Sap the Silicon

Why a spreadsheet of use cases isn't a use case program

Sap the Silicon

A field-grade essay on the quiet diagnostic that separates senior detection engineers from earnest ones.

I have advised many Managed Security Service Providers over two decades. I have encountered upwards of four hundred and fifty correlation rules in production. On one such instance, a new customer arrived with their own list — another three hundred and fifty — laid out in an Excel spreadsheet, asking to have them “implemented as use cases.”

The spreadsheet looked like a mismanaged firewall rule base. A threshold here, a source IP there, an action over there. Each row a self-contained statement, none aware of the others, none anchored to a business priority, none surfaced through any risk lens. Every row demanded equal attention; together they demanded none.

The customer thought they were sending a use case program. What they sent was a rules library.

That conflation is the quiet diagnostic that separates senior detection engineers from earnest ones. It has been the diagnostic for nineteen years, and I keep watching organizations spend large on platforms they then operate at a fraction of the value they paid for.

There is a name for the cure. I learned it running ArcSight Professional Services for the Western US and APAC regions from 2006 to 2008, and various other MSSP delivery programs based on Splunk, QRadar, and others along the way. Sap the silicon for all that it’s worth.

That is an instruction, not a slogan. And it begins with knowing what a use case actually is.

What a Rule Is. What a Use Case Is.

A correlation rule is a sentence. “If five failed authentications occur within ten minutes from the same source IP, generate an alert.”

A use case is a paragraph. With structure. With context. With consequence.

A use case begins with a business problem. It identifies the owner of the problem, the sponsor who can assign resources, and the customer who benefits when this is solved. It declares its discrete objectives — the actionable tasks, ordered by priority, that turn the problem statement into testable detection logic.

Only then does it specify the data sources required to support each objective: which logs, which devices, which connectors. Then it describes the data stream analysis — what events look like in their native form, which fields are required, whether the events are sufficient to support the detection.

Then — and only then — it describes the content build: the correlation rules, dashboards, reports, analyst views, enrichment linkages, and playbooks that operationalize the detection. Each has an owner. Each is testable.

Finally, the use case specifies test, verify, and refine logic. How will we know the content is correct? Did the content actually support the use case in production? Who owns maintenance, and at what frequency?

That paragraph is the shape of a real use case. It does not fit on a row of an Excel sheet because it is not a row of an Excel sheet. It is an engineered system.

The Four Phases

A use case is engineered through four phases. They are not optional, and you cannot reorder them.

Phase I — Identify

What is the issue to the business? Not what the firewall log shows. What is the business risk this detection serves? Who owns it? Who sponsors it? Who is the customer of the eventual alert? If you cannot answer those four questions, you do not yet have a use case. You have a tactic in search of a strategy.

Phase II — Dissect

Analyses the problem from what to how. The ‘what’ is the issue. The ‘how’ is the chain of observable events that, in combination, indicate the issue is occurring. This is where senior engineers spend disproportionate time. An inadequately dissected problem produces fragile rules.

Phase III — Detect

Now, and only now, do you build content. The implementation is platform specific. The content rollout — the discipline of stitching these elements together so they form a coherent decision-support layer — is platform-agnostic. ArcSight, QRadar, Sentinel, Splunk; the platforms vary, the discipline doesn’t.

Phase IV — Alert and Respond

This is where the SOC’s video wall earns its keep. Where does the alert appear, and with what visual urgency? Does it route to the on-call analyst, escalate, or open a case? What outcome metrics are captured to feed the next iteration?

The mature SOC operates all four phases in deliberate sequence. The immature SOC starts at Phase III, ships, and wonders why its analysts are exhausted.

Sap the Silicon

The phrase came from the field. Customer after customer would invest seven or eight figures in a SIEM and operate it as a rules library — fire-and-forget configurations, vendor-shipped templates lightly customised, dashboards nobody watched.

I would tell them: Sap the silicon for all that it’s worth.

Get the last dollar of value out of what you bought. Turn the SIEM from a license line into a decision-support engine. Demand that every rule trace upward to a use case, and every use case trace upward to a business problem. Demand that every alert reaching an analyst has earned its place by passing through the discipline of evidence — not just the threshold of detection.

The AI Use Case Trap

Watch the next twelve months carefully. “AI use case” is about to become exactly what “SIEM use case” became — a phrase diluted into meaninglessness by people who cannot yet tell the difference between a rule, a tactic, and a strategy.

The mature practitioner asks the same Phase I questions. What is the business risk that AI in this slot serves? Who owns it? What is the discrete objective this AI capability advances? Sap the silicon applies to AI as cleanly as it ever applied to SIEM.

The names change. The discipline doesn’t.

Closing

A SOC that ships use cases produces fewer alerts and earns more trust. A SOC that ships rules produces more alerts and erodes its own standing. The platforms cannot tell the difference. The analysts can. The boards can.

The next time someone hands you a three-hundred-and-fifty-row Excel sheet labelled “use cases,” return it. Ask them to name the business problem each row serves. Watch what happens.

That is the test. It separates the senior from the earnest, the platforms from the practices, the rules-libraries from the engineering disciplines.

— Damanjit Singh Uberoi · Founder, CyberSecure Vertex

← Back to all Field Notes