Vendors Google Cloud Platform Security Command Center SCC Toxic Combination Findings

SCC Toxic Combination Findings

Attack path combinations

Toxic combination findings from Google Cloud Security Command Center Security Graph, identifying groups of security issues that together create attack paths to high-value resources.

attack-path toxic-combination risk-assessment security-graph gcp

JSON Format 7 Fields Low Frequency Generator

Preview Sample View Schema

Overview

Toxic combination findings identify groups of security issues that, when they occur together, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.

When Generated:

Service account with Owner role has public IP access
Bucket with public read access contains sensitive data classification
Compute instance with external IP has overly permissive firewall rules
IAM binding grants multiple high-privilege roles to same principal
Network allows unrestricted egress with sensitive data access

Security Relevance:

Critical

Compliance:

NIST 800-53 (AC-3, SC-7) ISO 27001 (A.9.1.2, A.13.1.1) CIS GCP Foundation 2.0 SOC 2 (CC6.1)

Frequency Notes:

Toxic combination findings are generated by Security Graph analysis when multiple security issues combine to create attack paths. Frequency is lower than individual findings but represents higher risk scenarios. These findings require immediate attention as they indicate exploitable attack paths.

Resources

Documentation

Finding Classes - Toxic Combination official
Toxic Combinations and Chokepoints Overview official
Security Graph official

Generation Configuration

Base Frequency: 5 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.2x

Night Hours Multiplier: 0.9x

Weekend Multiplier: 0.7x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
name Source: Constructed with 'toxic-' prefix	String	Required	`organizations/{org_id}/sources/{source_id}/locations/global/findings/toxic-{finding_id}`	Full resource name of the toxic combination finding	`organizations/123456789/sources/9732761411165682985/locations/global/findings/toxic-abc123...`	—
category	String	Required	—	Toxic combination category	`TOXIC_IAM_COMBINATION`	`TOXIC_IAM_COMBINATION` — IAM permissions combine to create attack path `TOXIC_NETWORK_COMBINATION` — Network configurations combine to create attack path `TOXIC_STORAGE_COMBINATION` — Storage configurations combine to create attack path `TOXIC_COMPUTE_COMBINATION` — Compute configurations combine to create attack path
sourceProperties.toxicCombination Source: Object with description, combinationType, riskScore, components, and remediationGuidance	Object	Required	—	Toxic combination details	—	—
sourceProperties.toxicCombination.components Source: Array of component objects with type, resource, and finding references	Array	Required	—	Array of security issues that combine to create the attack path	—	—
sourceProperties.toxicCombination.riskScore Source: random_choice([7, 8, 9, 10])	Integer	Required	—	Risk score for the toxic combination (0-10)	`9`	—
severity Source: random_weighted favoring HIGH (50%)	String	Required	—	Toxic combination severity level	`CRITICAL`	`CRITICAL` — Critical toxic combination `HIGH` — High severity toxic combination `MEDIUM` — Medium severity toxic combination
findingClass Source: Static 'TOXIC_COMBINATION'	String	Required	—	Finding class identifier	`TOXIC_COMBINATION`	—

Details

Fields

Low

Frequency

Feedback

No ratings yet