SOC Use Case Library
Document ID: DET-UC-001
Version: 1.0
Last Updated: 2026-04-26
Owner: SOC Lead / Detection Engineer
Purpose
Define a practical use case library for prioritizing, implementing, and measuring SOC detections. Use this document to decide which detections to build first, what telemetry is required, which playbook should handle the alert, and how to measure operational value.
Use Case Selection Flow
```mermaid
graph TD
A[Identify Business Risk] --> B[Map to Threat Scenario]
B --> C[Confirm Log Sources]
C --> D{Telemetry Ready?}
D -->|Yes| E[Select Sigma or YARA Rule]
D -->|No| F[Onboard Required Logs]
F --> C
E --> G[Map to Playbook]
G --> H[Test and Tune]
H --> I[Measure KPI and Review]
```
1. Use Case Tiers
| Tier | Maturity | Goal | Example Use Cases |
|------|----------|------|-------------------|
| Tier 1 | Foundational | Detect common attacks with high analyst confidence | Phishing, brute force, malware execution, suspicious PowerShell |
| Tier 2 | Operational | Detect attack progression across identity, endpoint, network, and cloud | Lateral movement, privilege escalation, impossible travel, data exfiltration |
| Tier 3 | Advanced | Detect low-signal, high-impact, or business-specific threats | Insider threat, supply chain compromise, AI abuse, cloud cryptojacking |
2. Foundational Use Cases
| Use Case | Primary Logs | Detection Rule | Playbook | KPI |
|----------|--------------|----------------|----------|-----|
| Phishing attachment or link execution | Email, endpoint process, DNS, proxy | proc_office_spawn_powershell.yml | PB-01 Phishing | Time from report to containment |
| Ransomware file activity | Endpoint, file audit, EDR telemetry | file_bulk_renaming_ransomware.yml | PB-02 Ransomware | Hosts isolated within SLA |
| Malware execution from user-writable paths | Endpoint process, file creation | proc_temp_folder_execution.yml | PB-03 Malware Infection | True positive rate |
| Multiple failed logins | Identity provider, Windows security logs, VPN | win_multiple_failed_logins.yml | PB-04 Brute Force | False positive rate |
| Suspicious script execution | Endpoint process, command line, script block logs | proc_powershell_encoded.yml | PB-11 Suspicious Script | Alert-to-triage time |
3. Operational Use Cases
| Use Case | Primary Logs | Detection Rule | Playbook | KPI |
|----------|--------------|----------------|----------|-----|
| Impossible travel or anomalous login | Identity provider, VPN, cloud audit | cloud_impossible_travel.yml | PB-06 Impossible Travel | Account containment time |
| Privilege escalation | Directory audit, admin group changes | win_domain_admin_group_add.yml | PB-07 Privilege Escalation | Unauthorized admin changes reversed |
| Data exfiltration | Proxy, firewall, DLP, file audit | net_large_upload.yml | PB-08 Data Exfiltration | Exfiltration volume confirmed |
| Lateral movement over admin shares | Windows security, endpoint, network flow | win_admin_share_access.yml | PB-12 Lateral Movement | Affected hosts identified |
| C2 beaconing | DNS, proxy, firewall, network flow | net_beaconing.yml | PB-13 C2 Communication | Beacon dwell time |
| Cloud storage exposure | Cloud audit, storage access logs | cloud_storage_public_access.yml | PB-27 Cloud Storage Exposure | Public exposure duration |
4. Advanced Use Cases
| Use Case | Primary Logs | Detection Rule | Playbook | KPI |
|----------|--------------|----------------|----------|-----|
| Insider data staging | File audit, DLP, proxy, HR risk signals | win_data_collection_staging.yml | PB-14 Insider Threat | Confirmed risk cases reviewed |
| Supply chain compromise | CI/CD, package manager, cloud audit | cloud_supply_chain_compromise.yml | PB-32 Supply Chain Attack | Affected dependencies identified |
| Cloud cryptojacking | Cloud billing, instance inventory, audit logs | cloud_cryptojacking.yml | PB-47 Cloud Cryptojacking | Cost spike contained |
| Deepfake social engineering | Email, collaboration, ticketing, financial workflow | net_deepfake_social.yml | PB-48 Deepfake Social Engineering | High-risk requests verified |
| AI prompt injection | Application logs, AI gateway logs, tool execution logs | ai_prompt_injection.yml | PB-51 AI Prompt Injection | Unsafe tool calls blocked |
| LLM data poisoning | Data pipeline, RAG index, model evaluation logs | ai_data_poisoning.yml | PB-52 LLM Data Poisoning | Poisoned records removed |
| AI model theft | API logs, repository audit, storage access logs | ai_model_theft.yml | PB-53 AI Model Theft | Unauthorized extraction stopped |
5. Intake Checklist
6. Prioritization Model
Score each candidate use case from 1 to 5.
| Factor | Question | Weight |
|--------|----------|--------|
| Business Impact | Would failure affect critical operations, regulated data, or executive risk? | 30% |
| Threat Likelihood | Is the threat common in the sector or current threat landscape? | 25% |
| Telemetry Readiness | Are the required logs available and reliable? | 20% |
| Response Readiness | Does a tested playbook and owner exist? | 15% |
| Tuning Cost | Can the team handle expected alert volume? | 10% |
Use cases scoring 4.0+ should be implemented first. Use cases below 3.0 should be deferred unless required by compliance, audit, or executive direction.
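The scoring model above, worked through as an added example (not part of the original document): the priority score is assumed to be the weighted average of the five factor scores using the weights in the table, the 4.0 and 3.0 thresholds are taken from the text, and the 3.0 to 3.99 band, which the document does not address, is labelled as a normal backlog item. The candidate use cases and their factor scores are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Factor weights from the prioritization table (30/25/20/15/10). They must sum to 1.0.
WEIGHTS: Dict[str, float] = {
    "business_impact": 0.30,
    "threat_likelihood": 0.25,
    "telemetry_readiness": 0.20,
    "response_readiness": 0.15,
    "tuning_cost": 0.10,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"

IMPLEMENT_THRESHOLD = 4.0  # "4.0+ should be implemented first"
DEFER_THRESHOLD = 3.0      # "below 3.0 should be deferred unless required"


def weighted_score(scores: Dict[str, int]) -> float:
    """Weighted priority score for one use case, rounded to two decimals.

    Rejects missing or extra factors and any score outside the 1 to 5 scale,
    so a typo in a scoring sheet cannot silently shift a use case's priority.
    """
    if set(scores) != set(WEIGHTS):
        raise ValueError(f"expected factors {sorted(WEIGHTS)}, got {sorted(scores)}")
    for factor, value in scores.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{factor}: score must be an integer from 1 to 5, got {value!r}")
    return round(sum(WEIGHTS[f] * v for f, v in scores.items()), 2)


def decision(score: float, mandated: bool = False) -> str:
    """Map a score to an action. 'mandated' is the compliance/audit/executive override."""
    if score >= IMPLEMENT_THRESHOLD:
        return "implement first"
    if score < DEFER_THRESHOLD:
        return "required (mandated)" if mandated else "defer"
    return "backlog"  # assumption: the 3.0 to 3.99 band is not defined by the document


def rank_candidates(candidates: Dict[str, Dict[str, int]],
                    mandated: Tuple[str, ...] = ()) -> List[Tuple[str, float, str]]:
    """Return (use case, score, decision) sorted from highest to lowest score."""
    ranked = [(name, weighted_score(s), decision(weighted_score(s), name in mandated))
              for name, s in candidates.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed factor scores for three use cases named in the library.
CANDIDATES = {
    "Multiple failed logins": dict(business_impact=4, threat_likelihood=5,
                                   telemetry_readiness=5, response_readiness=4, tuning_cost=3),
    "Impossible travel or anomalous login": dict(business_impact=3, threat_likelihood=4,
                                                 telemetry_readiness=4, response_readiness=3,
                                                 tuning_cost=2),
    "LLM data poisoning": dict(business_impact=4, threat_likelihood=2,
                               telemetry_readiness=1, response_readiness=2, tuning_cost=3),
}

if __name__ == "__main__":
    for name, score, action in rank_candidates(CANDIDATES):
        print(f"{score:4.2f}  {action:18}  {name}")
```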
7. Review Cadence
| Cadence | Activity | Owner |
|---------|----------|-------|
| Weekly | Review noisy alerts and false positives | Detection Engineer |
| Monthly | Compare use cases against incident trends and threat intelligence | SOC Lead |
| Quarterly | Update MITRE coverage, retired rules, and control mappings | SOC Manager |
| Annually | Re-score all use cases against business risk | CISO / Risk Owner |