GCP Pub/Sub Subscription Creation

Elastic Detection Rules

Summary
This rule identifies subscription creation in Google Cloud Platform's Pub/Sub messaging service. Pub/Sub provides asynchronous messaging between event producers and consumers; a subscription represents a stream of messages from a topic delivered to subscribing applications. Because adversaries might create a subscription to intercept or exfiltrate sensitive information carried on a topic, monitoring audit logs for successful subscription creation events is critical to detecting unauthorized actions. The rule triggers when the audit logs record a successful subscription creation in the defined data fields. Investigations stemming from this detection should assess the legitimacy of the subscription, verify the user's permissions, and distinguish routine administrative actions from suspicious behavior. Special attention should be given to any unfamiliar users or service accounts responsible for these actions, since their presence may indicate misuse or an ongoing security incident. The rule recommends maintaining a whitelist of trusted service accounts to minimize false positives from system administrators or automated tools, so that legitimate operational needs are not hindered.
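The following is an added example, not part of the Elastic rule or this page, showing the detection logic described above applied to constructed GCP Cloud Audit Log entries: it matches successful `CreateSubscription` calls, extracts the fields an analyst would triage (principal, subscription, topic, caller IP), and flags whether the principal is on an assumed allowlist of trusted service accounts. The sample log entries, the project name and the allowlist contents are constructed; the field layout (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `status.code`, `resourceName`) follows the Cloud Audit Logs format.

```python
import json

# Constructed sample Cloud Audit Log entries (not real logs), serialized as JSON
# lines the way Cloud Logging exports them. The project, principals and IPs are made up.
SAMPLE_LOG_LINES = [json.dumps(entry) for entry in [
    {   # 1. Successful creation by a human user -> should alert for review
        "timestamp": "2020-09-23T10:15:01Z",
        "protoPayload": {
            "methodName": "google.pubsub.v1.Subscriber.CreateSubscription",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.7"},
            "resourceName": "projects/example-project/subscriptions/audit-export-copy",
            "request": {"topic": "projects/example-project/topics/audit-export"},
        },
    },
    {   # 2. Successful creation by an allowlisted deploy service account -> matched, but trusted
        "timestamp": "2020-09-23T10:16:42Z",
        "protoPayload": {
            "methodName": "google.pubsub.v1.Subscriber.CreateSubscription",
            "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.0.0.5"},
            "resourceName": "projects/example-project/subscriptions/orders-worker",
            "request": {"topic": "projects/example-project/topics/orders"},
        },
    },
    {   # 3. Failed creation (status code 7 = PERMISSION_DENIED) -> not matched
        "timestamp": "2020-09-23T10:17:03Z",
        "protoPayload": {
            "methodName": "google.pubsub.v1.Subscriber.CreateSubscription",
            "authenticationInfo": {"principalEmail": "mallory@example.com"},
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
            "resourceName": "projects/example-project/subscriptions/billing-tap",
        },
    },
    {   # 4. Different Pub/Sub operation -> not matched by this rule
        "timestamp": "2020-09-23T10:18:30Z",
        "protoPayload": {
            "methodName": "google.pubsub.v1.Subscriber.DeleteSubscription",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/subscriptions/old-sub",
        },
    },
]]

# Assumed allowlist of service accounts whose subscription creation is routine.
TRUSTED_PRINCIPALS = {"deploy-bot@example-project.iam.gserviceaccount.com"}


def is_successful_subscription_creation(entry: dict) -> bool:
    """True when the entry records a successful Pub/Sub CreateSubscription call."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    # Match any Pub/Sub API version (v1, v1beta2, ...) of the Subscriber.CreateSubscription method.
    if not (method.startswith("google.pubsub.v") and method.endswith(".Subscriber.CreateSubscription")):
        return False
    # Cloud Audit Logs omit `status` (or use code 0) on success; a non-zero code means the call failed.
    return payload.get("status", {}).get("code", 0) == 0


def detect(log_lines, trusted=TRUSTED_PRINCIPALS):
    """Return one triage record per successful subscription creation, flagging untrusted principals."""
    alerts = []
    for line in log_lines:
        entry = json.loads(line)
        if not is_successful_subscription_creation(entry):
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        alerts.append({
            "timestamp": entry.get("timestamp"),
            "principal": principal,
            "subscription": payload.get("resourceName"),
            "topic": payload.get("request", {}).get("topic"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "trusted_principal": principal in trusted,
        })
    return alerts


def needs_review(alerts):
    """Keep only creations by principals outside the allowlist; these are the ones to investigate."""
    return [a for a in alerts if not a["trusted_principal"]]


if __name__ == "__main__":
    for alert in needs_review(detect(SAMPLE_LOG_LINES)):
        print(json.dumps(alert, indent=2))
```

The allowlist suppresses known automation, but the matched-and-trusted records are still returned so an analyst can review whether a trusted service account is subscribing to topics it does not normally touch; an allowlist reduces noise, it does not make a compromised service account benign.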
Categories
  • Cloud
  • GCP
  • Kubernetes
  • Containers
Data Sources
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1530
Created: 2020-09-23