Enable discovery actions

This section describes how to specify actions that you want Sensitive Data Protection to take after profiling a resource. These actions are useful if you want to send insights gathered from data profiles to other Google Cloud services.

To enable discovery actions, create or edit a discovery scan configuration. The following sections describe the different actions that you can enable in the Add actions section of the scan configuration.

Not all actions on this page are available for each discovery type. For example, you can't attach tags to resources if you are configuring discovery for resources from another cloud provider. For more information, see Supported actions on this page.

For more information about sensitive data discovery, see Data profiles.

Publish to Google Security Operations

Metrics gathered from data profiles can add context to your Google Security Operations findings. The added context can help you determine the most important security issues to address.

For example, if you're investigating a particular service agent, Google Security Operations can determine what resources the service agent accessed and whether any of those resources have high-sensitivity data.

To send your data profiles to your Google Security Operations instance, turn on Publish to Google Security Operations.

If you don't have a Google Security Operations instance enabled for your organization—through the standalone product or through Security Command Center Enterprise—turning on this option has no effect.

Publish to Security Command Center

Findings from data profiles provide context when you triage and develop response plans for your vulnerability and threat findings in Security Command Center.

Before you can use this action, Security Command Center must be activated at the organization level. Turning on Security Command Center at the organization level enables the flow of findings from integrated services like Sensitive Data Protection. Sensitive Data Protection works with Security Command Center in all service tiers.

If Security Command Center isn't activated at the organization level, Sensitive Data Protection findings won't appear in Security Command Center. For more information, see Check the activation level of Security Command Center.

To send the results of your data profiles to Security Command Center, make sure the Publish to Security Command Center option is turned on.

For more information, see Publish data profiles to Security Command Center.

Save data profile copies to BigQuery

Sensitive Data Protection saves a copy of each generated data profile in a BigQuery table. If you don't provide the details of your preferred table, Sensitive Data Protection creates a dataset and table in the service agent container. By default, the dataset is named sensitive_data_protection_discovery and the table is named discovery_profiles.

This action lets you keep a history of all of your generated profiles. This history can be useful for creating audit reports and visualizing data profiles. You can also load this information into other systems.

Also, this option lets you see all of your data profiles in a single view, regardless of which region your data resides in. Although you can also view the data profiles through the Google Cloud console, the console displays the profiles in only one region at a time.

When Sensitive Data Protection fails to profile a resource, it periodically retries. To minimize noise in the exported data, Sensitive Data Protection exports only the successfully generated profiles to BigQuery.

Sensitive Data Protection starts exporting profiles from the time you turn on this option. Profiles that were generated before you turned on exporting aren't saved to BigQuery.

For example queries that you can use when analyzing data profiles, see Analyze data profiles.

Save sample discovery findings to BigQuery

Sensitive Data Protection can add sample findings to a BigQuery table of your choice. Sample findings represent a subset of all findings and might not represent all infoTypes that were discovered. Normally, the system generates around 10 sample findings per resource, but this number can vary for each discovery run.

Each finding includes the actual string (also called quote) that was detected and its exact location.

This action is useful if you want to evaluate whether your inspection configuration is correctly matching the type of information that you want to flag as sensitive. Using the exported data profiles and the exported sample findings, you can run queries to get more information about the specific items that were flagged, the infoTypes they matched, their exact locations, their calculated sensitivity levels, and other details.

This example requires both Save data profile copies to BigQuery and Save sample discovery findings to BigQuery to be enabled.

The following query, for Cloud Storage (file store) profiles, uses an INNER JOIN operation on both the table of exported data profiles and the table of exported sample findings. In the resulting table, each record shows the finding's quote, the infoType that it matched, the bucket that contains the finding, and the calculated sensitivity level of that bucket.

SELECT
 findings_table.quote,
 findings_table.infotype.name,
 findings_table.location.container_name,
 profiles_table.file_store_profile.file_store_path AS bucket_name,
 profiles_table.file_store_profile.sensitivity_score AS bucket_sensitivity_score
FROM
 `FINDINGS_TABLE_PROJECT_ID.FINDINGS_TABLE_DATASET_ID.FINDINGS_TABLE_ID_latest_v1` AS findings_table
INNER JOIN
 `PROFILES_TABLE_PROJECT_ID.PROFILES_TABLE_DATASET_ID.PROFILES_TABLE_ID_latest_v1` AS profiles_table
ON
 findings_table.data_profile_resource_name = profiles_table.file_store_profile.name

This example also requires both Save data profile copies to BigQuery and Save sample discovery findings to BigQuery to be enabled.

The following query, for BigQuery table profiles, uses an INNER JOIN operation on both the table of exported data profiles and the table of exported sample findings. In the resulting table, each record shows the finding's quote, the infoType that it matched, the table and column that contain the finding, and the calculated sensitivity level of that table.

SELECT
 findings_table.quote,
 findings_table.infotype.name,
 findings_table.location.container_name,
 findings_table.location.data_profile_finding_record_location.field.name AS field_name,
 profiles_table.table_profile.dataset_project_id AS project_id,
 profiles_table.table_profile.dataset_id AS dataset_id,
 profiles_table.table_profile.table_id AS table_id,
 profiles_table.table_profile.sensitivity_score AS table_sensitivity_score
FROM
 `FINDINGS_TABLE_PROJECT_ID.FINDINGS_TABLE_DATASET_ID.FINDINGS_TABLE_ID_latest_v1` AS findings_table
INNER JOIN
 `PROFILES_TABLE_PROJECT_ID.PROFILES_TABLE_DATASET_ID.PROFILES_TABLE_ID_latest_v1` AS profiles_table
ON
 findings_table.data_profile_resource_name = profiles_table.table_profile.name

To save sample findings to a BigQuery table, follow these steps:

  1. Turn on Save sample discovery findings to BigQuery.

  2. Enter the details of the BigQuery table where you want to save the sample findings.

    The table that you specify for this action must be different from the table used for the Save data profile copies to BigQuery action.

    • For Project ID, enter the ID of an existing project where you want to export the findings.

    • For Dataset ID, enter the name of an existing dataset in the project.

    • For Table ID, enter the name of the BigQuery table where you want to save the findings. If this table doesn't exist, Sensitive Data Protection automatically creates it for you using the name that you provide.

For information about the contents of each finding that is saved in the BigQuery table, see DataProfileFinding.

Attach tags to resources

Turning on Attach tags to resources instructs Sensitive Data Protection to automatically tag your data according to its calculated sensitivity level. This section requires you to first complete the tasks in Control IAM access to resources based on data sensitivity.

To automatically tag a resource according to its calculated sensitivity level, follow these steps:

  1. Turn on the Tag resources option.
  2. For each sensitivity level (high, moderate, low, and unknown), enter the path of the tag value that you created for the given sensitivity level.

    If you skip a sensitivity level, no tag is attached for it.

  3. To automatically lower the data risk level of a resource when the sensitivity level tag is present, select When a tag is applied to a resource, lower the data risk of its profile to LOW. This option helps you measure the improvement in your data security and privacy posture.

  4. Select one or both of the following options:

    • Tag a resource when it is profiled for the first time.
    • Tag a resource when its profile is updated. Select this option if you want Sensitive Data Protection to overwrite the sensitivity level tag value on succeeding discovery runs. Consequently, a principal's access to a resource changes automatically as the calculated data sensitivity level for that resource increases or decreases.

      Don't select this option if you plan to manually update the sensitivity level tag values that the discovery service attached to your resources. If you select this option, Sensitive Data Protection can overwrite your manual updates.

Publish to Pub/Sub

Turning on Publish to Pub/Sub lets you take programmatic actions based on profiling results. You can use Pub/Sub notifications to develop a workflow for catching and remediating findings with significant data risk or sensitivity.

To send notifications to a Pub/Sub topic, follow these steps:

  1. Turn on Publish to Pub/Sub.

    A list of options appears. Each option describes an event that causes Sensitive Data Protection to send a notification to Pub/Sub.

  2. Select the events that should trigger a Pub/Sub notification.

    If you select Send a Pub/Sub notification each time a profile is updated, Sensitive Data Protection sends a notification when there's a change in the sensitivity level, data risk level, detected infoTypes, public access, and other important metrics in the profile.

  3. For each event you select, follow these steps:

    1. Enter the name of the topic. The name must be in the following format:

      projects/PROJECT_ID/topics/TOPIC_ID

      Replace the following:

      • PROJECT_ID: the ID of the project associated with the Pub/Sub topic.
      • TOPIC_ID: the ID of the Pub/Sub topic.
    2. Specify whether to include the full resource profile in the notification, or just the full resource name of the resource that was profiled.

    3. Set the minimum data risk and sensitivity levels that must be met for Sensitive Data Protection to send a notification.

    4. Specify whether only one or both of the data risk and sensitivity conditions must be met. For example, if you choose AND, then both the data risk and the sensitivity conditions must be met before Sensitive Data Protection sends a notification.
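The gating logic in steps 3 and 4 (minimum data risk, minimum sensitivity, joined with AND or OR) as a consumer-side handler, written here as an added example rather than code from the Sensitive Data Protection documentation. It assumes the Pub/Sub payload has already been decoded into a dict shaped like the DLP API's DataProfilePubSubMessage (an `event` plus either `profile` or `file_store_profile`); the enum names and the sample messages are constructed.

```python
from dataclasses import dataclass

# Ordered so a higher index is a higher level. UNKNOWN ranks lowest so that a
# profile whose score could not be computed never satisfies a minimum threshold.
RISK_ORDER = ["RISK_UNKNOWN", "RISK_LOW", "RISK_MODERATE", "RISK_HIGH"]
SENSITIVITY_ORDER = ["SENSITIVITY_UNKNOWN", "SENSITIVITY_LOW",
                     "SENSITIVITY_MODERATE", "SENSITIVITY_HIGH"]


@dataclass
class NotificationRule:
    """Mirrors the console options: trigger events, minimum levels, AND/OR."""
    events: frozenset
    min_risk: str = "RISK_LOW"
    min_sensitivity: str = "SENSITIVITY_LOW"
    require_both: bool = True  # True = AND, False = OR


def _at_least(level, minimum, order):
    return order.index(level) >= order.index(minimum)


def should_alert(msg, rule):
    """Re-apply the service's gate on the consumer side (guards against a
    misconfigured topic feeding a remediation workflow)."""
    if msg.get("event") not in rule.events:
        return False
    prof = msg.get("profile") or msg.get("file_store_profile")
    if prof is None:  # name-only notification: no scores to filter on
        return True
    risk_ok = _at_least(prof["data_risk_level"]["score"], rule.min_risk, RISK_ORDER)
    sens_ok = _at_least(prof["sensitivity_score"]["score"], rule.min_sensitivity,
                        SENSITIVITY_ORDER)
    return (risk_ok and sens_ok) if rule.require_both else (risk_ok or sens_ok)


def triage(messages, rule):
    """Return the full resource names that a remediation workflow should pick up."""
    return [(m.get("profile") or m.get("file_store_profile"))["full_resource"]
            for m in messages if should_alert(m, rule)]


# Constructed sample notifications (assumed field layout, hypothetical resources).
SAMPLES = [
    {"event": "NEW_PROFILE", "profile": {
        "full_resource": "//bigquery.googleapis.com/projects/example-proj/datasets/hr/tables/staff",
        "data_risk_level": {"score": "RISK_HIGH"}, "sensitivity_score": {"score": "SENSITIVITY_HIGH"}}},
    {"event": "CHANGED_PROFILE", "file_store_profile": {
        "full_resource": "//storage.googleapis.com/projects/_/buckets/example-exports",
        "data_risk_level": {"score": "RISK_LOW"}, "sensitivity_score": {"score": "SENSITIVITY_HIGH"}}},
    {"event": "ERROR_CHANGED", "profile": {
        "full_resource": "//bigquery.googleapis.com/projects/example-proj/datasets/tmp/tables/scratch",
        "data_risk_level": {"score": "RISK_HIGH"}, "sensitivity_score": {"score": "SENSITIVITY_HIGH"}}},
]
AND_RULE = NotificationRule(frozenset({"NEW_PROFILE", "CHANGED_PROFILE"}),
                            "RISK_MODERATE", "SENSITIVITY_MODERATE", require_both=True)
OR_RULE = NotificationRule(frozenset({"NEW_PROFILE", "CHANGED_PROFILE"}),
                           "RISK_MODERATE", "SENSITIVITY_MODERATE", require_both=False)
```

With the AND rule only the high-risk, high-sensitivity table is queued; switching to OR also queues the low-risk bucket because its sensitivity alone meets the minimum, and the ERROR_CHANGED event is ignored under both rules because it was not selected.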

Send to Dataplex as tags

This feature is deprecated.

This action lets you create tags in Dataplex based on insights from data profiles. This action is only applied to new and updated profiles. Existing profiles that aren't updated aren't sent to Dataplex.

Dataplex is a Google Cloud service that unifies distributed data and automates data management and governance for that data. When you enable this action, tables that you profile are automatically tagged in Dataplex according to insights gathered from the data profiles. You can then search your organization and projects for tables with specific tag values.

To send the data profiles to Dataplex, make sure that the Send to Dataplex as tags option is turned on.

For more information, see Tag tables in Dataplex based on insights from data profiles.

Send to Dataplex Catalog as aspects

This action lets you add Dataplex Catalog aspects to profiled resources based on insights from data profiles. This action is only applied to new and updated profiles. Existing profiles that aren't updated aren't sent to Dataplex.

When you enable this action, Sensitive Data Protection attaches the Sensitive Data Protection profile aspect to the Dataplex entry for each new or updated resource that you profile. The generated aspects contain insights gathered from the data profiles. You can then search your organization and projects for entries with specific Sensitive Data Protection profile aspect values.

To send the data profiles to Dataplex, make sure that the Send to Dataplex Catalog as aspects option is turned on.

For more information, see Add Dataplex Catalog aspects based on insights from data profiles.

Supported actions

The following table shows which actions are supported for each discovery type.

Actions (table columns):

  • Publish to Google Security Operations
  • Publish to Security Command Center
  • Save data profile copies to BigQuery
  • Save sample discovery findings to BigQuery
  • Attach tags to resources
  • Publish to Pub/Sub
  • Send to Dataplex as tags
  • Send to Dataplex Catalog as aspects

Discovery types (table rows):

  • Amazon S3
  • Azure Blob Storage
  • BigQuery
  • Cloud SQL
  • Cloud Storage
  • Vertex AI

What's next