Elastic

Product Designer

Designing flexible rule management to help SOC analysts streamline security operations

Problem

Generic rules lack flexibility. The SIEM tool comes with prebuilt rules that determine when users are alerted on various activities. However, these rules are not always perfect for every unique organization and use case.

Goal

Allow users to add exceptions to Elastic prebuilt rules in order to fine-tune their detection engine and reduce false positives.

User Persona: The First Responder

Security Operations Center (SOC) Analysts are the first responders. They likely have an IT or tech background but may be beginners to the security field.

🧑‍🎓

Entry level analyst, new to security

🥲

Often overworked and under stress

🔊

Dealing with noise and alert fatigue

01: User Research

Exploratory Research: Identifying customer pain points

I started with customer interviews. We discussed current pain points, use cases, and each customer's "ideal solution."

User Testing

With interview findings and insights in mind, I created wireframes and ran user testing sessions.

Insights

01

Users need the ability to easily switch between AND and OR queries

02

Users need a less complex query builder in order to respond quickly

03

Users need a single page view so they do not need to open more tabs

Opportunity

How can we allow for flexible query building without overwhelming users who want to make simple changes?

02: Designs

User Story

A SOC Analyst discovers 10,000 alerts regarding an unfamiliar file-sharing application in a small city's security center. Upon investigation, it is determined to be caused by an update of a known program used on city servers.

01

The analyst does not want employees running this application on their personal computers; however, some of these alerts are generated from certain servers that need to run the software.

02

From the alert details, the analyst selects ‘Add an exception’ and identifies the field, the operator, and the value that they would like to allow in the case of this rule.

03

Now, when the detection engine determines that the file-sharing software is running on an acceptable host, it will not fire an alert. After the exception is created, it can be viewed on the detail page of the rule.
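The three steps above describe an exception as a set of field / operator / value conditions that stop a rule from firing for approved hosts while leaving the same activity on personal computers alerting. The following is an added illustration, not Elastic's code or this project's design artifacts: a small evaluator that models how such exceptions suppress rule hits. Conditions inside one exception item are ANDed and separate items on a rule are ORed, which is the AND/OR switching the research insights call for. The ECS-style field names (host.name, process.name, user.name), the operator vocabulary, the host and process values, and the sample events are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Entry:
    """One condition in an exception item: <field> <operator> <value>."""
    field: str
    operator: str  # "is", "is not", "is one of", "is not one of", "exists", "does not exist"
    value: Any = None


@dataclass(frozen=True)
class ExceptionItem:
    """Entries inside one item are ANDed; the items attached to a rule are ORed."""
    name: str
    entries: tuple[Entry, ...]


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'host.name' against a nested event dict."""
    current: Any = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def entry_matches(entry: Entry, event: dict) -> bool:
    """Evaluate a single condition against one event."""
    actual = get_field(event, entry.field)
    op = entry.operator
    if op == "exists":
        return actual is not None
    if op == "does not exist":
        return actual is None
    # Design choice for this example: every other operator, including the negated
    # ones, requires the field to be present. Otherwise "host.name is not laptop-jdoe"
    # would silently suppress events that carry no host.name at all, which is
    # exactly the kind of over-broad exception that hides real activity.
    if actual is None:
        return False
    if op == "is":
        return actual == entry.value
    if op == "is not":
        return actual != entry.value
    if op == "is one of":
        return actual in entry.value
    if op == "is not one of":
        return actual not in entry.value
    raise ValueError(f"unknown operator: {op!r}")


def item_matches(item: ExceptionItem, event: dict) -> bool:
    return all(entry_matches(e, event) for e in item.entries)  # AND within an item


def is_excepted(items: list[ExceptionItem], event: dict) -> bool:
    return any(item_matches(i, event) for i in items)  # OR across items


def apply_exceptions(rule_hits: list[dict], items: list[ExceptionItem]):
    """Split rule hits into (alerts that still fire, hits suppressed by an exception)."""
    fire: list[dict] = []
    suppressed: list[dict] = []
    for event in rule_hits:
        (suppressed if is_excepted(items, event) else fire).append(event)
    return fire, suppressed


def host_of(event: dict) -> Any:
    return get_field(event, "host.name")


# Constructed exception list for the user story: the file-sharing agent is allowed
# on two named city servers, and a backup service account is allowed on its host.
CITY_EXCEPTIONS = [
    ExceptionItem("file-sharing agent on approved city servers", (
        Entry("process.name", "is", "fileshare-agent"),
        Entry("host.name", "is one of", ("srv-city-01", "srv-city-02")),
    )),
    ExceptionItem("backup service account on the backup host", (
        Entry("host.name", "is", "backup-01"),
        Entry("user.name", "is", "svc_backup"),
    )),
]

# Constructed rule hits: two approved servers, one personal laptop, one event with
# no host.name at all, and the backup host.
SAMPLE_HITS = [
    {"host": {"name": "srv-city-01"}, "process": {"name": "fileshare-agent"}, "user": {"name": "svc_deploy"}},
    {"host": {"name": "laptop-jdoe"}, "process": {"name": "fileshare-agent"}, "user": {"name": "jdoe"}},
    {"host": {"name": "srv-city-02"}, "process": {"name": "fileshare-agent"}, "user": {"name": "svc_deploy"}},
    {"process": {"name": "fileshare-agent"}, "user": {"name": "unknown"}},
    {"host": {"name": "backup-01"}, "process": {"name": "fileshare-agent"}, "user": {"name": "svc_backup"}},
]

if __name__ == "__main__":
    fire, suppressed = apply_exceptions(SAMPLE_HITS, CITY_EXCEPTIONS)
    print("still alerting:", [host_of(e) for e in fire])
    print("suppressed:", [host_of(e) for e in suppressed])
```

Running the block shows the laptop and the host-less event still alerting while the two approved servers and the backup host are suppressed. The "is one of" operator is what lets the analyst scope the exception to a named set of servers instead of disabling the rule; the missing-field behaviour is the caveat worth checking in any exception editor, since an exception that matches on absent data quietly widens far beyond the hosts the analyst meant to allow.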

Impact

90%
Decrease in incident response time
100+ hours
of customer support time saved per month
4x
more incidents that can be solved without a call to support

© 2025 Marra Sherrier