GCP Pub/Sub Topic Creation
Identifies the creation of a topic in Google Cloud Platform (GCP). Pub/Sub is GCP's asynchronous messaging service; it decouples event-producing services from event-processing services. A topic is the named resource that publishers send messages to and that subscriptions read from on behalf of subscribers. Topic creation is a routine administrative action, but an unexpected topic can also serve as a channel for moving data out of a project, which is why this rule flags every successful creation at low severity for review.
Elastic rule
[metadata]
creation_date = "2020/09/23"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship
(Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is
used to forward messages from publishers to subscribers.
"""
false_positives = [
    """
    Topic creations may be done by a system or network administrator. Verify whether the user email, resource name,
    and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Topic Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Pub/Sub Topic Creation

Google Cloud Pub/Sub is a messaging service that enables asynchronous communication between independent applications. It uses topics to route messages from publishers to subscribers. Adversaries might exploit this by creating unauthorized topics to exfiltrate data or disrupt services. The detection rule monitors successful topic creation events, helping identify potential misuse by flagging unexpected or suspicious activity.

### Possible investigation steps

- Review the event details to confirm the presence of the event.action field with the value google.pubsub.v*.Publisher.CreateTopic and ensure the event.outcome is success.
- Identify the user or service account associated with the topic creation by examining the actor information in the event logs.
- Check the project and resource details to determine the context and environment where the topic was created, including the project ID and resource name.
- Investigate the purpose and necessity of the newly created topic by consulting with relevant stakeholders or reviewing documentation related to the project.
- Analyze historical logs to identify any unusual patterns or anomalies in topic creation activities by the same user or within the same project.
- Assess the permissions and roles assigned to the user or service account to ensure they align with the principle of least privilege.
- If suspicious activity is confirmed, consider implementing additional monitoring or access controls to prevent unauthorized topic creation in the future.

### False positive analysis

- Routine topic creation by automated processes or scripts can trigger false positives. Identify and document these processes to create exceptions in the monitoring system.
- Development and testing environments often involve frequent topic creation. Exclude these environments from alerts by using environment-specific tags or labels.
- Scheduled maintenance or updates by cloud administrators may result in legitimate topic creation. Coordinate with the operations team to whitelist these activities during known maintenance windows.
- Third-party integrations or services that rely on Pub/Sub for communication might create topics as part of their normal operation. Review and approve these integrations to prevent unnecessary alerts.
- Internal applications with dynamic topic creation as part of their workflow should be assessed and, if deemed non-threatening, added to an exception list to reduce noise.

### Response and remediation

- Immediately review the audit logs to confirm the unauthorized creation of the Pub/Sub topic and identify the user or service account responsible for the action.
- Revoke or limit permissions for the identified user or service account to prevent further unauthorized actions, ensuring that only necessary permissions are granted.
- Delete the unauthorized Pub/Sub topic to prevent any potential data exfiltration or disruption of services.
- Conduct a thorough review of other Pub/Sub topics and related resources to ensure no additional unauthorized topics have been created.
- Notify the security team and relevant stakeholders about the incident for further investigation and to assess potential impacts on the organization.
- Implement additional monitoring and alerting for Pub/Sub topic creation events to detect and respond to similar threats more quickly in the future.
- Consider enabling organization-wide policies that restrict who can create Pub/Sub topics to reduce the risk of unauthorized actions.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/admin"]
risk_score = 21
rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Log Auditing",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
References
- https://cloud.google.com/pubsub/docs/admin
Related rules
- GCP Pub/Sub Subscription Creation
- GCP Logging Bucket Deletion
- GCP Logging Sink Deletion
- GCP Logging Sink Modification
- GCP Pub/Sub Subscription Deletion