Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Audit logs are examined to detect the deletion of a policy. A policy defines how a backup is taken and where it is stored.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Impact: Google Cloud Backup and DR delete policy
finding, as detailed in Reviewing findings. The details
panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Policy name: the name for a single policy, which defines backup
frequency, schedule, and retention time
Principal subject: a user that has successfully executed an action
Affected resource
Resource display name: the project in which the policy was deleted
Related links, especially the following fields:
MITRE ATTACK method: link to the MITRE ATT&CK documentation
Logging URI: link to open the Logs Explorer.
Step 2: Research attack and response methods
Contact the owner of the service account in the Principal email field. Confirm whether the legitimate owner conducted the action.
Step 3: Implement your response
In the project where the action was taken, navigate to the
management console.
In the App Manager tab, select the affected application and review the
Policy settings applied to that application.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Impact: Google Cloud Backup and DR delete policy\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n--------\n\nAudit logs are examined to detect the deletion of a policy. A policy defines how a backup is taken and where it is stored.\n\nHow to respond\n--------------\n\nTo respond to this finding, do the following:\n\n### Step 1: Review finding details\n\n1. Open the `Impact: Google Cloud Backup and DR delete policy` finding, as detailed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.\n2. On the **Summary** tab, review the information in the following sections:\n - **What was detected** , especially the following fields:\n - **Policy name**: the name for a single policy, which defines backup frequency, schedule, and retention time\n - **Principal subject**: a user that has successfully executed an action\n - **Affected resource**\n - **Resource display name**: the project in which the policy was deleted\n - **Related** links, especially the following fields:\n - **MITRE ATTACK method**: link to the MITRE ATT\\&CK documentation\n - **Logging URI** : link to open the **Logs Explorer**.\n\n### Step 2: Research attack and response methods\n\nContact the owner of the service account in the **Principal email** field. Confirm whether the legitimate owner conducted the action.\n\n### Step 3: Implement your response\n\n1. In the project where the action was taken, navigate to the management console.\n2. In the **App Manager** tab, select the affected application and review the **Policy** settings applied to that application.\n\nWhat's next\n-----------\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
