Console
Start free

Enable discovery actions

This section describes how to specify actions that you want Sensitive Data Protection to take after profiling a resource. These actions are useful if you want to send insights gathered from data profiles to other Google Cloud services.

To enable discovery actions, create or edit a discovery scan configuration. The following sections describe the different actions that you can enable in the Add actions section of the scan configuration.

Not all actions on this page are available for each discovery type. For example, you can't attach tags to resources if you are configuring discovery for resources from another cloud provider. For more information, see Supported actions on this page.

For more information about sensitive data discovery, see Data profiles.

Inspection and risk analysis operations have a different set of actions. For more information, see Enable inspection or risk analysis actions.

Publish to Google Security Operations

Metrics gathered from data profiles can add context to your Google Security Operations findings. The added context can help you determine the most important security issues to address.

For example, if you're investigating a particular service agent, Google Security Operations can determine what resources the service agent accessed and whether any of those resources have high-sensitivity data.

To send your data profiles to your Google Security Operations instance, turn on Publish to Google Security Operations.

If you don't have a Google Security Operations instance enabled for your organization—through the standalone product or through Security Command Center Enterprise—turning on this option has no effect.

Publish to Security Command Center

Findings from data profiles provide context when you triage and develop response plans for your vulnerability and threat findings in Security Command Center.

Before you can use this action, Security Command Center must be activated at the organization level. Turning on Security Command Center at the organization level enables the flow of findings from integrated services like Sensitive Data Protection. Sensitive Data Protection works with Security Command Center in all service tiers.

If Security Command Center isn't activated at the organization level, Sensitive Data Protection findings won't appear in Security Command Center. For more information, see Check the activation level of Security Command Center.

To send the results of your data profiles to Security Command Center, make sure the Publish to Security Command Center option is turned on.

For more information, see Publish data profiles to Security Command Center.

Save data profile copies to BigQuery

Sensitive Data Protection saves a copy of each generated data profile in a BigQuery table. If you don't provide the details of your preferred table, Sensitive Data Protection creates a dataset and table in the service agent container. By default, the dataset is named sensitive_data_protection_discovery and the table is named discovery_profiles.

This action lets you keep a history of all of your generated profiles. This history can be useful for creating audit reports and visualizing data profiles. You can also load this information into other systems.

Also, this option lets you see all of your data profiles in a single view, regardless of which region your data resides in. Although you can also view the data profiles through the Google Cloud console, the console displays the profiles in only one region at a time.

When Sensitive Data Protection fails to profile a resource, it periodically retries. To minimize noise in the exported data, Sensitive Data Protection exports only the successfully generated profiles to BigQuery.

Sensitive Data Protection starts exporting profiles from the time you turn on this option. Profiles that were generated before you turned on exporting aren't saved to BigQuery.

For example queries that you can use when analyzing data profiles, see Analyze data profiles.

Save sample discovery findings to BigQuery

Sensitive Data Protection can add sample findings to a BigQuery table of your choice. Sample findings represent a subset of all findings and might not represent all infoTypes that were discovered. Normally, the system generates around 10 sample findings per resource, but this number can vary for each discovery run.

Each finding includes the actual string (also called quote) that was detected and its exact location.

This action is useful if you want to evaluate whether your inspection configuration is correctly matching the type of information that you want to flag as sensitive. Using the exported data profiles and the exported sample findings, you can run queries to get more information about the specific items that were flagged, the infoTypes they matched, their exact locations, their calculated sensitivity levels, and other details.

This example requires both Save data profile copies to BigQuery and Save sample discovery findings to BigQuery to be enabled.

The following query uses an INNER JOIN operation on both the table of exported data profiles and the table of exported sample findings. In the resulting table, each record shows the finding's quote, the infoType that it matched, the resource that contains the finding, and the calculated sensitivity level of the resource. 

SELECT
 findings_table.quote,
 findings_table.infotype.name,
 findings_table.location.container_name,
 profiles_table.file_store_profile.file_store_path as bucket_name,
 profiles_table.file_store_profile.sensitivity_score as bucket_sensitivity_score
FROM
 `FINDINGS_TABLE_PROJECT_ID.FINDINGS_TABLE_DATASET_ID.FINDINGS_TABLE_ID_latest_v1` AS findings_table
INNER JOIN
 `PROFILES_TABLE_PROJECT_ID.PROFILES_TABLE_DATASET_ID.PROFILES_TABLE_ID_latest_v1` AS profiles_table
ON
 findings_table.data_profile_resource_name=profiles_table.file_store_profile.name

This example requires both Save data profile copies to BigQuery and Save sample discovery findings to BigQuery to be enabled.

The following query uses an INNER JOIN operation on both the table of exported data profiles and the table of exported sample findings. In the resulting table, each record shows the finding's quote, the infoType that it matched, the resource that contains the finding, and the calculated sensitivity level of the resource. 

SELECT
 findings_table.quote,
 findings_table.infotype.name,
 findings_table.location.container_name,
 findings_table.location.data_profile_finding_record_location.field.name AS field_name,
 profiles_table.table_profile.dataset_project_id AS project_id,
 profiles_table.table_profile.dataset_id AS dataset_id,
 profiles_table.table_profile.table_id AS table_id,
 profiles_table.table_profile.sensitivity_score AS table_sensitivity_score
 FROM
 `FINDINGS_TABLE_PROJECT_ID.FINDINGS_TABLE_DATASET_ID.FINDINGS_TABLE_ID_latest_v1` AS findings_table
INNER JOIN
 `PROFILES_TABLE_PROJECT_ID.PROFILES_TABLE_DATASET_ID.PROFILES_TABLE_ID_latest_v1` AS profiles_table
ON
 findings_table.data_profile_resource_name=profiles_table.table_profile.name

To save sample findings to a BigQuery table, follow these steps:

  1. Turn on Save sample discovery findings to BigQuery.

  2. Enter the details of the BigQuery table where you want to save the sample findings.

    The table that you specify for this action must be different from the table used for the Save data profile copies to BigQuery action.

For information about the contents of each finding that is saved in the BigQuery table, see DataProfileFinding.

Attach tags to resources

Turning on Attach tags to resources instructs Sensitive Data Protection to automatically tag your data according to its calculated sensitivity level. This section requires you to first complete the tasks in Control IAM access to resources based on data sensitivity.

To automatically tag a resource according to its calculated sensitivity level, follow these steps:

  1. Turn on the Tag resources option.

  2. For each sensitivity level (high, moderate, low, and unknown), enter the path of the tag value that you created for the given sensitivity level.

    If you skip a sensitivity level, no tag is attached for it.

  3. To automatically lower the data risk level of a resource when the sensitivity level tag is present, select When a tag is applied to a resource, lower the data risk of its profile to LOW. This option helps you measure the improvement in your data security and privacy posture.

  4. Select one or both of the following options:

Publish to Pub/Sub

Turning on Publish to Pub/Sub lets you take programmatic actions based on profiling results. You can use Pub/Sub notifications to develop a workflow for catching and remediating findings with significant data risk or sensitivity.

To send notifications to a Pub/Sub topic, follow these steps:

  1. Turn on Publish to Pub/Sub.

    A list of options appears. Each option describes an event that causes Sensitive Data Protection to send a notification to Pub/Sub.

  2. Select the events that should trigger a Pub/Sub notification.

    If you select Send a Pub/Sub notification each time a profile is updated, Sensitive Data Protection sends a notification when there's a change in the sensitivity level, data risk level, detected infoTypes, public access, and other important metrics in the profile.

  3. For each event you select, follow these steps:

    1. Enter the name of the topic. The name must be in the following format:

      projects/PROJECT_ID/topics/TOPIC_ID

      Replace the following:

      • PROJECT_ID: the ID of the project associated with the Pub/Sub topic.
      • TOPIC_ID: the ID of the Pub/Sub topic.

    2. Specify whether to include the full resource profile in the notification, or just the full resource name of the resource that was profiled.

    3. Set the minimum data risk and sensitivity levels that must be met for Sensitive Data Protection to send a notification.

    4. Specify whether only one or both of the data risk and sensitivity conditions must be met. For example, if you choose AND, then both the data risk and the sensitivity conditions must be met before Sensitive Data Protection sends a notification.

Send to Data Catalog as tags

This feature is deprecated.

This action lets you create Data Catalog tags in Knowledge Catalog based on insights from data profiles. This action is only applied to new and updated profiles. Existing profiles that aren't updated aren't sent to Knowledge Catalog.

Data Catalog is a fully managed, scalable metadata management service. When you enable this action, tables that you profile are automatically tagged in Data Catalog according to insights gathered from the data profiles. You can then use Knowledge Catalog to search your organization and projects for tables with specific tag values.

To send the data profiles to Knowledge Catalog as Data Catalog tags, make sure that the Send to Dataplex as tags option is turned on.

For more information, see Tag tables in Data Catalog based on insights from data profiles.

Send to Knowledge Catalog as aspects

This action lets you add Knowledge Catalog aspects to profiled resources based on insights from data profiles. This action is only applied to new and updated profiles. Existing profiles that aren't updated aren't sent to Knowledge Catalog.

When you enable this action, Sensitive Data Protection attaches the Sensitive Data Protection profile aspect to the Knowledge Catalog entry for each new or updated resource that you profile. The generated aspects contain insights gathered from the data profiles. You can then search your organization and projects for entries with specific Sensitive Data Protection profile aspect values.

To send the data profiles to Knowledge Catalog, make sure that the Send to Dataplex Catalog as aspects option is turned on.

For more information, see Add Knowledge Catalog aspects based on insights from data profiles.

Supported actions

The following table shows which actions are supported for each discovery type.

Publish to Google Security Operations Publish to Security Command Center Save data profile copies to BigQuery Save sample discovery findings to BigQuery Attach tags to resources Publish to Pub/Sub Send to Knowledge Catalog as Data Catalog tags (Deprecated) Send to Knowledge Catalog as aspects
Amazon S3
Azure Blob Storage
BigQuery
Cloud SQL
Cloud Storage
Vertex AI

What's next

  • Learn how to use context data from data profiles in Google Security Operations.
  • Learn about the findings that Sensitive Data Protection can generate in Security Command Center.
  • Learn how to analyze data profiles in BigQuery and Data Studio.
  • Learn how to control IAM access to resources based on data sensitivity.
  • Learn how to receive and parse Pub/Sub messages about data profiles.
    • Learn how to add Knowledge Catalog aspects based on insights from data profiles.