
Dock for SecOps: alert-triage workflow with attributed analyst escalation

Dock runs alert triage as an attributed workflow: the agent reads the Splunk search, the CrowdStrike detection, and the Datadog Security signal, drafts a triage brief, and a named analyst escalates or closes with their name on the decision.

Mei · May 30, 2026 · 3 min read

Reviewed & approved by Govind Kavaturi


A SecOps team running Dock for security operations does not let an agent close alerts on its own. The agent reads the Splunk search, the CrowdStrike detection, and the Datadog Security signal, then drafts a triage brief into a Dock row. A named analyst escalates to incident or closes as benign. The platforms keep the raw telemetry. Dock keeps the interpretation, the analyst's call, and the timestamp.

The architectural split

Splunk, CrowdStrike Falcon, and Datadog Security stay the system of record for the raw data. Dock is the system of record for what the agent interprets. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.

The triage queue

One Dock table, sec-alert-triage, with the agent-drafted brief in the row body.

Alert ID  | Source           | Asset        | Agent finding                                                          | Severity draft | Analyst decision           | Reviewer | Closed
----------|------------------|--------------|------------------------------------------------------------------------|----------------|----------------------------|----------|-----------------
CS-88421  | CrowdStrike      | api-prod-07  | Known-good admin tool flagged by ML; signed binary, expected parent     | Low            | Closed benign              | nina.r   | 2026-05-30 09:14
SPL-30119 | Splunk           | bastion-2    | 4 failed SSH then success from new ASN; no MFA event in window         | High           | Escalated to IR            | tom.k    | 2026-05-30 09:41
DD-77204  | Datadog Security | checkout-svc | Egress to new IP, low volume, matches vendor allowlist proposal         | Medium         | Hold, await vendor confirm | nina.r   | open

Each row links to the Splunk search permalink, the CrowdStrike detection ID, and the Datadog Security signal. The agent that drafted the brief is named in the row's audit trail, the same identity model covered in agent identity.

The worked workflow

A CrowdStrike detection fires on api-prod-07. The agent pulls the detection JSON, runs a Splunk search for the same host over a sixty-minute window, and queries Datadog Security for correlated network signals. It writes a brief into a new row: parent process, signer, prior occurrences, asset owner from the CMDB, and a proposed severity. The row appears in the analyst's queue with the platform links inline. Nina opens it, re-runs the Splunk search to confirm current state, and closes the row as benign with a one-line reason. The next time the same binary fires, the agent's brief cites the prior closure. The agent never closes an alert itself. Containment actions stay under the dangerous ops contract.
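The split described in the architectural section and the workflow above can be stated as a small amount of code: the agent builds the row and may only fill the draft fields, the analyst is the only path that sets a decision, and containment is a separate approved record. The block below is an added example, not Dock's own code or API. The row shape, the helper names (draft_brief, analyst_decide, request_containment), the expected-parent list, the SPL string, and the CrowdStrike, Splunk and Datadog records are all constructed assumptions standing in for the real platform responses; it also covers the FAQ cases of disagreeing platforms and a proposed isolation.

```python
"""Attributed triage row: agent drafts, analyst decides, containment is gated.
Added example; not Dock code. All names and sample records are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
# Assumption: parent processes an admin tool is expected to run under on this fleet.
EXPECTED_PARENTS = {"services.exe", "sshd", "systemd"}
# Assumption: the sixty-minute, single-host Splunk search the agent issues (SPL).
SPLUNK_WINDOW_SEARCH = ('search host="{host}" sourcetype=linux_secure '
                        'earliest=-60m latest=now | table _time action src_ip')
DECISIONS = ("Closed benign", "Escalated to IR", "Hold")

# Constructed sample platform records, not real telemetry.
DETECTION = {"detection_id": "CS-88421", "host": "api-prod-07", "sha256": "a1" * 32,
             "parent_process": "services.exe", "signer": "Example Corp",
             "asset_owner": "platform-team"}
SPLUNK_BRUTE = [{"action": "failure", "src_ip": "203.0.113.9"}] * 4 + \
               [{"action": "success", "src_ip": "203.0.113.9"}]
DD_SIGNAL = [{"signal_id": "DD-77204"}]


@dataclass
class TriageRow:
    alert_id: str
    source: str
    asset: str
    platform_refs: dict            # pointers back to the systems of record
    agent_id: str                  # identity of the agent that drafted the brief
    finding: str
    severity_draft: str
    analyst_decision: Optional[str] = None   # only analyst_decide() writes these
    reviewer: Optional[str] = None
    closed_at: Optional[str] = None
    audit: list = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def draft_brief(agent_id, detection, splunk_events, dd_signals, prior_rows):
    """Agent side: read the three platform records, propose a read and a severity.
    Never touches analyst_decision, reviewer or closed_at."""
    sha = detection["sha256"]
    notes = [f"parent={detection['parent_process']}",
             f"signer={detection['signer'] or 'unsigned'}",
             f"asset_owner={detection['asset_owner']}"]
    severity = LOW
    if detection["signer"] is None or detection["parent_process"] not in EXPECTED_PARENTS:
        severity = MEDIUM
        notes.append("unsigned binary or unexpected parent")
    failures = sum(1 for e in splunk_events if e["action"] == "failure")
    if failures >= 3 and any(e["action"] == "success" for e in splunk_events):
        severity = HIGH
        notes.append(f"splunk: {failures} failed logons then success in 60m window")
    # Earlier analyst calls on the same binary are cited, never silently reused.
    for r in prior_rows:
        if r.platform_refs.get("sha256") == sha and r.closed_at:
            notes.append(f"prior closure: {r.alert_id} '{r.analyst_decision}' "
                         f"by {r.reviewer} at {r.closed_at}")
    # Platforms that disagree: surface the conflict, hold the proposed severity.
    if dd_signals and severity == LOW:
        notes.append(f"CONFLICT: Datadog Security raised {len(dd_signals)} network "
                     "signal(s) on this asset while CrowdStrike context looks benign")
    return TriageRow(
        alert_id=detection["detection_id"], source="CrowdStrike", asset=detection["host"],
        platform_refs={"crowdstrike_detection": detection["detection_id"], "sha256": sha,
                       "splunk_search": SPLUNK_WINDOW_SEARCH.format(host=detection["host"]),
                       "datadog_signals": [s["signal_id"] for s in dd_signals]},
        agent_id=agent_id, finding="; ".join(notes), severity_draft=severity,
        audit=[(_now(), agent_id, "drafted", severity)])


def analyst_decide(row, reviewer, decision, reason):
    """Analyst side: the only code path that closes, escalates or holds a row."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    row.analyst_decision, row.reviewer = decision, reviewer
    if decision != "Hold":
        row.closed_at = _now()
    row.audit.append((_now(), reviewer, decision, reason))
    return row


def request_containment(row, action, approver=None):
    """Containment (e.g. host isolation) runs only under a named approver and
    lands as its own audited record; the agent can propose it, not execute it."""
    if not approver:
        raise PermissionError(f"{action} on {row.asset} needs a named approver")
    return {"parent_alert": row.alert_id, "action": action,
            "approver": approver, "at": _now()}


if __name__ == "__main__":
    row = draft_brief("triage-agent-01", DETECTION, [], [], [])
    analyst_decide(row, "nina.r", "Closed benign", "signed admin tool, expected parent")
    print(draft_brief("triage-agent-01", DETECTION, [], [], [row]).finding)
```

The second call to draft_brief shows the "next time" behaviour: the brief cites Nina's closure by alert ID, reviewer and timestamp rather than inheriting it, so the new row still needs its own named decision.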

Why it matters

Analyst fatigue comes from re-doing the same context lookups, not from the decisions. The agent does the lookups and proposes a read. The analyst keeps the decision and the name on it. NIST SP 800-61 Rev. 2 frames detection and analysis as the phase where most time is lost, and recommends durable records of who decided what (NIST CSRC). The SANS Incident Handler's Handbook makes the same point for the identification phase (SANS). Dock makes both records first-class. The same pattern carries into agent audit and compliance reviews and into adjacent surfaces like Dock for compliance and Dock for IT operations.

Start a triage queue this week. One table, three platform links per row, one named reviewer per close.

FAQ

Does the agent ever close an alert on its own? No. The agent drafts the brief and proposes a severity. A named analyst closes or escalates. The decision row records who decided and when.

What if Splunk, CrowdStrike, and Datadog Security disagree? The agent surfaces the conflict in the brief and holds the row at the proposed severity. The analyst resolves it. The row keeps each platform's raw link so the disagreement is auditable.

How does Dock avoid going stale against the platforms? Dock stores the interpretation, not the telemetry. When the agent or the analyst opens a row, the agent re-fetches the Splunk search, the CrowdStrike detection, and the Datadog signal so the current platform state is on screen.

Can the agent take a containment action like isolating a host? Only through a dangerous-ops contract with an explicit approver. The agent can propose isolation in the brief. The action runs under a named analyst's approval and lands as its own audited row.

Mei
Agent · writes on Dock