Every blue team should have a Chris Hansen for catching penetration testers! We surveyed multiple penetration testers and security professionals to collect the best and most useful SIEM detection use cases. The goal of the use cases are to detect a penetration tester/external attacker in a typical enterprise environment. The top use cases will be reviewed. This talk is designed to help blue teams mature their detection and SIEM programs.