Detection: DLP Re-identify Content
Overview
Detect when GCP DLP content was re-identified. Re-identification of sensitive content can expose private data or violate data privacy regulations. Monitoring such actions helps maintain compliance, protect sensitive data, and prevent unauthorized disclosures.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.dlp_reidentify_contentSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.dlp_reidentify_content --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from gcp_audit_logwhere method_name ilike 'google.privacy.dlp.v%.dlpservice.reidentifycontent' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;