
Add SpoofSentry integration#18360

Open
netallion wants to merge 1 commit into elastic:main from netallion:add-spoofsentry-v2

Conversation

@netallion

What does this PR do?

Adds a new community integration for SpoofSentry by DomainSeal — a DMARC monitoring, domain spoofing detection, and automated takedown platform.

SpoofSentry sends domain security events to Elastic via an HTTP endpoint input.

Includes

  • Integration manifest (http_endpoint input, Fleet-compatible)
  • Data stream (events) with ECS-compliant ingest pipeline
  • Field definitions (custom fields + ECS references + base fields)
  • Kibana dashboard (event counts, severity timeseries, domain breakdown, threat toplist)
  • Documentation (setup guide, ECS field mapping, log reference)
  • Changelog

Ingest Pipeline

The pipeline (data_stream/events/elasticsearch/ingest_pipeline/default.yml) processes incoming events:

  • Sets ECS base fields (event.kind: alert, event.dataset: spoofsentry.alert)
  • Remaps eventType → event.action, domain → host.domain, tenantId → labels.tenant_id
  • Maps severity strings (info/low/medium/high/critical) to ECS numeric severity (1-10)
  • Categorizes events into event.category and event.type based on event action

Event Types

  • DMARC authentication failures
  • Spoofing campaign detections
  • Lookalike domain threats
  • DNS enforcement changes (SPF, DKIM, DMARC policy)
  • Takedown orchestration lifecycle

Author

Adds a new integration for SpoofSentry by DomainSeal — a DMARC
monitoring, domain spoofing detection, and automated takedown platform.

Includes:
- Integration manifest with http_endpoint input
- Data stream (events) with ECS-compliant ingest pipeline
- Kibana dashboard (event counts, severity, domain breakdown)
- Field definitions (custom + ECS references)
- Documentation and changelog

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@netallion netallion requested a review from a team as a code owner April 13, 2026 01:44
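As an added illustration, the Python below models the normalisation steps the description lists for the ingest pipeline (ECS base fields, the three renames, severity-string to numeric mapping, and categorisation keyed on the action). It is not the PR's own pipeline, which is Elasticsearch ingest YAML with Painless scripts; the concrete severity numbers, the event.category/event.type pairs, the action names, and the three sample webhook events are this example's assumptions.

```python
import json
from typing import Any

# Assumed mapping of SpoofSentry severity strings onto the ECS 1-10 scale.
# The PR only states that info/low/medium/high/critical land in 1-10; the
# exact numbers here are this example's choice, not the PR's.
SEVERITY_TO_ECS: dict[str, int] = {
    "info": 1,
    "low": 3,
    "medium": 5,
    "high": 7,
    "critical": 9,
}

# Assumed event.category / event.type per event.action. The PR lists five
# event types but not the exact ECS categorisation, so these pairs are
# illustrative; they use only values ECS permits for those two fields.
ACTION_TO_CATEGORY: dict[str, tuple[list[str], list[str]]] = {
    "dmarc_failure": (["email", "authentication"], ["denied"]),
    "spoofing_campaign": (["threat"], ["indicator"]),
    "lookalike_domain": (["threat"], ["indicator"]),
    "dns_enforcement_change": (["configuration"], ["change"]),
    "takedown_update": (["threat"], ["change"]),
}

# Field renames as stated in the PR description: source key -> ECS path.
RENAMES: dict[str, tuple[str, ...]] = {
    "eventType": ("event", "action"),
    "domain": ("host", "domain"),
    "tenantId": ("labels", "tenant_id"),
}


def _set_path(doc: dict[str, Any], path: tuple[str, ...], value: Any) -> None:
    """Assign value at a nested path, creating intermediate objects as needed."""
    node = doc
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def normalize_event(raw: dict[str, Any]) -> dict[str, Any]:
    """Model of the pipeline: one decoded webhook body in, one ECS document out."""
    doc: dict[str, Any] = {
        "event": {
            "kind": "alert",
            "dataset": "spoofsentry.alert",
            # Keep the untouched payload for forensics / re-processing.
            "original": json.dumps(raw, sort_keys=True),
        },
    }

    # Renames: copy only present, non-empty values (like rename + ignore_missing).
    for src, path in RENAMES.items():
        if src in raw and raw[src] not in (None, ""):
            _set_path(doc, path, str(raw[src]))

    # Severity: case-insensitive lookup; unknown values are tagged, not dropped,
    # so a malformed or new severity string still reaches the index visibly.
    sev = str(raw.get("severity", "")).strip().lower()
    if sev in SEVERITY_TO_ECS:
        doc["event"]["severity"] = SEVERITY_TO_ECS[sev]
    else:
        doc.setdefault("tags", []).append("_severity_unmapped")

    # Categorisation keyed on the remapped event.action; unknown actions get
    # the neutral event.type "info" and no category rather than a guess.
    category, event_type = ACTION_TO_CATEGORY.get(
        doc["event"].get("action", ""), ([], ["info"])
    )
    if category:
        doc["event"]["category"] = category
    doc["event"]["type"] = event_type
    return doc


# Constructed sample webhook bodies (not real SpoofSentry output).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"eventType": "dmarc_failure", "domain": "example.com", "tenantId": 42, "severity": "high"},
    {"eventType": "lookalike_domain", "domain": "examp1e.com", "tenantId": 42, "severity": "CRITICAL"},
    {"eventType": "takedown_update", "domain": "examp1e.com", "tenantId": 42, "severity": "unknown"},
]


def normalize_all(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run the model over a batch, as the pipeline would per document."""
    return [normalize_event(e) for e in events]


if __name__ == "__main__":
    for document in normalize_all(SAMPLE_EVENTS):
        print(json.dumps(document, indent=2))
```

Two review points this model makes concrete: the lookup on severity is case-insensitive and an unmapped value is tagged rather than silently left empty, and an unrecognised action falls through to event.type "info" with no category, which is safer than assigning a category the event may not warrant.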
@cla-checker-service

❌ Author of the following commits did not sign a Contributor Agreement:
60d8c6c

Please read and sign the above-mentioned agreement if you want to contribute to this project.

@elastic-vault-github-plugin-prod

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@andrewkroh andrewkroh added needs CLA User must sign the Elastic Contributor License before review. New Integration Issue or pull request for creating a new integration package. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels Apr 13, 2026