Free Threat Intelligence for Splunk Enterprise Security Users: DugganUSA STIX 2.1 Feed
- Patrick Duggan
- Nov 13, 2025
- 3 min read
- Published: November 13, 2025
- Category: Threat Intelligence
- Vendor: Splunk Enterprise Security
The Value Proposition
DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.
63% unique discovery rate. Multi-source correlation. Free. STIX 2.1.
Your Splunk Enterprise Security is excellent. Our feed makes it better.
What You Get
• Free STIX 2.1 threat intelligence feed
• Real-time updates from production security operations
• MITRE ATT&CK mapped indicators
• Zero cost - Democratic Sharing Law (Judge Dredd D6: 99.5% public)
• 244+ unique discoveries missed by major threat intel vendors
Feed URL: `https://analytics.dugganusa.com/api/v1/stix-feed`
Splunk Enterprise Security Integration
Step 1: Install Threat Intelligence Framework
1. Navigate to Apps → Find More Apps
2. Install "Splunk Threat Intelligence Management" (if not already installed)
3. Restart Splunk
Step 2: Configure Threat Intelligence Download
Navigate to Enterprise Security → Configuration → Data Enrichment → Threat Intelligence Downloads
Click New:
Name: DugganUSA STIX 2.1 Feed
Description: Free threat intel - 244 unique discoveries
URL: https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70
Type: STIX
Weight: 5
Disabled: No
Interval: 3600 (hourly)
Extraction: Auto
Step 3: Create Threat Intelligence Lookup
inputs.conf:
```ini
[script://./bin/dugganusa_stix_download.py]
disabled = false
index = threat_activity
interval = 3600
sourcetype = stix:json
source = dugganusa_stix_feed
```
dugganusa_stix_download.py:
```python
#!/usr/bin/env python3
import requests
import json
import sys

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70"

try:
    response = requests.get(FEED_URL, timeout=30)
    response.raise_for_status()
    stix_bundle = response.json()
except (requests.RequestException, ValueError) as exc:
    # Scripted inputs report failures on stderr; Splunk records them in splunkd.log
    print(f"dugganusa_stix_download: feed fetch failed: {exc}", file=sys.stderr)
    sys.exit(1)

for indicator in stix_bundle.get('objects', []):
    if indicator.get('type') != 'indicator':
        continue
    # A STIX pattern such as [ipv4-addr:value = '<ip>'] carries the value in single quotes
    parts = indicator.get('pattern', '').split("'")
    if len(parts) < 2:
        continue  # no quoted value to index
    discovery = indicator.get('x_dugganusa_discovery', {})
    event = {
        'ip': parts[1],
        'confidence': indicator.get('confidence', 0),
        'threat_type': ','.join(indicator.get('indicator_types', [])),
        'unique_discovery': discovery.get('unique_detection', False),
        'sources_missed': ','.join(discovery.get('sources_with_zero_score', []))
    }
    # One JSON object per line for the stix:json sourcetype
    print(json.dumps(event))
```
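The SPL queries in this post do a `lookup dugganusa_threat_intel ip AS dest_ip`, which needs a CSV keyed by `ip`, while the download script above emits one JSON event per indicator. The following is an added example, not code from the original post or from DugganUSA, that turns a STIX 2.1 bundle into rows for that lookup CSV. It assumes indicators use single-value `ipv4-addr` / `ipv6-addr` patterns and the custom `x_dugganusa_discovery` property described in the post; the sample bundle at the bottom is constructed for illustration (documentation-range addresses, placeholder STIX ids) and is not real feed data. It goes a little beyond the script above: it rejects compound or non-IP patterns instead of guessing, skips revoked indicators, and collapses duplicate IPs to the highest-confidence row, which matters because `max_matches = 1` in transforms.conf would otherwise hide the second entry.

```python
#!/usr/bin/env python3
"""Added example (not the post's or DugganUSA's code): STIX 2.1 bundle -> lookup CSV rows."""
import csv
import io
import re

# Matches one STIX 2.1 address comparison, e.g. [ipv4-addr:value = '203.0.113.7'].
# The object/property names are the STIX 2.1 Cyber Observable ones.
_IP_PATTERN = re.compile(r"\[\s*(ipv4-addr|ipv6-addr):value\s*=\s*'([^']+)'\s*\]")

# Column order for dugganusa_threat_intel.csv; 'ip' matches the lookup key used in the SPL.
LOOKUP_FIELDS = ["ip", "confidence", "threat_type", "unique_discovery",
                 "sources_missed", "valid_until"]


def parse_ip_pattern(pattern):
    """Return the address from a single-value IP pattern, or None for anything else
    (domain/url patterns, compound AND/OR patterns, malformed text)."""
    m = _IP_PATTERN.fullmatch(pattern.strip())
    return m.group(2) if m else None


def bundle_to_lookup_rows(bundle, min_confidence=70):
    """Flatten indicator objects into lookup rows keyed by IP, keeping the
    highest-confidence row when the same IP appears more than once."""
    best = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        ip = parse_ip_pattern(obj.get("pattern", ""))
        if ip is None:
            continue
        confidence = int(obj.get("confidence", 0))
        if confidence < min_confidence:
            continue
        discovery = obj.get("x_dugganusa_discovery") or {}
        row = {
            "ip": ip,
            "confidence": confidence,
            "threat_type": ",".join(obj.get("indicator_types", [])),
            # Strings rather than booleans: the post's SPL compares against "true".
            "unique_discovery": "true" if discovery.get("unique_detection") else "false",
            "sources_missed": ",".join(discovery.get("sources_with_zero_score", [])),
            "valid_until": obj.get("valid_until", ""),
        }
        if ip not in best or confidence > best[ip]["confidence"]:
            best[ip] = row
    return sorted(best.values(), key=lambda r: (-r["confidence"], r["ip"]))


def rows_to_csv(rows):
    """Serialise rows as the CSV Splunk reads from lookups/dugganusa_threat_intel.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample bundle: documentation-range addresses and placeholder ids, not real data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "confidence": 95, "indicator_types": ["malicious-activity"],
         "valid_until": "2025-12-13T00:00:00.000Z",
         "x_dugganusa_discovery": {"unique_detection": True,
                                   "sources_with_zero_score": ["AbuseIPDB", "VirusTotal"]}},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "confidence": 80, "indicator_types": ["anomalous-activity"]},  # duplicate IP, lower score
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv6-addr:value = '2001:db8::1']", "pattern_type": "stix",
         "confidence": 72, "indicator_types": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern": "[ipv4-addr:value = '198.51.100.9']", "pattern_type": "stix",
         "confidence": 40, "indicator_types": ["malicious-activity"]},  # below min_confidence
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern": "[domain-name:value = 'example.test']", "pattern_type": "stix",
         "confidence": 99},  # not an IP pattern; the lookup is keyed by ip, so skipped
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000007",
         "name": "placeholder"},
    ],
}

if __name__ == "__main__":
    print(rows_to_csv(bundle_to_lookup_rows(SAMPLE_BUNDLE)), end="")
```

Run it as-is to see the CSV for the sample bundle; in a deployment you would feed it the bundle fetched by the download script and write the output to `lookups/dugganusa_threat_intel.csv` in the app so the `transforms.conf` stanza below can find it.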
SPL Queries for Hunting
Find Communications with Malicious IPs
```spl
index=* dest_ip=*
| lookup dugganusa_threat_intel ip AS dest_ip OUTPUT confidence, threat_type, unique_discovery
| where isnotnull(confidence)
| where confidence >= 80
| stats count by src_ip, dest_ip, confidence, threat_type
| sort - confidence
```
Alert on Unique Discoveries
```spl
index=threat_activity sourcetype="stix:json" source="dugganusa_stix_feed"
| spath input=_raw path=x_dugganusa_discovery.unique_detection output=unique_discovery
| where unique_discovery="true"
| spath input=_raw path=x_dugganusa_discovery.sources_with_zero_score{} output=missed_vendors
| table _time, ip, confidence, threat_type, missed_vendors
```
Correlate with Firewall Denies
```spl
index=firewall action=deny
| lookup dugganusa_threat_intel ip AS dest_ip OUTPUT confidence, threat_type
| where isnotnull(confidence)
| stats count by dest_ip, confidence, threat_type, src_ip
| where count > 5
| eval severity=case(
    confidence >= 90, "CRITICAL",
    confidence >= 75, "HIGH",
    confidence >= 60, "MEDIUM",
    1=1, "LOW"
  )
```
Notable Events: Vendor-Missed Threats
```spl
index=* dest_ip=*
| lookup dugganusa_threat_intel ip AS dest_ip OUTPUT confidence, threat_type, unique_discovery, sources_missed
| where unique_discovery="true"
| eval notable_description="Communication with IP missed by: ".sources_missed
| collect index=notable_events
```
Correlation Searches
Create Correlation Search: DugganUSA High-Confidence Threat
Navigate to Content Management → Create New Content → Correlation Search
```spl
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic where * by All_Traffic.dest_ip, All_Traffic.src_ip
| lookup dugganusa_threat_intel ip AS All_Traffic.dest_ip OUTPUT confidence, threat_type, unique_discovery
| where confidence >= 85
| eval severity="high"
| eval description="Communication with high-confidence malicious IP from DugganUSA feed"
| table _time, All_Traffic.src_ip, All_Traffic.dest_ip, confidence, threat_type, unique_discovery
```
• Severity: High
• Drilldown Search: Yes
• Throttle: Suppress for 1 hour per dest_ip
Threat Intelligence Framework Configuration
transforms.conf:
```ini
[dugganusa_threat_intel]
filename = dugganusa_threat_intel.csv
max_matches = 1
min_matches = 1
default_match = unknown
```
props.conf:
```ini
[stix:json]
INDEXED_EXTRACTIONS = json
KV_MODE = json
TIMESTAMP_FIELDS = created
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
```
Dashboard: DugganUSA Threat Overview
XML Source:
```xml
<dashboard>
  <label>DugganUSA Threat Intelligence</label>
  <row>
    <panel>
      <title>Unique Discoveries by Confidence</title>
      <chart>
        <search>
          <query>
            index=threat_activity source="dugganusa_stix_feed"
            | spath path=x_dugganusa_discovery.unique_detection output=unique
            | where unique="true"
            | stats count by confidence
            | sort - confidence
          </query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Threats Missed by Major Vendors</title>
      <table>
        <search>
          <query>
            index=threat_activity source="dugganusa_stix_feed"
            | spath path=x_dugganusa_discovery.sources_with_zero_score{} output=missed
            | where isnotnull(missed)
            | stats count by missed
            | sort - count
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```
Feed Parameters
```
# High confidence for automated response
https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90
```
Why This Matters
Splunk ES has the data. We have the correlation.
You index everything. We correlate across 5 threat intelligence sources simultaneously.
When AbuseIPDB, VirusTotal, and ThreatFox all score an IP as zero — but we blocked it at 95% confidence — that's the indicator your SIEM needs.
244 unique discoveries. Free. Forever.
Democratic Sharing Law
This feed is free because hoarding threat intelligence is bullshit.
Zero marginal cost to share digital goods. We publish openly because that's how you prove you're telling the truth about your discoveries.
Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).
7.1x evidence-to-claims ratio. We show receipts.
Technical Details
• Format: STIX 2.1 Bundle
• Attribution: `created_by_ref: identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d`
• Update Frequency: Real-time from production auto-blocking
• License: CC0-1.0 (Public Domain)
• Contact: [email protected]
Support
Questions? Email [email protected]
API health: `https://analytics.dugganusa.com/api/v1/stix-feed/info`
Documentation: `https://analytics.dugganusa.com/docs/stix-feed.md`
Your security is our problem now.
— DugganUSA LLC (Minnesota)