Wednesday 25th February 2026

Building a Pragmatic SOC with Elastic & Tines

IP Performance have been invited to present at Elastic{on} London 2026. Our presentation is called Building a Pragmatic SOC with Elastic and Tines.

We’re sharing our journey of building a security operations centre (SOC) that evolved under real constraints: high levels of data ingestion, legacy tooling, and growing alert fatigue.

We discuss how our Swarm-SecOps managed SOC ingests high-volume security telemetry and provides centralised visibility using Elastic Security. We will also detail how we developed processes for AI-assisted automated alert triage and incident-focused case management using the Tines automation platform.

Dealing with High-Volume Security Telemetry

We collect data from hundreds of customer sites using distributed network sensors, generating hundreds of gigabytes of logs per day. Our legacy MySQL-based SIEM created operational drag – searches could take up to 30 minutes to complete. That delay directly impacted detection and response.

We needed scale, speed, and sustainable retention. With Elastic, ingestion became seamless, retention became reliable, and searches dropped to under a minute. The shift wasn’t incremental – it was transformational. Analysts could finally investigate in real time rather than queueing queries and waiting.

Ensuring Centralised Visibility

Centralised, searchable visibility is foundational to a pragmatic SOC. Using Discover in Kibana, we gained fast, flexible search across all ingested telemetry. By normalising data into the Elastic Common Schema (ECS), we eliminated field-naming inconsistency between sources and improved correlation across customer environments.

With alerting enabled through the Elastic Security app in Kibana, we moved from passive log storage to proactive detection—turning raw data into actionable intelligence.

Moving from Manual to AI-Assisted Alert Triage

Previously, alerts generated noisy, email-based tickets with no baseline context. By leveraging Elastic’s security dashboards, prebuilt rules, and tuned exceptions, we established meaningful detection baselines.

Through API integration with Tines, we built full alert automation – enrichment, de-duplication, and cross-tool correlation. Automated workflows now drive rapid containment actions, while AI-assisted triage ensures analysts focus on true threats, not false positives.
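As an added illustration (not code from IP Performance, the presentation, or either vendor), the following Python sketch shows two of the steps described above in miniature: normalising raw records of two different formats into ECS-style fields, then de-duplicating repeated alerts by a stable fingerprint before shaping a payload for a Tines webhook. The sample log lines are constructed, and the field mappings, the numeric severity scale and the payload field names are assumptions made for this example.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample telemetry (not real customer data): syslog-style firewall
# drops and one JSON endpoint alert, as a network sensor might forward them.
RAW_EVENTS = [
    'Feb 25 09:14:02 fw-edge01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3389',
    'Feb 25 09:14:05 fw-edge01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3389',
    '{"ts":"2026-02-25T09:14:10Z","agent":"ws-finance-12","alert":"Credential Dumping","sev":"high","user":"j.doe"}',
    'Feb 25 09:14:40 fw-edge01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=22',
]

SYSLOG_DROP = re.compile(
    r'^(?P<month>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: DROP '
    r'.*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)'
)
MONTHS = {m: i for i, m in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], start=1)}
# Assumed mapping of vendor severity words onto a 0-99 numeric event.severity.
SEVERITY = {'low': 21, 'medium': 47, 'high': 73, 'critical': 99}


def to_ecs(raw: str, year: int = 2026) -> Optional[dict]:
    """Normalise one raw record into a flat ECS-style document (dotted keys).
    Returns None for records the parser does not recognise so callers can
    count them instead of silently dropping them."""
    if raw.startswith('{'):
        src = json.loads(raw)
        return {
            '@timestamp': src['ts'],
            'event.kind': 'alert',
            'event.category': 'malware',
            'event.severity': SEVERITY.get(src.get('sev', 'medium'), SEVERITY['medium']),
            'host.name': src['agent'],
            'user.name': src.get('user'),
            'rule.name': src['alert'],
            'event.original': raw,
        }
    m = SYSLOG_DROP.match(raw)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m['time'].split(':'))
    ts = datetime(year, MONTHS[m['month']], int(m['day']), hh, mm, ss, tzinfo=timezone.utc)
    return {
        '@timestamp': ts.isoformat().replace('+00:00', 'Z'),
        'event.kind': 'event',
        'event.category': 'network',
        'event.action': 'denied',
        'event.severity': SEVERITY['low'],
        'host.name': m['host'],
        'source.ip': m['src'],
        'destination.ip': m['dst'],
        'destination.port': int(m['dpt']),
        'network.transport': m['proto'].lower(),
        'rule.name': f"firewall-drop-{m['dpt']}",   # hypothetical rule naming
        'event.original': raw,
    }


def fingerprint(doc: dict) -> str:
    """Stable de-duplication key: same rule, same host, same source, same user."""
    key = '|'.join(str(doc.get(k, '')) for k in ('rule.name', 'host.name', 'source.ip', 'user.name'))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def dedupe(docs, window: timedelta = timedelta(minutes=5)) -> list:
    """Collapse repeats of one fingerprint seen within `window` of its first
    occurrence into a single alert carrying an occurrence count."""
    first_seen, out = {}, []
    for doc in docs:
        fp = fingerprint(doc)
        ts = datetime.fromisoformat(doc['@timestamp'].replace('Z', '+00:00'))
        if fp in first_seen and ts - first_seen[fp]['ts'] <= window:
            first_seen[fp]['alert']['event.occurrences'] += 1
            continue
        alert = {**doc, 'event.id': fp, 'event.occurrences': 1}
        first_seen[fp] = {'ts': ts, 'alert': alert}
        out.append(alert)
    return out


def tines_payload(alert: dict) -> dict:
    """Shape a de-duplicated alert for a Tines webhook action. The top-level
    field names are hypothetical; Tines accepts arbitrary JSON."""
    return {
        'title': f"{alert['rule.name']} on {alert['host.name']}",
        'severity': alert['event.severity'],
        'occurrences': alert['event.occurrences'],
        'ecs': alert,
    }


def triage(raw_events) -> list:
    """Parse, de-duplicate and shape a batch of raw records for hand-off."""
    docs = [d for d in map(to_ecs, raw_events) if d is not None]
    return [tines_payload(a) for a in dedupe(docs)]


if __name__ == '__main__':
    for payload in triage(RAW_EVENTS):
        print(json.dumps(payload, indent=2))
```

Run as-is, the four constructed records become three outbound alerts: the two identical firewall drops three seconds apart collapse into one with `occurrences: 2`, while the endpoint alert and the drop from a different source remain separate. The window is measured from the first occurrence, so a repeat after it opens a fresh alert rather than extending the old one indefinitely.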

Security-Focused Case Management

Finally, we replaced a repurposed network ticketing system with structured case management in Tines. Investigations are now aligned to incident response principles, timeline-driven, and fully reportable.

Join us at ElastiCON to see how Swarm-SecOps delivers pragmatic cyber security – driven by people, amplified by automation:

📍Where To Find Us – 26th Feb Agenda

  • Keynote Session: Building a Pragmatic SOC with Elastic and Tines, 11:20 – 11:30 | Grand Hall 2
  • Deep Dive Session: Building a Pragmatic SOC with Elastic and Tines, 15:55 – 16:25 | Grand Hall 2
