How to Consume Our Free STIX/TAXII Threat Intelligence Feed: A SIEM Integration Guide

TL;DR

We publish free, public threat intelligence. No API key. No rate limits. No registration.

# Get threat indicators right now
curl https://analytics.dugganusa.com/api/v1/stix-feed/v2

This guide shows you how to integrate our feed into the top 5 SIEMs.

What We Publish

101,000+ IOCs from production security operations, updated hourly:

Format: STIX 2.1 (industry standard) Protocol: REST API + TAXII 2.1 License: CC0-1.0 (public domain) Cost: Free

Endpoints

STIX 2.1 REST API

Base URL: https://analytics.dugganusa.com

• days=30 - Filter to last N days (default: 30)

• min_confidence=80 - Minimum confidence score 0-100

• country=CN - Filter by 2-letter country code

• limit=100 - Maximum indicators returned

TAXII 2.1 Server

TAXII Collection ID: dugganusa-threat-intel

Quick Start Examples

Bash + jq

# Get all high-confidence IPs
curl -s "https://analytics.dugganusa.com/api/v1/stix-feed/v2?min_confidence=80" | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern' | \
  grep -oP "\d+\.\d+\.\d+\.\d+"

Python

#!/usr/bin/env python3
"""
DugganUSA STIX Feed Consumer
pip install requests stix2
"""

import requests from stix2 import parse

def fetch_threats(days=30, min_confidence=70): """Fetch threat indicators from DugganUSA feed.""" url = "https://analytics.dugganusa.com/api/v1/stix-feed/v2" params = { "days": days, "min_confidence": min_confidence }

response = requests.get(url, params=params) response.raise_for_status()

bundle = parse(response.json())

indicators = [] for obj in bundle.objects: if obj.type == 'indicator': # Extract IP from STIX pattern import re ip_match = re.search(r'\d+\.\d+\.\d+\.\d+', obj.pattern) if ip_match: indicators.append({ 'ip': ip_match.group(), 'name': obj.name, 'confidence': obj.confidence, 'labels': obj.labels, 'created': str(obj.created), 'custom': getattr(obj, 'x_dugganusa_threat_intel', {}) })

return indicators

def main(): print("Fetching high-confidence threats...") threats = fetch_threats(days=7, min_confidence=80)

print(f"\nFound {len(threats)} indicators:\n") for t in threats[:10]: print(f" {t['ip']:18} | {t['confidence']:3}% | {t['name'][:50]}")

if __name__ == "__main__": main() ```

JavaScript/Node.js

/**
 * DugganUSA STIX Feed Consumer
 * npm install node-fetch
 */

const fetch = require('node-fetch');

async function fetchThreats(options = {}) { const { days = 30, minConfidence = 70, country = null } = options;

const params = new URLSearchParams({ days: days.toString(), min_confidence: minConfidence.toString() });

if (country) params.append('country', country);

const url = https://analytics.dugganusa.com/api/v1/stix-feed/v2?${params}; const response = await fetch(url); const bundle = await response.json();

return bundle.objects .filter(obj => obj.type === 'indicator') .map(indicator => { const ipMatch = indicator.pattern.match(/\d+\.\d+\.\d+\.\d+/); return { ip: ipMatch ? ipMatch[0] : null, name: indicator.name, confidence: indicator.confidence, labels: indicator.labels, created: indicator.created, custom: indicator.x_dugganusa_threat_intel || {} }; }); }

// Usage (async () => { const threats = await fetchThreats({ days: 7, minConfidence: 80 }); console.log(Found ${threats.length} high-confidence threats); threats.slice(0, 5).forEach(t => { console.log( ${t.ip} - ${t.confidence}% - ${t.name}); }); })(); ```

SIEM Integration Guides

1. Splunk Enterprise Security

Splunk ES has native STIX/TAXII support via the Splunk Add-on for TAXII.

#### Option A: TAXII Add-on (Recommended)

1. Install the Add-on

1. Configure Data Input

1. Verify Data

#### Option B: HTTP Event Collector (Custom Script)

#!/usr/bin/env python3
"""
Splunk HEC STIX Ingestion
Cron: 0 * * * * /opt/scripts/splunk_stix_ingest.py
"""

import requests import json from datetime import datetime

def main(): # Fetch STIX bundle response = requests.get(f"{STIX_URL}?min_confidence=70") bundle = response.json()

for obj in bundle.get('objects', []): if obj.get('type') == 'indicator': event = { "time": datetime.now().timestamp(), "sourcetype": "stix:indicator", "index": "threat_intel", "event": obj }

requests.post(SPLUNK_HEC_URL, headers=headers, json=event, verify=False)

print(f"Ingested {len(bundle.get('objects', []))} objects")

if __name__ == "__main__": main() ```

#### Splunk Correlation Searches

-- Alert on connections to known C2
index=firewall dest_ip=*
| lookup threat_intel_iocs ip AS dest_ip OUTPUT threat_name, confidence
| where isnotnull(threat_name) AND confidence >= 80
| stats count by src_ip, dest_ip, threat_name, confidence

-- Enrich network events with threat intel index=network | join type=left dest_ip [ | inputlookup threat_intel_iocs | rename ip as dest_ip ] | where isnotnull(threat_type) | table _time, src_ip, dest_ip, threat_type, confidence, mitre_technique ```

2. Microsoft Sentinel

Sentinel has native Threat Intelligence connectors supporting STIX/TAXII.

#### Option A: Threat Intelligence - TAXII Connector

1. Enable the Connector

1. Add Server

1. Verify in Log Analytics

#### Option B: Logic App (Custom Integration)

Create a Logic App with HTTP trigger:

{
  "definition": {
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": {
          "frequency": "Hour",
          "interval": 1
        }
      }
    },
    "actions": {
      "HTTP_Get_STIX": {
        "type": "Http",
        "inputs": {
          "method": "GET",
          "uri": "https://analytics.dugganusa.com/api/v1/stix-feed/v2?min_confidence=70"
        }
      },
      "Parse_JSON": {
        "type": "ParseJson",
        "inputs": {
          "content": "@body('HTTP_Get_STIX')",
          "schema": {
            "type": "object",
            "properties": {
              "objects": { "type": "array" }
            }
          }
        }
      },
      "For_each_indicator": {
        "type": "Foreach",
        "foreach": "@body('Parse_JSON')?['objects']",
        "actions": {
          "Send_to_Sentinel": {
            "type": "ApiConnection",
            "inputs": {
              "host": {
                "connection": {
                  "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                }
              },
              "method": "post",
              "path": "/threatintelligence/createIndicator"
            }
          }
        }
      }
    }
  }
}

#### Sentinel Analytics Rules

-- Alert: Connection to Known Malicious IP
let MaliciousIPs = ThreatIntelligenceIndicator
    | where SourceSystem contains "DugganUSA"
    | where ConfidenceScore >= 80
    | where NetworkIP != ""
    | distinct NetworkIP;
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DestinationIP in (MaliciousIPs)
| project TimeGenerated, SourceIP, DestinationIP, DeviceAction, DeviceVendor

-- Hunting: Identify Potential C2 Beaconing let C2Indicators = ThreatIntelligenceIndicator | where Tags contains "c2" or Tags contains "botnet" | distinct NetworkIP; CommonSecurityLog | where DestinationIP in (C2Indicators) | summarize ConnectionCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), BytesSent = sum(SentBytes) by SourceIP, DestinationIP | where ConnectionCount > 10 | extend BeaconScore = ConnectionCount / datetime_diff('minute', LastSeen, FirstSeen) ```

3. Elastic Security (ELK Stack)

Elastic has native Threat Intelligence integrations via Fleet.

#### Option A: Fleet Integration (Recommended)

1. Add Integration

1. Configure TAXII Input

#### Option B: Logstash Pipeline

# /etc/logstash/conf.d/stix-feed.conf

input { http_poller { urls => { dugganusa => { method => get url => "https://analytics.dugganusa.com/api/v1/stix-feed/v2?min_confidence=70" } } schedule => { cron => "0 " } # Hourly codec => "json" } }

filter { split { field => "[objects]" }

if [objects][type] == "indicator" { mutate { add_field => { "[@metadata][index]" => "threat-intel" "indicator.type" => "%{[objects][type]}" "indicator.name" => "%{[objects][name]}" "indicator.confidence" => "%{[objects][confidence]}" "indicator.pattern" => "%{[objects][pattern]}" } }

grok { match => { "[objects][pattern]" => "%{IP:indicator.ip}" } }

output { if [@metadata][index] == "threat-intel" { elasticsearch { hosts => ["localhost:9200"] index => "threat-intel-%{+YYYY.MM}" document_id => "%{[objects][id]}" } } } ```

#### Elastic Detection Rules

{
  "name": "Connection to DugganUSA Threat Intel IOC",
  "description": "Detects network connections to IPs in DugganUSA threat feed",
  "risk_score": 73,
  "severity": "high",
  "type": "threat_match",
  "threat_index": ["threat-intel-*"],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "destination.ip",
          "type": "mapping",
          "value": "indicator.ip"
        }
      ]
    }
  ],
  "threat_indicator_path": "threat.indicator",
  "query": "event.category:network and destination.ip:*",
  "language": "kusto",
  "interval": "5m",
  "from": "now-6m"
}

# Kibana SIEM rule (YAML format)
name: High Confidence Malicious IP Connection
description: Alert when connection detected to IP with confidence >= 80
type: threat_match
threat_index:
  - threat-intel-*
threat_mapping:
  - entries:
      - field: destination.ip
        type: mapping
        value: indicator.ip
threat_filters:
  - query:
      match:
        indicator.confidence:
          gte: 80
index:
  - filebeat-*
  - packetbeat-*
query: 'event.category:network'

4. IBM QRadar

QRadar supports threat intelligence via Reference Sets and custom log sources.

#### Option A: Pulse App (STIX/TAXII Native)

1. Install IBM Security App Exchange - Threat Intelligence

2. Configure Feed

#### Option B: Reference Set Population Script

#!/usr/bin/env python3
"""
QRadar Reference Set Updater for DugganUSA STIX Feed
Cron: 0 * * * * /opt/scripts/qradar_stix_update.py
"""

import requests import re

def get_stix_ips(min_confidence=70): """Fetch IPs from STIX feed.""" response = requests.get(f"{STIX_URL}?min_confidence={min_confidence}") bundle = response.json()

ips = [] for obj in bundle.get('objects', []): if obj.get('type') == 'indicator': match = re.search(r'\d+\.\d+\.\d+\.\d+', obj.get('pattern', '')) if match: ips.append(match.group())

return list(set(ips))

def update_reference_set(ips): """Update QRadar reference set.""" headers = { "SEC": QRADAR_TOKEN, "Content-Type": "application/json" }

print(f"Updated {len(ips)} IPs in reference set")

def main(): ips = get_stix_ips(min_confidence=80) update_reference_set(ips)

if __name__ == "__main__": main() ```

#### QRadar AQL Queries

-- Find connections to malicious IPs
SELECT
    sourceip,
    destinationip,
    CATEGORYNAME(category) as category,
    SUM(eventcount) as event_count
FROM events
WHERE destinationip IN (
    SELECT * FROM reference_data('DugganUSA_Malicious_IPs')
)
GROUP BY sourceip, destinationip, category
ORDER BY event_count DESC
LAST 24 HOURS

-- Custom rule building block SELECT * FROM events WHERE ( sourceip IN reference_data('DugganUSA_Malicious_IPs') OR destinationip IN reference_data('DugganUSA_Malicious_IPs') ) AND NOT INCIDR(sourceip, '10.0.0.0/8') ```

5. CrowdStrike Falcon LogScale (Humio)

Falcon LogScale supports threat intel via custom parsers and scheduled queries.

#### Ingest Configuration

# Package manifest for LogScale
name: dugganusa-stix-feed
version: 1.0.0
description: DugganUSA Threat Intelligence Feed Ingestion

parsers: - name: stix-indicator script: | parseJson() | case { type == "indicator" | @rawstring := pattern | @timestamp := parseTimestamp("yyyy-MM-dd'T'HH:mm:ss", field=created) | regex("(?<ip>\d+\.\d+\.\d+\.\d+)", field=pattern) | threat_name := name | threat_confidence := confidence | @type := "stix_indicator"; * | drop(); }

scheduled-searches: - name: fetch-dugganusa-feed query: | // Fetch via HTTP data source @type=stix_indicator | groupBy([ip, threat_name, threat_confidence]) schedule: "0 " timeWindow: 1h ```

#### HTTP Data Source

# Configure HTTP input in LogScale
curl -X POST "https://cloud.humio.com/api/v1/repositories/threat-intel/datasources" \
  -H "Authorization: Bearer $HUMIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "dugganusa-stix",
    "url": "https://analytics.dugganusa.com/api/v1/stix-feed/v2?min_confidence=70",
    "parser": "stix-indicator",
    "pollIntervalSeconds": 3600
  }'

#### LogScale Queries

// Find connections to threat intel IPs
#type=network
| join({#type=stix_indicator}, field=dest_ip, key=ip, include=[threat_name, threat_confidence])
| threat_confidence >= 80
| groupBy([src_ip, dest_ip, threat_name])
| sort(count, order=desc)

// Alert on high-confidence C2 communication #type=firewall | in(dest_ip, values=["threat_intel_ips"]) | timechart(span=5m, function=count()) | alert( name="C2 Communication Detected", condition="_count > 0", throttle=15m )

// Threat intel coverage dashboard #type=stix_indicator | groupBy([threat_confidence]) | stats(count=count()) | sort(threat_confidence, order=desc) ```

TAXII Client Examples

Python (taxii2-client)

#!/usr/bin/env python3
"""
TAXII 2.1 Client for DugganUSA Feed
pip install taxii2-client stix2
"""

from taxii2client.v21 import Server, Collection, as_pages from stix2 import parse

TAXII_URL = "https://analytics.dugganusa.com/api/v1/taxii/" COLLECTION_ID = "dugganusa-threat-intel"

def main(): # Connect to TAXII server server = Server(TAXII_URL)

if __name__ == "__main__": main() ```

OpenCTI Integration

# docker-compose.yml addition for OpenCTI
services:
  connector-taxii:
    image: opencti/connector-taxii2:latest
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=dugganusa-taxii
      - CONNECTOR_NAME=DugganUSA-TAXII
      - TAXII2_URL=https://analytics.dugganusa.com/api/v1/taxii/
      - TAXII2_COLLECTION=dugganusa-threat-intel
      - TAXII2_INTERVAL=3600
      - TAXII2_INITIAL_HISTORY=30

Best Practices

1. Polling Frequency

2. Confidence Thresholds

3. Deduplication

• IPv4Address SCOs: ipv4-addr--{sha256(ip)[:36]}

• Same IP always gets same ID across fetches

• Safe to poll frequently without duplicates

4. Error Handling

import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry

session = requests.Session() retries = Retry( total=3, backoff_factor=1, status_forcelist=[500, 502, 503, 504] ) session.mount('https://', HTTPAdapter(max_retries=retries))

response = session.get( "https://analytics.dugganusa.com/api/v1/stix-feed/v2", timeout=30 ) ```

Feed Statistics (Live)

As of January 2026:

Why Free?

We believe shared intelligence improves faster than hoarded intelligence.

• Zero marginal cost to share digital goods

• Community feedback improves detection

• Open data prevents vendor lock-in

• Transparency builds trust

We're a two-person shop competing with $5,000/month enterprise offerings by being more useful, not more expensive.

Support

• Email: [email protected]

• Feed Status: https://status.dugganusa.com

• Documentation: https://analytics.dugganusa.com/docs/stix-feed

Found a false positive? Email us with the IP - we investigate every report.

Need a custom integration? We're happy to help - no charge for reasonable requests.

License

CC0-1.0 (Public Domain)

Use it however you want. Attribution appreciated but not required:

Threat intelligence provided by DugganUSA
https://analytics.dugganusa.com/api/v1/stix-feed

Published by DugganUSA LLC - Minnesota's finest threat intel operation.

"The Cribl of Agentic AI"

Her name is Renee Nicole Good.