FireEye Endpoint Triage Summary Redesign
Boosting Cyber Defense with FireEye’s Optimized Triage Summary
Project Overview
FireEye’s Endpoint (HX) product empowers security operations centers (SOCs) to monitor hosts for cyber threats, isolate compromised devices, and investigate alerts through a triage package that records host events from before, during, and after a suspected attack.
As Lead UX Designer, I led the redesign of the Triage Summary interface to address inefficiencies in the investigation workflow, enabling analysts to respond to threats faster and with greater precision.
Problem Statement
Cybersecurity analysts needed to quickly assess whether an attack was successful, identify its methodology, and determine its scope (e.g., command-and-control activity, data exfiltration, or affected hosts). The existing Triage Summary required excessive navigation, forcing analysts to leave the investigation context to query external tools or other application sections, leading to prolonged investigation times and a cumbersome user experience.
Objectives
- Reduce investigation time: Minimize steps to confirm attack success and methodology
- Maintain context: Keep analysts within the Triage Summary for most tasks
- Enhance insights and actions: Provide richer data and actionable tools directly in the interface
My Role
I led the end-to-end UX process, from research to high-fidelity design, collaborating with cybersecurity analysts to understand their needs, iterating on wireframes, and validating designs through SME feedback. I also facilitated alignment with product and engineering teams to ensure feasibility and implementation fidelity.
Design Process
1. Research
I conducted interviews with 15 SOC analysts during FireEye’s Cyber Defense Summit, leveraging their expertise to identify workflow bottlenecks. I also observed live investigations to understand pain points.
Primary Goals
- Confirm attack success
- Identify command-and-control activity
- Distinguish automated vs. human-driven attacks
- Detect data exfiltration
- Assess the attack’s scope across hosts
Pain Points
- Excessive time spent leaving the app for external intel (e.g., IP or domain data)
- Lack of host context (e.g., OS, location)
- Non-intuitive process relationships (processes shown as a flat list with no parent-child hierarchy)
- Overly complex event timelines

Legacy FireEye Triage Viewer
2. Ideation
I facilitated brainstorming sessions in which analysts and the design team sketched initial concepts. We explored two key visualization improvements:
- Single Timeline: Replaced fragmented swimlanes with a linear timeline to align with analysts’ mental models of attack chains
- Tree-Based Process View: Visualized parent-child process relationships in a hierarchical tree, so an analyst can see at a glance which process spawned a suspicious child (for example, an Office application launching a command shell)
Wireframes were created to test layout variations, including a reoriented interface placing the timeline and process tree side-by-side for easier correlation. Contextual popups were prototyped to deliver in-app insights, reducing reliance on external tools.

Sketching for fast iterations of ideas
3. Design
The final design introduced a streamlined, intuitive interface with actionable features.
Intuitive UI
- Tree Visualization: Replaced flat process lists with a hierarchical tree, using clear labels and indentation
- Event Iconography: Added distinct icons for event types (e.g., file execution, network activity) for faster recognition
- Single Timeline: Unified events into a linear timeline with color-coded, clickable elements to highlight critical actions
- Navigation Breadcrumbs: Added a “back” link to maintain workflow continuity
Enhanced Insights
- Host Context: Displayed OS, location, and network details directly in the Triage Summary
- Inline Contextual Data: Embedded attacker and attack method details within the timeline
- Insight Popups: Provided rich, actionable data (e.g., known threat actor IPs) without leaving the interface
Actionable Tools
- Global Search: Enabled one-click searches for similar events across hosts, prepopulating query parameters
- Note-Taking: Added in-app note creation and sharing for team collaboration
- Query Popups: Allowed analysts to launch preconfigured queries from event popups
High-fidelity mockups were created in Figma and refined based on feedback from in-house cybersecurity SMEs.
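The two visualizations above (the process tree from Ideation and the single timeline from the Design section) both start from the same flat list of events a triage package records. The following is an added illustration, not code from FireEye or the HX product, of the data transformation behind them: it builds the parent-child tree from pid/ppid fields, renders it with the indentation the design uses, walks a process's ancestry to answer "how did this get here", and merges process, file and network events into one chronological timeline with a type tag per entry. The event records, field names and the icon tags are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample of the flat event list a triage package might record
# (illustrative data, not real HX output). Each record carries the fields the
# redesigned summary draws on: timestamp, event type, pid, parent pid, detail.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T10:00:00Z", "type": "process", "pid": 100, "ppid": 1,   "detail": "explorer.exe"},
    {"ts": "2023-05-01T10:01:10Z", "type": "process", "pid": 200, "ppid": 100, "detail": "WINWORD.EXE invoice.docm"},
    {"ts": "2023-05-01T10:01:42Z", "type": "process", "pid": 300, "ppid": 200, "detail": "cmd.exe /c powershell -nop -w hidden"},
    {"ts": "2023-05-01T10:01:43Z", "type": "process", "pid": 301, "ppid": 300, "detail": "powershell.exe -nop -w hidden"},
    {"ts": "2023-05-01T10:01:50Z", "type": "network", "pid": 301, "ppid": 300, "detail": "connect 203.0.113.10:443"},
    {"ts": "2023-05-01T10:02:05Z", "type": "file",    "pid": 301, "ppid": 300, "detail": "write C:\\Users\\Public\\a.exe"},
    {"ts": "2023-05-01T10:00:30Z", "type": "process", "pid": 150, "ppid": 100, "detail": "OUTLOOK.EXE"},
]

# Text stand-ins for the event-type icons (assumed; the real UI uses glyphs).
ICONS = {"process": "[PROC]", "network": "[NET]", "file": "[FILE]"}


@dataclass
class ProcNode:
    pid: int
    ppid: int
    name: str
    started: datetime
    children: List["ProcNode"] = field(default_factory=list)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_process_tree(events) -> Dict[int, ProcNode]:
    """Index process-start events by pid and link each node to its parent.
    Returns the pid -> node map; roots are nodes whose parent is not in the package."""
    nodes: Dict[int, ProcNode] = {}
    for e in events:
        if e["type"] == "process":
            nodes[e["pid"]] = ProcNode(e["pid"], e["ppid"], e["detail"], _parse_ts(e["ts"]))
    for n in nodes.values():
        parent = nodes.get(n.ppid)
        if parent is not None:
            parent.children.append(n)
    for n in nodes.values():
        n.children.sort(key=lambda c: c.started)  # siblings in start order
    return nodes


def roots(nodes: Dict[int, ProcNode]) -> List[ProcNode]:
    return sorted((n for n in nodes.values() if n.ppid not in nodes), key=lambda n: n.started)


def render_tree(nodes: Dict[int, ProcNode]) -> List[str]:
    """Indented text rendering: one line per process, parents above children."""
    lines: List[str] = []

    def walk(node: ProcNode, depth: int) -> None:
        lines.append("  " * depth + f"{node.name} (pid {node.pid})")
        for child in node.children:
            walk(child, depth + 1)

    for r in roots(nodes):
        walk(r, 0)
    return lines


def ancestry(nodes: Dict[int, ProcNode], pid: int) -> List[str]:
    """Root-to-leaf chain of process names for pid: the 'how did we get here' view.
    The seen-set guards against loops if a pid was reused within the package."""
    chain: List[str] = []
    seen = set()
    node = nodes.get(pid)
    while node is not None and node.pid not in seen:
        seen.add(node.pid)
        chain.append(node.name)
        node = nodes.get(node.ppid)
    return list(reversed(chain))


def unified_timeline(events) -> List[str]:
    """One chronological timeline across all event types, each entry tagged by type."""
    ordered = sorted(events, key=lambda e: (_parse_ts(e["ts"]), e["pid"]))
    return [f"{e['ts']} {ICONS.get(e['type'], '[?]'):6} pid {e['pid']:<4} {e['detail']}" for e in ordered]


if __name__ == "__main__":
    tree = build_process_tree(SAMPLE_EVENTS)
    print("\n".join(render_tree(tree)))
    print(" -> ".join(ancestry(tree, 301)))
    print("\n".join(unified_timeline(SAMPLE_EVENTS)))
```

One caveat a practitioner would want: the example keys processes on pid alone, which is fine for a single triage package but not in general, since operating systems reuse pids. Production tooling keys on a pid plus start time or a per-process unique identifier, which is also what makes a cross-host search for "the same process chain" reliable.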

Wireframes showing alternate layouts
4. Validation
Due to the sensitive nature of the subject matter, formal user testing was not feasible. Instead, I gathered anecdotal feedback from 10 in-house cybersecurity SMEs through iterative design reviews. Feedback focused on timeline readability, popup information density, and ease of accessing contextual data. Iterations addressed concerns like simplifying popup content and enhancing icon clarity. SME feedback indicated a significant reduction in time to confirm attack success compared to the legacy interface.
Results
The redesigned Triage Summary transformed the analyst experience, based on SME feedback and internal evaluations.
- ~40% faster investigations: Reduced time to confirm attack success and methodology
- ~80% reduction in external tool usage: Contextual popups and in-app search kept analysts in the workflow
- Improved accuracy: Hierarchical process views and clear iconography reduced misinterpretations
- Enhanced collaboration: Note-taking and sharing features streamlined team communication
- Positive feedback: SMEs reported the interface as “significantly more intuitive” during reviews

Mockup of final design
Key Learnings
Close collaboration with cybersecurity SMEs proved critical, ensuring the design requirements reflected their specialized needs. The project relied on context-driven in-app insights to minimize workflow disruptions and drive efficiency. Finally, an iterative feedback loop with SMEs was highly effective, allowing complex visualizations to be refined even in the absence of formal testing.
Conclusion
The Triage Summary redesign empowered FireEye’s SOC analysts to respond to cyber threats faster and with greater confidence. By addressing key pain points—reducing navigation, enhancing insights, and enabling in-app actions—the new interface strengthened FireEye’s Endpoint product, helping customers protect against increasingly sophisticated attacks.