Elastic
Detections

01 Overview

Reducing complexity and unifying rule management

Elastic's detection capabilities had expanded significantly over time. Alongside this growth came increasing complexity in how rules were structured, discovered, and managed. Different rule types lived across separate areas of the product, creating fragmentation and inconsistency in the user experience.

Users struggled not only with discovering relevant rules, but also with understanding where different rule types existed and how they related to each other.

The goal was threefold: reduce friction and cognitive load in rule discovery, unify all rule types into a single coherent experience, and introduce AI-driven guidance to help users automatically surface the right rules for their environment without requiring deep prior expertise.

By consolidating rule management into one centralised location, redesigning how rules were surfaced and explored, and embedding an AI copilot to intelligently recommend relevant rules, we aimed to lower the technical barrier to entry and help users reach value faster.

02 The Problem

Fragmentation and cognitive overload

As Elastic evolved, its rule ecosystem expanded across multiple types and surfaces. This created four core challenges:

• Discoverability: Users struggled to locate relevant rules within a large and growing catalogue, with no intelligent assistance to guide them.
• Fragmentation: Different rule types were accessed and managed in separate areas, leading to confusion and inconsistent workflows.
• Cognitive overload: Dense metadata, technical terminology, and extensive filtering options created decision fatigue.
• Expertise dependency: Selecting the right rules required significant domain knowledge of data sources, detection logic, and system architecture — knowledge many users simply did not have.

Research and stakeholder interviews revealed that users were investing significant time simply understanding what rules were available, where to find them, and which were appropriate for their environment.

The experience assumed deep technical expertise and prior product familiarity. In practice, many users needed clearer structure, contextual guidance, and intelligent assistance to help them make the right decisions without having to know the right answers in advance.

The underlying issue was not capability. It was complexity without cohesion, and discovery without intelligence.

03 My Role

Design Lead

I led the end-to-end design process, from problem framing and discovery through to final interaction design and delivery.

• Reframing rule discovery as a unified, AI-assisted experience rather than separate technical surfaces
• Defining a scalable structure capable of housing multiple rule types
• Designing an AI copilot experience to automatically surface relevant rules based on user context and environment
• Reducing cognitive load without oversimplifying technical depth
• Aligning the solution with activation and engagement goals

Working closely with product, engineering, and security stakeholders, I translated a fragmented system into a cohesive framework that balanced usability with the sophistication expected in a security platform.

04 Process

From fragmented systems to a unified framework

The process began with mapping the full rule ecosystem across the product. I conducted stakeholder interviews, analysed user behaviour, and reviewed support data to understand how users navigated between different rule types.

Journey mapping revealed key friction points:

• Users were unsure where certain rule types lived
• Switching contexts between rule systems created workflow disruption
• Technical filtering required high prior knowledge
• The mental model of the rule ecosystem was unclear

From these insights, I developed a unified architecture that centralised all rule types into a single, discoverable location, introduced consistent interaction patterns across rule categories, applied progressive disclosure to manage technical depth, and improved categorisation and filtering based on user intent rather than internal system structure.

A key design decision was the introduction of an AI copilot layer — an intelligent recommendation engine embedded directly into the rule discovery flow. Rather than requiring users to manually search and filter across hundreds of rules, the AI copilot analysed their environment, data sources, and use case context to automatically surface the most relevant rules for their setup. This shifted the experience from exploration to guided decision-making, dramatically reducing the expertise barrier for less technical users.

Through iterative prototyping and collaboration with engineering, we validated the scalability of the new framework and ensured it could support future rule expansion without reintroducing fragmentation.

The design principle was clarity through cohesion.

05 Results

Impact and measurable outcomes

The redesigned and unified rule experience, powered by an AI copilot that intelligently recommended the right rules for each user's environment, focused on measurable behavioural change, not just interface improvement.