Use Cases · May 30

Dock + Datadog Security: agent-drafted security finding with attributed analyst

When a Datadog Security signal fires, an agent drafts a finding brief in Dock with the MITRE technique, blast radius, and recommended action, then a named analyst signs off before any containment runs.

By mei · 3 min read · from trydock.ai

A Datadog Security signal is a detection, not a decision. The decision is what the analyst writes next: severity, scope, MITRE technique, containment, who to page. That decision belongs in a system of record that survives the on-call rotation. This sub-essay shows how an agent drafts the finding brief from the raw signal, cross-references Splunk for prior context, and hands a named analyst the sign-off row in Dock.

Datadog Security stays the system of record for the raw data. Dock is the system of record for what the AGENT INTERPRETS. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.

The Findings table

| finding_id | dd_signal_id | splunk_search | mitre_technique | severity | blast_radius | recommended_action | drafted_by | analyst_signoff | signed_at |
|---|---|---|---|---|---|---|---|---|---|
| FND-2041 | dd-sig-9c2a | spl-7711 | T1078.004 Valid Accounts: Cloud | high | 3 prod IAM roles | rotate keys, revoke session | argus@dock | sarah.chen | 2026-05-30 09:14 |
| FND-2042 | dd-sig-9c2f | spl-7714 | T1110.003 Password Spraying | medium | 1 staging tenant | force MFA reset, no containment | argus@dock | pending | |
| FND-2043 | dd-sig-9c31 | spl-7720 | T1190 Exploit Public-Facing App | critical | edge gateway | isolate pod, page IR | argus@dock | r.okafor | 2026-05-30 10:02 |

Each row points back to the Datadog signal and the Splunk search that backs it. drafted_by is the agent. analyst_signoff is a person. No containment fires until the row is signed.

One workflow: signal to signed finding

Argus subscribes to the Datadog Security signals stream. A high-severity signal fires on an unusual sts:AssumeRole pattern. Argus opens a Findings row, copies the signal id, and pulls the last 30 days of related auth logs from Splunk using the saved search. It tags the MITRE ATT&CK technique it best matches, summarizes blast radius from the assumed roles, and writes a recommended action. The row routes to the on-call analyst named in the rotation doc. The analyst reads the brief, opens the linked Datadog signal to confirm, and signs. Only after sign-off does Argus call the containment tool, which is itself gated by the dangerous-ops contract.

Why this matters

Security teams already have detection. What they lack is a durable, attributed record of analyst judgment that auditors can read a year later. Putting the interpretation layer in Dock gives security operations a row per finding with a named human on the sign-off line, which is what compliance reviewers actually ask for. The agent never closes a finding on its own. It drafts; a person signs. That separation is the whole point of agent audit and compliance work, and it pairs cleanly with the DevOps Dock surface when a containment action touches production infrastructure.

If you run incident response and want the analyst sign-off trail without a new SIEM seat, start with one detection rule and one Findings table.


FAQ

Does Dock replace Datadog Security or Splunk? No. Datadog detects. Splunk searches history. Dock holds the agent draft and the analyst sign-off. The signals and logs stay in their platforms.

What if the Datadog signal updates after the row is signed? Argus re-fetches the signal on every read and appends a delta to the row. The original sign-off stays; a new row is opened if the change is material. This is how audit trails stay honest.

Can the agent auto-contain critical findings? Only through a gated tool with a second human key, per the dangerous-ops pattern. Drafting is unlimited; acting is bounded.

How do you tag MITRE ATT&CK techniques? Argus suggests the technique id from signal metadata. The analyst confirms or overrides during sign-off. The chosen id is stored on the row so the table is queryable by tactic.
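The gate described in the workflow section and the two FAQ rules above (no containment until a named person signs, a second human key for critical findings, re-fetch and append a delta rather than rewrite a sign-off), modelled as an added example. This is illustrative code, not Dock's or Argus's own implementation; the row shape, field names and the set of "material" signal keys are assumptions.

```python
# Added example (not Dock's or Argus's code): a sign-off gate modelling the rule
# "no containment fires until the row is signed", the second-human-key rule for
# critical findings, and the re-fetch/delta behaviour from the FAQ. Field names,
# MATERIAL_KEYS and the row shape are assumptions, not the product's API.
from dataclasses import dataclass, field
from typing import Optional

# Signal fields whose change counts as "material" (assumption for this example).
MATERIAL_KEYS = {"severity", "assumed_roles", "technique"}

@dataclass
class Finding:
    finding_id: str
    dd_signal_id: str
    severity: str
    drafted_by: str                      # the agent, e.g. "argus@dock"
    signal_seen: dict                    # snapshot the brief was drafted from
    analyst_signoff: str = "pending"     # a named person, never the agent
    signed_at: str = ""
    deltas: list = field(default_factory=list)   # history of signal drift

def sign(row: Finding, analyst: str, when: str) -> None:
    """A named analyst signs; the drafting agent may not sign its own brief."""
    if not analyst or analyst == row.drafted_by:
        raise PermissionError("sign-off must come from a human, not the drafting agent")
    row.analyst_signoff, row.signed_at = analyst, when

def containment_allowed(row: Finding, second_key: Optional[str] = None) -> bool:
    """Gate placed in front of the containment tool: drafting is free, acting is not."""
    if row.analyst_signoff in ("", "pending") or not row.signed_at:
        return False
    if row.severity == "critical":
        # dangerous-ops pattern: a second, distinct human key is required
        return bool(second_key) and second_key not in (row.analyst_signoff, row.drafted_by)
    return True

def reconcile(row: Finding, fresh: dict) -> Optional[Finding]:
    """Re-fetch on every read. Append a delta to the row (the original sign-off is
    never rewritten) and return a new, unsigned row if the change is material."""
    changed = sorted(k for k in set(row.signal_seen) | set(fresh)
                     if row.signal_seen.get(k) != fresh.get(k))
    if not changed:
        return None
    row.deltas.append({"changed": changed, "was": {k: row.signal_seen.get(k) for k in changed}})
    row.signal_seen = dict(fresh)        # next read compares against the latest state
    if MATERIAL_KEYS & set(changed):
        return Finding(f"{row.finding_id}-r{len(row.deltas)}", row.dd_signal_id,
                       fresh.get("severity", row.severity), row.drafted_by, dict(fresh))
    return None
```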
