---
title: "Dock + Datadog Security: agent-drafted security finding with attributed analyst"
excerpt: "When a Datadog Security signal fires, an agent drafts a finding brief in Dock with the MITRE technique, blast radius, and recommended action, then a named analyst signs off before any containment runs."
author: mei
category: Use Cases
date: "2026-05-30"
---

A Datadog Security signal is a detection, not a decision. The decision is what the analyst writes next: severity, scope, MITRE technique, containment, who to page. That decision belongs in a system of record that survives the on-call rotation. This sub-essay shows how an agent drafts the finding brief from the raw signal, cross-references Splunk for prior context, and hands a named analyst the sign-off row in Dock.

Datadog Security stays the system of record for the raw data. Dock is the system of record for what the AGENT INTERPRETS. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.

## The Findings table

| finding_id | dd_signal_id | splunk_search | mitre_technique | severity | blast_radius | recommended_action | drafted_by | analyst_signoff | signed_at |
|---|---|---|---|---|---|---|---|---|---|
| FND-2041 | dd-sig-9c2a | spl-7711 | T1078.004 Valid Accounts: Cloud | high | 3 prod IAM roles | rotate keys, revoke session | argus@dock | sarah.chen | 2026-05-30 09:14 |
| FND-2042 | dd-sig-9c2f | spl-7714 | T1110.003 Password Spraying | medium | 1 staging tenant | force MFA reset, no containment | argus@dock | pending | — |
| FND-2043 | dd-sig-9c31 | spl-7720 | T1190 Exploit Public-Facing App | critical | edge gateway | isolate pod, page IR | argus@dock | r.okafor | 2026-05-30 10:02 |

Each row points back to the Datadog signal and the Splunk search that backs it. `drafted_by` is the agent. `analyst_signoff` is a person. No containment fires until the row is signed.

## One workflow: signal to signed finding

Argus subscribes to the Datadog Security signals stream. A high-severity signal fires on an unusual `sts:AssumeRole` pattern. Argus opens a Findings row, copies the signal id, and pulls the last 30 days of related auth logs from Splunk using the saved search. It tags the [MITRE ATT&CK technique](https://attack.mitre.org/) it best matches, summarizes blast radius from the assumed roles, and writes a recommended action. The row routes to the on-call analyst named in the rotation doc. The analyst reads the brief, opens the linked Datadog signal to confirm, and signs. Only after sign-off does Argus call the containment tool, which is itself gated by the [dangerous-ops contract](/blog/dangerous-ops-contract).
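The gate in that workflow is small enough to show in code. The block below is an added illustration, not Dock's, Datadog's or Argus's own code: it models a Findings row, lets the agent draft it from a signal, refuses containment until a named analyst has signed, and appends a delta when the signal is re-fetched (the behaviour the FAQ describes) without touching the original signoff. The signal dict, the `Finding`, `draft_finding`, `sign_off`, `run_containment` and `refresh_signal` names, and the rule-to-technique mapping are all assumptions made for the example.

```python
"""Added example, not Dock's or Datadog's code. Models the Findings-row gate:
the agent drafts, a named human signs, and only a signed row can reach the
containment tool. All names and the signal layout are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

AGENT_ID = "argus@dock"

# Constructed Datadog-style signal; field names are an assumption, not the real schema.
SAMPLE_SIGNAL = {
    "id": "dd-sig-9c2a",
    "severity": "high",
    "rule": "Unusual sts:AssumeRole pattern",
    "assumed_roles": ["prod-admin", "prod-deploy", "prod-readonly"],
}

# Hypothetical rule-name to technique mapping the agent would use for its suggestion.
MITRE_BY_RULE = {
    "Unusual sts:AssumeRole pattern": "T1078.004 Valid Accounts: Cloud",
}


class UnsignedFindingError(Exception):
    """Raised when containment is requested on a row with no analyst signoff."""


@dataclass
class Finding:
    finding_id: str
    dd_signal_id: str
    splunk_search: str
    mitre_technique: str
    severity: str
    blast_radius: str
    recommended_action: str
    drafted_by: str = AGENT_ID
    analyst_signoff: str = "pending"
    signed_at: Optional[str] = None
    deltas: list = field(default_factory=list)  # appended on re-fetch, never rewrites the row


def draft_finding(finding_id: str, signal: dict, splunk_search: str) -> Finding:
    """Agent step: open the row from the raw signal. Severity and roles come from the signal."""
    roles = signal["assumed_roles"]
    return Finding(
        finding_id=finding_id,
        dd_signal_id=signal["id"],
        splunk_search=splunk_search,
        mitre_technique=MITRE_BY_RULE.get(signal["rule"], "unmapped"),
        severity=signal["severity"],
        blast_radius=f"{len(roles)} prod IAM roles",
        recommended_action="rotate keys, revoke session",
    )


def sign_off(finding: Finding, analyst: str, technique_override: Optional[str] = None,
             now: Optional[datetime] = None) -> Finding:
    """Human step: the analyst may override the suggested technique, then signs the row."""
    if not analyst or analyst in ("pending", AGENT_ID):
        raise ValueError("analyst_signoff must be a named human, never the agent")
    if technique_override:
        finding.mitre_technique = technique_override
    finding.analyst_signoff = analyst
    finding.signed_at = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M")
    return finding


def is_signed(finding: Finding) -> bool:
    return finding.analyst_signoff not in ("pending", "", AGENT_ID) and finding.signed_at is not None


def run_containment(finding: Finding, contain: Callable[[Finding], str]) -> str:
    """Gate: the containment tool (itself gated elsewhere) is only called on a signed row."""
    if not is_signed(finding):
        raise UnsignedFindingError(f"{finding.finding_id} has no analyst signoff")
    return contain(finding)


def refresh_signal(finding: Finding, fresh_signal: dict,
                   material_fields=("severity", "assumed_roles")) -> bool:
    """Re-fetch step: record what changed as a delta; the original signoff is left as is.
    Returns True when a material field changed, meaning a new row should be opened."""
    changed = {k: fresh_signal[k] for k in material_fields
               if fresh_signal.get(k) != getattr_signal_value(finding, k)}
    finding.deltas.append({"signal_id": fresh_signal["id"], "changed": changed})
    return bool(changed)


def getattr_signal_value(finding: Finding, key: str):
    """Maps a signal field back to what the row recorded; only severity is stored verbatim."""
    if key == "severity":
        return finding.severity
    return None  # roles are summarized as blast_radius, so any role change counts as material


if __name__ == "__main__":
    row = draft_finding("FND-2041", SAMPLE_SIGNAL, "spl-7711")
    sign_off(row, "sarah.chen", now=datetime(2026, 5, 30, 9, 14))
    print(run_containment(row, lambda f: f"contained {f.blast_radius}"))
```

Two things the code makes explicit that the prose leaves implicit: the agent identity is rejected as a signer, so a misconfigured rotation doc cannot let Argus sign its own brief, and a re-fetched signal never rewrites the signed row, it only appends to `deltas` and tells the caller whether a fresh row is warranted.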

## Why this matters

Security teams already have detection. What they lack is a durable, attributed record of analyst judgment that auditors can read a year later. Putting the interpretation layer in Dock gives [security operations](/blog/dock-for-security-operations) a row per finding with a named human on the signoff line, which is what [compliance reviewers](/blog/dock-for-compliance) actually ask for. The agent never closes a finding on its own. It drafts; a person signs. That separation is the whole point of [agent audit and compliance](/blog/agent-audit-and-compliance) work, and it pairs cleanly with the [DevOps Dock surface](/blog/dock-for-devops) when a containment action touches production infrastructure.

If you run incident response and want the analyst signoff trail without a new SIEM seat, start with one detection rule and one Findings table.

[Open the security operations pillar.](/blog/dock-for-security-operations)

## FAQ

**Does Dock replace Datadog Security or Splunk?**
No. Datadog detects. Splunk searches history. Dock holds the agent draft and the analyst signoff. The signals and logs stay in their platforms.

**What if the Datadog signal updates after the row is signed?**
Argus re-fetches the signal on every read and appends a delta to the row. The original signoff stays; a new row is opened if the change is material. This is how [audit trails](/blog/agent-audit-and-compliance) stay honest.

**Can the agent auto-contain critical findings?**
Only through a gated tool with a second human key, per the dangerous-ops pattern. Drafting is unlimited; acting is bounded.

**How do you tag MITRE ATT&CK techniques?**
Argus suggests the technique id from signal metadata. The analyst confirms or overrides during signoff. The chosen id is stored on the row so the table is queryable by tactic.
