This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.
You can configure Sensitive Data Protection to automatically generate profiles about data across an organization, folder, or project. Data profiles contain metrics and metadata about your data and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.
Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.
Data profiles can generate observation findings in Security Command Center that show the calculated sensitivity and data risk levels of your data. You can use these findings to inform your response when you encounter threats and vulnerabilities related to your data.
Generated Security Command Center findings
When you configure the discovery service to publish data profiles to Security Command Center, each table data profile generates the following Security Command Center findings:
- An indication of the sensitivity level of the data in a particular table. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
- The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the table and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.
Finding generation latency
From the time Sensitive Data Protection generates the data profiles, it can
take up to six hours for the associated
Data sensitivity and
findings to appear in Security Command Center.
Send data profiles to Security Command Center
The following is a high-level workflow for publishing data profiles to Security Command Center.
Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level in the Standard or Premium tier.
If Security Command Center is activated at the project level only, findings from Sensitive Data Protection won't appear in Security Command Center.
If Security Command Center isn't activated for your organization, you must activate it. For more information, see Activate Security Command Center for an organization.
Add Sensitive Data Protection as an integrated service. For more information, see Add a Google Cloud integrated service.
When you configure data profiling for an organization or folder or project, turn on the Publish to Security Command Center option. You can also edit existing discovery scan configurations to turn on this option.
To start creating or editing a scan configuration, go to the Discovery page in the Google Cloud console.
Query for Security Command Center findings related to data profiles
The following are example queries that you can use to find relevant
Data risk findings in Security Command Center. You can enter these
queries in the Query editor field. For more information about the
query editor, see Edit a findings query in the Security Command Center
Data sensitivity and
Data risk findings for a particular BigQuery table
This query is useful, for example, if Security Command Center detects an event where
a BigQuery table was saved to a different project. In this case,
Exfiltration: BigQuery Data
finding is generated, and it contains the full display name of the table that
was exfiltrated. You can search for any
Data sensitivity and
findings related to the table. View the calculated sensitivity and data risk
levels for the table and plan your response accordingly.
state="ACTIVE" AND NOT mute="MUTED" AND category="DATA_RISK" OR category="DATA_SENSITIVITY" AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"
Replace the following:
- PROJECT_ID: the ID of the project that contains the BigQuery table
- DATASET_ID: the dataset ID of the table
- TABLE_ID: the ID of the table
Data risk and
Data sensitivity findings with a
High severity level
state="ACTIVE" AND NOT mute="MUTED" AND category="DATA_RISK" OR category="DATA_SENSITIVITY" AND severity="HIGH"