Collect Google Cloud abuse event logs
This document describes how to collect Google Cloud abuse event logs by enabling Google Cloud telemetry ingestion into Google SecOps, and how the fields of Google Cloud abuse event logs map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations.
The deployment contains the following components:
Google Cloud: the Google Cloud services and products from which you collect logs.
Google Cloud abuse event logs: the Google Cloud abuse event logs that are enabled for ingestion into Google SecOps.
Google SecOps: Google SecOps retains and analyzes the Google Cloud abuse event logs.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the ingestion label GCP_ABUSE_EVENTS.
Before you begin
Ensure that all systems in the deployment architecture are configured to the UTC time zone.
Configure Google Cloud to ingest Google Cloud abuse event logs
To ingest Google Cloud abuse event logs into Google SecOps, follow the steps described in Ingest Google Cloud logs to Google SecOps.
A typical deployment consists of Google Cloud abuse event logs enabled for ingestion into Google SecOps. Each customer deployment can differ from this representation and may be more complex.
If you have problems ingesting Google Cloud abuse event logs, contact Google SecOps support.
Supported Google Cloud abuse event log format and sample
The Google Cloud abuse event parser supports logs in JSON format. The following is a sample:
{
  "insertId": "dummy-insert-id",
  "jsonPayload": {
    "action": "NOTIFY",
    "@type": "type.googleapis.com/google.cloud.abuseevent.logging.v1.AbuseEvent",
    "cryptoMiningEvent": {
      "detectedMiningEndTime": "2048-03-18T07:10:00Z",
      "detectedMiningStartTime": "2016-07-10T05:24:00Z",
      "vmIp": [
        "dummy.ip.address.1",
        "dummy.ip.address.2",
        "dummy.ip.address.3"
      ],
      "vmResource": [
        "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
      ]
    },
    "detectionType": "CRYPTO_MINING",
    "reason": "The monitored resource is mining cryptocurrencies",
    "remediationLink": "https://dummy-remediation-link"
  },
  "resource": {
    "type": "abuseevent.googleapis.com/Location",
    "labels": {
      "location": "global",
      "resource_container": "projects/dummy-resource-container-id"
    }
  },
  "timestamp": "2025-07-10T17:31:53.966189618Z",
  "severity": "NOTICE",
  "labels": {
    "abuseevent.googleapis.com/vm_resource": "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
  },
  "logName": "projects/dummy-project-id/logs/abuseevent.googleapis.com%2Fabuse_events",
  "receiveTimestamp": "2025-07-10T17:31:54.754890208Z"
}
Field mapping reference
Field mapping reference: GCP_ABUSE_EVENTS
The following table lists the log fields and their corresponding UDM fields.

Log field | UDM mapping | Logic
---|---|---
 | metadata.event_type | The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED.
 | metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform.
 | metadata.product_name | The metadata.product_name UDM field is set to GCP Abuse Events.
insertId | metadata.product_log_id |
resource.type | target.resource.resource_subtype |
resource.labels.location | target.location.name |
timestamp | metadata.event_timestamp |
severity | security_result.severity | If the severity log field value is equal to CRITICAL, the security_result.severity UDM field is set to CRITICAL. Else, if it is equal to ERROR, it is set to ERROR. Else, if it contains one of the values listed for HIGH (that list is missing from this page), it is set to HIGH. Else, if it contains one of the values listed for INFORMATIONAL (also missing from this page), it is set to INFORMATIONAL. Else, if it is equal to DEBUG, it is set to LOW. Else, if it is equal to WARNING, it is set to MEDIUM. Else, it is set to UNKNOWN_SEVERITY.
severity | security_result.severity_details |
logName | metadata.url_back_to_product |
receiveTimestamp | metadata.collected_timestamp |
jsonPayload.detectionType | security_result.category_details |
jsonPayload.detectionType | security_result.category | If the jsonPayload.detectionType log field value is equal to DETECTION_TYPE_UNSPECIFIED, the security_result.category UDM field is set to UNKNOWN_CATEGORY. Else, if it is equal to CRYPTO_MINING, it is set to EXPLOIT. Else, if it is equal to LEAKED_CREDENTIALS, it is set to PHISHING. Else, if it is equal to PHISHING, it is set to PHISHING. Else, if it is equal to MALWARE, it is set to SOFTWARE_MALICIOUS. Else, if it is equal to NO_ABUSE, it is set to POLICY_VIOLATION.
jsonPayload.reason | security_result.description |
jsonPayload.action | security_result.action | If the jsonPayload.action log field value is equal to ACTION_TYPE_UNSPECIFIED, the security_result.action UDM field is set to UNKNOWN_ACTION. Else, if it is equal to NOTIFY, it is set to ALLOW. Else, if it is equal to PROJECT_SUSPENSION, it is set to BLOCK. Else, if it is equal to REINSTATE, it is set to ALLOW. Else, if it is equal to WARN, it is set to ALLOW. Else, if it is equal to RESOURCE_SUSPENSION, it is set to BLOCK.
labels.abuseevent.googleapis.com/vm_resource | principal.resource.name |
jsonPayload.cryptoMiningEvent.vmResource | principal.resource.resource_type | If the jsonPayload.cryptoMiningEvent.vmResource log field value is not empty, the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
jsonPayload.cryptoMiningEvent.detectedMiningStartTime | security_result.detection_fields[detected_mining_start_time] |
jsonPayload.cryptoMiningEvent.detectedMiningEndTime | security_result.detection_fields[detected_mining_end_time] |
jsonPayload.cryptoMiningEvent.vmIp | principal.ip |
jsonPayload.leakedCredentialEvent.serviceAccountCredential.serviceAccount | principal.user.userid |
jsonPayload.leakedCredentialEvent.serviceAccountCredential.keyId | principal.user.attribute.labels[service_account_key_id] |
jsonPayload.leakedCredentialEvent.apiKeyCredential.apiKey | principal.user.attribute.labels[api_key_credential_api_key] |
jsonPayload.leakedCredentialEvent.detectedUri | security_result.about.url |
jsonPayload.harmfulContentEvent.uri | security_result.detection_fields[harmful_content_event_uri] |
jsonPayload.remediationLink | security_result.detection_fields[remediation_link] |
jsonPayload.@type | security_result.detection_fields[jsonPayload_type] |
resource.labels.resource_container | principal.resource.attribute.labels[resource_container] |

Note that only the action values NOTIFY, WARN and REINSTATE map to ALLOW; PROJECT_SUSPENSION and RESOURCE_SUSPENSION map to BLOCK, so a rule that keys on security_result.action = BLOCK catches the events where Google has already suspended the resource or project.