
Alert Grouping
Reducing SOC alert fatigue with suppression that groups repetitive alerts into a single, investigable event.
Finding the signal in thousands of alerts
Security Operations Center (SOC) analysts are responsible for detecting and responding to threats before they become incidents, working through a constant stream of alerts generated by detection rules across endpoints, users, networks, and cloud environments. The job isn't reviewing alerts one by one: it's deciding, under time pressure, which ones represent a real attack and which are noise.
The problem was that a single detection rule rarely produced a single alert. A brute-force attempt against 200 endpoints, for example, could generate 200 nearly identical alerts for the same incident, each appearing as its own investigation. Analysts spent a disproportionate share of their shift comparing duplicates and manually deciding whether alerts belonged together, rather than investigating the incidents that mattered. As environments generate more telemetry, this problem compounds. Detection quality alone stops being enough; triage efficiency has to scale with it.
I designed Elastic Security's alert suppression feature to group related events into a single representative alert, cutting volume without hiding any of the underlying evidence analysts rely on to investigate with confidence.
Senior Product Designer
As the senior designer on this feature, I owned the end-to-end experience, from defining the interaction model through shipping across rule creation, alert investigation, and Timeline, working alongside a junior designer, product management, and engineering. I worked closely with the team to make sure the design held up against real detection-engine constraints, not just idealized workflows. I also mentored the junior designer on the team: they owned the Timeline drill-down states under my direction, and through weekly critiques they got to the point of defending that work in engineering reviews on their own. The feature entered the product as a technical preview in Elastic Security 8.6 (January 2023) and rolled out incrementally to more rule types in the releases that followed.
- Led UX strategy and interaction design from concept to release.
- Defined the end-to-end experience across rule creation, alert investigation, and Timeline.
- Facilitated design discussions and aligned stakeholders across Product, Engineering, and Design.
- Mentored a junior designer, delegating the Timeline drill-down states and coaching them through engineering reviews.
- Designed for multiple rule types, including threshold-based and machine-learning detections.
- Balanced analyst flexibility against technical constraints from the detection engine.
When every alert looks important, nothing does
Security teams rely on detection rules to surface suspicious activity as fast as possible. The challenge is that many rules don't generate one alert. They generate hundreds or thousands of nearly identical ones for the same underlying incident. Each appeared in the queue as a separate investigation, even though they all pointed to the same event.
For analysts, this created a constant cycle of repetitive triage: reviewing duplicates, comparing alerts by hand, and deciding whether they represented the same incident, instead of investigating actual threats. As alert volume grew, so did the cognitive load required to figure out what deserved attention at all.
The issue was never detection. Elastic already surfaced suspicious activity effectively. The real challenge was helping analysts quickly understand what deserved their attention while preserving the evidence they relied on to investigate with confidence.
Duplicate alerts overwhelmed the queue, making it hard to tell which investigations actually needed attention.
Analysts had no way to configure grouping themselves. Every noisy rule required an engineering change rather than a self-serve setting.
Earlier grouping prototypes hid underlying events entirely, risking a real signal being suppressed along with the noise. Any reduction in alert volume had to preserve full transparency.
Machine-learning detection rules identify anomalous patterns across thousands of events, where suppression logic is far less intuitive than for simple threshold rules. The solution had to hold up for both.
Building understanding before designing the fix
Before designing any grouping logic, I ran secondary research into existing alert-fatigue patterns and detection engineering practices, then led nine qualitative interviews across SOC analysts, SOC managers, and a detection engineer, the three roles closest to the problem, each with a different stake in how alerts get triaged and tuned.
This research shaped not just the design but how we'd measure whether it worked. Before designing the grouping experience, we defined four KPIs to track: average investigation time per incident (analyst effort), number of alerts opened per investigation (noise reduction), time to first meaningful action (prioritization), and percentage of grouped alerts expanded (whether analysts engaged with the grouping instead of bypassing it).
Analysts spent more time deciding what to investigate than actually investigating: scanning through alerts and relying on severity, source, or intuition because there wasn't enough context to prioritize with confidence.
Understanding whether alerts were related meant jumping across flyouts, Timeline, and host or user pages, often repeating the same investigation steps for alerts that turned out to be part of the same incident.
Analysts rarely acted on a single alert in isolation. They actively looked for supporting evidence before escalating or dismissing a case, which meant the product needed to show the pattern, not just the individual event.
From insight to a configuration analysts could trust
The design attacks noise at two distinct layers, and keeping them distinct was itself a design decision. Grouping in the alerts table works at view time: analysts collapse the queue by rule, host, or user to read it as incidents, without changing any data. Suppression works at write time: the rule itself consolidates duplicate events into one representative alert as they're created. They solve the same fatigue problem with very different trust implications, one is reversible with a click, the other decides what enters the queue at all, so each needed its own transparency model.
Alert suppression needed to be powerful enough for expert analysts, but never opaque. One of the biggest design questions wasn't how to group alerts, but how much of that grouping should be automated. A simpler approach would have hidden duplicate alerts entirely, creating a cleaner queue but making it difficult for analysts to understand what had been suppressed.
Research consistently showed that analysts valued transparency over automation, so rather than hiding grouped events, I designed the experience to surface suppression counts, preserve one-click access to every underlying event, and make the grouping logic configurable. The result reduced noise without asking analysts to blindly trust the system.
The alert detail view surfaces the suppression count, the representative event, and a one-click drill-down to every underlying event, so the investigation pathway stays intact even when hundreds of alerts collapse into a single row. The shipped product surfaces suppression through the flyout's Correlations panel; the concept shown here pushes that further, giving suppression a dedicated summary at the top of the alert details.
The designed system
Screen designs across the journey
Process & flows
Designing around the model
Alert suppression is AI-adjacent: the same feature powers ML-based detection rules that identify anomalous patterns across thousands of events, where suppression works differently than it does for standard threshold or query-based rules.
ML rules could only suppress on anomaly-result fields rather than source event fields, since ML alerts don't carry the same underlying event data. They also supported fewer suppression fields than standard rules, and every alert carried an anomaly score analysts could use to judge how strong the deviation was. I designed the suppression UI to communicate these constraints and signals clearly, rather than presenting ML and standard rules as if they worked identically.
Every suppressed alert keeps a visible, one-click path back to the full event list, so trust in the grouping never depends on blind faith.
Impact
Consolidating duplicate alerts into a single representative event meant analysts spent less time re-establishing context they'd already seen.
Fewer near-identical alerts reaching the queue individually reduced the raw number an analyst had to open and dismiss per incident.
Surfacing the representative event and suppression count up front let analysts prioritize without manually comparing alerts first.
Group expansion rose while alerts opened per investigation fell: analysts spot-checked a group's evidence in one click instead of triaging near-identical alerts one by one. Verification got cheaper, so it happened more.
Alert suppression let SOC teams work a smaller, higher-signal queue instead of triaging duplicate alerts one by one. Based on the KPIs defined during discovery, internal metrics tracked after launch pointed to meaningful gains across investigation effort, prioritization speed, and analyst trust in the grouped view.
Numbers reflect internal metrics tracked against the KPIs defined during discovery, to the best of my recollection following the project.
Learnings & key takeaways
Working on Alert Grouping reinforced that the hardest design problems rarely have a single correct solution. Every decision meant balancing competing needs: reducing noise without hiding evidence, simplifying workflows without limiting flexibility, introducing automation without reducing analyst control. Rather than optimizing for one outcome, I learned to make those tradeoffs explicit and use them as a framework for every design decision that followed.
The most valuable conversations with engineering and product were never about interface components. They were about which competing need mattered more in a given case. Framing the work around tensions, rather than features, kept the team aligned on shared goals instead of arguing over UI details.
The feature succeeded not because it grouped alerts, but because it let analysts focus on higher-value investigation work while keeping them in control of the decisions that mattered.
Enterprise experiences are shaped by how workflows connect, not by any single screen. Designing across the full investigation journey, rule creation through alert detail through drill-down, created a more cohesive, trustworthy experience than optimizing individual views in isolation.
We defined the KPIs before designing, but the telemetry to track them arrived only around launch, so the earliest reads leaned on interviews. Wiring up expansion and re-opening signals from the first technical preview would have let us tune suppression defaults on evidence instead of instinct, a full release cycle sooner.