Stay organized with collections
Save and categorize content based on your preferences.
The Enterprise tier of Security Command Center lets you apply curated detection rules,
detect threats on other cloud platforms, and use cases to manage your
investigations.
The curated rules enable you to identify patterns in Google Cloud, AWS, and Azure data.
These features extend Security Command Center Enterprise threat detection to let you
identify more threat patterns in additional cloud environments.
See Overview of Cloud Threats Category
for information about available curated detections for AWS data and the required data for each rule set.
For information about how to ingest data required by these rule sets, see the following:
If you purchased Mandiant Threat Defense as an add-on to Security Command Center Enterprise tier,
Mandiant will provision access to the Mandiant documentation
portal where you can find onboarding steps in the
Getting Started Guide for Mandiant Threat Defense for Google Security Operations.
If you have not purchased Mandiant Threat Defense and are interested in learning more
about this offering, see Mandiant Threat Defense
or contact your account team.
If you are working with AWS data, do the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Investigate threats with curated detections\n\n| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nThe Enterprise tier of Security Command Center lets you apply curated detection rules,\ndetect threats on other cloud platforms, and use cases to manage your\ninvestigations.\n\nThe curated rules enable you to identify patterns in Google Cloud, AWS, and Azure data.\nThese features extend Security Command Center Enterprise threat detection to let you\nidentify more threat patterns in additional cloud environments.\n\nFor general information about how to use curated detections, see\n[Getting started with curated detections](/chronicle/docs/detection/use-curated-detections).\n\nCurated detections for AWS data\n-------------------------------\n\nSee [Overview of Cloud Threats Category](/chronicle/docs/detection/cloud-threats-category)\nfor information about available curated detections for AWS data and the required data for each rule set.\nFor information about how to ingest data required by these rule sets, see the following:\n\n- [Ingest AWS data](/chronicle/docs/ingestion/ingest-aws-logs-into-chronicle)\n- Google Cloud data: You configured the Google Cloud data ingestion during the [Security Command Center Enterprise tier activation process](/security-command-center/docs/activate-enterprise-tier). To change the configuration of Google Cloud data ingestion, see [Ingest Google Cloud data](/chronicle/docs/ingestion/cloud/ingest-gcp-logs).\n\nCurated detections for Microsoft Azure data\n-------------------------------------------\n\n|\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nSee [Curated detections for Microsoft Azure and Microsoft Entra ID data](/chronicle/docs/detection/cloud-threats-category#azure-curated-detections)\nfor information about available rule sets and the required Azure data.\n\nFor information about how to ingest Azure and Microsoft Entra ID data required by these rule sets, see the following:\n\n- [Supported devices and required log types](/chronicle/docs/detection/cloud-threats-category#azure-supported-devices).\n- [Ingest Azure and Microsoft Entra ID data](/chronicle/docs/detection/cloud-threats-category#ingest-azure).\n\nWhat's next\n-----------\n\n- If you purchased Mandiant Threat Defense as an add-on to Security Command Center Enterprise tier,\n Mandiant will provision access to the Mandiant documentation\n portal where you can find onboarding steps in the\n [Getting Started Guide for Mandiant Threat Defense for Google Security Operations](https://docs.mandiant.com/mh-hunt-getting-started).\n If you have not purchased Mandiant Threat Defense and are interested in learning more\n about this offering, see [Mandiant Threat Defense](/security/products/mandiant-managed-threat-hunting)\n or contact your account team.\n\n- If you are working with AWS data, do the following:\n\n - Review the rule sets for AWS data in the [Cloud Threats category](/chronicle/docs/detection/cloud-threats-category).\n - [Ingest AWS data](/chronicle/docs/ingestion/ingest-aws-logs-into-chronicle) to the Google Security Operations component.\n- If you are working with Microsoft Azure and Microsoft Entra ID data, do the following:\n\n - Review the [Curated detections for Azure data](/chronicle/docs/detection/cloud-threats-category#azure-curated-detections).\n - Ingest [Azure and Microsoft Entra ID data](/chronicle/docs/detection/cloud-threats-category#ingest-azure) to the Google Security Operations component."]]
