Maintain the lifecycle of the use case.
Maintain the change history of the use case.
Perform regular review of use cases.
- Is the use case still needed?
- Is the volume of alerts/results in a low-fidelity alert/query acceptable compared to the time taken to investigate?
- Do the content and components align with the objectives, analysis, and recommended actions? Or should a new use case be created?
- When was the last time the high-fidelity components provided alerts/results? When were they last tested?
- Does the Analysis section adequately explain how to analyze the alerts/results?
- Is there sufficient data in alerts/results/analysis steps to allow determining whether the occurrence was a true or false positive?
- Are there any opportunities to improve the true/false positive ratio without significant loss in visibility?
- Do all the fields included provide helpful context?
- Would it be helpful to display results differently (e.g. table, different graph, aggregation)?
- Would it be helpful to apply additional logic?
- Are there any analysis steps or response actions that could be automated?
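The review questions above can be turned into a repeatable check run over each use case's figures for the period. The script below is an added example, not part of the original page: the `UseCaseStats` fields, the finding codes and the thresholds (8 analyst-hours of false positives, a 10% true-positive ratio, 90 days without firing or testing) are assumptions to be tuned to the team.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class UseCaseStats:
    """Per-use-case figures gathered over the review period (assumed schema)."""
    name: str
    fidelity: str                # "high" or "low", as classified in the use case
    true_positives: int
    false_positives: int
    minutes_per_alert: float     # mean analyst time to triage one alert/result
    last_alert: Optional[date]   # last time the component produced a result
    last_tested: Optional[date]  # last time the component was exercised on purpose

def review(uc: UseCaseStats, today: date, max_fp_hours: float = 8.0,
           min_tp_ratio: float = 0.1, stale_days: int = 90) -> list:
    """Return a finding code for each review question the use case fails.
    Thresholds are assumptions for this example, not values from the page."""
    findings = []
    total = uc.true_positives + uc.false_positives
    if total == 0:
        findings.append("no_results")        # still needed? content still aligned?
    else:
        fp_hours = uc.false_positives * uc.minutes_per_alert / 60
        if uc.fidelity == "low" and fp_hours > max_fp_hours:
            findings.append("fp_cost")       # volume vs. time taken to investigate
        if uc.true_positives / total < min_tp_ratio:
            findings.append("low_tp_ratio")  # tune logic/fields before retiring
    if uc.fidelity == "high":
        if uc.last_alert is None or (today - uc.last_alert).days > stale_days:
            findings.append("stale_alert")   # when did it last provide results?
        if uc.last_tested is None or (today - uc.last_tested).days > stale_days:
            findings.append("stale_test")    # when was it last tested?
    return findings

def review_all(records, today):
    return {uc.name: review(uc, today) for uc in records}

# Constructed sample figures; names and numbers are illustrative only.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE = [
    UseCaseStats("brute_force_login", "low", 4, 120, 6.0, date(2024, 5, 30), date(2024, 3, 1)),
    UseCaseStats("ransomware_note_created", "high", 0, 0, 15.0, None, date(2024, 1, 10)),
    UseCaseStats("suspicious_powershell", "high", 9, 3, 20.0, date(2024, 5, 28), date(2024, 5, 15)),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE, REVIEW_DATE).items():
        print(f"{name}: {findings or 'OK'}")
```

Each finding code maps back to one of the questions above, so the output doubles as the agenda for the review meeting.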