
Add SpoofSentry integration#2963

Open
netallion wants to merge 6 commits into DataDog:master from netallion:add-spoofsentry-integration

Conversation

@netallion

What does this PR do?

Adds a new integration for SpoofSentry by DomainSeal — a DMARC monitoring, domain spoofing detection, and automated takedown platform.

SpoofSentry sends domain security events to Datadog via the Logs API (HTTP intake).

Includes:

  • Integration tile with manifest and classifier tags (Security, Log Collection, Notifications)
  • Pre-built dashboard (7 widgets: event counts, severity timeseries, threat toplist, domain breakdown, takedown activity, log stream)
  • Log pipeline with attribute remapping
  • Setup documentation (README rendered in Datadog UI)

Motivation

SpoofSentry protects domains from email spoofing, phishing impersonation, and lookalike domain abuse. Security teams using Datadog need these events alongside their other security data for centralized analysis, correlation, and alerting.

Review checklist

  • PR has a meaningful title
  • Feature or bugfix has tests
  • Git history is clean
  • If PR impacts documentation, docs team has been notified
  • If this PR includes a log pipeline, please add a description describing the remappers and processors.

Log Pipeline Description

The log pipeline (assets/logs/spoofsentry.yaml) includes these processors:

  • Attribute remapper: eventType → evt.name (event classification)
  • Attribute remapper: severity → status (log level mapping)
  • Attribute remapper: domain → network.destination.domain (target domain)
  • Attribute remapper: tenantId → usr.id (customer tenant)
  • Category processor: Maps severity values (critical, high, medium, low, info) to named categories

Additional Notes

  • Source: spoofsentry (ddsource tag)
  • Auth: DD-API-KEY header
  • Multi-site: datadoghq.com (US), datadoghq.eu (EU)
  • Event types: DMARC failures, spoofing campaigns, lookalike domains, DNS enforcement changes, takedown orchestration lifecycle
  • Author: DomainSeal (https://spoofsentry.com)
  • Support: hello@spoofsentry.com

…d takedown events

SpoofSentry by DomainSeal sends domain security events to Datadog via the Logs API.

Includes:
- Integration tile with manifest and classifier tags
- Pre-built dashboard (7 widgets: event counts, severity timeseries, threat toplist, domain breakdown, takedown activity, log stream)
- Log pipeline with attribute remapping (eventType, severity, domain, tenantId)
- Setup documentation

Event types: DMARC failures, spoofing campaigns, lookalike domains, DNS enforcement changes, takedown orchestration lifecycle.

Severity levels: critical, high, medium, low, info
Sourcetype: spoofsentry (ddsource tag)
Auth: DD-API-KEY header
Multi-site: datadoghq.com (US), datadoghq.eu (EU)
@netallion netallion requested review from a team as code owners April 9, 2026 10:25

cswatt commented Apr 9, 2026

Added DOCS-13959 to track docs review

@cswatt cswatt added the editorial review Waiting on a more in-depth review from a docs team editor label Apr 9, 2026
@dd-dominic

@netallion Your organization will need to onboard as a Technology Partner. Please reach out to ecosystems@datadoghq.com and reference this PR.

Comment thread spoofsentry/manifest.json
"tile": {
"overview": "README.md#Overview",
"configuration": "README.md#Setup",
"uninstallation": "README.md#Uninstallation",

The manifest references README.md#Uninstallation, but the README doesn't include an ## Uninstallation section. Please add one. For a log-based integration, this can be brief — for example:

## Uninstallation

Remove the SpoofSentry integration from **Integrations > Integrations**.

Comment thread spoofsentry/manifest.json Outdated
"uninstallation": "README.md#Uninstallation",
"support": "README.md#Support",
"changelog": "CHANGELOG.md",
"description": "Ingest DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",

This description is 81 characters, which exceeds the 80-character limit for tile descriptions. Trim slightly — for example:

Suggested change
"description": "Ingest DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
"description": "DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",

Comment thread spoofsentry/README.md Outdated

### Log Pipeline

A log pipeline is included that:

Suggested change
A log pipeline is included that:
The integration includes a log pipeline that:

Comment thread spoofsentry/README.md Outdated

### Logs

SpoofSentry sends domain security events as JSON logs via the Datadog Logs API.

Suggested change
SpoofSentry sends domain security events as JSON logs via the Datadog Logs API.
SpoofSentry sends domain security events as JSON logs through the Datadog Logs API.

Comment thread spoofsentry/README.md Outdated
Comment on lines +57 to +61
## Support

- Email: hello@spoofsentry.com
- Documentation: [https://spoofsentry.com/docs/integrations/datadog](https://spoofsentry.com/docs/integrations/datadog)
- Status: [https://spoofsentry.com/status](https://spoofsentry.com/status)

The Support section for integrations-extras typically points directly to the creator's support contact. The Documentation: and Status: list items are non-standard here — consider simplifying to match the convention used by other integrations, and folding the docs link into the Setup section if it's useful there:

Suggested change
## Support
- Email: hello@spoofsentry.com
- Documentation: [https://spoofsentry.com/docs/integrations/datadog](https://spoofsentry.com/docs/integrations/datadog)
- Status: [https://spoofsentry.com/status](https://spoofsentry.com/status)
## Support
Need help? Contact [SpoofSentry support](mailto:hello@spoofsentry.com).

{
"id": 1,
"definition": {
"title": "Security Events (24h)",

The (24h) suffix implies a fixed time window, but this widget uses the dashboard's time selector. Consider removing it or renaming to reflect the dynamic range, for example "Security Events".

{
"id": 2,
"definition": {
"title": "Critical & High Threats (24h)",

Same as above — the (24h) suffix is misleading since the time range is controlled by the dashboard selector. Consider "Critical & High Threats".

"indexes": ["*"],
"compute": { "aggregation": "count" },
"group_by": [
{ "facet": "host", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }

The "Events by Domain" widget groups by host, but the log pipeline maps domain to @network.destination.domain. Please verify that host is populated with the monitored domain — if not, this facet should likely be @network.destination.domain or @domain.
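An added example (not code from the PR, SpoofSentry, or Datadog) that ties the Log Pipeline Description and Additional Notes in the PR body to this facet comment: it shapes the intake request, replays the remappers and category processor on one log, and flags widgets whose group_by facet is absent from the processed log. The intake URL pattern, the processor field names, the widget facets and the sample event are assumptions and constructed values, not the PR's own files.

```python
import json

# Constructed sample event and constructed stand-ins for the PR's processors and widget facets.
SAMPLE_EVENT = {"eventType": "SPOOF_THREAT_DETECTED", "severity": "high",
                "domain": "example.com", "tenantId": "tenant-42",
                "message": "Lookalike domain registered: examp1e.com"}
PROCESSORS = [  # field names follow Datadog's pipeline API processor objects
    {"type": "attribute-remapper", "sources": ["eventType"], "target": "evt.name"},
    {"type": "attribute-remapper", "sources": ["severity"], "target": "status"},
    {"type": "attribute-remapper", "sources": ["domain"], "target": "network.destination.domain"},
    {"type": "attribute-remapper", "sources": ["tenantId"], "target": "usr.id"},
    {"type": "category-processor", "target": "severity_category", "categories": [
        {"name": level, "filter": {"query": f"@status:{level}"}}
        for level in ("critical", "high", "medium", "low", "info")]},
]
WIDGET_FACETS = {"Events by domain": "host", "Events by severity": "@status",
                 "Events by type": "@evt.name"}  # widget title -> group_by facet


def build_intake_request(event, site, api_key):
    """Shape the Logs API intake call: ddsource tag, DD-API-KEY header, per-site host."""
    url = f"https://http-intake.logs.{site}/api/v2/logs"
    headers = {"DD-API-KEY": api_key, "Content-Type": "application/json"}
    body = [{"ddsource": "spoofsentry", "ddtags": "integration:spoofsentry", **event}]
    return url, headers, json.dumps(body)


def apply_pipeline(event):
    """Replay the remappers and category processor on one log (flat, dotted keys)."""
    attrs = dict(event)
    for p in PROCESSORS:
        if p["type"] == "attribute-remapper":  # move value; source dropped (preserveSource false)
            for src in p["sources"]:
                if src in attrs:
                    attrs[p["target"]] = attrs.pop(src)
        elif p["type"] == "category-processor":  # first matching `@attr:value` filter wins
            for cat in p["categories"]:
                path, value = cat["filter"]["query"].lstrip("@").split(":", 1)
                if attrs.get(path) == value:
                    attrs[p["target"]] = cat["name"]
                    break
    return attrs


def unresolved_facets(processed, widget_facets=WIDGET_FACETS):
    """Widgets whose facet has no value on the processed log (they would render empty).
    Reserved attributes such as host are only present if the sender sets them."""
    return {title: facet for title, facet in widget_facets.items()
            if facet.lstrip("@") not in processed}
```

Running apply_pipeline(SAMPLE_EVENT) and then unresolved_facets on the result reports {'Events by domain': 'host'}, because the sample sets no hostname while the monitored domain lands at @network.destination.domain after the remapper. Processor order matters: the category processor matches on @status, so it must run after the severity remapper, as it does here.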


@domalessi domalessi left a comment


Editorial review — SpoofSentry integration

Thanks for the submission! The integration looks well structured overall. A few things to address before this can be approved:

Blocking

  • The manifest references README.md#Uninstallation but the README has no ## Uninstallation section. Add a brief one (see inline comment on manifest.json).

Must fix

  • Missing Validation subsection: Add a ### Validation step under ## Setup explaining how users can confirm the integration is working — for example, by navigating to Logs and filtering by source:spoofsentry.
  • Missing Data Collected subsections: The README is missing ### Metrics, ### Service Checks, and ### Events under ## Data Collected. Each should include a statement such as "The SpoofSentry integration does not include any metrics." See the standard README template for reference.

See inline comments for additional must-fix and suggestion items.

Comment thread spoofsentry/README.md Outdated
Comment on lines +16 to +21
1. Log in to [SpoofSentry](https://spoofsentry.com)
2. Go to **Settings > Integrations > SIEM**
3. Select **Datadog**
4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys)
5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`)
6. Click **Test Connection** to verify

Suggested change
1. Log in to [SpoofSentry](https://spoofsentry.com)
2. Go to **Settings > Integrations > SIEM**
3. Select **Datadog**
4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys)
5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`)
6. Click **Test Connection** to verify
1. Log in to [SpoofSentry](https://spoofsentry.com).
2. Go to **Settings > Integrations > SIEM**.
3. Select **Datadog**.
4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys).
5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`).
6. Click **Test Connection** to verify,

Comment thread spoofsentry/README.md Outdated

### In Datadog

Events appear automatically in **Logs** with `source:spoofsentry`. The pre-built dashboard is installed with this integration.

Suggested change
Events appear automatically in **Logs** with `source:spoofsentry`. The pre-built dashboard is installed with this integration.
Events appear automatically in **Logs** with `source:spoofsentry`. A prebuilt dashboard is installed with this integration.

Comment thread spoofsentry/README.md Outdated

### In SpoofSentry

1. Log in to [SpoofSentry](https://spoofsentry.com)

Integration READMEs conventionally use reference-style links (e.g., [SpoofSentry][1] with [1]: https://spoofsentry.com at the bottom of the file) rather than inline URLs. Consider converting all links in this README to that format for consistency with the standard template.

Comment thread spoofsentry/README.md Outdated

| Field | Description |
|-------|-------------|
| `eventType` | Event classification (e.g., `SPOOF_THREAT_DETECTED`) |

Suggested change
| `eventType` | Event classification (e.g., `SPOOF_THREAT_DETECTED`) |
| `eventType` | Event classification (for example, `SPOOF_THREAT_DETECTED`) |

Comment thread spoofsentry/README.md Outdated

### Tags

All events include these tags:

Suggested change
All events include these tags:
All events include the following tags:


@domalessi domalessi left a comment


A few inline suggestions but nothing blocking. Approved!

Comment thread spoofsentry/README.md

The integration includes a log pipeline that:
- Maps `eventType` to `evt.name`
- Maps `severity` to log status

Is "log status" an attribute name? Ideally, this bullet would be parallel with the first and third bullets which include an attribute name.

{
"id": 1,
"definition": {
"title": "Security Events",

Suggested change
"title": "Security Events",
"title": "Security events",

{
"id": 2,
"definition": {
"title": "Critical & High Threats",

Suggested change
"title": "Critical & High Threats",
"title": "Critical and high threats",

{
"id": 3,
"definition": {
"title": "Events by Severity",

Suggested change
"title": "Events by Severity",
"title": "Events by severity",

{
"id": 4,
"definition": {
"title": "Events by Type",

Suggested change
"title": "Events by Type",
"title": "Events by type",

{
"id": 5,
"definition": {
"title": "Events by Domain",

Suggested change
"title": "Events by Domain",
"title": "Events by domain",

{
"id": 6,
"definition": {
"title": "Takedown Activity",

Suggested change
"title": "Takedown Activity",
"title": "Takedown activity",

{
"id": 7,
"definition": {
"title": "Recent Security Events",

Suggested change
"title": "Recent Security Events",
"title": "Recent security events",

@@ -0,0 +1,160 @@
{
"title": "SpoofSentry - Domain Security Overview",

Suggested change
"title": "SpoofSentry - Domain Security Overview",
"title": "SpoofSentry: Domain Security Overview",


Labels

editorial review Waiting on a more in-depth review from a docs team editor product/HOLD
