
Free Threat Intel for Your SIEM: A 5-Minute Setup Guide

  • Writer: Patrick Duggan
  • Jan 25
  • 2 min read


What You Get

| Format   | Endpoint                            | Use Case                         |
|----------|-------------------------------------|----------------------------------|
| YARA     | /api/v1/detection-rules/yara        | File scanning, malware detection |
| Suricata | /api/v1/detection-rules/suricata    | Network IDS/IPS                  |
| Sigma    | /api/v1/detection-rules/sigma/ioc   | SIEM-agnostic detection          |
| Bundle   | /api/v1/detection-rules/bundle      | All formats as ZIP               |


Base URL: https://analytics.dugganusa.com


Current coverage: 270K+ IOCs, 2,500+ blocked IPs, 351 adversaries, 1,499 CISA KEV entries.





Splunk



Option 1: Sigma Conversion (Recommended)



```bash
# Install sigma-cli and the Splunk backend
pip install sigma-cli pysigma-backend-splunk
```



Option 2: Direct SPL Queries



```bash
# Download pre-built Splunk queries
curl -s https://analytics.dugganusa.com/api/v1/detection-rules/bundle -o rules.zip
unzip rules.zip
cat splunk/dugganusa-queries.spl
```



Option 3: Threat Intel Framework



Upload the CSV feed (ip, confidence, actor, country) as a lookup first; the lookup name dugganusa_iocs.csv, the index name and the src_ip field below are placeholders for your environment.

```spl
index=firewall earliest=-24h
| lookup dugganusa_iocs.csv ip AS src_ip OUTPUT confidence, actor
| where isnotnull(actor) AND confidence > 50
| table _time, src_ip, actor, confidence
```





Microsoft Sentinel (Azure)



Option 1: KQL Direct Query



```kql
// External threat intel join
let ThreatIntel = externaldata(ip:string, confidence:int, actor:string, country:string)
    [@"https://analytics.dugganusa.com/api/v1/stix-feed?format=csv"]
    with (format="csv", ignoreFirstRecord=true);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| join kind=inner (ThreatIntel | where confidence > 50) on $left.SourceIP == $right.ip
| project TimeGenerated, SourceIP, actor, confidence, country, DeviceAction
```



Option 2: Sigma via Azure Function



```bash
# Convert Sigma to KQL
sigma convert -t microsoft365defender dugganusa.yml > sentinel_rules.kql
```



Option 3: Threat Intelligence Blade


  1. Go to Sentinel > Threat Intelligence

  2. Add Data Connector > Threat Intelligence - TAXII

  3. API Root: https://analytics.dugganusa.com/taxii2/

  4. Collection: stix-feed




IBM QRadar



Option 1: Reference Set Import



```bash
# Download IP blocklist (first CSV column is the IP; skip the header row)
curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?format=csv" | \
  awk -F',' 'NR>1 {print $1}' > malicious_ips.txt
```
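The awk one-liner above copies column 1 of every row straight into the reference set, and the Sentinel query earlier filters on confidence > 50. The example below is added here and is not part of the feed's own tooling: it applies both checks before anything is loaded, parsing the ip,confidence,actor,country CSV, rejecting unparsable rows, dropping low-confidence, internal-range and duplicate entries, and counting what it dropped so a poller can alert on a malformed pull. The feed sample is constructed.

```python
import csv
import io
import ipaddress

# Constructed sample in the feed's CSV shape (ip,confidence,actor,country),
# the same columns the Sentinel externaldata() declaration expects.
SAMPLE_FEED = """ip,confidence,actor,country
203.0.113.7,85,APT-Example,RU
198.51.100.22,40,Scanner,CN
203.0.113.7,85,APT-Example,RU
not-an-ip,99,Bogus,XX
10.0.0.5,90,Internal-FP,US
2001:db8::1,70,Example6,DE
"""

# Ranges that should never reach a blocklist from an external feed.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

def parse_feed(text, min_confidence=50):
    """Validate and filter feed rows; return (kept_rows, drop_counts).

    Drop reasons are counted so a poller can alert on a malformed feed
    instead of silently loading junk into a reference set or lookup.
    """
    seen, kept = set(), []
    dropped = {"malformed": 0, "low_confidence": 0, "internal": 0, "duplicate": 0}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            addr = ipaddress.ip_address((row.get("ip") or "").strip())
            conf = int(row.get("confidence") or "")
        except ValueError:
            dropped["malformed"] += 1      # unparsable IP or confidence
            continue
        if conf < min_confidence:
            dropped["low_confidence"] += 1
        elif any(addr in net for net in INTERNAL):
            dropped["internal"] += 1
        elif addr in seen:
            dropped["duplicate"] += 1
        else:
            seen.add(addr)
            kept.append({"ip": str(addr), "confidence": conf,
                         "actor": row.get("actor", ""), "country": row.get("country", "")})
    return kept, dropped

def reference_set_lines(rows):
    """One IP per line: the shape the awk one-liner above hands to QRadar."""
    return [r["ip"] for r in rows]
```

Write `reference_set_lines(rows)` to malicious_ips.txt in place of the raw awk output, and treat a non-zero `malformed` count as a feed problem worth alerting on.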



Option 2: Sigma Conversion



```bash
sigma convert -t qradar dugganusa.yml > qradar_rules.xml
```



Option 3: Suricata Integration (via QRadar Network Insights)



```bash
# Copy Suricata rules into the local rules directory
curl -s https://analytics.dugganusa.com/api/v1/detection-rules/suricata \
  -o /etc/suricata/rules/dugganusa.rules
```





Elastic SIEM



Option 1: Detection Rules API



```bash
# Convert Sigma to Elastic
pip install sigma-cli pysigma-backend-elasticsearch
sigma convert -t elasticsearch dugganusa.yml > elastic_rules.ndjson
```



Option 2: Threat Intel Filebeat Module



```yaml
# filebeat.yml
filebeat.modules:
  - module: threatintel
    otx:
      enabled: false
    misp:
      enabled: true
      var.url: "https://analytics.dugganusa.com/api/v1/stix-feed"
      var.interval: 1h
```



Option 3: Elasticsearch Ingest Pipeline



```
PUT _ingest/pipeline/threat-intel-enrichment
{
  "processors": [{
    "enrich": {
      "policy_name": "dugganusa-iocs",
      "field": "source.ip",
      "target_field": "threat"
    }
  }]
}
```





Google Chronicle



Option 1: Chronicle SIEM Feed



```
# Chronicle accepts STIX 2.1 natively
# Configure in Chronicle: Settings > Feeds > Add Feed
# URL: https://analytics.dugganusa.com/api/v1/stix-feed
# Format: STIX 2.1
# Interval: 1 hour
```



Option 2: YARA Rules for Chronicle



```bash
# Download YARA rules
curl -s https://analytics.dugganusa.com/api/v1/detection-rules/yara \
  -o dugganusa.yar
```



Option 3: UDM Search with IOCs



```
// Chronicle UDM query
metadata.event_type = "NETWORK_CONNECTION"
AND target.ip IN %dugganusa_blocklist
```





Quick Start: All-in-One Bundle


Don't want to think about formats? Download everything:



```bash
curl -s https://analytics.dugganusa.com/api/v1/detection-rules/bundle -o dugganusa-rules.zip
unzip dugganusa-rules.zip
```





Update Frequency

| Feed            | Update Interval | Best Practice     |
|-----------------|-----------------|-------------------|
| STIX Feed       | Real-time       | Poll every 15 min |
| Detection Rules | Daily           | Poll every 24h    |
| YARA/Suricata   | Daily           | Poll every 24h    |





Caching Headers


All endpoints return Cache-Control: no-cache - you'll always get fresh data.





Questions?


  • API Docs: https://analytics.dugganusa.com/docs/stix-feed.md

  • Dashboard: https://analytics.dugganusa.com/dashboard

  • Contact: [email protected]



Free for non-commercial use. Commercial use requires attribution to DugganUSA LLC.



