Publish data profiles to Security Command Center

This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.

You can configure Cloud DLP to automatically generate profiles about BigQuery data across an organization, folder, or project. Data profiles contain metrics and metadata about your tables and help you determine where sensitive and high-risk data reside. Cloud DLP reports these metrics at the project, table, and column levels. For more information, see Data profiles for BigQuery data.

Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.

Data profiles can generate observation findings in Security Command Center that show the calculated sensitivity and data risk levels of your BigQuery data. You can use these findings to inform your response when you encounter threats and vulnerabilities related to BigQuery data.

Generated Security Command Center findings

When you configure the discovery service to publish data profiles to Security Command Center, each table data profile generates the following Security Command Center findings:

Data sensitivity: An indication of the sensitivity level of the data in a particular table. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Cloud DLP calculated when generating the data profile.

Data risk: The risk associated with the data in its current state. When calculating data risk, Cloud DLP considers the sensitivity level of the data in the table and the presence of access controls to protect that data. The severity of the finding is the data risk level that Cloud DLP calculated when generating the data profile.

Send data profiles to Security Command Center

The following is a high-level workflow for publishing data profiles to Security Command Center.

  1. Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level in the Standard or Premium tier.

    If Security Command Center is activated at the project level only, findings from Cloud DLP won't appear in Security Command Center.

  2. If Security Command Center isn't activated for your organization, you must activate it. For more information, see Activate Security Command Center for an organization.

  3. Add Cloud Data Loss Prevention as an integrated service. For more information, see Add a Google Cloud integrated service.

  4. When you configure data profiling for an organization, folder, or project, turn on the Publish to Security Command Center option. You can also edit existing discovery scan configurations to turn on this option.

    To start creating or editing a scan configuration, go to the Discovery page in the Google Cloud console.

Query for Security Command Center findings related to data profiles

The following are example queries that you can use to find relevant Data sensitivity and Data risk findings in Security Command Center. You can enter these queries in the Query editor field. For more information about the query editor, see Edit a findings query in the Security Command Center dashboard.

List all Data sensitivity and Data risk findings for a particular table

This query is useful, for example, if Security Command Center detects an event where a BigQuery table was saved to a different project. In this case, an Exfiltration: BigQuery Data Exfiltration finding is generated, and it contains the full display name of the table that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the table. View the calculated sensitivity and data risk levels for the table and plan your response accordingly.

state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"

The parentheses are required: AND binds more tightly than OR in the findings query language, so without them the state, mute, and table conditions would apply only to the DATA_RISK category and every DATA_SENSITIVITY finding in the organization would be returned.

Replace the following:

  • PROJECT_ID: the ID of the project that contains the BigQuery table
  • DATASET_ID: the dataset ID of the table
  • TABLE_ID: the ID of the table

List all Data risk and Data sensitivity findings with a High severity level

state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND severity="HIGH"

As in the previous query, the parentheses keep the severity, state, and mute conditions applied to both categories.
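The two queries above can also be issued programmatically. The following is an added example (not code from the original page or from Google) that builds the same filters with the category grouping done correctly and lists matching findings through the google-cloud-securitycenter client library. The helper names, the constructed table display name my-project:sales.customers, and the ORGANIZATION_ID placeholder are assumptions; the filter syntax, the DATA_RISK and DATA_SENSITIVITY categories, and the display-name format are taken from the page.

```python
"""Build and run Security Command Center filters for Cloud DLP data-profile findings.

Added example, not part of the original page. Assumes the
google-cloud-securitycenter library (pip install google-cloud-securitycenter),
Application Default Credentials, and organization-level activation of
Security Command Center. ORGANIZATION_ID below is a placeholder.
"""

from typing import Iterable, Iterator, List, Optional, Tuple

# Finding categories that Cloud DLP data profiles publish (from the page).
DATA_PROFILE_CATEGORIES = ("DATA_RISK", "DATA_SENSITIVITY")


def _quote(value: str) -> str:
    """Quote a string literal for the filter language.

    BigQuery project, dataset and table IDs never contain a double quote, so a
    value that does is rejected rather than spliced into the filter.
    """
    if '"' in value:
        raise ValueError(f"unsupported character in filter value: {value!r}")
    return f'"{value}"'


def category_clause(categories: Iterable[str] = DATA_PROFILE_CATEGORIES) -> str:
    """OR the categories together inside parentheses.

    AND binds more tightly than OR in the findings query language, so the
    parentheses are what keep the state/mute/severity conditions applied to
    every category rather than only to the first one.
    """
    return "(" + " OR ".join(f"category={_quote(c)}" for c in categories) + ")"


def data_profile_filter(table: Optional[str] = None,
                        severity: Optional[str] = None) -> str:
    """Return a filter for active, unmuted data-profile findings.

    table: full display name, "PROJECT_ID:DATASET_ID.TABLE_ID" (None = any table).
    severity: LOW, MEDIUM, HIGH or CRITICAL (None = any severity).
    """
    clauses: List[str] = ['state="ACTIVE"', 'NOT mute="MUTED"', category_clause()]
    if table is not None:
        clauses.append(f"resource.display_name={_quote(table)}")
    if severity is not None:
        clauses.append(f"severity={_quote(severity.upper())}")
    return " AND ".join(clauses)


def list_data_profile_findings(organization_id: str,
                               filter_expr: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (category, severity, resource display name) for matching findings.

    The client import lives here so the pure filter builders above can be used
    (and unit-tested) without the library installed.
    """
    from google.cloud import securitycenter_v1

    client = securitycenter_v1.SecurityCenterClient()
    # "sources/-" searches findings from every source, which includes Cloud DLP.
    parent = f"organizations/{organization_id}/sources/-"
    for result in client.list_findings(request={"parent": parent, "filter": filter_expr}):
        finding = result.finding
        yield finding.category, finding.severity.name, result.resource.display_name


if __name__ == "__main__":
    import sys

    org = sys.argv[1] if len(sys.argv) > 1 else "ORGANIZATION_ID"  # placeholder
    table = "my-project:sales.customers"  # constructed example display name
    print(data_profile_filter(table=table))
    print(data_profile_filter(severity="HIGH"))
    if org != "ORGANIZATION_ID":
        for row in list_data_profile_findings(org, data_profile_filter(severity="HIGH")):
            print(*row)
```

Run with your numeric organization ID as the first argument to list High-severity data-profile findings; with no argument it only prints the two generated filters so you can paste them into the Query editor.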