GCP Pub/Sub Subscription Deletion

Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/23"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship
(Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A
subscription is a named resource representing the stream of messages to be delivered to the subscribing application.
"""
false_positives = [
    """
    Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource
    name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Pub/Sub Subscription Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Pub/Sub Subscription Deletion

Google Cloud Pub/Sub is a messaging service that enables asynchronous communication between event producers and consumers. Subscriptions in Pub/Sub are crucial for message delivery to applications. Adversaries may delete subscriptions to disrupt communication, evade detection, or impair defenses. The detection rule monitors audit logs for successful subscription deletions, flagging potential defense evasion activities.

### Possible investigation steps

- Review the audit logs for the specific event.action: google.pubsub.v*.Subscriber.DeleteSubscription to identify the user or service account responsible for the deletion.
- Check the event.dataset:gcp.audit logs for any preceding or subsequent actions by the same user or service account to determine if there is a pattern of suspicious activity.
- Investigate the context of the deleted subscription by examining the associated project and any related resources to understand the potential impact on the application or service.
- Verify if the deletion aligns with any recent changes or maintenance activities within the organization to rule out legitimate actions.
- Assess the permissions and roles assigned to the user or service account to ensure they are appropriate and not overly permissive, which could indicate a security risk.
- Consult with the relevant application or service owners to confirm whether the subscription deletion was authorized and necessary.

### False positive analysis

- Routine maintenance activities by administrators may lead to subscription deletions that are not malicious. To manage this, create exceptions for known maintenance windows or specific admin accounts.
- Automated scripts or tools used for managing Pub/Sub resources might delete subscriptions as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using service account identifiers.
- Development and testing environments often involve frequent creation and deletion of subscriptions. Exclude these environments from alerts by filtering based on project IDs or environment tags.
- Subscription deletions as part of a resource cleanup process can be non-threatening. Document and exclude these processes by identifying patterns in the audit logs, such as specific user agents or IP addresses associated with cleanup operations.

### Response and remediation

- Immediately verify the legitimacy of the subscription deletion by contacting the responsible team or individual to confirm if the action was authorized.
- If unauthorized, revoke access for the user or service account involved in the deletion to prevent further unauthorized actions.
- Restore the deleted subscription from backup or recreate it if necessary, ensuring that message delivery to the application is resumed.
- Conduct a thorough review of audit logs to identify any other suspicious activities or patterns that may indicate further compromise.
- Implement additional access controls and monitoring for Pub/Sub resources to prevent unauthorized deletions in the future.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data were affected.
- Update incident response plans and playbooks to include specific procedures for handling Pub/Sub subscription deletions and similar threats.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/pubsub/docs/overview"]
risk_score = 21
rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Log Auditing",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
...
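To make the rule's logic and the tuning advice in its investigation guide concrete, here is an added example that is not part of the Elastic rule or the GCP integration. It replays the three conditions of the KQL query (dataset, wildcard action, successful outcome) over constructed ECS-shaped audit events, then applies the two exemptions the false-positive section suggests: known automation service accounts and non-production projects. Only `event.dataset`, `event.action` and `event.outcome` come from the rule; `user.email`, `cloud.project.id` and `gcp.audit.resource_name` are assumed field names for illustration and should be checked against your own ingested documents before they are used in a rule exception.

```python
"""Added example: replay the GCP Pub/Sub Subscription Deletion rule over
constructed audit events and apply analyst-defined exemptions.
Not Elastic's code; field names outside event.* are assumptions."""
import json
from fnmatch import fnmatchcase

# The three conditions of the rule's KQL query, one constant each.
RULE_DATASET = "gcp.audit"
RULE_ACTION_PATTERN = "google.pubsub.v*.Subscriber.DeleteSubscription"
RULE_OUTCOME = "success"

# Constructed sample events (one JSON document per line); not real telemetry.
SAMPLE_LOG_LINES = [
    # 1: human user deletes a production subscription -> should alert
    '{"event":{"dataset":"gcp.audit","action":"google.pubsub.v1.Subscriber.DeleteSubscription","outcome":"success"},'
    '"user":{"email":"alice@example.com"},"cloud":{"project":{"id":"prod-app"}},'
    '"gcp":{"audit":{"resource_name":"projects/prod-app/subscriptions/orders-sub"}}}',
    # 2: known cleanup automation -> matches the rule, exempted by account
    '{"event":{"dataset":"gcp.audit","action":"google.pubsub.v1.Subscriber.DeleteSubscription","outcome":"success"},'
    '"user":{"email":"cleanup-bot@prod-app.iam.gserviceaccount.com"},"cloud":{"project":{"id":"prod-app"}},'
    '"gcp":{"audit":{"resource_name":"projects/prod-app/subscriptions/tmp-sub-42"}}}',
    # 3: deletion attempt that failed -> outcome is not "success", no match
    '{"event":{"dataset":"gcp.audit","action":"google.pubsub.v1.Subscriber.DeleteSubscription","outcome":"failure"},'
    '"user":{"email":"mallory@example.com"},"cloud":{"project":{"id":"prod-app"}}}',
    # 4: subscription creation -> different action, no match
    '{"event":{"dataset":"gcp.audit","action":"google.pubsub.v1.Subscriber.CreateSubscription","outcome":"success"},'
    '"user":{"email":"alice@example.com"},"cloud":{"project":{"id":"prod-app"}}}',
    # 5: deletion in a development project -> matches, exempted by project
    '{"event":{"dataset":"gcp.audit","action":"google.pubsub.v1.Subscriber.DeleteSubscription","outcome":"success"},'
    '"user":{"email":"bob@example.com"},"cloud":{"project":{"id":"dev-sandbox"}},'
    '"gcp":{"audit":{"resource_name":"projects/dev-sandbox/subscriptions/test-sub"}}}',
]

# Assumed tuning values for this example; in Kibana these become rule exceptions.
EXEMPTIONS = {
    "service_accounts": {"cleanup-bot@prod-app.iam.gserviceaccount.com"},
    "projects": {"dev-sandbox"},
}


def get_field(doc, dotted_path):
    """Resolve an ECS dotted field name such as "event.action" in a nested document."""
    current = doc
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches_rule(doc):
    """Mirror the KQL: dataset AND wildcard action AND successful outcome."""
    action = get_field(doc, "event.action")
    return (
        get_field(doc, "event.dataset") == RULE_DATASET
        and isinstance(action, str)
        and fnmatchcase(action, RULE_ACTION_PATTERN)  # KQL '*' behaves like a glob here
        and get_field(doc, "event.outcome") == RULE_OUTCOME
    )


def exemption_reason(doc, exemptions):
    """Return why a hit is a known-benign case, or None if it needs investigation."""
    actor = get_field(doc, "user.email")
    project = get_field(doc, "cloud.project.id")
    if actor in exemptions.get("service_accounts", set()):
        return f"known automation account {actor}"
    if project in exemptions.get("projects", set()):
        return f"non-production project {project}"
    return None


def triage(log_lines, exemptions):
    """Run the rule over raw JSON lines and annotate each hit for the analyst."""
    hits = []
    for line in log_lines:
        doc = json.loads(line)
        if not matches_rule(doc):
            continue
        hits.append({
            "actor": get_field(doc, "user.email"),
            "project": get_field(doc, "cloud.project.id"),
            "resource": get_field(doc, "gcp.audit.resource_name"),
            "exempted": exemption_reason(doc, exemptions),
        })
    return hits


def actionable_alerts(log_lines, exemptions):
    """Hits that survive the exemptions and warrant the investigation steps above."""
    return [h for h in triage(log_lines, exemptions) if h["exempted"] is None]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG_LINES, EXEMPTIONS):
        status = "EXEMPT (" + hit["exempted"] + ")" if hit["exempted"] else "INVESTIGATE"
        print(f"{status:60} {hit['actor']} deleted {hit['resource']}")
```

Of the five constructed events, three satisfy the query (the failed attempt and the CreateSubscription call do not), and only the human-initiated production deletion survives both exemptions. Note that the exemptions key on the actor and project rather than on the whole event, which is the same granularity the guide recommends for Kibana exceptions; exempting on broader fields such as user agent alone would let an adversary who reuses a cleanup tool's client slip past the rule.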
