diff --git a/spoofsentry/README.md b/spoofsentry/README.md
new file mode 100644
index 0000000000..b1e9adba2d
--- /dev/null
+++ b/spoofsentry/README.md
@@ -0,0 +1,87 @@
+## Overview
+
+SpoofSentry by DomainSeal monitors your domains for email spoofing, DMARC failures, lookalike domain abuse, and phishing campaigns. This integration sends domain security events to Datadog for centralized logging, analysis, and alerting.
+
+Events include:
+- DMARC authentication failures with sender details
+- Spoofing campaign detections with IP attribution
+- Lookalike domain threats with risk scores
+- DNS enforcement changes (SPF, DKIM, DMARC policy)
+- Takedown orchestration lifecycle (created, dispatched, escalated, resolved)
+
+## Setup
+
+### In SpoofSentry
+
+1. Log in to [SpoofSentry][1].
+2. Go to **Settings > Integrations > SIEM**.
+3. Select **Datadog**.
+4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys).
+5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`).
+6. Click **Test Connection** to verify.
+
+### In Datadog
+
+Events appear automatically in **Logs** with `source:spoofsentry`. A prebuilt dashboard is installed with this integration.
+
+### Validation
+
+To confirm the integration is working:
+
+1. In SpoofSentry, send a test event from **Settings > Integrations > SIEM > Datadog > Test Connection**.
+2. In Datadog, navigate to **Logs** and filter by `source:spoofsentry`.
+3. Verify that test events appear with the expected fields (`eventType`, `severity`, `domain`).
+
+### Log Pipeline
+
+The integration includes a log pipeline that:
+- Maps `eventType` to `evt.name`
+- Maps `severity` to log status
+- Maps `domain` to `network.destination.domain`
+- Categorizes severity levels
+
+## Uninstallation
+
+1. In SpoofSentry, go to **Settings > Integrations > SIEM** and remove the Datadog configuration.
+2. In Datadog, uninstall the SpoofSentry integration from **Integrations > Integrations**.
+
+## Data Collected
+
+### Logs
+
+SpoofSentry sends domain security events as JSON logs through the Datadog Logs API.
+
+| Field | Description |
+|-------|-------------|
+| `eventType` | Event classification (for example, `SPOOF_THREAT_DETECTED`) |
+| `severity` | `critical`, `high`, `medium`, `low`, `info` |
+| `domain` | Target domain |
+| `tenantId` | Customer tenant identifier |
+| `message` | Human-readable event summary |
+
+### Metrics
+
+The SpoofSentry integration does not include any metrics.
+
+### Service Checks
+
+The SpoofSentry integration does not include any service checks.
+
+### Events
+
+The SpoofSentry integration does not include any events.
+
+### Tags
+
+All events include the following tags:
+- `service:spoofsentry`
+- `event_type:`
+- `severity:`
+- `domain:`
+
+## Support
+
+Need help? Contact [SpoofSentry support][2].
+
+[1]: https://spoofsentry.com
+[2]: mailto:hello@spoofsentry.com
diff --git a/spoofsentry/assets/dashboards/spoofsentry.json b/spoofsentry/assets/dashboards/spoofsentry.json
new file mode 100644
index 0000000000..b04455eb86
--- /dev/null
+++ b/spoofsentry/assets/dashboards/spoofsentry.json
@@ -0,0 +1,160 @@
+{
+ "title": "SpoofSentry - Domain Security Overview",
+ "description": "DMARC monitoring, spoofing detection, lookalike domains, and takedown orchestration events from SpoofSentry.",
+ "widgets": [
+ {
+ "id": 1,
+ "definition": {
+ "title": "Security Events",
+ "type": "query_value",
+ "requests": [
+ {
+ "queries": [
+ {
+ "data_source": "logs",
+ "name": "query1",
+ "search": { "query": "source:spoofsentry" },
+ "indexes": ["*"],
+ "compute": { "aggregation": "count" }
+ }
+ ],
+ "response_format": "scalar"
+ }
+ ]
+ }
+ },
+ {
+ "id": 2,
+ "definition": {
+ "title": "Critical & High Threats",
+ "type": "query_value",
+ "requests": [
+ {
+ "queries": [
+ {
+ "data_source": "logs",
+ "name": "query1",
+ "search": { "query": "source:spoofsentry (severity:critical OR severity:high)" },
+ "indexes": ["*"],
+ "compute": { "aggregation": "count" }
+ }
+ ],
+ "response_format": "scalar"
+ }
+ ]
+ }
+ },
+ {
+ "id": 3,
+ "definition": {
+ "title": "Events by Severity",
+ "type": "timeseries",
+ "requests": [
+ {
+ "queries": [
+ {
+ "data_source": "logs",
+ "name": "query1",
+ "search": { "query": "source:spoofsentry" },
+ "indexes": ["*"],
+ "compute": { "aggregation": "count" },
+ "group_by": [
+ { "facet": "@severity", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } }
+ ]
+ }
+ ],
+ "response_format": "timeseries",
+ "display_type": "bars"
+ }
+ ]
+ }
+ },
+ {
+ "id": 4,
+ "definition": {
+ "title": "Events by Type",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "data_source": "logs",
+ "name": "query1",
+ "search": { "query": "source:spoofsentry" },
+ "indexes": ["*"],
+ "compute": { "aggregation": "count" },
+ "group_by": [
+ { "facet": "@eventType", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+ ]
+ }
+ ],
+ "response_format": "scalar"
+ }
+ ]
+ }
+ },
+ {
+ "id": 5,
+ "definition": {
+ "title": "Events by Domain",
+ "type": "toplist",
+ "requests": [
+ {
+ "queries": [
+ {
+ "data_source": "logs",
+ "name": "query1",
+ "search": { "query": "source:spoofsentry" },
+ "indexes": ["*"],
+ "compute": { "aggregation": "count" },
+ "group_by": [
+ { "facet": "@network.destination.domain", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+ ]
+ }
+ ],
+ "response_format": "scalar"
+ }
+ ]
+ }
+ },
+ {
+ "id": 6,
+ "definition": {
+ "title": "Takedown Activity",
+ "type": "timeseries",
+ "requests": [
+ {
+ "queries": [
+ {
+ "data_source": "logs",
+ "name": "query1",
+ "search": { "query": "source:spoofsentry @eventType:(TAKEDOWN_*)" },
+ "indexes": ["*"],
+ "compute": { "aggregation": "count" },
+ "group_by": [
+ { "facet": "@eventType", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } }
+ ]
+ }
+ ],
+ "response_format": "timeseries",
+ "display_type": "line"
+ }
+ ]
+ }
+ },
+ {
+ "id": 7,
+ "definition": {
+ "title": "Recent Security Events",
+ "type": "log_stream",
+ "query": "source:spoofsentry",
+ "columns": ["@eventType", "@severity", "@network.destination.domain", "@tenantId"],
+ "sort": { "column": "time", "order": "desc" },
+ "message_display": "expanded-md"
+ }
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
diff --git a/spoofsentry/assets/logs/spoofsentry.yaml b/spoofsentry/assets/logs/spoofsentry.yaml
new file mode 100644
index 0000000000..55bb78521a
--- /dev/null
+++ b/spoofsentry/assets/logs/spoofsentry.yaml
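Review bot: The "Critical & High Threats" query_value widget filters on `severity:critical OR severity:high` without the `@` prefix, which Datadog log search treats as a tag filter, while the "Events by Severity" group_by, the log_stream columns and the pipeline all treat severity as the `@severity` attribute. If the events carry severity only as a JSON attribute, this headline count silently stays at zero; the README does list a `severity:` tag, but keying one widget on the tag and the rest on the attribute is fragile. Make it consistent with its neighbours: `"search": { "query": "source:spoofsentry (@severity:critical OR @severity:high)" }`. The group_by facets (`@severity`, `@eventType`, `@network.destination.domain`) also presume those attributes exist as facets; I do not see facet declarations or a sample-log test file in this diff, so worth confirming they are created elsewhere.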
@@ -0,0 +1,67 @@
+id: spoofsentry
+type: pipeline
+name: SpoofSentry
+enabled: true
+filter:
+ query: "source:spoofsentry"
+processors:
+ - type: attribute-remapper
+ name: Map eventType to evt.name
+ enabled: true
+ sources:
+ - eventType
+ target: evt.name
+ preserveSource: true
+ sourceType: attribute
+ targetType: attribute
+
+ - type: attribute-remapper
+ name: Map severity to log status
+ enabled: true
+ sources:
+ - severity
+ target: status
+ preserveSource: true
+ sourceType: attribute
+ targetType: attribute
+
+ - type: attribute-remapper
+ name: Map domain to network.destination.domain
+ enabled: true
+ sources:
+ - domain
+ target: network.destination.domain
+ preserveSource: true
+ sourceType: attribute
+ targetType: attribute
+
+ - type: attribute-remapper
+ name: Map tenantId to usr.id
+ enabled: true
+ sources:
+ - tenantId
+ target: usr.id
+ preserveSource: true
+ sourceType: attribute
+ targetType: attribute
+
+ - type: category-processor
+ name: Categorize severity levels
+ enabled: true
+ categories:
+ - filter:
+ query: "@severity:critical"
+ name: Critical
+ - filter:
+ query: "@severity:high"
+ name: High
+ - filter:
+ query: "@severity:medium"
+ name: Medium
+ - filter:
+ query: "@severity:low"
+ name: Low
+ - filter:
+ query: "@severity:info"
+ name: Info
+ target: severity_category
diff --git a/spoofsentry/assets/service_checks.json b/spoofsentry/assets/service_checks.json
new file mode 100644
index 0000000000..fe51488c70
--- /dev/null
+++ b/spoofsentry/assets/service_checks.json
@@ -0,0 +1 @@
+[]
diff --git a/spoofsentry/manifest.json b/spoofsentry/manifest.json
new file mode 100644
index 0000000000..e89cd7c35c
--- /dev/null
+++ b/spoofsentry/manifest.json
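Review bot: The "Map severity to log status" processor is an `attribute-remapper` with `target: status`, which only writes a custom attribute named status; Datadog's official log status is set by the `status-remapper` processor, so critical/high events will still be indexed at the default status and the README's "Maps severity to log status" is not actually delivered. A status remapper pointed straight at `severity` would not help much either, because I believe it only recognises syslog-style names (emergency, alert, critical, error, warning, notice, info, debug) and folds `high`, `medium` and `low` into info. The cleaner route is to have the existing category processor emit Datadog status names and then feed its target to a status remapper, dropping the attribute remapper to `status`; the mapping below is a suggested translation, adjust to taste. Separately, `tenantId` → `usr.id` overloads the user-identity attribute with a tenant identifier and is absent from the README's pipeline list, so either document it or map it to a tenant-specific attribute instead.
```yaml
# … unchanged: eventType, domain and tenantId attribute remappers …
  - type: category-processor
    name: Translate severity to Datadog status
    enabled: true
    categories:
      - filter:
          query: "@severity:critical"
        name: critical
      - filter:
          query: "@severity:high"
        name: error
      - filter:
          query: "@severity:medium"
        name: warning
      - filter:
          query: "@severity:low"
        name: notice
      - filter:
          query: "@severity:info"
        name: info
    target: severity_category

  - type: status-remapper
    name: Set official log status from severity_category
    enabled: true
    sources:
      - severity_category
```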
@@ -0,0 +1,48 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "87ffb85e-b1e8-4f3d-8978-ce5a2d43036f",
+ "app_id": "spoofsentry",
+ "display_on_public_website": true,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "uninstallation": "README.md#Uninstallation",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
+ "title": "SpoofSentry",
+ "media": [],
+ "classifier_tags": [
+ "Category::Security",
+ "Category::Log Collection",
+ "Category::Notifications",
+ "Submitted Data Type::Logs",
+ "Offering::Integration"
+ ]
+ },
+ "assets": {
+ "dashboards": {
+ "SpoofSentry - Domain Security Overview": "assets/dashboards/spoofsentry.json"
+ },
+ "logs": {
+ "source": "spoofsentry"
+ },
+ "integration": {
+ "source_type_name": "SpoofSentry",
+ "auto_install": true,
+ "configuration": {},
+ "events": {
+ "creates_events": false
+ },
+ "service_checks": {
+ "metadata_path": "assets/service_checks.json"
+ }
+ }
+ },
+ "author": {
+ "homepage": "https://spoofsentry.com",
+ "name": "DomainSeal",
+ "support_email": "hello@spoofsentry.com",
+ "sales_email": "hello@spoofsentry.com"
+ }
+}
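Review bot: `assets.integration` declares `events` and `service_checks` but no `metrics` entry, and `tile.changelog` points at `CHANGELOG.md`, which is not among the files added in this diff as shown. As far as I recall the 2.0 manifest schema expects a `metrics` object even for a logs-only tile, along the lines of `"metrics": { "prefix": "spoofsentry.", "check": "", "metadata_path": "metadata.csv" }` with an empty `metadata.csv` beside it, so the manifest validator may reject this as-is; worth confirming with the repository's validation tooling before merge, and adding the changelog if it lives nowhere else in the PR. Separately, `Category::Notifications` sits oddly on an integration whose README states it creates no events and submits only logs; `Category::Security` and `Category::Log Collection` already describe it, so consider dropping the third tag to keep the tile's classification honest.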