DDS: SpyCloud: Threat Intel Integration v1.0.0#23510

Open

jaypatel7-crest wants to merge 9 commits into DataDog:master from bhargavnariyanicrest:spycloud-assets-v1.0.0

Conversation

@jaypatel7-crest (Contributor)

What does this PR do?

This is an initial release PR of the SpyCloud integration, including all the required assets.

Integration Logo Source

Light Theme: https://spycloud.com/wp-content/uploads/2025/04/SpyCloud-Logo-Black-1.svg
Dark Theme: https://portal.spycloud.com/images/Logo-Reversed.png

Additional Notes

  • Crawler code for this integration has been committed in its respective repo.
  • OOTB detection rules JSON would be shared separately with the required teams as part of a separate repository.
  • Since, during the standard attribute remapping, we are not preserving the source attributes (as per the suggested best practices), filters using these standard attributes would also populate values from other integrations, as per current Datadog behaviour.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

@domalessi (Contributor) left a comment

Left a few suggestions. Tag me or re-request review when ready for another look!

Comment thread spycloud/README.md Outdated
- IP
- Domain

Integrate SpyCloud with Datadog to enhance your security logs with threat intelligence, enabling analysis of matched IOCs through pre-built dashboards. Additionally, the integration can be used for Cloud SIEM detection rules for enhanced monitoring and security.
Contributor (domalessi):

Tightening:

Suggested change
Integrate SpyCloud with Datadog to enhance your security logs with threat intelligence, enabling analysis of matched IOCs through pre-built dashboards. Additionally, the integration can be used for Cloud SIEM detection rules for enhanced monitoring and security.
Integrate SpyCloud with Datadog to enrich your security logs with threat intelligence and analyze matched IOCs through pre-built dashboards. The integration also feeds Cloud SIEM detection rules.

Contributor Author (jaypatel7-crest):

Done.

Comment thread spycloud/README.md Outdated

## Setup

### Obtain an API Key from SpyCloud Platform
Contributor (domalessi):

Headings use sentence case. Also, this heading says "SpyCloud Platform" but step 1 below points users to the "SpyCloud Customer Portal" — let's keep them consistent.

Suggested change
### Obtain an API Key from SpyCloud Platform
### Obtain an API key from the SpyCloud Customer Portal

Contributor Author (jaypatel7-crest):

Updated the PR.

Comment thread spycloud/README.md Outdated

### Connect your SpyCloud account to Datadog

1. Provide following details.
Contributor (domalessi):

Missing article ("the") and use a colon to introduce the table.

Suggested change
1. Provide following details.
1. Provide the following details:

Contributor Author (jaypatel7-crest):

Updated the PR.

Comment thread spycloud/README.md Outdated
| Parameter | Description |
| ---------- | ---------------------------------------------- |
| API Key | The API Key of your SpyCloud account. |
| Collect IP IOCs | Enable to collect IP IOCs. The default value is true. |
Contributor (domalessi):

"The default value is true" reads like a config-file value, but in the UI this is a toggle. Suggest "Enabled by default" for clarity.

Suggested change
| Collect IP IOCs | Enable to collect IP IOCs. The default value is true. |
| Collect IP IOCs | Enable to collect IP IOCs. Enabled by default. |

Contributor Author (jaypatel7-crest):

Done.

Comment thread spycloud/README.md Outdated
| ---------- | ---------------------------------------------- |
| API Key | The API Key of your SpyCloud account. |
| Collect IP IOCs | Enable to collect IP IOCs. The default value is true. |
| Collect Domain IOCs | Enable to collect Domain IOCs. The default value is true. |
Contributor (domalessi):

Same wording fix as above.

Suggested change
| Collect Domain IOCs | Enable to collect Domain IOCs. The default value is true. |
| Collect Domain IOCs | Enable to collect Domain IOCs. Enabled by default. |

Contributor Author (jaypatel7-crest):

Done.

Comment thread spycloud/README.md Outdated

## Troubleshooting

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/). No newline at end of file
Contributor (domalessi):

Double space between "Contact" and the link.

Suggested change
Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).

Contributor Author (jaypatel7-crest):

Done.

@domalessi (Contributor) left a comment

Thanks for the fixes! Left some more tweaks inline, but should be good to go after that. Two high-level things:

Consider adding a brief Data Collected note

This integration doesn't submit metrics, service checks, or events, so it doesn't need the full Data Collected section from the standard template. That said, the convention is to state explicitly that none are collected, for example:

## Data Collected

The SpyCloud integration does not include any metrics, service checks, or events.

Optional, but it makes the README consistent with other integrations and answers a question users often ask.

display_on_public_website: false

Flagging this for awareness — the integration is not yet rendering on the public docs site. If that's intentional for this initial release, no action needed; just confirming we haven't missed flipping it.

Comment thread spycloud/README.md Outdated

1. Log in to your SpyCloud Customer Portal.
2. Navigate to the **API** tab in the sidebar.
3. In the **Keys** section, copy the **API Key**.
Contributor (domalessi):

Datadog style uses lowercase "API key" since it's not a proper noun. (Same applies in line 23.)

Suggested change
3. In the **Keys** section, copy the **API Key**.
3. In the **Keys** section, copy the **API key**.

Contributor Author (jaypatel7-crest):

Done.

Comment thread spycloud/README.md Outdated
1. Provide the following details:
| Parameter | Description |
| ---------- | ---------------------------------------------- |
| API Key | The API Key of your SpyCloud account. |
Contributor (domalessi):

Lowercase "API key". Also, "for your account" reads more naturally than "of your account".

Suggested change
| API Key | The API Key of your SpyCloud account. |
| API key | The API key for your SpyCloud account. |

Contributor Author (jaypatel7-crest):

Updated.

Comment thread spycloud/README.md Outdated

### Connect your SpyCloud account to Datadog

1. Provide the following details:
Contributor (domalessi):

Step 1 doesn't tell the user where they are. Add a brief orienting phrase so it's clear they should be on the SpyCloud integration tile in Datadog.

Suggested change
1. Provide the following details:
1. In Datadog, on the SpyCloud integration tile, provide the following details:

Contributor Author (jaypatel7-crest):

Done.

Comment thread spycloud/README.md Outdated
| Parameter | Description |
| ---------- | ---------------------------------------------- |
| API Key | The API Key of your SpyCloud account. |
| Collect IP IOCs | Enable to collect IP IOCs. Enabled by default. |
Contributor (domalessi):

The description "Enable to collect IP IOCs" repeats the parameter name. "Whether to..." is a clearer pattern for a toggle setting.

Suggested change
| Collect IP IOCs | Enable to collect IP IOCs. Enabled by default. |
| Collect IP IOCs | Whether to collect IP IOCs from SpyCloud. Enabled by default. |

Contributor Author (jaypatel7-crest):

Updated.

Comment thread spycloud/README.md Outdated
| ---------- | ---------------------------------------------- |
| API Key | The API Key of your SpyCloud account. |
| Collect IP IOCs | Enable to collect IP IOCs. Enabled by default. |
| Collect Domain IOCs | Enable to collect Domain IOCs. Enabled by default. |
Contributor (domalessi):

Same rephrase as the row above.

Suggested change
| Collect Domain IOCs | Enable to collect Domain IOCs. Enabled by default. |
| Collect Domain IOCs | Whether to collect domain IOCs from SpyCloud. Enabled by default. |

Contributor Author (jaypatel7-crest):

Done.

{
"id": 5986136339683419,
"definition": {
"title": "CRITICALs",
Contributor (domalessi):

Sentence case for widget titles.

Also, pluralizing all-caps tokens with a lowercase "s" ("CRITICALs") is grammatically awkward. Same applies to lines 1437, 1561, 1614, and 1667 (separate suggestions on each).

Suggested change
"title": "CRITICALs",
"title": "Critical signals",

Contributor Author (jaypatel7-crest):

Done.

{
"id": 6559980888525287,
"definition": {
"title": "HIGHs",
Contributor (domalessi):

Suggested change
"title": "HIGHs",
"title": "High signals",

Contributor Author (jaypatel7-crest):

Done.

{
"id": 2114682197371367,
"definition": {
"title": "MEDIUMs",
Contributor (domalessi):

Suggested change
"title": "MEDIUMs",
"title": "Medium signals",

Contributor Author (jaypatel7-crest):

Done.

{
"id": 1150500876952374,
"definition": {
"title": "LOWs",
Contributor (domalessi):

Suggested change
"title": "LOWs",
"title": "Low signals",

Contributor Author (jaypatel7-crest):

Done.

{
"id": 3077932004771300,
"definition": {
"title": "INFOs",
Contributor (domalessi):

Suggested change
"title": "INFOs",
"title": "Info signals",

Contributor Author (jaypatel7-crest):

Done.

@domalessi (Contributor) left a comment

A few nits I missed last time but this is looking good! Approving so you're not blocked on me :)

{
"id": 6044605789288649,
"definition": {
"title": "Critical Security Signals",
Contributor (domalessi):

Suggested change
"title": "Critical Security Signals",
"title": "Critical security signals",

Contributor Author (jaypatel7-crest):

Done.

{
"id": 1784805821887938,
"definition": {
"title": "High Security Signals",
Contributor (domalessi):

Suggested change
"title": "High Security Signals",
"title": "High security signals",

Contributor Author (jaypatel7-crest):

Done.

{
"id": 6427496511993500,
"definition": {
"title": "Medium Security Signals",
Contributor (domalessi):

Suggested change
"title": "Medium Security Signals",
"title": "Medium security signals",

Contributor Author (jaypatel7-crest):

Done.

Comment thread spycloud/README.md Outdated
- IP
- Domain

Integrate SpyCloud with Datadog to enrich your security logs with threat intelligence and analyze matched IOCs through pre-built dashboards. The integration also feeds Cloud SIEM detection rules.
Contributor (domalessi):

Suggested change
Integrate SpyCloud with Datadog to enrich your security logs with threat intelligence and analyze matched IOCs through pre-built dashboards. The integration also feeds Cloud SIEM detection rules.
Integrate SpyCloud with Datadog to enrich your security logs with threat intelligence and analyze matched indicators of compromise (IOCs) through pre-built dashboards. The integration also feeds Cloud SIEM detection rules.

Contributor Author (jaypatel7-crest):

Done.

@jaypatel7-crest jaypatel7-crest requested a review from domalessi May 5, 2026 04:42