# Copyright 2015 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. require 'date' require 'google/apis/core/base_service' require 'google/apis/core/json_representation' require 'google/apis/core/hashable' require 'google/apis/errors' module Google module Apis module AlertcenterV1beta1 # Alerts for user account warning events. class AccountWarning include Google::Apis::Core::Hashable # Required. Email of the user that this event belongs to. # Corresponds to the JSON property `email` # @return [String] attr_accessor :email # Details of the login action # Corresponds to the JSON property `loginDetails` # @return [Google::Apis::AlertcenterV1beta1::LoginDetails] attr_accessor :login_details def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @email = args[:email] if args.key?(:email) @login_details = args[:login_details] if args.key?(:login_details) end end # An alert affecting a customer. # All fields are read-only once created. class Alert include Google::Apis::Core::Hashable # Output only. The unique identifier for the alert. # Corresponds to the JSON property `alertId` # @return [String] attr_accessor :alert_id # Output only. The time this alert was created. Assigned by the server. # Corresponds to the JSON property `createTime` # @return [String] attr_accessor :create_time # Output only. The unique identifier of the Google account of the customer. # Corresponds to the JSON property `customerId` # @return [String] attr_accessor :customer_id # Optional. Specific data associated with this alert. # e.g. google.apps.alertcenter.type.DeviceCompromised. # Corresponds to the JSON property `data` # @return [Hash] attr_accessor :data # Optional. The time this alert was no longer active. If provided, the # end time must not be earlier than the start time. If not provided, the end # time will default to the start time. # Corresponds to the JSON property `endTime` # @return [String] attr_accessor :end_time # Output only. An optional Security Investigation Tool query for this # alert. # Corresponds to the JSON property `securityInvestigationToolLink` # @return [String] attr_accessor :security_investigation_tool_link # Required. A unique identifier for the system that is reported the alert. # Supported sources are any of the following: # * "Google Operations" # * "Mobile device management" # * "Gmail phishing" # * "Domain wide takeout" # * "Government attack warning" # * "Google identity" # Corresponds to the JSON property `source` # @return [String] attr_accessor :source # Required. The time this alert became active. # Corresponds to the JSON property `startTime` # @return [String] attr_accessor :start_time # Required. The type of the alert. # Supported types are any of the following: # * "Google Operations" # * "Device compromised" # * "Suspicious activity" # * "User reported phishing" # * "Misconfigured whitelist" # * "Customer takeout initiated" # * "Government attack warning" # * "User reported spam spike" # * "Suspicious message reported" # * "Phishing reclassification" # * "Malware reclassification" # LINT.IfChange # * "Suspicious login" # * "Suspicious login (less secure app)" # * "User suspended" # * "Leaked password" # * "User suspended (suspicious activity)" # * "User suspended (spam)" # * "User suspended (spam through relay)" # LINT.ThenChange(//depot/google3/apps/albert/data/albert_enums.proto) # Corresponds to the JSON property `type` # @return [String] attr_accessor :type def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @alert_id = args[:alert_id] if args.key?(:alert_id) @create_time = args[:create_time] if args.key?(:create_time) @customer_id = args[:customer_id] if args.key?(:customer_id) @data = args[:data] if args.key?(:data) @end_time = args[:end_time] if args.key?(:end_time) @security_investigation_tool_link = args[:security_investigation_tool_link] if args.key?(:security_investigation_tool_link) @source = args[:source] if args.key?(:source) @start_time = args[:start_time] if args.key?(:start_time) @type = args[:type] if args.key?(:type) end end # A customer feedback about an alert. class AlertFeedback include Google::Apis::Core::Hashable # Output only. The alert identifier. # Corresponds to the JSON property `alertId` # @return [String] attr_accessor :alert_id # Output only. The time this feedback was created. Assigned by the server. # Corresponds to the JSON property `createTime` # @return [String] attr_accessor :create_time # Output only. The unique identifier of the Google account of the customer. # Corresponds to the JSON property `customerId` # @return [String] attr_accessor :customer_id # Output only. The email of the user that provided the feedback. # Corresponds to the JSON property `email` # @return [String] attr_accessor :email # Output only. A unique identifier for the feedback. When creating a new # feedback the system will assign one. # Corresponds to the JSON property `feedbackId` # @return [String] attr_accessor :feedback_id # Required. The type of the feedback. # Corresponds to the JSON property `type` # @return [String] attr_accessor :type def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @alert_id = args[:alert_id] if args.key?(:alert_id) @create_time = args[:create_time] if args.key?(:create_time) @customer_id = args[:customer_id] if args.key?(:customer_id) @email = args[:email] if args.key?(:email) @feedback_id = args[:feedback_id] if args.key?(:feedback_id) @type = args[:type] if args.key?(:type) end end # Attachment with application-specific information about an alert. class Attachment include Google::Apis::Core::Hashable # Representation of a CSV file attachment, as a list of column headers and # a list of data rows. # Corresponds to the JSON property `csv` # @return [Google::Apis::AlertcenterV1beta1::Csv] attr_accessor :csv def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @csv = args[:csv] if args.key?(:csv) end end # Alert for setting the domain or ip that malicious email comes from as # whitelisted domain or ip in Gmail advanced settings. class BadWhitelist include Google::Apis::Core::Hashable # Domain id of Gmail phishing alerts. # Corresponds to the JSON property `domainId` # @return [Google::Apis::AlertcenterV1beta1::DomainId] attr_accessor :domain_id # Entity whose actions triggered a Gmail phishing alert. # Corresponds to the JSON property `maliciousEntity` # @return [Google::Apis::AlertcenterV1beta1::MaliciousEntity] attr_accessor :malicious_entity # Every alert could contain multiple messages. # Corresponds to the JSON property `messages` # @return [Array] attr_accessor :messages # The source ip address of the malicious email. e.g. "127.0.0.1". # Corresponds to the JSON property `sourceIp` # @return [String] attr_accessor :source_ip def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @domain_id = args[:domain_id] if args.key?(:domain_id) @malicious_entity = args[:malicious_entity] if args.key?(:malicious_entity) @messages = args[:messages] if args.key?(:messages) @source_ip = args[:source_ip] if args.key?(:source_ip) end end # Representation of a CSV file attachment, as a list of column headers and # a list of data rows. class Csv include Google::Apis::Core::Hashable # List of data rows in a CSV file, as string arrays rather than as a # single comma-separated string. # Corresponds to the JSON property `dataRows` # @return [Array] attr_accessor :data_rows # List of headers for data columns in a CSV file. # Corresponds to the JSON property `headers` # @return [Array] attr_accessor :headers def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @data_rows = args[:data_rows] if args.key?(:data_rows) @headers = args[:headers] if args.key?(:headers) end end # Representation of a single data row in a CSV file. class CsvRow include Google::Apis::Core::Hashable # Data entries in a CSV file row, as a string array rather than a single # comma-separated string. # Corresponds to the JSON property `entries` # @return [Array] attr_accessor :entries def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @entries = args[:entries] if args.key?(:entries) end end # A mobile device compromised alert. Derived from audit logs. class DeviceCompromised include Google::Apis::Core::Hashable # The email of the user this alert was created for. # Corresponds to the JSON property `email` # @return [String] attr_accessor :email # Required. List of security events. # Corresponds to the JSON property `events` # @return [Array] attr_accessor :events def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @email = args[:email] if args.key?(:email) @events = args[:events] if args.key?(:events) end end # Detailed information of a single MDM device compromised event. class DeviceCompromisedSecurityDetail include Google::Apis::Core::Hashable # Device compromised state includes: "Compromised" and "Not Compromised". # Corresponds to the JSON property `deviceCompromisedState` # @return [String] attr_accessor :device_compromised_state # Required. Device Info. # Corresponds to the JSON property `deviceId` # @return [String] attr_accessor :device_id # The model of the device. # Corresponds to the JSON property `deviceModel` # @return [String] attr_accessor :device_model # The type of the device. # Corresponds to the JSON property `deviceType` # @return [String] attr_accessor :device_type # Required for IOS, empty for others. # Corresponds to the JSON property `iosVendorId` # @return [String] attr_accessor :ios_vendor_id # The device resource id. # Corresponds to the JSON property `resourceId` # @return [String] attr_accessor :resource_id # The serial number of the device. # Corresponds to the JSON property `serialNumber` # @return [String] attr_accessor :serial_number def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @device_compromised_state = args[:device_compromised_state] if args.key?(:device_compromised_state) @device_id = args[:device_id] if args.key?(:device_id) @device_model = args[:device_model] if args.key?(:device_model) @device_type = args[:device_type] if args.key?(:device_type) @ios_vendor_id = args[:ios_vendor_id] if args.key?(:ios_vendor_id) @resource_id = args[:resource_id] if args.key?(:resource_id) @serial_number = args[:serial_number] if args.key?(:serial_number) end end # Domain id of Gmail phishing alerts. class DomainId include Google::Apis::Core::Hashable # The primary domain for the customer. # Corresponds to the JSON property `customerPrimaryDomain` # @return [String] attr_accessor :customer_primary_domain def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @customer_primary_domain = args[:customer_primary_domain] if args.key?(:customer_primary_domain) end end # A takeout operation for the entire domain was initiated by an admin. Derived # from audit logs. class DomainWideTakeoutInitiated include Google::Apis::Core::Hashable # Email of the admin who initiated the takeout. # Corresponds to the JSON property `email` # @return [String] attr_accessor :email # takeout request id. # Corresponds to the JSON property `takeoutRequestId` # @return [String] attr_accessor :takeout_request_id def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @email = args[:email] if args.key?(:email) @takeout_request_id = args[:takeout_request_id] if args.key?(:takeout_request_id) end end # A generic empty message that you can re-use to avoid defining duplicated # empty messages in your APIs. A typical example is to use it as the request # or the response type of an API method. For instance: # service Foo ` # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); # ` # The JSON representation for `Empty` is empty JSON object ````. class Empty include Google::Apis::Core::Hashable def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) end end # Details of a message in phishing spike alert. class GmailMessageInfo include Google::Apis::Core::Hashable # SHA256 Hash of email's attachment and all MIME parts. # Corresponds to the JSON property `attachmentsSha256Hash` # @return [Array] attr_accessor :attachments_sha256_hash # The date the malicious email was sent. # Corresponds to the JSON property `date` # @return [String] attr_accessor :date # Hash of message body text. # Corresponds to the JSON property `md5HashMessageBody` # @return [String] attr_accessor :md5_hash_message_body # MD5 Hash of email's subject. (Only available for reported emails). # Corresponds to the JSON property `md5HashSubject` # @return [String] attr_accessor :md5_hash_subject # Snippet of the message body text. (Only available for reported emails) # Corresponds to the JSON property `messageBodySnippet` # @return [String] attr_accessor :message_body_snippet # Message id. # Corresponds to the JSON property `messageId` # @return [String] attr_accessor :message_id # Recipient of this email. # Corresponds to the JSON property `recipient` # @return [String] attr_accessor :recipient # Email subject text. (Only available for reported emails). # Corresponds to the JSON property `subjectText` # @return [String] attr_accessor :subject_text def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @attachments_sha256_hash = args[:attachments_sha256_hash] if args.key?(:attachments_sha256_hash) @date = args[:date] if args.key?(:date) @md5_hash_message_body = args[:md5_hash_message_body] if args.key?(:md5_hash_message_body) @md5_hash_subject = args[:md5_hash_subject] if args.key?(:md5_hash_subject) @message_body_snippet = args[:message_body_snippet] if args.key?(:message_body_snippet) @message_id = args[:message_id] if args.key?(:message_id) @recipient = args[:recipient] if args.key?(:recipient) @subject_text = args[:subject_text] if args.key?(:subject_text) end end # An incident reported by Google Operations for a G Suite application. class GoogleOperations include Google::Apis::Core::Hashable # List of emails which correspond to the users directly affected by the # incident. # Corresponds to the JSON property `affectedUserEmails` # @return [Array] attr_accessor :affected_user_emails # Attachment with application-specific information about an alert. # Corresponds to the JSON property `attachmentData` # @return [Google::Apis::AlertcenterV1beta1::Attachment] attr_accessor :attachment_data # Detailed, freeform incident description. # Corresponds to the JSON property `description` # @return [String] attr_accessor :description # One-line incident description. # Corresponds to the JSON property `title` # @return [String] attr_accessor :title def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @affected_user_emails = args[:affected_user_emails] if args.key?(:affected_user_emails) @attachment_data = args[:attachment_data] if args.key?(:attachment_data) @description = args[:description] if args.key?(:description) @title = args[:title] if args.key?(:title) end end # Response message for an alert feedback listing request. class ListAlertFeedbackResponse include Google::Apis::Core::Hashable # The list of alert feedback. # Result is ordered descending by creation time. # Corresponds to the JSON property `feedback` # @return [Array] attr_accessor :feedback def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @feedback = args[:feedback] if args.key?(:feedback) end end # Response message for an alert listing request. class ListAlertsResponse include Google::Apis::Core::Hashable # The list of alerts. # Corresponds to the JSON property `alerts` # @return [Array] attr_accessor :alerts # If not empty, indicates that there may be more alerts that match the # request; this value can be passed in a new ListAlertsRequest to get the # next page of values. # Corresponds to the JSON property `nextPageToken` # @return [String] attr_accessor :next_page_token def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @alerts = args[:alerts] if args.key?(:alerts) @next_page_token = args[:next_page_token] if args.key?(:next_page_token) end end # Details of the login action class LoginDetails include Google::Apis::Core::Hashable # Required. Human readable IP address (e.g., 11.22.33.44) that is # associated with the warning event. # Corresponds to the JSON property `ipAddress` # @return [String] attr_accessor :ip_address # Required. Login time that is associated with the warning event. # Corresponds to the JSON property `loginTime` # @return [String] attr_accessor :login_time def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @ip_address = args[:ip_address] if args.key?(:ip_address) @login_time = args[:login_time] if args.key?(:login_time) end end # Proto for all phishing alerts with common payload. # Supported types are any of the following: # User reported phishing # User reported spam spike # Suspicious message reported # Phishing reclassification # Malware reclassification class MailPhishing include Google::Apis::Core::Hashable # Domain id of Gmail phishing alerts. # Corresponds to the JSON property `domainId` # @return [Google::Apis::AlertcenterV1beta1::DomainId] attr_accessor :domain_id # If true, the email is originated from within the organization. # Corresponds to the JSON property `isInternal` # @return [Boolean] attr_accessor :is_internal alias_method :is_internal?, :is_internal # Entity whose actions triggered a Gmail phishing alert. # Corresponds to the JSON property `maliciousEntity` # @return [Google::Apis::AlertcenterV1beta1::MaliciousEntity] attr_accessor :malicious_entity # Every alert could contain multiple messages. # Corresponds to the JSON property `messages` # @return [Array] attr_accessor :messages def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @domain_id = args[:domain_id] if args.key?(:domain_id) @is_internal = args[:is_internal] if args.key?(:is_internal) @malicious_entity = args[:malicious_entity] if args.key?(:malicious_entity) @messages = args[:messages] if args.key?(:messages) end end # Entity whose actions triggered a Gmail phishing alert. class MaliciousEntity include Google::Apis::Core::Hashable # Sender email address. # Corresponds to the JSON property `fromHeader` # @return [String] attr_accessor :from_header def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @from_header = args[:from_header] if args.key?(:from_header) end end # Alert for a spike in user reported phishing. # This will be deprecated in favor of MailPhishing. class PhishingSpike include Google::Apis::Core::Hashable # Domain id of Gmail phishing alerts. # Corresponds to the JSON property `domainId` # @return [Google::Apis::AlertcenterV1beta1::DomainId] attr_accessor :domain_id # If true, the email is originated from within the organization. # Corresponds to the JSON property `isInternal` # @return [Boolean] attr_accessor :is_internal alias_method :is_internal?, :is_internal # Entity whose actions triggered a Gmail phishing alert. # Corresponds to the JSON property `maliciousEntity` # @return [Google::Apis::AlertcenterV1beta1::MaliciousEntity] attr_accessor :malicious_entity # Every alert could contain multiple messages. # Corresponds to the JSON property `messages` # @return [Array] attr_accessor :messages def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @domain_id = args[:domain_id] if args.key?(:domain_id) @is_internal = args[:is_internal] if args.key?(:is_internal) @malicious_entity = args[:malicious_entity] if args.key?(:malicious_entity) @messages = args[:messages] if args.key?(:messages) end end # A state sponsored attack alert. Derived from audit logs. class StateSponsoredAttack include Google::Apis::Core::Hashable # The email of the user this incident was created for. # Corresponds to the JSON property `email` # @return [String] attr_accessor :email def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @email = args[:email] if args.key?(:email) end end # A mobile suspicious activity alert. Derived from audit logs. class SuspiciousActivity include Google::Apis::Core::Hashable # The email of the user this alert was created for. # Corresponds to the JSON property `email` # @return [String] attr_accessor :email # Required. List of security events. # Corresponds to the JSON property `events` # @return [Array] attr_accessor :events def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @email = args[:email] if args.key?(:email) @events = args[:events] if args.key?(:events) end end # Detailed information of a single MDM suspicious activity event. class SuspiciousActivitySecurityDetail include Google::Apis::Core::Hashable # Required. Device Info. # Corresponds to the JSON property `deviceId` # @return [String] attr_accessor :device_id # The model of the device. # Corresponds to the JSON property `deviceModel` # @return [String] attr_accessor :device_model # Device property which is changed. # Corresponds to the JSON property `deviceProperty` # @return [String] attr_accessor :device_property # The type of the device. # Corresponds to the JSON property `deviceType` # @return [String] attr_accessor :device_type # Required for IOS, empty for others. # Corresponds to the JSON property `iosVendorId` # @return [String] attr_accessor :ios_vendor_id # New value of the device property after change. # Corresponds to the JSON property `newValue` # @return [String] attr_accessor :new_value # Old value of the device property before change. # Corresponds to the JSON property `oldValue` # @return [String] attr_accessor :old_value # The device resource id. # Corresponds to the JSON property `resourceId` # @return [String] attr_accessor :resource_id # The serial number of the device. # Corresponds to the JSON property `serialNumber` # @return [String] attr_accessor :serial_number def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @device_id = args[:device_id] if args.key?(:device_id) @device_model = args[:device_model] if args.key?(:device_model) @device_property = args[:device_property] if args.key?(:device_property) @device_type = args[:device_type] if args.key?(:device_type) @ios_vendor_id = args[:ios_vendor_id] if args.key?(:ios_vendor_id) @new_value = args[:new_value] if args.key?(:new_value) @old_value = args[:old_value] if args.key?(:old_value) @resource_id = args[:resource_id] if args.key?(:resource_id) @serial_number = args[:serial_number] if args.key?(:serial_number) end end end end end