google-backstory 0.a → 0.1.0

data/lib/backstory/entity_risk_pb.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: backstory/entity_risk.proto
+
+require 'google/protobuf'
+
+require 'google/protobuf/duration_pb'
+require 'google/protobuf/timestamp_pb'
+require 'google/type/interval_pb'
+
+
+descriptor_data = "\n\x1b\x62\x61\x63kstory/entity_risk.proto\x12\x10google.backstory\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1agoogle/type/interval.proto\"\xfe\x04\n\nEntityRisk\x12\x14\n\x0crisk_version\x18\x01 \x01(\t\x12*\n\x0brisk_window\x18\x02 \x01(\x0b\x32\x15.google.type.Interval\x12\x36\n\x15\x44\x45PRECATED_risk_score\x18\x03 \x01(\x05\x42\x02\x18\x01R\x13\x44\x45PRECATEDRiskScore\x12\x34\n\nrisk_delta\x18\x04 \x01(\x0b\x32\x1b.google.backstory.RiskDeltaH\x00\x88\x01\x01\x12\x18\n\x10\x64\x65tections_count\x18\x05 \x01(\x05\x12\x38\n\x14\x66irst_detection_time\x18\x06 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x37\n\x13last_detection_time\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x12\n\nrisk_score\x18\x08 \x01(\x02\x12\x1d\n\x15normalized_risk_score\x18\t \x01(\x05\x12\x33\n\x10risk_window_size\x18\n \x01(\x0b\x32\x19.google.protobuf.Duration\x12\x38\n\x0eraw_risk_delta\x18\x0b \x01(\x0b\x32\x1b.google.backstory.RiskDeltaH\x01\x88\x01\x01\x12\x33\n\x0flast_reset_time\x18\x0c \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x12\n\ndetail_uri\x18\r \x01(\t\x12&\n\x1erisk_window_has_new_detections\x18\x0e \x01(\x08\x42\r\n\x0b_risk_deltaB\x11\n\x0f_raw_risk_delta\"\xa1\x01\n\tRiskDelta\x12;\n\x17previous_range_end_time\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12\x18\n\x10risk_score_delta\x18\x02 \x01(\x05\x12\x1b\n\x13previous_risk_score\x18\x03 \x01(\x05\x12 \n\x18risk_score_numeric_delta\x18\x04 \x01(\x05\x42\x9e\x01\n\x14\x63om.google.backstoryB\x0f\x45ntityRiskProtoP\x01Z9google.golang.org/genproto/googleapis/backstory;backstory\xaa\x02\x10Google.Backstory\xca\x02\x10Google\\Backstory\xea\x02\x11Google::Backstoryb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["google.type.Interval", "google/type/interval.proto"],
+    ["google.protobuf.Timestamp", "google/protobuf/timestamp.proto"],
+    ["google.protobuf.Duration", "google/protobuf/duration.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
+    end
+  end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
+end
+
+module Google
+  module Backstory
+    EntityRisk = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.EntityRisk").msgclass
+    RiskDelta = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.RiskDelta").msgclass
+  end
+end
+
+#### Source proto file: backstory/entity_risk.proto ####
+#
+# // Copyright 2026 Google LLC
+# //
+# // Licensed under the Apache License, Version 2.0 (the "License");
+# // you may not use this file except in compliance with the License.
+# // You may obtain a copy of the License at
+# //
+# //     http://www.apache.org/licenses/LICENSE-2.0
+# //
+# // Unless required by applicable law or agreed to in writing, software
+# // distributed under the License is distributed on an "AS IS" BASIS,
+# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# // See the License for the specific language governing permissions and
+# // limitations under the License.
+#
+# syntax = "proto3";
+#
+# package google.backstory;
+#
+# import "google/protobuf/duration.proto";
+# import "google/protobuf/timestamp.proto";
+# import "google/type/interval.proto";
+#
+# option csharp_namespace = "Google.Backstory";
+# option go_package = "google.golang.org/genproto/googleapis/backstory;backstory";
+# option java_multiple_files = true;
+# option java_outer_classname = "EntityRiskProto";
+# option java_package = "com.google.backstory";
+# option php_namespace = "Google\\Backstory";
+# option ruby_package = "Google::Backstory";
+#
+# // This is branched of the original entity.proto in
+# // googlex/security/malachite/proto/external/entity.proto.
+# // This is to avoid the circular dependency between udm.proto and
+# // entity.proto.
+#
+# // Stores information related to the risk score of an entity.
+# message EntityRisk {
+#   // Version of the risk score calculation algorithm.
+#   string risk_version = 1;
+#
+#   // Time window used when computing the risk score for an entity, for
+#   // example 24 hours or 7 days.
+#   google.type.Interval risk_window = 2;
+#
+#   // Deprecated risk score.
+#   int32 DEPRECATED_risk_score = 3
+#       [deprecated = true, json_name = "DEPRECATEDRiskScore"];
+#
+#   // Represents the change in risk score for an entity between the end of the
+#   // previous time window and the end of the current time window.
+#   optional RiskDelta risk_delta = 4;
+#
+#   // Number of detections that make up the risk score within the time window.
+#   int32 detections_count = 5;
+#
+#   // Timestamp of the first detection within the specified time window.
+#   // This field is empty when there are no detections.
+#   google.protobuf.Timestamp first_detection_time = 6;
+#
+#   // Timestamp of the last detection within the specified time window.
+#   // This field is empty when there are no detections.
+#   google.protobuf.Timestamp last_detection_time = 7;
+#
+#   // Raw risk score for the entity.
+#   float risk_score = 8;
+#
+#   // Normalized risk score for the entity. This value is between 0-1000.
+#   int32 normalized_risk_score = 9;
+#
+#   // Risk window duration for the entity.
+#   google.protobuf.Duration risk_window_size = 10;
+#
+#   // Represents the change in raw risk score for an entity between the end of
+#   // the previous time window and the end of the current time window.
+#   optional RiskDelta raw_risk_delta = 11;
+#
+#   // Timestamp for UEBA risk score reset based deduplication. Used specifically
+#   // for risk based meta rules.
+#   google.protobuf.Timestamp last_reset_time = 12;
+#
+#   // Link to the Google Security Operations UI with information about the entity
+#   // risk score.
+#   // If the SecOps instance has multiple frontend paths configured, this will be
+#   // a relative path that can be used to construct the full URL.
+#   string detail_uri = 13;
+#
+#   // Whether there are new detections for the risk window.
+#   bool risk_window_has_new_detections = 14;
+# }
+#
+# // Describes the difference in risk score between two points in time.
+# message RiskDelta {
+#   // End time of the previous time window.
+#   google.protobuf.Timestamp previous_range_end_time = 1;
+#
+#   // Difference in the normalized risk score from the previous recorded value.
+#   int32 risk_score_delta = 2;
+#
+#   // Risk score from previous risk window
+#   int32 previous_risk_score = 3;
+#
+#   // Numeric change between current and previous risk score
+#   int32 risk_score_numeric_delta = 4;
+# }

data/lib/backstory/id_pb.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: backstory/id.proto
+
+require 'google/protobuf'
+
+
+descriptor_data = "\n\x12\x62\x61\x63kstory/id.proto\x12\x10google.backstory\"\x9e\x02\n\x02Id\x12\x31\n\tnamespace\x18\x01 \x01(\x0e\x32\x1e.google.backstory.Id.Namespace\x12\n\n\x02id\x18\x02 \x01(\x0c\x12\x11\n\tstring_id\x18\x03 \x01(\t\"\xc5\x01\n\tNamespace\x12\x18\n\x14NORMALIZED_TELEMETRY\x10\x00\x12\x11\n\rRAW_TELEMETRY\x10\x01\x12\x13\n\x0fRULE_DETECTIONS\x10\x02\x12\r\n\tUPPERCASE\x10\x03\x12\x18\n\x14MACHINE_INTELLIGENCE\x10\x04\x12\x1b\n\x17SECURITY_COMMAND_CENTER\x10\x05\x12\x0f\n\x0bUNSPECIFIED\x10\x06\x12\x0e\n\nSOAR_ALERT\x10\x07\x12\x0f\n\x0bVIRUS_TOTAL\x10\x08\x42\x8d\x01\n\x14\x63om.google.backstoryP\x01Z9google.golang.org/genproto/googleapis/backstory;backstory\xaa\x02\x10Google.Backstory\xca\x02\x10Google\\Backstory\xea\x02\x11Google::Backstoryb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
+    end
+  end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
+end
+
+module Google
+  module Backstory
+    Id = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Id").msgclass
+    Id::Namespace = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.backstory.Id.Namespace").enummodule
+  end
+end
+
+#### Source proto file: backstory/id.proto ####
+#
+# // Copyright 2026 Google LLC
+# //
+# // Licensed under the Apache License, Version 2.0 (the "License");
+# // you may not use this file except in compliance with the License.
+# // You may obtain a copy of the License at
+# //
+# //     http://www.apache.org/licenses/LICENSE-2.0
+# //
+# // Unless required by applicable law or agreed to in writing, software
+# // distributed under the License is distributed on an "AS IS" BASIS,
+# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# // See the License for the specific language governing permissions and
+# // limitations under the License.
+#
+# syntax = "proto3";
+#
+# package google.backstory;
+#
+# option csharp_namespace = "Google.Backstory";
+# option go_package = "google.golang.org/genproto/googleapis/backstory;backstory";
+# option java_multiple_files = true;
+# option java_package = "com.google.backstory";
+# option php_namespace = "Google\\Backstory";
+# option ruby_package = "Google::Backstory";
+#
+# // Identifier to identify a UDM object like a UDM event, Entity, Collection.
+# // The full identifier for persistence is created by setting the 32 most
+# // significant bits as the Id.Namespace enum This is a convenience wrapper to
+# // define the id space enum values and provide an easy interface for RPCs, most
+# // persistence use cases should use a denormalized form.
+# message Id {
+#   // Extracted Namespace Component
+#   enum Namespace {
+#     // Ingested and Normalized telemetry events
+#     NORMALIZED_TELEMETRY = 0;
+#
+#     // Ingested Raw telemetry
+#     RAW_TELEMETRY = 1;
+#
+#     // Chronicle Rules engine
+#     RULE_DETECTIONS = 2;
+#
+#     // Uppercase
+#     UPPERCASE = 3;
+#
+#     // DSML - Machine Intelligence
+#     MACHINE_INTELLIGENCE = 4;
+#
+#     // A normalized telemetry event from Google Security Command Center.
+#     SECURITY_COMMAND_CENTER = 5;
+#
+#     // Unspecified Namespace
+#     UNSPECIFIED = 6;
+#
+#     // An alert coming from other SIEMs via Chronicle SOAR.
+#     SOAR_ALERT = 7;
+#
+#     // VirusTotal.
+#     VIRUS_TOTAL = 8;
+#   }
+#
+#   // Namespace the id belongs to.
+#   Namespace namespace = 1;
+#
+#   // Full raw ID.
+#   bytes id = 2;
+#
+#   // Some ids are stored as strings that are not able to be translated to bytes,
+#   // so store these separately.
+#   // Ex. detection id of the form de_aaaaaaaa-aaaa...
+#   string string_id = 3;
+# }