
Exabeam’s Design System: Matcha
Rule & Query Builder
Streamlining and contributing new design components to the design system for new query/condition builder.
Role
Product Designer, UX auditor
Company
Exabeam
Collaborations
Design team, PM team, Engineering
Duration
4 weeks
Project Overview
Meeting the Demands of Security Analysts: The Need for Advanced Rule Builders
Exabeam’s end users are security analysts, CISOs, etc., who need to detect and investigate potential security threats by analysing behaviours. So there is a constant need to add rule builders for:
Analyzing logs
Collecting specific types of logs containing keywords or activities
Applying conditions like if/else for triggering a case
Enriching with certain values in the context of analyzing customer logs
The rule builder component can be implemented in various contexts, because the if/else condition and operators like AND, OR and NOT are common to all the use cases.
Enhanced Log Analysis:
Rule builders enable security analysts to efficiently analyze and categorize logs, improving the detection of potential threats by filtering and aggregating specific log types and activities.
Dynamic Condition Application:
The ability to apply complex conditions such as IF/ELSE statements enhances the precision of threat detection, allowing for more nuanced case triggers and better handling of varied security scenarios.
Contextual Enrichment:
Rule builders support the enrichment of logs with contextual values, which aids in deeper analysis and more accurate identification of security threats, tailored to customer-specific needs and log details.
SOC Personas
Security Operations Center (SOC) teams operate within a structured workflow with distinct roles: three tiers of security analysts, security engineers, and a manager. Some organizations also have specialized insider threat teams focusing on employee activity. Each role targets specific security aspects, but seamless communication and collaboration are critical to the team’s success in detecting and responding to threats effectively.
Tim
Tier 1 Analysts are the frontline defenders, monitoring systems and alerts to detect potential security incidents. They perform initial assessments and escalate confirmed threats to Tier 2.
Esteban
Security Engineers design and implement the organization's security infrastructure. They develop security measures to protect systems against attacks, conduct regular security assessments, and are involved in the development and fine-tuning of automated security solutions.
Ivy
Tier 2 Analysts delve deeper into the escalated alerts, conducting thorough investigations to understand the scope and impact. They may also initiate containment measures.
Corri
The SOC Manager oversees the entire SOC team, ensuring that security procedures are followed, and goals are met. They coordinate incident response efforts, manage the team's budget and resources,
Hunter
Tier 3 Analysts are the most experienced and handle the most complex investigations. They develop threat hunting strategies to identify hidden threats and work on complex incident response and remediation.
Insider threat team, India
This specialized team focuses on identifying and mitigating risks posed by insiders. They monitor user behaviors, conduct risk assessments, and investigate suspicious activities to protect against internal threats.
Starting with the code:
What is the query/conditional statement we are referring to here?
The specific criteria or logical expressions used within queries or rules to define the parameters of a search or action. Conditions determine when a rule is applied or when a query returns results, such as "IF a user logs in from a new location AND fails authentication three times, THEN trigger an alert."
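As an added illustration (not part of the original case study or Exabeam's code), here is a small Python evaluator for the nested AND/OR/NOT condition groups such a builder produces, applied to the page's example rule over constructed authentication events; the event fields, comparator names and tree layout are assumptions.

```python
def evaluate(node: dict, ctx: dict) -> bool:
    """Recursively evaluate an AND/OR/NOT group tree against a flat context dict."""
    op = node.get("op")
    if op == "AND":
        return all(evaluate(c, ctx) for c in node["children"])
    if op == "OR":
        return any(evaluate(c, ctx) for c in node["children"])
    if op == "NOT":
        return not evaluate(node["child"], ctx)
    # Leaf condition: compare one context field against a literal value.
    actual, cmp, expected = ctx.get(node["field"]), node["cmp"], node["value"]
    if cmp == "eq":
        return actual == expected
    if cmp == "gte":
        return actual is not None and actual >= expected
    raise ValueError(f"unknown comparator {cmp!r}")

def build_context(user: str, events: list, known: dict) -> dict:
    """Derive the per-user facts the rule refers to from a window of auth events."""
    mine = [e for e in events if e["user"] == user]
    return {
        "new_location": any(e["location"] not in known.get(user, set()) for e in mine),
        "failed_auth_count": sum(e["result"] == "fail" for e in mine),
    }

# The page's example rule: IF new location AND failed authentication three times THEN alert.
RULE = {"op": "AND", "children": [
    {"field": "new_location", "cmp": "eq", "value": True},
    {"field": "failed_auth_count", "cmp": "gte", "value": 3},
]}

# Constructed sample events and known locations (assumed format, not real logs).
EVENTS = (
    [{"user": "alice", "location": "Berlin", "result": "fail"}] * 3  # new location, 3 failures
    + [{"user": "bob", "location": "Berlin", "result": "fail"}] * 3  # known location, 3 failures
    + [{"user": "carol", "location": "Tokyo", "result": "fail"}]      # new location, 1 failure
)
KNOWN = {"alice": {"London"}, "bob": {"Berlin"}, "carol": {"Paris"}}

def triggered_users(rule: dict = RULE, events: list = EVENTS, known: dict = KNOWN) -> list:
    """Return the users for whom the rule fires (the THEN branch would raise the alert)."""
    return [u for u in sorted({e["user"] for e in events})
            if evaluate(rule, build_context(u, events, known))]

if __name__ == "__main__":
    print(triggered_users())  # ['alice']
```

Only alice satisfies both legs of the AND group; bob fails three times from a known location and carol fails once from a new one, so neither triggers.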
User needs & Objectives
Challenges that prompted the development of the Rule/Query Builder components:
Rule builders and event builders were used across various modules of the platform but lacked a unified design, resulting in inconsistent user experiences.
1. Implementation
2. Drive Customer Satisfaction
3. Common Logic Requirements
4. For Standardization and Scalability
Research and Internal audit
Streamlining Security Operations: Research and Internal Audit for Exabeam’s Query Builder
Conducted user research to understand security analysts' needs, audited internal design systems for missing components, and analyzed competitive products. Ensured the Query Builder aligned with user requirements, enhanced scalability, and maintained design consistency.
Various use cases and scenarios it was used in: almost every module needed a rule builder or a way to add conditions on top.
Contributing to Design system
Building components
Design systems often organize components into smaller building blocks such as "atoms" and "molecules." This approach is inspired by Atomic Design principles, where:
Atoms are the smallest, most fundamental building blocks, like buttons or input fields.
Molecules are combinations of atoms working together as functional units, like a search bar.
Here’s a breakdown of parts of a design system based on atoms and molecules.
Query builder (organism)
Condition builder: AND groups (organism)
Condition builder: OR groups (organism)
Documentation
Internal presentation & Confluence document
For the Query Builder and Rule Builder component, we conducted an internal presentation and created a Confluence document.
The presentation covered goals, user flows, light and dark modes, design choices, and feedback. The document provides design specs, usage guidelines, code snippets, and a feedback loop for continuous improvement.
Conclusion
Key Reflections from the Design Process:
User-Centric Design:
Regular feedback loops were invaluable in refining the component, keeping user needs at the forefront of our decisions.
Cross-Functional Collaboration:
Close collaboration with engineering and stakeholders ensured design feasibility and alignment across teams.
Continuous Improvement:
Iterative testing and revisions helped us enhance functionality, ensuring a consistent and scalable design system.