To identify and alert on a repetitive sequence of brute-force SSH login attempts on a Compute Engine instance that did not result in a successful login, while minimizing ingestion quota impact, which log type should you ingest into SecOps?


Multiple Choice


Explanation:
Spotting a pattern of repeated SSH connection attempts through the network interface is the key idea here. VPC Flow Logs capture metadata about every network flow to and from a VM, including source and destination IPs, ports, protocol, and whether the flow was allowed or denied by firewall rules. This makes it possible to detect a burst of connections to SSH (port 22) that don’t lead to a successful login, by observing many connection attempts from the same or multiple sources without successful authentication. Since you can filter these logs to SSH traffic and to flows that were denied or did not complete, you can alert on brute-force patterns while keeping ingestion lightweight. Cloud IDS logs provide intrusion detections but can be more data-heavy and broad in scope for this specific pattern. Cloud Audit Logs focus on API activity rather than in-guest login attempts, and SCC Premium findings are a consolidated posture view rather than a raw log stream for this scenario.

