Threat Feed
The Threat Feed in DMARC Protection is where DMARC failures based on RUF data is detailed. You can use the information in the Threat Feed to help you identify threat campaigns and commonalities in failure samples.
The Threat Feed is a list of DMARC failure samples. Each sample contains specific information passed into the reporting environment about a message that did not pass DMARC from messages sent from one of your domains
You can use the Threat Feed to:
- Identify campaigns by using the filters to see failure samples with commonalities, such as the same IP address or subject.
- Identify URLs in messages that fail DMARC.
- Use the API endpoint to have your SIEM system correlate with email data.
The table on the Threat Feed page lists the following for each Threat Feed item:
- Count: The number of times the URL has been seen in the Threat Feed.
- URI: The specific URL in the message.
- From Domain/Email Source IP: The domain in the From header and the IP address that represents that domain.
- Subject: The Subject from the message header.
- Last Reported: The date and time that the threat was most recently reported.
- Detected By: How the threat was detected. Visible only if the Include detected by: threat source in feed emails setting is enabled. See Threat Feed Settings for details.
Each row in the Threat Feed table represents a URL found in a failure sample. You may see a unique URL represented multiple times (indicated by a Count value greater than 1) in messages from the same domain and with the same subject, and you may see several URLs found messages from the same domain and with the same subject (indicated by duplicate values in the From Domain/Email Source IP and Subject columns).