Case Study 03 — Cloud SIEM
Enter password
Carlos Diaz
Senior Product Designer
Work About
Case Study 03 — Cloud SIEM

Signal Side Panel

Redesigning the core entry point for security triage — making it actionable, structured, and trustworthy for analysts at every level.

42%Faster triage
88%Clarity on next step
Workflow usage
29%Fewer tickets
01Context

A security signal is a moment of decision: escalate, suppress, or investigate further. The Signal Side Panel is where that decision gets made — and it wasn't built for deciding.

SOC analysts review dozens of signals per shift. For each one they need to understand what happened, determine severity, take ownership, and move the signal to the right state — fast. The panel is the primary surface for all of that.

But the panel had grown without a plan. What started as a simple alert viewer became a wall of raw data — every field, every log, every related entity given equal visual weight in a single unbroken scroll. There was no hierarchy. No opinion about what to look at first. The signal lifecycle had no states, so analysts couldn't tell if a signal was actively being worked or silently stale.

The panel was showing analysts everything and guiding them toward nothing. New hires were hit hardest — they didn't know where to look, what to click, or how to move forward.

RoleDesign Lead
TimelineQ1 2024 (3 months)
Shipped toCloud SIEM, ASM, CSM
TeamsDetection, Security, Platform
Add image
02The Problem

After shadowing SOC analysts through live triage shifts, the same pattern emerged every time: they were fighting the panel, not using it.

0

Signal lifecycle states

No signal had a status. There was no concept of Open, In Review, or Closed — analysts couldn't tell if a signal was being worked, already resolved, or quietly stale. Every signal looked the same regardless of its state.

3

Products, no shared pattern

SIEM, ASM, and CSM each had their own panel layout. Analysts who moved between products had to relearn the interface every time — same concept, three different implementations, zero shared foundation.

4

Places actions were scattered

The three most critical triage actions — Add to Case, Run Workflow, Archive — were split across the header, footer, an overflow menu, and a secondary drawer. Most analysts never found them. The default became leaving signals perpetually Open.

Add image
03Process

Three months. We introduced a signal state model, reorganized content around triage decisions, and shipped to three security products.

Month 1

Research + Audit

Shadowed SOC analysts through live shifts and logged every scroll, every detour, every action that never got clicked. The data was consistent: scroll depth was extreme, action completion was near zero, and first-week analysts had no path forward. Audited the panel across SIEM, CSM, and ASM — three products, three divergent layouts, zero shared components.

Month 2

Signal Lifecycle Model

The layout wasn't the core problem — the missing state model was. Before reorganizing content, we needed to define what states a signal could be in. Introduced Open → In Review → Closed → Archived with auto-ownership assignment. Once the model existed, content hierarchy followed naturally: What Happened → Take Action → Deep Details. Co-designed signal states with detection, security, and workflow engineering.

Month 3

Prototype + Ship

Built Figma flows for side panel and full-page modes, testing the dynamic CTA model against the new lifecycle states. Ran async reviews with engineering and product, then shipped to Cloud SIEM. ASM and CSM followed using the shared component set — four weeks later, all three products were on the same panel foundation.

Add image
04Solution

The old panel showed data. The new one drives decisions. Five design moves that made triage feel guided instead of guessed.

Signal Lifecycle

Before the lifecycle existed, every signal looked the same regardless of its actual state. The new model introduced four explicit states — Open, In Review, Closed, Archived — with a primary CTA that changes to match. "Start Review" when untouched. "Escalate" or "Close" once claimed. Auto-ownership assignment means nothing sits at Open indefinitely.

Lifecycle states

Triage-First Layout

The original panel ordered content by what was easiest to pull — logs at top, entity details buried in the middle, actions at the bottom. We flipped the model: What Happened first, Detection Rule context second, Take Action third. Deep details collapse below. The order isn't historical — it's the order of a triage decision.

Structured layout

Centralized Action Hub

Every critical action — suppress, escalate, link to case, run workflow — was pulled from wherever it lived into a single Take Action surface above the fold. Always visible, always contextual. No more hunting. Usage of "Add to Case" and "Run Workflow" tripled within the first month after launch.

Action hub

Playbooks + Investigator

Experienced analysts know what to do with a brute-force signal. New hires don't. Playbooks add attack-specific investigation procedures — not a generic checklist, but steps tuned to the signal type. Investigator gives every analyst a quick entity graph showing IP, Host, and User activity, with one-click access to deeper dashboards. First-week analyst ramp dropped by approximately 2 days.

Playbooks

Full-Page Investigation

The side panel handles most signals quickly. Complex incidents need room. Full-page mode adds a signal timeline, linked case history, and related signals grouped by correlated attributes or detection rule. Analysts who needed deep investigation had been leaving the panel to find another tool — now they don't have to.

Full-page view
05Outcomes

Shipped to Cloud SIEM in Q1 2024. ASM and CSM followed within four weeks. Zero panel inconsistencies across all three products since.

42%

Faster Triage

Average time-to-triage dropped 42% in moderated testing. Panel scroll depth decreased 35% — analysts found what they needed sooner.

88%

Clear Next Step

Users reported feeling clear on what to do next in 88% of sessions. "Mark as Closed" and "Add to Case" used in 64% of reviews.

Workflow Adoption

Workflow usage tripled, especially among Tier 1 analysts. 70% of reviewed signals were directly linked to incidents or cases.

4.2/5

Novice Confidence

New analyst self-reported confidence rose from 3.6 to 4.2 out of 5. First-week ramp-up time reduced by approximately 2 days.

85%+

Component Reuse

Over 85% of core panel components shared across SIEM, ASM, and CSM. Internal audits found zero CTA placement inconsistencies.

+60%

Deep Investigation

Full-page view adoption increased 60%. Signal timeline MVP launched just 4 weeks after the panel update shipped.

Add image
← Search Suggestions NextContent Packs →