GCP BigQuery data exfiltration
Description
AlphaSOC detected a large BigQuery SELECT query processing substantial data
volumes that may indicate exfiltration. This is identified through the
jobservice.insert action where a SELECT statement processes significant data.
While large queries are common in analytics workflows, threat actors with
compromised credentials can execute SELECT queries to extract entire datasets,
customer records, or proprietary data. This detection uses anomaly analysis to
identify queries processing large data volumes that represent new or unusual
behavior for the environment.
Impact
Large BigQuery SELECT queries can enable threat actors to exfiltrate sensitive data at scale, accessing entire datasets containing customer information, financial records, personally identifiable information, intellectual property, or business-critical analytics. Organizations may face data breaches, regulatory violations, or competitive disadvantage from exposed business intelligence.
Severity
| Severity | Condition |
|---|---|
| Medium | GCP BigQuery data exfiltration |
Investigation and Remediation
Review GCP audit logs for the jobservice.insert event and examine BigQuery job
details including SQL query, tables accessed, and data volume processed. Verify
the principal that executed the query and check source IP address, user agent,
and location against authorized infrastructure. Examine query destination for
external storage buckets, unauthorized projects, or external system transfers.
Review the frequency of similar queries to determine whether the activity is
isolated or part of a sustained campaign.
If the activity appears malicious, disable compromised credentials and rotate service account keys. Assess data exposure scope by reviewing query results and destinations. Check for related activities by the same principal.
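The triage steps above, worked through as an added Python example that is not AlphaSOC's detection logic or code. It walks constructed `jobservice.insert` audit entries, keeps only SELECT jobs whose processed volume is at or above a threshold, and annotates each with the indicators the steps call for: the principal, the caller IP checked against an authorized network range, and the destination project checked against an allow-list, then counts per-principal hits to separate a one-off from a sustained run. The log layout (`protoPayload.serviceData.jobInsertRequest...` for the query and `jobCompletedEvent.job.jobStatistics` for the byte count) is a simplified assumption modelled on BigQuery's AuditData payload, and the threshold, project allow-list, network range and principals are all placeholder values to be replaced with the environment's own.

```python
"""Triage BigQuery jobservice.insert audit entries for large SELECT jobs (added example)."""
import ipaddress
import re
from collections import Counter

# Tuning values below are placeholders for this example; adapt them to the environment.
LARGE_QUERY_BYTES = 10 * 1024 ** 3                          # 10 GiB
AUTHORIZED_PROJECTS = {"analytics-prod"}                    # assumed in-scope project ids
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate egress range
SUSTAINED_THRESHOLD = 3                                     # large jobs per principal
SVC = "svc-etl@analytics-prod.iam.gserviceaccount.com"      # constructed principal


def _entry(principal, ip, query, processed_bytes, dest_project, method="jobservice.insert"):
    """Build a constructed log entry. The layout is a simplified, assumed version of the
    BigQuery AuditData payload; verify the field paths against your own log export."""
    return {"protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": "bq-cli/2.0"},
        "serviceData": {
            "jobInsertRequest": {"resource": {"jobConfiguration": {"query": {
                "query": query,
                "destinationTable": {"projectId": dest_project, "datasetId": "scratch",
                                     "tableId": "out"}}}}},
            # BigQuery reports int64 counters as strings in JSON.
            "jobCompletedEvent": {"job": {"jobStatistics": {
                "totalProcessedBytes": str(processed_bytes)}}}}}}


SAMPLE_ENTRIES = [  # constructed sample data
    _entry("analyst@example.com", "10.1.2.3",
           "SELECT region, SUM(amount) FROM `analytics-prod.sales.orders` GROUP BY region",
           2 * 1024 ** 3, "analytics-prod"),                       # small, internal: ignored
    _entry(SVC, "203.0.113.7", "SELECT * FROM `analytics-prod.crm.customers`",
           48 * 1024 ** 3, "ext-proj-4471"),                       # large, external IP and dest
    _entry(SVC, "203.0.113.7", "-- nightly pull\nselect * from `analytics-prod.crm.orders`",
           40 * 1024 ** 3, "ext-proj-4471"),
    _entry(SVC, "203.0.113.7",
           "WITH c AS (SELECT * FROM `analytics-prod.crm.contacts`) SELECT * FROM c",
           35 * 1024 ** 3, "ext-proj-4471"),
    _entry("dba@example.com", "10.9.9.9", "CREATE TABLE `analytics-prod.tmp.t` AS SELECT 1",
           60 * 1024 ** 3, "analytics-prod"),                      # DDL, not a SELECT: ignored
]

_COMMENT_RE = re.compile(r"--[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def is_select(query):
    """True when the statement, with SQL comments stripped, starts with SELECT or WITH."""
    body = _COMMENT_RE.sub(" ", query).strip()
    return re.match(r"(select|with)\b", body, re.I) is not None


def get(obj, path, default=None):
    """Dotted-path lookup into nested dicts; returns default when any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def ip_authorized(ip):
    """True when the caller IP falls inside an authorized network range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in AUTHORIZED_NETWORKS)


def triage(entries):
    """One finding per large SELECT job, annotated with destination and source-IP indicators."""
    cfg = "protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query"
    stats = "protoPayload.serviceData.jobCompletedEvent.job.jobStatistics"
    findings = []
    for e in entries:
        if get(e, "protoPayload.methodName") != "jobservice.insert":
            continue
        query = get(e, cfg + ".query", "")
        processed = int(get(e, stats + ".totalProcessedBytes", 0))
        if not is_select(query) or processed < LARGE_QUERY_BYTES:
            continue
        dest = get(e, cfg + ".destinationTable.projectId")
        ip = get(e, "protoPayload.requestMetadata.callerIp", "")
        indicators = []
        if dest and dest not in AUTHORIZED_PROJECTS:
            indicators.append("external_destination")
        if not ip_authorized(ip):
            indicators.append("unauthorized_source_ip")
        findings.append({
            "principal": get(e, "protoPayload.authenticationInfo.principalEmail"),
            "caller_ip": ip,
            "user_agent": get(e, "protoPayload.requestMetadata.callerSuppliedUserAgent"),
            "processed_bytes": processed,
            "destination_project": dest,
            "query": " ".join(query.split())[:120],   # normalized, truncated for the report
            "indicators": indicators,
        })
    return findings


def sustained_principals(findings):
    """Principals whose large-SELECT count reaches SUSTAINED_THRESHOLD (campaign, not one-off)."""
    counts = Counter(f["principal"] for f in findings)
    return sorted(p for p, n in counts.items() if n >= SUSTAINED_THRESHOLD)
```

Run against the constructed entries, `triage` returns three findings, all for the service account writing 35 to 48 GiB `SELECT *` results to a project outside the allow-list from an address outside the corporate range, and `sustained_principals` names that account; the 2 GiB analyst query and the DDL statement never surface. The `WITH ... SELECT` case is treated as a SELECT deliberately, since a CTE reads the same tables and would otherwise slip past a prefix check.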
Known False Positives
- Legitimate data analytics operations, business intelligence reporting, or data science workflows that process large datasets
- Scheduled data export jobs for backup, archival, or migration to other systems