DataDog · netallion · Apr 9, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 16, 2026
@@ -0,0 +1,87 @@
+## Overview
+
+SpoofSentry by DomainSeal monitors your domains for email spoofing, DMARC failures, lookalike domain abuse, and phishing campaigns. This integration sends domain security events to Datadog for centralized logging, analysis, and alerting.
+
+Events include:
+- DMARC authentication failures with sender details
+- Spoofing campaign detections with IP attribution
+- Lookalike domain threats with risk scores
+- DNS enforcement changes (SPF, DKIM, DMARC policy)
+- Takedown orchestration lifecycle (created, dispatched, escalated, resolved)
+
+## Setup
+
+### In SpoofSentry
+
+1. Log in to [SpoofSentry][1].
+2. Go to **Settings > Integrations > SIEM**.
+3. Select **Datadog**.
+4. Enter your **Datadog API key** (from Datadog > Organization Settings > API Keys).
+5. Select your **Datadog site** (US: `datadoghq.com`, EU: `datadoghq.eu`).
+6. Click **Test Connection** to verify.
+
+### In Datadog
+
+Events appear automatically in **Logs** with `source:spoofsentry`. A prebuilt dashboard is installed with this integration.
+
+### Validation
+
+To confirm the integration is working:
+
+1. In SpoofSentry, send a test event from **Settings > Integrations > SIEM > Datadog > Test Connection**.
+2. In Datadog, navigate to **Logs** and filter by `source:spoofsentry`.
+3. Verify that test events appear with the expected fields (`eventType`, `severity`, `domain`).
+
+### Log Pipeline
+
+The integration includes a log pipeline that:
+- Maps `eventType` to `evt.name`
+- Maps `severity` to log status
+- Maps `domain` to `network.destination.domain`
+- Categorizes severity levels
+
+## Uninstallation
+
+1. In SpoofSentry, go to **Settings > Integrations > SIEM** and remove the Datadog configuration.
+2. In Datadog, uninstall the SpoofSentry integration from **Integrations > Integrations**.
+
+## Data Collected
+
+### Logs
+
+SpoofSentry sends domain security events as JSON logs through the Datadog Logs API.
+
+| Field | Description |
+|-------|-------------|
+| `eventType` | Event classification (for example, `SPOOF_THREAT_DETECTED`) |
+| `severity` | `critical`, `high`, `medium`, `low`, `info` |
+| `domain` | Target domain |
+| `tenantId` | Customer tenant identifier |
+| `message` | Human-readable event summary |
+
+### Metrics
+
+The SpoofSentry integration does not include any metrics.
+
+### Service Checks
+
+The SpoofSentry integration does not include any service checks.
+
+### Events
+
+The SpoofSentry integration does not include any events.
+
+### Tags
+
+All events include the following tags:
+- `service:spoofsentry`
+- `event_type:<type>`
+- `severity:<level>`
+- `domain:<domain>`
+
+## Support
+
+Need help? Contact [SpoofSentry support][2].
+
+[1]: https://spoofsentry.com
+[2]: mailto:hello@spoofsentry.com
@@ -0,0 +1,160 @@
+{
+  "title": "SpoofSentry - Domain Security Overview",
-  "title": "SpoofSentry - Domain Security Overview",
+  "title": "SpoofSentry: Domain Security Overview",
-  "title": "SpoofSentry - Domain Security Overview",
+  "title": "SpoofSentry: Domain Security Overview",
+  "description": "DMARC monitoring, spoofing detection, lookalike domains, and takedown orchestration events from SpoofSentry.",
+  "widgets": [
+    {
+      "id": 1,
+      "definition": {
+        "title": "Security Events",
-        "title": "Security Events",
+        "title": "Security events",
-        "title": "Security Events",
+        "title": "Security events",
+        "type": "query_value",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" }
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 2,
+      "definition": {
+        "title": "Critical & High Threats",
-        "title": "Critical & High Threats",
+        "title": "Critical and high threats",
-        "title": "Critical & High Threats",
+        "title": "Critical and high threats",
+        "type": "query_value",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry (severity:critical OR severity:high)" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" }
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 3,
+      "definition": {
+        "title": "Events by Severity",
-        "title": "Events by Severity",
+        "title": "Events by severity",
-        "title": "Events by Severity",
+        "title": "Events by severity",
+        "type": "timeseries",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@severity", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "timeseries",
+            "display_type": "bars"
+          }
+        ]
+      }
+    },
+    {
+      "id": 4,
+      "definition": {
+        "title": "Events by Type",
-        "title": "Events by Type",
+        "title": "Events by type",
-        "title": "Events by Type",
+        "title": "Events by type",
+        "type": "toplist",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@eventType", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 5,
+      "definition": {
+        "title": "Events by Domain",
-        "title": "Events by Domain",
+        "title": "Events by domain",
-        "title": "Events by Domain",
+        "title": "Events by domain",
+        "type": "toplist",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@network.destination.domain", "limit": 10, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "scalar"
+          }
+        ]
+      }
+    },
+    {
+      "id": 6,
+      "definition": {
+        "title": "Takedown Activity",
-        "title": "Takedown Activity",
+        "title": "Takedown activity",
-        "title": "Takedown Activity",
+        "title": "Takedown activity",
+        "type": "timeseries",
+        "requests": [
+          {
+            "queries": [
+              {
+                "data_source": "logs",
+                "name": "query1",
+                "search": { "query": "source:spoofsentry @eventType:(TAKEDOWN_*)" },
+                "indexes": ["*"],
+                "compute": { "aggregation": "count" },
+                "group_by": [
+                  { "facet": "@eventType", "limit": 5, "sort": { "aggregation": "count", "order": "desc" } }
+                ]
+              }
+            ],
+            "response_format": "timeseries",
+            "display_type": "line"
+          }
+        ]
+      }
+    },
+    {
+      "id": 7,
+      "definition": {
+        "title": "Recent Security Events",
-        "title": "Recent Security Events",
+        "title": "Recent security events",
-        "title": "Recent Security Events",
+        "title": "Recent security events",
+        "type": "log_stream",
+        "query": "source:spoofsentry",
+        "columns": ["@eventType", "@severity", "@network.destination.domain", "@tenantId"],
+        "sort": { "column": "time", "order": "desc" },
+        "message_display": "expanded-md"
+      }
+    }
+  ],
+  "layout_type": "ordered",
+  "notify_list": [],
+  "reflow_type": "fixed"
+}
@@ -0,0 +1,67 @@
+id: spoofsentry
+type: pipeline
+name: SpoofSentry
+enabled: true
+filter:
+  query: "source:spoofsentry"
+processors:
+  - type: attribute-remapper
+    name: Map eventType to evt.name
+    enabled: true
+    sources:
+      - eventType
+    target: evt.name
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: attribute-remapper
+    name: Map severity to log status
+    enabled: true
+    sources:
+      - severity
+    target: status
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: attribute-remapper
+    name: Map domain to network.destination.domain
+    enabled: true
+    sources:
+      - domain
+    target: network.destination.domain
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: attribute-remapper
+    name: Map tenantId to usr.id
+    enabled: true
+    sources:
+      - tenantId
+    target: usr.id
+    preserveSource: true
+    sourceType: attribute
+    targetType: attribute
+
+  - type: category-processor
+    name: Categorize severity levels
+    enabled: true
+    categories:
+      - filter:
+          query: "@severity:critical"
+        name: Critical
+      - filter:
+          query: "@severity:high"
+        name: High
+      - filter:
+          query: "@severity:medium"
+        name: Medium
+      - filter:
+          query: "@severity:low"
+        name: Low
+      - filter:
+          query: "@severity:info"
+        name: Info
+    target: severity_category
diff --git a/spoofsentry/assets/service_checks.json b/spoofsentry/assets/service_checks.json
@@ -0,0 +1 @@
+[]
@@ -0,0 +1,48 @@
+{
+  "manifest_version": "2.0.0",
+  "app_uuid": "87ffb85e-b1e8-4f3d-8978-ce5a2d43036f",
+  "app_id": "spoofsentry",
+  "display_on_public_website": true,
+  "tile": {
+    "overview": "README.md#Overview",
+    "configuration": "README.md#Setup",
+    "uninstallation": "README.md#Uninstallation",
+    "support": "README.md#Support",
+    "changelog": "CHANGELOG.md",
+    "description": "DMARC monitoring, spoofing detection, and takedown events from SpoofSentry",
+    "title": "SpoofSentry",
+    "media": [],
+    "classifier_tags": [
+      "Category::Security",
+      "Category::Log Collection",
+      "Category::Notifications",
+      "Submitted Data Type::Logs",
+      "Offering::Integration"
+    ]
+  },
+  "assets": {
+    "dashboards": {
+      "SpoofSentry - Domain Security Overview": "assets/dashboards/spoofsentry.json"
+    },
+    "logs": {
+      "source": "spoofsentry"
+    },
+    "integration": {
+      "source_type_name": "SpoofSentry",
+      "auto_install": true,
+      "configuration": {},
+      "events": {
+        "creates_events": false
+      },
+      "service_checks": {
+        "metadata_path": "assets/service_checks.json"
+      }
+    }
+  },
+  "author": {
+    "homepage": "https://spoofsentry.com",
+    "name": "DomainSeal",
+    "support_email": "hello@spoofsentry.com",
+    "sales_email": "hello@spoofsentry.com"
+  }
+}