Free Threat Intelligence for Microsoft Sentinel Users: DugganUSA STIX 2.1 Feed
- Patrick Duggan
- Nov 13, 2025
- 3 min read
- Published: November 13, 2025
- Category: Threat Intelligence
- Vendor: Microsoft Sentinel (Azure)
The Value Proposition
DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.
63% unique discovery rate. Multi-source correlation. Free. STIX 2.1.
Your Microsoft Sentinel is excellent. Our feed makes it better.
What You Get
• Free STIX 2.1 threat intelligence feed
• Real-time updates from production security operations
• MITRE ATT&CK mapped indicators
• Zero cost - Democratic Sharing Law (Judge Dredd D6: 99.5% public)
• 244+ unique discoveries missed by major threat intel vendors
Feed URL: `https://analytics.dugganusa.com/api/v1/stix-feed`
Microsoft Sentinel Integration
Step 1: Create Threat Intelligence Connector
1. Navigate to Microsoft Sentinel → Configuration → Data connectors
2. Search for "Threat Intelligence - TAXII"
3. Click Open connector page
Step 2: Add STIX Feed
Friendly Name: DugganUSA STIX Feed
API Root URL: https://analytics.dugganusa.com/api/v1/stix-feed
Collection ID: (leave blank - direct STIX bundle)
Username: (leave blank - public feed)
Password: (leave blank - public feed)
Import Indicators: All available
Polling Frequency: Every hour
Note: Sentinel's native connector expects a TAXII server, while this endpoint serves a raw STIX bundle. If the connector cannot poll it, use the Logic App integration below.
Alternative: Logic App Integration
Create a custom Logic App (the Sentinel connector action's path and request body depend on the connector version deployed in your tenant, so check them against the connector's action definition before enabling the workflow):
```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "$connections": { "type": "Object", "defaultValue": {} }
    },
    "actions": {
      "HTTP": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70"
        }
      },
      "Parse_STIX_Bundle": {
        "type": "ParseJson",
        "runAfter": { "HTTP": [ "Succeeded" ] },
        "inputs": {
          "content": "@body('HTTP')",
          "schema": { "type": "object" }
        }
      },
      "Send_to_Sentinel": {
        "type": "ApiConnection",
        "runAfter": { "Parse_STIX_Bundle": [ "Succeeded" ] },
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "method": "post",
          "path": "/ThreatIntelligence/Indicators",
          "body": "@body('Parse_STIX_Bundle')"
        }
      }
    },
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": {
          "frequency": "Hour",
          "interval": 1
        }
      }
    }
  }
}
```
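What the parse step between the HTTP fetch and the Sentinel upload has to do with the bundle, as an added Python example that is not DugganUSA's code: keep only live STIX 2.1 IPv4 indicators at or above a confidence threshold, drop revoked objects, and lift the unique-discovery fields that the hunting queries on this page read from Tags. The bundle shape, in particular the x_dugganusa_discovery property, is an assumption taken from those queries, and the sample bundle is constructed.

```python
"""Flatten the feed's STIX 2.1 bundle into rows keyed like the Sentinel queries on this page.
Added example, not DugganUSA code; SAMPLE_BUNDLE is constructed and the x_dugganusa_discovery
property shape is assumed from the Tags fields the KQL on this page reads."""
import re

# STIX 2.1 comparison expression for one IPv4 address: [ipv4-addr:value = '203.0.113.5']
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")

def indicators_from_bundle(bundle, min_confidence=0):
    """One row per live IPv4 indicator at or above min_confidence; revoked or non-IP ones are dropped."""
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    rows = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("spec_version") != "2.1" or obj.get("revoked"):
            continue  # revoked objects must never be loaded as active IoCs
        match = IPV4_PATTERN.match(obj.get("pattern", "")) if obj.get("pattern_type", "stix") == "stix" else None
        if not match:
            continue  # domains, URLs and hashes would need their own observable mapping
        confidence = int(obj.get("confidence", 0))  # STIX confidence is 0-100; absent means unknown
        if confidence < min_confidence:
            continue
        discovery = obj.get("x_dugganusa_discovery", {})  # assumed custom property (see lead-in)
        rows.append({"NetworkIP": match.group(1), "ConfidenceScore": confidence,
                     "ThreatType": ",".join(obj.get("indicator_types", [])),
                     "ValidFrom": obj.get("valid_from"), "ValidUntil": obj.get("valid_until"),
                     "UniqueDiscovery": bool(discovery.get("unique_detection", False)),
                     "MissedBy": list(discovery.get("sources_with_zero_score", []))})
    return rows

# Constructed minimal sample (created/modified omitted): a high-confidence unique discovery,
# a low-confidence hit, a revoked object and a non-IP pattern.
def _ind(ident, pattern, confidence, **extra):
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{ident}",
            "pattern": pattern, "pattern_type": "stix", "valid_from": "2025-11-13T00:00:00Z",
            "confidence": confidence, **extra}

SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--1c0d2d3e-4f5a-4b6c-8d7e-8f9a0b1c2d3e", "objects": [
    _ind("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", "[ipv4-addr:value = '203.0.113.5']", 95,
         indicator_types=["malicious-activity"],
         x_dugganusa_discovery={"unique_detection": True,
                                "sources_with_zero_score": ["abuseipdb", "virustotal", "threatfox"]}),
    _ind("b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e", "[ipv4-addr:value = '198.51.100.7']", 60,
         indicator_types=["anomalous-activity"]),
    _ind("c3d4e5f6-a7b8-4c9d-8e1f-2a3b4c5d6e7f", "[ipv4-addr:value = '192.0.2.9']", 99, revoked=True),
    _ind("d4e5f6a7-b8c9-4d0e-9f2a-3b4c5d6e7f80", "[domain-name:value = 'example.invalid']", 90),
]}
```

With min_confidence=70 only the 203.0.113.5 row survives; the revoked 192.0.2.9 object is dropped regardless of its confidence.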
KQL Queries for Hunting
Find All DugganUSA Indicators
```kql
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| summarize count() by IndicatorType, ThreatType, ConfidenceScore
| render barchart
```
Correlate with Network Traffic
```kql
let DugganThreats = ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| where Active == true
| project NetworkIP, ConfidenceScore, ThreatType;
CommonSecurityLog
| where DeviceVendor != "DugganUSA" // Avoid circular logic
| join kind=inner DugganThreats on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, SourceIP, DestinationIP, ConfidenceScore, ThreatType, DeviceAction
```
Alert on Unique Discoveries
```kql
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| extend UniqueDiscovery = parse_json(Tags).x_dugganusa_discovery.unique_detection
| where tobool(UniqueDiscovery)
| extend MissedBy = parse_json(Tags).x_dugganusa_discovery.sources_with_zero_score
| project TimeGenerated, NetworkIP, ConfidenceScore, MissedBy
```
Cross-Reference with Sign-ins
```kql
let MaliciousIPs = ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| where ConfidenceScore >= 80
| project NetworkIP;
SigninLogs
| join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType
```
Analytic Rules
Create Detection Rule: Block High-Confidence Threats
```kql
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| where ConfidenceScore >= 85
| where ThreatType contains "malicious"
| join kind=inner (
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    // Keep the event timestamp; after the join the indicator's own TimeGenerated would win
    | project EventTime = TimeGenerated, SourceIP, DestinationIP, DeviceAction, DeviceVendor
) on $left.NetworkIP == $right.DestinationIP
| project
    TimeGenerated = EventTime,
    SourceIP,
    DestinationIP,
    ThreatType,
    Confidence = ConfidenceScore,
    DeviceAction,
    DeviceVendor
```
• Severity: High
• Tactics: Command and Control, Exfiltration
• Frequency: Every 5 minutes
• Query Period: Last 1 hour
Workbook for Visualization
Create a custom workbook with one query tile per block below:
```kql
// Top Threats by Confidence
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| summarize count() by ThreatType, bin(ConfidenceScore, 10)
| render columnchart
```

```kql
// Geographic Distribution
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| extend Country = parse_json(Tags).country
| summarize ThreatCount = count() by tostring(Country)
| render map
```

```kql
// Unique Discoveries Timeline
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| extend UniqueDiscovery = parse_json(Tags).x_dugganusa_discovery.unique_detection
| where tobool(UniqueDiscovery)
| summarize count() by bin(TimeGenerated, 1d)
| render timechart
```
Feed Parameters
```
# High confidence for automated blocking
https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90
```
Why This Matters
Microsoft Sentinel has the logs. We have the correlation.
You ingest data from everywhere. We correlate across 5 threat intelligence sources simultaneously.
When AbuseIPDB, VirusTotal, and ThreatFox all score an IP as zero — but we blocked it at 95% confidence — that's the indicator your SIEM needs.
244 unique discoveries. Free. Forever.
Democratic Sharing Law
This feed is free because hoarding threat intelligence is bullshit.
Zero marginal cost to share digital goods. We publish openly because that's how you prove you're telling the truth about your discoveries.
Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).
7.1x evidence-to-claims ratio. We show receipts.
Technical Details
• Format: STIX 2.1 Bundle
• Attribution: `created_by_ref: identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d`
• Update Frequency: Real-time from production auto-blocking
• License: CC0-1.0 (Public Domain)
• Contact: [email protected]
Support
Questions? Email [email protected]
API health: `https://analytics.dugganusa.com/api/v1/stix-feed/info`
Documentation: `https://analytics.dugganusa.com/docs/stix-feed.md`
Your security is our problem now.
— DugganUSA LLC (Minnesota)