GCP Pub/Sub Subscription Creation
Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.
Elastic rule

```toml
[metadata]
creation_date = "2020/09/23"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship
(Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A
subscription is a named resource representing the stream of messages to be delivered to the subscribing application.
"""
false_positives = [
    """
    Subscription creations may be done by a system or network administrator. Verify whether the user email, resource
    name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Subscription Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Pub/Sub Subscription Creation

Google Cloud Pub/Sub is a messaging service that enables asynchronous communication between applications by decoupling event producers and consumers. Adversaries might exploit this by creating unauthorized subscriptions to intercept or exfiltrate sensitive data streams. The detection rule monitors audit logs for successful subscription creation events, helping identify potential misuse by flagging unexpected or suspicious activity.

### Possible investigation steps

- Review the audit log entry associated with the alert to identify the user or service account responsible for the subscription creation (`user.email`), the caller address (`source.ip`) and the subscription that was created (`gcp.audit.resource_name`); `event.action` records which version of the `CreateSubscription` API was called.
- Verify the legitimacy of the subscription by checking the associated project and topic details to ensure they align with expected configurations and business needs. Check the delivery configuration in the request body as well: a push subscription forwards every message to the configured endpoint, and a BigQuery or Cloud Storage subscription writes messages to the configured table or bucket, so confirm that any such destination belongs to your organization.
- Investigate the history of the user or service account involved in the subscription creation to identify any unusual or unauthorized activities, focusing on recent changes or access patterns.
- Assess the permissions and roles assigned to the user or service account to determine if they have the necessary privileges for subscription creation and whether these permissions are appropriate.
- Consult with relevant stakeholders or application owners to confirm whether the subscription creation was authorized and necessary for operational purposes.

### False positive analysis

- Routine subscription creation by automated deployment tools or scripts can trigger false positives. Identify and allowlist these tools by excluding their service accounts from the detection rule.
- Development and testing environments often create and delete subscriptions frequently. Exclude these environments by filtering out specific project IDs associated with non-production use.
- Scheduled maintenance or updates might involve creating new subscriptions temporarily. Coordinate with the operations team to understand regular maintenance schedules and adjust the rule to ignore these activities during known maintenance windows.
- Internal monitoring or logging services that create subscriptions for legitimate data collection purposes can be excluded by identifying their specific patterns or naming conventions and adding them to an exception list.

### Response and remediation

- Immediately review the audit logs to confirm the unauthorized subscription creation and identify the source, including the user or service account responsible for the action.
- Revoke access for the identified user or service account to prevent further unauthorized actions. Ensure that the principle of least privilege is enforced.
- Delete the unauthorized subscription to stop any potential data interception or exfiltration. A new subscription normally receives only messages published after it was created, so the exposure window starts at the creation time; if the topic has message retention enabled, also look for `Seek` calls on the subscription, which can replay retained messages published before it existed.
- Conduct a thorough review of all existing subscriptions to ensure no other unauthorized subscriptions exist.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for subscription creation events to detect similar activities in the future.
- If applicable, report the incident to Google Cloud support for further assistance and to understand if there are any broader implications or vulnerabilities.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/overview"]
risk_score = 21
rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Log Auditing",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
```
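The rule's query and the triage it asks for, replayed in Python over constructed audit events. This is an added example, not part of the Elastic rule or the GCP integration. The field names (`event.action`, `event.outcome`, `user.email`, `cloud.project.id`, `gcp.audit.resource_name`, `gcp.audit.request`) follow the Elastic GCP integration's ECS mapping of Cloud Audit Logs; the sample values, the `TRUSTED_PUSH_DOMAINS` allowlist and the function names `make_event`, `rule_matches`, `triage` and `run` are assumptions made here. It shows two things the rule text leaves implicit: why the `v*` wildcard matters (a `v1beta2` call is matched alongside `v1`), and how the request body separates a harmless pull subscription from a push subscription that forwards every message to an endpoint outside the organization.

```python
"""Replay the GCP Pub/Sub Subscription Creation rule over audit events and triage the hits.

Added example, not code from the Elastic rule. Events below are constructed to resemble
the ECS documents the Elastic GCP integration builds from Cloud Audit Logs; the field
names are the integration's, the values are made up.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# The rule's KQL restated: the v* wildcard catches v1 as well as pre-GA API versions
# such as v1beta2, whose method names differ only in that segment.
ACTION_PATTERN = "google.pubsub.v*.Subscriber.CreateSubscription"

# Assumption for triage: push endpoints whose host is not under one of these domains
# are flagged as external. Tune to your own environment.
TRUSTED_PUSH_DOMAINS = ("run.app", "cloudfunctions.net")


@dataclass
class Finding:
    principal: str
    subscription: str
    topic: str
    delivery: str                 # pull | push | bigquery | cloud_storage
    destination: Optional[str]    # endpoint, table or bucket for non-pull delivery
    external_destination: bool    # destination outside the project / trusted domains


def rule_matches(event: dict) -> bool:
    """event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription
    and event.outcome:success"""
    ev = event.get("event", {})
    return (
        ev.get("dataset") == "gcp.audit"
        and fnmatch.fnmatchcase(ev.get("action", ""), ACTION_PATTERN)
        and ev.get("outcome") == "success"
    )


def triage(event: dict) -> Finding:
    """Pull the facts the investigation steps ask for out of one matching event."""
    audit = event.get("gcp", {}).get("audit", {})
    req = audit.get("request", {})                # the CreateSubscription request body
    project = event.get("cloud", {}).get("project", {}).get("id", "")
    principal = event.get("user", {}).get("email", "<unknown>")
    subscription = audit.get("resource_name") or req.get("name", "<unknown>")
    topic = req.get("topic", "<unknown>")
    push = req.get("pushConfig", {}).get("pushEndpoint")
    if push:                                      # every message is POSTed to this URL
        host = urlparse(push).hostname or ""
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_PUSH_DOMAINS)
        return Finding(principal, subscription, topic, "push", push, not trusted)
    table = req.get("bigqueryConfig", {}).get("table")
    if table:                                     # table is project.dataset.table
        return Finding(principal, subscription, topic, "bigquery", table, table.split(".")[0] != project)
    bucket = req.get("cloudStorageConfig", {}).get("bucket")
    if bucket:                                    # bucket ownership is not visible in the event
        return Finding(principal, subscription, topic, "cloud_storage", bucket, False)
    return Finding(principal, subscription, topic, "pull", None, False)


def run(events: list) -> list:
    """Apply the rule, then triage every hit; non-matching events are dropped."""
    return [triage(e) for e in events if rule_matches(e)]


def make_event(action, outcome, email, name, request):
    """Build a constructed ECS-shaped GCP audit event (sample data, not a real log)."""
    return {
        "event": {"dataset": "gcp.audit", "action": action, "outcome": outcome},
        "cloud": {"project": {"id": "acme-prod"}},
        "user": {"email": email},
        "gcp": {"audit": {"resource_name": name, "request": {"name": name, **request}}},
    }


SAMPLE_EVENTS = [  # constructed sample data
    make_event("google.pubsub.v1.Subscriber.CreateSubscription", "success",
               "deployer@acme-prod.iam.gserviceaccount.com",
               "projects/acme-prod/subscriptions/orders-worker",
               {"topic": "projects/acme-prod/topics/orders"}),
    make_event("google.pubsub.v1beta2.Subscriber.CreateSubscription", "success",
               "contractor@example.com", "projects/acme-prod/subscriptions/orders-mirror",
               {"topic": "projects/acme-prod/topics/orders",
                "pushConfig": {"pushEndpoint": "https://collector.example.net/hook"}}),
    make_event("google.pubsub.v1.Subscriber.CreateSubscription", "failure",   # denied call
               "contractor@example.com", "projects/acme-prod/subscriptions/payments-mirror",
               {"topic": "projects/acme-prod/topics/payments"}),
    make_event("google.pubsub.v1.Subscriber.DeleteSubscription", "success",   # other method
               "deployer@acme-prod.iam.gserviceaccount.com",
               "projects/acme-prod/subscriptions/old-worker", {}),
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        flag = "EXTERNAL DESTINATION" if f.external_destination else "verify principal"
        print(f"{f.principal} created {f.subscription} on {f.topic} [{f.delivery}] {flag}")
```

Running it yields two findings: the deployer's pull subscription, which only needs the principal checked against the false-positive guidance above, and the contractor's `v1beta2` push subscription to `collector.example.net`, which is flagged because the endpoint is outside the trusted domains. The denied call and the `DeleteSubscription` event fall out at the `rule_matches` stage, exactly as the KQL's `event.outcome:success` and `event.action` clauses intend.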
References
- https://cloud.google.com/pubsub/docs/overview
Related rules
- GCP Pub/Sub Topic Creation
- GCP Logging Bucket Deletion
- GCP Logging Sink Deletion
- GCP Logging Sink Modification
- GCP Pub/Sub Subscription Deletion