Introducing Google Cloud Abuse Event Logging to enable automated incident remediation
Alex Dininger
Program Manager, Google Cloud CISO
Akshara Sundararajan
Software Engineer, Google Cloud
At Google Cloud, we are deeply committed to partnering with our customers to help achieve stronger security outcomes.
As a part of this commitment, we're excited to announce that Google Cloud customers can now track Cloud Abuse Events using Cloud Logging. These events can include leaked service account keys, crypto mining incidents, and malware.
When we identify one of these abuse issues that’s affecting your cloud resources, you'll now receive two detailed notifications: one in a structured log format, and an email notification.
Cloud Abuse Event Logging is focused on providing a more efficient and effective method for customers to receive important abuse and security notifications. Previously, notifications were sent to customers only by email, which at times created challenges around consistency, automation, and continuity.
In response to customer feedback, we developed Cloud Abuse Event Logging to supplement email notifications. Because these notifications are delivered as structured logs, customers can consume them programmatically and build consistent automated processes to resolve abuse and security issues more efficiently and effectively. Here are a few benefits:
- Direct access in Cloud Logging: These notifications are readily available as logs in Cloud Logging, making them easier to find and manage.
- Enhanced automation: The structured log format allows you to integrate these notifications into your existing security monitoring and incident response systems, which can help reduce the time it takes to address potential threats.
- Historical trend analysis: Gain insights into past abuse events to identify patterns and proactively strengthen your security measures.
Dashboard built on top of Cloud Abuse Event logs using Cloud Logging.
A Cloud Abuse Event log in Logs Explorer for CRYPTO_MINING.
This new logging system reinforces our commitment to our customers, aligns with our shared fate model, and makes Google Cloud more secure. Cloud Abuse Events are provided on a best-effort basis to assist you in identifying potential abuse and we encourage you to combine these notifications with your own security practices for comprehensive protection.
Monitoring and dashboarding
This new integration of Cloud Abuse Events with Cloud Logging helps you strengthen your security with automated and timely notifications. You can use Cloud Monitoring to observe trends in your logs and notify you when specific conditions are met, such as receiving important types of abuse events. For example, based on the logs provided via Cloud Abuse Events, you can configure an alerting policy to notify you whenever we’ve become aware that your service account key has been leaked to the public.
You can also set up custom dashboards for your logs to get insights into the overall health and security of your environment. Cloud Abuse Events in Cloud Logging gives you many flexible options to effectively manage your security and monitoring. For example, if you’d like to aggregate the logs from each project in one place, an aggregate sink at the organization level may be useful. Additionally, you can use Log Analytics to run queries that analyze your log data, which allows you to easily chart and query results and can help uncover patterns and trends in your logs.
Automate response to abuse events
There are several ways to detect and respond to Cloud Logging events in real time. For example, if you would like to configure automated deprovisioning of a VM after crypto mining has been detected on the instance, you can follow these steps:
- Create a Logging sink to direct crypto mining related Abuse Events to your business logic. You can use the following filter to isolate these logs (conditions on separate lines are combined with AND):
  resource.type="abuseevent.googleapis.com/Location"
  jsonPayload.detectionType="CRYPTO_MINING"
- Create a Pub/Sub topic. The Logging sink will route the filtered Abuse Events to this topic, and each published message asynchronously triggers your Cloud Function with the Abuse Event as its payload.
- Set up a Cloud Function that uses either compute.instances.stop or compute.instances.suspend to shut down or temporarily suspend the VM. You can populate the parameters required for the HTTP request (project, zone, and instance name) using the data from the AbuseEvent jsonPayload. Alternatively, you can drive the shutdown of the VM instance from Cloud Scheduler rather than from a Pub/Sub-triggered function.
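The following is an added example of the Cloud Function from the third step; it is not code from the original post or from Google. It decodes the LogEntry that the sink publishes to Pub/Sub, re-applies the sink filter from the first step so a mis-scoped sink cannot cause it to stop unrelated VMs, extracts the affected instances from the payload, and builds the REST calls for compute.instances.stop or compute.instances.suspend. Only resource.type and jsonPayload.detectionType are taken from the post; the field names cryptoMiningEvent and vmResource, the resource-name format, and the sample log entry are assumptions constructed for the example and should be checked against the payload reference before deploying.

```python
"""Pub/Sub-triggered remediation for CRYPTO_MINING Cloud Abuse Events.

Added example, not Google's code. Only resource.type and
jsonPayload.detectionType come from the post; cryptoMiningEvent / vmResource
are assumed field names, to be verified against the payload reference.
"""
import base64
import json
import re
from typing import Callable, Dict, List, Tuple

# The sink filter from the post. The sink already applies it, but the
# function re-checks so a mis-scoped sink cannot stop VMs for unrelated entries.
ABUSE_RESOURCE_TYPE = "abuseevent.googleapis.com/Location"
TARGET_DETECTION_TYPE = "CRYPTO_MINING"

# Full resource name of a Compute Engine instance (assumed payload format).
VM_RESOURCE_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"/zones/(?P<zone>[^/]+)/instances/(?P<instance>[^/]+)$"
)

# Constructed sample LogEntry, shaped like what a sink publishes to Pub/Sub.
SAMPLE_ENTRY = {
    "resource": {"type": ABUSE_RESOURCE_TYPE,
                 "labels": {"project_id": "example-project"}},
    "timestamp": "2024-05-01T12:00:00Z",
    "jsonPayload": {
        "detectionType": TARGET_DETECTION_TYPE,
        "cryptoMiningEvent": {          # assumed field name
            "vmResource": [             # assumed field name
                "//compute.googleapis.com/projects/example-project"
                "/zones/us-central1-a/instances/miner-1",
                "//compute.googleapis.com/projects/example-project"
                "/zones/us-central1-b/instances/miner-2",
            ]
        },
    },
}


def matches_sink_filter(entry: Dict) -> bool:
    """Mirror of the two-line sink filter (the lines are ANDed)."""
    return (entry.get("resource", {}).get("type") == ABUSE_RESOURCE_TYPE
            and entry.get("jsonPayload", {}).get("detectionType") == TARGET_DETECTION_TYPE)


def parse_vm_resource(name: str) -> Tuple[str, str, str]:
    """Split //compute.googleapis.com/projects/P/zones/Z/instances/I into (P, Z, I)."""
    match = VM_RESOURCE_RE.match(name)
    if not match:
        raise ValueError(f"not a Compute Engine instance resource name: {name!r}")
    return match["project"], match["zone"], match["instance"]


def compute_instance_url(project: str, zone: str, instance: str, action: str) -> str:
    """REST URL for compute.instances.stop / compute.instances.suspend (POST, empty body)."""
    if action not in ("stop", "suspend"):
        raise ValueError(f"unsupported action {action!r}")
    return (f"https://compute.googleapis.com/compute/v1/projects/{project}"
            f"/zones/{zone}/instances/{instance}/{action}")


def plan_remediation(entry: Dict, action: str = "stop") -> List[str]:
    """Return the Compute API URLs to POST for one entry; [] if it is not a crypto-mining event."""
    if not matches_sink_filter(entry):
        return []
    vms = entry["jsonPayload"].get("cryptoMiningEvent", {}).get("vmResource", [])
    return [compute_instance_url(*parse_vm_resource(name), action) for name in vms]


def handle_pubsub_message(message: Dict, http_post: Callable[[str], int],
                          action: str = "stop") -> List[Tuple[str, int]]:
    """Function entry point.

    `message` is the Pub/Sub message ({"data": <base64 LogEntry JSON>, ...}):
    the `event` argument of a 1st-gen function, or cloud_event.data["message"]
    in 2nd gen. `http_post` performs the authenticated POST and returns the HTTP
    status; it is injected so the routing logic can be tested offline.
    """
    entry = json.loads(base64.b64decode(message["data"]).decode("utf-8"))
    return [(url, http_post(url)) for url in plan_remediation(entry, action)]


def encode_for_pubsub(entry: Dict) -> Dict:
    """Wrap a LogEntry the way a Logging sink delivers it to Pub/Sub."""
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode(), "attributes": {}}


if __name__ == "__main__":
    # Dry run: pretend every POST succeeded.
    for url, status in handle_pubsub_message(encode_for_pubsub(SAMPLE_ENTRY), lambda u: 200):
        print(status, url)
```

In a deployed function, http_post would be a call such as `AuthorizedSession(google.auth.default()[0]).post(url).status_code` from google-auth, running as a service account that holds only the compute.instances.stop and compute.instances.suspend permissions on the projects it is meant to act on. Prefer suspend when you intend to investigate: it preserves guest memory, whereas stop discards it. Abuse Events are delivered on a best-effort basis, so treat the function as one input to your response process and keep the email notification and your own detections alongside it.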
You can ingest Cloud Abuse Event logs into Google Security Operations, which lets you store, search, and examine aggregated security information for your enterprise. If you prefer to export your abuse logs to an external security information and event management (SIEM) system for further analysis or custom automation, you'll need to route your logs to a supported destination, such as a Cloud Storage bucket or a Pub/Sub topic, that your third-party integration can read from.
You can learn more about responding to abuse notifications and warnings in our documentation. For technical information about the Cloud Abuse Event log payload format, see the payload reference in the documentation.