Alert fatigue is a critical problem for security operations teams on Axon. LogRhythm brought me on as lead UX designer to redesign the notification system around an intuitive rules builder, so that security teams can define alert workflows that get critical security events to the right people at the right time.
Rethinking security alert management
Disclaimer: Due to confidentiality agreements, the materials I can show from this project are limited. I'd be glad to walk through my process in more detail on a call.
My Role
Primary UX Designer
Team
1 UX Designer (Myself)
1 Project Manager
2 Developers
Design Timeline
4 weeks

This image shows two viable options in low-fidelity that were a base for user testing
Security teams were overwhelmed with constant alerts, while critical notifications often got lost in the noise. A lack of notification routing and inconsistent escalation paths made it difficult for teams to manage their alert workflows effectively.
Teams struggled to get the right alerts to the right people (and, for MSSPs, to the right customers) at the right time, because the notification system was not customizable and communication channels were fragmented. When I joined the notification system project, I saw an opportunity to transform how security teams handle critical alerts.
How might we help security teams manage notifications effectively while reducing alert fatigue?
What is important for notification setup?
The existing SIEM notification system had been built with a minimum viable approach that prioritized quick release over usability, resulting in complex and unclear alert routing configuration. Both SOCs and MSSPs use this administrative area, but MSSPs interact with it more often because they manage multiple client deployments. For both user types, once notification rules are configured they rarely need adjustment, which makes an intuitive setup experience crucial despite infrequent use: a mistake made once can persist unnoticed.
For administrators configuring notifications, several critical factors need consideration: which teams or individuals should receive specific types of alerts, what notification methods (email, SMS, Slack) are appropriate for different severity levels, and how escalations should be handled if alerts go unacknowledged. Understanding these notification paths and ensuring proper setup is essential for maintaining security response effectiveness.
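To make those three decisions concrete, here is a small rules engine I added for illustration; it is not LogRhythm's code and does not reflect Axon's actual rule model. It routes an alert to recipients by severity and tenant, escalates after a configurable number of unacknowledged minutes, and lints the configuration before it is saved so that a high-severity alert can never be left with nobody to receive it. The rule fields, tenant names, recipients and channels are all constructed for the example.

```python
"""Toy notification-routing engine (added illustration, not LogRhythm/Axon code).

Models the three decisions an administrator makes: who receives which
alerts, which channels a severity goes to, and what happens when an alert
sits unacknowledged. Every rule, tenant and recipient below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ("low", "medium", "high", "critical")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str
    tenant: str                    # customer deployment; matters for MSSPs


@dataclass(frozen=True)
class Rule:
    name: str
    severities: frozenset          # severities this rule matches
    tenants: Optional[frozenset]   # None means "any tenant"
    channels: tuple                # e.g. ("email",) or ("sms", "slack")
    recipients: tuple              # who gets the first notification
    escalate_after_min: Optional[int] = None   # None means never escalate
    escalation_recipients: tuple = ()

    def matches(self, alert: Alert) -> bool:
        return alert.severity in self.severities and (
            self.tenants is None or alert.tenant in self.tenants)


def route(alert: Alert, rules) -> list:
    """First-pass deliveries as (rule name, channel, recipient) triples."""
    return [(r.name, ch, who) for r in rules if r.matches(alert)
            for ch in r.channels for who in r.recipients]


def escalate(alert: Alert, rules, unacked_minutes: int) -> list:
    """Escalation deliveries that are due once the alert has gone unacknowledged."""
    return [(r.name, ch, who) for r in rules
            if r.matches(alert) and r.escalate_after_min is not None
            and unacked_minutes >= r.escalate_after_min
            for ch in r.channels for who in r.escalation_recipients]


def lint_rules(rules, tenants, must_route=("high", "critical")) -> list:
    """Checks to run before saving a configuration.

    Flags rules with no recipients or channels, escalation timers with nobody
    to escalate to, and any tenant whose high/critical alerts no rule would
    deliver (low/medium alerts may intentionally notify nobody, to cut noise).
    """
    findings = []
    for r in rules:
        if not r.recipients or not r.channels:
            findings.append(f"{r.name}: no recipients or channels")
        if r.escalate_after_min is not None and not r.escalation_recipients:
            findings.append(
                f"{r.name}: escalates after {r.escalate_after_min} min but to nobody")
    for tenant in tenants:
        for sev in must_route:
            probe = Alert("probe", sev, tenant)
            if not any(r.matches(probe) and r.recipients for r in rules):
                findings.append(f"no rule routes {sev} alerts for {tenant}")
    return findings


# Constructed sample configuration for a hypothetical MSSP with three customers.
TENANTS = ("acme", "globex", "initech")
RULES = (
    Rule("tier1-email", frozenset({"medium", "high", "critical"}),
         frozenset({"acme", "globex"}), ("email",), ("soc-tier1@example.invalid",)),
    Rule("critical-page", frozenset({"critical"}), None, ("sms", "slack"),
         ("oncall-primary",), escalate_after_min=15,
         escalation_recipients=("soc-manager",)),
    Rule("acme-customer", frozenset({"high", "critical"}), frozenset({"acme"}),
         ("email",), ("secops@acme.invalid",)),
    # Deliberate misconfiguration that the lint should catch.
    Rule("globex-customer", frozenset({"high", "critical"}), frozenset({"globex"}),
         ("email",), (), escalate_after_min=30),
)

if __name__ == "__main__":
    alert = Alert("a1", "critical", "acme")
    print(route(alert, RULES))
    print(escalate(alert, RULES, 15))
    for finding in lint_rules(RULES, TENANTS):
        print("LINT:", finding)
```

The lint is the part a practitioner would insist on: it also reveals that `initech` has no route for high-severity alerts, which the per-rule view of the configuration would never show.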
Security teams face alert fatigue from overwhelming notifications while critical alerts risk being missed. Current notification systems lack intelligent routing and flexible configuration options, leading to either information overload or missed security events. We needed a solution that would help teams create sophisticated notification rules while keeping the setup process intuitive.
Core Objectives
- Design an intuitive rules builder that balances power with usability
- Enable precise control over notification routing and escalation
- Create a scalable solution that works for both SOC and MSSP workflows
Project Stakeholders
Internal
- Security Analysts
- Product & Engineering Teams
External
- Security Analysts
- SOC Managers
- Platform Administrators
User-Centered Approach
FINAL SOLUTION: A Hybrid Approach
Our research findings led us to develop a hybrid approach that leveraged our panel architecture to create a two-area design. This solution:
- Maintained the intuitive workflow users preferred
- Reduced technical complexity
- Preserved critical functionality
- Shortened implementation timeline by one sprint
Design Approach
The project reinforced three core principles for administrative tool design:
- Deep understanding of both regular (SOC) and multi-client (MSSP) user workflows
- Strategic compromise between user experience, technical feasibility, and business needs
- Simplified complexity - making infrequent but critical tasks intuitive
Through close collaboration with engineering and security teams, we created a solution that balanced sophisticated notification capabilities with an intuitive setup experience, combining the strengths of the original two concepts. Most importantly, we validated that even infrequently used administrative tools deserve careful attention to user experience, because their correct configuration is crucial for security operations.
Notification systems require a delicate balance between precise control and reliable alert delivery - one wrong configuration could mean critical alerts never reach their team.
Takeaways
Success in the notification rules project came from finding the sweet spot between powerful customization and intuitive setup - delivering a solution that both SOCs and MSSPs could confidently configure despite infrequent usage. The hybrid approach proved that thoughtful design can simplify complex administrative tasks without sacrificing functionality.
Through this project, we proved that creative architectural compromises and strong user validation can simplify complex administrative workflows while maintaining the robust functionality security teams require.
Platform areas impacted
Screens designed
Want to see more?
I am happy to talk through my research and design work for LogRhythm during a scheduled call, as this work is confidential and cannot be showcased publicly.

This research synthesis in Dovetail provided key insights for strategy and development
OPTION 02: Rule Builder Workflow
- A traditional SIEM-style rule builder approach used by other platforms
- Split functionality across rules, distribution profiles, and creation areas
- Faster to implement with existing architecture
- Users found it disjointed and difficult to navigate
- Context-switching created cognitive burden
Initial Design Process
Creating an efficient notification system required us to rethink how administrators configure alert routing. The challenge wasn't just about managing notifications - it was about designing an intuitive experience for a critical but infrequently used administrative tool that would serve both SOC teams and MSSPs managing multiple client deployments.
Through initial research, we arrived at two distinct approaches, which we tested extensively with users:
OPTION 01: Cards Workflow
- A unified single-area solution with a more visual, card-based interface
- Users strongly preferred having all notification management in one cohesive space
- Provided clearer context and easier rule creation through visual representation
- Required longer implementation timeline
- Technical complexity raised concerns about delivery schedule