From db18c9563e09d596102bfae2b729cd3232b103fc Mon Sep 17 00:00:00 2001 From: netallion Date: Thu, 9 Apr 2026 22:18:36 +1200 Subject: [PATCH 1/6] Add SpoofSentry integration: DMARC monitoring, spoofing detection, and takedown events SpoofSentry by DomainSeal sends domain security events to Datadog via the Logs API. Includes: - Integration tile with manifest and classifier tags - Pre-built dashboard (7 widgets: event counts, severity timeseries, threat toplist, domain breakdown, takedown activity, log stream) - Log pipeline with attribute remapping (eventType, severity, domain, tenantId) - Setup documentation Event types: DMARC failures, spoofing campaigns, lookalike domains, DNS enforcement changes, takedown orchestration lifecycle. Severity levels: critical, high, medium, low, info Sourcetype: spoofsentry (ddsource tag) Auth: DD-API-KEY header Multi-site: datadoghq.com (US), datadoghq.eu (EU) --- spoofsentry/README.md | 61 +++++++ .../assets/dashboards/spoofsentry.json | 160 ++++++++++++++++++ spoofsentry/assets/logs/spoofsentry.yaml | 67 ++++++++ spoofsentry/manifest.json | 37 ++++ 4 files changed, 325 insertions(+) create mode 100644 spoofsentry/README.md create mode 100644 spoofsentry/assets/dashboards/spoofsentry.json create mode 100644 spoofsentry/assets/logs/spoofsentry.yaml create mode 100644 spoofsentry/manifest.json diff --git a/spoofsentry/README.md b/spoofsentry/README.md new file mode 100644 index 0000000000..2508af4e84 --- /dev/null +++ b/spoofsentry/README.md 
@@ -0,0 +1,61 @@ +## Overview + +SpoofSentry by DomainSeal monitors your domains for email spoofing, DMARC failures, lookalike domain abuse, and phishing campaigns. This integration sends domain security events to Datadog for centralized logging, analysis, and alerting. + +Events include: +- DMARC authentication failures with sender details +- Spoofing campaign detections with IP attribution +- Lookalike domain threats with risk scores +- DNS enforcement changes (SPF, DKIM, DMARC policy) +- Takedown orchestration lifecycle (created, dispatched, escalated, resolved) + +## Setup + +### In SpoofSentry + +1. Log in to [SpoofSentry](https://spoofsentry.com) +2. Go to **Settings > Integrations > SIEM** +3. Select **Datadog** +4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys) +5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`) +6. Click **Test Connection** to verify + +### In Datadog + +Events appear automatically in **Logs** with `source:spoofsentry`. The pre-built dashboard is installed with this integration. + +### Log Pipeline + +A log pipeline is included that: +- Maps `eventType` to `evt.name` +- Maps `severity` to log status +- Maps `domain` to `network.destination.domain` +- Categorizes severity levels + +## Data Collected + +### Logs + +SpoofSentry sends domain security events as JSON logs via the Datadog Logs API. 
+ +| Field | Description | +|-------|-------------| +| `eventType` | Event classification (e.g., `SPOOF_THREAT_DETECTED`) | +| `severity` | `critical`, `high`, `medium`, `low`, `info` | +| `domain` | Target domain | +| `tenantId` | Customer tenant identifier | +| `message` | Human-readable event summary | + +### Tags + +All events include these tags: +- `service:spoofsentry` +- `event_type:` +- `severity:` +- `domain:` + +## Support + +- Email: hello@spoofsentry.com +- Documentation: [https://spoofsentry.com/docs/integrations/datadog](https://spoofsentry.com/docs/integrations/datadog) +- Status: [https://spoofsentry.com/status](https://spoofsentry.com/status) diff --git a/spoofsentry/assets/dashboards/spoofsentry.json b/spoofsentry/assets/dashboards/spoofsentry.json new file mode 100644 index 0000000000..c422834256 --- /dev/null +++ b/spoofsentry/assets/dashboards/spoofsentry.json 
@@ -0,0 +1,160 @@ +{ + "title": "SpoofSentry - Domain Security Overview", + "description": "DMARC monitoring, spoofing detection, lookalike domains, and takedown orchestration events from SpoofSentry.", + "widgets": [ + { + "id": 1, + "definition": { + "title": "Security Events (24h)", + "type": "query_value", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "search": { "query": "source:spoofsentry" }, + "indexes": ["*"], + "compute": { "aggregation": "count" } + } + ], + "response_format": "scalar" + } + ] + } + }, + { + "id": 2, + "definition": { + "title": "Critical & High Threats (24h)", + "type": "query_value", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "search": { "query": "source:spoofsentry (severity:critical OR severity:high)" }, + "indexes": ["*"], + "compute": { "aggregation": "count" } + } + ], + "response_format": "scalar" + } + ] + } + }, + { + "id": 3, + "definition": { + "title": "Events by Severity", + "type": "timeseries", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "search": { "query": "source:spoofsentry" }, + "indexes": ["*"], + "compute": { "aggregation": "count" }, + "group_by": [ + { "facet": "@severity", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } } + ] + } + ], + "response_format": "timeseries", + "display_type": "bars" + } + ] + } + }, + { + "id": 4, + "definition": { + "title": "Events by Type", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "search": { "query": "source:spoofsentry" }, + "indexes": ["*"], + "compute": { "aggregation": "count" }, + "group_by": [ + { "facet": "@eventType", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } } + ] + } + ], + "response_format": "scalar" + } + ] + } + }, + { + "id": 5, + "definition": { + "title": "Events by Domain", + "type": "toplist", + "requests": [ + { + "queries": [ + { + 
"data_source": "logs", + "name": "query1", + "search": { "query": "source:spoofsentry" }, + "indexes": ["*"], + "compute": { "aggregation": "count" }, + "group_by": [ + { "facet": "host", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } } + ] + } + ], + "response_format": "scalar" + } + ] + } + }, + { + "id": 6, + "definition": { + "title": "Takedown Activity", + "type": "timeseries", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "search": { "query": "source:spoofsentry @eventType:(TAKEDOWN_*)" }, + "indexes": ["*"], + "compute": { "aggregation": "count" }, + "group_by": [ + { "facet": "@eventType", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } } + ] + } + ], + "response_format": "timeseries", + "display_type": "line" + } + ] + } + }, + { + "id": 7, + "definition": { + "title": "Recent Security Events", + "type": "log_stream", + "query": "source:spoofsentry", + "columns": ["@eventType", "@severity", "host", "@tenantId"], + "sort": { "column": "time", "order": "desc" }, + "message_display": "expanded-md" + } + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} diff --git a/spoofsentry/assets/logs/spoofsentry.yaml b/spoofsentry/assets/logs/spoofsentry.yaml new file mode 100644 index 0000000000..55bb78521a --- /dev/null +++ b/spoofsentry/assets/logs/spoofsentry.yaml 
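Review bot: Widget 2's search `source:spoofsentry (severity:critical OR severity:high)` filters on a `severity` tag, while widget 3's group_by facet and widget 7's log-stream column read the log attribute `@severity`, so the two panels will disagree whenever an event carries the attribute but not the tag. The README in this series does list a `severity:` tag, but its value part is left blank there, so the patch itself does not show that the tag is sent. Switching widget 2 to the attribute form, `"search": { "query": "source:spoofsentry (@severity:critical OR @severity:high)" }`, makes every panel depend on the same field that the pipeline also reads. Widget 5's `host` facet and the `(24h)` titles are corrected later in this series.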
@@ -0,0 +1,67 @@ +id: spoofsentry +type: pipeline +name: SpoofSentry +enabled: true +filter: + query: "source:spoofsentry" +processors: + - type: attribute-remapper + name: Map eventType to evt.name + enabled: true + sources: + - eventType + target: evt.name + preserveSource: true + sourceType: attribute + targetType: attribute + + - type: attribute-remapper + name: Map severity to log status + enabled: true + sources: + - severity + target: status + preserveSource: true + sourceType: attribute + targetType: attribute + + - type: attribute-remapper + name: Map domain to network.destination.domain + enabled: true + sources: + - domain + target: network.destination.domain + preserveSource: true + sourceType: attribute + targetType: attribute + + - type: attribute-remapper + name: Map tenantId to usr.id + enabled: true + sources: + - tenantId + target: usr.id + preserveSource: true + sourceType: attribute + targetType: attribute + + - type: category-processor + name: Categorize severity levels + enabled: true + categories: + - filter: + query: "@severity:critical" + name: Critical + - filter: + query: "@severity:high" + name: High + - filter: + query: "@severity:medium" + name: Medium + - filter: + query: "@severity:low" + name: Low + - filter: + query: "@severity:info" + name: Info + target: severity_category diff --git a/spoofsentry/manifest.json b/spoofsentry/manifest.json new file mode 100644 index 0000000000..176631d24d --- /dev/null +++ b/spoofsentry/manifest.json 
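Review bot: The second processor maps `severity` to `status` with `type: attribute-remapper`, which only writes an attribute named `status`; the README says this mapping sets the log status, and in Datadog pipelines that is done by the `status-remapper` processor type, so the intent and the processor type appear to disagree. Even with a status remapper, `high`, `medium` and `low` are not syslog-style status names, so a mapping step into standard levels (for example `high` to `error`, `medium` to `warning`) would be needed; the existing category-processor writes `severity_category` with the same five names and does not provide that. Separately, the fourth processor maps `tenantId` to `usr.id`, which the README's pipeline list never mentions and which presents a customer tenant as a user identity in anything that reads `usr.id`. Add a processor comment such as `# tenantId is the customer tenant, not an end user; remapped to usr.id for search convenience` or move it to a tenant-specific attribute, and list the mapping in the README.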
@@ -0,0 +1,37 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "spoofsentry-domainseal",
+ "app_id": "spoofsentry",
+ "display_on_public_website": true,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Ingest DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
+ "title": "SpoofSentry",
+ "media": [],
+ "classifier_tags": [
+ "Category::Security",
+ "Category::Log Collection",
+ "Category::Notifications",
+ "Submitted Data Type::Logs",
+ "Offering::Integration"
+ ]
+ },
+ "assets": {
+ "dashboards": {
+ "SpoofSentry - Domain Security Overview": "assets/dashboards/spoofsentry.json"
+ },
+ "logs": {
+ "spoofsentry": "assets/logs/spoofsentry.yaml"
+ },
+ "monitors": {}
+ },
+ "author": {
+ "homepage": "https://spoofsentry.com",
+ "name": "DomainSeal",
+ "support_email": "hello@spoofsentry.com",
+ "sales_email": "hello@spoofsentry.com"
+ }
+}
From 9ed61807693f1920a0f8eb4b38b5e60288b24eda Mon Sep 17 00:00:00 2001
From: netallion
Date: Mon, 13 Apr 2026 13:21:48 +1200
Subject: [PATCH 2/6] fix: correct app_uuid, logs asset structure, add integration block
---
 spoofsentry/manifest.json | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/spoofsentry/manifest.json b/spoofsentry/manifest.json
index 176631d24d..c5b7df6185 100644
--- a/spoofsentry/manifest.json
+++ b/spoofsentry/manifest.json
@@ -1,11 +1,12 @@
 {
 "manifest_version": "2.0.0",
- "app_uuid": "spoofsentry-domainseal",
+ "app_uuid": "87ffb85e-b1e8-4f3d-8978-ce5a2d43036f",
 "app_id": "spoofsentry",
 "display_on_public_website": true,
 "tile": {
 "overview": "README.md#Overview",
 "configuration": "README.md#Setup",
+ "uninstallation": "README.md#Uninstallation",
 "support": "README.md#Support",
 "changelog": "CHANGELOG.md",
 "description": "Ingest DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
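Review bot: The tile's `"changelog": "CHANGELOG.md"` points at a file that this patch series never creates; the diffstat lists only README.md, the dashboard JSON, the pipeline YAML and manifest.json, so the tile's changelog reference will dangle at install time. Either add a `CHANGELOG.md` with an initial-release entry in the same change or drop the key until one exists. The `app_uuid` value here is corrected in the next patch of the series, so that point is not repeated.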
@@ -24,9 +25,19 @@
 "SpoofSentry - Domain Security Overview": "assets/dashboards/spoofsentry.json"
 },
 "logs": {
- "spoofsentry": "assets/logs/spoofsentry.yaml"
+ "source": "spoofsentry"
 },
- "monitors": {}
+ "integration": {
+ "source_type_name": "SpoofSentry",
+ "auto_install": true,
+ "configuration": {},
+ "events": {
+ "creates_events": false
+ },
+ "service_checks": {
+ "metadata_path": "assets/service_checks.json"
+ }
+ }
 },
 "author": {
 "homepage": "https://spoofsentry.com",
From 7eb8ce6454fb9f28c74d84595154f97017586964 Mon Sep 17 00:00:00 2001
From: netallion
Date: Mon, 13 Apr 2026 13:21:55 +1200
Subject: [PATCH 3/6] add empty service_checks.json
---
 spoofsentry/assets/service_checks.json | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 spoofsentry/assets/service_checks.json
diff --git a/spoofsentry/assets/service_checks.json b/spoofsentry/assets/service_checks.json
new file mode 100644
index 0000000000..fe51488c70
--- /dev/null
+++ b/spoofsentry/assets/service_checks.json
@@ -0,0 +1 @@
+[]
From a9e83e036f8b3231075197be0be040e6374e6704 Mon Sep 17 00:00:00 2001
From: netallion
Date: Thu, 16 Apr 2026 19:01:17 +1200
Subject: [PATCH 4/6] =?UTF-8?q?fix:=20address=20editorial=20review=20?= =?UTF-8?q?=E2=80=94=20README=20restructure?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 spoofsentry/README.md | 54 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/spoofsentry/README.md b/spoofsentry/README.md
index 2508af4e84..b1e9adba2d 100644
--- a/spoofsentry/README.md
+++ b/spoofsentry/README.md
@@ -13,42 +13,67 @@ Events include: ### In SpoofSentry -1. Log in to [SpoofSentry](https://spoofsentry.com) -2. Go to **Settings > Integrations > SIEM** -3. Select **Datadog** -4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys) -5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`) -6. Click **Test Connection** to verify +1. Log in to [SpoofSentry][1]. +2. Go to **Settings > Integrations > SIEM**. +3. Select **Datadog**. +4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys). +5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`). +6. Click **Test Connection** to verify. ### In Datadog -Events appear automatically in **Logs** with `source:spoofsentry`. The pre-built dashboard is installed with this integration. +Events appear automatically in **Logs** with `source:spoofsentry`. A prebuilt dashboard is installed with this integration. + +### Validation + +To confirm the integration is working: + +1. In SpoofSentry, send a test event from **Settings > Integrations > SIEM > Datadog > Test Connection**. +2. In Datadog, navigate to **Logs** and filter by `source:spoofsentry`. +3. Verify that test events appear with the expected fields (`eventType`, `severity`, `domain`). ### Log Pipeline -A log pipeline is included that: +The integration includes a log pipeline that: - Maps `eventType` to `evt.name` - Maps `severity` to log status - Maps `domain` to `network.destination.domain` - Categorizes severity levels +## Uninstallation + +1. In SpoofSentry, go to **Settings > Integrations > SIEM** and remove the Datadog configuration. +2. In Datadog, uninstall the SpoofSentry integration from **Integrations > Integrations**. + ## Data Collected ### Logs -SpoofSentry sends domain security events as JSON logs via the Datadog Logs API. +SpoofSentry sends domain security events as JSON logs through the Datadog Logs API. 
| Field | Description | |-------|-------------| -| `eventType` | Event classification (e.g., `SPOOF_THREAT_DETECTED`) | +| `eventType` | Event classification (for example, `SPOOF_THREAT_DETECTED`) | | `severity` | `critical`, `high`, `medium`, `low`, `info` | | `domain` | Target domain | | `tenantId` | Customer tenant identifier | | `message` | Human-readable event summary | +### Metrics + +The SpoofSentry integration does not include any metrics. + +### Service Checks + +The SpoofSentry integration does not include any service checks. + +### Events + +The SpoofSentry integration does not include any events. + ### Tags -All events include these tags: +All events include the following tags: - `service:spoofsentry` - `event_type:` - `severity:` @@ -56,6 +81,7 @@ All events include these tags: ## Support -- Email: hello@spoofsentry.com -- Documentation: [https://spoofsentry.com/docs/integrations/datadog](https://spoofsentry.com/docs/integrations/datadog) -- Status: [https://spoofsentry.com/status](https://spoofsentry.com/status) +Need help? Contact [SpoofSentry support][2]. + +[1]: https://spoofsentry.com +[2]: mailto:hello@spoofsentry.com From 5d64ac3f65b5e25945d8569a1a57e32c86cf571d Mon Sep 17 00:00:00 2001 From: netallion Date: Thu, 16 Apr 2026 19:01:40 +1200 Subject: [PATCH 5/6] fix: remove (24h) suffixes, use @network.destination.domain facet --- spoofsentry/assets/dashboards/spoofsentry.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spoofsentry/assets/dashboards/spoofsentry.json b/spoofsentry/assets/dashboards/spoofsentry.json index c422834256..b04455eb86 100644 --- a/spoofsentry/assets/dashboards/spoofsentry.json +++ b/spoofsentry/assets/dashboards/spoofsentry.json @@ -5,7 +5,7 @@ { "id": 1, "definition": { - "title": "Security Events (24h)", + "title": "Security Events", "type": "query_value", "requests": [ { 
@@ -26,7 +26,7 @@
 {
 "id": 2,
 "definition": {
- "title": "Critical & High Threats (24h)",
+ "title": "Critical & High Threats",
 "type": "query_value",
 "requests": [
 {
@@ -108,7 +108,7 @@
 "indexes": ["*"],
 "compute": { "aggregation": "count" },
 "group_by": [
- { "facet": "host", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+ { "facet": "@network.destination.domain", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
 ]
 }
 ],
@@ -148,7 +148,7 @@
 "title": "Recent Security Events",
 "type": "log_stream",
 "query": "source:spoofsentry",
- "columns": ["@eventType", "@severity", "host", "@tenantId"],
+ "columns": ["@eventType", "@severity", "@network.destination.domain", "@tenantId"],
 "sort": { "column": "time", "order": "desc" },
 "message_display": "expanded-md"
 }
From a3da5fad16e941bf7346fddec3773341432954d3 Mon Sep 17 00:00:00 2001
From: netallion
Date: Thu, 16 Apr 2026 19:02:09 +1200
Subject: [PATCH 6/6] fix: trim tile description to under 80 chars
---
 spoofsentry/manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spoofsentry/manifest.json b/spoofsentry/manifest.json
index c5b7df6185..e89cd7c35c 100644
--- a/spoofsentry/manifest.json
+++ b/spoofsentry/manifest.json
@@ -9,7 +9,7 @@
 "uninstallation": "README.md#Uninstallation",
 "support": "README.md#Support",
 "changelog": "CHANGELOG.md",
- "description": "Ingest DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
+ "description": "DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
 "title": "SpoofSentry",
 "media": [],
 "classifier_tags": [
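Review bot: The `@network.destination.domain` facet in the `@@ -108` hunk (and the matching log-stream column in the `@@ -148` hunk) is only populated after the pipeline's attribute-remapper has run, and grouping on a custom attribute in a dashboard generally also needs a facet created for it; neither the facet nor a note about it is part of this series, so the "Events by Domain" toplist may render empty on a fresh install (inferred — the pipeline YAML is in an earlier patch). Because that remapper keeps the source with `preserveSource: true`, `@domain` is present on the same events and does not depend on the pipeline. Whichever attribute is chosen, a line in the README's Log Pipeline section stating that the dashboard groups by `@network.destination.domain` would tell operators what to check when the widget is blank.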