This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.
You can configure Sensitive Data Protection to automatically generate profiles about data across an organization, folder, or project. Data profiles contain metrics and metadata about your data and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.
Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.
Benefits of publishing data profiles to Security Command Center
Sensitive Data Protection can generate observation findings in Security Command Center based on your data profiles. The findings show the calculated sensitivity and data risk levels of your data. This feature offers the following benefits in Security Command Center:
You can use these findings to inform your response when you encounter threats and vulnerabilities related to your data.
You can configure Security Command Center to prioritize resources for the attack path simulation feature automatically according to the sensitivity of the data that the resources contain. For more information, see Set resource priority values automatically by data sensitivity.
Generated Security Command Center findings
When you configure the discovery service to publish data profiles to Security Command Center, each table data profile generates the following Security Command Center findings:
Data sensitivity
- An indication of the sensitivity level of the data in a particular table. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
Data risk
- The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the table and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.
Finding generation latency
From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated Data sensitivity and Data risk findings to appear in Security Command Center.
Send data profiles to Security Command Center
The following is a high-level workflow for publishing data profiles to Security Command Center.
Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level, at any service tier.
If Security Command Center is activated at the project level only, findings from Sensitive Data Protection won't appear in Security Command Center.
If Security Command Center isn't activated for your organization, you must activate it. For more information, see one of the following, depending on your Security Command Center service tier:
Add Sensitive Data Protection as an integrated service. For more information, see Add a Google Cloud integrated service.
When you configure data profiling for an organization, folder, or project, turn on the Publish to Security Command Center option. You can also edit existing discovery scan configurations to turn on this option. To start creating or editing a scan configuration, go to the Scan configurations page in the Google Cloud console.
Enable publishing to Security Command Center in an existing configuration
If you have an existing discovery scan configuration that is not set to publish discovery results to Security Command Center, follow these steps:
In the Actions section, enable Publish to Security Command Center.
Click Save.
Query for Security Command Center findings related to data profiles
The following are example queries that you can use to find relevant Data sensitivity and Data risk findings in Security Command Center. You can enter these queries in the Query editor field. For more information about the query editor, see Edit a findings query in the Security Command Center dashboard.
List all Data sensitivity and Data risk findings for a particular BigQuery table
This query is useful, for example, if Security Command Center detects an event where a BigQuery table was saved to a different project. In this case, an Exfiltration: BigQuery Data Exfiltration finding is generated, and it contains the full display name of the table that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the table. View the calculated sensitivity and data risk levels for the table and plan your response accordingly.
state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"
Replace the following:
- PROJECT_ID: the ID of the project that contains the BigQuery table
- DATASET_ID: the dataset ID of the table
- TABLE_ID: the ID of the table
List all Data sensitivity and Data risk findings for a particular Cloud SQL instance
This query is useful, for example, if Security Command Center detects an event where live Cloud SQL instance data was exported to a Cloud Storage bucket outside of the organization. In this case, an Exfiltration: Cloud SQL Data Exfiltration finding is generated, and it contains the full resource name of the instance that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the instance. View the calculated sensitivity and data risk levels for the instance and plan your response accordingly.
state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND resource.name:"INSTANCE_NAME"
Replace the following:
- INSTANCE_NAME: a portion of the name of the Cloud SQL instance
List all Data risk and Data sensitivity findings with a High severity level
state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND severity="HIGH"
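The following Python script is an added example; it is not part of this page or of the Sensitive Data Protection documentation. It assembles the three queries above from parameters, evaluates them locally against a few constructed findings so that you can see why the OR between the two categories needs parentheses (the local evaluator assumes that AND binds tighter than OR, as in most query languages), and wraps the google-cloud-securitycenter list_findings call for running the same filter against an organization. The sample findings, project, dataset, table and instance names are constructed.

```python
import re
from typing import Optional

# The two finding categories that data profiles generate.
PROFILE_CATEGORIES = ("DATA_RISK", "DATA_SENSITIVITY")


def profile_findings_filter(*, bigquery_table: Optional[str] = None,
                            cloudsql_instance: Optional[str] = None,
                            severity: Optional[str] = None) -> str:
    """Build the SCC query for active, unmuted Data risk / Data sensitivity findings.

    bigquery_table    exact match on resource.display_name ("PROJECT_ID:DATASET_ID.TABLE_ID")
    cloudsql_instance substring match on resource.name (the ':' operator)
    severity          exact match on severity, for example "HIGH"
    """
    for value in (bigquery_table, cloudsql_instance, severity):
        if value is not None and '"' in value:
            raise ValueError("double quotes are not allowed inside a filter value")
    clauses = [
        'state="ACTIVE"',
        'NOT mute="MUTED"',
        # Parentheses stop the OR between the categories from swallowing the
        # clauses that follow it (see precedence_demo below).
        "(" + " OR ".join(f'category="{c}"' for c in PROFILE_CATEGORIES) + ")",
    ]
    if bigquery_table:
        clauses.append(f'resource.display_name="{bigquery_table}"')
    if cloudsql_instance:
        clauses.append(f'resource.name:"{cloudsql_instance}"')
    if severity:
        clauses.append(f'severity="{severity}"')
    return "\nAND ".join(clauses)


_TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|\bNOT\b|[A-Za-z_.]+[=:]"[^"]*"')
_RESTRICTION = re.compile(r'([A-Za-z_.]+)([=:])"([^"]*)"')


def matches(filter_text: str, finding: dict) -> bool:
    """Local evaluator for the filter subset used on this page.

    Assumption: AND binds tighter than OR, so 'a AND b OR c AND d' is read as
    '(a AND b) OR (c AND d)'. '=' is an exact match, ':' a substring match.
    """
    tokens = _TOKEN.findall(filter_text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def lookup(field: str) -> str:  # dotted path such as resource.display_name
        node = finding
        for part in field.split("."):
            node = node.get(part, "") if isinstance(node, dict) else ""
        return str(node)

    def factor() -> bool:
        tok = take()
        if tok == "NOT":
            return not factor()
        if tok == "(":
            value = expression()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        field, op, wanted = _RESTRICTION.fullmatch(tok).groups()
        actual = lookup(field)
        return actual == wanted if op == "=" else wanted in actual

    def term() -> bool:  # AND level
        value = factor()
        while peek() == "AND":
            take()
            value = factor() and value
        return value

    def expression() -> bool:  # OR level, lowest precedence
        value = term()
        while peek() == "OR":
            take()
            rhs = term()
            value = value or rhs
        return value

    result = expression()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return result


# Constructed sample findings, shaped like the fields the queries reference.
SAMPLE_FINDINGS = [
    {"state": "ACTIVE", "mute": "UNMUTED", "category": "DATA_SENSITIVITY", "severity": "HIGH",
     "resource": {"display_name": "my-project:sales.customers"}},
    {"state": "ACTIVE", "mute": "MUTED", "category": "DATA_SENSITIVITY", "severity": "HIGH",
     "resource": {"display_name": "my-project:sales.customers"}},
    {"state": "ACTIVE", "mute": "UNMUTED", "category": "DATA_RISK", "severity": "MEDIUM",
     "resource": {"display_name": "prod-db",
                  "name": "//sqladmin.googleapis.com/projects/my-project/instances/prod-db"}},
]


def precedence_demo() -> tuple:
    """Return (loose, strict): whether the muted finding matches the unparenthesized
    query and whether it matches the parenthesized one."""
    loose = ('state="ACTIVE" AND NOT mute="MUTED" AND category="DATA_RISK" '
             'OR category="DATA_SENSITIVITY" AND severity="HIGH"')
    strict = profile_findings_filter(severity="HIGH")
    muted = SAMPLE_FINDINGS[1]
    return matches(loose, muted), matches(strict, muted)


def list_findings_from_scc(organization_id: str, filter_text: str) -> list:
    """Run the same filter for real with the google-cloud-securitycenter client."""
    from google.cloud import securitycenter  # imported lazily; needs credentials
    client = securitycenter.SecurityCenterClient()
    parent = f"organizations/{organization_id}/sources/-"
    return [r.finding for r in client.list_findings(request={"parent": parent, "filter": filter_text})]
```

Call `profile_findings_filter(bigquery_table="my-project:sales.customers")` to get the table query, `profile_findings_filter(cloudsql_instance="prod-db")` for the instance query, and `profile_findings_filter(severity="HIGH")` for the severity query; pass the result to `list_findings_from_scc` with your organization ID. `precedence_demo()` returns `(True, False)`: without parentheses a muted Data sensitivity finding still satisfies the query, which is the kind of noise that hides the finding you are actually looking for during an exfiltration investigation.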
What's next
- Learn about how to Set resource priority values automatically by data sensitivity in Security Command Center.
- Learn how to report the presence of secrets in environment variables to Security Command Center.