SpoofSentry Add-on for Splunk

SpoofSentry Add-on for Splunk ingests and normalizes domain security events from the SpoofSentry DMARC monitoring and domain protection platform. Events are delivered via the Splunk HTTP Event Collector (HEC) and include DMARC authentication failures, spoofing campaign detections, lookalike domain threats, DNS enforcement changes, and automated takedown orchestration lifecycle events.

This add-on provides:

- Sourcetype definitions for spoofsentry:alert, spoofsentry:cef, and riskreply:event
- Automatic JSON field extraction with normalized field aliases (severity, event_type, domain, tenant_id)
- CEF (Common Event Format) parsing for legacy SIEM workflows
- CIM data model compatibility (Alerts, Email, Intrusion Detection, Change, Web)
- Eight pre-built saved searches covering critical threats, DMARC pass rates, spoofing campaigns, lookalike domains, takedown activity, and enforcement changes
- One pre-built alert for critical threat detection (disabled by default, with configurable suppression)
- Lookup tables for severity mapping and event type categorization

SpoofSentry detects email spoofing, monitors DMARC enforcement, identifies lookalike domains, and orchestrates automated takedowns across Google Web Risk, Netcraft, URLhaus, and registrar abuse channels. This add-on brings those security events into Splunk for centralized analysis, correlation with other security data, and SOC workflow integration.
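As an added example that is not part of the add-on or of this page, the Python below shows what the normalization described above amounts to: it takes one JSON alert and one CEF line and projects both onto the four normalized fields the add-on advertises (severity, event_type, domain, tenant_id). The two sample events are constructed. The raw JSON field names, the alias table, the CEF extension keys chosen to carry the domain and tenant (dhost and a cs1Label/cs1 pair), and the numeric severity thresholds are assumptions, not the product's schema; the CEF header and extension escaping rules it implements are the standard ones.

```python
"""Added example, not the SpoofSentry add-on's own code: normalize a JSON alert
and a CEF line onto severity / event_type / domain / tenant_id.  Sample events
are constructed; field names, alias table and thresholds are assumptions."""
import json
import re

# Assumed alias table: normalized field -> candidate raw JSON paths, first hit wins.
JSON_ALIASES = {
    "severity": ("severity", "alert.severity"),
    "event_type": ("event_type", "alert.type"),
    "domain": ("domain", "target.domain"),
    "tenant_id": ("tenant_id", "tenant.id"),
}
SEVERITY_LABELS = ("low", "medium", "high", "critical")
CEF_HEADER = ("cef_version", "vendor", "product", "version", "event_class_id", "name", "severity")
# A key starts at the beginning of the extension or after whitespace and ends at '='.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def severity_label(value):
    """Pass textual labels through; map CEF 0-10 to the usual bands
    (0-3 low, 4-6 medium, 7-8 high, 9-10 very high, called 'critical' here by assumption)."""
    if isinstance(value, str) and value.strip().lower() in SEVERITY_LABELS:
        return value.strip().lower()
    n = int(value)
    if not 0 <= n <= 10:
        raise ValueError(f"CEF severity out of range: {value!r}")
    return "low" if n <= 3 else "medium" if n <= 6 else "high" if n <= 8 else "critical"


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def normalize_json(raw):
    """Apply the alias table to a JSON event (spoofsentry:alert style)."""
    event = json.loads(raw)
    out = {field: None for field in JSON_ALIASES}
    for field, candidates in JSON_ALIASES.items():
        for path in candidates:
            value = get_path(event, path)
            if value is not None:
                out[field] = value
                break
    if out["severity"] is not None:
        out["severity"] = severity_label(out["severity"])
    return out


def split_cef_header(line):
    """Split the 7 pipe-delimited header fields, honouring \\| and \\\\ escapes;
    return (fields, extension_text).  Pipes inside the extension are not escaped."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def parse_cef_extension(text):
    """Split 'key=value key=value'; values may contain spaces but escape '=' as \\=.
    A csNLabel=NAME csN=VALUE pair is additionally surfaced as NAME=VALUE."""
    unescape = lambda v: re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)
    matches = list(EXT_KEY.finditer(text))
    ext = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        ext[m.group(1)] = unescape(text[m.end():end].strip())
    for key, label in list(ext.items()):
        if key.endswith("Label") and key[:-5] in ext:
            ext[label] = ext[key[:-5]]
    return ext


def normalize_cef(line):
    """Normalize a CEF line (spoofsentry:cef style) to the same four fields."""
    header = dict(zip(CEF_HEADER, split_cef_header(line)[0]))
    ext = parse_cef_extension(split_cef_header(line)[1])
    return {
        "severity": severity_label(header["severity"]),
        "event_type": header["event_class_id"],  # assumption: class ID carries the event type
        "domain": ext.get("dhost"),              # assumption: dhost carries the monitored domain
        "tenant_id": ext.get("tenant_id"),       # assumption: delivered as cs1Label=tenant_id cs1=...
    }


# Constructed sample events (not captured from the product); field names are assumed.
SAMPLE_JSON = json.dumps({
    "alert": {"type": "spoofing_campaign", "severity": "high"},
    "target": {"domain": "example.com"},
    "tenant": {"id": "t-42"},
})
SAMPLE_CEF = (
    "CEF:0|SpoofSentry|SpoofSentry|1.0|lookalike_domain|Lookalike registered|8|"
    "dhost=examp1e.com cs1Label=tenant_id cs1=t-42 msg=Registered\\=2024-05-01 via unknown registrar"
)

if __name__ == "__main__":
    print(normalize_json(SAMPLE_JSON))
    print(normalize_cef(SAMPLE_CEF))
```

The two code paths deliberately converge on the same four keys: that is the property to check after installing the add-on, by confirming that a spoofsentry:alert and a spoofsentry:cef event for the same incident search identically on severity, event_type, domain and tenant_id. The CEF path also shows the two places a hand-rolled parser usually goes wrong: a pipe escaped inside a header field, and an equals sign inside an extension value, both of which must be unescaped rather than split on.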