Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated bythreat detectorswhen they detect
a potential threat in your cloud resources. For a full list of available threat findings, seeThreat findings index.
Overview
Event Threat Detection examines audit logs to detect whether a backup stored in a backup vault has been deleted.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open theImpact: Deleted Google Cloud Backup and DR Backupfinding, as detailed inReviewing findings. The
details panel for the finding opens to theSummarytab.
On theSummarytab, review the information in the following sections:
What was detected, especially the following fields:
Description: information about the detection.
Principal subject: a user or service account that has successfully
executed an action.
Affected resource
Resource display name: the project in which the backup frequency
was reduced.
Related links, especially the following fields:
MITRE ATTACK method: link to the MITRE ATT&CK documentation.
Logging URI: link to open theLogs Explorer.
Step 2: Research attack and response methods
Contact the owner of the service account in thePrincipal subjectfield and
confirm whether they conducted the action.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nEvent Threat Detection examines audit logs to detect whether a backup stored in a backup vault has been deleted.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open the `Impact: Deleted Google Cloud Backup and DR Backup` finding, as detailed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.\n2. On the **Summary** tab, review the information in the following sections:\n - **What was detected** , especially the following fields:\n - **Description**: information about the detection.\n - **Principal subject**: a user or service account that has successfully executed an action.\n - **Affected resource**\n - **Resource display name**: the project in which the backup frequency was reduced.\n - **Related links** , especially the following fields:\n - **MITRE ATTACK method**: link to the MITRE ATT\\&CK documentation.\n - **Logging URI** : link to open the **Logs Explorer**.\n\nStep 2: Research attack and response methods\n\nContact the owner of the service account in the **Principal subject** field and\nconfirm whether they conducted the action.\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
