Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Data exfiltration from BigQuery is detected by examining audit
logs for the following scenario:
A resource is saved to a Google Drive folder.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open an Exfiltration: BigQuery Data to Google Drive finding, as
directed in Reviewing findings.
On the Summary tab of the finding details panel, review the
information in the following sections:
What was detected, including:
Principal email: the account used to exfiltrate the data.
Exfiltration sources: details about the BigQuery
table from which data was exfiltrated.
Exfiltration targets: details about the destination in Google Drive.
Affected resource, including:
Resource full name: the name of the BigQuery resource whose data was
exfiltrated.
Project full name: the Google Cloud project that
contains the source BigQuery dataset.
Related links, including:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
For additional information, click the JSON tab.
In the JSON, note the following fields.
sourceProperties:
evidence:
sourceLogId:
projectId: the Google Cloud project that
contains the source BigQuery dataset.
properties:
extractionAttempt:
jobLink: the link to the BigQuery job that exfiltrated
data
If necessary, select the project listed in the projectId field in the
finding JSON (from Step 1).
On the page that appears, in the Filter box, enter the email address
listed in access.principalEmail (from Step 1)
and check what permissions are assigned to the account.
Step 3: Check logs
On the Summary tab of the finding details panel, click the
Cloud Logging URI link to open the Logs Explorer.
Find admin activity logs related to BigQuery jobs by using
the following filters:
Review related findings by clicking the link on the Related findings
on the Related findings row in the Summary tab of the
finding details.
Related findings are the same finding type on the same instance and network.
To develop a response plan, combine your investigation results with MITRE
research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the project with exfiltrated data.
Consider revoking permissions for the
principal in the access.principalEmail field until the investigation is completed.
To stop further exfiltration, add restrictive IAM policies to the impacted
BigQuery datasets (exfiltration.sources).
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Exfiltration: BigQuery Data to Google Drive\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n--------\n\nData exfiltration from BigQuery is detected by examining audit\nlogs for the following scenario:\n\n- A resource is saved to a Google Drive folder.\n\nHow to respond\n--------------\n\nTo respond to this finding, do the following:\n\n### Step 1: Review finding details\n\n1. Open an `Exfiltration: BigQuery Data to Google Drive` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n2. On the **Summary** tab of the finding details panel, review the\n information in the following sections:\n\n - **What was detected** , including:\n - **Principal email**: the account used to exfiltrate the data.\n - **Exfiltration sources**: details about the BigQuery table from which data was exfiltrated.\n - **Exfiltration targets**: details about the destination in Google Drive.\n - **Affected resource** , including:\n - **Resource full name**: the name of the BigQuery resource whose data was exfiltrated.\n - **Project full name**: the Google Cloud project that contains the source BigQuery dataset.\n - **Related links** , including:\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n3. For additional information, click the **JSON** tab.\n\n4. In the JSON, note the following fields.\n\n - `sourceProperties`:\n - `evidence`:\n - `sourceLogId`:\n - `projectId`: the Google Cloud project that contains the source BigQuery dataset.\n - `properties`:\n - `extractionAttempt`:\n - `jobLink`: the link to the BigQuery job that exfiltrated data\n\n### Step 2: Review permissions and settings\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n \u003cbr /\u003e\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n\n \u003cbr /\u003e\n\n2. If necessary, select the project listed in the `projectId` field in the\n finding JSON (from [Step 1](#biqquery_drive_findings)).\n\n3. On the page that appears, in the **Filter** box, enter the email address\n listed in `access.principalEmail` (from [Step 1](#biqquery_drive_findings))\n and check what permissions are assigned to the account.\n\n### Step 3: Check logs\n\n1. On the **Summary tab** of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.\n2. Find admin activity logs related to BigQuery jobs by using the following filters:\n - `protoPayload.methodName=\"Jobservice.insert\"`\n - `protoPayload.methodName=\"google.cloud.bigquery.v2.JobService.InsertJob\"`\n\n### Step 4: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/).\n2. Review related findings by clicking the link on the **Related findings** on the **Related findings** row in the **Summary** tab of the finding details. Related findings are the same finding type on the same instance and network.\n3. To develop a response plan, combine your investigation results with MITRE research.\n\n### Step 5: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n- Contact the owner of the project with exfiltrated data.\n- Consider [revoking permissions](/iam/docs/granting-changing-revoking-access#revoking-console) for the principal in the `access.principalEmail` field until the investigation is completed.\n- To stop further exfiltration, [add restrictive IAM policies](/bigquery/docs/dataset-access-controls) to the impacted BigQuery datasets (`exfiltration.sources`).\n- To scan impacted datasets for sensitive information, [use\n Sensitive Data Protection](/bigquery/docs/scan-with-dlp). You can also [send\n Sensitive Data Protection data to Security Command Center](/sensitive-data-protection/docs/sending-results-to-scc). Depending on the quantity of information, Sensitive Data Protection costs can be significant. Follow best practices for [keeping Sensitive Data Protection costs\n under control](/sensitive-data-protection/docs/best-practices-costs).\n- To limit access to the BigQuery API, [use\n VPC Service Controls](/vpc-service-controls/docs/overview).\n- To identify and fix overly permissive roles, use [IAM\n Recommender](/iam/docs/recommender-overview).\n\nWhat's next\n-----------\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
