Protokolle zu Google Cloud-Missbrauchserkennung erfassen
In diesem Dokument wird beschrieben, wie Sie Protokolle für Google Cloud-Missbrauchsereignisse erfassen können, indem Sie die Telemetrieaufnahme in Google SecOps aktivieren. Außerdem wird beschrieben, wie Protokollfelder von Google Cloud-Missbrauchsereignisprotokollen UDM-Feldern (Unified Data Model) von Google SecOps zugeordnet werden. Google Cloud
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Die Bereitstellung enthält die folgenden Komponenten:
Google Cloud: Die Google Cloud Dienste und Produkte, aus denen Sie Logs erfassen.
Google Cloud Abuse Events-Logs: Die Google Cloud Abuse Events-Logs, die für die Aufnahme in Google SecOps aktiviert sind.
Google SecOps: In Google SecOps werden die Logs von Google Cloud-Missbrauchsereignissen aufbewahrt und analysiert.
Ein Erfassungslabel identifiziert den Parser, der Logrohdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Aufnahme-Label GCP_ABUSE_EVENTS.
Hinweise
Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.
Google Cloud konfigurieren, um Google Cloud-Protokolle für Missbrauchsereignisse aufzunehmen
Wenn Sie Google Cloud-Missbrauchsereignisprotokolle in Google SecOps aufnehmen möchten, folgen Sie der Anleitung unter Protokolle in Google SecOps aufnehmen. Google Cloud
Eine typische Bereitstellung besteht aus Google Cloud Abuse Events-Logs, die für die Aufnahme in Google SecOps aktiviert sind. Die Bereitstellung bei jedem Kunden kann von dieser Darstellung abweichen und komplexer sein.
Wenn beim Erfassen von Google Cloud Abuse Events-Logs Probleme auftreten, wenden Sie sich an den Google SecOps-Support.
Unterstütztes Google Cloud-Protokollformat für Missbrauchsereignisse und Beispiel
Der Parser für Google Cloud-Missbrauchsereignisse unterstützt Logs im JSON-Format. Hier ein Beispiel:
{
"insertId": "dummy-insert-id",
"jsonPayload": {
"action": "NOTIFY",
"@type": "type.googleapis.com/google.cloud.abuseevent.logging.v1.AbuseEvent",
"cryptoMiningEvent": {
"detectedMiningEndTime": "2048-03-18T07: 10: 00Z",
"detectedMiningStartTime": "2016-07-10T05: 24: 00Z",
"vmIp": [
"dummy.ip.address.1",
"dummy.ip.address.2",
"dummy.ip.address.3"
],
"vmResource": [
"projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
]
},
"detectionType": "CRYPTO_MINING",
"reason": "The monitored resource is mining cryptocurrencies",
"remediationLink": "https://dummy-remediation-link"
},
"resource": {
"type": "abuseevent.googleapis.com/Location",
"labels": {
"location": "global",
"resource_container": "projects/dummy-resource-container-id"
}
},
"timestamp": "2025-07-10T17:31:53.966189618Z",
"severity": "NOTICE",
"labels": {
"abuseevent.googleapis.com/vm_resource": "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
},
"logName": "projects/dummy-project-id/logs/abuseevent.googleapis.com%2Fabuse_events",
"receiveTimestamp": "2025-07-10T17:31:54.754890208Z"
}
Referenz zur Feldzuordnung
Referenz zur Feldzuordnung: GCP_ABUSE_EVENTS
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Felder aufgeführt.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Abuse Events. |
insertId |
metadata.product_log_id |
|
resource.type |
target.resource.resource_subtype |
|
resource.labels.location |
target.location.name |
|
timestamp |
metadata.event_timestamp |
|
|
security_result.severity |
If the severity log field value is equal to CRITICAL then, the security_result.severity UDM field is set to CRITICAL. Else, if severity log field value is equal to ERROR then, the security_result.severity UDM field is set to ERROR. Else, if severity log field value contain one of the following values
security_result.severity UDM field is set to HIGH. Else, if severity log field value contain one of the following values
security_result.severity UDM field is set to INFORMATIONAL. Else, if severity log field value is equal to DEBUG then, the security_result.severity UDM field is set to LOW. Else, if severity log field value is equal to WARNING then, the security_result.severity UDM field is set to MEDIUM. Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY. |
severity |
security_result.severity_details |
|
logName |
metadata.url_back_to_product |
|
receiveTimestamp |
metadata.collected_timestamp |
|
jsonPayload.detectionType |
security_result.category_details |
|
|
security_result.category |
If the security_result.category_mapping log field value is equal to DETECTION_TYPE_UNSPECIFIED then, the security_result.category UDM field is set to UNKNOWN_CATEGORY. Else, if security_result.category_mapping log field value is equal to CRYPTO_MINING then, the security_result.category UDM field is set to EXPLOIT. Else, if security_result.category_mapping log field value is equal to LEAKED_CREDENTIALS then, the security_result.category UDM field is set to PHISHING. Else, if security_result.category_mapping log field value is equal to PHISHING then, the security_result.category UDM field is set to PHISHING. Else, if security_result.category_mapping log field value is equal to MALWARE then, the security_result.category UDM field is set to SOFTWARE_MALICIOUS. Else, if security_result.category_mapping log field value is equal to NO_ABUSE then, the security_result.category UDM field is set to POLICY_VIOLATION. |
jsonPayload.reason |
security_result.description |
|
|
security_result.action |
If the jsonPayload.action log field value is equal to ACTION_TYPE_UNSPECIFIED then, the security_result.action UDM field is set to UNKNOWN_ACTION. Else, if the jsonPayload.action log field value is equal to NOTIFY then, the security_result.action UDM field is set to ALLOW. Else, if the jsonPayload.action log field value is equal to PROJECT_SUSPENSION then, the security_result.action UDM field is set to BLOCK. Else, if the jsonPayload.action log field value is equal to REINSTATE then, the security_result.action UDM field is set to ALLOW. Else, if the jsonPayload.action log field value is equal to WARN then, the security_result.action UDM field is set to ALLOW. Else, if the jsonPayload.action log field value is equal to RESOURCE_SUSPENSION then, the security_result.action UDM field is set to BLOCK. |
labels.abuseevent.googleapis.com/vm_resource |
principal.resource.name |
|
|
principal.resource.resource_type |
If the event_type.crypto_mining_event.vm_resource log field value is not empty then, the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
jsonPayload.cryptoMiningEvent.detectedMiningStartTime |
security_result.detection_fields[detected_mining_start_time] |
|
jsonPayload.cryptoMiningEvent.detectedMiningEndTime |
security_result.detection_fields[detected_mining_end_time] |
|
jsonPayload.cryptoMiningEvent.vmIp |
principal.ip |
|
jsonPayload.leaked_credential_event.credential_type.service_account_credential.service_account.service_account |
principal.user.userid |
|
jsonPayload.leaked_credential_event.credential_type.service_account_credential.service_account.key_id |
principal.user.attribute.labels[service_account_key_id] |
|
jsonPayload.leakedCredentialEvent.apiKeyCredential.apiKey |
principal.user.attribute.labels[api_key_credential_api_key] |
|
jsonPayload.leakedCredentialEvent.detectedUri |
security_result.about.url |
|
jsonPayload.harmfulContentEvent.uri |
security_result.detection_fields[harmful_content_event_uri] |
|
jsonPayload.remediationLink |
security_result.detection_fields[remediation_link] |
|
jsonPayload.@type |
security_result.detection_fields[jsonPayload_type] |
|
resource.labels.resource_container |
principal.resource.attribute.labels[resource_container] |
Nächste Schritte
Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten