# Use Case and Detection Engineering Lifecycle

One-sentence definition: A repeatable path from hypothesis to reliable alert with continuous tuning.

## Key Facts

- Steps: hypothesis → data mapping → rule/build → test → deploy → tune → measure.
- Map to ATT&CK techniques and required telemetry.
- Add context/enrichment (asset criticality, user risk) for fidelity.
- Measure precision/recall; retire low-value rules.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose lifecycle to justify alert quality and maintenance.

**Mnemonic:** “**Think → Build → Prove → Improve**.”

## Mini Scenario

Q: Alert noisy on service accounts—improvement?

A: Exempt patterns or add conditions (interactive logons only).

## Revision Checklist

- List lifecycle steps.
- Telemetry mapping.
- Metric to track.

## Related

[[Logging Strategy and SIEM Use Cases]] · [[MITRE ATT&CK Mapping for Testing]] · [[Playbooks and SOAR Automation]] · [[Threat Hunting Program Basics]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[Domain 7 - Index]]