Manage toxic combinations

This page provides instructions for working with toxic combination cases in the Security Operations console.

Before you begin

To ensure that the detection of toxic combinations is accurate, make sure that the security operations component software is up to date, that your high-value resources are designated accurately, and that you have the proper IAM permissions.

Obtain the required permissions

To work with toxic combination findings and cases across both the Google Cloud console and the Security Operations console, you need permissions granted to you in both consoles.

Google Cloud console IAM roles

Make sure that you have the following role or roles on the organization:

  • Security Center Admin Viewer (roles/securitycenter.adminViewer), to view assets, findings, and attack paths in Security Command Center.
  • Security Center Assets Viewer (roles/securitycenter.assetsViewer), to view only resources.
  • Security Center Attack Paths Reader (roles/securitycenter.attackPathsViewer), to view only attack paths.
  • Security Center Findings Editor (roles/securitycenter.findingsEditor), to view, mute, and edit findings.
  • Security Center Findings Mute Setter (roles/securitycenter.findingsMuteSetter), to mute findings only.
  • Security Center Findings Viewer (roles/securitycenter.findingsViewer), to view only findings.

Check for the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. In the Principal column, find the row that has your email address.

    If your email address isn't in that column, then you don't have any roles on the organization.

  4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.
  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your email address.
  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

For more information about Security Command Center roles and permissions, see IAM for organization-level activations.
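The two procedures above check and grant roles by clicking through the console. The following is an added example (not Google's code) that performs the same check against the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints, which is the standard IAM policy format of `bindings` mapping a role to its members. The sample policy, the principals, the organization ID and the condition expression are constructed placeholders. It reports which of the Security Command Center roles listed above a principal holds directly, separates conditional bindings (which may not apply at all times), and builds the `gcloud organizations add-iam-policy-binding` commands for any required roles that are still missing, without running them.

```python
"""Check an organization IAM policy for the Security Command Center roles
listed on this page. Added example; not part of Google's documentation."""
import json

# The roles named in the "Google Cloud console IAM roles" list.
SCC_ROLES = {
    "roles/securitycenter.adminViewer": "view assets, findings, and attack paths",
    "roles/securitycenter.assetsViewer": "view resources only",
    "roles/securitycenter.attackPathsViewer": "view attack paths only",
    "roles/securitycenter.findingsEditor": "view, mute, and edit findings",
    "roles/securitycenter.findingsMuteSetter": "mute findings only",
    "roles/securitycenter.findingsViewer": "view findings only",
}

# Constructed sample policy in the shape that
# `gcloud organizations get-iam-policy ORG_ID --format=json` prints.
# Principals, the condition and the etag are placeholders, not real values.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/securitycenter.findingsViewer",
     "members": ["user:analyst@example.com", "group:soc@example.com"]},
    {"role": "roles/securitycenter.attackPathsViewer",
     "members": ["user:analyst@example.com"]},
    {"role": "roles/securitycenter.findingsEditor",
     "members": ["user:lead@example.com"]},
    {"role": "roles/securitycenter.findingsMuteSetter",
     "members": ["user:analyst@example.com"],
     "condition": {"title": "constructed-condition",
                   "expression": "request.time.getHours('UTC') >= 18"}},
    {"role": "roles/viewer",
     "members": ["user:analyst@example.com"]}
  ],
  "etag": "CONSTRUCTED_ETAG",
  "version": 3
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def scc_roles_for_principal(policy, principal):
    """Return (unconditional, conditional) sets of SCC roles bound directly
    to `principal` (for example "user:analyst@example.com").

    Only direct bindings are visible here: a role granted through a group
    appears under the group member, so resolving group membership is a
    separate step.
    """
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in SCC_ROLES or principal not in binding.get("members", []):
            continue
        # A binding with a "condition" only applies while the CEL expression holds.
        target = conditional if "condition" in binding else unconditional
        target.add(role)
    return unconditional, conditional


def missing_roles(policy, principal, required):
    """Required SCC roles that the principal does not hold unconditionally."""
    held, _ = scc_roles_for_principal(policy, principal)
    return sorted(set(required) - held)


def grant_commands(org_id, principal, roles):
    """Build (but do not run) the gcloud commands that add the missing bindings."""
    return [
        f"gcloud organizations add-iam-policy-binding {org_id} "
        f"--member={principal} --role={role}"
        for role in roles
    ]


if __name__ == "__main__":
    who = "user:analyst@example.com"
    held, cond = scc_roles_for_principal(SAMPLE_POLICY, who)
    for role in sorted(held):
        print(f"{who} has {role}: {SCC_ROLES[role]}")
    for role in sorted(cond):
        print(f"{who} has {role} only under a condition: {SCC_ROLES[role]}")
    need = missing_roles(SAMPLE_POLICY, who,
                         ["roles/securitycenter.findingsViewer",
                          "roles/securitycenter.findingsEditor"])
    for cmd in grant_commands("ORG_ID_PLACEHOLDER", who, need):
        print("to grant:", cmd)
```

Replace `ORG_ID_PLACEHOLDER` with your organization ID and pipe the real policy into `json.loads` to run this against your own organization; the `viewer` binding in the sample is ignored because it is not one of the roles the page lists.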

Security Operations console roles

To work with toxic combination findings and cases in the Security Operations console, you need any one of the following roles:

  • Chronicle SOAR Vulnerability Manager
  • Chronicle SOAR Threat Manager
  • Chronicle SOAR Admin

For information about granting the role to a user, see Map and authorize users using IAM.

Install the latest security operations use case

The toxic combination feature requires the June 25, 2024 or later release of the SCC Enterprise – Cloud Orchestration and Remediation use case.

For information about installing the use case, see Update Enterprise use case, June 2024.

Specify which of your resources are high-value

You don't need to enable the detection of toxic combinations—it's always on—but you do need to specify which of your cloud resources are high-value resources.

Until you specify which of your resources are high-value resources, Risk Engine detects toxic combinations that expose a default high-value resource set.

Toxic combination findings generated based on the default high-value resource set are unlikely to accurately reflect your security priorities.

To specify which of your resources are high-value resources, you create resource value configurations. For instructions, see Define and manage your high-value resource set.

View toxic combination cases

You can see an overview of all of the toxic combination cases and see the details of each case in the Security Operations console.

View an overview of all toxic combination cases

On the Posture Overview page, several widgets provide you with a quick overview of the toxic combination cases in your cloud environment. You can find the following information:

  • Open Toxic Combination Cases: The number of open toxic combination cases at each priority level. Click the bar for a given priority to open a list view of the cases.
  • Top Toxic Combination cases: The top toxic combination cases sorted by attack exposure score. Click the case ID to open a case.
  • Toxic Combination cases exceeding SLA: The toxic combination cases sorted by the time left in their service level agreement (SLA). Click the case ID to open a case.

You can find the Posture Overview page at the following URL:

https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/overview

Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

View the details of a toxic combination case

In any list view of toxic combination cases, you can open the case details by clicking the ID of the case.

  1. In the Security Operations console, go to Cases.

    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

    The Cases page opens with the Side-by-Side view selected.

  2. At the top of the list of cases, click the filter icon. The Case queue filter panel opens.

  3. In the Case queue filter, specify the following:

    1. In the Time Frame field, specify the time period in which the case is active.
    2. Set Logical operator to AND.
    3. For the first value under Logical operator, select Tags from the menu.
    4. For the second value, select Toxic combinations.
    5. Specify other value pairs as needed to find the particular case that you need to see.
    6. Click Apply. The cases in the case queue are updated to show only the cases that match the filter you specified.
  4. From the case queue, select the case you need to see. The case information displays, including the following tabbed views:

    • Case overview tab provides information about the toxic combination case, including a simplified attack path diagram, a list of related findings, a list of similar cases, alerts, an entities graph, and more.
    • Case wall tab contains a record of actions, status changes, tasks, comments, and more.
    • Finding alert tab provides more detailed information about the toxic combination, including the following:
      • Under Overview, a description of the toxic combination and next steps that you can take to remediate the toxic combination.
      • Under Events, a listing of finding properties.
      • Under Playbooks, a listing of associated playbooks.

Prioritize toxic combination cases

To prioritize a toxic combination case relative to other posture cases, compare their attack exposure scores.

Generally, prioritize the remediation of a toxic combination case over the remediation of cases for other posture finding categories, unless the attack exposure score on the case for another finding category is significantly higher than the score of the toxic combination case.

Toxic combination cases warrant the higher priority because a toxic combination represents a complete path that a determined attacker who gained access to your cloud environment could reasonably follow from the public internet to one or more of your high-value resources.

In the Security Operations console, you can see the toxic combination cases that have the highest attack exposure scores in the Top Toxic Combination cases widget on the Overview page under Posture.

You can sort all toxic combination cases by attack exposure score on the Cases page. For more information about viewing, filtering, and sorting toxic combination cases, see View toxic combination cases.
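The ranking rule above (toxic combination cases first, unless another posture case has a significantly higher attack exposure score) can be expressed as a sort key. The following is an added example, not Google's code: the case records, their tags and scores are constructed, and the `SIGNIFICANT_FACTOR` of 2 is an assumed definition of "significantly higher", since the page gives no number. Each non-toxic-combination case is ranked on its score divided by that factor, so it outranks a toxic combination case only when its raw score is more than twice as high.

```python
"""Order posture cases for triage by attack exposure score, giving toxic
combination cases precedence. Added example; not Google's code."""

# Assumed: "significantly higher" means at least this multiple of a toxic
# combination case's attack exposure score. Tune to your own risk appetite.
SIGNIFICANT_FACTOR = 2.0

# Constructed sample cases with the tag the filter procedure above uses.
SAMPLE_CASES = [
    {"id": "TC-1", "tags": ["Toxic combinations"], "attack_exposure_score": 45.0},
    {"id": "VULN-7", "tags": ["Vulnerability"], "attack_exposure_score": 60.0},
    {"id": "MISCONF-3", "tags": ["Misconfiguration"], "attack_exposure_score": 120.0},
    {"id": "TC-2", "tags": ["Toxic combinations"], "attack_exposure_score": 30.0},
]


def is_toxic_combination(case):
    """True when the case carries the Toxic combinations tag."""
    return "Toxic combinations" in case.get("tags", [])


def effective_score(case, factor=SIGNIFICANT_FACTOR):
    """Score used for ordering: other posture cases are discounted by `factor`,
    so they only outrank a toxic combination when their raw score exceeds
    factor * the toxic combination's score."""
    score = float(case["attack_exposure_score"])
    return score if is_toxic_combination(case) else score / factor


def triage_order(cases, factor=SIGNIFICANT_FACTOR):
    """Return case IDs from highest to lowest priority. Ties go to the toxic
    combination case, matching the page's default preference."""
    ranked = sorted(
        cases,
        key=lambda c: (-effective_score(c, factor), 0 if is_toxic_combination(c) else 1),
    )
    return [c["id"] for c in ranked]


if __name__ == "__main__":
    for case_id in triage_order(SAMPLE_CASES):
        print(case_id)
```

With the sample data, MISCONF-3 (score 120) is ranked ahead of TC-1 (score 45) because 120 is more than twice 45, while VULN-7 (score 60) falls behind both toxic combination cases even though its raw score is higher than theirs.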

Remediate a toxic combination

You can find guidance for remediating a toxic combination finding in the case that is opened for the finding in the Security Operations console, or in the finding record itself.

View remediation guidance in a case

To view remediation guidance in a toxic combination case, follow these steps:

  1. Go to the Cases page in the Security Operations console.

    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Open the case for the toxic combination that you need to remediate.

  3. Click either the Case tab or the Alert tab.

  4. Review the Next steps section in one of the following widgets:

    • If you clicked the Case tab, the Case summary widget.
    • If you clicked the Alert tab, the Finding summary widget.

    If necessary, scroll past the Finding description to see the Next steps.

View remediation guidance in a toxic combination finding

To view the remediation guidance in a finding record, follow these steps:

  1. In the Security Operations console, go to Posture > Findings.

    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Find the toxic combination finding by either selecting Quick Filters or editing the finding query.

  3. Click the finding category name to open the finding details. The finding details page opens.

  4. On the finding details page in the Next steps section of the Summary tab, review the remediation guidance.

Review the findings in a toxic combination case

Usually, a toxic combination includes one or more findings of a software vulnerability or a misconfiguration. For each of these findings, Security Command Center automatically opens a separate case and runs the associated playbooks. You can review the cases for these findings, and ask the ticket owners to prioritize their remediation to resolve the toxic combination.

To review the findings in a toxic combination, follow these steps:

  1. In the Security Operations console, go to Cases.

    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Locate and open the toxic combination case.

  3. Select the case overview tab.

  4. In the Findings section of the case overview tab, review the listed findings.

  5. Click a finding to display summary information about the finding, including the case ID, the attack exposure score, and any ticket ID for the finding.

    • Click the case ID of the finding to open the case and view its status, assigned owner, and other case information.
    • Click the attack exposure score to review the attack path for the finding.
    • Click the ticket ID to open the ticket for the finding.

Close a toxic combination case

You can close a case for a toxic combination by either remediating the underlying toxic combination or by muting the toxic combination finding in the Google Cloud console.

Close a case by remediating a toxic combination

After you remediate one or more of the security issues that make up a toxic combination, so that it no longer exposes any high-value resources, Risk Engine closes the toxic combination case automatically during the next attack path simulation, which runs approximately every six hours.

To remediate a toxic combination, follow the guidance provided in the toxic combination case under Next steps.

For more information, see How to remediate a toxic combination.

Close a case by muting the finding

If the risk that is posed by the toxic combination is acceptable to your business or you can't remediate the toxic combination, you can close the case by muting the toxic combination finding.

To mute a toxic combination finding, follow these steps:

  1. In the Security Operations console, go to Cases.

    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. Locate and open the toxic combination case.

  3. Select the finding alert tab.

  4. In the lower right corner of the Finding summary widget, click Explore. The toxic combination finding opens.

  5. Use the Mute options in the upper right corner of the finding details page to mute the finding.

You can also mute findings in the Google Cloud console. For more information, see Mute an individual finding.

View closed toxic combination cases

When a case in the Security Operations console is closed, Security Command Center removes it from the Cases page.

To view a closed toxic combination case, follow these steps:

  1. In the Security Operations console, go to the SOAR Search page.

    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/sp-search

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. On the left side of the page, under Status, specify Closed.

  3. Under Tags, specify Toxic combination.

  4. Click Apply. Any closed toxic combination cases are displayed in the search results.