Suspicious GCP API calls indicating Pub/Sub subscription deletion
Description
AlphaSOC detected the deletion of a Google Cloud Pub/Sub subscription via
google.pubsub.v1.Subscriber.DeleteSubscription. Adversaries may delete
subscriptions as a defense evasion technique or to disrupt legitimate
operations.
Impact
Deleting Pub/Sub subscriptions can disrupt message delivery to dependent services and applications. When used as a defense evasion technique, attackers may remove subscriptions that feed security monitoring or logging systems, creating blind spots and reducing visibility.
Severity
| Severity | Condition |
|---|---|
| Informational | GCP API calls indicating Pub/Sub subscription deletion |
| Low | Unexpected GCP API calls indicating Pub/Sub subscription deletion |
| Medium | Suspicious GCP API calls indicating Pub/Sub subscription deletion |
Investigation and Remediation
Review the deleted subscription details and identify which services relied on it. Verify the identity of the user who deleted the subscription and confirm the action was authorized. Determine if the subscription was part of security monitoring or logging infrastructure. If unauthorized, recreate the subscription and investigate the user's account for signs of compromise.
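The triage steps above, as an added example that is not part of AlphaSOC's detection or this page: it reads Cloud Audit Log entries, keeps only DeleteSubscription calls, and extracts the deleting principal, the subscription and the caller IP for review. The allowlist of principals expected to delete subscriptions, the name fragments used to spot monitoring or logging subscriptions, and the log entries themselves are constructed assumptions; mapping "expected principal" to informational, "unexpected" to low and "unexpected plus monitoring-related" to medium is one interpretation of the severity table.

```python
import json

DELETE_METHOD = "google.pubsub.v1.Subscriber.DeleteSubscription"
# Hypothetical: principals expected to delete subscriptions (e.g. an IaC pipeline).
AUTHORIZED_PRINCIPALS = {"terraform@example-project.iam.gserviceaccount.com"}
# Name fragments suggesting the subscription fed security monitoring or logging.
MONITORING_HINTS = ("siem", "log", "audit", "monitor", "security")

# Constructed Cloud Audit Log entries (one JSON object per line), not real data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.CreateSubscription",
        "resourceName": "projects/p1/subscriptions/orders-worker",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.5"}}},
    {"timestamp": "2024-05-01T10:05:00Z", "protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": DELETE_METHOD,
        "resourceName": "projects/p1/subscriptions/audit-log-siem-sink",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7"}}},
    {"timestamp": "2024-05-01T10:06:00Z", "protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": DELETE_METHOD,
        "resourceName": "projects/p1/subscriptions/orders-worker",
        "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.9"}}},
])


def triage_deletions(log_text):
    """Return one finding per DeleteSubscription call, in log order."""
    findings = []
    for line in log_text.splitlines():
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != DELETE_METHOD:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        subscription = payload.get("resourceName", "")
        short_name = subscription.rsplit("/", 1)[-1].lower()
        expected = principal in AUTHORIZED_PRINCIPALS
        monitoring = any(h in short_name for h in MONITORING_HINTS)
        # Unexpected deletion of a monitoring/logging feed is the blind-spot case.
        severity = "informational" if expected else ("medium" if monitoring else "low")
        findings.append({
            "timestamp": json.loads(line).get("timestamp"),
            "principal": principal, "subscription": subscription,
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "severity": severity})
    return findings
```

Each finding carries what the investigation steps need first: who deleted which subscription, from where, and whether the name suggests a security-monitoring dependency.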