What Changed
New complete solution for Valimail Enforce platform monitoring, including a CCF (Codeless Connector Framework) connector, 4 analytic rules, and 4 hunting queries targeting the security of email authentication configuration.
Data Source
Valimail Enforce platform configuration events via REST API polling. Ingests domain management events including DMARC policy changes, SPF/DKIM configuration modifications, and user management activities into custom table ValimailEnforceEvents_CL.
Ingestion Mechanism
CCF-based connector using DCR (Data Collection Rule) ingestion with the custom stream Custom-ValimailReporting_API. It polls the Valimail Enforce API for configuration events and normalizes the fields Subject (domain), User (actor), EventType (action), EventChange (details), and PerformedAt (timestamp).
Detection Coverage Unlocked
DMARC Policy Weakening (High Severity)
- Detects DMARC policy changes to 'none' that disable enforcement
- MITRE: T1566 (Phishing), T1562 (Impair Defenses)
- Maps Account and DNS entities for incident correlation
Email Authentication Key Deletion (Medium Severity)
- Monitors SPF delegation and DKIM key removals
- MITRE: T1562 (Impair Defenses)
- Tracks configuration changes that degrade authentication posture
Unusual Configuration Change Rate (Medium Severity)
- Flags users making >3 changes in 1-hour windows
- MITRE: T1562, T1531 (Account Access Removal), T1078 (Valid Accounts)
- Detects potential compromised admin accounts or insider threats
High-Value User Management Events (High Severity)
- Monitors critical user deletion/deactivation events
- MITRE: T1531, T1078
- Account-centric alerting for privileged access changes
MITRE Coverage
Primary techniques from YAML diffs: T1078 (Valid Accounts), T1098 (Account Manipulation), T1531 (Account Access Removal), T1562 (Impair Defenses), T1566 (Phishing). Focus on defense evasion through email authentication weakening and account-based persistence mechanisms.
Hunting Capabilities
- Bulk domain change detection across multiple domains by single user
- Configuration change rate trending with hourly bucketing
- DMARC policy change history for forensic analysis
- High-value event summarization for security reviews
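As an added example, not part of this PR or the solution's YAML rules, the following Python replays the detection logic of the four analytic rules and the bulk-domain hunting query over constructed records shaped like the ValimailEnforceEvents_CL table. The EventType vocabulary (dmarc_policy_changed, spf_delegation_removed, dkim_key_removed, user_deleted, user_deactivated), the "p=reject -> p=none" form of EventChange, the sample rows and the function names are assumptions for illustration; the real rules run as KQL in Sentinel, and the hourly bucketing here mirrors KQL's fixed bin(PerformedAt, 1h) rather than a sliding window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows shaped like the connector's normalized fields
# (Subject=domain, User=actor, EventType=action, EventChange=details,
# PerformedAt=timestamp). All values are made up for this example; the
# EventType strings are an assumption, not the connector's documented set.
SAMPLE_EVENTS = [
    {"Subject": "example.com", "User": "alice@example.com", "EventType": "dmarc_policy_changed",
     "EventChange": "p=reject -> p=none", "PerformedAt": "2024-05-01T10:05:00Z"},
    {"Subject": "example.com", "User": "alice@example.com", "EventType": "spf_delegation_removed",
     "EventChange": "removed include:_spf.mail.example", "PerformedAt": "2024-05-01T10:12:00Z"},
    {"Subject": "example.org", "User": "alice@example.com", "EventType": "dkim_key_removed",
     "EventChange": "selector s1", "PerformedAt": "2024-05-01T10:20:00Z"},
    {"Subject": "example.org", "User": "alice@example.com", "EventType": "dmarc_policy_changed",
     "EventChange": "p=reject -> p=quarantine", "PerformedAt": "2024-05-01T10:41:00Z"},
    {"Subject": "example.net", "User": "alice@example.com", "EventType": "dmarc_policy_changed",
     "EventChange": "p=none -> p=reject", "PerformedAt": "2024-05-01T10:50:00Z"},
    {"Subject": "example.com", "User": "bob@example.com", "EventType": "user_deactivated",
     "EventChange": "deactivated carol@example.com", "PerformedAt": "2024-05-01T11:30:00Z"},
    {"Subject": "example.com", "User": "carol@example.com", "EventType": "dmarc_policy_changed",
     "EventChange": "p=quarantine -> p=none", "PerformedAt": "2024-05-01T09:58:00Z"},
    {"Subject": "example.org", "User": "carol@example.com", "EventType": "dkim_key_added",
     "EventChange": "selector s2", "PerformedAt": "2024-05-01T12:15:00Z"},
]

AUTH_KEY_DELETION_TYPES = {"spf_delegation_removed", "dkim_key_removed"}
HIGH_VALUE_USER_TYPES = {"user_deleted", "user_deactivated"}
_TRANSITION = re.compile(r"p=(\w+)\s*->\s*p=(\w+)")


def parse_events(rows):
    """Convert PerformedAt strings to aware datetimes; return rows sorted by time."""
    parsed = []
    for row in rows:
        ev = dict(row)
        ev["PerformedAt"] = datetime.fromisoformat(row["PerformedAt"].replace("Z", "+00:00"))
        parsed.append(ev)
    return sorted(parsed, key=lambda e: e["PerformedAt"])


def dmarc_transition(change):
    """Extract (old, new) policy tags from an EventChange like 'p=reject -> p=none'."""
    m = _TRANSITION.search(change)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def dmarc_policy_weakened(events):
    """Rule 1 (High): DMARC policy switched to 'none', i.e. enforcement disabled.
    A change from 'none' to a stronger policy is hardening and is not flagged."""
    hits = []
    for ev in events:
        if ev["EventType"] != "dmarc_policy_changed":
            continue
        t = dmarc_transition(ev["EventChange"])
        if t and t[1] == "none" and t[0] != "none":
            hits.append((ev["Subject"], ev["User"], t[0], t[1]))
    return hits


def auth_key_deleted(events):
    """Rule 2 (Medium): SPF delegation or DKIM key removals."""
    return [(ev["Subject"], ev["User"], ev["EventType"])
            for ev in events if ev["EventType"] in AUTH_KEY_DELETION_TYPES]


def unusual_change_rate(events, threshold=3):
    """Rule 3 (Medium): more than `threshold` changes by one user in a fixed
    hourly bucket, the same semantics as KQL bin(PerformedAt, 1h)."""
    counts = Counter()
    for ev in events:
        bucket = ev["PerformedAt"].replace(minute=0, second=0, microsecond=0)
        counts[(ev["User"], bucket)] += 1
    return sorted((user, bucket, n) for (user, bucket), n in counts.items() if n > threshold)


def high_value_user_events(events):
    """Rule 4 (High): user deletion or deactivation events."""
    return [(ev["User"], ev["EventChange"])
            for ev in events if ev["EventType"] in HIGH_VALUE_USER_TYPES]


def bulk_domain_changes(events, min_domains=3):
    """Hunting: one user changing configuration on several distinct domains
    (min_domains is an assumed threshold, not the query's actual value)."""
    domains = defaultdict(set)
    for ev in events:
        domains[ev["User"]].add(ev["Subject"])
    return sorted((user, sorted(d)) for user, d in domains.items() if len(d) >= min_domains)


def run_all(rows=SAMPLE_EVENTS):
    """Run every detector over the rows and return hits keyed by rule name."""
    events = parse_events(rows)
    return {
        "dmarc_weakened": dmarc_policy_weakened(events),
        "auth_key_deleted": auth_key_deleted(events),
        "unusual_rate": unusual_change_rate(events),
        "high_value_user": high_value_user_events(events),
        "bulk_domains": bulk_domain_changes(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Running it on the sample rows flags the two transitions to p=none, alice's two key removals, alice's five changes inside the 10:00 bucket, bob's deactivation of carol, and alice as the only user touching three domains; the reject-to-quarantine downgrade is deliberately not caught by rule 1, which matches the rule description above and is the kind of gap a hunting query over DMARC policy history is meant to cover.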
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/ValimailEnforceEvents_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/valimail.svg
Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml
Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml
Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_DCR.json
Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_PollerConfig.json
Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_Table.json
Solutions/ValimailEnforce/Data Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_connectorDefinition.json
Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_BulkChanges.yaml
Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_ChangeRateTrend.yaml
Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_DMARCPolicyHistory.yaml
Solutions/ValimailEnforce/Hunting Queries/ValimailEnforce_HighValueEventSummary.yaml
Solutions/ValimailEnforce/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_ValimailEvents.json, createUiDefinition.json, mainTemplate.json)