Use Cases

A Use Case groups one or more Security Assets around a common goal: a threat scenario, an attack technique, a compliance requirement, or an internal operational objective. It is where detection engineers document the why, how, and what to do of a detection, and where the team discusses it.

A Use Case can span multiple instances and multiple Security Asset types.

Create a Use Case

  1. Open the workspace.
  2. Go to Factory > Use Cases.
  3. Click the + button on the top right of the list.
  4. Enter a title for the Use Case.
  5. Select a template to start from, or pick No template for a blank Use Case.
  6. Click Create.

The new Use Case opens on its detail view. Description, MITRE ATT&CK mapping, labels, and linked Security Assets are added from there.

Documentation

The main panel of a Use Case is a free-form Documentation editor. It uses the Editor and supports headings, lists, tables, code blocks, images, file attachments, and markdown paste. Use it to capture the detection's intent, scope, false positives, validation steps, and response runbook.

Changes are saved automatically.

The Related Security Assets card is where a Use Case is tied to the actual detection content that implements it. Each row shows one linked Security Asset: the integration it lives on, the asset type, the title, its lifecycle status, and any labels attached to it.

The Use Case header rolls these rows up into an at-a-glance summary: N assets, followed by counters for active, inactive, and orphaned assets whenever any exist. Use the counters to spot Use Cases whose detection content is no longer in production.

Many-to-many by design

A Use Case can link any number of Security Assets, across any combination of types and integrations (for example, an EDR rule on one instance and a SIEM query on another). Conversely, a Security Asset can belong to zero, one, or several Use Cases at the same time. The two concepts are deliberately independent, so the same piece of detection content can support several distinct goals.

To link a Security Asset:

  1. Open the Use Case.
  2. In the Related Security Assets card, click Add.
  3. Select one or more Security Assets from the workspace.
  4. Click Save.

To remove the link, use the row action menu and choose Remove. The Security Asset itself is not deleted; it stays in the workspace and can be linked to other Use Cases.

MITRE ATT&CK mapping

A Use Case can be mapped to any combination of MITRE ATT&CK objects: tactics, techniques, sub-techniques, detection strategies, analytics, and data components. The mapping captures the intent of the Use Case: the parts of the framework you want this scenario to cover, at whatever level of granularity makes sense for the team.

The mapping is set from the right-hand properties panel:

  1. Open the Use Case.
  2. In the properties panel, find the MITRE ATT&CK section.
  3. Click the pencil icon to open the mapping drawer.
  4. Select the MITRE ATT&CK objects relevant to the Use Case.
  5. Close the drawer to save.

Coverage: intent versus reality

The Coverage card is where the Use Case meets reality. It contrasts what the Use Case declares it covers with what the linked Security Assets actually cover, and classifies every MITRE object on the page into three states:

  • Covered (green): the object is declared on the Use Case and at least one linked Security Asset also targets it. Intent and detection are aligned.
  • Gap (red): the object is declared on the Use Case but no linked Security Asset targets it. The scenario claims this technique, yet nothing in the workspace is wired to catch it.
  • Undeclared (blue): the object appears on a linked Security Asset but was never declared on the Use Case. The detection exists, but the scenario does not officially own it.

The Gap count is the single most important signal on the page. A non-zero gap means the Use Case is, at best, partially implemented. Closing a gap means either linking (or building) a Security Asset that targets the missing technique, or revising the Use Case to drop a technique that is out of scope.
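The header roll-up and the three Coverage states above are both plain set arithmetic over the Use Case's declared MITRE objects and the objects its linked Security Assets target. The following Python is an added illustration, not the product's own code or schema: the data model (SecurityAsset, UseCase, the three lifecycle status strings) and the sample Use Case are constructed assumptions, and the MITRE IDs used are ordinary public ATT&CK identifiers chosen for the sample.

```python
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical minimal model; the product's real schema is not shown on the page.
LIFECYCLE_STATES = ("active", "inactive", "orphaned")


@dataclass(frozen=True)
class SecurityAsset:
    title: str
    integration: str          # the instance the asset lives on, e.g. "edr-prod"
    asset_type: str           # e.g. "EDR rule", "SIEM query"
    status: str               # one of LIFECYCLE_STATES
    mitre_objects: frozenset  # MITRE ATT&CK IDs this asset targets

    def __post_init__(self):
        if self.status not in LIFECYCLE_STATES:
            raise ValueError(f"unknown lifecycle status: {self.status!r}")


@dataclass
class UseCase:
    title: str
    declared: frozenset                 # MITRE ATT&CK IDs declared as intent
    assets: list = field(default_factory=list)


def actual_coverage(use_case):
    """Union of everything the linked Security Assets actually target."""
    return frozenset().union(*(a.mitre_objects for a in use_case.assets))


def coverage(use_case):
    """Classify every MITRE object on the page into the three Coverage states."""
    declared = use_case.declared
    actual = actual_coverage(use_case)
    return {
        "covered": declared & actual,     # declared, and at least one asset targets it
        "gap": declared - actual,         # declared, but nothing is wired to catch it
        "undeclared": actual - declared,  # an asset targets it, the Use Case never claimed it
    }


def gap_count(use_case):
    """The headline signal: non-zero means the Use Case is at best partially implemented."""
    return len(coverage(use_case)["gap"])


def asset_counters(use_case):
    """Header roll-up: total, plus a per-status counter only when it is non-zero."""
    by_status = Counter(a.status for a in use_case.assets)
    counters = {"total": len(use_case.assets)}
    for state in LIFECYCLE_STATES:
        if by_status[state]:
            counters[state] = by_status[state]
    return counters


def header_summary(use_case):
    """Render the roll-up as 'N assets, X active, Y orphaned' (format is assumed)."""
    c = asset_counters(use_case)
    parts = [f"{c['total']} assets"] + [f"{c[s]} {s}" for s in LIFECYCLE_STATES if s in c]
    return ", ".join(parts)


def build_sample_use_case():
    """Constructed sample data: one EDR rule and one SIEM query on different instances."""
    edr_rule = SecurityAsset("LSASS handle access", "edr-prod", "EDR rule",
                             "active", frozenset({"T1003.001"}))
    siem_query = SecurityAsset("Suspicious credential access", "siem-eu", "SIEM query",
                               "orphaned", frozenset({"T1003.001", "T1558.003"}))
    return UseCase("Credential dumping via LSASS",
                   frozenset({"TA0006", "T1003", "T1003.001"}),
                   [edr_rule, siem_query])


if __name__ == "__main__":
    uc = build_sample_use_case()
    print(header_summary(uc))
    for state, objs in coverage(uc).items():
        print(f"{state:>10}: {sorted(objs)}")
    print("gap count:", gap_count(uc))
```

In the sample, T1003.001 is covered, the tactic TA0006 and the parent technique T1003 are gaps (declared but targeted by no asset), and T1558.003 is undeclared (the SIEM query targets it, the Use Case never claimed it). Note that the orphaned query still counts towards coverage here, because the page defines coverage purely in terms of linked assets; a team that wants only in-production assets to count would filter on status before taking the union.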

Labels

Labels organize Use Cases by topic, owner, or any other axis defined for the workspace. From the right-hand properties panel, open the Labels section, click +, and select one or more labels. Labels are defined under Settings > Labels (see Labels).

Activity

Every Use Case has an Activity card at the bottom of the detail view. It combines two streams:

  • Events: a chronological log of changes (description edited, Security Asset linked, MITRE mapping updated, label added, and so on), grouped to keep the timeline readable.
  • Comments: a threaded discussion where team members can reply, react with emoji, mention other members, and attach files.

Use the Activity card to capture decisions, ask questions, and keep the context next to the detection itself.

Delete a Use Case

  1. Go to Factory > Use Cases.
  2. Open the row action menu and choose Delete, or open the Use Case and use the delete action.
  3. Confirm.

Deleting a Use Case removes the Use Case and its description, comments, and MITRE mappings from the workspace. Linked Security Assets are not deleted; they remain in the workspace and can be linked to other Use Cases.