
Elastic
Detections

Role: Design Lead
Company: Elastic
Tools: Figma, Cursor, Research
Status: Shipped
Elastic Rule Libraries interface

01 Overview

Reducing complexity and unifying rule management

Elastic's rule ecosystem had grown into a fragmented system split across multiple surfaces. Discovery was painful, configuration assumed expertise users didn't have, and no intelligence existed to close the gap. I led the redesign that unified everything — and added an AI copilot to do the discovery work for users who didn't know where to start.

02 My Role

Design Lead

Figma · Cursor · User Research · Prototyping · Design Systems

03 The Problem

Fragmentation and cognitive overload

Discoverability

No intelligent assistance

Users struggled to locate relevant rules within a large and growing catalogue with no guidance to help them navigate it.

Fragmentation

Split across multiple surfaces

Different rule types were accessed and managed in separate areas, creating confusion and inconsistent workflows.

Cognitive overload

Dense, technical decision fatigue

Dense metadata, technical terminology, and extensive filtering created decision fatigue at every step.

Expertise dependency

Assumed prior knowledge

Selecting the right rules required deep domain knowledge many users simply did not have.

The underlying issue wasn't capability — it was complexity without cohesion, and discovery without intelligence.

UX success criteria

04 Process

From fragmented systems to a unified framework

Step 01

Discover & Empathize

Step 02

Assumption Mapping

Step 03

Define & Frame

Step 04

Design & Validate

Step 01 — Discover & Empathize

Full rule ecosystem audit + stakeholder interviews across product, engineering, and security. Three friction spikes mapped: orientation confusion on landing, inability to assess rule relevance, and configuration steps that assumed expertise users didn't have.

Analyst journey map — rule discovery and activation · Current vs redesigned experience · Composite from 15+ interviews. Stages: land on rules, browse catalogue, assess relevance, configure rule, validate, activate, each rated high/mid/low friction. Representative quotes along the current path: "Where do I even start?", "Is this rule right for me?", "I don't know what these fields mean", "Finally active — took 40 mins".

Built on 25+ prior user interviews: Figma-based Workflow artefacts, now used company-wide at Elastic, capturing jobs-to-be-done (JTBD), personas, data sources, and live issues for each security role.

Elastic Security Workflow artefacts — Alerts, Continuous Onboarding, Assets and Entity Analytics
Figma-based Workflow artefacts — built from 25+ user interviews · Used company-wide across the Elastic Security design team

User research — 15+ sessions

Two research rounds — open discovery first, then concept validation. 15+ analysts across enterprise and mid-market, varying expertise levels.

  • 15+ security professionals interviewed across discovery and validation rounds
  • 2 research rounds — open discovery, then concept validation with prototypes
  • Mixed accounts — enterprise and mid-market, varying technical expertise levels

I know the rules I need exist somewhere. I just spend 20 minutes trying to find them every time.

Senior Detection Engineer · Enterprise

The filtering is powerful but I need to already know what I'm looking for. If I don't, I'm lost.

SOC Analyst · Mid-market

I've got prebuilt rules, custom rules, shared rules, all in different places. I can never remember which surface to go to.

Security Engineer · Enterprise

If the AI could just look at my data sources and tell me what to enable, that would change everything for my junior analysts.

Head of Security · Scale-up

Step 02 — Assumption Mapping

Key disproved assumption: fragmentation was a navigation problem. Research showed it was a mental model problem — users had no coherent picture of the rule landscape, so navigation improvements alone would have failed.

Assumption map — importance vs confidence
Assumption map — importance vs. confidence · Used to prioritise research questions before design work began

The most important disproved assumption was that fragmentation was a navigation problem. Research made clear it was a mental model problem — users had no coherent picture of what the rule landscape looked like, so they couldn't navigate it regardless of how we structured the menus. This reframed the entire design challenge.

Step 03 — Define & Frame

Activation

Time to First Rule

Reduction in time from session start to first rule enabled. Target: meaningful improvement vs baseline.

Discovery

Search Refinement Cycles

Reduction in the number of filter and search iterations needed to find a relevant rule.

Adoption

Multi-rule-type Usage

Increase in accounts using more than one rule type — a signal that unification is working.

Confidence

Rule Management Satisfaction

Improvement in satisfaction scores specifically tied to rule management across all skill levels.

Step 04 — Design & Validate

Architecture first — a unified rule library organised by intent, not internal structure. Progressive disclosure handled expert depth. I mapped three user journeys before any wireframes, using them as a research artefact in stakeholder and user sessions.

Proposed user journeys — 3 entry paths converging into the unified rules library · Used as a research artefact in stakeholder sessions and user interviews. Entry points: a new data integration (installing an Elastic Agent integration such as AWS or Endpoint activates a new data source), new threat intelligence (a threat intel report or CVE advisory raises "what rules cover this?"), and monitoring activity (a rule produces false positives or fails to execute). Each path passes an AI copilot intercept (rules matching the new data source, rules covering the technique with inactive ones flagged, or a diagnosed false-positive pattern with a proposed exception or tuning), converges on the unified rules library (all rule types, intent-based filters, inline copilot recommendations, progressive disclosure, single source of truth), then moves to review and decide (relevance, severity, MITRE coverage, the copilot's reasoning, configuration) and an outcome (enable rule, tune existing rule, or escalate/skip with feedback to the copilot). Previously: 3+ surfaces and no single view.
Lo-fi wireframe — unified rules library with AI copilot panel · Used in stakeholder alignment sessions before high-fidelity work began. Panels: filters (rule type, coverage framework, data source, AI copilot filter assist), tabs (All rules / My rules / Suggested), a unified table of all rule types (name, type, severity, status, actions) with a rule-type colour bar, and an inline AI copilot card recommending rules not yet enabled for the installed integrations.

One key debate: persistent copilot panel vs. inline dismissible card. Research settled it — guidance without noise. Built a Cursor prototype to test the copilot interaction model; static mocks couldn't answer whether recommendations felt helpful or overwhelming.

Final designs — unified rule library
Final designs — unified rule library with AI copilot recommendation layer

Prototype testing confirmed it. Less experienced users described the copilot as the first time they'd felt capable of setting up detection without expert help.

05 Results

Impact across activation, discovery, and adoption

1

Reduced Time to First Value

  • 32% reduction in time to first rule activation
  • 24% increase in first-session rule enablement

2

Increased Rule Discovery Success

  • 40% reduction in search refinement cycles
  • 18% increase in successful rule enablement after browsing
  • Measurable decrease in support tickets related to rule discovery

3

Lower Cognitive Load and Broader Adoption

  • 15% growth in multi-rule-type usage per account
  • Increased rule adoption among less experienced users
  • Improved satisfaction scores specifically tied to rule management

Headline figures: 32% faster rule activation · 40% fewer search cycles · 15% more multi-type usage

Signing Off

Key takeaways
