Action

A task to execute on the completion of a job. See https://cloud.google.com/dlp/docs/concepts-actions to learn more.

JSON representation
{
  // Union field action can be only one of the following:
  "saveFindings": {
    object (SaveFindings)
  },
  "pubSub": {
    object (PublishToPubSub)
  },
  "publishSummaryToCscc": {
    object (PublishSummaryToCscc)
  },
  "publishFindingsToCloudDataCatalog": {
    object (PublishFindingsToCloudDataCatalog)
  },
  "jobNotificationEmails": {
    object (JobNotificationEmails)
  },
  "publishToStackdriver": {
    object (PublishToStackdriver)
  }
  // End of list of possible types for union field action.
}
Fields

Union field action.

action can be only one of the following:

saveFindings

object (SaveFindings)

Save resulting findings in a provided location.

pubSub

object (PublishToPubSub)

Publish a notification to a Pub/Sub topic.

publishSummaryToCscc

object (PublishSummaryToCscc)

Publish summary to Cloud Security Command Center (Alpha).

publishFindingsToCloudDataCatalog

object (PublishFindingsToCloudDataCatalog)

Publish findings to Cloud Datahub.

jobNotificationEmails

object (JobNotificationEmails)

Enable email notification for project owners and editors on the job's completion or failure.

publishToStackdriver

object (PublishToStackdriver)

Enable Stackdriver metric dlp.googleapis.com/findingCount.

SaveFindings

If set, the detailed findings will be persisted to the specified OutputStorageConfig. Only a single instance of this action can be specified. Compatible with: Inspect, Risk

JSON representation
{
  "outputConfig": {
    object (OutputStorageConfig)
  }
}
Fields
outputConfig

object (OutputStorageConfig)

Location to store findings outside of DLP.

OutputStorageConfig

Cloud repository for storing output.

JSON representation
{
  "outputSchema": enum (OutputSchema),
  "table": {
    object (BigQueryTable)
  }
}
Fields
outputSchema

enum (OutputSchema)

Schema used for writing the findings for Inspect jobs. This field is only used for Inspect and must be unspecified for Risk jobs. Columns are derived from the Finding object. If appending to an existing table, any columns from the predefined schema that are missing will be added. No columns in the existing table will be deleted.

If unspecified, then all available columns will be used for a new table or an (existing) table with no schema, and no changes will be made to an existing table that has a schema. Only for use with external storage.

table

object (BigQueryTable)

Store findings in an existing table or a new table in an existing dataset. If tableId is not set, a new one will be generated for you with the following format: dlp_googleapis_yyyy_mm_dd_[dlp_job_id]. The Pacific time zone is used to generate the date details.

For Inspect, each column in an existing output table must have the same name, type, and mode as a field in the Finding object.

For Risk, an existing output table should be the output of a previous Risk analysis job run on the same source table, with the same privacy metric and quasi-identifiers. Risk jobs that analyze the same table but compute a different privacy metric, or use different sets of quasi-identifiers, cannot store their results in the same table.

OutputSchema

Predefined schemas for storing findings. Only for use with external storage.

Enums
OUTPUT_SCHEMA_UNSPECIFIED Unused.
BASIC_COLUMNS Basic schema including only infoType, quote, certainty, and timestamp.
GCS_COLUMNS Schema tailored to findings from scanning Google Cloud Storage.
DATASTORE_COLUMNS Schema tailored to findings from scanning Google Datastore.
BIG_QUERY_COLUMNS Schema tailored to findings from scanning Google BigQuery.
ALL_COLUMNS Schema containing all columns.

PublishToPubSub

Publish a message into given Pub/Sub topic when DlpJob has completed. The message contains a single field, DlpJobName, which is equal to the finished job's DlpJob.name. Compatible with: Inspect, Risk

JSON representation
{
  "topic": string
}
Fields
topic

string

Cloud Pub/Sub topic to send notifications to. The DLP API service account that executes the long-running DlpJob sending the notifications must have been granted publishing access rights on the topic. Format is projects/{project}/topics/{topic}.

PublishSummaryToCscc

Publish the result summary of a DlpJob to the Cloud Security Command Center (CSCC Alpha). This action is only available for projects that are part of an organization and whitelisted for the alpha Cloud Security Command Center. The action publishes the count of finding instances and their info types. The summary of findings is persisted in CSCC and is governed by CSCC service-specific policy; see https://cloud.google.com/terms/service-terms. Only a single instance of this action can be specified. Compatible with: Inspect

PublishFindingsToCloudDataCatalog

Publish findings of a DlpJob to Cloud Data Catalog. Labels summarizing the results of the DlpJob will be applied to the entry for the resource scanned in Cloud Data Catalog. Any labels previously written by another DlpJob will be deleted. InfoType naming patterns are strictly enforced when using this feature. Note that the findings will be persisted in Cloud Data Catalog storage and are governed by Data Catalog service-specific policy; see https://cloud.google.com/terms/service-terms. Only a single instance of this action can be specified, and it is only allowed if all resources being scanned are BigQuery tables. Compatible with: Inspect

JobNotificationEmails

Enable email notification to project owners and editors on the job's completion or failure.

PublishToStackdriver

Enable Stackdriver metric dlp.googleapis.com/findingCount. This will publish a metric to Stackdriver for each infoType requested, with the number of findings found for it. CustomDetectors will be bucketed as 'Custom' under the Stackdriver label 'infoType'.
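
The constraints stated across this page (one union member per Action, single-instance actions, Inspect/Risk compatibility, the topic format, outputSchema on Risk jobs, the BigQuery-only rule for Data Catalog) can be checked before a job is submitted. The following is an added example, not part of the DLP API or its client libraries; lint_actions, its job_kind and all_bigquery parameters, and the sample list are hypothetical names and constructed data.

```python
import re

# Rules below restate this page; "inspect"/"risk" job labels are this example's own.
COMPAT = {"saveFindings": {"inspect", "risk"}, "pubSub": {"inspect", "risk"},
          "publishSummaryToCscc": {"inspect"},
          "publishFindingsToCloudDataCatalog": {"inspect"}}
SINGLE = {"saveFindings", "publishSummaryToCscc", "publishFindingsToCloudDataCatalog"}
KNOWN = set(COMPAT) | {"jobNotificationEmails", "publishToStackdriver"}
TOPIC_RE = re.compile(r"^projects/[^/]+/topics/[^/]+$")


def lint_actions(actions, job_kind, all_bigquery=False):
    """Return the problems found in a list of Action objects for one job."""
    problems, seen = [], {}
    for i, action in enumerate(actions):
        keys = list(action)
        if len(keys) != 1 or keys[0] not in KNOWN:
            problems.append(f"actions[{i}]: set exactly one known union member, got {keys}")
            continue
        kind, body = keys[0], action[keys[0]]
        seen[kind] = seen.get(kind, 0) + 1
        if kind in SINGLE and seen[kind] == 2:
            problems.append(f"{kind}: only a single instance can be specified")
        if kind in COMPAT and job_kind not in COMPAT[kind]:
            problems.append(f"actions[{i}]: {kind} is not compatible with {job_kind} jobs")
        if kind == "pubSub" and not TOPIC_RE.match(body.get("topic", "")):
            problems.append(f"actions[{i}]: topic must be projects/{{project}}/topics/{{topic}}")
        if kind == "saveFindings" and job_kind == "risk":
            # Assumption: an absent field or OUTPUT_SCHEMA_UNSPECIFIED both count as unspecified.
            schema = body.get("outputConfig", {}).get("outputSchema")
            if schema not in (None, "OUTPUT_SCHEMA_UNSPECIFIED"):
                problems.append(f"actions[{i}]: outputSchema must be unspecified for Risk jobs")
        if kind == "publishFindingsToCloudDataCatalog" and not all_bigquery:
            problems.append(f"actions[{i}]: Data Catalog needs all scanned resources in BigQuery")
    return problems


# Constructed sample: a Risk job carrying four mistakes the page rules out.
SAMPLE = [
    {"saveFindings": {"outputConfig": {"outputSchema": "BASIC_COLUMNS"}}},
    {"pubSub": {"topic": "dlp-done"}},
    {"publishSummaryToCscc": {}},
    {"saveFindings": {"outputConfig": {}}},
]

if __name__ == "__main__":
    for problem in lint_actions(SAMPLE, "risk"):
        print(problem)
```

jobNotificationEmails and publishToStackdriver get no compatibility check because this page states none for them.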