Secureworks

Tactic Graph Detector

Tactic Graph™ Detector is a type of security detector that fires alerts when suspicious events from data sources enter the system.

The Background / What is Tactic Graph?

It is a type of security detector within the security SaaS product Taegis XDR, the best-selling product of Secureworks. The Tactic Graph detector's purpose was to surface grouped-pattern UIs on an alert page according to its tactics and criteria.

My Role
Principal Product Designer

Project span
3 to 6 months

Stakeholders
Product Managers,
Front-end Engineers,
Backend Engineers,
UX Researchers.

Target users
Security Analysts

The Problem / Overview

Most users spend a whole day investigating alerts. Their job is to review hundreds of alerts a day to find potential threats for their clients. To do so, an analyst inspects the events in an alert, looking for patterns or similarities, to decide whether the alert is valid and then report it. With the help of Tactic Graph, we hoped to show patterns of grouped events and so reduce investigation time.

The Problem / Problem Statement

How might we reduce users’ investigation time by showing them patterns of grouped activities in one glance?

The Solution / Design Sprint

When the project was first handed to me, the only ask was "Make this better". There were no project requirements and no clear understanding of what Tactic Graph does and can do. I struggled to find direction for its product vision and requirements. The ask was to have the design ready 3 months ahead of the development timeline. After going back and forth without a unified direction from stakeholders, I decided to facilitate a design sprint/workshop to find my answers.

Participants: 6 in total: Tech lead (1), UX designers (2), UI developers (2), PM (1)

Through the design sprint, I learned more about the overall structure of Tactic Graph:

  1. Observation: Grouping of alerts/events.

  2. Alert: A composite of events that met the criteria of a potential threat.

  3. Event: Multiple occurrences that happen across time.

  4. Tactic Graph Criteria: Tactics and conditions that were written to scan incoming data.

The Solution / Features born from Design Sprint

The following features were born from the design sprint workshop:

The Testing / Usability Testing

Even though we had a design that came out of the design sprint and was tested with three users on the last day, I struggled to find consistent positive feedback for some of the features. Hence, another UX researcher and I ran two more rounds of usability testing, fine-tuning the design in between, hoping to find positive feedback patterns.

The Testing / Usability Testing Results

What we found through two rounds of usability testing:

Pinning: This was removed, as we found that more than half of the users did not understand what it does or its purpose. Instead, we moved Description to the top by default, as we found almost all users look at this metadata.

Timeline: The design was updated to show grouped and one-off alerts/events across time. Organizing the timeline by tactic type was found to be inaccurate, as tactics are dynamic and ever-growing.

Table: The design showing the grouping of events/alerts (observations) within the table was positively received by all users.

Criteria panel: The ability to show criteria conditions and the original JSON files was well received. This was also approved by the legal team, which allowed it to ship in the product.

Before and After design

Top: The original UI
Bottom: The new design

The Success Metrics / Rating

Before wrapping up this phase of the project, I wanted to know how much of an impact it could have. Hence, a survey was sent out asking users to score the new design versus the old, based on its efficiency in helping them investigate an alert.

Results: The new design was well received, with a high average score of 8 out of 10 across 16 users.

Thank you for reading!