This page provides instructions for identifying and responding to toxic combinations and chokepoints (Preview) by using issues (Preview), cases, or findings.
Before you begin
To ensure that the detection of toxic combinations and chokepoints is accurate, check that the security operations component software is up to date, that your high-value resource set is designated accurately, and that you have the proper IAM permissions.
Obtain the required permissions
To work with toxic combinations and chokepoints across both the Google Cloud console and the Security Operations console, you need permissions granted to you in both consoles.
Google Cloud console IAM roles
Make sure that you have the following role or roles on the organization:
- Security Center Admin Viewer (roles/securitycenter.adminViewer), to view assets, findings, and attack paths in Security Command Center.
- Security Center Assets Viewer (roles/securitycenter.assetsViewer), to view only resources.
- Security Center Attack Paths Reader (roles/securitycenter.attackPathsViewer), to view only attack paths.
- Security Center Findings Editor (roles/securitycenter.findingsEditor), to view, mute, and edit findings.
- Security Center Findings Mute Setter (roles/securitycenter.findingsMuteSetter), to mute findings only.
- Security Center Findings Viewer (roles/securitycenter.findingsViewer), to view only findings.
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
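The same check can be scripted against the organization's IAM policy, exported with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`. The following is an added example, not code from the page or from Google; the policy document is constructed, and the group memberships are passed in by hand because an IAM policy does not expand groups.

```python
"""Check whether a principal holds any of the Security Command Center roles
listed on this page, using an organization IAM policy exported as JSON.

Added example, not part of the original page. The policy below is constructed;
a real one can be exported with:
    gcloud organizations get-iam-policy ORGANIZATION_ID --format=json
"""
import json

# Roles from this page that allow working with toxic combinations and chokepoints.
SCC_ROLES = {
    "roles/securitycenter.adminViewer",
    "roles/securitycenter.assetsViewer",
    "roles/securitycenter.attackPathsViewer",
    "roles/securitycenter.findingsEditor",
    "roles/securitycenter.findingsMuteSetter",
    "roles/securitycenter.findingsViewer",
}

# Constructed sample policy in the shape that get-iam-policy emits.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer",
   "members": ["user:alice@example.com"]},
  {"role": "roles/securitycenter.findingsEditor",
   "members": ["group:sec-ops@example.com"]},
  {"role": "roles/securitycenter.adminViewer",
   "members": ["user:bob@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}}
]}
""")


def scc_roles_for(policy, user_email, group_emails=()):
    """Return (unconditional, conditional) sets of SCC roles bound to the user
    directly or through any of the given groups. Conditional bindings are kept
    apart: the role applies only while its condition is true, so the console
    may still deny access even though the role appears in the Role column."""
    principals = {f"user:{user_email}"} | {f"group:{g}" for g in group_emails}
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in SCC_ROLES or principals.isdisjoint(binding.get("members", [])):
            continue
        (conditional if "condition" in binding else unconditional).add(role)
    return unconditional, conditional


def has_scc_access(policy, user_email, group_emails=()):
    """True when at least one listed role is bound without a condition."""
    return bool(scc_roles_for(policy, user_email, group_emails)[0])
```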
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
For more information about Security Command Center roles and permissions, see IAM for organization-level activations.
Security Operations console roles
To work with toxic combinations and cases in the Security Operations console, you need any one of the following roles:
- Chronicle SOAR Vulnerability Manager
- Chronicle SOAR Threat Manager
- Chronicle SOAR Admin
For information about granting the role to a user, see Map and authorize users using IAM.
Install the latest security operations use case
The toxic combination feature requires the June 25, 2024 or later release of the SCC Enterprise – Cloud Orchestration and Remediation use case.
For information about installing the use case, see Update Enterprise use case, June 2024.
Specify your high-value resource set
You don't need to enable the detection of toxic combinations and chokepoints—it's always on. Risk Engine automatically detects toxic combinations and chokepoints that expose a default high-value resource set.
Toxic combination and chokepoint findings generated based on the default high-value resource set are unlikely to accurately reflect your security priorities. To specify which resources are part of your high-value resource set, you create resource value configurations in the Google Cloud console. For instructions, see Define and manage your high-value resource set.
Remediate toxic combinations and chokepoints
Toxic combinations and chokepoints can expose many high-value resources to potential attackers. You should remediate them before other risks in your cloud environments.
You can prioritize the order in which you remediate toxic combinations and chokepoints based on their attack exposure score. How you do this changes depending on where you view toxic combinations and chokepoints.
Issues (Preview)
The highest risk toxic combinations and chokepoints are displayed as issues on the Risk > Overview page of the Security Operations console.
All toxic combinations and chokepoints can be viewed on the Risk > Issues page.
To remediate an issue, complete the following instructions:
- To view all issues in the Security Operations console, go to Issues: https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/security-command-center/issues
  Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier. By default, grouped issues are ranked by severity. Within the group, the issues are ranked by attack exposure score. To sort all issues by attack exposure score instead, disable Group by detections.
- Select an issue.
- Review the issue's description and evidence.
- If there are related findings, view their details.
- If multiple critical issues are found on a primary resource in a toxic combination or chokepoint (Preview), a message displays after the Evidence diagram. To optimize your remediation efforts, click Filter issues for this primary resource in this message to focus on resolving issues for that specific resource. Click the back arrow near Add filter when you want to remove the filter.
- Click Explore full attack paths in the Evidence diagram for an in-depth understanding of the issue, and how the attack paths expose high-value resources.
- Click How to fix, and follow the guidance to help mitigate the risk.
Cases
You can view all toxic combination cases by going to the Cases page. Chokepoints don't automatically generate a case, and should be viewed on the Issues page.
To find toxic combinations in cases, complete the following instructions:
- In the Security Operations console, go to Cases: https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases
  Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier. The Cases page opens with the Side-by-Side view selected.
- In the list of cases, click Cases filter to open the filter panel. The Case queue filter panel opens.
- In the Case queue filter, specify the following:
  - In the Time frame field, specify the time period in which the case is active.
  - Set Logical operator to AND.
  - In the filter key list box, select Tags.
  - Set the equality operator to is.
  - In the filter value list box, select Toxic combination.
  - Click Apply. The cases in the case queue are updated to show only the cases that match the filter you specified.
- Click Sort next to Cases filter, and select Sort by attack exposure (high to low).
- From the case queue, click the case you want to see. If you are viewing cases in List view, click the case ID instead. The case information displays.
- Click Case overview.
- In the Case summary section, follow the Next steps guidance.
Review related findings in toxic combination cases
Usually, a toxic combination includes one or more findings of a software vulnerability or a misconfiguration. For each of these findings, Security Command Center automatically opens a separate case and runs the associated playbooks. You can review the cases for these findings, and ask the ticket owners to prioritize their remediation to help resolve the toxic combination.
To review the related findings in a toxic combination, follow these steps:
- From the Case overview tab of a case, go to the Findings section.
- In the Findings section, review the listed findings.
- Click the case ID of the finding to open the case and view its status, assigned owner, and other case information.
- Click the attack exposure score to review the attack path for the finding.
- If the finding has a ticket ID, click it to open the ticket.
Alternatively, you can view related findings in their own alert tabs in the case.
Findings
A toxic combination or chokepoint finding is the initial record that Risk Engine generates when it detects a toxic combination or chokepoint in your cloud environment.
You can view toxic combination and chokepoint findings in the following places:
- The Findings page in the Google Cloud console.
- The Findings page in the Security Operations console.
Google Cloud console
To remediate toxic combination and chokepoint findings in the Google Cloud console, complete the following steps:
- Go to the Findings page.
- Select your Google Cloud organization.
- In the Finding class section of the Quick filters panel, select Toxic combination or Chokepoint. The Findings query results panel updates to show only toxic combination or chokepoint findings.
- To sort the findings by severity, click the Toxic combination score or Attack Exposure Score column heading until the scores are in descending order.
- Click a finding category to open the finding details panel. Go to the Next steps section, and follow its guidance to help remediate the security issue.
Security Operations console
To remediate toxic combination and chokepoint findings in the Security Operations console, complete the following steps:
- Go to Risk > Findings: https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/security-command-center/findings
  Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.
- In the Aggregations section, expand Finding class, and then select Toxic combination and Chokepoint.
- Click the Attack exposure score column heading until the scores are in descending order.
- Click a finding category to open the finding details panel. Go to the Next steps section, and follow its guidance to help remediate the security issue.
Close toxic combination cases
You can close a case for a toxic combination by either remediating the underlying toxic combination, or by muting the related finding in the Google Cloud console.
Close a case by remediating a toxic combination
After you remediate the security issues that make up a toxic combination, and they no longer expose any resources in your high-value resource set, Risk Engine closes the case automatically during the next attack path simulation, which runs approximately every six hours.
Close a case by muting the finding
If the risk that is posed by the toxic combination is acceptable to your business or you can't remediate the toxic combination, you can close the case by muting the related finding.
To mute a toxic combination finding, follow these steps:
- In the Security Operations console, go to Cases: https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases
  Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.
- Locate and open the toxic combination or chokepoint case.
- Click the related alert tab.
- In the Finding summary widget, click Explore findings in SCC. The related finding opens.
- Use the Mute options on the finding details page to mute the finding.
You can also mute findings in the Google Cloud console. For more information, see Mute an individual finding.
View closed toxic combination cases
When a case in the Security Operations console is closed, Security Command Center removes it from the Cases page.
To view a closed toxic combination case, follow these steps:
- In the Security Operations console, go to the SOAR Search page: https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/sp-search
  Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.
- Expand the Status section, and then select Closed.
- Expand the Tags section, and then select Toxic combination.
- Click Apply. Closed toxic combination cases are displayed in the search results.