A domain, such as example.com, triggers a callback or phishing alert to your SIEM. Is it a fleeting hit, or is it chronically listed across feeds, signaling ongoing threats? Manual feed checks across sources fragment your hunt.
The Threat Feeds tab displays a timeline of when a domain or IP (e.g., URL) appeared in threat intelligence feeds, either historically or currently, in Total View. It highlights IOFA (Indicators of Future Attack) exposures via flags, such as ‘Part of IOFA Feed,’ which aggregates sources for risk patterns, including phishing or malware.
Available for Domains and IPv4, this tab pulls from Silent Push’s feed integrations, complementing Whois for ownership ties and PADNS for resolution context.
Why is it useful?
Threat feeds expose malicious timelines, but disjointed views obscure persistence. This tab tracks first/last seen dates and spans, revealing behaviors like brief IOFA listings for emerging campaigns. The IOFA Feed flag identifies proactive risks, prompting deeper dives.
Teams assess activity duration (e.g., 10 days on FIN7 feeds) and correlate it with Infrastructure Variance for infrastructure shifts, or use historical views for actor attribution, which is essential for SOC triage or defender monitoring.
How does it work?
Silent Push’s aggregation engine compiles feed data in-house, creating timelines without gaps from third-party sources. Core fields (First Seen, Last Seen, spans) are populated together with their "ago" calculations, the time elapsed since each date; the graph visualizes trends, and hovering reveals feed specifics (e.g., "TrafficAI Generated Websites Domains").
Feeds Historical View details entries, including IOFA ties. Basic Raw Data mode shows unprocessed listings (e.g., exact dates/sources) for audits. It links to other tabs; a recent listing here might align with PADNS anomalies, flagging takeovers.
Generate a set of results
Input a domain (e.g., grands sofa.site) in the search bar to open Total View, and click the Threat Feeds tab. Timeline and fields load; expand Historical View for details, filter by date or feed, and toggle Domain Wide View for subdomains.
Example
Query grands sofa.site in Threat Feeds: Fields show First Seen 2025-09-29 (9 days ago), Last Seen 2025-10-08 (0 days ago), Listed Span 10 days. The Part of IOFA Feed flag highlights exposure.
Historical View lists Threat Actor - FIN7 Domains (first seen 2025-09-29, last 2025-10-07), with a trend graph spiking to 2034 indicators (Last Updated 2025-10-08). Hover over the red line for feed details: the Description notes FIN7's financial targeting.

Fields
First Seen: The initial date an Observable was detected on a threat feed (e.g., 2025-08-03).
First Seen Ago: The time elapsed since the first detection (e.g., 30 days ago).
Last Seen: The most recent date the observable was detected on a feed (e.g., 2025-09-01).
Last Seen Ago: The time elapsed since the last detection (e.g., 1 day ago).
Listed Span: The total duration the observable has been listed.
Feeds Historical View
The historical view provides a detailed log of specific feed entries and listing dates for analysis. For benign domains such as example.com, it may appear empty.
It includes feed names (e.g., TrafficAI Generated Websites Domains), the first/last seen dates, and IOFA indicators. Hover over the lines on the timeline graph for expanded info: feed source, description, and update timestamps.
Use case
Track patterns, such as FIN7 listings, that are tied to actor TTPs.
Work with Threat Feed results
The tab enables direct actions, such as copying fields, customizing columns (e.g., adding descriptions), or downloading CSVs for reports. Save to a Feed or Draft Feed to monitor listings, like IOFA spikes.
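The following is an added example, not Silent Push code: it recomputes the First Seen, Last Seen, "ago" and Listed Span fields from a downloaded listing export and also counts the days actually covered by a feed, which exposes on/off listing that the overall span hides. The CSV column names, the function names and the TrafficAI row's dates are assumptions; the inclusive day count is inferred from the example above (2025-09-29 to 2025-10-08 shown as 10 days).

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions, not a documented
# schema. The FIN7 row uses the dates from the example on this page; the
# TrafficAI row's dates are constructed.
SAMPLE_CSV = """feed_name,first_seen,last_seen
Threat Actor - FIN7 Domains,2025-09-29,2025-10-07
TrafficAI Generated Websites Domains,2025-10-03,2025-10-08
"""

def parse_listings(text):
    """Parse export rows into (feed, first_seen, last_seen) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        first = date.fromisoformat(rec["first_seen"])
        last = date.fromisoformat(rec["last_seen"])
        if last < first:
            raise ValueError(f"inverted dates for feed {rec['feed_name']!r}")
        rows.append((rec["feed_name"], first, last))
    return rows

def days_listed(rows):
    """Distinct days covered by at least one feed (inclusive interval union)."""
    total, start, end = 0, None, None
    for _, first, last in sorted(rows, key=lambda r: r[1]):
        if end is not None and (first - end).days <= 1:
            end = max(end, last)          # overlaps or abuts the current run
            continue
        if end is not None:
            total += (end - start).days + 1
        start, end = first, last
    return total + ((end - start).days + 1 if end is not None else 0)

def summarize(rows, as_of):
    """Recompute the tab's fields; None mirrors an empty historical view."""
    if not rows:
        return None
    first = min(r[1] for r in rows)
    last = max(r[2] for r in rows)
    return {
        "first_seen": first, "first_seen_ago": (as_of - first).days,
        "last_seen": last, "last_seen_ago": (as_of - last).days,
        "listed_span": (last - first).days + 1,   # inclusive, as in the example
        "days_listed": days_listed(rows),         # < listed_span means gaps
    }

if __name__ == "__main__":
    print(summarize(parse_listings(SAMPLE_CSV), date(2025, 10, 8)))
```

A `days_listed` value well below `listed_span` indicates the observable dropped off feeds and reappeared, which is worth checking against PADNS before treating the listing as continuous.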
Tips
Test Observables: Input a suggested domain to populate First Seen, Last Seen, and Listed Span fields.
Analyze Trends: Use the Feeds Historical View to track feed-specific activity over time.
Cross-Check: Correlate with PADNS or Infrastructure Variance for a more comprehensive understanding.