Suspicious GCP API calls indicating Pub/Sub topic deletion
Description
AlphaSOC detected the deletion of a Google Cloud Pub/Sub topic. Pub/Sub topics are used for asynchronous messaging between services, including security-related functions like log forwarding. Attackers may delete topics to disrupt services or interfere with logging and monitoring pipelines.
Impact
Deleting Pub/Sub topics can disrupt critical business operations and break integrations between services. When topics used for log forwarding are deleted, security monitoring may be impaired, allowing malicious activity to go undetected. Topic deletion may also cause data loss for messages that were pending delivery.
Severity
| Severity | Condition |
|---|---|
| Informational | Pub/Sub topic deleted |
| Low | Pub/Sub topic deleted with anomalous behavioral patterns |
| Medium | Pub/Sub topic deleted in suspicious context |
Investigation and Remediation
Review GCP audit logs for the google.pubsub.v1.Publisher.DeleteTopic action to identify who deleted the topic and which topic was affected. Determine whether the topic was used for logging or other security-critical functions.
If unauthorized, investigate the scope of the compromise and identify any gaps in logging or monitoring that resulted from the deletion. Recreate the topic and restore subscriptions to resume normal operations.
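The triage step above, as an added example that is not part of AlphaSOC's own detection code: it reads exported Cloud Audit Log entries (newline-delimited JSON, the standard protoPayload layout), keeps only DeleteTopic events, pulls out the principal, caller IP and topic, and flags deletions of topics in an assumed, placeholder list of log-forwarding topics so they are reviewed first. The sample log lines are constructed.

```python
import json

# Audit log method name named in the investigation guidance on this page.
DELETE_TOPIC = "google.pubsub.v1.Publisher.DeleteTopic"

# Assumption: topics this organisation uses to forward logs (placeholder names).
LOG_FORWARDING_TOPICS = {
    "projects/example-prod/topics/audit-log-export",
}

# Constructed sample Cloud Audit Log entries (not real data), one JSON object per line.
SAMPLE_LOG = """
{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"methodName":"google.pubsub.v1.Publisher.DeleteTopic","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.5"},"resourceName":"projects/example-prod/topics/audit-log-export"}}
{"timestamp":"2024-05-01T10:05:00Z","protoPayload":{"methodName":"google.pubsub.v1.Publisher.DeleteTopic","authenticationInfo":{"principalEmail":"ci-bot@example-prod.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.7"},"resourceName":"projects/example-prod/topics/legacy-orders"}}
{"timestamp":"2024-05-01T10:06:00Z","protoPayload":{"methodName":"google.pubsub.v1.Publisher.CreateTopic","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-prod/topics/new-topic"}}
"""


def parse_delete_topic_events(ndjson: str) -> list[dict]:
    """Return one triage record per DeleteTopic audit entry; other methods are skipped."""
    events = []
    for line in ndjson.strip().splitlines():
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != DELETE_TOPIC:
            continue
        topic = payload.get("resourceName", "")
        events.append({
            "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "topic": topic,
            # Deleting a log-forwarding topic can blind monitoring, so it gets priority.
            "log_forwarding": topic in LOG_FORWARDING_TOPICS,
        })
    return events


def triage(ndjson: str) -> list[dict]:
    """Order DeleteTopic events so log-forwarding topics come first (sort is stable)."""
    return sorted(parse_delete_topic_events(ndjson), key=lambda e: not e["log_forwarding"])


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flag = "LOG-FORWARDING TOPIC" if e["log_forwarding"] else "other topic"
        print(f"{e['time']} {e['principal']} from {e['caller_ip']} deleted {e['topic']} [{flag}]")
```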
Known False Positives
- Cleanup of unused or deprecated topics
- Infrastructure changes during migration