Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Data exfiltration from BigQuery is detected by examining audit
logs for two scenarios:
A resource is saved to a Cloud Storage bucket outside of your organization.
A resource is saved to a publicly accessible Cloud Storage bucket owned by your organization.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open an Exfiltration: BigQuery Data Extraction finding, as directed in
Reviewing findings. The details panel for the finding
opens to the Summary tab.
On the Summary tab of the finding details panel, review the
listed values in the following sections:
What was detected:
Principal email: the account used to exfiltrate the data.
Exfiltration sources: details about the tables from which data
was exfiltrated.
Exfiltration targets: details about the tables where exfiltrated
data was stored.
Affected resource:
Resource full name: the name of the BigQuery
resource whose data was exfiltrated.
Project full name: the Google Cloud project that
contains the source BigQuery dataset.
Related links:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
In the finding details panel, click the JSON tab.
In the JSON, note the following fields.
sourceProperties:
evidence:
sourceLogId:
projectId: the Google Cloud project that
contains the source BigQuery dataset.
properties:
extractionAttempt:
jobLink: the link to the BigQuery job that
exfiltrated data
If necessary, select the project listed in the projectId field in the
finding JSON (from Step 1).
On the page that appears, in the Filter box, enter the email address
listed in Principal email (from Step 1)
and check what permissions are assigned to the account.
Step 3: Check logs
On the Summary tab of the finding details panel, click the
Cloud Logging URI link to open the Logs Explorer.
Find admin activity logs related to BigQuery jobs by using
the following filters:
Review related findings by clicking the link
on the Related findings row in the Summary tab of the
finding details.
Related findings are the same finding type on the same instance and network.
To develop a response plan, combine your investigation results with MITRE
research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the project with exfiltrated data.
Consider revoking permissions
for the principal that listed on the Principal email row in the
Summary tab of the finding details until the investigation is completed.
To stop further exfiltration,
add restrictive IAM policies
to the impacted BigQuery datasets that are identified
in the Exfiltration sources field on the Summary tab of the
finding details.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nData exfiltration from BigQuery is detected by examining audit\nlogs for two scenarios:\n\n- A resource is saved to a Cloud Storage bucket outside of your organization.\n- A resource is saved to a publicly accessible Cloud Storage bucket owned by your organization.\n\n\nFor project-level activations of the Security Command Center Premium tier,\nthis finding is available only if the Standard tier is enabled in the\nparent organization.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open an `Exfiltration: BigQuery Data Extraction` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.\n2. On the **Summary** tab of the finding details panel, review the\n listed values in the following sections:\n\n - **What was detected** :\n - **Principal email**: the account used to exfiltrate the data.\n - **Exfiltration sources**: details about the tables from which data was exfiltrated.\n - **Exfiltration targets**: details about the tables where exfiltrated data was stored.\n - **Affected resource** :\n - **Resource full name**: the name of the BigQuery resource whose data was exfiltrated.\n - **Project full name**: the Google Cloud project that contains the source BigQuery dataset.\n - **Related links** :\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n3. In the finding details panel, click the **JSON** tab.\n\n4. In the JSON, note the following fields.\n\n - `sourceProperties`:\n - `evidence`:\n - `sourceLogId`:\n - `projectId`: the Google Cloud project that contains the source BigQuery dataset.\n - `properties`:\n - `extractionAttempt`:\n - `jobLink`: the link to the BigQuery job that exfiltrated data\n\nStep 2: Review permissions and settings\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n2. If necessary, select the project listed in the `projectId` field in the\n finding JSON (from [Step 1](#biqquery_extraction_findings)).\n\n3. On the page that appears, in the **Filter** box, enter the email address\n listed in **Principal email** (from [Step 1](#biqquery_extraction_findings))\n and check what permissions are assigned to the account.\n\nStep 3: Check logs\n\n1. On the **Summary tab** of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.\n2. Find admin activity logs related to BigQuery jobs by using the following filters:\n - `protoPayload.methodName=\"Jobservice.insert\"`\n - `protoPayload.methodName=\"google.cloud.bigquery.v2.JobService.InsertJob\"`\n\nStep 4: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/).\n2. Review related findings by clicking the link on the **Related findings** row in the **Summary** tab of the finding details. Related findings are the same finding type on the same instance and network.\n3. To develop a response plan, combine your investigation results with MITRE research.\n\nStep 5: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n- Contact the owner of the project with exfiltrated data.\n- Consider [revoking permissions](/iam/docs/granting-changing-revoking-access#revoking-console) for the principal that listed on the **Principal email** row in the **Summary** tab of the finding details until the investigation is completed.\n- To stop further exfiltration, [add restrictive IAM policies](/bigquery/docs/dataset-access-controls) to the impacted BigQuery datasets that are identified in the **Exfiltration sources** field on the **Summary** tab of the finding details.\n- To scan impacted datasets for sensitive information, [use\n Sensitive Data Protection](/bigquery/docs/scan-with-dlp). You can also [send\n Sensitive Data Protection data to Security Command Center](/sensitive-data-protection/docs/sending-results-to-scc). Depending on the quantity of information, Sensitive Data Protection costs can be significant. Follow best practices for [keeping Sensitive Data Protection costs\n under control](/sensitive-data-protection/docs/best-practices-costs).\n- To limit access to the BigQuery API, [use\n VPC Service Controls](/vpc-service-controls/docs/overview).\n- If you are the owner of the bucket, consider [revoking public\n access permissions](/storage/docs/access-control/making-data-public).\n- To identify and fix overly permissive roles, use [IAM\n Recommender](/iam/docs/recommender-overview).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
