
GCP Pub/Sub Topic Deletion

Elastic Detection Rules

Summary
This detection rule identifies the deletion of topics in Google Cloud Platform's (GCP) Pub/Sub service. Pub/Sub is a messaging service that lets decoupled systems communicate through asynchronous message publishing; it is also a common destination for Cloud Logging sinks, so deleting a topic can disrupt message flow and, where the topic carries logs or alerts, cut off a defender's visibility. An adversary may delete a topic to evade defenses or mask other activity (ATT&CK T1562, Impair Defenses). The rule monitors GCP audit logs for successful `google.pubsub.v*.Publisher.DeleteTopic` calls; the wildcard covers API version variants such as v1 and v1beta2. Investigation of a match should include reviewing the audit log entry for the timestamp, the principal (user or service account) and the affected topic, searching related GCP audit logs for anomalies such as other destructive actions by the same principal, and assessing whether that principal legitimately holds the `pubsub.topics.delete` permission. Note that deleting a topic does not delete its subscriptions: they are detached and reported as attached to `_deleted-topic_`, and recreating a topic with the same name does not reattach them. The rule can fire on legitimate administrative actions, automated scripts and routine maintenance; document such cases and add exceptions scoped to the specific service account or topic rather than suppressing the rule outright. The recommended response for a confirmed unauthorized deletion is to assess the impact, recreate the topic and its subscriptions where possible, and tighten access controls (least-privilege IAM roles, removal of broad `roles/pubsub.admin` grants) to prevent recurrence.
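The matching logic described above, run over a few constructed audit events, as an added example that is not the Elastic rule's own query or code. It assumes ECS-style flattened field names (`event.dataset`, `event.action`, `event.outcome`, `user.email`, `gcp.audit.resource_name`), a `gcp.audit` dataset name and a `success` outcome value; the events, the project names and the allowlisted cleanup service account are constructed for illustration.

```python
import fnmatch
from datetime import datetime

# Rule logic as the page describes it: a successful DeleteTopic call in the GCP audit log.
DATASET = "gcp.audit"
ACTION_GLOB = "google.pubsub.v*.Publisher.DeleteTopic"
OUTCOME = "success"

# Hypothetical exception: a known cleanup automation identity (constructed, not from the page).
ALLOWLISTED_PRINCIPALS = frozenset({"pubsub-cleanup@example-prod.iam.gserviceaccount.com"})

# Constructed ECS-style events, flattened to dotted keys. Field names are assumptions
# about how the audit log is normalised, not taken from the page.
SAMPLE_EVENTS = [
    {  # interactive user deletes a production topic: should alert
        "@timestamp": "2024-05-01T12:34:56+00:00",
        "event.dataset": "gcp.audit",
        "event.action": "google.pubsub.v1.Publisher.DeleteTopic",
        "event.outcome": "success",
        "user.email": "alice@example.com",
        "gcp.audit.resource_name": "projects/example-prod/topics/orders",
    },
    {  # cleanup service account via the v1beta2 API: matches, but is known automation
        "@timestamp": "2024-05-01T03:00:00+00:00",
        "event.dataset": "gcp.audit",
        "event.action": "google.pubsub.v1beta2.Publisher.DeleteTopic",
        "event.outcome": "success",
        "user.email": "pubsub-cleanup@example-prod.iam.gserviceaccount.com",
        "gcp.audit.resource_name": "projects/example-prod/topics/tmp-ci-1234",
    },
    {  # denied attempt: not a successful deletion, so no match
        "@timestamp": "2024-05-01T12:40:00+00:00",
        "event.dataset": "gcp.audit",
        "event.action": "google.pubsub.v1.Publisher.DeleteTopic",
        "event.outcome": "failure",
        "user.email": "bob@example.com",
        "gcp.audit.resource_name": "projects/example-prod/topics/orders",
    },
    {  # topic creation, not deletion: no match
        "@timestamp": "2024-05-01T12:41:00+00:00",
        "event.dataset": "gcp.audit",
        "event.action": "google.pubsub.v1.Publisher.CreateTopic",
        "event.outcome": "success",
        "user.email": "alice@example.com",
        "gcp.audit.resource_name": "projects/example-prod/topics/orders-v2",
    },
    {  # same action string but a different dataset: the dataset gate rejects it
        "@timestamp": "2024-05-01T12:42:00+00:00",
        "event.dataset": "aws.cloudtrail",
        "event.action": "google.pubsub.v1.Publisher.DeleteTopic",
        "event.outcome": "success",
        "user.email": "alice@example.com",
        "gcp.audit.resource_name": "projects/example-prod/topics/orders",
    },
]


def matches_rule(event):
    """True when the event is a successful Pub/Sub DeleteTopic from the GCP audit log."""
    return (
        event.get("event.dataset") == DATASET
        and fnmatch.fnmatchcase(event.get("event.action", ""), ACTION_GLOB)
        and event.get("event.outcome") == OUTCOME
    )


def triage(event, allowlist=ALLOWLISTED_PRINCIPALS):
    """Extract the who/what/when an analyst looks at first and flag known automation."""
    principal = event.get("user.email", "<unknown>")
    return {
        "timestamp": datetime.fromisoformat(event["@timestamp"]),
        "principal": principal,
        "topic": event.get("gcp.audit.resource_name", "<unknown>"),
        "service_account": principal.endswith(".gserviceaccount.com"),
        # Allowlisted matches are kept, not dropped, so the exception stays auditable.
        "allowlisted": principal in allowlist,
    }


def run_rule(events, allowlist=ALLOWLISTED_PRINCIPALS):
    """Return a triage record for every event the rule matches, in input order."""
    return [triage(e, allowlist) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        tag = "EXCEPTION" if alert["allowlisted"] else "ALERT"
        print(f"{tag}: {alert['principal']} deleted {alert['topic']} "
              f"at {alert['timestamp'].isoformat()}")
```

The exception is scoped to a specific principal and still produces a record, which is the shape of exception the summary recommends: routine automation is recognised without hiding a deletion by any other identity, and a later review can confirm the allowlisted account only ever removed the topics it was meant to.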
Categories
  • Cloud
Data Sources
  • Group
  • Cloud Service
ATT&CK Techniques
  • T1562
Created: 2020-09-18