D4 · Operations

What are SIEM use cases?

Key SIEM use cases: brute-force detection (multiple failed logins against an account or from a source), lateral movement (unusual authentication between internal hosts), privilege escalation (unexpected administrative activity), and data exfiltration (unusual outbound transfers).
A SIEM is only as good as its tuning. Start with high-fidelity use cases (low false-positive rate). Use MITRE ATT&CK to map which techniques your detections cover and where the gaps are. Review alerts regularly; alert fatigue from an untuned SIEM destroys its value.