
SIEM Use Case Library

Pre-Built Detection Rules & MITRE ATT&CK Mapping

Overview

Your SIEM is only as good as the detection rules running on it. This use case library provides pre-built detection use cases organized by MITRE ATT&CK tactic, complete with the log sources needed, correlation logic, suggested severity, and tuning recommendations. Use it to accelerate your detection coverage, identify gaps, and build a systematic approach to detection engineering.

Use Case Categories

  • Authentication anomalies: brute force, credential stuffing, impossible travel
  • Privilege escalation: unauthorized admin actions, privilege abuse, role manipulation
  • Lateral movement: unusual RDP, PsExec, WMI, or SSH activity between hosts
  • Data exfiltration: large outbound transfers, cloud upload anomalies, DNS tunneling
  • Malware indicators: known malicious hashes, C2 communication patterns, beacon detection
  • Persistence mechanisms: new scheduled tasks, registry autorun modifications, service installation
  • Cloud security: IAM policy changes, public bucket exposure, unauthorized API calls
  • Insider threat: mass file access, off-hours data movement, account sharing indicators

Use Case Template

Field: Description

  • Use case ID: Unique identifier for tracking and reference
  • Name: Descriptive name of the detection
  • Description: What the rule detects and why it matters
  • MITRE ATT&CK mapping: Tactic, technique, and sub-technique IDs
  • Log sources: Required data sources for the rule to function
  • Correlation logic: Query or rule logic in pseudo-code or SIEM syntax
  • Severity: Critical, High, Medium, or Low
  • False positive scenarios: Known benign behaviors that may trigger the rule
  • Tuning recommendations: Allowlists, thresholds, and timing adjustments
  • Response playbook: Link to the corresponding incident response procedure

Building Detection Coverage

Map your current detection rules against the MITRE ATT&CK matrix to identify coverage gaps. Focus first on the techniques most commonly used in real-world attacks against your industry. The ATT&CK Navigator tool lets you visualize which techniques you can detect and where you have blind spots. Prioritize detections for techniques in the initial access, execution, persistence, and credential access tactics, since these represent the early stages of an attack where detection has the most value.

Tuning for Effectiveness

A detection rule with a 90% false positive rate is worse than useless because it trains analysts to ignore it. After deploying each use case, monitor the false positive rate for two weeks. Build allowlists for known-good behaviors: scheduled tasks from your deployment tools, legitimate large file transfers between backup servers, admin activity from approved jump hosts. Adjust thresholds based on your environment: a rule that fires on 5 failed login attempts might be too noisy at a company with 10,000 employees. Document every tuning change so future analysts understand why the rule looks the way it does.
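The following is an added example, not part of the original guide or of any Hunto AI product: one authentication-anomaly use case written out with the template fields above, with the tuning knobs the paragraph describes (a failure threshold, a sliding time window, and an allowlist) applied to constructed sshd log lines. The use case ID, ATT&CK IDs, IP addresses and threshold are constructed values chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One entry in the library, keyed by the template fields (constructed values).
USE_CASE = {
    "id": "UC-AUTH-001",
    "mitre": ["TA0006 Credential Access", "T1110 Brute Force"],
    "severity": "Medium",
    "threshold": 3,                  # failures per source IP inside the window
    "window": timedelta(minutes=5),  # sliding time window
    "allowlist": {"10.0.0.5"},       # constructed: authorised vulnerability scanner
}
# Constructed sample auth log lines, not taken from any real system.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z sshd[101]: Failed password for root from 203.0.113.7
2024-03-01T08:00:09Z sshd[101]: Failed password for root from 203.0.113.7
2024-03-01T08:00:20Z sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T08:00:30Z sshd[102]: Failed password for svc from 10.0.0.5
2024-03-01T08:00:31Z sshd[102]: Failed password for svc from 10.0.0.5
2024-03-01T08:00:32Z sshd[102]: Failed password for svc from 10.0.0.5
2024-03-01T08:05:00Z sshd[103]: Failed password for bob from 192.0.2.44
2024-03-01T08:20:00Z sshd[103]: Failed password for bob from 192.0.2.44
2024-03-01T08:35:00Z sshd[103]: Failed password for bob from 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)$")

def parse(text):  # yield (timestamp, user, source_ip) per failed-logon line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1].replace("Z", "+00:00")), m[2], m[3]

def detect(text, use_case=USE_CASE):
    """Return [(source_ip, failures_in_window)] for sources that breach the threshold."""
    by_src = defaultdict(list)
    for ts, _user, src in parse(text):
        if src in use_case["allowlist"]:      # tuning: known-good sources never alert
            continue
        by_src[src].append(ts)
    alerts = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):     # sliding window over sorted timestamps
            while ts - stamps[start] > use_case["window"]:
                start += 1
            if end - start + 1 >= use_case["threshold"]:
                alerts.append((src, end - start + 1))
                break
    return alerts
```

With the sample data only 203.0.113.7 alerts: the scanner is allowlisted, and 192.0.2.44 never accumulates three failures inside a single five-minute window, which is the difference between a threshold and a rate.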

Metrics and Maturity

  • Track total use case count and map to ATT&CK coverage percentage
  • Measure mean time from use case creation to production deployment
  • Monitor true positive rate per use case to identify high-value detections
  • Track false positive rate and time spent on tuning per rule
  • Review which use cases have never fired and assess whether the data source is missing or the threshold is wrong
  • Set quarterly goals for new use case development aligned with threat intelligence priorities

Frequently Asked Questions

How many SIEM use cases does a mature SOC need?

There is no magic number, but most mature SOCs run 200 to 400 active use cases. Quality matters more than quantity. A well-tuned use case that fires accurately is far more valuable than 50 noisy rules that analysts ignore.

Should we buy vendor-provided use cases or build custom ones?

Start with vendor-provided content packs and industry-standard detections such as Sigma rules. Then customize them for your environment and build custom rules for organization-specific threats. A mix of both is ideal.

How do we handle use cases that require log sources we do not have yet?

Document the use case and identify it as blocked by a log source gap. Use this as evidence in business cases for new data source onboarding. Prioritize log source investments based on the number of high-value use cases they would enable.

What is the Sigma rule format?

Sigma is a vendor-agnostic detection rule format that can be converted to queries for most major SIEM platforms. Writing rules in Sigma allows you to share detections across teams and tools without rewriting them for each platform.

How do we measure detection effectiveness?

Run purple team exercises where the red team executes known techniques and evaluate whether your use cases detect them. Track the detection rate by ATT&CK technique. This tells you not just how many rules you have but whether they actually work.

© 2026 Hunto AI. Copyright. All Rights Reserved