The Carbon Black Alerts Revamp Project aimed to revolutionize the user experience for enterprise corporate security analysts by enhancing the Alerts section, the cornerstone of the CB endpoint protection software. This initiative was integral to improving early endpoint threat detection and mitigation capabilities. By leveraging agile methodology and fostering cross-functional collaboration, the project focused on creating a more intuitive, efficient, and user-centric alerts interface. The comprehensive redesign included developing new alert detail views, grouping threat IDs, and introducing an auto-close alerts rule library, all while maintaining stringent quality and design standards.
Customers complained that auto-close alert rules disappeared into an inaccessible black box.
In the CB Alert Feed, customers could identify auto-closed alerts; however, there was limited visibility into which auto-close rule was driving the alert closure process. This lack of transparency created confusion and hindered user trust in the system’s automation. From a customer-centric perspective, the need for a Rule Manager to provide clarity and control over these processes became evident.
Customers were dissatisfied that there was no way to edit or audit alert auto-close rules.
Above is a depiction of the "Close Alert Modal", which allows the user to set an auto-close rule. Customers were unhappy that there was no way to audit or edit these rules afterwards, and trusted the service less as a result.
Customers wanted to edit and audit alert auto-close rules.
Problem
The UX team questioned whether auto-closing alerts was the optimal solution. It was suggested that this feature might be better addressed at the organizational alert policy level, rather than through the current implementation.
Approach
To address this tension, I organized two design workshops to resolve the conflict between these priorities.
Research
I meticulously reviewed existing research highlighting customer pain points related to alert fatigue and multi-alert management. Key data was presented in design workshops to UX leadership to emphasize the urgency of resolving these issues, especially considering potential dependencies on platform architecture that was not yet ready for implementation.
Research Objective:
Validate existing research and understand current customer needs after recent feature improvements in the alert section and CB policy area.
Key Takeaways:
CB customers have consistently complained about the disappearance of auto-closed alert rules into an inaccessible black box. These rules, created during alert closure, cannot be accessed or managed, leading to significant user frustration. Despite being a known issue, the product team faced challenges implementing the necessary enhancements.
Armed with the knowledge that our customers still require clear visibility and management of auto-closed alerts, and recognizing the immediate need for auto-close alerts, I began the workflow and story mapping process. I meticulously mapped out all potential use cases and scenarios that customers might encounter during the alert closure process.
This exercise provided a clear direction on where we could potentially introduce the auto-close rule manager, though its final placement—whether in the alerts section or within policy tuning—remains to be determined. Additionally, it highlighted several workflow issues, such as how users would access the auto-close rule manager and how it integrates with the overall alert closure workflow. These insights are guiding the next steps in refining the user experience.
After completing the workflow exercise, which I shared with the product owner during our weekly alerts meeting, I proceeded to develop detailed wireframes for the auto-close feature. These wireframes were instrumental in the UX validation research and served as the foundation for the testing prototype. The prototype not only validated the features we had collectively decided to include in this epic but also addressed the critical question of where our customers envisioned the auto-close rule management would reside—whether in alerts or within the policy settings.
I created an interactive prototype for the alert auto-close rule creation and management, which I presented to the UX leadership.
The goal was twofold:
Next, I collaborated with the UXR team to organize usability testing and validate the design direction for auto-close alerts with customers.
Study goals:
Study outcomes:
The study confirmed the utility of key features, such as rule deletion, rule creation details (including who created it, when, and on which endpoints). The findings indicated that users preferred to see the rule manager in the policy section, particularly associated with a group of endpoints—a feature recently released for Carbon Black that has been well-received by customers.
“…it actually should be on the screen is the number of times that this rule was hit in the last pick a day, 24 hours, one week, one month, give people an option. Keep a counter… So I think give people an option and a choice of what the time frame is. But then say how many times was this rule hit in that time frame? It's also got benefits the other direction, not just that things were not heard, but if something was hit 50,000 times, well, we shouldn't be relying on a rule to tidy that we should be fixing root cause and that will be a really good indication of, hey, we need to go and find out what root cause is for this one.”
-P10
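As an added illustration, not code from the original case study or from Carbon Black, the following Python sketch models an auto-close rule manager that carries the audit fields the study asked for (who created the rule, when, and on which endpoints) plus the per-window hit counter P10 proposed, so a rule firing far more often than expected surfaces as a root-cause signal instead of silently closing alerts. All class names, field names and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class AutoCloseRule:
    """One auto-close rule with the audit fields customers asked for."""
    rule_id: str
    threat_id: str          # alerts carrying this threat ID are auto-closed
    endpoints: frozenset    # endpoint IDs the rule is scoped to
    created_by: str
    created_at: datetime
    hits: list = field(default_factory=list)  # timestamp of every auto-closure

    def matches(self, alert):
        return alert["threat_id"] == self.threat_id and alert["endpoint"] in self.endpoints

    def hits_in_window(self, now, window):
        """Hit counter over a selectable time frame (24h, one week, ...)."""
        return sum(1 for t in self.hits if now - window <= t <= now)

class AutoCloseRuleManager:
    def __init__(self):
        self.rules = {}

    def create_rule(self, rule_id, threat_id, endpoints, created_by, created_at):
        self.rules[rule_id] = AutoCloseRule(rule_id, threat_id, frozenset(endpoints), created_by, created_at)

    def delete_rule(self, rule_id):
        return self.rules.pop(rule_id, None) is not None

    def process_alert(self, alert, now):
        """Return the ID of the rule that closed the alert, or None if it stays open."""
        for rule in self.rules.values():
            if rule.matches(alert):
                rule.hits.append(now)
                alert["closed_by_rule"] = rule.rule_id  # visible in the feed, no black box
                return rule.rule_id
        return None

    def audit(self, rule_id, now, window):
        r = self.rules[rule_id]
        return {"created_by": r.created_by, "created_at": r.created_at.isoformat(),
                "endpoints": sorted(r.endpoints), "hits_in_window": r.hits_in_window(now, window)}

    def noisy_rules(self, now, window, threshold):
        """Rules hit at least `threshold` times in the window: candidates for root-cause work."""
        return [rid for rid, r in self.rules.items() if r.hits_in_window(now, window) >= threshold]

def demo():
    # Constructed sample data: one rule scoped to two endpoints, five incoming alerts.
    t0 = datetime(2024, 1, 1, 9, 0)
    mgr = AutoCloseRuleManager()
    mgr.create_rule("rule-1", "THREAT-A", {"ep-1", "ep-2"}, "analyst@example.com", t0)
    alerts = [{"threat_id": "THREAT-A", "endpoint": "ep-1"} for _ in range(3)]
    alerts += [{"threat_id": "THREAT-A", "endpoint": "ep-9"}, {"threat_id": "THREAT-B", "endpoint": "ep-1"}]
    closed = [mgr.process_alert(a, t0 + timedelta(minutes=i)) for i, a in enumerate(alerts)]
    now, day = t0 + timedelta(hours=1), timedelta(hours=24)
    return {"closed": closed, "audit": mgr.audit("rule-1", now, day), "noisy": mgr.noisy_rules(now, day, 3)}
```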
Incorporated customer feedback from usability testing.
We chose to build the auto-close manager as a standalone functionality, independent of its location (whether in alerts or policy), allowing for seamless integration after the policy revamp.
The next step involved breaking the work down into functional user stories for development, enabling us to accurately size the overall effort required for implementation.
Each quarter, as we planned work, the Auto-close epic was refined into stories and planned with the UI dev team, which T-shirt sized the effort.
Customer Trust
Auto-close alerts are elevated to a complete workflow in which the user can manage, view and edit an auto-close rule. No more incomplete functionality in the product.
Team Alignment
Resolved underlying discord, resulting in 100% alignment on project goals.
Organizational Impact
Unified priorities across the organization, enhancing collaboration and reducing divergence in goals.