SI-4 / AU-6 / RA-3 (NIST SP 800-53 Rev 5)

Use-case engineering / detection coverage

Demonstrate that security monitoring capabilities are engineered through documented use cases that provide measurable detection coverage across relevant threat scenarios and adversary behaviors, with evidence of ongoing validation and gap remediation.

Description

What this control does

Use-case engineering and detection coverage is the systematic process of translating threat intelligence, adversary behaviors, and business-critical attack scenarios into specific detection logic within security monitoring tools (SIEM, EDR, NDR). Each use case defines what to detect, how to detect it, alert thresholds, and mapping to MITRE ATT&CK tactics and techniques. Mature programs maintain a use-case library with documented coverage across the cyber kill chain, regularly validated against emerging threats and tested through purple team exercises. This ensures the organization's detection capabilities are intentionally designed, measurable, and aligned to real adversary tradecraft rather than relying on default vendor signatures alone.

Control objective

What auditing this proves

Demonstrate that security monitoring capabilities are engineered through documented use cases that provide measurable detection coverage across relevant threat scenarios and adversary behaviors, with evidence of ongoing validation and gap remediation.

Associated risks

Risks this control addresses

  • Adversaries successfully execute known attack techniques (e.g., credential dumping, lateral movement, data exfiltration) without triggering alerts due to detection blind spots
  • Security operations teams respond reactively to vendor-provided signatures without tailoring detection logic to organization-specific threat landscape and critical assets
  • Duplicate, conflicting, or poorly tuned detection rules create alert fatigue, causing analysts to miss genuine compromise indicators amid false positives
  • Detection gaps for MITRE ATT&CK techniques used by threat actors targeting the organization's industry vertical remain unknown until post-incident forensics
  • Compliance-driven logging without corresponding detection use cases results in data collection without actionable threat identification capability
  • Changes to infrastructure, cloud adoption, or business processes create new attack surfaces without corresponding updates to detection coverage
  • Lack of use-case ownership, documentation, and maintenance leads to degraded detection effectiveness as tools and environments evolve

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's use-case library or detection engineering documentation, including the inventory of all active detection rules across SIEM, EDR, NDR, and other monitoring platforms.
  2. Review the methodology for use-case development, including how threat intelligence, risk assessments, and MITRE ATT&CK framework inform prioritization and design of detection logic.
  3. Select a representative sample of 10-15 use cases spanning different kill-chain phases and retrieve the corresponding detection rules from the SIEM or monitoring tool for detailed examination.
  4. Verify each sampled use case includes required elements: threat description, detection logic/query, data sources, MITRE ATT&CK technique mapping, alert severity, escalation procedure, and documented owner.
  5. Generate a MITRE ATT&CK heatmap or coverage matrix showing which techniques have detection coverage, identifying gaps in critical threat scenarios relevant to the organization's risk profile.
  6. Review evidence of use-case testing, including purple team exercise results, detection simulation outputs (e.g., Atomic Red Team, AttackIQ), or tabletop validation records from the past 12 months.
  7. Examine change management records showing how use cases are updated in response to new threats, infrastructure changes, false positive tuning, or post-incident lessons learned.
  8. Interview detection engineering or threat detection personnel to assess their understanding of coverage gaps, tuning processes, and how use-case effectiveness metrics inform prioritization decisions.

Evidence required

Collect the complete use-case library or detection rule inventory with metadata (owner, MITRE ATT&CK mappings, last review date); exports of detection logic from SIEM/EDR platforms for sampled use cases; MITRE ATT&CK coverage heatmaps or gap analysis reports; purple team or detection simulation test results demonstrating validation of specific use cases; change tickets or tuning documentation showing rule modifications based on false positives, infrastructure changes, or new threat intelligence; metrics dashboards showing use-case performance (true positive rate, coverage percentage, time-to-detect benchmarks); interview notes or process documentation describing the use-case development lifecycle.

Pass criteria

The organization maintains a documented use-case library covering critical MITRE ATT&CK techniques relevant to its threat profile, each use case includes essential metadata and is mapped to active detection rules, evidence demonstrates testing and validation within the past 12 months, and a formal process exists for identifying and remediating coverage gaps.
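Steps 4 and 5 of the testing procedure and the pass criteria can be checked mechanically once the use-case library is kept in a structured form. The script below is an added example, not part of this control catalog or of any vendor tool: it validates each record against the required elements from step 4, treats a use case as contributing to coverage only when it is complete, mapped to an active rule and validated within the last 12 months, and then builds the per-technique coverage matrix from step 5 and lists the gaps. The record schema, the field names, the five sample use cases and the list of in-scope techniques are all constructed assumptions; a real library would be loaded from the SIEM or detection-as-code repository instead.

```python
"""Validate a detection use-case library and compute ATT&CK coverage.

Added example for this control; the schema below is an assumed one, and
the use-case records and in-scope technique list are constructed sample
data, not an organization's real library.
"""
from datetime import date
from typing import Dict, List

# Required elements per use case (testing procedure step 4); assumed field names.
REQUIRED_FIELDS = (
    "id", "threat_description", "detection_logic", "data_sources",
    "attack_techniques", "severity", "escalation_procedure", "owner",
    "last_validated",
)
MAX_VALIDATION_AGE_DAYS = 365          # "validated within the past 12 months"
AS_OF = date(2024, 9, 1)               # constructed audit date


def _uc(uid, desc, logic, techniques, owner, validated, active=True) -> Dict:
    """Build one constructed use-case record in the assumed schema."""
    return {
        "id": uid, "threat_description": desc, "detection_logic": logic,
        "data_sources": ["SIEM/EDR telemetry"], "attack_techniques": techniques,
        "severity": "high", "escalation_procedure": "Tier 2 within 30 minutes",
        "owner": owner, "last_validated": validated, "rule_active": active,
    }


# Constructed sample library: one complete record, and one record per failure mode.
USE_CASES: List[Dict] = [
    _uc("UC-001", "LSASS memory access by non-system process",
        "process_access where target = 'lsass.exe' and source not in allowlist",
        ["T1003.001"], "det-eng", "2024-03-10"),
    _uc("UC-002", "RDP logon from workstation to server tier",
        "logon where type = 10 and dest in server_tier", ["T1021.001"],
        "", "2024-05-01"),                       # owner field left empty
    _uc("UC-003", "Unusually large outbound DNS volume per host",
        "dns where bytes_out > threshold", ["T1048"],
        "net-sec", "2022-11-20"),                # last validated > 12 months ago
    _uc("UC-004", "Encoded PowerShell command line",
        "process where name = 'powershell.exe' and cmdline has '-enc'",
        ["T1059.001"], "det-eng", "2024-06-01", active=False),  # rule disabled
    _uc("UC-005", "Office process spawning a script interpreter",
        "process where parent in office_apps and child in interpreters",
        ["T1566.001"], "det-eng", "2024-07-15"),
]
# Constructed list of techniques the threat profile says must be covered.
IN_SCOPE_TECHNIQUES = ["T1003.001", "T1021.001", "T1048", "T1059.001", "T1566.001"]


def missing_fields(uc: Dict) -> List[str]:
    """Required elements that are absent or empty in the record."""
    return [f for f in REQUIRED_FIELDS if not uc.get(f)]


def is_stale(uc: Dict, as_of: date, max_age_days: int = MAX_VALIDATION_AGE_DAYS) -> bool:
    """True when the last documented validation is older than the allowed window."""
    last = date.fromisoformat(uc["last_validated"])
    return (as_of - last).days > max_age_days


def assess_use_case(uc: Dict, as_of: date) -> List[str]:
    """Reasons a use case does not count toward coverage; an empty list means it does."""
    reasons: List[str] = []
    missing = missing_fields(uc)
    if missing:
        reasons.append("missing " + ", ".join(missing))
    if not uc.get("rule_active"):
        reasons.append("no active detection rule")
    if uc.get("last_validated") and is_stale(uc, as_of):
        reasons.append(f"not validated in last {MAX_VALIDATION_AGE_DAYS} days")
    return reasons


def coverage_matrix(use_cases: List[Dict], in_scope: List[str], as_of: date) -> Dict[str, Dict]:
    """Per-technique matrix: effective use-case ids and ineffective ones with reasons."""
    matrix = {t: {"effective": [], "ineffective": {}} for t in in_scope}
    for uc in use_cases:
        reasons = assess_use_case(uc, as_of)
        for tech in uc.get("attack_techniques", []):
            if tech not in matrix:
                continue                        # outside the agreed scope
            if reasons:
                matrix[tech]["ineffective"][uc["id"]] = reasons
            else:
                matrix[tech]["effective"].append(uc["id"])
    return matrix


def coverage_gaps(matrix: Dict[str, Dict]) -> List[str]:
    """In-scope techniques with no effective use case (step 5 gap list)."""
    return [t for t, entry in matrix.items() if not entry["effective"]]


def coverage_percent(matrix: Dict[str, Dict]) -> float:
    """Share of in-scope techniques with at least one effective use case."""
    if not matrix:
        return 0.0
    covered = sum(1 for entry in matrix.values() if entry["effective"])
    return round(100.0 * covered / len(matrix), 1)


if __name__ == "__main__":
    m = coverage_matrix(USE_CASES, IN_SCOPE_TECHNIQUES, AS_OF)
    for tech, entry in m.items():
        status = "covered by " + ", ".join(entry["effective"]) if entry["effective"] else "GAP"
        print(f"{tech:10} {status}")
        for uid, why in entry["ineffective"].items():
            print(f"           {uid}: {'; '.join(why)}")
    print(f"coverage: {coverage_percent(m)}% of in-scope techniques")
```

Only a use case that passes all three checks counts, so a technique that has a documented rule can still show as a gap (missing owner, disabled rule, or stale validation); that distinction is exactly what the pass criteria ask an auditor to establish, and the reasons recorded per use case feed directly into the gap-remediation backlog.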
