This page provides instructions for identifying and responding to toxic combinations by using cases and findings.
Before you begin
To ensure that the detection of toxic combinations is accurate, ensure that the security operations component software is up to date, your high-value resource set is designated accurately, and that you have the proper IAM permissions.
Obtain the required permissions
To work with toxic combination findings and cases across both the Google Cloud console and the Security Operations console you need permissions granted to you in both consoles.
Google Cloud console IAM roles
Make sure that you have the following role or roles on the organization:
-
Security Center Admin Viewer
(
roles/securitycenter.adminViewer
), to view assets, findings, and attack paths in Security Command Center. -
Security Center Assets Viewer
(
roles/securitycenter.assetsViewer
), to view only resources. -
Security Center Attack Paths Reader
(
roles/securitycenter.attackPathsViewer
), to view only attack paths. -
Security Center Findings Editor
(
roles/securitycenter.findingsEditor
), to view, mute, and edit findings. -
Security Center Findings Mute Setter
(
roles/securitycenter.findingsMuteSetter
), to mute findings only. -
Security Center Findings Viewer
(
roles/securitycenter.findingsViewer
), to view only findings.
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
For more information about Security Command Center roles and permissions, see IAM for organization-level activations.
Security Operations console roles
To work with toxic combination findings and cases in the Security Operations console, you need any one of the following roles:
- Chronicle SOAR Vulnerability Manager
- Chronicle SOAR Threat Manager
- Chronicle SOAR Admin
For information about granting the role to a user, see Map and authorize users using IAM.
Install the latest security operations use case
The toxic combination feature requires the June 25, 2024 or later release of the SCC Enterprise – Cloud Orchestration and Remediation use case.
For information about installing the use case, see Update Enterprise use case, June 2024.
Specify your high-value resource set
You don't need to enable the detection of toxic combinations—it's always on. Risk Engine automatically detects toxic combinations that expose a default high-value resource set.
Toxic combination findings generated based on the default high-value resource set are unlikely to accurately reflect your security priorities. Therefore, we recommend that you specify the resources in your high-value resource set.
To specify which resources are part of your high-value resource set, you create resource value configurations in the Google Cloud console. For instructions, see Define and manage your high-value resource set.
View toxic combination cases
You can see an overview of all of the toxic combination cases and see the details of each case in the Security Operations console.
View an overview of all toxic combination cases
On the Posture Overview page, several widgets provide you with a quick overview of the toxic combination cases in your Google Cloud and Amazon Web Services (AWS) (Preview) cloud environments. You can find the following information:
All Open Posture Cases or Open Toxic Combination Cases: To view open toxic combination cases, select Toxic Combinations from the selector. The widget displays the number of open toxic combination cases at each priority level. Click the bar for a given priority to open a list view of the cases.
Toxic Combination Cases TTR and Trend: The trends for open and closed toxic combination cases for a specific time range. Hold the pointer over the trend lines to see the specific number of open and closed cases for a given data point in the time range. This widget also provides a time to remediation (TTR) value that indicates the average amount of time taken to resolve a toxic combination case based on the given time range.
Top Toxic Combination cases: The top toxic combination cases sorted by attack exposure score. Click the case ID to open a case.
Toxic Combination cases exceeding SLA: The toxic combination cases sorted by the time left in their service level agreement (SLA). Click the case ID to open a case.
You can find the Posture Overview page at the following URL:
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/overview
Replace CUSTOMER_SUBDOMAIN
with your customer-specific
identifier.
View the details of a toxic combination case
In any list view of toxic combination cases, you can open the case details by clicking the ID of the case.
In Security Operations console, go to Cases.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier.The Cases page opens with the Side-by-Side view selected.
In the list of cases, click Cases filter to open the filter panel. The Case queue filter panel opens.
In the Case queue filter, specify the following:
- In the Time frame field, specify time period in which the case is active.
- Set Logical operator to AND.
- For the first value in the Logical operator section, select Tags from the menu.
- For the second value, select Toxic combination.
- Specify other value pairs as needed to find the particular case that you need to see.
- Click Apply. The cases in the case queue are updated to show only the cases that match the filter you specified.
From the case queue, select the case you need to see. The case information displays, including the following tabbed views:
- Case overview tab (): provides information about the toxic combination case, including a simplified attack path diagram, a list of related findings, a list of impacted resources, a list of similar cases, alerts, an entities graph, and more.
- Case wall tab (): contains a record of actions, status changes, tasks, comments, and more.
Related alert tab: provides more detailed information about the related individual findings. Information is displayed in the following tabs:
- Overview: a description of the individual finding and next steps that you can take to remediate it.
- Events: a listing of finding properties.
- Playbooks: a listing of associated playbooks.
Prioritize toxic combination cases
By default, toxic combinations are classified as critical severity findings and critical priority cases. Therefore, they should be prioritized over the remediation of cases for other posture finding categories. Toxic combinations represent a complete path that, if a determined attacker were to gain access to your cloud environment, the attacker could reasonably follow from the public internet to one or more resources in your high-value resource set.
Compare the toxic combination scores on the Findings page of the Google Cloud console to help you prioritize between toxic combination cases. In the Security Operations console, you can see the toxic combination cases that have the highest attack exposure scores in the Top Toxic Combination cases widget on the Overview page in Posture.
You can sort all toxic combination cases by attack exposure score on the Cases page. For more information about viewing, filtering, and sorting toxic combination cases, see View toxic combination cases.
Remediate a toxic combination
You can find guidance for remediating a toxic combination finding in the case that is opened for the finding in the Security Operations console, or in the finding record itself.
View remediation guidance in a case
To view remediation guidance in a toxic combination case, follow these steps:
Go to the Cases page in the Security Operations console.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier.Open the case for the toxic combination that you need to remediate.
Click either the Case tab or the Alert tab.
Review the Next steps section in one of the following widgets:
- If you clicked the Case tab, the Case summary widget.
- If you clicked the Alert tab, the Finding summary widget.
If necessary, scroll past the Finding description to see the Next steps.
View remediation guidance in a toxic combination finding
To view the remediation guidance in a finding record, follow these steps:
In the Security Operations console, go to Posture > Findings.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier.Find the toxic combination finding by either selecting Quick Filters or editing the finding query.
Click the finding category name to open the finding details. The finding details page opens.
On the finding details page in the Next steps section of the Summary tab, review the remediation guidance.
Review the findings in a toxic combination case
Usually, a toxic combination includes one or more findings of a software vulnerability or a misconfiguration. For each of these findings, Security Command Center automatically opens a separate case and runs the associated playbooks. You can review the cases for these findings, and ask the ticket owners to prioritize their remediation to resolve the toxic combination.
To review the findings in a toxic combination, follow these steps:
In Security Operations console, go to Cases.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier.Locate and open the toxic combination case.
Select the case overview tab ():
In the Findings section of the case overview tab, review the listed findings.
Click a finding to display summary information about the finding, include the case ID, the attack exposure score, and any ticket ID for the finding.
- Click the case ID of the finding to open the case and view its status, assigned owner, and other case information.
- Click the attack exposure score to review the attack path for the finding.
- Click the ticket ID to open the ticket for the finding.
Close a toxic combination case
You can close a case for a toxic combination by either remediating the underlying toxic combination or by muting the toxic combination finding in the Google Cloud console.
Close a case by remediating a toxic combination
After you remediate one or more of the security issues that make up a toxic combination, so that it no longer exposes any resources in your high-value resource set, Risk Engine closes the toxic combination case automatically during the next attack path simulation, which runs every six hours, approximately.
To remediate a toxic combination, follow the guidance provided in the toxic combination case in Next steps.
For more information, see How to remediate a toxic combination.
Close a case by muting the finding
If the risk that is posed by the toxic combination is acceptable to your business or you can't remediate the toxic combination, you can close the case by muting the toxic combination finding.
To mute a toxic combination finding, follow these steps:
In Security Operations console, go to Cases.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/cases
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier.Locate and open the toxic combination case.
Click the related alert tab.
In the Finding summary widget, click Explore findings in SCC. The toxic combination finding opens.
Use the Mute options on the finding details page to mute the finding.
You can also mute findings in the Google Cloud console. For more information, see Mute an individual finding.
Viewing closed toxic combination cases
When a case in the Security Operations console is closed, Security Command Center removes it from the Cases page.
To view a closed toxic combination case, follow these steps:
In Security Operations console, go to the SOAR Search page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/sp-search
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier.Expand the Status section, and then select Closed.
Expand the Tags section, and then select Toxic combination.
Click Apply. Any closed toxic combination cases are displayed in the search results.
View toxic combination findings
A toxic combination finding is the initial record that Risk Engine issues when it detects a toxic combination in your cloud environment. Security Command Center automatically opens a case for each toxic combination finding that Risk Engine issues.
You can view toxic combination findings directly in the Google Cloud console on either the Risk overview page or on the Findings page.
On the Risk overview page, the toxic combination findings that have the highest attack exposure scores are displayed. Each finding is listed with a link to its corresponding case in the Security Operations console.
To view toxic combination findings, follow these steps:
In the Google Cloud console, go to the Security Command Center Findings page.
If necessary, select your Google Cloud organization.
In the Finding class section of the Quick filters panel, select Toxic combination. The Findings query results panel updates to show only toxic combination findings.
To prioritize the toxic combination findings, sort the findings in descending order by score, by clicking the Toxic combination score column heading.