
ESA support for STIX/TAXII API

Dhanesh
Cisco Employee

Hi,

Does the Cisco ESA solution have support for the STIX/TAXII API?

20 Replies

Awesome!! That worked. Thanks for your help, Marc!!

Does the message tracking detail indicate if a message was blocked due to matching criteria on a content filter / HAT list with external threat feed input?

I'm asking because I would like to create a validation plan in my test environment to see how the threat feeds are affecting traffic.

Not by default. I add a log entry in the content filter so I can see that info in the log.




You need to do some manual work for this to be easy for you. But first a warning: a lot of the free STIX/TAXII feeds are not the quality they should be. I would not take any decision based only on the results of a STIX/TAXII feed, based on experience. Some of the better paid ones can be fully trusted.

 

Create three Policy Quarantines

TrapURLTAXII

TrapURLDomain

TrapURLFiles

 

then create content filters like:

 

TrapURLTaxii: if (url-external-threat-feeds (['HailATaxii_7days'], "", 1, 1)) { duplicate-quarantine("TrapURLTAXII"); log-entry("--TrapURLTAXII--"); }

 

TrapDomainTaxii: if (domain-external-threat-feeds (['HailATaxii_7days'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList")) { duplicate-quarantine("TrapURLDomain"); log-entry("--TrapDomainTAXII--"); }

 

TrapFileTaxii: if (file-hash-etf-rule (['HailATaxii_7days'], "")) { duplicate-quarantine("TrapURLFiles"); log-entry("--TrapFileTAXII--"); }

 

That way you can test in production without impacting live traffic.

 

Now you can either look at your hits in the 3 quarantines or grep for the --string-- in mail_logs from the CLI.

 

I hope that helps

 

-Marc
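Added example (not from the thread and not Cisco's code): a small Python script that tallies the log-entry tags from the three filters above across an exported copy of mail_logs, so the validation question asked earlier (how much traffic the feeds actually touch) can be answered with numbers rather than by paging through the quarantines. The sample log lines are constructed for the example; the "Start MID ... ICID" and "MID ... Custom Log Entry:" line shapes are my assumptions about AsyncOS mail_logs and should be checked against a real log before the regexes are trusted.

```python
import re
from collections import defaultdict

# Constructed sample mail_logs excerpt (not real traffic). The line shapes are
# an assumption about how AsyncOS writes "Start MID" and log-entry() output;
# verify against your own appliance before relying on the patterns below.
SAMPLE_MAIL_LOGS = """\
Mon Mar  5 09:12:01 2018 Info: Start MID 120001 ICID 55001
Mon Mar  5 09:12:02 2018 Info: MID 120001 Custom Log Entry: --TrapURLTAXII--
Mon Mar  5 09:12:02 2018 Info: MID 120001 Custom Log Entry: --TrapDomainTAXII--
Mon Mar  5 09:13:10 2018 Info: Start MID 120002 ICID 55002
Mon Mar  5 09:14:44 2018 Info: Start MID 120003 ICID 55003
Mon Mar  5 09:14:45 2018 Info: MID 120003 Custom Log Entry: --TrapFileTAXII--
Mon Mar  5 09:15:00 2018 Info: Start MID 120004 ICID 55004
Mon Mar  5 09:15:01 2018 Info: MID 120004 Custom Log Entry: --TrapURLTAXII--
"""

# The tags configured in the three content filters; anything else seen in the
# log points at a typo in a filter definition or a filter not covered here.
EXPECTED_TAGS = {"--TrapURLTAXII--", "--TrapDomainTAXII--", "--TrapFileTAXII--"}

START_RE = re.compile(r"Start MID (\d+) ICID \d+")
TAG_RE = re.compile(r"MID (\d+) Custom Log Entry: (--[A-Za-z0-9_]+--)")


def parse_mail_logs(text):
    """Return (set of MIDs that started, dict tag -> set of MIDs carrying it)."""
    started = set()
    hits = defaultdict(set)
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            started.add(int(m.group(1)))
            continue
        m = TAG_RE.search(line)
        if m:
            # A message can trip more than one filter; sets keep MIDs unique.
            hits[m.group(2)].add(int(m.group(1)))
    return started, dict(hits)


def summarize(text):
    """Per-filter hit counts plus the share of all messages flagged by any feed."""
    started, hits = parse_mail_logs(text)
    flagged = set().union(*hits.values()) if hits else set()
    pct = round(100.0 * len(flagged) / len(started), 1) if started else 0.0
    return {
        "messages": len(started),
        "flagged_messages": len(flagged),
        "flagged_pct": pct,
        "per_filter": {tag: len(mids) for tag, mids in sorted(hits.items())},
    }


def unexpected_tags(text):
    """Tags present in the log but not in EXPECTED_TAGS (catches filter typos)."""
    _, hits = parse_mail_logs(text)
    return set(hits) - EXPECTED_TAGS


if __name__ == "__main__":
    import json
    import sys
    # Pass an exported mail_logs file as the only argument; otherwise run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIL_LOGS
    print(json.dumps(summarize(data), indent=2))
    if unexpected_tags(data):
        print("unexpected tags:", sorted(unexpected_tags(data)))
```

Run it against a mail_logs file pulled off the appliance (or pushed via syslog) rather than against the live CLI; because the filters above only duplicate-quarantine and log, the percentages describe what the feeds would have caught without any message having been blocked.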

 

 

 

Hey Marc,



Would you be willing to name the good ones?



Ken



