Impact: Google Cloud Backup and DR remove plan

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

Security Command Center examines audit logs to detect the anomalous deletion of a Backup and DR Service backup plan used to apply backup policies to an application.

Event Threat Detection is the source of this finding.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

  1. Open the Impact: Google Cloud Backup and DR remove plan finding, as detailed in Reviewing findings. The details panel for the finding opens to the Summary tab.
  2. On the Summary tab, review the information in the following sections:
    • What was detected, especially the following fields:
      • Application name: the name of a database or VM connected to Backup and DR
      • Profile name: specifies the storage target for backups of application and VM data
      • Template name: the name for a set of policies that define backup frequency, schedule, and retention time
    • Affected resource
      • Resource display name: the project in which the plan was deleted
    • Related links, especially the following fields:
      • MITRE ATTACK method: link to the MITRE ATT&CK documentation
      • Logging URI: link to open the Logs Explorer

Step 2: Research attack and response methods

Contact the owner of the service account in the Principal email field. Confirm whether the legitimate owner conducted the action.

Step 3: Implement your response

  1. In the project where the action was taken, navigate to the management console.
  2. In the App Manager tab, find the affected applications that are no longer protected and review backup policies for each.

What's next