A Splunk correlation search fires. An agent pulls the event, drafts a triage brief, and routes it to a tier-1 analyst. The analyst confirms, escalates, or suppresses. Dock records who decided, when, and why. The SIEM keeps events. Dock keeps interpretation. This works for security operations teams on Splunk ES or Datadog Cloud SIEM who want agent leverage without losing analyst accountability.
Splunk and Datadog Security stay the system of record for the raw data. Dock is the system of record for what the agent interprets. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.
The Alert Triage table
| splunk_sid | rule | severity | agent_verdict | analyst_decision | reviewer | decided_at |
|---|---|---|---|---|---|---|
| 1717023841.4421 | Impossible Travel - SSO | high | likely true positive: same user, two countries, 14 min apart | escalate to tier 2 | mei.k@acme | 2026-05-30 09:14 |
| 1717024003.4502 | Outbound DNS to known C2 | critical | true positive: host matches recent IOC feed | contain endpoint | r.diaz@acme | 2026-05-30 09:22 |
| 1717024188.4517 | Brute force SMB - lab subnet | medium | likely false positive: scheduled pentest window | suppress 24h | mei.k@acme | 2026-05-30 09:31 |
The agent drafts agent_verdict with citations to the Splunk search ID and any enrichment it pulled. The analyst writes analyst_decision. The reviewer column captures the human signature. Neither column overwrites the other.
One worked workflow
A Datadog Security Signal fires at 09:22 for outbound DNS to a flagged C2 domain. The triage agent reads the signal via the Datadog API, cross-checks the destination against the team threat-intel feed, and finds a 48-hour match. It opens a Dock row with verdict "true positive" and recommends endpoint containment. Containment is gated by a dangerous-ops contract, so the agent does not act. The on-call analyst reads the brief, agrees, and clicks Contain. Dock writes analyst_decision, the analyst's email, and the timestamp. The containment API call carries both identities in its audit log, which matters for agent audit and compliance reviews.
Why it matters
SOC tier-1 work is mostly reading, summarizing, and routing. Splunk's SOC guidance describes tier-1 analysts as first responders who judge urgency and decide what to escalate (Splunk, "What's a SOC?"). Agents draft that summary faster than a human. But NIST 800-61 requires incident records traceable to a responsible handler, and Rev 3 did not relax that (NIST SP 800-61 Rev 2). If your agent closes a ticket without a named reviewer, you have an unsigned decision in your incident record. Dock makes reviewer a required column on every triage row, the same pattern IT operations teams use for change tickets.
Agent identity also rotates. The Splunk service principal reading events last week may not be the same one reading today, and your agent identity lifecycle needs to survive a key roll without breaking the audit trail. Storing the agent identity on the row keeps that history intact.
CTA
If you run a SOC on Splunk or Datadog Security and you want agent leverage with named analyst sign-off, talk to us about a triage pilot.
FAQ
Does Dock replace Splunk Enterprise Security or Datadog Cloud SIEM? No. Splunk and Datadog stay the SIEM. Dock holds the agent triage brief and the analyst decision. The raw events, correlation searches, and detection rules live in the SIEM.
What happens if the agent and the analyst disagree? The analyst decision wins and is recorded as the closing verdict. The agent's draft stays on the row as context. Disagreement frequency is a useful signal for tuning the agent prompt or the detection rule.
How does this map to compliance frameworks like SOC 2 or ISO 27001? Auditors want a named handler per incident and a retained decision record. The reviewer column and timestamp give you both. See Dock for compliance for the control mapping.
Can the agent take containment or isolation actions on its own? Only inside a dangerous-ops contract with pre-approved scopes. Most teams gate containment behind a human click. The contract pattern is covered separately.