Cloud Data Loss Prevention (Cloud DLP) is now a part of Sensitive Data Protection. The API name remains the same: Cloud Data Loss Prevention API (DLP API). For information about the services that make up Sensitive Data Protection, see Sensitive Data Protection overview.

Publish data profiles to Security Command Center

This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.

You can configure Sensitive Data Protection to automatically generate profiles about data across an organization, folder, or project. Data profiles contain metrics and metadata about your data and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.

Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.

Data profiles can generate observation findings in Security Command Center that show the calculated sensitivity and data risk levels of your data. You can use these findings to inform your response when you encounter threats and vulnerabilities related to your data.

Generated Security Command Center findings

When you configure the discovery service to publish data profiles to Security Command Center, each table data profile generates the following Security Command Center findings:

Data sensitivity: An indication of the sensitivity level of the data in a particular table. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
Data risk: The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the table and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.

Finding generation latency

From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated Data sensitivity and Data risk findings to appear in Security Command Center.

Send data profiles to Security Command Center

The following is a high-level workflow for publishing data profiles to Security Command Center.

Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level in the Standard or Premium tier.

If Security Command Center is activated at the project level only, findings from Sensitive Data Protection won't appear in Security Command Center.
If Security Command Center isn't activated for your organization, you must activate it. For more information, see Activate Security Command Center for an organization.
Add Sensitive Data Protection as an integrated service. For more information, see Add a Google Cloud integrated service.
When you configure data profiling for an organization or folder or project, turn on the Publish to Security Command Center option. You can also edit existing discovery scan configurations to turn on this option.

To start creating or editing a scan configuration, go to the Discovery page in the Google Cloud console.

Go to Discovery

Query for Security Command Center findings related to data profiles

The following are example queries that you can use to find relevant Data sensitivity and Data risk findings in Security Command Center. You can enter these queries in the Query editor field. For more information about the query editor, see Edit a findings query in the Security Command Center dashboard.

List all `Data sensitivity` and `Data risk` findings for a particular BigQuery table

This query is useful, for example, if Security Command Center detects an event where a BigQuery table was saved to a different project. In this case, an Exfiltration: BigQuery Data Exfiltration finding is generated, and it contains the full display name of the table that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the table. View the calculated sensitivity and data risk levels for the table and plan your response accordingly.

state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"

Replace the following:

PROJECT_ID: the ID of the project that contains the BigQuery table
DATASET_ID: the dataset ID of the table
TABLE_ID: the ID of the table

List all `Data risk` and `Data sensitivity` findings with a `High` severity level

state="ACTIVE"
AND NOT mute="MUTED"
AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
AND severity="HIGH"