Building a Pragmatic SOC with Elastic & Tines
IP Performance have been invited to present at Elastic{on} London 2026. Our presentation is called Building a Pragmatic SOC with Elastic and Tines.
We’re sharing our journey of building a security operations centre (SOC) that evolved under real constraints: high levels of data ingestion, legacy tooling, and growing alert fatigue.
We discuss how our Swarm-SecOps managed SOC implemented the ingestion of high-volume security telemetry and enabled centralised visibility using Elastic Security. We will also detail how we developed processes for AI-assisted automated alert triage and incident-focused case management using the Tines Automation platform.
Dealing with High-Volume Security Telemetry
We collect data from hundreds of customer sites using distributed network sensors, generating hundreds of gigabytes of logs per day. Our legacy MySQL-based SIEM created operational drag – searches could take up to 30 minutes to complete. That delay directly impacted detection and response.
We needed scale, speed, and sustainable retention. With Elastic, ingestion became seamless, retention became reliable, and searches dropped to under a minute. The shift wasn’t incremental – it was transformational. Analysts could finally investigate in real time rather than queueing queries and waiting.
Ensuring Centralised Visibility
Centralised, searchable visibility is foundational to a pragmatic SOC. Using Elastic Discover, we gained fast, flexible search across all ingested telemetry. By normalising data through the Elastic Common Schema (ECS), we eliminated inconsistency and improved correlation across environments.
With alerting enabled through the Elastic Security app in Kibana, we moved from passive log storage to proactive detection—turning raw data into actionable intelligence.
Moving from Manual to AI-Assisted Alert Triage
Previously, alerts generated noisy, email-based tickets with no baseline context. By leveraging Elastic’s security dashboards, prebuilt rules, and tuned exceptions, we established meaningful detection baselines.
Through API integration with Tines, we built full alert automation – enrichment, de-duplication, and cross-tool correlation. Automated workflows now drive rapid containment actions, while AI-assisted triage ensures analysts focus on true threats, not false positives.
Security-Focused Case Management
Finally, we replaced a repurposed network ticketing system with structured case management in Tines. Investigations are now aligned to incident response principles, timeline-driven, and fully reportable.
Join us at ElastiCON to see how Swarm-SecOps delivers pragmatic cyber security – driven by people, amplified by automation:
📍Where To Find Us – 26th Feb Agenda
- Keynote Session – Building a Pragmatic SOC with Elastic and Tines, 11:20 – 11:30 | Grand Hall 2
- Deep Dive Session – Building a Pragmatic SOC with Elastic and Tines, 15:55 – 16:25 | Grand Hall 2
‘It was a thoroughly enjoyable and informative experience. Phil was fantastic throughout the entire day, and I have to say, though usually these kinds of events can be a bit tiresome, this was certainly an exception as it was a much more interesting and fun experience and was delivered brilliantly. (+ quite the interesting setting!)
I have certainly gained many key points that I believe I can take away and begin looking into applying to my own organisation, and the ones we support.’
– Brecon Smith, Assured Digital