Elastic
Product Designer
Designing flexible rule management to help SOC analysts streamline security operations

Problem
Generic rules lack flexibility. The SIEM tool comes with prebuilt rules that determine when users are alerted on various activities. However, these rules are not always perfect for every unique organization and use case.
Goal
Allow users to add exceptions to Elastic prebuilt rules in order to fine-tune their detection engine and reduce false positives.
User Persona: The First Responder
Security Operations Center (SOC) Analysts are the first responders. They likely have an IT or tech background but may be beginners to the security field.
🧑🎓
Entry level analyst, new to security
🥲
Often overworked and under stress
🔊
Dealing with noise and alert fatigue
01: User Research
Exploratory Research: Identifying customer pain points
I started with customer interviews. We discussed current pain points, use cases, and each customer's "ideal solution."

User Testing
With interview findings and insights in mind, I created wireframes and ran user testing sessions.



Insights
01
Users need the ability to easily switch between AND and OR queries
02
Users need a less complex query builder in order to respond quickly
03
Users need a single page view so they do not need to open more tabs
Opportunity
How can we allow for flexible query building without overwhelming users who want to make simple changes?
02: Designs
User Story
A SOC Analyst discovers 10,000 alerts regarding an unfamiliar file-sharing application in a small city's security center. Upon investigation, it is determined to be caused by an update of a known program used on city servers.
01
The analyst does not want employees running this application on their personal computers; however, some of these alerts are generated from certain servers that need to run the software.


02
From the alert details, the analyst selects ‘Add an exception’ and identifies the field, the operator, and the value that they would like to allow in the case of this rule.
03
Now, when the detection engine determines that the file-sharing software is running on an acceptable host, it will not fire an alert. After the exception is created, it can be viewed on the detail page of the rule.
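The exception semantics the user story describes (an item is a field, an operator and a value; items within one exception are ANDed, separate exceptions are ORed, and an alert that matches any exception is suppressed), as an added Python example that is not Elastic's own code. The operator names, field names and sample alerts are assumptions constructed for illustration, not Elastic's exception-list schema.

```python
# Added illustrative example (not Elastic's implementation).
# An exception is a list of (field, operator, value) items; all must hold (AND).
# A rule carries several exceptions; any one matching suppresses the alert (OR).

def _item_matches(alert, field, operator, value):
    """Evaluate one exception item against a flat alert document (dict)."""
    present = field in alert
    actual = alert.get(field)
    # Missing fields never satisfy a value comparison: when the data needed
    # to justify suppression is absent, the alert should still fire.
    if operator == "is":
        return present and actual == value
    if operator == "is not":
        return present and actual != value
    if operator == "is one of":
        return present and actual in value
    if operator == "is not one of":
        return present and actual not in value
    if operator == "exists":
        return present
    if operator == "does not exist":
        return not present
    raise ValueError(f"unknown operator: {operator}")  # operators are assumed

def exception_matches(alert, exception):
    """AND: every item in the exception must match."""
    return all(_item_matches(alert, f, op, v) for f, op, v in exception)

def should_alert(alert, exceptions):
    """OR across exceptions: any matching exception suppresses the alert."""
    return not any(exception_matches(alert, e) for e in exceptions)

def triage(alerts, exceptions):
    """Split a batch of candidate alerts into (fired, suppressed)."""
    fired = [a for a in alerts if should_alert(a, exceptions)]
    suppressed = [a for a in alerts if not should_alert(a, exceptions)]
    return fired, suppressed

# Constructed sample data mirroring the user story: the file-sharing program
# is allowed only on the servers that need it, not on personal computers.
FILE_SHARING_EXCEPTIONS = [
    [("process.name", "is", "fileshare.exe"),
     ("host.name", "is one of", ["srv-files-01", "srv-files-02"])],
]
SAMPLE_ALERTS = [
    {"process.name": "fileshare.exe", "host.name": "srv-files-01"},  # allowed
    {"process.name": "fileshare.exe", "host.name": "laptop-jdoe"},   # fires
    {"process.name": "fileshare.exe"},                               # fires
]

if __name__ == "__main__":
    fired, suppressed = triage(SAMPLE_ALERTS, FILE_SHARING_EXCEPTIONS)
    print(f"fired={len(fired)} suppressed={len(suppressed)}")
```

The third sample alert shows the edge case worth deciding up front: an alert missing the host field is not suppressed, because the exception cannot be verified against it.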

Impact
90%
Decrease in incident response time
100+ hours
of customer support time saved per month
4x
more incidents that can be solved without a call to support

