Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated bythreat detectorswhen they detect
a potential threat in your cloud resources. For a full list of available threat findings, seeThreat findings index.
Overview
Security Command Center examines audit logs to detect the anomalous deletion of a
Backup and DR Service backup plan used to apply backup policies to an application.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open theImpact: Google Cloud Backup and DR remove planfinding, as detailed inReviewing findings. The details
panel for the finding opens to theSummarytab.
On theSummarytab, review the information in the following sections:
What was detected, especially the following fields:
Application name: the name of a database or VM connected to Backup and DR
Profile name: specifies the storage target for backups of application and VM data
Template name: the name for a set of policies that define backup frequency, schedule, and retention time
Affected resource
Resource display name: the project in which the plan was deleted
Relatedlinks, especially the following fields:
MITRE ATTACK method: link to the MITRE ATT&CK documentation
Logging URI: link to open theLogs Explorer
Step 2: Research attack and response methods
Contact the owner of the service account in thePrincipal emailfield.
Confirm whether the legitimate owner conducted the action.
Step 3: Implement your response
In the project where the action was taken, navigate to the management console.
In theApp Managertab, find the affected applications that are no longer
protected and review backup policies for each.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nSecurity Command Center examines audit logs to detect the anomalous deletion of a\nBackup and DR Service backup plan used to apply backup policies to an application.\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open the `Impact: Google Cloud Backup and DR remove plan` finding, as detailed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.\n2. On the **Summary** tab, review the information in the following sections:\n - **What was detected** , especially the following fields:\n - **Application name**: the name of a database or VM connected to Backup and DR\n - **Profile name**: specifies the storage target for backups of application and VM data\n - **Template name**: the name for a set of policies that define backup frequency, schedule, and retention time\n - **Affected resource**\n - **Resource display name**: the project in which the plan was deleted\n - **Related** links, especially the following fields:\n - **MITRE ATTACK method**: link to the MITRE ATT\\&CK documentation\n - **Logging URI** : link to open the **Logs Explorer**\n\nStep 2: Research attack and response methods\n\nContact the owner of the service account in the **Principal email** field.\nConfirm whether the legitimate owner conducted the action.\n\nStep 3: Implement your response\n\n1. In the project where the action was taken, navigate to the management console.\n2. In the **App Manager** tab, find the affected applications that are no longer protected and review backup policies for each.\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
