Elastic Security

2020

overview

Elastic's security information and event management (SIEM) tool is used to drive security operations and threat hunting.

methods

User Research, UX/UI Design

problem

Generic rules lack flexibility.


The SIEM tool comes with prebuilt rules that determine when users are alerted on various activities. However, these rules are not always perfect for every unique organization and use case.


opportunity

Customization without complication.


Allow users to add exceptions to Elastic prebuilt rules in order to fine-tune their detection engine and reduce false positives.

USER PERSONA

The first responder


Security Operations Center (SOC) Analysts are the first responders. They likely have an IT or tech background but may be beginners to the security field. They prioritize and investigate events rapidly using triage and response guidelines.

🧑‍🎓 Entry level analyst, new to security

🥲 Often overworked and under stress

🔊 Dealing with noise and alert fatigue

research round 1: interviews

Exploring customer pain points


I started with customer interviews. We discussed current pain points, use cases, and each customer's "ideal solution."

research round 2: testing

With the interview findings and insights in mind, I created wireframes and ran user testing sessions.

INSIGHTS

01 Users need the ability to easily switch between AND and OR queries

02 Users need a less complex query builder in order to respond quickly

03 Users need a single page view so they do not need to open more tabs

How can we allow for flexible query building without overwhelming users who want to make simple changes?


final designs

A SOC Analyst discovers 10,000 alerts regarding an unfamiliar file-sharing application in a small city's security center. Upon investigation, it is determined to be caused by an update of a known program used on city servers.


The analyst does not want employees running this application on their personal computers; however, some of these alerts are generated from certain servers that need to run the software.

From the alert details, the analyst selects ‘Add an exception’ and identifies the field, the operator, and the value that they would like to allow in the case of this rule.

Now, when the detection engine determines that the file-sharing software is running on an acceptable host, it will not fire an alert. After the exception is created, it can be viewed on the detail page of the rule.
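The scenario above, worked through as an added toy model that is not Elastic's code: a rule fires on an unfamiliar file-sharing process, and an exception built from field, operator and value entries suppresses the alerts that come from the approved city servers. The AND/OR semantics (entries inside an exception item are ANDed, separate items are ORed), the operator names, and all host, process and user values are assumptions constructed for the example.

```python
# Toy model of detection-rule exceptions: an added illustration, not Elastic's code.
# Assumed semantics (simplified from the Elastic Security exception UI): an exception
# item is a list of (field, operator, value) entries that are ANDed; a rule can hold
# several items, which are ORed. An alert is suppressed when any item matches.

# Constructed sample events: the prebuilt rule fires on an unfamiliar file-sharing
# process. "city-srv-01/02" are the servers that legitimately run the software.
EVENTS = [
    {"host.name": "city-srv-01", "process.name": "fileshare.exe", "user.name": "svc_backup"},
    {"host.name": "city-srv-02", "process.name": "fileshare.exe", "user.name": "svc_backup"},
    {"host.name": "laptop-jdoe", "process.name": "fileshare.exe", "user.name": "jdoe"},
    {"host.name": "city-srv-01", "process.name": "fileshare.exe", "user.name": "jdoe"},
    {"host.name": "city-srv-01", "process.name": "notepad.exe", "user.name": "jdoe"},
]

def rule_matches(event):
    """The prebuilt rule: alert whenever the file-sharing process runs."""
    return event.get("process.name") == "fileshare.exe"

def entry_matches(event, field, operator, value):
    """Evaluate one (field, operator, value) entry; a missing field never matches."""
    if field not in event:
        return False
    actual = event[field]
    if operator == "is":
        return actual == value
    if operator == "is not":
        return actual != value
    if operator == "is one of":
        return actual in value
    if operator == "is not one of":
        return actual not in value
    raise ValueError(f"unknown operator: {operator}")

def exception_applies(event, exception_items):
    """OR across items, AND across the entries inside each item."""
    return any(all(entry_matches(event, *entry) for entry in item) for item in exception_items)

def run_rule(events, exception_items):
    """Return the events that still raise an alert after exceptions are applied."""
    return [ev for ev in events if rule_matches(ev) and not exception_applies(ev, exception_items)]

# One item with two ANDed entries: allow the software on the approved servers,
# but only when it runs under the service account.
APPROVED_SERVERS = [
    [("host.name", "is one of", ["city-srv-01", "city-srv-02"]),
     ("user.name", "is", "svc_backup")],
]
```

Running `run_rule(EVENTS, APPROVED_SERVERS)` leaves two alerts: the employee laptop, and the approved server where the software ran under a personal account rather than the service account.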
