From c81b26a9dff409ad0a05012da7f96261f9738c4d Mon Sep 17 00:00:00 2001 From: tiffb Date: Thu, 9 Nov 2023 17:03:22 -0600 Subject: [PATCH] Update use cases --- docs/use_cases.rst | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/use_cases.rst b/docs/use_cases.rst index 55e8ffc..756c832 100644 --- a/docs/use_cases.rst +++ b/docs/use_cases.rst 
@@ -43,26 +43,42 @@ Understanding Current Visibility - Understand which techniques you have visibility into given current set of tools and capabilities. + + Filling Defensive Gaps ^^^^^^^^^^^^^^^^^^^^^^ *If I were to add Tool X, how does that coverage change?* - Identify tools and capabilities to acquire or enable in order to fill gaps. + + Find Potential Threats ^^^^^^^^^^^^^^^^^^^^^^ *I'm concerned about a recent threat report. Can I see it if it were to happen in my environment and where do I look?* - Determine which tools and capabilities to use to find adversary behaviors. + + User Stories ------------ This section describes user stories associated with organizational detection processes and procedures, based on the roles and usage identified above. - +1. As an IR, I want to ensure I have complete visibility of an active security incident. - + Use the mappings to take the observed adversary behaviors as described in ATT&CK to understand current visibility of potential suspicious activities and tie in actionable intelligence from CTI reporting. + +2. As a CISO or ISSO, I need to align defensive posture with the real-world threats targeting my industry. + + Use the mappings to understand which of tools and capabilities provide visibility into specific real-world adversary techniques and where gaps may lie. + +3. As a SOC Analyst, I need visibility into threats launched against my organization. + + Use the mappings for identified Data Sources associated with adversary techniques used to identify areas to look for additional indicators of potential suspicious activities. + +4. As a SE, I want to detect entire classes of adversarial behavior. - \ No newline at end of file + Build in defensive countermeasures for specific adversary TTPs, using the mappings to identify areas and fill in defensive coverage gaps by reconfiguring existing or adding additional tools or capabilities.
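Review bot: in user story 2 of the new numbered list, "which of tools and capabilities provide visibility" should read "which tools and capabilities provide visibility". Two more points in the same list: the role abbreviations "IR" (story 1) and "SE" (story 4) are not expanded anywhere in the hunk, so unless the roles section above spells them out, write "incident responder" and "security engineer" on first use as is done for "SOC Analyst"; and the sentence in story 3, "Use the mappings for identified Data Sources associated with adversary techniques used to identify areas to look for additional indicators", stacks two "identified/identify" clauses and is hard to parse, e.g. "Use the Data Sources mapped to each adversary technique to identify where to look for additional indicators of suspicious activity." Since this is reStructuredText, also confirm that each "Use the mappings..." / "Build in..." paragraph is indented under its numbered item, otherwise the renderer closes the list after item 1 and emits the rest as separate paragraphs.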