Redesigning the core entry point for security triage — making it actionable, structured, and trustworthy for analysts at every level.
When Cloud SIEM detects suspicious activity, it generates a signal. The Signal Side Panel is where a security analyst decides what to do about it.
That decision matters. An analyst might need to escalate to incident response, suppress a false positive, or link the signal to an ongoing case — and they need to make that call fast, often across dozens of signals per shift.
But the panel had grown organically as SIEM expanded. What started as a simple alert viewer had become a wall of raw data — every field, every log, every related entity dumped into a single scrollable view with no hierarchy or opinion about what matters most.
Analysts were spending more time interpreting the panel than investigating the threat. New hires were especially lost — they didn't know where to look, what to click, or how to move a signal forward.
I shadowed SOC analysts reviewing signals. The panel wasn't supporting triage — it was obstructing it.
"Add to Case," "Run Workflow," "Archive" — the three most critical actions were buried in menus or required scrolling past raw data to find. Analysts had to remember where things were instead of being guided to them.
Signal severity, entity context, related alerts, raw logs — everything was given equal visual weight. There was no hierarchy telling analysts "look here first." Scroll depth was excessive, and most users never reached the bottom.
The panels in SIEM, CSM, and ASM each followed a different structure. Analysts switching between products lost context and momentum — they had to relearn the interface every time.
Three months. One panel. Three security products. Shipped to Cloud SIEM first, then ASM and CSM within weeks.
Shadowed SOC analysts during live triage sessions. Recorded where they scrolled, what they skipped, and where they got stuck. Audited panel divergence across SIEM, CSM, and ASM — cataloguing every layout, action placement, and content ordering difference.
Introduced a signal lifecycle model (Open → In Review → Closed → Archived) to give every signal a clear status and next step. Reorganized content around a triage-first hierarchy: What Happened → Take Action → Deep Details. Co-designed with detection, security, and workflow teams.
Built Figma flows for both quick-view (side panel) and full-page modes. Validated the dynamic CTA model — the primary button changes based on signal state. Ran async reviews with engineering, design, and product. Shipped to Cloud SIEM first, with the panel deployed to ASM and CSM within one month.
The old panel showed data. The new one drives decisions. Five design moves that made triage feel guided instead of guessed.
Every signal now has a clear state: Open → In Review → Closed → Archived. The primary CTA changes to match — if a signal is Open, the button says "Start Review." If it's In Review, it says "Close" or "Escalate." Ownership gets auto-assigned so nothing falls through the cracks.
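The lifecycle and dynamic-CTA model described above (and introduced in the process notes earlier) can be written down as a small state machine. This is an added illustration, not the product's code; the rule that "Escalate" keeps a signal In Review while linking it to a case, and the ownership auto-assignment on "Start Review", are assumptions used to make the example concrete.

```python
"""Signal lifecycle: Open -> In Review -> Closed -> Archived.

Hypothetical model of the triage panel's state-driven CTA; assumptions are
noted inline. Each state exposes only the actions that move a signal forward.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    OPEN = "Open"
    IN_REVIEW = "In Review"
    CLOSED = "Closed"
    ARCHIVED = "Archived"


# Action label shown on the primary button -> resulting state.
# Assumption: "Escalate" links the signal to a case but leaves it In Review.
TRANSITIONS: Dict[State, Dict[str, State]] = {
    State.OPEN: {"Start Review": State.IN_REVIEW},
    State.IN_REVIEW: {"Close": State.CLOSED, "Escalate": State.IN_REVIEW},
    State.CLOSED: {"Archive": State.ARCHIVED},
    State.ARCHIVED: {},  # terminal: no further actions offered
}


@dataclass
class Signal:
    signal_id: str
    state: State = State.OPEN
    owner: Optional[str] = None
    # Audit trail of (from_state, to_state, "action by analyst").
    history: List[Tuple[State, State, str]] = field(default_factory=list)

    def primary_cta(self) -> List[str]:
        """Button labels the panel should render for the current state."""
        return list(TRANSITIONS[self.state])

    def apply(self, action: str, analyst: str) -> State:
        """Apply an action; reject anything not offered in the current state."""
        try:
            nxt = TRANSITIONS[self.state][action]
        except KeyError:
            raise ValueError(f"{action!r} not allowed from {self.state.value}")
        if self.state is State.OPEN and self.owner is None:
            self.owner = analyst  # auto-assign so nothing falls through the cracks
        self.history.append((self.state, nxt, f"{action} by {analyst}"))
        self.state = nxt
        return nxt
```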
We reorganized content to match how analysts actually think: What Happened first, then Detection Rule context, then Entity details, then Related Signals. Collapsible sections let experienced analysts skip to what they need. The order isn't alphabetical — it's the order of decision-making.
Previously, actions were scattered across the panel — some in headers, some in footers, some in context menus. We consolidated everything into a single "Take Action" surface: suppress, escalate, link to case, run workflow. Always visible, always contextual. No more hunting for the right button.
New analysts don't know what to do with a signal — they need guided steps. Signal Playbooks provide investigation procedures specific to each attack type. Investigator graph previews show related entity activity at a glance, with one-click access to IP, Host, and User dashboards for deeper analysis.
Not every signal resolves in the side panel. Complex incidents need more room. Full-page mode adds a signal timeline and detailed history, with related signals grouped by correlated attributes or detection rule — helping analysts spot patterns across multiple alerts without losing context.
Shipped to Cloud SIEM, then deployed across ASM and CSM within one month. Zero inconsistencies across all three products.
Average time-to-triage dropped from 2m24s to 1m24s. Panel scroll depth decreased 35% — analysts found what they needed sooner.
Users reported feeling clear on what to do next in 88% of sessions. "Mark as Closed" and "Add to Case" used in 64% of reviews.
Workflow usage tripled, especially among Tier 1 analysts. 70% of reviewed signals were directly linked to incidents or cases.
New analyst self-reported confidence rose from 3.1 to 4.2 out of 5. First-week ramp-up time reduced by approximately 2 days.
Over 85% of core panel components shared across SIEM, ASM, and CSM. Internal audits found zero CTA placement inconsistencies.
Full-page view adoption increased 60%. Signal timeline MVP launched just 4 weeks after the panel update shipped.