Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.
Rule type: query
Risk score: 21
Runs every: 5 minutes
Maximum alerts per execution: 100
- Continuous Monitoring
- Log Auditing
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
The GCP Filebeat module must be enabled to use this rule.
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success
Framework: MITRE ATT&CKTM
- Version 3 (7.11.2 release)
- Formatting only
- Version 2 (7.11.0 release)
Updated query, changed from:
event.dataset:googlecloud.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success