Get Started with Threat Detection, Investigation, and Response (TDIR) Use Case Packages


Threat Detection, Investigation, and Response (TDIR) Use Case Packages Hierarchy

Understand the overall structure of the TDIR Use Case Package framework: use case packages, use cases, and scenarios.

The TDIR Use Case Packages framework organizes threats in a hierarchy, from a broad category down to specific detection insights:

Figure: The hierarchy of use case packages, illustrated using the Compromised Insiders and Malicious Insiders use case packages.

  • Use Case Package – A collection of related use cases; for example, Compromised Insiders.

  • Use Case – A specific problem that a set of functionalities across Exabeam products is aligned to solve; for example, Lateral Movement.

  • Scenario – A high-value detection insight within a use case; for example, Pass the Hash.

In most cases, you tackle a specific use case, but you may find it helpful to break down use cases into scenarios.

Use Case Packages

A use case package is a collection of related use cases.

In the Threat Detection, Investigation, and Response (TDIR) Use Case Packages hierarchy, use case packages are the top-level classification that organizes and groups use cases into three general types: Compromised Insiders, Malicious Insiders, and External Threats.

For example, the Compromised Insiders use case package contains the Compromised Credentials, Lateral Movement, Privilege Escalation, Privileged Activity, Account Manipulation, and other use cases.

Use Cases

A use case is a specific problem Exabeam products are aligned to solve.

A use case represents a threat you can detect, investigate, hunt, and respond to using a set of functionalities across Exabeam products. These functionalities ensure that you deliver measurable outcomes using repeatable procedures.

In the Threat Detection, Investigation, and Response (TDIR) Use Case Packages hierarchy, all use cases are categorized under a use case package: Compromised Insiders, Malicious Insiders, or External Threats. For example, the Lateral Movement use case is categorized under the Compromised Insiders use case package. Some use cases further break down into scenarios.

Scenarios

A scenario is a high-value detection insight within a use case.

A scenario typically describes an Indicator of Compromise (IOC) or a method an attacker uses to create the threat the use case describes.

In the Threat Detection, Investigation, and Response (TDIR) Use Case Packages hierarchy, each scenario falls under a specific use case. For example, the Lateral Movement use case contains the Abnormal Network Connection, Abnormal Remote Access, Pass the Hash, and Pass the Ticket scenarios.

Not all use cases contain scenarios; for example, the External Threats use cases don't have scenarios.