Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Findings that are returned by the Exfiltration: BigQuery
Data Exfiltration contain one of two possible subrules. Each subrule has a
different severity:
Subrule exfil_to_external_table with severity = HIGH:
A resource was saved outside of your organization or project.
Subrule vpc_perimeter_violation with severity = LOW:
VPC Service Controls blocked a copy operation or an attempt to access
BigQuery resources.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Exfiltration: BigQuery Data Exfiltration finding, as directed in
Reviewing findings.
On the Summary tab of the finding details panel, review the
listed values in the following sections:
What was detected:
Severity: the severity is either HIGH for subrule
exfil_to_external_table or LOW for subrule
vpc_perimeter_violation.
Principal email: the account used to exfiltrate the data.
Exfiltration sources: details about the tables from which data
was exfiltrated.
Exfiltration targets: details about the tables where exfiltrated
data was stored.
Affected resource:
Resource full name: the full resource name of the project,
folder, or organization from which data was exfiltrated.
Related links:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
Click the Source Properties tab and review the fields shown,
especially:
detectionCategory:
subRuleName: either exfil_to_external_table or
vpc_perimeter_violation.
evidence:
sourceLogId:
projectId: the Google Cloud project that
contains the source BigQuery dataset.
properties
dataExfiltrationAttempt
jobLink: the link to the BigQuery job that
exfiltrated data.
query: the SQL query run on the BigQuery dataset.
Optionally, click the JSON tab for the complete listing of the
JSON properties of the finding.
Review related findings by clicking the link on the Related findings
on the Related findings row in the Summary tab of the
finding details.
Related findings are the same finding type on the same instance and network.
To develop a response plan, combine your investigation results with MITRE
research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the project with exfiltrated data.
Consider revoking permissions for userEmail
until the investigation is completed.
To stop further exfiltration, add restrictive IAM policies to the impacted
BigQuery datasets (exfiltration.sources and
exfiltration.targets).
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nFindings that are returned by the `Exfiltration: BigQuery\nData Exfiltration` contain one of two possible subrules. Each subrule has a\ndifferent severity:\n\n- Subrule `exfil_to_external_table` with severity = `HIGH`:\n - A resource was saved outside of your organization or project.\n- Subrule `vpc_perimeter_violation` with severity = `LOW`:\n - VPC Service Controls blocked a copy operation or an attempt to access BigQuery resources.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open the `Exfiltration: BigQuery Data Exfiltration` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n2. On the **Summary** tab of the finding details panel, review the\n listed values in the following sections:\n\n - **What was detected** :\n - **Severity** : the severity is either `HIGH` for subrule `exfil_to_external_table` or `LOW` for subrule `vpc_perimeter_violation`.\n - **Principal email**: the account used to exfiltrate the data.\n - **Exfiltration sources**: details about the tables from which data was exfiltrated.\n - **Exfiltration targets**: details about the tables where exfiltrated data was stored.\n - **Affected resource** :\n - **Resource full name**: the full resource name of the project, folder, or organization from which data was exfiltrated.\n - **Related links** :\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n3. Click the **Source Properties** tab and review the fields shown,\n especially:\n\n - `detectionCategory`:\n - `subRuleName`: either `exfil_to_external_table` or `vpc_perimeter_violation`.\n - `evidence`:\n - `sourceLogId`:\n - `projectId`: the Google Cloud project that contains the source BigQuery dataset.\n - `properties`\n - `dataExfiltrationAttempt`\n - `jobLink`: the link to the BigQuery job that exfiltrated data.\n - `query`: the SQL query run on the BigQuery dataset.\n4. Optionally, click the **JSON** tab for the complete listing of the\n JSON properties of the finding.\n\nStep 2: Review permissions and settings\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n \u003cbr /\u003e\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n\n \u003cbr /\u003e\n\n2. If necessary, select the project listed in the `projectId` field in the\n finding JSON.\n\n3. On the page that appears, in the **Filter** box, enter the email address\n listed in **Principal email** and check what permissions are assigned to the account.\n\nStep 3: Check logs\n\n1. On the **Summary tab** of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.\n2. Find admin activity logs related to BigQuery jobs by using\n the following filters:\n\n - `protoPayload.methodName=\"Jobservice.insert\"`\n - `protoPayload.methodName=\"google.cloud.bigquery.v2.JobService.InsertJob\"`\n\nStep 4: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/).\n2. Review related findings by clicking the link on the **Related findings** on the **Related findings** row in the **Summary** tab of the finding details. Related findings are the same finding type on the same instance and network.\n3. To develop a response plan, combine your investigation results with MITRE research.\n\nStep 5: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n- Contact the owner of the project with exfiltrated data.\n- Consider [revoking permissions](/iam/docs/granting-changing-revoking-access#revoking-console) for `userEmail` until the investigation is completed.\n- To stop further exfiltration, [add restrictive IAM policies](/bigquery/docs/dataset-access-controls) to the impacted BigQuery datasets (`exfiltration.sources` and `exfiltration.targets`).\n- To scan impacted datasets for sensitive information, [use\n Sensitive Data Protection](/bigquery/docs/scan-with-dlp). You can also [send\n Sensitive Data Protection data to Security Command Center](/sensitive-data-protection/docs/sending-results-to-scc). Depending on the quantity of information, Sensitive Data Protection costs can be significant. Follow best practices for [keeping Sensitive Data Protection costs\n under control](/sensitive-data-protection/docs/best-practices-costs).\n- To limit access to the BigQuery API, [use\n VPC Service Controls](/vpc-service-controls/docs/overview).\n- To identify and fix overly permissive roles, use [IAM\n Recommender](/iam/docs/recommender-overview).\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
