google-backstory 0.a → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5639da2b5abf65a2cb48086225c5af2fdaed46fd86edfdcbff9eca6451d5c0df
-  data.tar.gz: f4533d954b7dec2a7e241e75964eed42ca53287e4910622f3ea02448fad3439d
+  metadata.gz: a8a7a7a745801e4f69210c2fa8861de431e16a55f6a405a30f2b31f8fbfc6c74
+  data.tar.gz: 8c18b5ddc75aa577b6afd9e6a71decece8f5ed2056e3fcba0ea399cbb8b169b6
 SHA512:
-  metadata.gz: 376dd5395aa33ce263e803593493a89a1383fef040c93b2a0de2d9b3824ea0e26690baec7d02e5ff4baa79eee09371a007b32ef5bb60612e7daeac5100d6e4d5
-  data.tar.gz: f9c59a59e85c87f5b28630f77b5e0338828fbda15c0e28ab825cffd27d17fe52c6af88feeca20a01bf58052a1fa435af35de5ae63b9e8e6df395cbb1b3b309c4
+  metadata.gz: c7a81023af52d95d1734791819ecd43045c4a628366e60c0e966c1862e18f33e9d16af754acaba4300609e03453ebb2eb03470ff63fb04a2fbe94e1706a53443
+  data.tar.gz: 65127433be485d05f07c986cea702755ddb37f3645e5a68fad4fd9c91e826194e11dca849e785e57ba8004e5b8ef0383aff79bf049b6e95f2281002d98ce772c

data/CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+### 0.1.0 (2026-05-19)
+
+#### Features
+
+* Initial generation of google-backstory ([#411](https://github.com/googleapis/common-protos-ruby/issues/411)) 
+
+## Changelog

data/README.md

@@ -1,8 +1,9 @@
-# Placeholder for Ruby gem google-backstory
+# Common Protocol Buffer Types
 
-This is a placeholder for the future Google-authored gem google-backstory.
-This placeholder is being released on 2026-05-18 in order to reserve the name.
-The final gem should be available shortly after that date. If it has not been
-released in a timely manner, or if this placeholder interferes with your work,
-you can contact the Google Ruby team by opening an issue in the GitHub
-repository https://github.com/googleapis/google-cloud-ruby.
+This gem contains common protocol buffer types used by certain client libraries.
+
+## Installation
+
+This library is generally brought in as a dependency by Google API client
+libraries that use it. However, you can include it directly in your
+application's Gemfile if you need to use its protos directly.

data/lib/backstory/collection_pb.rb

@@ -0,0 +1,439 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: backstory/collection.proto
+
+require 'google/protobuf'
+
+require 'backstory/entity_pb'
+require 'backstory/id_pb'
+require 'backstory/udm_pb'
+require 'google/protobuf/duration_pb'
+require 'google/protobuf/struct_pb'
+require 'google/protobuf/timestamp_pb'
+require 'google/type/interval_pb'
+
+
+descriptor_data = "\n\x1a\x62\x61\x63kstory/collection.proto\x12\x10google.backstory\x1a\x16\x62\x61\x63kstory/entity.proto\x1a\x12\x62\x61\x63kstory/id.proto\x1a\x13\x62\x61\x63kstory/udm.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1agoogle/type/interval.proto\"\xc2\x0b\n\nCollection\x12\n\n\x02id\x18\x07 \x01(\t\x12\x39\n\x04type\x18\x01 \x01(\x0e\x32+.google.backstory.Collection.CollectionType\x12\x34\n\x0cid_namespace\x18\x0c \x01(\x0e\x32\x1e.google.backstory.Id.Namespace\x12\x30\n\x0c\x63reated_time\x18\x05 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x35\n\x11last_updated_time\x18\x06 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12*\n\x0btime_window\x18\x08 \x01(\x0b\x32\x15.google.type.Interval\x12\x36\n\x13\x63ollection_elements\x18\t \x03(\x0b\x32\x19.google.backstory.Element\x12\x33\n\tdetection\x18\x03 \x03(\x0b\x32 .google.backstory.SecurityResult\x12\x32\n\x0e\x64\x65tection_time\x18\n \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x36\n\rinvestigation\x18\x04 \x01(\x0b\x32\x1f.google.backstory.Investigation\x12\x0c\n\x04tags\x18\x0b \x03(\t\x12\x46\n\x16response_platform_info\x18\r \x01(\x0b\x32&.google.backstory.ResponsePlatformInfo\x12\x11\n\tcase_name\x18\x0e \x01(\t\x12\x12\n\nsoar_alert\x18\x11 \x01(\x08\x12@\n\x13soar_alert_metadata\x18\x12 \x01(\x0b\x32#.google.backstory.SoarAlertMetadata\x12\x19\n\x11\x64\x61ta_access_scope\x18\x13 \x01(\t\x12U\n\x18\x64\x65tection_timing_details\x18\x14 \x03(\x0e\x32\x33.google.backstory.Collection.DetectionTimingDetails\x12\x39\n\x0flatency_metrics\x18\x15 \x01(\x0b\x32 .google.backstory.LatencyMetrics\x12\x45\n\x12rule_run_frequency\x18\x16 \x01(\x0e\x32).google.backstory.Collection.RunFrequency\x12\x1d\n\x15simulated_event_count\x18\x17 \x01(\x03\x12\x1d\n\x15simulated_event_names\x18\x18 \x03(\t\"\xb5\x01\n\x0e\x43ollectionType\x12\x1f\n\x1b\x43OLLECTION_TYPE_UNSPECIFIED\x10\x00\x12\x13\n\x0fTELEMETRY_ALERT\x10\x01\x12\x10\n\x0cGCTI_FINDING\x10\x02\x12\x13\n\x0fUPPERCASE_ALERT\x10\x02\x12\x12\n\x0eRULE_DETECTION\x10\x03\x12\x1e\n\x1aMACHINE_INTELLIGENCE_ALERT\x10\x04\x12\x0e\n\nSOAR_ALERT\x10\x05\x1a\x02\x10\x01\"\x95\x01\n\x16\x44\x65tectionTimingDetails\x12(\n$DETECTION_TIMING_DETAILS_UNSPECIFIED\x10\x00\x12)\n%DETECTION_TIMING_DETAILS_REPROCESSING\x10\x01\x12&\n\"DETECTION_TIMING_DETAILS_RETROHUNT\x10\x02\"|\n\x0cRunFrequency\x12\x1d\n\x19RUN_FREQUENCY_UNSPECIFIED\x10\x00\x12\x1a\n\x16RUN_FREQUENCY_REALTIME\x10\x01\x12\x18\n\x14RUN_FREQUENCY_HOURLY\x10\x02\x12\x17\n\x13RUN_FREQUENCY_DAILY\x10\x03J\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11\"\xfe\x01\n\x15\x45ntityGraphEnrichment\x12\x12\n\ndata_table\x18\x01 \x01(\t\x12O\n\x0f\x65nrichment_type\x18\x03 \x01(\x0e\x32\x36.google.backstory.EntityGraphEnrichment.EnrichmentType\x12\x33\n\x11overridden_entity\x18\x02 \x01(\x0b\x32\x18.google.backstory.Entity\"K\n\x0e\x45nrichmentType\x12\x1f\n\x1b\x45NRICHMENT_TYPE_UNSPECIFIED\x10\x00\x12\n\n\x06\x41PPEND\x10\x01\x12\x0c\n\x08OVERRIDE\x10\x02\"\\\n\x10\x44\x61taTableRowInfo\x12\x12\n\ndata_table\x18\x01 \x01(\t\x12$\n\x03row\x18\x02 \x01(\x0b\x32\x17.google.protobuf.Struct\x12\x0e\n\x06row_id\x18\x03 \x01(\t\"\xaa\x02\n\x0eLatencyMetrics\x12\x39\n\x15oldest_ingestion_time\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x39\n\x15newest_ingestion_time\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x35\n\x11oldest_event_time\x18\x03 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x35\n\x11newest_event_time\x18\x04 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x34\n\x11ingestion_latency\x18\x05 \x01(\x0b\x32\x19.google.protobuf.Duration\"\x9d\x02\n\tReference\x12$\n\x05\x65vent\x18\x01 \x01(\x0b\x32\x15.google.backstory.UDM\x12(\n\x06\x65ntity\x18\x02 \x01(\x0b\x32\x18.google.backstory.Entity\x12\x42\n\x16joined_data_table_rows\x18\x04 \x03(\x0b\x32\".google.backstory.DataTableRowInfo\x12\x41\n\x10graph_enrichment\x18\x05 \x01(\x0b\x32\'.google.backstory.EntityGraphEnrichment\x12 \n\x02id\x18\x03 \x01(\x0b\x32\x14.google.backstory.Id\x12\x17\n\x0flog_batch_token\x18\x06 \x01(\t\"\xd7\x01\n\x07\x45lement\x12\x35\n\x0b\x61ssociation\x18\x01 \x01(\x0b\x32 .google.backstory.SecurityResult\x12/\n\nreferences\x18\x02 \x03(\x0b\x32\x1b.google.backstory.Reference\x12\r\n\x05label\x18\x03 \x01(\t\x12\x1a\n\x12references_sampled\x18\x04 \x01(\x08\x12\x39\n\x0flatency_metrics\x18\x05 \x01(\x0b\x32 .google.backstory.LatencyMetrics\"\xeb\x01\n\x14ResponsePlatformInfo\x12\x10\n\x08\x61lert_id\x18\x02 \x01(\t\x12[\n\x16response_platform_type\x18\x03 \x01(\x0e\x32;.google.backstory.ResponsePlatformInfo.ResponsePlatformType\"d\n\x14ResponsePlatformType\x12&\n\"RESPONSE_PLATFORM_TYPE_UNSPECIFIED\x10\x00\x12$\n RESPONSE_PLATFORM_TYPE_SIEMPLIFY\x10\x01\"\xae\x01\n\x11SoarAlertMetadata\x12\x10\n\x08\x61lert_id\x18\x01 \x01(\t\x12\x13\n\x0bsource_rule\x18\x02 \x01(\t\x12\x0e\n\x06vendor\x18\x03 \x01(\t\x12\x15\n\rsource_system\x18\x04 \x01(\t\x12\x0f\n\x07product\x18\x05 \x01(\t\x12\x1f\n\x17source_system_ticket_id\x18\x06 \x01(\t\x12\x19\n\x11source_system_uri\x18\x07 \x01(\tB\x8d\x01\n\x14\x63om.google.backstoryP\x01Z9google.golang.org/genproto/googleapis/backstory;backstory\xaa\x02\x10Google.Backstory\xca\x02\x10Google\\Backstory\xea\x02\x11Google::Backstoryb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["google.protobuf.Timestamp", "google/protobuf/timestamp.proto"],
+    ["google.type.Interval", "google/type/interval.proto"],
+    ["google.backstory.SecurityResult", "backstory/udm.proto"],
+    ["google.backstory.Entity", "backstory/entity.proto"],
+    ["google.protobuf.Struct", "google/protobuf/struct.proto"],
+    ["google.protobuf.Duration", "google/protobuf/duration.proto"],
+    ["google.backstory.Id", "backstory/id.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
+    end
+  end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
+end
+
+module Google
+  module Backstory
+    Collection = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Collection").msgclass
+    Collection::CollectionType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Collection.CollectionType").enummodule
+    Collection::DetectionTimingDetails = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Collection.DetectionTimingDetails").enummodule
+    Collection::RunFrequency = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Collection.RunFrequency").enummodule
+    EntityGraphEnrichment = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.EntityGraphEnrichment").msgclass
+    EntityGraphEnrichment::EnrichmentType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.EntityGraphEnrichment.EnrichmentType").enummodule
+    DataTableRowInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.DataTableRowInfo").msgclass
+    LatencyMetrics = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.LatencyMetrics").msgclass
+    Reference = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Reference").msgclass
+    Element = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Element").msgclass
+    ResponsePlatformInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.ResponsePlatformInfo").msgclass
+    ResponsePlatformInfo::ResponsePlatformType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.ResponsePlatformInfo.ResponsePlatformType").enummodule
+    SoarAlertMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.SoarAlertMetadata").msgclass
+  end
+end
+
+#### Source proto file: backstory/collection.proto ####
+#
+# // Copyright 2026 Google LLC
+# //
+# // Licensed under the Apache License, Version 2.0 (the "License");
+# // you may not use this file except in compliance with the License.
+# // You may obtain a copy of the License at
+# //
+# //     http://www.apache.org/licenses/LICENSE-2.0
+# //
+# // Unless required by applicable law or agreed to in writing, software
+# // distributed under the License is distributed on an "AS IS" BASIS,
+# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# // See the License for the specific language governing permissions and
+# // limitations under the License.
+#
+# syntax = "proto3";
+#
+# package google.backstory;
+#
+# import "backstory/entity.proto";
+# import "backstory/id.proto";
+# import "backstory/udm.proto";
+# import "google/protobuf/duration.proto";
+# import "google/protobuf/struct.proto";
+# import "google/protobuf/timestamp.proto";
+# import "google/type/interval.proto";
+#
+# option csharp_namespace = "Google.Backstory";
+# option go_package = "google.golang.org/genproto/googleapis/backstory;backstory";
+# option java_multiple_files = true;
+# option java_package = "com.google.backstory";
+# option php_namespace = "Google\\Backstory";
+# option ruby_package = "Google::Backstory";
+#
+# // Collection represents a container of objects (such as events, entity
+# // context metadata, detection finding metadata) and state (such as
+# // investigation details).
+# //
+# // An example use case for Collection is to model a detection and investigation
+# // from detection finding metadata to investigative state collected in the
+# // course of the investigation. For more complex investigation and response
+# // workflows a Collection could represent an incident consisting of multiple
+# // child findings or incidents. This can be expanded on to model remediation
+# // elements of a full detection and response workflow.
+# //
+# message Collection {
+#   // The type of the collection which will indicate which other fields are
+#   // relevant. For example, detection finding collections will populate the
+#   // detection field. Findings that evolve into investigations will populate the
+#   // investigation field.
+#   enum CollectionType {
+#     option allow_alias = true;
+#
+#     // An unspecified collection type.
+#     COLLECTION_TYPE_UNSPECIFIED = 0;
+#
+#     // An alert reported in customer telemetry.
+#     TELEMETRY_ALERT = 1;
+#
+#     // A finding from the Uppercase team.
+#     GCTI_FINDING = 2;
+#
+#     UPPERCASE_ALERT = 2;
+#
+#     // A detection found by applying a rule.
+#     RULE_DETECTION = 3;
+#
+#     // An alert generated by Chronicle machine learning models.
+#     MACHINE_INTELLIGENCE_ALERT = 4;
+#
+#     // An alert coming from other SIEMs via Chronicle SOAR.
+#     SOAR_ALERT = 5;
+#   }
+#
+#   // Detection timing details for the collection.
+#   enum DetectionTimingDetails {
+#     // Detection timing details are unspecified.
+#     DETECTION_TIMING_DETAILS_UNSPECIFIED = 0;
+#
+#     // Detection is generated by a reprocessing run.
+#     DETECTION_TIMING_DETAILS_REPROCESSING = 1;
+#
+#     // Detection is generated by a retrohunt run.
+#     DETECTION_TIMING_DETAILS_RETROHUNT = 2;
+#   }
+#
+#   // Run frequencies used by rule executions.
+#   enum RunFrequency {
+#     // Unspecified run frequency.
+#     RUN_FREQUENCY_UNSPECIFIED = 0;
+#
+#     // Real-time run frequency.
+#     RUN_FREQUENCY_REALTIME = 1;
+#
+#     // Executes once an hour.
+#     RUN_FREQUENCY_HOURLY = 2;
+#
+#     // Executes once a day.
+#     RUN_FREQUENCY_DAILY = 3;
+#   }
+#
+#   // Unique ID for the collection.
+#   // The ID is specific to the type of collection. For example, with rule
+#   // detections this is the detection ID.
+#   string id = 7;
+#
+#   // What the collection represents.
+#   CollectionType type = 1;
+#
+#   // The ID namespace used for the Collection.
+#   Id.Namespace id_namespace = 12;
+#
+#   // Time the collection was created.
+#   google.protobuf.Timestamp created_time = 5;
+#
+#   // Time the collection was last updated.
+#   google.protobuf.Timestamp last_updated_time = 6;
+#
+#   // Time interval that the collection represents.
+#   google.type.Interval time_window = 8;
+#
+#   // Constituent elements of the collection. Each element shares an association
+#   // that groups it together and is a component of the overall collection. For
+#   // example, a detection collection may have several constituent elements that
+#   // each share a correlation association that together represent a particular
+#   // pattern or behavior.
+#   repeated Element collection_elements = 9;
+#
+#   // Detection metadata for findings that represent detections, can include
+#   // rule details, machine learning model metadata, and indicators implicated
+#   // in the detection (using the .about field).
+#   repeated SecurityResult detection = 3;
+#
+#   // Timestamp within the time_window related to the time of the
+#   // collection_elements. For Rule Detections, this timestamp is the end of the
+#   // the time_window for multi-event rules or the time of the event for single
+#   // event rules. For late-arriving events that trigger new alerts, the
+#   // detection_time will be the event time of the event.
+#   google.protobuf.Timestamp detection_time = 10;
+#
+#   // Consolidated investigation details (categorization, status, etc) typically
+#   // for collections that begin as detection findings and then evolve with
+#   // analyst action and feedback into investigations around the detection
+#   // output.
+#   Investigation investigation = 4;
+#
+#   // Tags set by UC/DSML/RE for the Finding during creation.
+#   repeated string tags = 11;
+#
+#   // Alert related info of this same alert in customer's SOAR platform.
+#   ResponsePlatformInfo response_platform_info = 13;
+#
+#   // The resource name of the Case that this collection belongs to.
+#   // Example:
+#   // projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id}
+#   string case_name = 14;
+#
+#   // The current primary analyst feedback.
+#   // This does not include the history of feedback given, which may be supplied
+#   // in `feedback`.
+#   reserved 15;
+#
+#   // The history of feedback submitted by analysts for this finding,
+#   // in descending order by timestamp.
+#   // This field is limited to the most recent 1000 feedback events.
+#   // The primary feedback will also be included in this list.
+#   reserved 16;
+#
+#   // A boolean field indicating that the alert is present in SOAR.
+#   bool soar_alert = 17;
+#
+#   // Metadata fields of alerts coming from other SIEM systems via SOAR.
+#   SoarAlertMetadata soar_alert_metadata = 18;
+#
+#   // The resource name of the DataAccessScope of this collection.
+#   string data_access_scope = 19;
+#
+#   // Detection timing details for the collection. These details are used to
+#   // determine prossible causes of latency for the detection.
+#   // This field is only set for detections that are generated by rules.
+#   repeated DetectionTimingDetails detection_timing_details = 20;
+#
+#   // The latency metrics for the specific detection. These metrics are
+#   // calculated from ALL of the events that contribute to the detection, not
+#   // just the sampled ones.
+#   LatencyMetrics latency_metrics = 21;
+#
+#   // The run frequency of the rule when it generated the detection.
+#   RunFrequency rule_run_frequency = 22;
+#
+#   // The total number of simulated events that contributed to this detection.
+#   // Simulated events are realistic threat sequences (Raw Logs or UDM)
+#   // programmatically delivered into the production ingestion pipeline to verify
+#   // the entire detection lifecycle—from identification to action.
+#   int64 simulated_event_count = 23;
+#
+#   // The set of all values from event ingestion_labels where SIMULATED is set as
+#   // the key, for all simulated events that participated in this detection.
+#   repeated string simulated_event_names = 24;
+# }
+#
+# // EntityGraphEnrichment contains the data table name and the enrichment applied
+# // to the entity.
+# message EntityGraphEnrichment {
+#   // Type of enrichment.
+#   enum EnrichmentType {
+#     // Enrichment type is unspecified.
+#     ENRICHMENT_TYPE_UNSPECIFIED = 0;
+#
+#     // The data table was appended to the entity graph.
+#     APPEND = 1;
+#
+#     // The entity graph was overridden by the data table.
+#     OVERRIDE = 2;
+#   }
+#
+#   // The name of the data table.
+#   string data_table = 1;
+#
+#   // The type of enrichment.
+#   EnrichmentType enrichment_type = 3;
+#
+#   // The entity which has only the overridden fields populated. Only populated
+#   // if the enrichment type is OVERRIDE.
+#   Entity overridden_entity = 2;
+# }
+#
+# // DataTableRowInfo captures information about a data table row including the
+# // name of the data table.
+# message DataTableRowInfo {
+#   // The name of data table.
+#   string data_table = 1;
+#
+#   // Stores the key value pair for a data table row where the key is the name
+#   // of the column for the given value.
+#   google.protobuf.Struct row = 2;
+#
+#   // The row id of the data table row.
+#   string row_id = 3;
+# }
+#
+# // LatencyMetrics contains relevant timestamps for measuring latency per event
+# // variable. These metrics are calculated from ALL of the events that contribute
+# // to the detection, not just the sampled ones.
+# message LatencyMetrics {
+#   // The oldest ingestion timestamp from the events used to create the
+#   // detection.
+#   google.protobuf.Timestamp oldest_ingestion_time = 1;
+#
+#   // The newest (most recent) ingestion timestamp from the events used to
+#   // create the detection.
+#   google.protobuf.Timestamp newest_ingestion_time = 2;
+#
+#   // The oldest event timestamp from the events used to create the detection.
+#   google.protobuf.Timestamp oldest_event_time = 3;
+#
+#   // The newest (most recent) event timestamp from the events used to create
+#   // the detection.
+#   google.protobuf.Timestamp newest_event_time = 4;
+#
+#   // The difference between newest ingestion timestamp and newest event
+#   // timestamp.
+#   google.protobuf.Duration ingestion_latency = 5;
+# }
+#
+# // Reference to model primatives including event and entity. As support is added
+# // for fast retrieval of objects by identifiers, this will be
+# // expanded to include ID references rather than full object copies.
+# message Reference {
+#   // Only one of event or entity will be populated for a single
+#   // reference.
+#   // Start one-of
+#   // Event being referenced.
+#   UDM event = 1;
+#
+#   // Entity being referenced. In cases where the entity graph is overridden by
+#   // data table, this will represent the original entity.
+#   // End one-of
+#   Entity entity = 2;
+#
+#   // The data table rows joined with the event.
+#   repeated DataTableRowInfo joined_data_table_rows = 4;
+#
+#   // The entity graph enrichment details. Only set when the reference is an
+#   // Entity which has been overridden by a data table or appended from a data
+#   // table.
+#   EntityGraphEnrichment graph_enrichment = 5;
+#
+#   // Id being referenced. This field will also be populated for both event and
+#   // entity with the event id. For detections, only this field will be
+#   // populated.
+#   Id id = 3;
+#
+#   // The log batch token of the event being referenced. This field is
+#   // used to fetch the raw log associated with the event in some legacy systems.
+#   // This field is only populated for events/entities.
+#   string log_batch_token = 6;
+# }
+#
+# message Element {
+#   // Metadata that provides the relevant association for the references in the
+#   // element. For a detection, this can be the correlated aspect of the
+#   // references that contributed to the overall detection. For example, may
+#   // include sub-rule condition, machine learning model metadata, and/or
+#   // indicators implicated in this component of the detection
+#   // (using the .about field).
+#   SecurityResult association = 1;
+#
+#   // References to model primatives including events and entities that share a
+#   // common association.
+#   // Even though a reference can have both UDM and entity, a collection of
+#   // references (of a single element) will only have one type of message in it
+#   // (either UDM / Entity).
+#   repeated Reference references = 2;
+#
+#   // A name that labels the entire references group.
+#   string label = 3;
+#
+#   // Copied from the detection event_sample.too_many_event_samples field.
+#   // If true, the number of references will be capped at the sample limit
+#   // (set at rule service).
+#   // This is applicable to both UDM references and Entity references.
+#   bool references_sampled = 4;
+#
+#   // Latency metrics for the specific element. These are
+#   // calculated from all the contributing events or entities for a single event
+#   // variable, not just the sampled ones included in references. This is
+#   // currently only populated for UDM events.
+#   LatencyMetrics latency_metrics = 5;
+# }
+#
+# // Related info of an Alert in customer's SOAR platform.
+# message ResponsePlatformInfo {
+#   // Available response platforms.
+#   enum ResponsePlatformType {
+#     // Response platform not specified.
+#     RESPONSE_PLATFORM_TYPE_UNSPECIFIED = 0;
+#
+#     // Siemplify
+#     RESPONSE_PLATFORM_TYPE_SIEMPLIFY = 1;
+#   }
+#
+#   // Id of the alert in SOAR product.
+#   string alert_id = 2;
+#
+#   // Type of SOAR product.
+#   ResponsePlatformType response_platform_type = 3;
+# }
+#
+# // Metadata fields of alerts coming from other SIEM systems.
+# message SoarAlertMetadata {
+#   // Alert ID in the source SIEM system.
+#   string alert_id = 1;
+#
+#   // Name of the rule triggering the alert in the source SIEM.
+#   string source_rule = 2;
+#
+#   // Name of the vendor.
+#   string vendor = 3;
+#
+#   // Name of the Source SIEM system.
+#   string source_system = 4;
+#
+#   // Name of the product the alert is coming from.
+#   string product = 5;
+#
+#   // Ticket id for the alert in the source system.
+#   string source_system_ticket_id = 6;
+#
+#   // Url to the source SIEM system.
+#   string source_system_uri = 7;
+# }

data/lib/backstory/data_access_pb.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: backstory/data_access.proto
+
+require 'google/protobuf'
+
+
+descriptor_data = "\n\x1b\x62\x61\x63kstory/data_access.proto\x12\x10google.backstory\"6\n\x18\x44\x61taAccessIngestionLabel\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t\"\xd4\x01\n\x10\x44\x61taAccessLabels\x12\x11\n\tlog_types\x18\x01 \x03(\t\x12\x1c\n\x10ingestion_labels\x18\x02 \x03(\tB\x02\x18\x01\x12\x12\n\nnamespaces\x18\x03 \x03(\t\x12\x15\n\rcustom_labels\x18\x04 \x03(\t\x12G\n\x13ingestion_kv_labels\x18\x05 \x03(\x0b\x32*.google.backstory.DataAccessIngestionLabel\x12\x1b\n\x13\x61llow_scoped_access\x18\x06 \x01(\x08\x42\x8d\x01\n\x14\x63om.google.backstoryP\x01Z9google.golang.org/genproto/googleapis/backstory;backstory\xaa\x02\x10Google.Backstory\xca\x02\x10Google\\Backstory\xea\x02\x11Google::Backstoryb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
+    end
+  end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
+end
+
+module Google
+  module Backstory
+    DataAccessIngestionLabel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.DataAccessIngestionLabel").msgclass
+    DataAccessLabels = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.DataAccessLabels").msgclass
+  end
+end
+
+#### Source proto file: backstory/data_access.proto ####
+#
+# // Copyright 2026 Google LLC
+# //
+# // Licensed under the Apache License, Version 2.0 (the "License");
+# // you may not use this file except in compliance with the License.
+# // You may obtain a copy of the License at
+# //
+# //     http://www.apache.org/licenses/LICENSE-2.0
+# //
+# // Unless required by applicable law or agreed to in writing, software
+# // distributed under the License is distributed on an "AS IS" BASIS,
+# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# // See the License for the specific language governing permissions and
+# // limitations under the License.
+#
+# syntax = "proto3";
+#
+# package google.backstory;
+#
+# option csharp_namespace = "Google.Backstory";
+# option go_package = "google.golang.org/genproto/googleapis/backstory;backstory";
+# option java_multiple_files = true;
+# option java_package = "com.google.backstory";
+# option php_namespace = "Google\\Backstory";
+# option ruby_package = "Google::Backstory";
+#
+# // Label used in data access for ingestion.
+# message DataAccessIngestionLabel {
+#   // The key.
+#   string key = 1;
+#
+#   // The value.
+#   string value = 2;
+# }
+#
+# // Label used in data access.
+# message DataAccessLabels {
+#   // All the LogType labels.
+#   repeated string log_types = 1;
+#
+#   // All the ingestion labels.
+#   repeated string ingestion_labels = 2 [deprecated = true];
+#
+#   // All the namespaces.
+#   repeated string namespaces = 3;
+#
+#   // All the complex labels (UDM search syntax based).
+#   repeated string custom_labels = 4;
+#
+#   // All the ingestion labels (key/value pairs).
+#   repeated DataAccessIngestionLabel ingestion_kv_labels = 5;
+#
+#   // Are the labels ready for scoped access
+#   bool allow_scoped_access = 6;
+# }