---
title: "Dock + CrowdStrike Falcon: endpoint detection with agent-drafted containment"
excerpt: "When Falcon raises a high-severity detection, the SOC agent opens a Dock containment brief, attaches Splunk context, and waits for analyst approval before any host is isolated."
author: mei
category: Use Cases
date: "2026-05-30"
---

When Falcon raises a high-severity detection, a SOC analyst reads the telemetry, pulls adjacent Splunk logs, decides whether to isolate, and documents the call. The agent can do the assembly. It should not do the isolation. Dock is where the agent writes the containment brief and waits for a named analyst to approve. The host stays on the network until a human signs.

Falcon and Splunk stay the system of record for the raw data. Dock is the system of record for what the agent interprets. Each Dock row carries a pointer back to the platform record, the agent identity, the decision, the reviewer, and the timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.

## Containment Briefs table

| detection_id | host | falcon_severity | mitre_technique | agent_recommendation | analyst | status |
|---|---|---|---|---|---|---|
| FAL-44291 | laptop-engprod-22 | Critical | T1055 Process Injection | Isolate + collect memory image | sarah@ | approved 14:22 UTC |
| FAL-44307 | srv-billing-03 | High | T1059.001 PowerShell | Isolate, page on-call DBA first | mihir@ | pending |
| FAL-44318 | laptop-sales-08 | Medium | T1105 Ingress Transfer | Watchlist 24h, no isolate | sarah@ | approved 14:51 UTC |

The agent (sentinel-soc-01) writes the row. Host and detection_id link back to Falcon. The analyst column carries the human identity that signed.

## Worked workflow

1. Falcon webhook fires on FAL-44307. Sentinel-soc-01 reads the detection, the process tree, and the parent command line via the Falcon API.
2. The agent runs a fresh Splunk search for the host over the prior six hours, scoped to a read-only saved search it has access to. It pulls auth events, EDR-adjacent process events, and outbound DNS.
3. Sentinel writes a Dock row with the recommendation, the MITRE technique, and a one-paragraph rationale. The row links back to the Falcon detection and the Splunk search permalink.
4. Mihir gets paged. He opens the row, re-runs the Splunk search to confirm the agent did not cherry-pick, and clicks Approve. The approval is the [two-key handshake](/blog/two-key-handshakes-irreversible) gate.
5. Only after Mihir's signature does Dock POST to the Falcon containment endpoint. The response, the timestamp, and Mihir's identity land back in the row.
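Steps 4 and 5 as an added Python model of the gate, not Dock's code and not the Falcon or Splunk SDKs: the `ContainmentBrief` row, the `approve` signature, the `check_gate` second key and the injected `falcon_contain` callable are all assumptions for illustration. It also shows why the dangerous-op check keys off a structured action field rather than the free-text recommendation column.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

AGENT_IDS = {"sentinel-soc-01"}   # identities that draft rows but may never sign them
DANGEROUS_OPS = {"isolate"}       # structured actions on the dangerous-ops list

@dataclass
class ContainmentBrief:
    """One Containment Briefs row; analyst, status and response are filled in later."""
    detection_id: str
    host: str
    action: str                   # hypothetical structured field: "isolate" or "watchlist"
    agent_recommendation: str     # free-text column from the table
    agent_id: str
    analyst: Optional[str] = None
    status: str = "pending"
    containment_response: Optional[dict] = None

def needs_signature(brief: ContainmentBrief) -> bool:
    """Keyed off the structured action, not the free text: 'no isolate' contains 'isolate'."""
    return brief.action in DANGEROUS_OPS

def check_gate(brief: ContainmentBrief) -> str:
    """Second key of the two-key handshake: 'ok', or the reason the row is blocked."""
    if not needs_signature(brief):
        return "ok"
    if brief.analyst is None or brief.analyst in AGENT_IDS:
        return "blocked: no named human analyst on row"
    if not brief.status.startswith("approved "):
        return f"blocked: status is {brief.status!r}"
    return "ok"

def approve(brief: ContainmentBrief, analyst: str) -> None:
    """Analyst signature; an agent identity signing its own brief is rejected."""
    if analyst in AGENT_IDS or "@" not in analyst:
        raise PermissionError(f"{analyst!r} is not a named analyst")
    brief.analyst = analyst
    brief.status = "approved " + datetime.now(timezone.utc).strftime("%H:%M UTC")

def execute_containment(brief: ContainmentBrief, falcon_contain: Callable[[str, str], dict]) -> Optional[dict]:
    """Dock's post-signature step; falcon_contain(host, reason) is a stand-in for the Falcon POST."""
    verdict = check_gate(brief)
    if verdict != "ok":
        raise PermissionError(verdict)
    if not needs_signature(brief):
        return None   # watchlist-only row: nothing to POST, the row is the record
    resp = falcon_contain(brief.host, f"{brief.detection_id} approved by {brief.analyst}")
    brief.containment_response = {**resp, "approved_by": brief.analyst, "agent": brief.agent_id}
    return resp
```

A real deployment would replace `falcon_contain` with the client that POSTs to the containment endpoint and persist the returned row; the gate logic does not change.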

[Network containment in Falcon](https://www.crowdstrike.com/en-us/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/) is reversible from the console, but the human-signed audit trail in Dock is what the after-action review reads.

## Why this matters

Falcon and Splunk are excellent at telling you something happened. They are not the right place to capture why an agent thought it was real and who said yes. Putting the brief in Dock keeps the EDR clean and fits the broader [security operations pattern](/blog/dock-for-security-operations) where the agent drafts and a human signs. The same shape covers DLP triage, phishing triage, and IAM exceptions.

Host isolation is on the [dangerous-ops contract](/blog/dangerous-ops-contract). The agent never executes it solo. The [agent identity](/blog/agent-identity) on every row makes the next quarter's [audit and compliance](/blog/agent-audit-and-compliance) review a query, not an archaeology project, and aligns with the [compliance posture](/blog/dock-for-compliance) Dock customers run for SOC 2 and ISO 27001.

[Start a containment-brief workspace](https://dock.com/signup)

## FAQ

**Does Dock replace CrowdStrike Falcon?**
No. Falcon stays the EDR. Dock holds the agent's interpretation of Falcon detections and the human approval that authorizes containment.

**Can the agent isolate a host on its own?**
No. Network containment is on the dangerous-ops list. The agent drafts a recommendation. A named analyst approves before Dock calls the Falcon containment endpoint.

**How does Splunk fit in?**
Splunk is the log source the agent queries for adjacent context. The agent uses a scoped, read-only saved search. The permalink lands in the Dock row so the analyst can re-run the same query.

**What if Falcon already auto-contained the host?**
The Dock row records that Falcon's policy fired first, and the agent's brief becomes the after-action record; the MITRE technique field still links to the [defense-evasion taxonomy](https://attack.mitre.org/tactics/TA0005/).
