Automatic Migration hero
11,000+Rules translated since launch
87%Ran on the Elastic Managed LLM
2 SIEMsSplunk & QRadar supported
ShippedLive in production today
04Elastic Security · Germany

Automatic Migration

Context

The moment a customer decides to switch

Security teams do not leave their SIEM lightly. Years of tuned detection rules, saved dashboards, and institutional knowledge live inside Splunk or QRadar, and rewriting all of it by hand is the single biggest reason migrations stall or never start.

Automatic Migration is the LLM powered tool I designed to remove that barrier: it ingests a team's existing detection rules and dashboards, translates them to Elastic's query language, maps them to prebuilt Elastic rules where an equivalent already exists, and generates custom rules for the rest, all behind a wizard that keeps the analyst in control of what activates. Unlike the Onboarding System proposal it later inspired, this one shipped and is live in production today.

Scope & Ownership

Senior Product Designer

Role: Senior Product DesignerTimeline: 2024 to 2026Team: Cross functional security pod

When I picked up this work, migration wasn't a product yet: it lived as a step buried inside Get Started. A usability test on that flow surfaced a finding that reframed everything: discoverability was the product's real bottleneck. Teams that couldn't see that migration existed never weighed Elastic as a serious alternative to their current SIEM, so every discoverability miss was a lost customer, not a lost click. I made the case that migration deserved to be its own entry point rather than a sub step of someone else's flow, and that reframing became Automatic Migration. From there I owned the experience end to end, from the first upload flyout to the five state results table, partnering closely with ML engineers to turn what the translation model could and could not guarantee into honest UI states. When post launch telemetry raised the stakes on the AI connector placement, I built both variants as functional prototypes and designed the usability study that settled the debate with evidence. The feature shipped and is live in production today.

Responsibilities
  • Reframed migration from a buried Get Started step into a standalone product with its own entry point, after usability testing exposed discoverability as the adoption bottleneck.
  • Led UX from concept through production release across upload, translation, review, and activation.
  • Defined the five state results model that made partial success a first class outcome instead of a flat pass or fail.
  • Designed the guided upload flow covering rules, dashboards, macros, and lookup table dependencies.
  • Partnered with ML engineering to translate model behavior and limitations into honest interface states.
  • Built functional EUI prototypes of both connector variants and ran the counterbalanced usability study.
  • Handed off a telemetry backed redesign direction for the connector step before leaving.
The Challenge

Months of manual rewriting, or nothing

Before this feature, migrating to Elastic Security meant a services engagement or a spreadsheet: export every rule, read every query, rewrite it by hand, test it, and hope nothing was lost in translation. For a mature SOC that is hundreds of rules and weeks to months of expert time.

Design opportunity 01 · EffortHow might we compress months of expert rule rewriting into a reviewable afternoon?

The translation work was mechanical enough to automate but risky enough that nobody trusted full automation.

Design opportunity 02 · TrustHow might we make an AI translated detection rule something an analyst will actually activate in production?

A mistranslated detection rule fails silently: the alert that never fires. Confidence had to be visible, not assumed.

Design opportunity 03 · CoverageHow might we show teams what still needs attention after translation, instead of pretending everything mapped cleanly?

Some rules depend on data sources or integrations the new environment does not have yet. Hiding those gaps would break trust immediately.

Solution

Translate, flag, review, activate

The flow starts with a choice between migrating rules or dashboards (rules from Splunk or QRadar, dashboards from Splunk), then an upload of the team's exported artifacts. The LLM translates each rule to ES|QL, the Elasticsearch Query Language, first checking it against Elastic's 1,300+ prebuilt detection rules so teams inherit maintained rules instead of custom translations wherever possible.

Every result lands in a review table with an explicit status: installed, translated, partially translated, not translated, or failed. Partial and failed rows can be sent back through the AI for another pass, and rules that depend on missing integrations point directly at what needs to be installed. Nothing activates without the analyst's say so.

Key features designed

The designed system

Mockups

Screen designs

01 · The migration app · click through it
Workflow maps

Process & flows

Research

Settling a placement debate with evidence

The first release put the AI connector choice and the "match to prebuilt rules" toggle in a modal that appeared after clicking Translate. Post launch telemetry raised the stakes on that decision: over 1,400 customers reached the connector step, the widest exposure of any point in the flow, and the team was split, engineering favoring the modal, design believing the settings belonged inline as a fourth step of the upload flyout. Instead of arguing, I built both variants as a functional prototype in Elastic's EUI design system and designed a counterbalanced, task based usability study around them, piloting it with five simulated user archetypes before recruiting real participants. The pilot favored the inline variant four to one: the modal read as an interruption, while the inline step gave analysts a sense of control before committing. That evidence resolved the debate and set the redesign direction I handed off.

Research prototype

Two variants, one decision

AI Framing

Designing for a fallible translator

An LLM translating detection logic will sometimes be wrong, and in security the cost of a silent mistranslation is an attack nobody sees. The design treats the model as a fast but fallible junior analyst whose work is always reviewed.

Flag uncertainty, do not hide it

Partial and failed translations are first class statuses in the results table, not footnotes. Analysts see exactly which rules need human eyes before anything goes live.

Prefer maintained over generated

Matching to Elastic prebuilt rules always wins over generating a custom translation, so migrated teams inherit rules that keep getting updated instead of frozen snapshots.

The analyst activates, not the AI

Translation and activation are deliberately separate steps. The AI proposes; the analyst reviews, reprocesses what fell short, and decides what runs in production.

Outcomes

What shipped

11,000+Rules translated since launch
87%Of migrations ran on the Elastic Managed LLM
~300Migrations completed
2 SIEMsSplunk & QRadar migration paths
Outcome

Automatic Migration shipped and is live in production today, turning the biggest blocker to SIEM migration, months of manual rule rewriting, into a guided, reviewable flow. Adoption confirmed the core design bet: most teams stayed on the recommended managed connector instead of configuring their own model. It became the foundation for the unified Onboarding System proposal, and the error telemetry pointed at the next round of work I had scoped before leaving: checking prerequisites before translation starts, surfacing model startup timeouts honestly, and recovering migrations that were aborted midway.

Adoption figures are rounded from internal telemetry through mid 2026, to the best of my recollection following the project.

Reflections

Learnings & key takeaways

Automatic Migration taught me that trust in an AI product is built by the workflow around the model, not by the model itself. The riskiest moments were never the visible failures, a failed translation announces itself and invites a retry. The dangerous ones were silent: a mistranslated detection rule that looks fine and never fires. Most of the design work was about making sure nothing important could stay silent.

Discoverability decides adoption before usability does.

The best migration flow in the world is worthless inside a step users never open. Testing revealed that teams simply didn't know migration existed, and moving it out of Get Started into its own entry point did more for adoption than any interaction refinement could have. Since then, I check where a feature lives before polishing how it works.

Partial success is a design surface.

The easiest version of the results screen was pass or fail. The honest version needed five states, each with its own next action. Designing for the messy middle, partially translated, not translated, missing an integration, is what made the feature usable on real rule sets instead of demo data.

Defaults are product strategy.

87% of migrations ran on the Elastic Managed LLM, the connector we made the default. The most consequential AI decision in the product wasn't a model choice users made; it was the one we made for them, and designing that default to be trustworthy mattered more than any configuration screen.

Prototype the disagreement.

When design and engineering split on the connector placement, arguing had no end state. Building both variants and testing them did. Evidence turned a stalemate into a decision, and the study cost less than the meetings it replaced.

What I would do differently: design for failure recovery from day one.

The error telemetry pointed at prerequisite checks, model startup timeouts, and migrations aborted midway, exactly the unglamorous paths that got scoped as fast follows. I had that next round of work defined before leaving; starting there would have saved real users real frustration a cycle earlier.