The analytics rule builder used to define cybersecurity rules, threats, and triggers was powerful but difficult to understand, leading to inefficient workflows, inconsistent rule creation, and low confidence in outputs. The problem space was loosely defined, with limited visibility into how users actually created, managed, and interpreted rules.

I led an exploratory research effort to better define the problem, combining user interviews, in-product surveys, and workflow analysis to uncover gaps in usability, mental models, and system structure. These insights revealed that users struggled not just with the interface, but with understanding how rules were constructed and interacted across the system.

Based on these findings, I redesigned the rule building experience to better support user workflows, simplify complex logic, and improve clarity at each step. The final solution introduced a more structured, scalable interface that reduced friction, improved usability across screen sizes, and enabled users to complete key tasks with greater confidence.

The analytics rule builder is a critical part of a cybersecurity platform, enabling users to define how and when incoming data triggers alerts. However, users reported friction when creating and managing rules, often leading to errors, inefficiencies, and lack of trust in what they were building. Initially, this feedback was fragmented, and there was limited understanding of how users actually approached rule creation across different contexts. This made it difficult to prioritize improvements or identify where the experience was breaking down, and became one of the primary objectives of this work.

To better understand the problem space, I conducted interviews with several security analysts and platform administrators and deployed an in-product survey targeting the analytics rule grid. Rather than validating specific ideas, the goal was to uncover how users approached rule creation, where breakdowns occurred, and how the system aligned (or didn't) with their mental models. In addition to this research, I mapped the end-to-end rule creation workflow to better understand how users moved through the rule building process, from rule ideation to creation to validation. This helped identify key breakdowns between steps, particularly where users lost visibility into how rules were constructed and executed.

Sample of some findings and example recommendations:

  • Users lacked a clear mental model of how rules were structured and executed -> Add a plain-language explanation of the rule a user is building, and add a testing feature so users can test their rules in real time before deploying
  • Important actions were inconsistently surfaced, creating confusion between single and bulk workflows -> Consolidate grid row actions so they are consistent across single and bulk action options
  • Users didn't have an easy way to understand overall system rule coverage -> Offer an option to export the rules grid for integration with third-party software to help with reporting and understanding coverage
  • The current UI limited complex rule creation and mapping -> Allow users to map fields between rule blocks in the analytics rule builder to expand use case coverage and complexity
  • Small screens cut off rule building content -> Improve the filter query UI so it is easier to edit and view in the rule builder, especially on small screens and with long queries
Whiteboarding of user flows
Screenshot of the analytics research report

Based on the above research findings, I knew that users struggled to understand what they were creating, needed more guidance, and had issues when working on small screen sizes in the current design. In order to address these issues, I focused on the following:

  • Use space more efficiently
  • Help users understand what they are building
  • Simplify group-bys and complex logic between rule blocks
MVP for the analytics rule builder and identified usability issues

I began my process by sketching out some general ideas for improved layouts and workflows that would use space better and avoid displaying redundant information. This included considering the structure of the page, a user's order of operations when building a rule, and ways to reduce unnecessary clicks.

Initial sketches of the analytics rule builder improvements

After sketching, I moved into Figma to create more detailed UI mockups and iterate on designs based on feedback from the project PM, engineers, and other designers.

UI ideas for rule builder improvements

While working on the analytics rule builder UI, there were several constraints to consider:

  • Time and resource constraints - we were asked to get improvements implemented quickly, limiting the time we had for design and development. I opted to prioritize higher-impact changes that wouldn't take as long to implement over ones that might make a bigger impact but would take more time or engineering resources
  • Technical limitations - in order not to lose the work previously done, we needed to work within the existing interface configuration and the backend logic already in place
  • Flexibility vs Help - I needed to balance providing enough flexibility for power users while also offering helpful guidance for new users. The solution needed to limit cognitive load and prevent errors for all users when possible.
  • Scalability - I needed to ensure the solution could handle more complex rule logic that might be added in the future. This included more rule block types, advanced rule block linking logic, and playbook features.

I landed on a final design that simplified the workflow and better utilized space through expandable cards and a more vertical-based layout. This scaled better for smaller screens while still keeping relevant information visible and allowed for additional testing and guidance features in the builder to reduce the rate of errors and cognitive load. The redesign improved task success in usability testing (100% completion) and reduced confusion around rule structure. Additionally, the research findings directly informed roadmap prioritization, aligning product and engineering teams around a clearer set of user-driven improvements.

Final design of the analytics rule builder

While we were able to land on a final design, there is always more work to be done. If I had more time, I would continue to explore ways to better support collaboration and rule governance across platform users, further simplify advanced logic handling for less technical users, and work on enabling a more robust test environment for users.