- Capabilities
- Getting started
- Architecture center
- Platform updates
Create Match Actions
Match actions allow Sensitive Data Scanner to perform an automatic action on your behalf on a dataset that is detected as a match. There are three types of match actions:
- "Apply Markings" Match Action: Instructs Sensitive Data Scanner to apply markings on the datasets that matched any of the specified match conditions.
- "Create Issues" Match Action: Instructs Sensitive Data Scanner to create an issue on the columns with match any of the specified match conditions.
- "Obfuscate Data" Match Actions: Instructs Sensitive Data Scanner to encrypt or hash the matched data using Cipher.
If your sensitive data scan covers a large number of datasets, we recommend that you test the match conditions before proceeding further since misconfigured match conditions can produce false positives in the form of unwanted issues or Markings on datasets.
You can test the match conditions by selecting No Match Actions for your scan. Once you have verified that the match condition matches the expected format of data, you can then select one of the other Match actions for future one-time scans or Recurring Scans.
Similar to creating match conditions, there are two ways to start creating match actions — either from the Sensitive Data Scanner landing page, or while creating an sensitive data scan.
From the landing page, select Add above the Available match actions listed in the match actions sidebar.
While creating a sensitive data scan, on the Select match actions page, you can also create an match action by clicking Create match action and immediately use that in your scan.
Both of these starting points open the same match action creation process. From there you can choose whether to create an Add markings match action, or a Create issues match action.
Create an “Apply Markings” Match Action
This is an example of the creation process for an "Apply markings" match action. In this example, the PII Marking will be applied on matching datasets.
Additionally, the Reapply markings that have been manually removed option is unselected, meaning that if the marking was previously applied by Sensitive Data Scanner (for example, during a previous scan), and was manually removed by the user, the marking will not be re-applied. Enabling the option allows the marking to be re-applied.
Create a “Create Issues” Match Action
This is an example of the creation process for a Create issues match action. Here, you will notice that two users have been selected as Assignees of the issues that Sensitive Data Scanner will create upon highlighting a match — “Governance admin” and “Data control officer”.
Additionally, there are advanced configurations available for “Create Issues” match actions:
- Issue text: You can customize the text that the issue will have in it when the match action is performed.
- Issue label: You can select one of the issue labels available to your space to facilitate effective triaging of issues.
- Issue severity: You can set the priority of the issue, depending on the scan you would like to run.
- Notify dataset creator about the issue: If checked, the user that created the dataset will be informed that sensitive data was found in the dataset that they created.
- Do not open new issue if:
- Archived — If checked, Sensitive Data Scanner will not create a new issue if a previous scan created an issue that was then manually archived.
- Closed — If checked, Sensitive Data Scanner will not create a new issue if a previous scan created an issue that was then manually closed.
Create an "Obfuscate Data" Match Action
Obfuscate Data Match Actions allow you to automatically encrypt or hash matched data using Cipher. For each scanned resource, Sensitive Data Scanner will create an output dataset containing the obfuscated data.
To create a new Obfuscate Data Match Action, you can open the Create Match Action dialog and select Obfuscate data.
You will need a Cipher Channel and a Cipher License. If you do not have those already, you can create them in Cipher.
The Cipher Channel specifies the cryptographic algorithm used for the obfuscation. Sensitive Data Scanner supports:
- Probabilistic encryption: AES GCM SIV
- Deterministic encryption: AES SIV
- Hashing: SHA512 and SHA256
Note that Visual obfuscation channels are not supported in Sensitive Data Scanner.
A Cipher License grants a set of permissions to interact with a Cipher channel. Sensitive Data Scanner requires an Admin License, as it requires cryptographic key access to perform the obfuscation.
Once you made sure you have a Cipher License available, you can select it in the Create Match Action dialog.
The Match Action can only be applied on scanned resources that are located in the same project as the Cipher license.
An Obfuscate Data Action will create an output dataset for every scanned dataset. Depending on the number of scanned resources, this can lead to a large amount of created output datasets. We recommend running this scan on a small amount of data.
Obfuscate Data Actions are not reversible through the Sensitive Data Scanner. Any datasets created by Sensitive Data Scanner must be deleted manually.
Obfuscation modes
Select the Show advanced configuration panel to expand a set of four different options to customize the obfuscation mode. This defines what specific data will be obfuscated in case of a match:
- Entire column (default): Obfuscate the entire column if a match is found.
- Entire row: Obfuscate the entire row if a match is found.
- Matched cell only: Obfuscate only the cells in which a match is found.
- Matched segments only: Obfuscate only the text segments that match the match condition.