This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Audit logs are examined to detect the deletion of a policy. A policy defines how a backup is taken and where it is stored.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
- Open the
Impact: Google Cloud Backup and DR delete policyfinding, as detailed in Reviewing findings. The details panel for the finding opens to the Summary tab. - On the Summary tab, review the information in the following sections:
- What was detected, especially the following fields:
- Policy name: the name for a single policy, which defines backup frequency, schedule, and retention time
- Principal subject: a user that has successfully executed an action
- Affected resource
- Resource display name: the project in which the policy was deleted
- Related links, especially the following fields:
- MITRE ATTACK method: link to the MITRE ATT&CK documentation
- Logging URI: link to open the Logs Explorer.
- What was detected, especially the following fields:
Step 2: Research attack and response methods
Contact the owner of the service account in the Principal email field. Confirm whether the legitimate owner conducted the action.
Step 3: Implement your response
- In the project where the action was taken, navigate to the management console.
- In the App Manager tab, select the affected application and review the Policy settings applied to that application.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.