Impact: Google Cloud Backup and DR reduced backup frequency
Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Event Threat Detection examines audit logs to detect whether the backup plan has
been modified to reduce backup frequency.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Impact: Google Cloud Backup and DR reduced backup frequency
finding, as detailed in Reviewing findings. The
details panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Description: information about the detection
Principal subject: a user or service account that has successfully
executed an action
Affected resource
Resource display name: the project in which the backup frequency
was reduced.
Related links, especially the following fields:
MITRE ATTACK method: link to the MITRE ATT&CK documentation.
Logging URI: link to open the Logs Explorer.
Step 2: Research attack and response methods
Contact the owner of the service account in the Principal subject field.
Confirm whether the legitimate owner conducted the action.
Step 3: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
In the project where the action was taken, navigate to the management console.
In the App Manager tab, find the affected application for which backup
frequency was reduced and verify that the change was intended by the
principal.
To initiate a new backup of the application, select
Manage Backup Configurations to create an on-demand backup or to
schedule a new backup.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nEvent Threat Detection examines audit logs to detect whether the backup plan has\nbeen modified to reduce backup frequency.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open the `Impact: Google Cloud Backup and DR reduced backup frequency` finding, as detailed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.\n2. On the **Summary** tab, review the information in the following sections:\n - **What was detected** , especially the following fields:\n - **Description**: information about the detection\n - **Principal subject**: a user or service account that has successfully executed an action\n - **Affected resource**\n - **Resource display name**: the project in which the backup frequency was reduced.\n - **Related links** , especially the following fields:\n - **MITRE ATTACK method**: link to the MITRE ATT\\&CK documentation.\n - **Logging URI** : link to open the **Logs Explorer**.\n\nStep 2: Research attack and response methods\n\nContact the owner of the service account in the **Principal subject** field.\nConfirm whether the legitimate owner conducted the action.\n\nStep 3: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n1. In the project where the action was taken, navigate to the management console.\n2. In the **App Manager** tab, find the affected application for which backup frequency was reduced and verify that the change was intended by the principal.\n3. To initiate a new backup of the application, select **Manage Backup Configurations** to create an on-demand backup or to schedule a new backup.\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
