Signatures should be mapped to use cases using a grouping that makes sense for your environment. This mapping lets the investigator go straight from a firing signature to its recommended response actions. A good starting point is to use the MITRE ATT&CK framework's Tactics as the use cases for signatures.
These less-technical use cases should also be considered for addition into your use case library:
- The mouse and/or keyboard start moving/typing on their own. (https://attack.mitre.org/techniques/T1021/)
- A device performs unexpected functions on its own (like a gate opening or closing unexpectedly).
- An endpoint computer fails to boot up properly.
- A ransomware message is displayed. (https://attack.mitre.org/techniques/T1486/)
- A caller claims to be the helpdesk or other member of IT Staff. (https://attack.mitre.org/techniques/T1656/)
- An unidentified peripheral (like a USB) is found connected to a system. (https://attack.mitre.org/techniques/T1091/)
- An email or document suggests calling a provided phone number for support (e.g. Microsoft). (https://attack.mitre.org/techniques/T1566/)
- Historic events are seemingly deleted or otherwise no longer available. (https://attack.mitre.org/techniques/T1070/)
- Unauthorized changes appear to have been made to a device's logic code/configuration. (https://attack.mitre.org/techniques/T0845/)
- A secure location shows clear signs of breaking and entering.
- An unauthorized person is found in a location.
- An antivirus/antimalware product presents a detection alert.
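The mapping described above, worked through as a small use-case library (an added example, not code from the original page). The technique IDs are the ones listed above; the tactic labels are this editor's reading of the ATT&CK Enterprise and ICS matrices and should be checked against the current version (T1091, for instance, also appears under Lateral Movement); the `UseCase` structure, the response actions and the sample alerts are all constructed for illustration. The lookup resolves a sub-technique tag such as `T1021.001` to its parent use case and reports signatures with no use case under `UNMAPPED`, so gaps in the library are visible rather than silently dropped.

```python
import re
from dataclasses import dataclass

# ATT&CK technique IDs look like T1021 or T1021.001 (ICS IDs like T0845 fit too)
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


@dataclass(frozen=True)
class UseCase:
    name: str                 # the less-technical description an analyst recognises
    tactic: str               # ATT&CK tactic used as the use-case grouping
    techniques: tuple         # technique IDs this use case covers; empty if unmapped
    response_actions: tuple   # constructed sample actions, not MITRE's guidance


# Hypothetical use-case library built from the list on the page.
USE_CASE_LIBRARY = [
    UseCase("Mouse/keyboard moving on its own", "Lateral Movement", ("T1021",),
            ("Disconnect the host from the network", "Preserve remote-access logs")),
    UseCase("Ransomware message displayed", "Impact", ("T1486",),
            ("Isolate affected hosts", "Identify encryption scope and backups")),
    UseCase("Caller claims to be helpdesk/IT", "Defense Evasion", ("T1656",),
            ("Verify via a known internal number", "Alert staff to the pretext")),
    UseCase("Unidentified USB peripheral found", "Initial Access", ("T1091",),
            ("Do not connect it to another host", "Image the device offline")),
    UseCase("Email urges calling a support number", "Initial Access", ("T1566",),
            ("Quarantine the message", "Block the number and sender in filters")),
    UseCase("Historic events missing", "Defense Evasion", ("T1070",),
            ("Compare against the central log collector", "Snapshot remaining logs")),
    UseCase("Unauthorized change to device logic", "Collection (ICS)", ("T0845",),
            ("Compare against the golden project file", "Restore known-good program")),
    UseCase("AV/antimalware detection alert", "Unmapped", (),
            ("Pull the quarantined sample hash", "Scope other hosts for the same hash")),
]


def validate_library(library):
    """Return a list of problems; an empty list means the library is consistent."""
    problems, seen = [], set()
    for uc in library:
        if uc.name in seen:
            problems.append(f"duplicate use case: {uc.name}")
        seen.add(uc.name)
        if not uc.response_actions:
            problems.append(f"no response actions: {uc.name}")
        for t in uc.techniques:
            if not TECHNIQUE_ID.match(t):
                problems.append(f"malformed technique id {t!r} in {uc.name}")
    return problems


def _covers(uc, technique):
    # A sub-technique (T1021.001) is covered by a use case mapped to its parent (T1021).
    return technique in uc.techniques or technique.split(".")[0] in uc.techniques


def signature_to_use_cases(library, signature_techniques):
    """Return the use cases covering any technique the signature is tagged with."""
    return [uc for uc in library if any(_covers(uc, t) for t in signature_techniques)]


def recommended_actions(library, signatures):
    """
    signatures: {signature_name: [technique IDs]} as a SIEM/EDR rule would tag them.
    Returns {tactic: sorted response actions}; signatures with no use case are
    listed under 'UNMAPPED' so the analyst sees the gap.
    """
    by_tactic = {}
    for sig_name, techs in signatures.items():
        matches = signature_to_use_cases(library, techs)
        if not matches:
            by_tactic.setdefault("UNMAPPED", set()).add(f"no use case for {sig_name} {techs}")
            continue
        for uc in matches:
            by_tactic.setdefault(uc.tactic, set()).update(uc.response_actions)
    return {tactic: sorted(actions) for tactic, actions in by_tactic.items()}


# Constructed sample alerts: one sub-technique tag, one parent tag, one unknown ID.
SAMPLE_ALERTS = {
    "rdp_interactive_logon_from_workstation": ["T1021.001"],
    "event_log_cleared": ["T1070"],
    "custom_rule_no_mapping": ["T9999"],
}

if __name__ == "__main__":
    print("library problems:", validate_library(USE_CASE_LIBRARY))
    for tactic, actions in recommended_actions(USE_CASE_LIBRARY, SAMPLE_ALERTS).items():
        print(tactic, "->", actions)
```

Running `validate_library` as part of a CI check on the library catches the two failure modes that matter most in practice: a use case with no response actions (the investigator lands on an empty page) and a mistyped technique ID (the signature never maps to anything).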