Cybersecurity analysts needed a way to access enrichment data and execute response actions during investigations. As the lead designer, I was tasked with creating entity panels and an admin integrations marketplace that would tie into our new architecture, unifying third-party data access and streamlining threat response capabilities.
Building tools for investigative success
Disclaimer: Due to confidentiality agreements, the materials involved in this project are limited. I'd be glad to walk through my process in more detail on a call.
My Role
Primary UX Designer
Team
1 UX Designer (Myself)
1 Project Manager
2 Developers
Design Timeline
1 week for entity panels
4 weeks for admin marketplace

This is an image of an entity panel and a response action inside the panel architecture
Security analysts faced significant challenges accessing contextual data and executing response actions during investigations, forcing them to constantly switch between multiple tools, code their own integrations, or use other platforms.
When investigating potential threats, analysts needed immediate access to enrichment data from various third-party sources while maintaining the ability to quickly respond to security events. The existing workflow was fragmented, increasing investigation time and analyst cognitive load.
How might we help security analysts access enriched threat data and execute responses without disrupting their investigation flow?
Prior approaches to entity enrichment and response focused on data integration capabilities but lacked a unified, analyst-centric interface that seamlessly brought enrichment data and response actions into a case. Our new panel architecture offered an opportunity to transform this workflow, but we needed to deeply understand which third-party integrations and response capabilities would be most valuable to analysts while working within technical constraints.
Security analysts struggle with disconnected workflows that don't match their mental models during investigations, with critical threat data scattered across multiple views. They need a solution that consolidates enrichment data and response capabilities while maintaining investigation context, supported by an admin marketplace for managing third-party integrations.
Core Objectives
- Design a unified entity panel system that aligns with natural investigation patterns
- Create an admin marketplace for enrichment, response, and future collection APIs
- Build a scalable foundation that supports multiple integration types and future entity panels
Project Stakeholders
Internal
- Security Analysts
- Product & Engineering Teams
- Integration Specialist
- SOC Managers
External
- Security Analysts
- SOC Managers
- Platform Administrators

This is a view of frames created for the admin-facing integrations marketplace
This project was more than just a technical integration - it was a fundamental rethinking of how security analysts interact with threat data and execute their investigations. The focus was on aligning tools with analysts' mental models and natural workflow patterns to reduce cognitive load and improve investigation efficiency.
Core Problem Areas
Workflow Disconnection (Analyst-facing)
- Scattered threat data and constant context switching
- Misaligned interface with investigation patterns
- High cognitive load during investigations
Integration Management (Admin-facing)
- Need for a centralized marketplace for managing third-party integrations
- Three key integration types:
  - Enrichment APIs (for contextual data)
  - Response APIs (for threat mitigation)
  - Collection APIs (planned for future)
- Required administrative interface for discovering, configuring, and managing these integrations
User Experience Gaps
- Analysts: Natural workflow alignment needed
- Admins: Needed an easier way to manage, add, and monitor integrations
- Both: Required better visibility into integration health and status
What LogRhythm needed
- Make security workflows feel natural and intuitive for analysts by aligning with their investigation patterns and mental models, while reducing context switching and cognitive load during investigations
- Build a centralized admin marketplace for discovering, configuring, and managing third-party integrations across enrichment, response, and future collection APIs, with robust health monitoring and status visibility
- Present more contextual threat data through unified entity panels while highlighting critical signals, patterns, and relationships, enabling direct response actions to streamline the analyst experience and improve investigation accuracy
Design Process
Working on this project, we truly started to see how the analyst workflow came together in the panel architecture: it's about creating a reliable foundation where enrichment capabilities and analyst workflows come together to serve complex investigation and mitigation needs.
- Thorough research into analyst mental models and investigation patterns before proposing solutions, ensuring our entity panels matched how analysts naturally work
- Close collaboration between design, product, and integration specialists to build a scalable marketplace architecture while preventing scope creep
- Rapid iteration on both analyst and admin experiences, balanced with careful attention to API integration requirements
- Continuous feedback loops with security analysts and SOC managers through interactive prototypes and workflow simulations
- Strong design system foundations to ensure consistent data presentation and reusable components across entity types
This methodology proved particularly effective when developing our entity panel architecture and integration marketplace, where each stage built upon analyst insights while maintaining a scalable foundation for future integration types.
Takeaways
Success came from turning the diverse stakeholder ecosystem - from analysts to integration specialists - into a strength, with each perspective helping refine our entity enrichment system while keeping investigation workflows central.
Despite the project being cut short due to company changes, these challenges pushed me to create innovative solutions like the unified entity panel architecture and integration marketplace that could have made a real difference in how security teams discover, enrich, and respond to threats. Through this project, I learned that thoughtful design can bring clarity to complex security operations by aligning with analyst mental models while building scalable foundations for future growth.
Areas impacted in platform
Screens designed
Reusable components created
Want to see more?
I am happy to talk through my research and design work for LogRhythm during a scheduled call, as this work is confidential and cannot be showcased publicly.
User-Centered Approach