[New Rule] GCP Pub/Sub Topic Deletion

[bm11100]

Issue(s)

resolves #259

Description

Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples services that produce events from services that process events. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.

Checklists

Use strikethroughs to remove items which are not applicable to this issue.

For submitter

• Verify all query fields co-exist in a single event source (beats) or annotated otherwise
  -- Query field process.name.text doesn't currently exist in endgame- eventing data, but does exist for winlogbeats, and is case insensitive.
• Verify all query fields co-exist within a single ECS version and annotated the minimum version
  -- 1.4.0
• Verified the query detects the intended event(s)
  • detonate
  • search in discover
  • trigger as a custom signal
• Create rule using create-rule
• Verify and convert to standard linting (toml-lint -f <rule-file>)
• Run tests using pytest -x -v unit_tests or make test
• Internal search to determine noise and FP

For reviewers

• Verify existing rule for activity doesn't exist as a siem or endpoint rule (unless intentionally specified in issue)
• Verify all query fields co-exist in a single event source (*beats) or annotated otherwise
• Verify all query fields co-exist within a single ECS version and annotated the minimum version
• Internal search to determine noise and FP
• Verify metadata accuracy and spelling

[brokensound77]

One recommendation on description, then LGTM 👍

[threat-punter]

LGTM. Consider adding "defense_evasion" to the file name if you feel like it fits under that tactic.