Publish data profiles to Security Command Center

This page provides a high-level overview of the actions that you must take if you want data profiles to generate findings in Security Command Center. This page also provides example queries that you can use to find the generated findings.

You can configure Sensitive Data Protection to automatically generate profiles about data across an organization, folder, or project. Data profiles contain metrics and metadata about your data and help you determine where sensitive and high-risk data reside. Sensitive Data Protection reports these metrics at various levels of detail. For information about the types of data you can profile, see Supported resources.

Security Command Center is the centralized vulnerability and threat reporting service of Google Cloud. Security Command Center helps you strengthen your security posture by identifying misconfigurations, vulnerabilities, observations, and threats. It also provides recommendations for investigating and remediating the findings.

Benefits of publishing data profiles to Security Command Center

Sensitive Data Protection can generate observation findings in Security Command Center based on your data profiles. The findings show the calculated sensitivity and data risk levels of your data. This feature offers the following benefits in Security Command Center:

Generated Security Command Center findings

When you configure the discovery service to publish data profiles to Security Command Center, each table data profile generates the following Security Command Center findings:

Data sensitivity
An indication of the sensitivity level of the data in a particular table. Data is sensitive if it contains PII or other elements that might require additional control or management. The severity of the finding is the sensitivity level that Sensitive Data Protection calculated when generating the data profile.
Data risk
The risk associated with the data in its current state. When calculating data risk, Sensitive Data Protection considers the sensitivity level of the data in the table and the presence of access controls to protect that data. The severity of the finding is the data risk level that Sensitive Data Protection calculated when generating the data profile.

Finding generation latency

From the time Sensitive Data Protection generates the data profiles, it can take up to six hours for the associated Data sensitivity and Data risk findings to appear in Security Command Center.

Send data profiles to Security Command Center

The following is a high-level workflow for publishing data profiles to Security Command Center.

  1. Check the activation level of Security Command Center for your organization. To send data profiles to Security Command Center, you must have Security Command Center activated at the organization level, at any service tier.

    If Security Command Center is activated at the project level only, findings from Sensitive Data Protection won't appear in Security Command Center.

  2. If Security Command Center isn't activated for your organization, you must activate it. For more information, see one of the following, depending on your Security Command Center service tier:

  3. Add Sensitive Data Protection as an integrated service. For more information, see Add a Google Cloud integrated service.

  4. When you configure data profiling for an organization, folder, or project, turn on the Publish to Security Command Center option. You can also edit existing discovery scan configurations to turn on this option.

    To start creating or editing a scan configuration, go to the Scan configurations page in the Google Cloud console.

Enable publishing to Security Command Center in an existing configuration

If you have an existing discovery scan configuration that is not set to publish discovery results to Security Command Center, follow these steps:

  1. Open the scan configuration for editing.

  2. In the Actions section, enable Publish to Security Command Center.

  3. Click Save.

Query for Security Command Center findings related to data profiles

The following are example queries that you can use to find relevant Data sensitivity and Data risk findings in Security Command Center. You can enter these queries in the Query editor field. For more information about the query editor, see Edit a findings query in the Security Command Center dashboard.

List all Data sensitivity and Data risk findings for a particular BigQuery table

This query is useful, for example, if Security Command Center detects an event where a BigQuery table was saved to a different project. In this case, an Exfiltration: BigQuery Data Exfiltration finding is generated, and it contains the full display name of the table that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the table. View the calculated sensitivity and data risk levels for the table and plan your response accordingly.

state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND resource.display_name="PROJECT_ID:DATASET_ID.TABLE_ID"

Replace the following:

  • PROJECT_ID: the ID of the project that contains the BigQuery table
  • DATASET_ID: the dataset ID of the table
  • TABLE_ID: the ID of the table

List all Data sensitivity and Data risk findings for a particular Cloud SQL instance

This query is useful, for example, if Security Command Center detects an event where live Cloud SQL instance data was exported to a Cloud Storage bucket outside of the organization. In this case, an Exfiltration: Cloud SQL Data Exfiltration finding is generated, and it contains the full resource name of the instance that was exfiltrated. You can search for any Data sensitivity and Data risk findings related to the instance. View the calculated sensitivity and data risk levels for the instance and plan your response accordingly.

state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND resource.name:"INSTANCE_NAME"

Replace the following:

  • INSTANCE_NAME: a portion of the name of the Cloud SQL instance

List all Data risk and Data sensitivity findings with a High severity level

state="ACTIVE"
AND NOT mute="MUTED"
AND (category="DATA_RISK" OR category="DATA_SENSITIVITY")
AND severity="HIGH"
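The three queries above can also be run programmatically. The following Python is an added example, not code from this page or from Google; it builds the same filters (with the category alternatives grouped, because AND binds tighter than OR in the findings filter syntax), summarizes the returned findings per resource, and assumes the google-cloud-securitycenter client library is installed and that org_id is supplied by the caller.

```python
"""Query Security Command Center for the Data sensitivity and Data risk findings
that Sensitive Data Protection publishes. Added example, not Google's own code."""
from collections import defaultdict

PROFILE_CATEGORIES = ("DATA_RISK", "DATA_SENSITIVITY")


def build_filter(resource_field=None, value=None, substring=False, severity=None):
    """Return an SCC findings filter for active, unmuted data-profile findings.

    The two categories are parenthesised on purpose: AND binds tighter than OR,
    so an ungrouped `... AND category="DATA_RISK" OR category="DATA_SENSITIVITY"
    AND resource.display_name="X"` would also match every active DATA_RISK
    finding in the organization, not only the findings on X.
    """
    clauses = [
        'state="ACTIVE"',
        'NOT mute="MUTED"',
        '(category="DATA_RISK" OR category="DATA_SENSITIVITY")',
    ]
    if resource_field:
        op = ":" if substring else "="  # ':' is the substring-match operator
        clauses.append(f'{resource_field}{op}"{value}"')
    if severity:
        clauses.append(f'severity="{severity}"')
    return " AND ".join(clauses)


def summarize(findings):
    """Map each resource display name to its {category: severity} pairs.
    `findings` is a list of dicts as returned by list_data_profile_findings()."""
    summary = defaultdict(dict)
    for f in findings:
        if f["category"] in PROFILE_CATEGORIES:  # ignore unrelated findings
            summary[f["display_name"]][f["category"]] = f["severity"]
    return dict(summary)


def list_data_profile_findings(org_id, filter_expr):
    """Run the filter against SCC (network call; needs google-cloud-securitycenter)."""
    from google.cloud import securitycenter  # lazy import: helpers above work offline

    client = securitycenter.SecurityCenterClient()
    request = {"parent": f"organizations/{org_id}/sources/-", "filter": filter_expr}
    return [
        {"display_name": result.resource.display_name,
         "category": result.finding.category,
         "severity": result.finding.severity.name}
        for result in client.list_findings(request=request)
    ]
```

Call `summarize(list_data_profile_findings(org_id, build_filter("resource.display_name", "PROJECT_ID:DATASET_ID.TABLE_ID")))` to get the table's calculated sensitivity and data risk levels in one step.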

What's next