收集 Google Cloud 濫用事件記錄

支援的國家/地區:

本文說明如何啟用 Google Cloud 遙測資料擷取功能,將 Google Cloud Abuse Events 記錄檔匯入 Google SecOps,以及 Google Cloud Abuse Events 記錄檔的記錄欄位如何對應至 Google SecOps 統合資料模型 (UDM) 欄位。

詳情請參閱「將資料擷取至 Google Security Operations」。

部署作業包含下列元件:

  • Google Cloud:您要收集記錄的 Google Cloud 服務和產品。

  • Google Cloud 濫用事件記錄:已啟用擷取至 Google SecOps 的 Google Cloud 濫用事件記錄。

  • Google SecOps:Google SecOps 會保留及分析 Google Cloud 濫用事件的記錄。

擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於具有 GCP_ABUSE_EVENTS 攝入標籤的剖析器。

事前準備

請確認部署架構中的所有系統都已設定為世界標準時間。

設定 Google Cloud ,以便擷取 Google Cloud 濫用事件記錄

如要將 Google Cloud 濫用事件記錄擷取至 Google SecOps,請按照「將記錄擷取至 Google SecOps Google Cloud 」一文中的步驟操作。

一般部署作業包括啟用 Google Cloud Abuse Events 記錄,以便擷取至 Google SecOps。每個客戶部署作業可能與此表示法不同,且可能更複雜。

如果在擷取 Google Cloud Abuse Events 記錄時遇到問題,請與 Google SecOps 支援團隊聯絡。

支援的 Google Cloud 濫用事件記錄格式和範例

Google Cloud Abuse Events 剖析器支援 JSON 格式的記錄。範例如下:

    {
        "insertId": "dummy-insert-id",
        "jsonPayload": {
            "action": "NOTIFY",
            "@type": "type.googleapis.com/google.cloud.abuseevent.logging.v1.AbuseEvent",
            "cryptoMiningEvent": {
                "detectedMiningEndTime": "2048-03-18T07: 10: 00Z",
                "detectedMiningStartTime": "2016-07-10T05: 24: 00Z",
                "vmIp": [
                    "dummy.ip.address.1",
                    "dummy.ip.address.2",
                    "dummy.ip.address.3"
                ],
                "vmResource": [
                    "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
                ]
            },
            "detectionType": "CRYPTO_MINING",
            "reason": "The monitored resource is mining cryptocurrencies",
            "remediationLink": "https://dummy-remediation-link"
        },
        "resource": {
            "type": "abuseevent.googleapis.com/Location",
            "labels": {
                "location": "global",
                "resource_container": "projects/dummy-resource-container-id"
            }
        },
        "timestamp": "2025-07-10T17:31:53.966189618Z",
        "severity": "NOTICE",
        "labels": {
            "abuseevent.googleapis.com/vm_resource": "projects/dummy-project-id/zones/dummy-zone/instances/dummy-instance-id"
        },
        "logName": "projects/dummy-project-id/logs/abuseevent.googleapis.com%2Fabuse_events",
        "receiveTimestamp": "2025-07-10T17:31:54.754890208Z"
    }

欄位對應參考資料

欄位對應參考資料:GCP_ABUSE_EVENTS

下表列出記錄檔欄位和對應的 UDM 欄位。

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED.
metadata.vendor_name The metadata.vendor_name UDM field is set to Google Cloud Platform.
metadata.product_name The metadata.product_name UDM field is set to GCP Abuse Events.
insertId metadata.product_log_id
resource.type target.resource.resource_subtype
resource.labels.location target.location.name
timestamp metadata.event_timestamp
security_result.severity If the severity log field value is equal to CRITICAL then, the security_result.severity UDM field is set to CRITICAL.
Else, if severity log field value is equal to ERROR then, the security_result.severity UDM field is set to ERROR.
Else, if severity log field value contain one of the following values
  • ALERT
  • EMERGENCY
then, the security_result.severity UDM field is set to HIGH.
Else, if severity log field value contain one of the following values
  • INFO
  • NOTICE
then, the security_result.severity UDM field is set to INFORMATIONAL.
Else, if severity log field value is equal to DEBUG then, the security_result.severity UDM field is set to LOW.
Else, if severity log field value is equal to WARNING then, the security_result.severity UDM field is set to MEDIUM.
Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
severity security_result.severity_details
logName metadata.url_back_to_product
receiveTimestamp metadata.collected_timestamp
jsonPayload.detectionType security_result.category_details
security_result.category If the security_result.category_mapping log field value is equal to DETECTION_TYPE_UNSPECIFIED then, the security_result.category UDM field is set to UNKNOWN_CATEGORY.
Else, if security_result.category_mapping log field value is equal to CRYPTO_MINING then, the security_result.category UDM field is set to EXPLOIT.
Else, if security_result.category_mapping log field value is equal to LEAKED_CREDENTIALS then, the security_result.category UDM field is set to PHISHING.
Else, if security_result.category_mapping log field value is equal to PHISHING then, the security_result.category UDM field is set to PHISHING.
Else, if security_result.category_mapping log field value is equal to MALWARE then, the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
Else, if security_result.category_mapping log field value is equal to NO_ABUSE then, the security_result.category UDM field is set to POLICY_VIOLATION.
jsonPayload.reason security_result.description
security_result.action If the jsonPayload.action log field value is equal to ACTION_TYPE_UNSPECIFIED then, the security_result.action UDM field is set to UNKNOWN_ACTION.
Else, if the jsonPayload.action log field value is equal to NOTIFY then, the security_result.action UDM field is set to ALLOW.
Else, if the jsonPayload.action log field value is equal to PROJECT_SUSPENSION then, the security_result.action UDM field is set to BLOCK.
Else, if the jsonPayload.action log field value is equal to REINSTATE then, the security_result.action UDM field is set to ALLOW.
Else, if the jsonPayload.action log field value is equal to WARN then, the security_result.action UDM field is set to ALLOW.
Else, if the jsonPayload.action log field value is equal to RESOURCE_SUSPENSION then, the security_result.action UDM field is set to BLOCK.
labels.abuseevent.googleapis.com/vm_resource principal.resource.name
principal.resource.resource_type If the event_type.crypto_mining_event.vm_resource log field value is not empty then, the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
jsonPayload.cryptoMiningEvent.detectedMiningStartTime security_result.detection_fields[detected_mining_start_time]
jsonPayload.cryptoMiningEvent.detectedMiningEndTime security_result.detection_fields[detected_mining_end_time]
jsonPayload.cryptoMiningEvent.vmIp principal.ip
jsonPayload.leaked_credential_event.credential_type.service_account_credential.service_account.service_account principal.user.userid
jsonPayload.leaked_credential_event.credential_type.service_account_credential.service_account.key_id principal.user.attribute.labels[service_account_key_id]
jsonPayload.leakedCredentialEvent.apiKeyCredential.apiKey principal.user.attribute.labels[api_key_credential_api_key]
jsonPayload.leakedCredentialEvent.detectedUri security_result.about.url
jsonPayload.harmfulContentEvent.uri security_result.detection_fields[harmful_content_event_uri]
jsonPayload.remediationLink security_result.detection_fields[remediation_link]
jsonPayload.@type security_result.detection_fields[jsonPayload_type]
resource.labels.resource_container principal.resource.attribute.labels[resource_container]

後續步驟

還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。