google-backstory 0.a → 0.1.0

data/lib/backstory/entity_pb.rb

@@ -0,0 +1,694 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: backstory/entity.proto
+
+require 'google/protobuf'
+
+require 'backstory/entity_risk_pb'
+require 'backstory/udm_pb'
+require 'google/protobuf/struct_pb'
+require 'google/protobuf/timestamp_pb'
+require 'google/type/interval_pb'
+
+
+descriptor_data = "\n\x16\x62\x61\x63kstory/entity.proto\x12\x10google.backstory\x1a\x1b\x62\x61\x63kstory/entity_risk.proto\x1a\x13\x62\x61\x63kstory/udm.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1agoogle/type/interval.proto\"\x85\x08\n\x0e\x45ntityMetadata\x12\x19\n\x11product_entity_id\x18\x01 \x01(\t\x12\x37\n\x13\x63ollected_timestamp\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x36\n\x12\x63reation_timestamp\x18\x08 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\'\n\x08interval\x18\t \x01(\x0b\x32\x15.google.type.Interval\x12\x13\n\x0bvendor_name\x18\x03 \x01(\t\x12\x14\n\x0cproduct_name\x18\x04 \x01(\t\x12\x0c\n\x04\x66\x65\x65\x64\x18\x0e \x01(\t\x12\x17\n\x0fproduct_version\x18\x05 \x01(\t\x12@\n\x0b\x65ntity_type\x18\x06 \x01(\x0e\x32+.google.backstory.EntityMetadata.EntityType\x12\x13\n\x0b\x64\x65scription\x18\x07 \x01(\t\x12\x30\n\x06threat\x18\n \x03(\x0b\x32 .google.backstory.SecurityResult\x12@\n\x0bsource_type\x18\x0b \x01(\x0e\x32+.google.backstory.EntityMetadata.SourceType\x12.\n\rsource_labels\x18\x0c \x03(\x0b\x32\x17.google.backstory.Label\x12\x32\n\x0e\x65vent_metadata\x18\r \x01(\x0b\x32\x1a.google.backstory.Metadata\x12\x36\n\x11structured_fields\x18\x0f \x01(\x0b\x32\x17.google.protobuf.StructB\x02\x18\x01\x12*\n\textracted\x18\x10 \x01(\x0b\x32\x17.google.protobuf.Struct\x12?\n\x12\x61ti_prioritization\x18\x11 \x01(\x0b\x32#.google.backstory.AtiPrioritization\"\xaf\x01\n\nEntityType\x12\x16\n\x12UNKNOWN_ENTITYTYPE\x10\x00\x12\t\n\x05\x41SSET\x10\x01\x12\t\n\x04USER\x10\x90N\x12\n\n\x05GROUP\x10\x91N\x12\x0c\n\x08RESOURCE\x10\x02\x12\x0e\n\nIP_ADDRESS\x10\x03\x12\x0e\n\nCIDR_BLOCK\x10\t\x12\x08\n\x04\x46ILE\x10\x04\x12\x0f\n\x0b\x44OMAIN_NAME\x10\x05\x12\x07\n\x03URL\x10\x06\x12\t\n\x05MUTEX\x10\x07\x12\n\n\x06METRIC\x10\x08\"f\n\nSourceType\x12\x1b\n\x17SOURCE_TYPE_UNSPECIFIED\x10\x00\x12\x12\n\x0e\x45NTITY_CONTEXT\x10\x01\x12\x13\n\x0f\x44\x45RIVED_CONTEXT\x10\x02\x12\x12\n\x0eGLOBAL_CONTEXT\x10\x03\"\x9e\x04\n\x11\x41tiPrioritization\x12\x13\n\x0bgti_verdict\x18\x01 \x01(\x05\x12\x14\n\x0cgti_severity\x18\x02 \x01(\x05\x12\x18\n\x10gti_threat_score\x18\x03 \x01(\x05\x12#\n\x1bmandiant_analyst_confidence\x18\x04 \x01(\x05\x12\x33\n\x0fgti_update_time\x18\x05 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x11\n\tactive_ir\x18\x06 \x01(\x08\x12?\n\x1b\x61\x63tive_ir_first_tagged_time\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x1d\n\x15global_customer_count\x18\x08 \x01(\x03\x12\x18\n\x10global_hit_count\x18\t \x01(\x03\x12\x11\n\texclusive\x18\n \x01(\x08\x12\r\n\x05osint\x18\x0b \x01(\x08\x12\x0f\n\x07scanner\x18\x0c \x01(\x08\x12\x10\n\x08reviewed\x18\r \x01(\x08\x12H\n\x12\x61ttributed_malware\x18\x0e \x03(\x0b\x32,.google.backstory.SecurityResult.Association\x12N\n\x18\x61ttributed_threat_actors\x18\x0f \x03(\x0b\x32,.google.backstory.SecurityResult.Association\"\xb0\x02\n\x06\x45ntity\x12\x32\n\x08metadata\x18\x01 \x01(\x0b\x32 .google.backstory.EntityMetadata\x12&\n\x06\x65ntity\x18\x02 \x01(\x0b\x32\x16.google.backstory.Noun\x12-\n\trelations\x18\x04 \x03(\x0b\x32\x1a.google.backstory.Relation\x12+\n\nadditional\x18\x03 \x01(\x0b\x32\x17.google.protobuf.Struct\x12\x35\n\nrisk_score\x18\x05 \x01(\x0b\x32\x1c.google.backstory.EntityRiskH\x00\x88\x01\x01\x12(\n\x06metric\x18\x06 \x01(\x0b\x32\x18.google.backstory.MetricB\r\n\x0b_risk_score\"\xb0\x05\n\x08Relation\x12&\n\x06\x65ntity\x18\x01 \x01(\x0b\x32\x16.google.backstory.Noun\x12@\n\x0b\x65ntity_type\x18\x02 \x01(\x0e\x32+.google.backstory.EntityMetadata.EntityType\x12=\n\x0crelationship\x18\x03 \x01(\x0e\x32\'.google.backstory.Relation.Relationship\x12<\n\tdirection\x18\x04 \x01(\x0e\x32).google.backstory.Relation.Directionality\x12\x0b\n\x03uid\x18\x05 \x01(\x0c\x12<\n\x0c\x65ntity_label\x18\x06 \x01(\x0e\x32&.google.backstory.Relation.EntityLabel\"\x84\x01\n\x0cRelationship\x12\x1c\n\x18RELATIONSHIP_UNSPECIFIED\x10\x00\x12\x08\n\x04OWNS\x10\x01\x12\x0f\n\x0b\x41\x44MINISTERS\x10\x02\x12\n\n\x06MEMBER\x10\x03\x12\x0c\n\x08\x45XECUTES\x10\x04\x12\x13\n\x0f\x44OWNLOADED_FROM\x10\x05\x12\x0c\n\x08\x43ONTACTS\x10\x06\"W\n\x0e\x44irectionality\x12\x1e\n\x1a\x44IRECTIONALITY_UNSPECIFIED\x10\x00\x12\x11\n\rBIDIRECTIONAL\x10\x01\x12\x12\n\x0eUNIDIRECTIONAL\x10\x02\"\x91\x01\n\x0b\x45ntityLabel\x12\x1c\n\x18\x45NTITY_LABEL_UNSPECIFIED\x10\x00\x12\r\n\tPRINCIPAL\x10\x01\x12\n\n\x06TARGET\x10\x02\x12\x0c\n\x08OBSERVER\x10\x03\x12\x07\n\x03SRC\x10\x04\x12\x0b\n\x07NETWORK\x10\x05\x12\x13\n\x0fSECURITY_RESULT\x10\x06\x12\x10\n\x0cINTERMEDIARY\x10\x07\"\xc4\x15\n\x06Metric\x12.\n\nfirst_seen\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12-\n\tlast_seen\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x35\n\x0bsum_measure\x18\x03 \x01(\x0b\x32 .google.backstory.Metric.Measure\x12\x14\n\x0ctotal_events\x18\x04 \x01(\x03\x12\x38\n\x0bmetric_name\x18\x05 \x01(\x0e\x32#.google.backstory.Metric.MetricName\x12\x36\n\ndimensions\x18\x06 \x03(\x0e\x32\".google.backstory.Metric.Dimension\x12\x15\n\rexport_window\x18\x07 \x01(\x03\x12\x14\n\x0c\x64isplay_name\x18\x08 \x01(\t\x12<\n\x11outcome_variables\x18\t \x03(\x0b\x32!.google.backstory.FindingVariable\x12:\n\x0fmatch_variables\x18\n \x03(\x0b\x32!.google.backstory.FindingVariable\x12)\n\ntime_range\x18\x0b \x01(\x0b\x32\x15.google.type.Interval\x1a`\n\x07Measure\x12\r\n\x05value\x18\x01 \x01(\x01\x12\x46\n\x12\x61ggregate_function\x18\x02 \x01(\x0e\x32*.google.backstory.Metric.AggregateFunction\"r\n\x11\x41ggregateFunction\x12\"\n\x1e\x41GGREGATE_FUNCTION_UNSPECIFIED\x10\x00\x12\x07\n\x03MIN\x10\x01\x12\x07\n\x03MAX\x10\x02\x12\t\n\x05\x43OUNT\x10\x03\x12\x07\n\x03SUM\x10\x04\x12\x07\n\x03\x41VG\x10\x05\x12\n\n\x06STDDEV\x10\x06\"\xf1\x08\n\nMetricName\x12\x1b\n\x17METRIC_NAME_UNSPECIFIED\x10\x00\x12\x19\n\x15NETWORK_BYTES_INBOUND\x10\x01\x12\x1a\n\x16NETWORK_BYTES_OUTBOUND\x10\x02\x12\x17\n\x13NETWORK_BYTES_TOTAL\x10\x03\x12\x19\n\x15\x41UTH_ATTEMPTS_SUCCESS\x10\x04\x12\x16\n\x12\x41UTH_ATTEMPTS_FAIL\x10\x05\x12\x17\n\x13\x41UTH_ATTEMPTS_TOTAL\x10\x06\x12\x16\n\x12\x44NS_BYTES_OUTBOUND\x10\x07\x12\x19\n\x15NETWORK_FLOWS_INBOUND\x10\x08\x12\x1a\n\x16NETWORK_FLOWS_OUTBOUND\x10\t\x12\x17\n\x13NETWORK_FLOWS_TOTAL\x10\n\x12\x17\n\x13\x44NS_QUERIES_SUCCESS\x10\x0b\x12\x14\n\x10\x44NS_QUERIES_FAIL\x10\x0c\x12\x15\n\x11\x44NS_QUERIES_TOTAL\x10\r\x12\x1b\n\x17\x46ILE_EXECUTIONS_SUCCESS\x10\x0e\x12\x18\n\x14\x46ILE_EXECUTIONS_FAIL\x10\x0f\x12\x19\n\x15\x46ILE_EXECUTIONS_TOTAL\x10\x10\x12\x18\n\x14HTTP_QUERIES_SUCCESS\x10\x11\x12\x15\n\x11HTTP_QUERIES_FAIL\x10\x12\x12\x16\n\x12HTTP_QUERIES_TOTAL\x10\x13\x12\x1f\n\x1bWORKSPACE_EMAILS_SENT_TOTAL\x10\x14\x12$\n WORKSPACE_TOTAL_DOWNLOAD_ACTIONS\x10\x15\x12\"\n\x1eWORKSPACE_TOTAL_CHANGE_ACTIONS\x10\x16\x12!\n\x1dWORKSPACE_AUTH_ATTEMPTS_TOTAL\x10\x17\x12$\n WORKSPACE_NETWORK_BYTES_OUTBOUND\x10\x18\x12!\n\x1dWORKSPACE_NETWORK_BYTES_TOTAL\x10\x19\x12\x1a\n\x16\x41LERT_EVENT_NAME_COUNT\x10\x1a\x12\x1b\n\x17RESOURCE_CREATION_TOTAL\x10\x1b\x12\x1d\n\x19RESOURCE_CREATION_SUCCESS\x10\x1c\x12\x19\n\x15RESOURCE_READ_SUCCESS\x10\x1d\x12\x16\n\x12RESOURCE_READ_FAIL\x10\x1e\x12\x1d\n\x19RESOURCE_DELETION_SUCCESS\x10\x1f\x12\x1a\n\x16RESOURCE_CREATION_FAIL\x10 \x12\x1a\n\x16RESOURCE_DELETION_FAIL\x10!\x12\x1b\n\x17RESOURCE_DELETION_TOTAL\x10\"\x12\x17\n\x13RESOURCE_READ_TOTAL\x10#\x12\x19\n\x15RESOURCE_WRITTEN_FAIL\x10$\x12\x1c\n\x18RESOURCE_WRITTEN_SUCCESS\x10%\x12\x1a\n\x16RESOURCE_WRITTEN_TOTAL\x10&\x12\x1d\n\x19UDM_DATA_PRESENCE_SUMMARY\x10\'\"\xff\x06\n\tDimension\x12\x19\n\x15\x44IMENSION_UNSPECIFIED\x10\x00\x12\x14\n\x10PRINCIPAL_DEVICE\x10\x01\x12\x0f\n\x0bTARGET_USER\x10\x02\x12\x11\n\rTARGET_DEVICE\x10\x03\x12\x12\n\x0ePRINCIPAL_USER\x10\x04\x12\r\n\tTARGET_IP\x10\x05\x12\x17\n\x13PRINCIPAL_FILE_HASH\x10\x06\x12\x15\n\x11PRINCIPAL_COUNTRY\x10\x07\x12\x15\n\x11SECURITY_CATEGORY\x10\x08\x12\x0f\n\x0bNETWORK_ASN\x10\t\x12\x1b\n\x17\x43LIENT_CERTIFICATE_HASH\x10\n\x12\x12\n\x0e\x44NS_QUERY_TYPE\x10\x0b\x12\x0e\n\nDNS_DOMAIN\x10\x0c\x12\x13\n\x0fHTTP_USER_AGENT\x10\r\x12\x0e\n\nEVENT_TYPE\x10\x0e\x12\x10\n\x0cPRODUCT_NAME\x10\x0f\x12\x16\n\x12PRODUCT_EVENT_TYPE\x10\x10\x12\x16\n\x12PARENT_FOLDER_PATH\x10\x11\x12\x18\n\x14TARGET_RESOURCE_NAME\x10\x12\x12\x19\n\x15PRINCIPAL_APPLICATION\x10\x13\x12\x16\n\x12TARGET_APPLICATION\x10\x14\x12\x14\n\x10\x45MAIL_TO_ADDRESS\x10\x15\x12\x16\n\x12\x45MAIL_FROM_ADDRESS\x10\x16\x12\x0b\n\x07MAIL_ID\x10\x17\x12\x10\n\x0cPRINCIPAL_IP\x10\x18\x12\x13\n\x0fSECURITY_ACTION\x10\x19\x12\x14\n\x10SECURITY_RULE_ID\x10\x1c\x12$\n TARGET_NETWORK_ORGANIZATION_NAME\x10\x1d\x12\'\n#PRINCIPAL_NETWORK_ORGANIZATION_NAME\x10\x1e\x12\x1f\n\x1bPRINCIPAL_PROCESS_FILE_PATH\x10\x1f\x12\x1f\n\x1bPRINCIPAL_PROCESS_FILE_HASH\x10 \x12\x1d\n\x19SECURITY_RESULT_RULE_NAME\x10!\x12\x1d\n\x19TARGET_RESOURCE_LABEL_KEY\x10\"\x12\x0f\n\x0bVENDOR_NAME\x10#\x12\x18\n\x14TARGET_RESOURCE_TYPE\x10$\x12\x18\n\x14TARGET_LOCATION_NAME\x10%\x12\x0c\n\x08LOG_TYPE\x10&\x12\x13\n\x0fTARGET_HOSTNAME\x10\'B\x9a\x01\n\x14\x63om.google.backstoryB\x0b\x45ntityProtoP\x01Z9google.golang.org/genproto/googleapis/backstory;backstory\xaa\x02\x10Google.Backstory\xca\x02\x10Google\\Backstory\xea\x02\x11Google::Backstoryb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["google.protobuf.Timestamp", "google/protobuf/timestamp.proto"],
+    ["google.type.Interval", "google/type/interval.proto"],
+    ["google.backstory.SecurityResult", "backstory/udm.proto"],
+    ["google.protobuf.Struct", "google/protobuf/struct.proto"],
+    ["google.backstory.EntityRisk", "backstory/entity_risk.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
+    end
+  end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
+end
+
+module Google
+  module Backstory
+    EntityMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.EntityMetadata").msgclass
+    EntityMetadata::EntityType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.EntityMetadata.EntityType").enummodule
+    EntityMetadata::SourceType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.EntityMetadata.SourceType").enummodule
+    AtiPrioritization = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.AtiPrioritization").msgclass
+    Entity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Entity").msgclass
+    Relation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Relation").msgclass
+    Relation::Relationship = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Relation.Relationship").enummodule
+    Relation::Directionality = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Relation.Directionality").enummodule
+    Relation::EntityLabel = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Relation.EntityLabel").enummodule
+    Metric = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Metric").msgclass
+    Metric::Measure = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Metric.Measure").msgclass
+    Metric::AggregateFunction = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Metric.AggregateFunction").enummodule
+    Metric::MetricName = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Metric.MetricName").enummodule
+    Metric::Dimension = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Metric.Dimension").enummodule
+  end
+end
+
+#### Source proto file: backstory/entity.proto ####
+#
+# // Copyright 2026 Google LLC
+# //
+# // Licensed under the Apache License, Version 2.0 (the "License");
+# // you may not use this file except in compliance with the License.
+# // You may obtain a copy of the License at
+# //
+# //     http://www.apache.org/licenses/LICENSE-2.0
+# //
+# // Unless required by applicable law or agreed to in writing, software
+# // distributed under the License is distributed on an "AS IS" BASIS,
+# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# // See the License for the specific language governing permissions and
+# // limitations under the License.
+#
+# syntax = "proto3";
+#
+# package google.backstory;
+#
+# import "backstory/entity_risk.proto";
+# import "backstory/udm.proto";
+# import "google/protobuf/struct.proto";
+# import "google/protobuf/timestamp.proto";
+# import "google/type/interval.proto";
+#
+# option csharp_namespace = "Google.Backstory";
+# option go_package = "google.golang.org/genproto/googleapis/backstory;backstory";
+# option java_multiple_files = true;
+# option java_outer_classname = "EntityProto";
+# option java_package = "com.google.backstory";
+# option php_namespace = "Google\\Backstory";
+# option ruby_package = "Google::Backstory";
+#
+# // Information about the Entity and the product where the entity was created.
+# message EntityMetadata {
+#   // Describes the type of entity.
+#   // An unknown event type.
+#   enum EntityType {
+#     // @hide_from_doc
+#     UNKNOWN_ENTITYTYPE = 0;
+#
+#     // An asset, such as workstation, laptop, phone, virtual machine, etc.
+#     ASSET = 1;
+#
+#     // User.
+#     USER = 10000;
+#
+#     // Group.
+#     GROUP = 10001;
+#
+#     // Resource.
+#     RESOURCE = 2;
+#
+#     // An external IP address.
+#     IP_ADDRESS = 3;
+#
+#     // A CIDR block.
+#     CIDR_BLOCK = 9;
+#
+#     // A file.
+#     FILE = 4;
+#
+#     // A domain.
+#     DOMAIN_NAME = 5;
+#
+#     // A url.
+#     URL = 6;
+#
+#     // A mutex.
+#     MUTEX = 7;
+#
+#     // A metric.
+#     METRIC = 8;
+#   }
+#
+#   // Describes the source of an entity.
+#   enum SourceType {
+#     // Default source type
+#     SOURCE_TYPE_UNSPECIFIED = 0;
+#
+#     // Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT)
+#     ENTITY_CONTEXT = 1;
+#
+#     // Entities derived from customer data such as prevalence, artifact
+#     // first/last seen, or asset/user first seen stats.
+#     DERIVED_CONTEXT = 2;
+#
+#     // Global contextual entities such as WHOIS or Safe Browsing.
+#     GLOBAL_CONTEXT = 3;
+#   }
+#
+#   // A vendor-specific identifier that uniquely identifies the entity
+#   // (e.g. a GUID, LDAP, OID, or similar).
+#   string product_entity_id = 1;
+#
+#   // GMT timestamp when the entity information was collected by the vendor's
+#   // local collection infrastructure.
+#   google.protobuf.Timestamp collected_timestamp = 2;
+#
+#   // GMT timestamp when the entity described by the product_entity_id was
+#   // created on the system where data was collected.
+#   google.protobuf.Timestamp creation_timestamp = 8;
+#
+#   // Valid existence time range for the version of the entity represented by
+#   // this entity data.
+#   google.type.Interval interval = 9;
+#
+#   // Vendor name of the product that produced the entity information.
+#   string vendor_name = 3;
+#
+#   // Product name that produced the entity information.
+#   string product_name = 4;
+#
+#   // Vendor feed name for a threat indicator feed.
+#   string feed = 14;
+#
+#   // Version of the product that produced the entity information.
+#   string product_version = 5;
+#
+#   // Entity type.
+#   // If an entity has multiple possible types, this specifies the most specific
+#   // type.
+#   EntityType entity_type = 6;
+#
+#   // Human-readable description of the entity.
+#   string description = 7;
+#
+#   // Metadata provided by a threat intelligence feed that identified the
+#   // entity as malicious.
+#   repeated SecurityResult threat = 10;
+#
+#   // The source of the entity.
+#   SourceType source_type = 11;
+#
+#   // Entity source metadata labels.
+#   repeated Label source_labels = 12;
+#
+#   // Metadata field from the event.
+#   Metadata event_metadata = 13;
+#
+#   // Structured fields extracted from the log.
+#   google.protobuf.Struct structured_fields = 15 [deprecated = true];
+#
+#   // Flattened fields extracted from the log.
+#   google.protobuf.Struct extracted = 16;
+#
+#   // Prioritization factors used by ATI curated rules.
+#   AtiPrioritization ati_prioritization = 17;
+# }
+#
+# // AtiPrioritization contains various fields used to calculate a priority score
+# // for an entity identified as a threat.
+# message AtiPrioritization {
+#   // The confidence score from "GTI verdict" source.
+#   int32 gti_verdict = 1;
+#
+#   // The confidence score from "GTI severity" source.
+#   int32 gti_severity = 2;
+#
+#   // The confidence score from "GTI threat score" source.
+#   int32 gti_threat_score = 3;
+#
+#   // The confidence score from "Mandiant Analyst Intel" source.
+#   int32 mandiant_analyst_confidence = 4;
+#
+#   // Timestamp of the latest update for GTI verdict, severity, or threat score.
+#   google.protobuf.Timestamp gti_update_time = 5;
+#
+#   // Whether one or more Mandiant incident response customers had this indicator
+#   // in their environment.
+#   bool active_ir = 6;
+#
+#   // The timestamp of the first time an active IR was applied to this entity.
+#   google.protobuf.Timestamp active_ir_first_tagged_time = 7;
+#
+#   // Global customer count over the last 30 days
+#   int64 global_customer_count = 8;
+#
+#   // Global hit count over the last 30 days
+#   int64 global_hit_count = 9;
+#
+#   // Whether the indicator is being used by a maximum of one threat actor.
+#   bool exclusive = 10;
+#
+#   // Whether the indicator details are available in open source.
+#   bool osint = 11;
+#
+#   // Whether the indicator is a scanner.
+#   bool scanner = 12;
+#
+#   // Whether the indicator verdict has passed review.
+#   bool reviewed = 13;
+#
+#   // Malware families associated with this indicator.
+#   repeated SecurityResult.Association attributed_malware = 14;
+#
+#   // Threat actors associated with this indicator.
+#   repeated SecurityResult.Association attributed_threat_actors = 15;
+# }
+#
+# // An Entity provides additional context about an item in a UDM event. For
+# // example, a PROCESS_LAUNCH event describes that user 'abc@example.corp'
+# // launched process 'shady.exe'.
+# // The event does not include information that user 'abc@example.com' is a
+# // recently terminated employee who administers a server storing finance data.
+# // Information stored in one or more Entities can add this additional context.
+# message Entity {
+#   // Entity metadata such as timestamp, product, etc.
+#   EntityMetadata metadata = 1;
+#
+#   // Noun in the UDM event that this entity represents.
+#   Noun entity = 2;
+#
+#   // One or more relationships between the entity (a) and other entities,
+#   // including the relationship type and related entity.
+#   repeated Relation relations = 4;
+#
+#   // Important entity data that cannot be adequately represented within
+#   // the formal sections of the Entity.
+#   google.protobuf.Struct additional = 3;
+#
+#   // Stores information related to the entity's risk score.
+#   optional EntityRisk risk_score = 5;
+#
+#   // Stores statistical metrics about the entity. Used if metadata.entity_type
+#   // is METRIC.
+#   Metric metric = 6;
+# }
+#
+# // Defines the relationship between the entity (a) and another entity (b).
+# message Relation {
+#   // Type of relationship between the primary entity (a) and related entity (b).
+#   enum Relationship {
+#     // Default value
+#     RELATIONSHIP_UNSPECIFIED = 0;
+#
+#     // Related entity is owned by the primary entity (e.g. user owns device
+#     // asset).
+#     OWNS = 1;
+#
+#     // Related entity is administered by the primary entity (e.g. user
+#     // administers a group).
+#     ADMINISTERS = 2;
+#
+#     // Primary entity is a member of the related entity (e.g. user is a member
+#     // of a group).
+#     MEMBER = 3;
+#
+#     // Primary entity may have executed the related entity.
+#     EXECUTES = 4;
+#
+#     // Primary entity may have been downloaded from the related entity.
+#     DOWNLOADED_FROM = 5;
+#
+#     // Primary entity contacts the related entity.
+#     CONTACTS = 6;
+#   }
+#
+#   // Describes the relationship model as directed or undirected.
+#   enum Directionality {
+#     // Default value.
+#     DIRECTIONALITY_UNSPECIFIED = 0;
+#
+#     // Modeled in both directions. Primary entity (a) to related entity (b) and
+#     // related entity (b) to primary entity (a).
+#     BIDIRECTIONAL = 1;
+#
+#     // Modeled in a single direction. Primary entity (a) to related entity (b).
+#     UNIDIRECTIONAL = 2;
+#   }
+#
+#   // Entity label of the relation.
+#   enum EntityLabel {
+#     // Default value.
+#     ENTITY_LABEL_UNSPECIFIED = 0;
+#
+#     // The Noun represents a principal type object.
+#     PRINCIPAL = 1;
+#
+#     // The Noun represents a target type object.
+#     TARGET = 2;
+#
+#     // The Noun represents an observer type object.
+#     OBSERVER = 3;
+#
+#     // The Noun represents src type object.
+#     SRC = 4;
+#
+#     // The Noun represents a network type object.
+#     NETWORK = 5;
+#
+#     // The Noun represents a SecurityResult object.
+#     SECURITY_RESULT = 6;
+#
+#     // The Noun represents an intermediary type object.
+#     INTERMEDIARY = 7;
+#   }
+#
+#   // Entity (b) that the primary entity (a) is related to.
+#   Noun entity = 1;
+#
+#   // Type of the related entity (b) in this relationship.
+#   EntityMetadata.EntityType entity_type = 2;
+#
+#   // Type of relationship.
+#   Relationship relationship = 3;
+#
+#   // Directionality of relationship between primary entity (a) and the
+#   // related entity (b).
+#   Directionality direction = 4;
+#
+#   // UID of the relationship.
+#   bytes uid = 5;
+#
+#   // Label to identify the Noun of the relation.
+#   EntityLabel entity_label = 6;
+# }
+#
+# // Stores precomputed aggregated analytic data for an entity.
+# message Metric {
+#   // Mathematic function used to calculate the value.
+#   enum AggregateFunction {
+#     // Default value.
+#     AGGREGATE_FUNCTION_UNSPECIFIED = 0;
+#
+#     // Minimum.
+#     MIN = 1;
+#
+#     // Maximum.
+#     MAX = 2;
+#
+#     // Count.
+#     COUNT = 3;
+#
+#     // Sum.
+#     SUM = 4;
+#
+#     // Average.
+#     AVG = 5;
+#
+#     // Standard Deviation.
+#     STDDEV = 6;
+#   }
+#
+#   // Describes the precomputed measure.
+#   message Measure {
+#     // Value of the aggregated measure.
+#     double value = 1;
+#
+#     // Function used to calculate the aggregated measure.
+#     AggregateFunction aggregate_function = 2;
+#   }
+#
+#   // The name of the precomputed analytic.
+#   enum MetricName {
+#     // Default
+#     METRIC_NAME_UNSPECIFIED = 0;
+#
+#     // Total received network bytes.
+#     NETWORK_BYTES_INBOUND = 1;
+#
+#     // Total network sent bytes.
+#     NETWORK_BYTES_OUTBOUND = 2;
+#
+#     // Total network sent bytes and received bytes.
+#     NETWORK_BYTES_TOTAL = 3;
+#
+#     // Successful authentication attempts.
+#     AUTH_ATTEMPTS_SUCCESS = 4;
+#
+#     // Failed authentication attempts.
+#     AUTH_ATTEMPTS_FAIL = 5;
+#
+#     // Total authentication attempts.
+#     AUTH_ATTEMPTS_TOTAL = 6;
+#
+#     // Total number of sent bytes for DNS events.
+#     DNS_BYTES_OUTBOUND = 7;
+#
+#     // Total number of events having non-null received bytes.
+#     NETWORK_FLOWS_INBOUND = 8;
+#
+#     // Total number of events having non-null sent bytes.
+#     NETWORK_FLOWS_OUTBOUND = 9;
+#
+#     // Total events having non-null sent or received bytes.
+#     NETWORK_FLOWS_TOTAL = 10;
+#
+#     // DNS query success count - Number of events with response_code = 0.
+#     DNS_QUERIES_SUCCESS = 11;
+#
+#     // Number of events with response_code != 0.
+#     DNS_QUERIES_FAIL = 12;
+#
+#     // Total number of DNS queries made.
+#     DNS_QUERIES_TOTAL = 13;
+#
+#     // Number of successfule file executions.
+#     FILE_EXECUTIONS_SUCCESS = 14;
+#
+#     // Number of failed file executions.
+#     FILE_EXECUTIONS_FAIL = 15;
+#
+#     // Total number file executions.
+#     FILE_EXECUTIONS_TOTAL = 16;
+#
+#     // Number of successful HTTP queries.
+#     HTTP_QUERIES_SUCCESS = 17;
+#
+#     // Number of failed HTTP queries.
+#     HTTP_QUERIES_FAIL = 18;
+#
+#     // Total number of HTTP queries.
+#     HTTP_QUERIES_TOTAL = 19;
+#
+#     // Total number of emails sent in Google Workspace.
+#     WORKSPACE_EMAILS_SENT_TOTAL = 20;
+#
+#     // Total number of download actions in Google Workspace.
+#     WORKSPACE_TOTAL_DOWNLOAD_ACTIONS = 21;
+#
+#     // Total number of change actions in Google Workspace.
+#     WORKSPACE_TOTAL_CHANGE_ACTIONS = 22;
+#
+#     // Total number of authentication attempts in Google Workspace.
+#     WORKSPACE_AUTH_ATTEMPTS_TOTAL = 23;
+#
+#     // Number of outbound network bytes (total sent) in Google Workspace.
+#     WORKSPACE_NETWORK_BYTES_OUTBOUND = 24;
+#
+#     // Total number of network bytes (both sent and received) in Google
+#     // Workspace.
+#     WORKSPACE_NETWORK_BYTES_TOTAL = 25;
+#
+#     // Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.
+#     ALERT_EVENT_NAME_COUNT = 26;
+#
+#     // Analytic tracking successful resource creations.
+#     RESOURCE_CREATION_TOTAL = 27;
+#
+#     // Analytic tracking successful resource creations.
+#     RESOURCE_CREATION_SUCCESS = 28;
+#
+#     // Analytic tracking successful resource reads.
+#     RESOURCE_READ_SUCCESS = 29;
+#
+#     // Analytic tracking failed resource reads.
+#     RESOURCE_READ_FAIL = 30;
+#
+#     // Analytic tracking successful resource deletions.
+#     RESOURCE_DELETION_SUCCESS = 31;
+#
+#     // Analytic tracking failed resource creations.
+#     RESOURCE_CREATION_FAIL = 32;
+#
+#     // Analytic tracking failed resource deletions.
+#     RESOURCE_DELETION_FAIL = 33;
+#
+#     // Analytic tracking total resource deletions.
+#     RESOURCE_DELETION_TOTAL = 34;
+#
+#     // Analytic tracking total resource reads.
+#     RESOURCE_READ_TOTAL = 35;
+#
+#     // Analytic tracking failed resource writes.
+#     RESOURCE_WRITTEN_FAIL = 36;
+#
+#     // Analytic tracking successful resource writes.
+#     RESOURCE_WRITTEN_SUCCESS = 37;
+#
+#     // Analytic tracking total resource writes.
+#     RESOURCE_WRITTEN_TOTAL = 38;
+#
+#     // UDM data summary tracking unique values of dimensions.
+#     UDM_DATA_PRESENCE_SUMMARY = 39;
+#   }
+#
+#   // Describes field used as the dimension when grouping data to calculate the
+#   // aggregate metric.
+#   enum Dimension {
+#     // Default
+#     DIMENSION_UNSPECIFIED = 0;
+#
+#     // Principal Device
+#     PRINCIPAL_DEVICE = 1;
+#
+#     // Target User
+#     TARGET_USER = 2;
+#
+#     // Target Device
+#     TARGET_DEVICE = 3;
+#
+#     // Principal User
+#     PRINCIPAL_USER = 4;
+#
+#     // Target IP
+#     TARGET_IP = 5;
+#
+#     // Principal File Hash
+#     PRINCIPAL_FILE_HASH = 6;
+#
+#     // Principal Country
+#     PRINCIPAL_COUNTRY = 7;
+#
+#     // Security Category
+#     SECURITY_CATEGORY = 8;
+#
+#     // Network ASN
+#     NETWORK_ASN = 9;
+#
+#     // Client Certificate Hash
+#     CLIENT_CERTIFICATE_HASH = 10;
+#
+#     // DNS Query Type
+#     DNS_QUERY_TYPE = 11;
+#
+#     // DNS Domain
+#     DNS_DOMAIN = 12;
+#
+#     // HTTP User Agent
+#     HTTP_USER_AGENT = 13;
+#
+#     // Event Type
+#     EVENT_TYPE = 14;
+#
+#     // Product Name
+#     PRODUCT_NAME = 15;
+#
+#     // Product Event Type
+#     PRODUCT_EVENT_TYPE = 16;
+#
+#     // Parent Folder Path
+#     PARENT_FOLDER_PATH = 17;
+#
+#     // Target resource Name
+#     TARGET_RESOURCE_NAME = 18;
+#
+#     // Principal Application.
+#     PRINCIPAL_APPLICATION = 19;
+#
+#     // Target Application.
+#     TARGET_APPLICATION = 20;
+#
+#     // Email To Address.
+#     EMAIL_TO_ADDRESS = 21;
+#
+#     // Email From Address.
+#     EMAIL_FROM_ADDRESS = 22;
+#
+#     // Mail Id.
+#     MAIL_ID = 23;
+#
+#     // Principal IP.
+#     PRINCIPAL_IP = 24;
+#
+#     // Security Action.
+#     SECURITY_ACTION = 25;
+#
+#     // Security Rule Id.
+#     SECURITY_RULE_ID = 28;
+#
+#     // Target Network Organization name.
+#     TARGET_NETWORK_ORGANIZATION_NAME = 29;
+#
+#     // Principal Network Organization name.
+#     PRINCIPAL_NETWORK_ORGANIZATION_NAME = 30;
+#
+#     // Principal Process File Path.
+#     PRINCIPAL_PROCESS_FILE_PATH = 31;
+#
+#     // Principal Process File SHA256 Hash.
+#     PRINCIPAL_PROCESS_FILE_HASH = 32;
+#
+#     // Security Result rule name.
+#     SECURITY_RESULT_RULE_NAME = 33;
+#
+#     // Target Resource label key.
+#     TARGET_RESOURCE_LABEL_KEY = 34;
+#
+#     // Vendor name.
+#     VENDOR_NAME = 35;
+#
+#     // Target Resource type.
+#     TARGET_RESOURCE_TYPE = 36;
+#
+#     // Target Location name.
+#     TARGET_LOCATION_NAME = 37;
+#
+#     // Log type.
+#     LOG_TYPE = 38;
+#
+#     // Target Hostname.
+#     TARGET_HOSTNAME = 39;
+#   }
+#
+#   // Timestamp of the first time the entity was seen in the environment.
+#   google.protobuf.Timestamp first_seen = 1;
+#
+#   // Time stamp of the last time last time the entity was seen in the
+#   // environment.
+#   google.protobuf.Timestamp last_seen = 2;
+#
+#   // Sum of all precomputed measures for the given metric.
+#   Measure sum_measure = 3;
+#
+#   // Total number of events used to calculate the given precomputed metric.
+#   int64 total_events = 4;
+#
+#   // Name of the analytic.
+#   MetricName metric_name = 5;
+#
+#   // All group by clauses used to calculate the metric.
+#   repeated Dimension dimensions = 6;
+#
+#   // Export window for which the metric was exported.
+#   int64 export_window = 7;
+#
+#   // Display name of the custom metric. Google-authored metrics do not have a
+#   // display name.
+#   string display_name = 8;
+#
+#   // List of outcome variables used in the custom metric.
+#   repeated FindingVariable outcome_variables = 9;
+#
+#   // List of match variables used in the custom metric.
+#   repeated FindingVariable match_variables = 10;
+#
+#   // Time range for which the custom metric was calculated.
+#   google.type.Interval time_range = 11;
+# }