Source URL: https://cloud.google.com/blog/products/identity-security/introducing-abuse-event-logging-for-automated-incident-remediation/
Source: Cloud Blog
Title: Introducing Google Cloud Abuse Event Logging to enable automated incident remediation
Feedly Summary: At Google Cloud, we are deeply committed to partnering with our customers to help achieve stronger security outcomes.
As a part of this commitment, we’re excited to announce that Google Cloud customers can now track Cloud Abuse Events using Cloud Logging. These events can include leaked service account keys, crypto mining incidents, and malware.
When we identify one of these abuse issues that’s affecting your cloud resources, you’ll now receive two detailed notifications: one in a structured log format, and an email notification.
Cloud Abuse Event Logging is focused on providing a more efficient and effective method for customers to receive important abuse and security notifications. Previously, notifications were sent to customers only in an email, which at times created challenges around consistency, automation, and continuity.
In response to customer feedback, we developed Cloud Abuse Event Logging to supplement email notifications. By consuming these log notifications, customers can build consistent, automated processes to resolve abuse and security issues more efficiently and effectively. Here are a few benefits:
Direct access in Cloud Logging: These notifications are readily available as logs in Cloud Logging, making them easier to find and manage.
Enhanced automation: The structured log format allows you to integrate these notifications into your existing security monitoring and incident response systems, which can help reduce the time it takes to address potential threats.
Historical trend analysis: Gain insights into past abuse events to identify patterns and proactively strengthen your security measures.
[Figure: Dashboard built on top of Cloud Abuse Event logs using Cloud Logging.]
[Figure: A Cloud Abuse Event log in Logs Explorer for CRYPTO_MINING.]
This new logging system reinforces our commitment to our customers, aligns with our shared fate model, and makes Google Cloud more secure. Cloud Abuse Events are provided on a best-effort basis to assist you in identifying potential abuse and we encourage you to combine these notifications with your own security practices for comprehensive protection.
Monitoring and dashboarding
This new integration of Cloud Abuse Events with Cloud Logging helps you strengthen your security with automated and timely notifications. You can use Cloud Monitoring to observe trends in your logs and notify you when specific conditions are met, such as receiving important types of abuse events. For example, based on the logs provided via Cloud Abuse Events, you can configure an alerting policy to notify you whenever we’ve become aware that your service account key has been leaked to the public.
You can also set up custom dashboards for your logs to get insights into the overall health and security of your environment. Cloud Abuse Events in Cloud Logging gives you many flexible options to effectively manage your security and monitoring. For example, if you’d like to aggregate the logs from each project in one place, an aggregate sink at the organization level may be useful. Additionally, you can use Log Analytics to run queries that analyze your log data, which allows you to easily chart and query results and can help uncover patterns and trends in your logs.
Automate response to abuse events
There are several ways to detect and respond to Cloud Logging events in real time. For example, if you would like to configure automated deprovisioning of a VM after crypto mining has been detected on the instance, you can follow these steps:
Create a Logging sink to direct crypto mining related Abuse Events to your business logic. You can use the following filters to isolate these logs:
resource.type="abuseevent.googleapis.com/Location"
jsonPayload.detectionType="CRYPTO_MINING"
Create a Pub/Sub topic. The Logging sink will route the filtered Abuse Events to this topic, and each Pub/Sub message then triggers a Cloud Function asynchronously for the corresponding Abuse Event.
Set up a Cloud Function that uses either compute.instances.stop or compute.instances.suspend to shut down or temporarily suspend the VM. You can populate the parameters required for the HTTP request using the data from the AbuseEvent jsonPayload. Alternatively, you can have the Pub/Sub topic trigger the Cloud Scheduler to shut down the VM instance.
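The three steps above, carried through as an added example (not code from the original post or from Google): a Python Cloud Function body that decodes the Pub/Sub-delivered LogEntry, re-checks resource.type and detectionType before acting, and turns the affected instance resource paths into compute.instances.stop (or suspend) calls. The resource.type and jsonPayload.detectionType fields come from the filter in the post; the location of the instance list (jsonPayload.cryptoMiningEvent.vmResource), the project/zone/instance values, and the on_abuse_event entry point are assumptions for this example, so check them against the documented payload format.

```python
import base64
import json
import re

# Compute Engine instance resource paths end in
# projects/PROJECT/zones/ZONE/instances/NAME; pull out the three API parameters.
_INSTANCE_RE = re.compile(
    r"projects/(?P<project>[^/]+)/zones/(?P<zone>[^/]+)/instances/(?P<instance>[^/]+)$"
)

def decode_pubsub_event(event):
    """Pub/Sub hands the routed LogEntry to the function as base64 JSON in event['data']."""
    return json.loads(base64.b64decode(event["data"]))

def plan_remediation(entry, action="stop"):
    """Return the compute.instances.stop/suspend calls for a CRYPTO_MINING Abuse Event.
    The sink filter already selects these entries, but re-checking here means a
    misconfigured sink cannot get unrelated log entries turned into VM shutdowns."""
    if action not in ("stop", "suspend"):
        raise ValueError("action must be 'stop' or 'suspend'")
    if entry.get("resource", {}).get("type") != "abuseevent.googleapis.com/Location":
        return []
    payload = entry.get("jsonPayload", {})
    if payload.get("detectionType") != "CRYPTO_MINING":
        return []
    # ASSUMPTION: affected instance resource names are listed under
    # jsonPayload.cryptoMiningEvent.vmResource; adjust to the documented payload.
    targets = payload.get("cryptoMiningEvent", {}).get("vmResource", [])
    calls = []
    for res in targets:
        match = _INSTANCE_RE.search(res)
        if match:  # ignore anything that is not a Compute Engine instance path
            calls.append({"method": "compute.instances." + action, **match.groupdict()})
    return calls

def on_abuse_event(event, context):
    """Entry point using the 1st-gen Cloud Functions Pub/Sub signature: plan, then execute."""
    from googleapiclient import discovery  # google-api-python-client, present at deploy time
    compute = discovery.build("compute", "v1")
    for call in plan_remediation(decode_pubsub_event(event)):
        method = getattr(compute.instances(), call["method"].rsplit(".", 1)[1])
        method(project=call["project"], zone=call["zone"], instance=call["instance"]).execute()

# Constructed sample LogEntry, encoded the way Pub/Sub delivers it to the function.
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps({
    "resource": {"type": "abuseevent.googleapis.com/Location"},
    "jsonPayload": {"detectionType": "CRYPTO_MINING", "cryptoMiningEvent": {"vmResource": [
        "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/miner-vm"
    ]}},
}).encode()).decode()}
```

Running plan_remediation(decode_pubsub_event(SAMPLE_EVENT)) locally shows the planned calls without touching any VM; on_abuse_event is the function you would actually deploy behind the Pub/Sub trigger.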
You can ingest Cloud Abuse Event logs into Google Security Operations which lets you store, search, and examine aggregated security information for your enterprise. If you prefer to export your abuse logs to an external security information and event management system (SIEM) for further analysis or custom automation, you’ll need to route your logs to a supported destination, such as a Google Cloud Storage bucket or a Pub/Sub topic that can provide support for third-party integrations.
You can learn more about responding to abuse notifications and warnings in our documentation, which also describes the Cloud Abuse Event log payload format.
AI Summary and Description: Yes
**Summary:**
The text discusses Google Cloud’s new feature, Cloud Abuse Event Logging, which allows customers to track and manage security incidents such as leaked service account keys, crypto mining, and malware through structured notifications. This feature enhances automation and monitoring capabilities for cloud security, addressing challenges with previous notification methods.
**Detailed Description:**
The introduction of Cloud Abuse Event Logging by Google Cloud represents a significant advancement in how customers can monitor and respond to security incidents within their cloud environments. This feature is designed to provide timely and structured notifications that enhance security management and automate responses to potential threats.
**Key points include:**
– **Cloud Abuse Event Logging Introduction:**
  – Customers can now track Cloud Abuse Events via Cloud Logging.
  – Events recorded include incidents like leaked service account keys, crypto mining activities, and malware detection.
– **Notification Improvements:**
  – Previously, alerts were sent only via email, which posed challenges in consistency and automation.
  – Customers now receive notifications in two formats: structured log format in Cloud Logging and email notifications.
– **Benefits of Cloud Abuse Event Logging:**
  – **Direct Accessibility:** Notifications are directly available in Cloud Logging, making it easier for security teams to manage them.
  – **Enhanced Automation:** The structured format allows integration with existing security monitoring and incident response systems, promoting quicker threat resolution.
  – **Pattern Analysis:** Historical data can help identify trends and improve overall security measures.
– **Integration with Other Tools:**
  – **Cloud Monitoring:** Users can set up alerts for specific abuse events, enhancing proactive monitoring.
  – **Custom Dashboards:** Security teams can create dashboards for real-time insights into the security posture of their cloud environment.
– **Automated Response Mechanisms:**
  – Users can configure automated deprovisioning of instances detected for crypto mining using Google Cloud’s tools, facilitating immediate threat response.
  – Details on creating logging filters, Pub/Sub topics, and Cloud Functions for automated responses are provided.
– **Support for External Tools:**
  – Logs can be directed to external SIEM systems for further analysis, enhancing security operations in cloud environments.
Overall, the creation of Cloud Abuse Event Logging underscores Google Cloud’s commitment to security and customer collaboration, fostering a safer cloud usage experience. This development is particularly relevant for security professionals needing effective tools to monitor and mitigate risks in cloud infrastructures.