Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Data exfiltration from Cloud SQL is detected by examining audit
logs for two scenarios:
Live instance data exported to a Cloud Storage bucket outside
the organization.
Live instance data exported to a Cloud Storage bucket that is
owned by the organization and is publicly accessible.
All Cloud SQL instance types are supported.
For project-level activations of the Security Command Center Premium tier,
this finding is available only if the Standard tier is enabled in the
parent organization.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open an Exfiltration: Cloud SQL Data Exfiltration finding, as directed
in Reviewing findings. The details panel for the
finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Principal email : the account used to exfiltrate the data.
Exfiltration sources: details about the Cloud SQL
instance whose data was exfiltrated.
Exfiltration targets: details about the Cloud Storage
bucket the data was exported to.
Affected resource, especially the following fields:
Resource full name: the resource name of the Cloud SQL
whose data was exfiltrated.
Project full name: the Google Cloud project that
contains the source Cloud SQL data.
Related links, including:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
Click the JSON tab.
In the JSON for the finding, note the following fields:
sourceProperties:
evidence:
sourceLogId:
projectId: the Google Cloud project that
contains the source Cloud SQL instance.
properties
bucketAccess: whether the Cloud Storage bucket is publicly
accessible or external to the organization
exportScope: how much of the data was exported, such as,
the whole instance, one or more databases, one or more tables,
or a subset specified by a query)
If necessary, select the project of the instance listed in the
projectId field in the finding JSON (from Step 1).
On the page that appears, in the Filter box, enter the email address
listed on the Principal email row in the Summary tab of the
finding details (from Step 1). Check what
permissions are assigned to the account.
Step 3: Check logs
In the Google Cloud console, go to Logs Explorer by clicking
the link in Cloud Logging URI (from Step 1).
The Logs Explorer page includes all logs related to the relevant
Cloud SQL instance.
Review related findings by clicking the link on the Related findings
row that was described in Step 1). Related
findings have the same finding type on the same Cloud SQL
instance.
To develop a response plan, combine your investigation results with MITRE
research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the project with exfiltrated data.
Consider revoking permissions for access.principalEmail
until the investigation is completed.
To stop further exfiltration, add restrictive IAM policies to
the impacted Cloud SQL instances.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nData exfiltration from Cloud SQL is detected by examining audit\nlogs for two scenarios:\n\n- Live instance data exported to a Cloud Storage bucket outside the organization.\n- Live instance data exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible.\n\nAll Cloud SQL instance types are supported.\n\n\nFor project-level activations of the Security Command Center Premium tier,\nthis finding is available only if the Standard tier is enabled in the\nparent organization.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open an `Exfiltration: Cloud SQL Data Exfiltration` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.\n2. On the **Summary** tab, review the information in the following sections:\n\n - **What was detected** , especially the following fields:\n - **Principal email** : the account used to exfiltrate the data.\n - **Exfiltration sources**: details about the Cloud SQL instance whose data was exfiltrated.\n - **Exfiltration targets**: details about the Cloud Storage bucket the data was exported to.\n - **Affected resource** , especially the following fields:\n - **Resource full name**: the resource name of the Cloud SQL whose data was exfiltrated.\n - **Project full name**: the Google Cloud project that contains the source Cloud SQL data.\n - **Related links** , including:\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n3. Click the **JSON** tab.\n\n4. In the JSON for the finding, note the following fields:\n\n - `sourceProperties`:\n - `evidence`:\n - `sourceLogId`:\n - `projectId`: the Google Cloud project that contains the source Cloud SQL instance.\n - `properties`\n - `bucketAccess`: whether the Cloud Storage bucket is publicly accessible or external to the organization\n - `exportScope`: how much of the data was exported, such as, the whole instance, one or more databases, one or more tables, or a subset specified by a query)\n\nStep 2: Review permissions and settings\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n \u003cbr /\u003e\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n\n \u003cbr /\u003e\n\n2. If necessary, select the project of the instance listed in the\n `projectId` field in the finding JSON (from [Step 1](#cloudsql_findings)).\n\n3. On the page that appears, in the **Filter** box, enter the email address\n listed on the **Principal email** row in the **Summary** tab of the\n finding details (from [Step 1](#cloudsql_findings)). Check what\n permissions are assigned to the account.\n\nStep 3: Check logs\n\n1. In the Google Cloud console, go to **Logs Explorer** by clicking the link in **Cloud Logging URI** (from [Step 1](#cloudsql_findings)). The **Logs Explorer** page includes all logs related to the relevant Cloud SQL instance.\n\nStep 4: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/).\n2. Review related findings by clicking the link on the **Related findings** row that was described in [Step 1](#cloudsql_findings)). Related findings have the same finding type on the same Cloud SQL instance.\n3. To develop a response plan, combine your investigation results with MITRE research.\n\nStep 5: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n- Contact the owner of the project with exfiltrated data.\n- Consider [revoking permissions](/iam/docs/granting-changing-revoking-access#revoking-console) for `access.principalEmail` until the investigation is completed.\n- To stop further exfiltration, add restrictive IAM policies to the impacted Cloud SQL instances.\n - [MySQL](/sql/docs/mysql/instance-access-control)\n - [PostgreSQL](/sql/docs/postgres/instance-access-control)\n - [SQL Server](/sql/docs/sqlserver/instance-access-control)\n- To limit access to and export from the Cloud SQL Admin API, [use\n VPC Service Controls](/vpc-service-controls/docs/overview).\n- To identify and fix overly permissive roles, use [IAM\n Recommender](/iam/docs/recommender-overview).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
