How Doctolib Built an In-House SOC with Elastic Security, Cutting False Positives by 50%
Doctolib, Europe’s leading e-health platform connecting 90 million patients with 400,000 healthcare professionals, replaced an outsourced OpenSearch-based SOC with an in-house security operations center built on Elastic Security. The migration cut false positives by 50%, extended data retention from one month to one year, and enabled Doctolib to manage 12 times more log data while reducing cost per terabyte by 83%.
Impact
50%: reduction in false positives
12x: increase in data managed
1 month to 1 year: data retention period extended
83%: reduction in cost per terabyte
Challenge
Doctolib’s outsourced SOC on OpenSearch generated frequent false positives, limited data retention to one month, and couldn’t scale cost-effectively with the platform’s growth—leaving a 90-million-patient e-health platform underprotected and analysts overloaded with noise.
Solution
Elastic Security was deployed as Doctolib’s in-house SIEM, centralizing log collection across all data sources, applying machine learning for automated threat detection, and running on AWS to enable elastic scaling of both data volume and retention period.
What Leaders Say
“Elastic didn’t just enhance our security, it gave us the tools to scale efficiently and maintain high standards.”
“By using Elastic, we cut false positives by 50%, so our team could focus on real threats.”
“Elastic gave us the visibility we needed to respond to incidents and upgrade our security posture quickly, so that we could stay on top of healthcare tech.”
Full Story
Doctolib operates as the dominant digital health platform in Europe, serving 90 million patients and 400,000 healthcare professionals across France, Germany, Italy, and the Netherlands. As a platform handling sensitive patient data under strict healthcare regulations, the security demands are acute—and the consequences of a breach extend beyond financial loss into patient safety.
For years, Doctolib’s security operations relied on an outsourced SOC built on OpenSearch. The arrangement created structural problems: frequent false positives consumed analyst capacity, response times were slow, and data retention was limited to one month—insufficient for meaningful forensic investigation. The platform’s rapid growth, particularly through the COVID-19 pandemic, exposed just how brittle this model was at scale.
Doctolib moved its security operations in-house by deploying Elastic Security as the core of its SIEM environment. The team centralized logging, monitoring, and alerting across Google Drive, Jira, and internal applications into a single platform running on AWS. Machine learning capabilities within Elastic took over the routine alerting workload, filtering noise before it reached analysts.
The results were immediate and measurable. False positives dropped by 50%, allowing the security team to redirect attention from alert triage to genuine threat investigation. Data retention grew from one month to one year; Doctolib now ingests 2TB of logs per day and manages 12 times its previous data volume. Total spend doubled, but because the data volume grew twelvefold, the cost per terabyte fell by 83%, which is what made the expanded retention and scale economically viable. Mean time to detect fell because ML-driven alerting surfaces suspicious activity automatically, so the team's effort shifted to reducing mean time to investigate and resolve incidents.
Elastic also extended beyond the security function—Doctolib’s development teams gained access to their own application logs for the first time, accelerating debugging and improving cross-team visibility. Looking ahead, Doctolib plans to deepen its use of Elastic’s AI capabilities to move from reactive threat detection to proactive threat prevention.