Add SpoofSentry integration

spoofsentry/README.md

@@ -0,0 +1,61 @@
+## Overview
+
+SpoofSentry by DomainSeal monitors your domains for email spoofing, DMARC failures, lookalike domain abuse, and phishing campaigns. This integration sends domain security events to Datadog for centralized logging, analysis, and alerting.
+
+Events include:
+- DMARC authentication failures with sender details
+- Spoofing campaign detections with IP attribution
+- Lookalike domain threats with risk scores
+- DNS enforcement changes (SPF, DKIM, DMARC policy)
+- Takedown orchestration lifecycle (created, dispatched, escalated, resolved)
+
+## Setup
+
+### In SpoofSentry
+
+1. Log in to [SpoofSentry](https://spoofsentry.com)
+2. Go to **Settings > Integrations > SIEM**
+3. Select **Datadog**
+4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys)
+5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`)
+6. Click **Test Connection** to verify
+
+### In Datadog
+
+Events appear automatically in **Logs** with `source:spoofsentry`. The pre-built dashboard is installed with this integration.
+
+### Log Pipeline
+
+A log pipeline is included that:
+- Maps `eventType` to `evt.name`
+- Maps `severity` to log status
+- Maps `domain` to `network.destination.domain`
+- Categorizes severity levels
+
+## Data Collected
+
+### Logs
+
+SpoofSentry sends domain security events as JSON logs via the Datadog Logs API.
+
+| Field | Description |
+|-------|-------------|
+| `eventType` | Event classification (e.g., `SPOOF_THREAT_DETECTED`) |
+| `severity` | `critical`, `high`, `medium`, `low`, `info` |
+| `domain` | Target domain |
+| `tenantId` | Customer tenant identifier |
+| `message` | Human-readable event summary |
+
+### Tags
+
+All events include these tags:
+- `service:spoofsentry`
+- `event_type:<type>`
+- `severity:<level>`
+- `domain:<domain>`
+
+## Support
+
+- Email: hello@spoofsentry.com
+- Documentation: [https://spoofsentry.com/docs/integrations/datadog](https://spoofsentry.com/docs/integrations/datadog)
+- Status: [https://spoofsentry.com/status](https://spoofsentry.com/status)

spoofsentry/assets/dashboards/spoofsentry.json

@@ -0,0 +1,160 @@
+{
+  "title": "SpoofSentry - Domain Security Overview",
+  "description": "DMARC monitoring, spoofing detection, lookalike domains, and takedown orchestration events from SpoofSentry.",
+  "widgets": [
+    {
+      "id": 1,
+      "definition": {
+        "title": "Security Events (24h)",
+        "type": "query_value",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" }
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 2,
+      "definition": {
+        "title": "Critical & High Threats (24h)",
+        "type": "query_value",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry (severity:critical OR severity:high)" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" }
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 3,
+      "definition": {
+        "title": "Events by Severity",
+        "type": "timeseries",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@severity", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "timeseries",
+            "display_type": "bars"
+          }
+        ]
+      }
+    },
+    {
+      "id": 4,
+      "definition": {
+        "title": "Events by Type",
+        "type": "toplist",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@eventType", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 5,
+      "definition": {
+        "title": "Events by Domain",
+        "type": "toplist",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "host", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 6,
+      "definition": {
+        "title": "Takedown Activity",
+        "type": "timeseries",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry @eventType:(TAKEDOWN_*)" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@eventType", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "timeseries",
+            "display_type": "line"
+          }
+        ]
+      }
+    },
+    {
+      "id": 7,
+      "definition": {
+        "title": "Recent Security Events",
+        "type": "log_stream",
+        "query": "source:spoofsentry",
+        "columns": ["@eventType", "@severity", "host", "@tenantId"],
+        "sort": { "column": "time", "order": "desc" },
+        "message_display": "expanded-md"
+      }
+    }
+  ],
+  "layout_type": "ordered",
+  "notify_list": [],
+  "reflow_type": "fixed"
+}

spoofsentry/assets/logs/spoofsentry.yaml

@@ -0,0 +1,67 @@
+id: spoofsentry
+type: pipeline
+name: SpoofSentry
+enabled: true
+filter:
+  query: "source:spoofsentry"
+processors:
+  - type: attribute-remapper
+    name: Map eventType to evt.name
+    enabled: true
+    sources:
+      - eventType
+    target: evt.name
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: attribute-remapper
+    name: Map severity to log status
+    enabled: true
+    sources:
+      - severity
+    target: status
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: attribute-remapper
+    name: Map domain to network.destination.domain
+    enabled: true
+    sources:
+      - domain
+    target: network.destination.domain
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: attribute-remapper
+    name: Map tenantId to usr.id
+    enabled: true
+    sources:
+      - tenantId
+    target: usr.id
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: category-processor
+    name: Categorize severity levels
+    enabled: true
+    categories:
+      - filter:
+          query: "@severity:critical"
+        name: Critical
+      - filter:
+          query: "@severity:high"
+        name: High
+      - filter:
+          query: "@severity:medium"
+        name: Medium
+      - filter:
+          query: "@severity:low"
+        name: Low
+      - filter:
+          query: "@severity:info"
+        name: Info
+    target: severity_category

spoofsentry/assets/service_checks.json

@@ -0,0 +1 @@
+[]

spoofsentry/manifest.json

@@ -0,0 +1,48 @@
+{
+  "manifest_version": "2.0.0",
+  "app_uuid": "87ffb85e-b1e8-4f3d-8978-ce5a2d43036f",
+  "app_id": "spoofsentry",
+  "display_on_public_website": true,
+  "tile": {
+    "overview": "README.md#Overview",
+    "configuration": "README.md#Setup",
+    "uninstallation": "README.md#Uninstallation",
+    "support": "README.md#Support",
+    "changelog": "CHANGELOG.md",
+    "description": "Ingest DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
+    "title": "SpoofSentry",
+    "media": [],
+    "classifier_tags": [
+      "Category::Security",
+      "Category::Log Collection",
+      "Category::Notifications",
+      "Submitted Data Type::Logs",
+      "Offering::Integration"
+    ]
+  },
+  "assets": {
+    "dashboards": {
+      "SpoofSentry - Domain Security Overview": "assets/dashboards/spoofsentry.json"
+    },
+    "logs": {
+      "source": "spoofsentry"
+    },
+    "integration": {
+      "source_type_name": "SpoofSentry",
+      "auto_install": true,
+      "configuration": {},
+      "events": {
+        "creates_events": false
+      },
+      "service_checks": {
+        "metadata_path": "assets/service_checks.json"
+      }
+    }
+  },
+  "author": {
+    "homepage": "https://spoofsentry.com",
+    "name": "DomainSeal",
+    "support_email": "hello@spoofsentry.com",
+    "sales_email": "hello@spoofsentry.com"
+  }
+}