False positives in Security Information and Event Management (SIEM) systems produce analyst fatigue and visibility gaps. Elastic's InfoSec team addresses this by automating the first pass over SIEM alerts with Tines, a Security Orchestration, Automation, and Response (SOAR) platform, so that analysts spend their time on genuine threats rather than on noise.

The automation performs the initial investigation an analyst would otherwise do by hand. For each alert it runs Elasticsearch queries that check whether the activity originates from a trusted source, such as a managed workstation or a known network zone. If the queries confirm a trusted source, the alert is closed as a false positive; if they do not, the alert is escalated to an analyst for further investigation.

The workflow processes more than 3,000 alerts a day, which frees substantial analyst time and strengthens Elastic's overall security posture. Because Tines lets the team create and modify automation tasks without a dedicated development team, the triage logic can be adjusted as detections change, improving both efficiency and detection capability in Elastic's security operations.
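The close-or-escalate decision described above, as an added example that is not Elastic's or Tines' code. The asset inventory, network-zone table, and field names (ECS `host.name` and `source.ip` plus a hypothetical `asset.managed` flag) are assumptions; the Elasticsearch lookups are simulated by in-memory tables so the example runs offline. The one design choice worth calling out is that the triage fails closed: an alert is closed only when every available trust check succeeds, and an alert with a missing or unparseable enrichment field is escalated rather than silently closed.

```python
"""First-pass triage of SIEM alerts: close alerts whose activity comes
from a trusted source, escalate everything else.

Added example, not Elastic's or Tines' code. Inventory, zones and field
names are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup data standing in for two Elasticsearch indices the SOAR
# would query: an asset inventory of managed workstations and a table of
# known network zones. Hypothetical values so the example runs offline.
MANAGED_WORKSTATIONS = {"ws-alice-01", "ws-bob-02", "lt-carol-03"}
KNOWN_NETWORK_ZONES = {
    "corp-office": ipaddress.ip_network("10.20.0.0/16"),
    "vpn-pool": ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass
class Alert:
    alert_id: str
    rule: str
    host_name: Optional[str]   # ECS host.name
    source_ip: Optional[str]   # ECS source.ip


@dataclass
class Decision:
    action: str   # "close" or "escalate"
    reason: str


def build_managed_host_query(host_name: str) -> dict:
    """Query DSL the automation would send to the asset-inventory index.
    Field names are assumptions (ECS host.name plus a hypothetical
    asset.managed flag)."""
    return {
        "size": 1,
        "query": {"bool": {"filter": [
            {"term": {"host.name": host_name}},
            {"term": {"asset.managed": True}},
        ]}},
    }


def managed_host_hits(host_name: str) -> int:
    """Simulated hit count for build_managed_host_query()."""
    return 1 if host_name in MANAGED_WORKSTATIONS else 0


def network_zone_for(source_ip: str) -> Optional[str]:
    """Simulated lookup of source.ip against known zones (an ip_range
    field query in real Elasticsearch). Unparseable IPs match nothing."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    for zone, net in KNOWN_NETWORK_ZONES.items():
        if addr in net:
            return zone
    return None


def triage(alert: Alert) -> Decision:
    """Close only when every available trust check passes. Missing or
    unknown values escalate, so an alert cannot be auto-closed simply
    because an enrichment field was absent or malformed."""
    if not alert.host_name or not alert.source_ip:
        return Decision("escalate", "missing host.name or source.ip")
    if managed_host_hits(alert.host_name) == 0:
        return Decision("escalate",
                        f"host {alert.host_name} not in managed inventory")
    zone = network_zone_for(alert.source_ip)
    if zone is None:
        return Decision("escalate",
                        f"source {alert.source_ip} outside known network zones")
    return Decision("close", f"managed host {alert.host_name} from zone {zone}")


# Constructed sample alerts covering the trusted case and each failure mode.
SAMPLE_ALERTS = [
    Alert("a1", "unusual_process", "ws-alice-01", "10.20.5.17"),   # trusted
    Alert("a2", "unusual_process", "ws-alice-01", "203.0.113.9"),  # unknown zone
    Alert("a3", "unusual_process", "unknown-host", "10.20.5.17"),  # unmanaged host
    Alert("a4", "unusual_process", None, "10.99.0.4"),             # missing field
    Alert("a5", "unusual_process", "ws-bob-02", "not-an-ip"),      # malformed IP
]


def triage_batch(alerts) -> dict:
    """Return {alert_id: action}; mirrors the bulk daily run."""
    return {a.alert_id: triage(a).action for a in alerts}


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        d = triage(a)
        print(f"{a.alert_id}: {d.action:8s} {d.reason}")
```

Of the five constructed alerts only `a1` is closed; the other four escalate, each with a reason string an analyst can read in the ticket. In a live deployment the two lookup functions would be replaced by the SOAR's Elasticsearch actions, and the query returned by `build_managed_host_query` is the shape such an action would send.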