This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Event Threat Detection examines audit logs to detect whether a backup stored in a backup vault has been deleted.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
- Open the
Impact: Deleted Google Cloud Backup and DR Backupfinding, as detailed in Reviewing findings. The details panel for the finding opens to the Summary tab. - On the Summary tab, review the information in the following sections:
- What was detected, especially the following fields:
- Description: information about the detection.
- Principal subject: a user or service account that has successfully executed an action.
- Affected resource
- Resource display name: the project in which the backup frequency was reduced.
- Related links, especially the following fields:
- MITRE ATTACK method: link to the MITRE ATT&CK documentation.
- Logging URI: link to open the Logs Explorer.
- What was detected, especially the following fields:
Step 2: Research attack and response methods
Contact the owner of the service account in the Principal subject field and confirm whether they conducted the action.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.