Detection: DLP Re-identify Content
Overview
Detect when GCP DLP content was re-identified. Re-identification of sensitive content can expose private data or violate data privacy regulations. Monitoring such actions helps maintain compliance, protect sensitive data, and prevent unauthorized disclosures.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.dlp_reidentify_contentSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.dlp_reidentify_content --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp, method_name as operation, resource_name as resource, authentication_info.principal_email as actor, tp_source_ip as source_ip, tp_index as project, tp_id as source_id, -- Create new aliases to preserve original row data operation as operation_src, resource as resource_src, * exclude operation, resourcefrom gcp_audit_logwhere method_name ilike 'google.privacy.dlp.v%.dlpservice.reidentifycontent' and severity != 'Error'order by timestamp desc;