Update use cases

center-for-threat-informed-defense · Nov 9, 2023 · c81b26a · c81b26a
1 parent 2e81791
commit c81b26a
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/docs/use_cases.rst b/docs/use_cases.rst
@@ -43,26 +43,42 @@ Understanding Current Visibility
 
 - Understand which techniques you have visibility into given current set of tools and capabilities.
 
+<img src="./docs/_static/visibility.png" width="900px">
+
 Filling Defensive Gaps
 ^^^^^^^^^^^^^^^^^^^^^^
 *If I were to add Tool X, how does that coverage change?*
 
 - Identify tools and capabilities to acquire or enable in order to fill gaps.
 
+<img src="./docs/_static/gaps.png" width="900px">
+
 Find Potential Threats
 ^^^^^^^^^^^^^^^^^^^^^^
 *I'm concerned about a recent threat report. Can I see it if it were to happen in my environment and where do I look?*
 
 - Determine which tools and capabilities to use to find adversary behaviors.
 
+<img src="./docs/_static/threats.png" width="900px">
+
 User Stories
 ------------
 
 This section describes user stories associated with organizational detection processes and 
 procedures, based on the roles and usage identified above.
 
-<img src="./docs/_static/visibility.png" width="900px">
+1. As an IR, I want to ensure I have complete visibility of an active security incident.  
 
-<img src="./docs/_static/gaps.png" width="900px">
+   Use the mappings to take the observed adversary behaviors as described in ATT&CK to understand current visibility of potential suspicious activities and tie in actionable intelligence from CTI reporting. 
+
+2. As a CISO or ISSO, I need to align defensive posture with the real-world threats targeting my industry.  
+
+   Use the mappings to understand which of tools and capabilities provide visibility into specific real-world adversary techniques and where gaps may lie. 
+
+3. As a SOC Analyst, I need visibility into threats launched against my organization.  
+
+   Use the mappings for identified Data Sources associated with adversary techniques used to identify areas to look for additional indicators of potential suspicious activities. 
+
+4. As a SE, I want to detect entire classes of adversarial behavior.  
 
-<img src="./docs/_static/threats.png" width="900px">
+   Build in defensive countermeasures for specific adversary TTPs, using the mappings to identify areas and fill in defensive coverage gaps by reconfiguring existing or adding additional tools or capabilities.