
SIEM Integrations

Forward SpoofWard events and alerts to your Security Information and Event Management (SIEM) platform for centralized monitoring, correlation with other security data, and long-term retention. SpoofWard supports integration with Microsoft Sentinel and Splunk.

Enterprise Feature

SIEM integrations are available on Enterprise plans only. Contact your account manager to enable this feature.

Supported SIEM Platforms

  • Microsoft Sentinel — Forward events via the Log Analytics Data Collector API
  • Splunk — Forward events via the HTTP Event Collector (HEC)

Microsoft Sentinel Integration

Prerequisites

  • An active Microsoft Sentinel workspace in Azure
  • Your Log Analytics Workspace ID
  • A Shared Key (primary or secondary) from your Log Analytics workspace

Finding Your Credentials

  1. In the Azure portal, navigate to your Log Analytics workspace
  2. Go to Agents management (or Settings → Agents)
  3. Copy the Workspace ID
  4. Copy the Primary key (or Secondary key)

Configuring in SpoofWard

  1. Navigate to Settings → Integrations → SIEM
  2. Select Microsoft Sentinel
  3. Enter your Workspace ID
  4. Enter your Shared Key
  5. Optionally set a custom Log Type name (defaults to SpoofWard). This determines the table name in Sentinel: Log Analytics appends _CL to custom log types, so the default produces a table named SpoofWard_CL.
  6. Select which event types to forward (see Event Types below)
  7. Click Test Connection to send a test event to Sentinel
  8. Click Save

Tip

After connecting, it may take 15–30 minutes for the custom log table to appear in your Sentinel workspace. Run a query for SpoofWard_CL in Log Analytics to verify data is arriving.
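To verify the Workspace ID and Shared Key independently of the SpoofWard Test Connection button, the following added example (not SpoofWard's own code) signs and submits one constructed event to the Log Analytics Data Collector API the way Microsoft documents it; the credentials are placeholders and the Log-Type is the default SpoofWard, so the event lands in SpoofWard_CL.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Placeholders: use the Workspace ID and Shared Key copied from Agents management.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key").decode()
LOG_TYPE = "SpoofWard"  # surfaces in Sentinel as the SpoofWard_CL table


def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    # Canonical string: method, body length, content type, x-ms-date, resource.
    # Key is the base64-decoded Shared Key; the HMAC-SHA256 digest is re-encoded.
    string_to_sign = "\n".join(["POST", str(content_length), "application/json",
                                "x-ms-date:" + rfc1123_date, "/api/logs"])
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode(),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, events, now=None):
    # One batch is a JSON array; the signature covers its exact byte length.
    body = json.dumps(events).encode()
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "timestamp",  # use the event's own timestamp as TimeGenerated
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed test event that follows the documented SpoofWard event schema.
    event = {"event_type": "threat_alert", "severity": "low", "domain": "example.com",
             "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
             "tenant_id": "tenant-placeholder", "details": {"note": "connectivity test"}}
    with urllib.request.urlopen(build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE, [event]),
                                timeout=10) as resp:
        print("Sentinel accepted the batch with HTTP", resp.status)
```

A 403 from the API means the Workspace ID or Shared Key is wrong; a 200 followed by an empty SpoofWard_CL query usually just means the table has not finished provisioning yet.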

Splunk Integration

Prerequisites

  • A Splunk instance (Cloud or Enterprise) with the HTTP Event Collector enabled
  • An HEC Token configured for the target index
  • The HEC endpoint URL for your Splunk instance
  • The target Index where events should be stored

Setting Up the HEC Token in Splunk

  1. In Splunk, navigate to Settings → Data Inputs → HTTP Event Collector
  2. Click New Token
  3. Enter a name (e.g., "SpoofWard")
  4. Select the target index
  5. Set the source type to _json
  6. Click Submit and copy the generated token

Configuring in SpoofWard

  1. Navigate to Settings → Integrations → SIEM
  2. Select Splunk
  3. Enter your HEC Endpoint URL (e.g., https://your-splunk:8088)
  4. Enter your HEC Token
  5. Enter the target Index name
  6. Optionally set a Source value (defaults to spoofward)
  7. Select which event types to forward (see Event Types below)
  8. Click Test Connection to send a test event
  9. Click Save

Important

Ensure your Splunk HEC endpoint is accessible from the internet if you are using Splunk Enterprise on-premises. SpoofWard sends events from its cloud infrastructure and must be able to reach your HEC URL.
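The following added example (not SpoofWard's code) checks an HEC endpoint the same way the Troubleshooting section suggests: it hits the HEC health endpoint first, then posts one constructed event with the sourcetype, index and source values configured above, and reports Splunk's HEC response code so a bad token and a missing index can be told apart. The URL, token and index are placeholders.

```python
import json
import urllib.error
import urllib.request

# Placeholders: the HEC endpoint, token and index entered in SpoofWard's Splunk settings.
HEC_URL = "https://your-splunk:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
INDEX = "spoofward"

# HEC response codes that matter for this integration (0 = event accepted).
HEC_CODES = {0: "success", 1: "token disabled", 4: "invalid token",
             7: "incorrect index", 17: "HEC is healthy"}


def hec_envelope(event, index, source="spoofward"):
    # HEC wraps each payload in an envelope; sourcetype _json matches the token setup above.
    return {"event": event, "sourcetype": "_json", "index": index, "source": source}


def build_hec_request(hec_url, token, index, event, source="spoofward"):
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(hec_envelope(event, index, source)).encode(),
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
        method="POST")


def call_hec(req):
    # Returns (http_status, hec_code, text); HEC puts code/text in the body even on 4xx.
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        body = json.loads(raw)
    except ValueError:
        body = {}
    code = body.get("code")
    return status, code, HEC_CODES.get(code, body.get("text", "unknown response"))


if __name__ == "__main__":
    health = urllib.request.Request(HEC_URL.rstrip("/") + "/services/collector/health")
    print("health:", call_hec(health))  # expect HTTP 200, code 17
    # Constructed test event in the SpoofWard schema.
    event = {"event_type": "threat_alert", "severity": "low", "domain": "example.com",
             "timestamp": "2024-05-01T10:15:00Z", "tenant_id": "tenant-placeholder",
             "details": {"note": "connectivity test"}}
    print("event:", call_hec(build_hec_request(HEC_URL, HEC_TOKEN, INDEX, event)))
```

A health check that times out while the event post is never reached is the firewall case from Troubleshooting; HTTP 403 with code 4 is the token, and HTTP 400 with code 7 is the index.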

Event Types

Select which categories of events SpoofWard forwards to your SIEM. You can enable or disable each type independently.

  • DNS Changes — Records added, modified, or removed for monitored domains (DMARC, SPF, DKIM, MX, CNAME, TXT)
  • Authentication Failures — DMARC, SPF, or DKIM authentication failures detected in aggregate or forensic reports
  • Threat Alerts — Spoofing attempts, lookalike domain detections, and brand impersonation events
  • Anomalies — Unusual patterns such as sudden volume spikes, new sending sources, or geographic anomalies
  • Domain Health Changes — Changes to DNS health scores, new issues detected, or issues resolved
  • User Activity — Audit log events including logins, configuration changes, and administrative actions

Event Schema

All events forwarded to your SIEM follow a consistent JSON schema:

  • event_type — The category of event (e.g., dns_change, threat_alert)
  • severity — Event severity: low, medium, high, or critical
  • domain — The affected domain name
  • timestamp — ISO 8601 timestamp of the event
  • tenant_id — Your SpoofWard workspace identifier
  • details — An object containing event-specific data
  • source_ip — Relevant source IP address (where applicable)
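As an added example (not part of the SpoofWard documentation), the following code validates incoming events against the schema listed above and filters a batch down to the ones worth alerting on, which is the kind of pre-processing a SIEM pipeline or a unit test for detection rules would do. The sample events and the keys inside their details objects are constructed, since the page does not specify the contents of details.

```python
import datetime
import ipaddress
import json

SEVERITIES = ("low", "medium", "high", "critical")
REQUIRED = ("event_type", "severity", "domain", "timestamp", "tenant_id", "details")


def validate_event(event):
    """Return a list of schema problems; an empty list means the event is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in event]
    if "severity" in event and event["severity"] not in SEVERITIES:
        problems.append(f"unknown severity: {event['severity']!r}")
    if "details" in event and not isinstance(event["details"], dict):
        problems.append("details must be an object")
    if "timestamp" in event:
        try:  # ISO 8601; the Z suffix is normalised for older Python versions
            ts = datetime.datetime.fromisoformat(str(event["timestamp"]).replace("Z", "+00:00"))
            if ts.tzinfo is None:
                problems.append("timestamp has no timezone offset")
        except ValueError:
            problems.append(f"timestamp is not ISO 8601: {event['timestamp']!r}")
    if event.get("source_ip") is not None:  # optional field, present only where applicable
        try:
            ipaddress.ip_address(event["source_ip"])
        except ValueError:
            problems.append(f"source_ip is not an IP address: {event['source_ip']!r}")
    return problems


def triage(events, min_severity="high"):
    """Return well-formed events at or above min_severity, most severe first."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    keep = [e for e in events if not validate_event(e) and rank[e["severity"]] >= rank[min_severity]]
    return sorted(keep, key=lambda e: (-rank[e["severity"]], e["timestamp"]))


# Constructed sample batch in the documented schema (not real SpoofWard output).
SAMPLE_EVENTS = json.loads("""[
 {"event_type": "threat_alert", "severity": "critical", "domain": "example.com",
  "timestamp": "2024-05-01T10:15:00Z", "tenant_id": "t-1", "source_ip": "203.0.113.7",
  "details": {"kind": "lookalike_domain", "observed": "examp1e.com"}},
 {"event_type": "dns_change", "severity": "high", "domain": "example.com",
  "timestamp": "2024-05-01T09:58:00Z", "tenant_id": "t-1",
  "details": {"record": "TXT", "change": "modified"}},
 {"event_type": "dns_change", "severity": "urgent", "domain": "example.net",
  "timestamp": "01/05/2024 10:00", "tenant_id": "t-1", "details": {}}
]""")

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["domain"], validate_event(e) or "ok")
    print([e["event_type"] for e in triage(SAMPLE_EVENTS)])  # ['threat_alert', 'dns_change']
```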

Managing the Integration

  • Pause — Temporarily stop forwarding events without removing the configuration
  • Edit — Update credentials, endpoint URLs, or event type selections
  • Test — Send a test event to verify the connection is active
  • View Log — Review recent delivery attempts and any failures
  • Delete — Remove the SIEM integration and delete stored credentials

Troubleshooting

  • Events not appearing in Sentinel — Verify the Workspace ID and Shared Key are correct. Check that the custom log table has had time to provision (up to 30 minutes for new tables).
  • Events not appearing in Splunk — Verify the HEC token is active, the endpoint URL is reachable, and the index exists. Check Splunk's _internal index for HEC errors.
  • Connection test fails — Check firewall rules to ensure SpoofWard's IP ranges can reach your SIEM endpoint. Contact support for the current list of egress IPs.
  • Duplicate events — If you see duplicates, check whether you have both a SIEM integration and a webhook forwarding to the same destination. Disable one to avoid duplicates.
