收集 Google Cloud 滥用事件日志

支持的语言:

本文档介绍了如何通过启用向 Google SecOps 遥测数据提取来收集 Google Cloud 滥用事件日志,以及 Google Cloud 滥用事件日志的日志字段如何映射到 Google SecOps 统一数据模型 (UDM) 字段。 Google Cloud

如需了解详情,请参阅将数据注入 Google Security Operations

部署包含以下组件:

  • Google Cloud:您从中收集日志的 Google Cloud 服务和产品。

  • Google Cloud 滥用事件日志:已启用以注入到 Google SecOps 的 Google Cloud 滥用事件日志。

  • Google SecOps:Google SecOps 会保留并分析 Google Cloud 滥用事件的日志。

注入标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 GCP_ABUSE_EVENTS 注入标签的解析器。

准备工作

确保部署架构中的所有系统都配置为世界协调时间 (UTC) 时区。

配置 Google Cloud 以注入 Google Cloud 滥用事件日志

如需将 Google Cloud 滥用事件日志注入到 Google SecOps,请按照将 Google Cloud 日志注入到 Google SecOps 中的步骤操作。

典型部署包括启用 Google Cloud 滥用事件日志以供 Google SecOps 提取。每个客户部署都可能与此表示法不同,并且可能更复杂。

如果您在注入 Google Cloud 滥用事件日志时遇到问题,请与 Google SecOps 支持团队联系。

支持的 Google Cloud 滥用事件日志格式和示例

Google Cloud 滥用事件解析器支持 JSON 格式的日志。下面给出了一个示例:

    {
        "insertId": "dummy-insert-id",
        "jsonPayload": {
            "action": "NOTIFY",
            "@type": "type.googleapis.com/google.cloud.abuseevent.logging.v1.AbuseEvent",
            "cryptoMiningEvent": {
                "detectedMiningEndTime": "2048-03-18T07: 10: 00Z",
                "detectedMiningStartTime": "2016-07-10T05: 24: 00Z",
                "vmIp": [
                    "dummy.ip.address.1",
                    "dummy.ip.address.2",
                    "dummy.ip.address.3"
                ],
                "vmResource": [
                    "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
                ]
            },
            "detectionType": "CRYPTO_MINING",
            "reason": "The monitored resource is mining cryptocurrencies",
            "remediationLink": "https://dummy-remediation-link"
        },
        "resource": {
            "type": "abuseevent.googleapis.com/Location",
            "labels": {
                "location": "global",
                "resource_container": "projects/dummy-resource-container-id"
            }
        },
        "timestamp": "2025-07-10T17:31:53.966189618Z",
        "severity": "NOTICE",
        "labels": {
            "abuseevent.googleapis.com/vm_resource": "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
        },
        "logName": "projects/dummy-project-id/logs/abuseevent.googleapis.com%2Fabuse_events",
        "receiveTimestamp": "2025-07-10T17:31:54.754890208Z"
    }

字段映射参考

字段映射参考信息:GCP_ABUSE_EVENTS

下表列出了日志字段及其对应的 UDM 字段。

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED.
metadata.vendor_name The metadata.vendor_name UDM field is set to Google Cloud Platform.
metadata.product_name The metadata.product_name UDM field is set to GCP Abuse Events.
insertId metadata.product_log_id
resource.type target.resource.resource_subtype
resource.labels.location target.location.name
timestamp metadata.event_timestamp
security_result.severity If the severity log field value is equal to CRITICAL then, the security_result.severity UDM field is set to CRITICAL.
Else, if severity log field value is equal to ERROR then, the security_result.severity UDM field is set to ERROR.
Else, if severity log field value contain one of the following values
  • ALERT
  • EMERGENCY
then, the security_result.severity UDM field is set to HIGH.
Else, if severity log field value contain one of the following values
  • INFO
  • NOTICE
then, the security_result.severity UDM field is set to INFORMATIONAL.
Else, if severity log field value is equal to DEBUG then, the security_result.severity UDM field is set to LOW.
Else, if severity log field value is equal to WARNING then, the security_result.severity UDM field is set to MEDIUM.
Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
severity security_result.severity_details
logName metadata.url_back_to_product
receiveTimestamp metadata.collected_timestamp
jsonPayload.detectionType security_result.category_details
security_result.category If the security_result.category_mapping log field value is equal to DETECTION_TYPE_UNSPECIFIED then, the security_result.category UDM field is set to UNKNOWN_CATEGORY.
Else, if security_result.category_mapping log field value is equal to CRYPTO_MINING then, the security_result.category UDM field is set to EXPLOIT.
Else, if security_result.category_mapping log field value is equal to LEAKED_CREDENTIALS then, the security_result.category UDM field is set to PHISHING.
Else, if security_result.category_mapping log field value is equal to PHISHING then, the security_result.category UDM field is set to PHISHING.
Else, if security_result.category_mapping log field value is equal to MALWARE then, the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
Else, if security_result.category_mapping log field value is equal to NO_ABUSE then, the security_result.category UDM field is set to POLICY_VIOLATION.
jsonPayload.reason security_result.description
security_result.action If the jsonPayload.action log field value is equal to ACTION_TYPE_UNSPECIFIED then, the security_result.action UDM field is set to UNKNOWN_ACTION.
Else, if the jsonPayload.action log field value is equal to NOTIFY then, the security_result.action UDM field is set to ALLOW.
Else, if the jsonPayload.action log field value is equal to PROJECT_SUSPENSION then, the security_result.action UDM field is set to BLOCK.
Else, if the jsonPayload.action log field value is equal to REINSTATE then, the security_result.action UDM field is set to ALLOW.
Else, if the jsonPayload.action log field value is equal to WARN then, the security_result.action UDM field is set to ALLOW.
Else, if the jsonPayload.action log field value is equal to RESOURCE_SUSPENSION then, the security_result.action UDM field is set to BLOCK.
labels.abuseevent.googleapis.com/vm_resource principal.resource.name
principal.resource.resource_type If the event_type.crypto_mining_event.vm_resource log field value is not empty then, the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
jsonPayload.cryptoMiningEvent.detectedMiningStartTime security_result.detection_fields[detected_mining_start_time]
jsonPayload.cryptoMiningEvent.detectedMiningEndTime security_result.detection_fields[detected_mining_end_time]
jsonPayload.cryptoMiningEvent.vmIp principal.ip
jsonPayload.leaked_credential_event.credential_type.service_account_credential.service_account.service_account principal.user.userid
jsonPayload.leaked_credential_event.credential_type.service_account_credential.service_account.key_id principal.user.attribute.labels[service_account_key_id]
jsonPayload.leakedCredentialEvent.apiKeyCredential.apiKey principal.user.attribute.labels[api_key_credential_api_key]
jsonPayload.leakedCredentialEvent.detectedUri security_result.about.url
jsonPayload.harmfulContentEvent.uri security_result.detection_fields[harmful_content_event_uri]
jsonPayload.remediationLink security_result.detection_fields[remediation_link]
jsonPayload.@type security_result.detection_fields[jsonPayload_type]
resource.labels.resource_container principal.resource.attribute.labels[resource_container]

后续步骤

需要更多帮助?从社区成员和 Google SecOps 专业人士那里获得解答。