WEEK_4 · DAY_22 · 1 HOUR
Use Case Engineering
From threat hypothesis to production correlation search
Learning Objectives
- Translate a threat hypothesis into a use case
- Document data sources, logic, false positive scenarios, and response
- Build, test, tune, and ship
- Track the use case lifecycle (proposed → shadow → production → tuning → retired)
Module 1 — Use Case Template
Name. Threat. ATT&CK. Data sources. Logic (SPL). False positive scenarios. Response (runbook). Owner. Status.
Module 2 — Lifecycle
Proposed → Drafted → Tested (shadow mode) → Production → Tuning → Retired.
Detection-as-code: store use cases in Git, deploy via CI/CD.
Module 3 — False Positive Discipline
Always document FP scenarios upfront. Without it, alerts get muted and detection coverage rots.
SPL Queries
Scheduled task persistence
index=sysmon EventCode=1 Image="*\\schtasks.exe" CommandLine="*/create*" CommandLine!="*\\Windows\\System32\\*" | stats count by Computer, User, CommandLine
T1053.005. The search keeps process creations of schtasks.exe that carry a /create switch and drops command lines containing Windows\System32 to cut noise from OS-managed tasks. Two caveats: the exclusion also hides tasks whose action is a System32 LOLBin (cmd.exe, powershell.exe, rundll32.exe), so record that blind spot in the tuning plan; and a task created outside System32 is a persistence indicator to triage, not proof of compromise, so the FP list (installers, updaters, admin tooling) must be written before the search is scheduled.
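The following is an added example, not the course's own tooling or SPL: it expresses the Module 1 template as a record, restates the search above as a Python filter, and runs it over constructed Sysmon EventCode=1 events so the documented false-positive suppression and the shadow/production gate from Module 2 can be exercised offline. Field names follow Sysmon (Computer, User, Image, CommandLine); the use case content, host names, user names and the Contoso updater path are hypothetical.

```python
"""Detection-as-code view of the schtasks persistence use case.

Added example for this page, not the course's own tooling. Field names follow
Sysmon (Computer, User, Image, CommandLine); the use-case content, hosts,
users and the Contoso updater path are hypothetical.
"""
from collections import Counter
from fnmatch import fnmatchcase


def like(value, pattern):
    """Splunk-style wildcard match: '*' globs, comparison is case-insensitive."""
    return fnmatchcase(str(value).lower(), pattern.lower())


# Use case record in the Module 1 template shape (hypothetical content).
USE_CASE = {
    "name": "Scheduled task persistence via schtasks.exe",
    "threat": "Adversary creates a scheduled task to survive reboot or logoff",
    "attack": "T1053.005",
    "data_sources": ["sysmon EventCode=1 (process creation)"],
    # Module 3: FP scenarios documented upfront, as (field, wildcard) pairs.
    "false_positives": [
        ("CommandLine", "*\\Program Files\\Contoso Updater\\*"),  # assumed vendor updater
    ],
    "response": "runbook: pull task XML, check /TR target hash, isolate host if unknown",
    "owner": "detection-engineering",
    "status": "shadow",  # proposed -> drafted -> shadow -> production -> tuning -> retired
}


def matches(event):
    """Equivalent of the SPL search's filter clauses."""
    return (
        event.get("EventCode") == 1
        and like(event.get("Image", ""), "*\\schtasks.exe")
        and like(event.get("CommandLine", ""), "*/create*")
        # Same exclusion as the SPL. It also drops tasks whose action is a
        # System32 LOLBin (cmd.exe, powershell.exe): a tuning trade-off.
        and not like(event.get("CommandLine", ""), "*\\Windows\\System32\\*")
    )


def suppressed(event, use_case):
    """True when the event matches a documented false-positive scenario."""
    return any(like(event.get(field, ""), pat) for field, pat in use_case["false_positives"])


def run_use_case(use_case, events):
    """Return (stats, notables).

    stats mirrors `stats count by Computer, User, CommandLine`; notables are
    raised only once the use case is in production, so a shadow-mode run
    produces review data but never pages anyone.
    """
    hits = [e for e in events if matches(e) and not suppressed(e, use_case)]
    stats = Counter((e["Computer"], e["User"], e["CommandLine"]) for e in hits)
    notables = list(stats) if use_case["status"] == "production" else []
    return stats, notables


SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
PERSIST = 'schtasks /Create /SC ONLOGON /TN Updater /TR "C:\\Users\\Public\\u.exe"'

# Constructed Sysmon process-creation events (not real telemetry).
EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\jdoe", "Image": SCHTASKS, "CommandLine": PERSIST},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\jdoe", "Image": SCHTASKS, "CommandLine": PERSIST},
    # Documented FP: vendor updater registering its own task as SYSTEM.
    {"EventCode": 1, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Image": SCHTASKS,
     "CommandLine": 'schtasks /create /tn ContosoUpdate /tr "C:\\Program Files\\Contoso Updater\\upd.exe"'},
    # Suspicious, but excluded by the System32 filter: a blind spot to record in the tuning plan.
    {"EventCode": 1, "Computer": "WS03", "User": "CORP\\admin", "Image": SCHTASKS,
     "CommandLine": 'schtasks /create /tn Svc /tr "C:\\Windows\\System32\\cmd.exe /c calc.exe"'},
    # Not a creation.
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\jdoe", "Image": SCHTASKS,
     "CommandLine": "schtasks /query /tn Updater"},
]

if __name__ == "__main__":
    stats, notables = run_use_case(USE_CASE, EVENTS)
    for (computer, user, cmd), count in stats.items():
        print(f"{count:>3}  {computer}  {user}  {cmd}")
    print("notables raised:", len(notables), f"(status={USE_CASE['status']})")
```

Running it yields one grouped row (WS01, CORP\jdoe, the /Create command, count 2) and zero notables while the status is shadow; flipping status to production turns that same row into a notable. The fourth event never reaches stats, which is exactly the System32 blind spot the tuning plan should name.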
Lab 22 — Author a Use Case
- Pick a threat: 'Adversary uses scheduled tasks for persistence (T1053.005)'.
- Fill the template: data sources, logic (use SPL above), FP list, response.
- Build and schedule the search; run it in shadow mode (notable creation disabled) for a week and review the results daily against the FP list.
- Document tuning plan.
Key Takeaways
- ✓Use cases are the unit of SOC delivery
- ✓Document FPs upfront or detection coverage rots
- ✓Shadow mode before production — always