Categorizing rules related to usecases

I have few usecases for monitoring Suricata in wazuh.

  1. DDoS Attack
  2. Unauthorised Access
  3. Malware communication
  4. Data exfiltration
  5. SQL Injection
  6. Abnormal user privilege escalation
  7. Credential dumping
  8. Ransomware indicators
  9. Brute force attack
    Etc…

To create custom rules for this usecases, which all parameters i can take?
Which will be the common tag?