GCP Pub/Sub Subscription Creation
This rule detects the creation of a subscription in Google Cloud Platform (GCP) Pub/Sub, which could indicate unauthorized access to data streams by adversaries attempting to intercept or exfiltrate sensitive information.
This detection rule identifies the creation of a subscription within Google Cloud Platform's (GCP) Pub/Sub service. Pub/Sub is a messaging service that facilitates asynchronous communication between applications, decoupling event producers and consumers. A subscription represents a named resource that directs a stream of messages to a subscribing application. The rule focuses on detecting potentially malicious activity where an attacker creates an unauthorized subscription to intercept or exfiltrate sensitive data. The original Elastic detection rule was created in 2020 and updated in April 2026. This activity is relevant because unauthorized subscriptions can lead to significant data breaches and compromise of sensitive information within cloud environments.
Attack Chain
- An attacker gains unauthorized access to a GCP account, potentially through compromised credentials or a misconfigured IAM role.
- The attacker leverages the gcloud CLI or the GCP console to interact with the Pub/Sub service.
- The attacker crafts a request to create a new Pub/Sub subscription. This request includes specifying the topic to subscribe to and configuring the subscription's settings.
- The attacker executes the subscription creation request, which is logged as a
google.pubsub.v*.Subscriber.CreateSubscriptionevent in the GCP audit logs. - The newly created subscription begins receiving messages published to the specified topic.
- The attacker configures the subscription to forward messages to an external endpoint or stores them in a cloud storage bucket under their control.
- The attacker exfiltrates the collected data from the external endpoint or storage bucket.
- The attacker attempts to cover their tracks by deleting logs or modifying audit configurations (not covered by this specific rule).
Impact
Successful exploitation can lead to the exfiltration of sensitive data transmitted through the Pub/Sub service. This includes potentially confidential business data, customer information, or internal communications. The number of victims depends on the scope of the compromised GCP environment and the sensitivity of the data handled by the affected Pub/Sub topics. Financial losses, reputational damage, and legal ramifications are all potential consequences of a successful attack.
Recommendation
- Deploy the Sigma rule "GCP Pub/Sub Subscription Creation Detected" to your SIEM and tune for your environment to detect suspicious subscription creation activities.
- Review the permissions and roles assigned to users and service accounts involved in subscription creation activities to ensure they adhere to the principle of least privilege (reference the overview section).
- Enable and monitor GCP audit logs to capture all subscription creation events (reference the rule description).
- Investigate any alerts generated by the Sigma rule by checking the associated project and topic details to ensure they align with expected configurations (reference the rule's investigation guide).
Detection coverage 2
GCP Pub/Sub Subscription Creation Detected
lowDetects the creation of a Pub/Sub subscription in GCP, which could indicate unauthorized data access.
GCP Pub/Sub Subscription Creation by Unusual Identity
mediumDetects GCP Pub/Sub subscription creation by unusual or high-risk identities.
Detection queries are available on the platform. Get full rules →