
Summary
This detection rule identifies the deletion of subscriptions in Google Cloud Platform's Pub/Sub messaging service. A subscription represents the stream of messages delivered to an application, so an unauthorized deletion can disrupt communication and hinder data processing. The rule monitors GCP audit logs for successful subscription deletion events (event.action: google.pubsub.v*.Subscriber.DeleteSubscription) to flag activity that may be intended to impair defenses or evade detection. Possible investigative steps include reviewing the logs for the responsible user or service account, identifying patterns in its activity, and assessing its permissions and roles to determine whether the action was legitimate or signifies a security risk. The risk score is low (21), but the impact could be significant if an unauthorized deletion disrupts message delivery. The rule requires setup through the GCP Fleet integration and Filebeat module for effective monitoring.
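An offline check of the rule logic over constructed audit events, added here as an example rather than the rule's own query or any Elastic code; the flattened ECS field names (event.dataset, event.action, event.outcome, user.email, gcp.audit.resource_name) and all sample values are assumptions, and the version wildcard is emulated with fnmatch.

```python
import fnmatch

# The three clauses of the rule. Field names follow ECS as emitted by the Elastic
# GCP integration; they are an assumption here, not quoted from the page.
RULE_DATASET = "gcp.audit"
RULE_ACTION_PATTERN = "google.pubsub.v*.Subscriber.DeleteSubscription"
RULE_OUTCOME = "success"


def matches_rule(event: dict) -> bool:
    """True when a flattened ECS event satisfies dataset, action wildcard and outcome."""
    return (
        event.get("event.dataset") == RULE_DATASET
        # fnmatch's "*" also spans dots, so v1 and v1beta2 both match
        and fnmatch.fnmatchcase(event.get("event.action", ""), RULE_ACTION_PATTERN)
        and event.get("event.outcome") == RULE_OUTCOME
    )


def find_subscription_deletions(events: list[dict]) -> list[dict]:
    """Apply the rule to an event stream; return the fields an analyst triages first."""
    return [
        {"timestamp": ev.get("@timestamp"), "actor": ev.get("user.email"),
         "subscription": ev.get("gcp.audit.resource_name"), "source_ip": ev.get("source.ip")}
        for ev in events if matches_rule(ev)
    ]


# Constructed sample events (not real audit logs): a v1 deletion, a legacy v1beta2
# deletion, a denied attempt (no alert) and an unrelated Subscriber call (no alert).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.dataset": "gcp.audit",
     "event.action": "google.pubsub.v1.Subscriber.DeleteSubscription",
     "event.outcome": "success", "source.ip": "203.0.113.7",
     "user.email": "deploy-sa@example-project.iam.gserviceaccount.com",
     "gcp.audit.resource_name": "projects/example-project/subscriptions/orders-worker"},
    {"@timestamp": "2024-05-01T10:05:00Z", "event.dataset": "gcp.audit",
     "event.action": "google.pubsub.v1beta2.Subscriber.DeleteSubscription",
     "event.outcome": "success", "source.ip": "198.51.100.20", "user.email": "alice@example.com",
     "gcp.audit.resource_name": "projects/example-project/subscriptions/audit-sink"},
    {"@timestamp": "2024-05-01T10:06:00Z", "event.dataset": "gcp.audit", "user.email": "bob@example.com",
     "event.action": "google.pubsub.v1.Subscriber.DeleteSubscription", "event.outcome": "failure"},
    {"@timestamp": "2024-05-01T10:07:00Z", "event.dataset": "gcp.audit", "user.email": "alice@example.com",
     "event.action": "google.pubsub.v1.Subscriber.Acknowledge", "event.outcome": "success"},
]

if __name__ == "__main__":
    for hit in find_subscription_deletions(SAMPLE_EVENTS):
        print(hit)
```

Only the two successful DeleteSubscription calls produce alerts; the denied attempt is filtered out by the outcome clause, which is why failed deletion attempts need a separate rule if you want to see them.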
Categories
- Cloud
Data Sources
- Group
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1562
Created: 2020-09-23