. LIMITED = 2; // Paused rules are not executed at all. PAUSED = 3; } // Required. The resource name of the rule deployment. // Note that RuleDeployment is a child of the overall Rule, not any individual // revision, so the resource ID segment for the Rule resource must not // reference a specific revision. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment` string name = 1 [(google.api.field_behavior) = REQUIRED]; // Whether the rule is currently deployed continuously against incoming data. bool enabled = 2; // Whether detections resulting from this deployment should be considered // alerts. bool alerting = 3; // The archive state of the rule deployment. // Cannot be set to true unless enabled is set to false. // If set to true, alerting will automatically be set to false. // If currently set to true, enabled, alerting, and run_frequency cannot be // updated. bool archived = 4; // Output only. The timestamp when the rule deployment archive state was last // set to true. If the rule deployment's current archive state is not set to // true, the field will be empty. google.protobuf.Timestamp archive_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; // The run frequency of the rule deployment. RunFrequency run_frequency = 6; // Output only. The execution state of the rule deployment. ExecutionState execution_state = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The names of the associated/chained producer rules. Rules are // considered producers for this rule if this rule explicitly filters on their // ruleid. Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` repeated string producer_rules = 8 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/Rule" } ]; // Output only. The names of the associated/chained consumer rules. Rules are // considered consumers of this rule if their rule text explicitly filters on // this rule's ruleid. Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` repeated string consumer_rules = 9 [ (google.api.field_behavior) = OUTPUT_ONLY, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/Rule" } ]; // Output only. The timestamp when the rule deployment alert state was lastly // changed. This is filled regardless of the current alert state. E.g. if the // current alert status is false, this timestamp will be the timestamp when // the alert status was changed to false. google.protobuf.Timestamp last_alert_status_change_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; } // Retrohunt is an execution of a Rule over a time range in the past. message Retrohunt { option (google.api.resource) = { type: "chronicle.googleapis.com/Retrohunt" pattern: "projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt}" }; // The possible states a retrohunt can be in. enum State { // Unspecified or unknown retrohunt state. STATE_UNSPECIFIED = 0; // Running state. RUNNING = 1; // Done state. DONE = 2; // Cancelled state. CANCELLED = 3; // Failed state. FAILED = 4; } // The resource name of the retrohunt. // Retrohunt is the child of a rule revision. {rule} in the format below is // structured as {rule_id@revision_id}. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt}` string name = 1; // Required. The start and end time of the event time range this retrohunt // processes. google.type.Interval process_interval = 2 [(google.api.field_behavior) = REQUIRED]; // Output only. The start and end time of the retrohunt execution. If the // retrohunt is not yet finished, the end time of the interval will not be // populated. google.type.Interval execution_interval = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The state of the retrohunt. State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Percent progress of the retrohunt towards completion, from // 0.00 to 100.00. float progress_percentage = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; } // Request message for CreateRule method. message CreateRuleRequest { // Required. The parent resource where this rule will be created. // Format: `projects/{project}/locations/{location}/instances/{instance}` string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/Rule" } ]; // Required. The rule to create. Rule rule = 2 [(google.api.field_behavior) = REQUIRED]; } // Request message for GetRule method. message GetRuleRequest { // Required. The name of the rule to retrieve. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "chronicle.googleapis.com/Rule" } ]; // The view field indicates the scope of fields to populate for the Rule being // returned. If unspecified, defaults to FULL. RuleView view = 2; } // Request message for ListRules method. message ListRulesRequest { // Required. The parent, which owns this collection of rules. // Format: // `projects/{project}/locations/{location}/instances/{instance}` string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/Rule" } ]; // The maximum number of rules to return. The service may return fewer than // this value. If unspecified, at most 100 rules will be returned. The // maximum value is 1000; values above 1000 will be coerced to 1000. int32 page_size = 2; // A page token, received from a previous `ListRules` call. // Provide this to retrieve the subsequent page. // // When paginating, all other parameters provided to `ListRules` // must match the call that provided the page token. string page_token = 3; // view indicates the scope of fields to populate for the Rule being returned. // If unspecified, defaults to BASIC. RuleView view = 4; // Only the following filters are allowed: // "reference_lists:{reference_list_name}" // "data_tables:{data_table_name}" // "display_name:{display_name}" string filter = 5; } // Response message for ListRules method. message ListRulesResponse { // The rules from the specified instance. repeated Rule rules = 1; // A token, which can be sent as `page_token` to retrieve the next page. // If this field is omitted, there are no subsequent pages. string next_page_token = 2; } // Request message for UpdateRule method. message UpdateRuleRequest { // Required. The rule to update. // // The rule's `name` field is used to identify the rule to update. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` Rule rule = 1 [(google.api.field_behavior) = REQUIRED]; // The list of fields to update. If not included, all fields with a non-empty // value will be overwritten. google.protobuf.FieldMask update_mask = 2; } // Request message for the DeleteRule method. message DeleteRuleRequest { // Required. The name of the rule to delete. A rule revision timestamp cannot // be specified as part of the name, as deleting specific revisions is not // supported. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "chronicle.googleapis.com/Rule" } ]; // Optional. If set to true, any retrohunts and any detections associated with // the rule will also be deleted. If set to false, the call will only succeed // if the rule has no associated retrohunts, including completed retrohunts, // and no associated detections. Regardless of this field's value, the rule // deployment associated with this rule will also be deleted. bool force = 2 [(google.api.field_behavior) = OPTIONAL]; } // Request message for ListRuleRevisions method. message ListRuleRevisionsRequest { // Required. The name of the rule to list revisions for. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "chronicle.googleapis.com/Rule" } ]; // The maximum number of revisions to return per page. The service may return // fewer than this value. If unspecified, at most 100 revisions will be // returned. The maximum value is 1000; values above 1000 will be coerced to // 1000. int32 page_size = 2; // The page token, received from a previous `ListRuleRevisions` call. // Provide this to retrieve the subsequent page. // // When paginating, all other parameters provided to `ListRuleRevisions` // must match the call that provided the page token. string page_token = 3; // The view field indicates the scope of fields to populate for the revision // being returned. If unspecified, defaults to BASIC. RuleView view = 4; } // Response message for ListRuleRevisions method. message ListRuleRevisionsResponse { // The revisions of the rule. repeated Rule rules = 1; // A token that can be sent as `page_token` to retrieve the next page. // If this field is omitted, there are no subsequent pages. string next_page_token = 2; } // Request message for CreateRetrohunt method. message CreateRetrohuntRequest { // Required. The parent of retrohunt, which is a rule. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/Retrohunt" } ]; // Required. The retrohunt to create. Retrohunt retrohunt = 2 [(google.api.field_behavior) = REQUIRED]; } // Request message for GetRetrohunt method. message GetRetrohuntRequest { // Required. The name of the retrohunt to retrieve. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt}` string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "chronicle.googleapis.com/Retrohunt" } ]; } // Request message for ListRetrohunts method. message ListRetrohuntsRequest { // Required. The rule that the retrohunts belong to. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}` string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/Retrohunt" } ]; // The maximum number of retrohunt to return. The service may return fewer // than this value. If unspecified, at most 100 retrohunts will be returned. // The maximum value is 1000; values above 1000 will be coerced to // 1000. int32 page_size = 2; // A page token, received from a previous `ListRetrohunts` call. // Provide this to retrieve the subsequent page. // // When paginating, all other parameters provided to `ListRetrohunts` must // match the call that provided the page token. string page_token = 3; // A filter that can be used to retrieve specific rule deployments. // The following fields are filterable: // state string filter = 4; } // Response message for ListRetrohunts method. message ListRetrohuntsResponse { // The retrohunts from the specified rule. repeated Retrohunt retrohunts = 1; // A token, which can be sent as `page_token` to retrieve the next page. // If this field is omitted, there are no subsequent pages. string next_page_token = 2; } // Request message for GetRuleDeployment. message GetRuleDeploymentRequest { // Required. The name of the rule deployment to retrieve. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment` string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "chronicle.googleapis.com/RuleDeployment" } ]; } // Request message for ListRuleDeployments. message ListRuleDeploymentsRequest { // Required. The collection of all parents which own all rule deployments. The // "-" wildcard token must be used as the rule identifier in the resource // path. Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/-` string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { child_type: "chronicle.googleapis.com/RuleDeployment" } ]; // The maximum number of rule deployments to return. The service may return // fewer than this value. If unspecified, at most 100 rule deployments will be // returned. The maximum value is 1000; values above 1000 will be coerced to // 1000. int32 page_size = 2; // A page token, received from a previous `ListRuleDeployments` call. // Provide this to retrieve the subsequent page. // // When paginating, all other parameters provided to `ListRuleDeployments` // must match the call that provided the page token. string page_token = 3; // A filter that can be used to retrieve specific rule deployments. // The following fields are filterable: // archived, name string filter = 4; } // Response message for ListRuleDeployments. message ListRuleDeploymentsResponse { // The rule deployments from all rules. repeated RuleDeployment rule_deployments = 1; // A token, which can be sent as `page_token` to retrieve the next page. // If this field is omitted, there are no subsequent pages. string next_page_token = 2; } // Request message for UpdateRuleDeployment. message UpdateRuleDeploymentRequest { // Required. The rule deployment to update. // // The rule deployment's `name` field is used to identify the rule deployment // to update. Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment` RuleDeployment rule_deployment = 1 [(google.api.field_behavior) = REQUIRED]; // Required. The list of fields to update. google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; } // CompilationPosition represents the location of a compilation diagnostic in // rule text. message CompilationPosition { // Output only. Start line number, beginning at 1. int32 start_line = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Start column number, beginning at 1. int32 start_column = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. End line number, beginning at 1. int32 end_line = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. End column number, beginning at 1. int32 end_column = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; } // CompilationDiagnostic represents a compilation diagnostic generated // during a rule's compilation, such as a compilation error or a compilation // warning. message CompilationDiagnostic { // The severity level of the compilation diagnostic. enum Severity { // An unspecified severity level. SEVERITY_UNSPECIFIED = 0; // A compilation warning. WARNING = 1; // A compilation error. ERROR = 2; } // Output only. The diagnostic message. string message = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The approximate position in the rule text associated with the // compilation diagnostic. // Compilation Position may be empty. CompilationPosition position = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The severity of a rule's compilation diagnostic. Severity severity = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. Link to documentation that describes a diagnostic in more // detail. string uri = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; } // Severity represents the severity level of the rule. message Severity { // The display name of the severity level. Extracted from the meta section of // the rule text. string display_name = 1; } // Operation Metadata for Retrohunts. message RetrohuntMetadata { // The name of the retrohunt. // Format: // `projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt}` string retrohunt = 1 [ (google.api.resource_reference) = { type: "chronicle.googleapis.com/Rule" } ]; // The start and end time of the retrohunt execution. If the retrohunt is not // yet finished, the end time of the interval will not be filled. google.type.Interval execution_interval = 2; // Percent progress of the retrohunt towards completion, from 0.00 to 100.00. float progress_percentage = 3; } // InputsUsed is a convenience field that tells us which sources // of events (if any) were used in the rule. // NEXT TAG: 4 message InputsUsed { // Optional. Whether the rule queries UDM events. bool uses_udm = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. Whether the rule queries entity events. bool uses_entity = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. Whether the rule queries detections. bool uses_detection = 3 [(google.api.field_behavior) = OPTIONAL]; }