This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A potentially malicious actor has requested to delete a backup image.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Inhibit System Recovery: Google Cloud Backup and DR expire image finding, as detailed in Reviewing findings. The details panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Policy name: the name for a single policy, which defines backup frequency, schedule, and retention time
Template name: the name for a set of policies that define backup frequency, schedule, and retention time
Profile name: specifies the storage target for backups of application and VM data
Principal subject: a user that has successfully executed an action
Affected resource
Resource display name: the project in which the backup image was deleted
Related links, especially the following fields:
MITRE ATTACK method: link to the MITRE ATT&CK documentation
Logging URI: link to open the Logs Explorer
Step 2: Research attack and response methods
Contact the owner of the service account in the Principal email field. Confirm whether the legitimate owner conducted the action.
Step 3: Implement your response
In the project where the action was taken, navigate to the management console.
Navigate to the Monitor tab and select Jobs to review the status of the delete backup job.
If a delete job is not authorized, navigate to IAM permissions to review users with access to backup data.
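One way to carry out the IAM review in the last step offline, as an added example that is not part of the original page or Google's tooling: it reads a project IAM policy exported as JSON and lists which principals hold roles that reach backup data. The sample policy, the function names, and the rule "any `roles/backupdr.*` role or a basic Owner/Editor role counts as access" are assumptions made for illustration.

```python
import json

# Assumption: predefined Backup and DR roles share the "roles/backupdr." prefix;
# basic roles are included because they carry broad project-wide permissions.
BACKUPDR_PREFIX = "roles/backupdr."
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample, in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/backupdr.admin",
   "members": ["user:alice@example.com",
               "serviceAccount:backup-ops@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/backupdr.viewer",
   "members": ["group:sre@example.com"],
   "condition": {"title": "business-hours", "expression": "request.time.getHours() < 18"}},
  {"role": "roles/editor",
   "members": ["serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}
]}
""")

def backup_access(policy):
    """Map each member to the sorted roles that give it access to backup data."""
    access = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not (role.startswith(BACKUPDR_PREFIX) or role in BASIC_ROLES):
            continue
        label = role + (" (conditional)" if "condition" in binding else "")
        for member in binding.get("members", []):
            access.setdefault(member, set()).add(label)
    return {member: sorted(roles) for member, roles in access.items()}

def triage(policy, principal_email):
    """Summarize backup access and locate the principal named in the finding."""
    access = backup_access(policy)
    wanted = principal_email.lower()
    return {
        "access": access,
        # Bindings held directly by the finding's principal ("type:email" form).
        "principal_bindings": sorted(m for m in access if m.split(":", 1)[-1].lower() == wanted),
        # Group membership is not visible in the policy and must be expanded separately.
        "groups_to_expand": sorted(m for m in access if m.startswith("group:")),
        "public_members": sorted(m for m in access if m in ("allUsers", "allAuthenticatedUsers")),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_POLICY, "backup-ops@example-project.iam.gserviceaccount.com"), indent=2))
```

A project-level export contains only bindings set on the project itself; roles inherited from a folder or the organization, and access gained through group membership, have to be checked separately.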
Last updated 2025-09-04 UTC.