
Integrating STIX/TAXII Threat Intelligence Feeds with Palo Alto Products: A Practical Guide

  • Writer: Patrick Duggan
  • Dec 11, 2025
  • 7 min read

---
title: "Integrating STIX/TAXII Threat Intelligence Feeds with Palo Alto Products: A Practical Guide"
slug: stix-taxii-palo-alto-integration-guide
date: 2025-12-11
author: Patrick Duggan
tags: [stix, taxii, palo-alto, cortex, xdr, firewall, threat-intelligence, arctic-wolf, integration, edl]
category: Technical Guides
featured: true
---


For Security Teams Looking to Operationalize Threat Intel


A customer recently asked me: "How do I get external STIX feeds into my Palo Alto environment?" It's a great question, and the answer depends on which Palo Alto product you're using. This guide covers integration with Cortex XDR and Palo Alto Next-Generation Firewalls (NGFW/Panorama).


We'll use two examples: Arctic Wolf's Threat Intelligence Plus feed (for our friends at Arctic Wolf) and our own DugganUSA STIX feed.




Understanding STIX and TAXII


Before diving into configuration, let's clarify what we're working with:



• STIX (Structured Threat Information eXpression): A standardized language for describing cyber threat information - indicators, campaigns, threat actors, TTPs

• TAXII (Trusted Automated eXchange of Intelligence Information): The HTTPS-based API for sharing STIX data between systems. A client fetches a discovery document, picks an API root, lists its collections, and then polls a collection for objects added since its last visit



```mermaid
flowchart LR
    subgraph Sources["Threat Intel Sources"]
        AW[Arctic Wolf TI+]
        DG[DugganUSA STIX]
        OTX[AlienVault OTX]
    end

    subgraph Transport["STIX/TAXII Protocol"]
        TAXII[TAXII Server]
    end

    subgraph PaloAlto["Palo Alto Products"]
        XDR[Cortex XDR]
        NGFW[NGFW / Panorama]
    end

    subgraph Actions["Automated Actions"]
        BLOCK[Block IOCs]
        ALERT[Generate Alerts]
        HUNT[Threat Hunting]
    end

    Sources --> Transport
    Transport --> PaloAlto
    PaloAlto --> Actions
```




Option 1: Cortex XDR Integration


Cortex XDR handles threat intelligence with a focus on endpoint telemetry enrichment and correlation. It's the ideal choice for organizations wanting to enrich endpoint alerts with external threat context.


External Threat Intelligence Integration


1. Navigate to Settings > Configurations > Threat Intelligence
2. Click + Add Threat Intelligence Service



```mermaid
flowchart TB
    subgraph XDR["Cortex XDR"]
        TI[Threat Intelligence Module]
        ALERTS[Alert Engine]
        EDR[Endpoint Data]
    end

    subgraph Feeds["External Feeds"]
        STIX[STIX/TAXII Feeds]
    end

    STIX -->|IOCs| TI
    TI -->|Enrich| EDR
    EDR -->|Match| ALERTS
    ALERTS -->|Priority| SOC[SOC Team]
```


Configuration for Arctic Wolf Threat Intelligence Plus


| Field | Value |
|-------|-------|
| Service Name | `Arctic Wolf TI+` |
| Feed Type | STIX/TAXII |
| Discovery URL | `https://[your-arctic-wolf-tenant].taxii.arcticwolf.com/taxii2/` |
| API Key | (From Arctic Wolf Portal) |
| Collection | As provided by Arctic Wolf |
| Polling Interval | 60 minutes (recommended) |


> Note: Arctic Wolf's Threat Intelligence Plus feed contains SOC-proven indicators - the same IOCs their analysts use for managed detection. This means low false positive rates.


Configuration for DugganUSA STIX Feed


| Field | Value |
|-------|-------|
| Service Name | `DugganUSA` |
| STIX Feed URL | `https://analytics.dugganusa.com/api/stix/bundle` |
| Authentication | None required (public feed) |
| STIX Version | 2.1 |
| Polling Interval | 15 minutes |
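The Discovery URL in the tables above is the entry point of a TAXII 2.1 exchange: the client fetches the discovery resource, picks an API root, then pages through a collection's objects. The following is an added example, not Cortex XDR's or either vendor's client code, that walks through that exchange with both sides' messages. The host `taxii.example.test`, the collection ID and the two pages of objects are constructed, and the HTTP transport is a callable so the block runs offline. Two checks matter operationally: the `Accept` header must carry the TAXII 2.1 media type (a compliant server answers 406 otherwise), and the response must actually be TAXII JSON before it is parsed, so a proxy error page or captive portal never reaches the indicator pipeline.

```python
"""Incremental TAXII 2.1 poll: discovery -> API root -> collection objects.

Added example, not Cortex XDR's, Arctic Wolf's or DugganUSA's client code.
The transport is a callable so the exchange runs offline against the
constructed in-memory server at the bottom; swap in a real HTTPS fetch with
the same (status, headers, body) contract for production use.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TAXII_MEDIA = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

# fetch(url, request_headers) -> (status, response_headers, body)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def taxii_get(fetch: Fetch, url: str, token: Optional[str]) -> Tuple[dict, Dict[str, str]]:
    """One TAXII GET with the mandatory Accept header and strict response checks."""
    headers = {"Accept": TAXII_MEDIA}
    if token:
        headers["Authorization"] = f"Bearer {token}"  # auth scheme varies by vendor
    status, resp_headers, body = fetch(url, headers)
    if status != 200:
        raise RuntimeError(f"TAXII GET {url}: HTTP {status}")
    ctype = resp_headers.get("Content-Type", "")
    if not ctype.startswith("application/taxii+json"):
        # A proxy error page or captive portal is not a feed; never parse it.
        raise RuntimeError(f"TAXII GET {url}: unexpected Content-Type {ctype!r}")
    return json.loads(body), resp_headers


def discover(fetch: Fetch, discovery_url: str, token: Optional[str] = None) -> str:
    """Discovery resource -> API root (the 'default' root, else the first listed)."""
    doc, _ = taxii_get(fetch, discovery_url, token)
    return doc.get("default") or doc["api_roots"][0]


def poll_collection(fetch: Fetch, api_root: str, collection_id: str,
                    added_after: Optional[str] = None, token: Optional[str] = None):
    """Fetch every page of objects added after `added_after`.

    Returns (objects, cursor). Persist `cursor` (the X-TAXII-Date-Added-Last
    header of the last page) and pass it back as `added_after` on the next
    poll so each run only transfers new indicators.
    """
    base = f"{api_root}collections/{collection_id}/objects/"
    objects: List[dict] = []
    cursor, next_page = added_after, None
    while True:
        params = []
        if added_after:
            params.append(f"added_after={added_after}")
        if next_page:
            params.append(f"next={next_page}")  # server-issued paging token
        url = base + ("?" + "&".join(params) if params else "")
        envelope, headers = taxii_get(fetch, url, token)
        objects.extend(envelope.get("objects", []))
        cursor = headers.get("X-TAXII-Date-Added-Last", cursor)
        if envelope.get("more") and envelope.get("next"):
            next_page = envelope["next"]
        else:
            return objects, cursor


# ---- constructed in-memory TAXII server (hypothetical host, IDs and data) ----
DISCOVERY_URL = "https://taxii.example.test/taxii2/"
API_ROOT = "https://taxii.example.test/api1/"
COLLECTION = "7a3f2c9e-1b44-4d7f-9c0e-2a6b8d5e4f10"
PAGE_ADDED = ["2025-12-10T09:00:00.000Z", "2025-12-10T09:05:00.000Z"]
PAGES = [
    {"objects": [{"type": "indicator", "id": "indicator--1",
                  "pattern": "[ipv4-addr:value = '198.51.100.7']"}],
     "more": True, "next": "page2"},
    {"objects": [{"type": "indicator", "id": "indicator--2",
                  "pattern": "[domain-name:value = 'login.evil.example']"}],
     "more": False},
]


def fake_fetch(url: str, headers: Dict[str, str]):
    """Stand-in for an HTTPS client; honours Accept, paging and added_after."""
    if headers.get("Accept") != TAXII_MEDIA:
        return 406, {}, b""
    ok = {"Content-Type": TAXII_MEDIA}
    if url == DISCOVERY_URL:
        doc = {"title": "Example TAXII", "default": API_ROOT, "api_roots": [API_ROOT]}
        return 200, ok, json.dumps(doc).encode()
    p = urlparse(url)
    if p.path == f"/api1/collections/{COLLECTION}/objects/":
        q = parse_qs(p.query)
        since = q.get("added_after", [""])[0]
        if since >= PAGE_ADDED[-1]:  # nothing newer than the caller's cursor
            return 200, {**ok, "X-TAXII-Date-Added-Last": since}, b'{"objects": [], "more": false}'
        page = 1 if q.get("next") == ["page2"] else 0
        return 200, {**ok, "X-TAXII-Date-Added-Last": PAGE_ADDED[page]}, json.dumps(PAGES[page]).encode()
    return 404, {}, b""


if __name__ == "__main__":
    root = discover(fake_fetch, DISCOVERY_URL)
    objs, cur = poll_collection(fake_fetch, root, COLLECTION)
    print(len(objs), "objects on first poll; cursor", cur)
    again, _ = poll_collection(fake_fetch, root, COLLECTION, added_after=cur)
    print(len(again), "objects on incremental poll")
```

The cursor is the part teams most often get wrong: without persisting `X-TAXII-Date-Added-Last` and sending it back as `added_after`, every poll re-downloads the whole collection, which is what turns a 15-minute interval into rate-limit errors on a large feed.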


What Happens After Integration



• Endpoint events are automatically enriched with IOC context

• Alerts include threat intel correlation

• Historical events can be searched against new indicators

• Incident priority is adjusted based on IOC matches




Option 2: NGFW / Panorama External Dynamic Lists


For Palo Alto firewalls (physical or virtual), External Dynamic Lists (EDL) provide the most direct integration path for blocking malicious indicators. This is the bread-and-butter approach for most organizations.


Architecture Overview



```mermaid
flowchart LR
    subgraph Intel["Threat Intelligence"]
        STIX[STIX Feed Provider]
        EDL_SVC[EDL Service]
    end

    subgraph EDL["External Dynamic Lists"]
        IP_EDL[IP Address List]
        URL_EDL[URL List]
        DOMAIN_EDL[Domain List]
    end

    subgraph NGFW["Palo Alto NGFW"]
        POLICY[Security Policy]
        BLOCK[Block Action]
    end

    STIX -->|Converts| EDL_SVC
    EDL_SVC --> EDL
    EDL --> NGFW
    NGFW --> BLOCK
```
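What the EDL Service box in the diagram does, and what the STIX objects described in the introduction carry beyond a plain-text list, is clearest in code. The block below is an added example, not DugganUSA's or Arctic Wolf's converter: it reads a constructed STIX 2.1 bundle and emits the IP, domain and URL lists a PAN-OS EDL consumes, dropping revoked and expired indicators and refusing patterns whose meaning is narrower than "this value is bad" (an IP ANDed with a port, a negation, a regex match), since exporting just the value from those over-blocks. Hash indicators are reported as skipped rather than exported, because there is no EDL type for them. Treating PAN-OS URL list entries as scheme-less is an assumption, marked in the code.

```python
"""Turn a STIX 2.1 bundle into the plain-text lists a PAN-OS EDL expects.

Added example, not DugganUSA's converter. Only the patterning subset shown in
the constructed bundle is handled; anything else is reported as skipped rather
than guessed at, because a wrong guess here becomes a firewall rule.
"""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Simple equality comparisons on the observable types an EDL can carry.
OBSERVABLE_RE = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")
# Operators/qualifiers that narrow a pattern (IP AND port, negation, regex,
# temporal windows). Checked on the pattern with quoted values blanked out.
NARROWING_RE = re.compile(
    r"\b(AND|FOLLOWEDBY|NOT|MATCHES|LIKE|ISSUBSET|ISSUPERSET|WITHIN|REPEATS|START)\b|!=|[<>]")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_active(ind: dict, now: datetime) -> bool:
    """Revoked indicators and ones past valid_until must not be exported."""
    if ind.get("revoked"):
        return False
    until = ind.get("valid_until")
    return not (until and _ts(until) <= now)


def edl_url(value: str) -> str:
    """Assumption: PAN-OS URL list entries are matched without the scheme."""
    u = urlsplit(value)
    return u.netloc.lower() + (u.path or "/") + (f"?{u.query}" if u.query else "")


def bundle_to_edls(bundle: dict, now: datetime):
    """Return ({'ips': [...], 'domains': [...], 'urls': [...]}, skipped_indicator_ids)."""
    out = {"ips": set(), "domains": set(), "urls": set()}
    skipped = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # not an indicator, or a Snort/YARA/Sigma pattern: not EDL material
        if not is_active(obj, now):
            continue
        pattern = obj.get("pattern", "")
        if NARROWING_RE.search(re.sub(r"'[^']*'", "''", pattern)):
            skipped.append(obj["id"])
            continue
        matches = OBSERVABLE_RE.findall(pattern)
        if not matches:
            skipped.append(obj["id"])  # e.g. file hashes: no PAN-OS EDL type exists
            continue
        for kind, value in matches:
            if kind in ("ipv4-addr", "ipv6-addr"):
                try:
                    ipaddress.ip_network(value, strict=False)  # host address or CIDR
                except ValueError:
                    skipped.append(obj["id"])
                    continue
                out["ips"].add(value)
            elif kind == "domain-name":
                out["domains"].add(value.lower().rstrip("."))
            else:
                out["urls"].add(edl_url(value))
    return {k: sorted(v) for k, v in out.items()}, skipped


def render(entries) -> str:
    """One entry per line with a trailing newline: the body the firewall fetches."""
    return "".join(e + "\n" for e in entries)


# Constructed sample bundle (ids abbreviated, values from documentation ranges).
SAMPLE_NOW = datetime(2025, 12, 11, tzinfo=timezone.utc)
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--sample",
    "objects": [
        {"type": "indicator", "id": "indicator--c2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.0/28']"},
        {"type": "indicator", "id": "indicator--dom", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Login.Evil.Example.']"},
        {"type": "indicator", "id": "indicator--url", "pattern_type": "stix",
         "pattern": "[url:value = 'https://cdn.evil.example/dl/agent.exe?x=1']"},
        {"type": "indicator", "id": "indicator--revoked", "pattern_type": "stix",
         "revoked": True, "pattern": "[domain-name:value = 'was-bad.example']"},
        {"type": "indicator", "id": "indicator--expired", "pattern_type": "stix",
         "valid_until": "2025-11-01T00:00:00.000Z",
         "pattern": "[ipv4-addr:value = '198.51.100.250']"},
        {"type": "indicator", "id": "indicator--narrow", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.99' AND network-traffic:dst_port = 4444]"},
        {"type": "indicator", "id": "indicator--hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "']"},
        {"type": "malware", "id": "malware--loader", "name": "Loader"},
    ],
}

if __name__ == "__main__":
    lists, skipped = bundle_to_edls(SAMPLE_BUNDLE, SAMPLE_NOW)
    print(render(lists["ips"]), render(lists["domains"]), render(lists["urls"]), sep="--\n")
    print("skipped:", skipped)
```

Run it and the expired C2 address and the revoked domain are gone, the port-qualified indicator is reported instead of becoming a blanket block, and the three rendered bodies are exactly what the `/api/edl/ips`, `/domains` and `/urls` endpoints need to serve.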


Direct EDL Configuration


The easiest approach is using pre-formatted EDL endpoints. Both Arctic Wolf and DugganUSA provide these:


#### DugganUSA EDL Endpoints (Free)


| EDL Type | URL |
|----------|-----|
| Malicious IPs | `https://analytics.dugganusa.com/api/edl/ips` |
| Malicious Domains | `https://analytics.dugganusa.com/api/edl/domains` |
| Malicious URLs | `https://analytics.dugganusa.com/api/edl/urls` |


#### Arctic Wolf TI+ EDL Endpoints


Contact your Arctic Wolf representative for your tenant-specific EDL URLs. They provide the same IOCs in both STIX/TAXII and plain-text EDL format.


Step-by-Step NGFW EDL Configuration


#### Step 1: Create the External Dynamic List


1. Log into your Palo Alto firewall or Panorama
2. Navigate to Objects > External Dynamic Lists
3. Click Add
4. Configure:

```text
Name: DugganUSA-Malicious-IPs
Type: IP List
Source: https://analytics.dugganusa.com/api/edl/ips
Certificate Profile: a profile that validates the source server's certificate
Update Frequency: Hourly
```

The source above is HTTPS, so attach a certificate profile rather than leaving it empty. On commit this list becomes a deny rule, and a fetch that does not verify the server is one an on-path attacker can feed: adding your own DNS resolvers or SaaS ranges to it causes an outage, and removing entries silently unblocks them. Plain-HTTP sources cannot use a profile at all, which is why they belong only on a trusted management network, if anywhere.


Repeat for domains and URLs if needed.


#### Step 2: Create Security Policy


1. Navigate to Policies > Security
2. Click Add to create a new rule
3. Configure:

```text
Name: Block-ThreatIntel-IPs
Source Zone: Any (or your internal zones)
Source Address: Any
Destination Zone: Any
Destination Address: DugganUSA-Malicious-IPs (select the EDL)
Application: Any
Service: Any
Action: Deny
Log at Session End: Yes
Log Forwarding: (Your log profile)
```

Place this rule above any broad allow rules: the rulebase is evaluated top-down and the first match wins, so a deny that sits below an "allow any" never fires. For services you expose inbound (web, VPN), add a mirror rule with the EDL as the Source Address.



```mermaid
sequenceDiagram
    participant FW as Palo Alto NGFW
    participant EDL as EDL Service
    participant TI as Threat Intel Feed
    participant USER as Internal User

    Note over EDL,TI: Hourly Update Cycle
    EDL->>TI: Fetch latest IOCs
    TI-->>EDL: Return malicious IPs
    FW->>EDL: Poll EDL (hourly)
    EDL-->>FW: Updated IP list

    Note over FW,USER: Real-time Blocking
    USER->>FW: Connection to malicious IP
    FW->>FW: Check against EDL
    FW-->>USER: Connection DENIED
    FW->>FW: Log blocked connection
```


#### Step 3: Commit and Verify


1. Click Commit to push the configuration
2. Verify the EDL is populated: Objects > External Dynamic Lists > [Your EDL] > more actions > View Entries. From the CLI, `request system external-list show type ip name DugganUSA-Malicious-IPs` lists the entries the firewall is actually enforcing, and `test security-policy-match source <internal-host> destination <listed-ip> protocol 6 destination-port 443` shows which rule a flow to a listed address would hit without generating any traffic
3. Check the traffic log for sessions matched by Block-ThreatIntel-IPs; if you want a live test, pick one listed address and use a throwaway host rather than a production workstation


URL and Domain EDLs


For URL filtering the process is similar, but a URL EDL is not a destination address object; it is enforced as a URL category through a URL Filtering profile:

1. Create the URL EDL: Objects > External Dynamic Lists > Add
   - Type: URL List
   - Source: `https://analytics.dugganusa.com/api/edl/urls`

2. Create a URL Filtering profile: Objects > Security Profiles > URL Filtering
   - The URL EDL appears as a category in the profile; set its action to Block

3. Apply it to a Security policy: attach the URL Filtering profile to the allow rule that carries the web traffic. A profile on a deny rule never evaluates, because the session is dropped before URL inspection, and without SSL decryption the firewall only sees the hostname of HTTPS sessions, so path-level URL entries will not match encrypted traffic




Arctic Wolf Threat Intelligence Plus: What Makes It Different


Arctic Wolf's September 2025 enhancement to Threat Intelligence Plus deserves special attention:


Key Differentiators


1. SOC-Proven Indicators: These aren't scraped from random feeds. They're the exact IOCs used by Arctic Wolf's SOC team for managed detection and response.


2. Low False Positive Rates: Because indicators are operationally tested before distribution.


3. Real-Time Updates: New indicators are pushed as they're validated - not on a daily or weekly schedule.


4. Cross-Platform Support: Native STIX/TAXII and EDL formats mean integration with firewalls, SIEMs, email gateways, and endpoint protection.


Integration Architecture



```mermaid
flowchart TB
    subgraph ArcticWolf["Arctic Wolf"]
        AURORA[Aurora Platform]
        SOC[24x7 SOC]
        IR[Incident Response]
    end

    subgraph TIPlus["Threat Intelligence Plus"]
        VALIDATION[IOC Validation]
        FEED[STIX/TAXII + EDL]
    end

    subgraph Customer["Customer Environment"]
        FW[Firewalls]
        EMAIL[Email Gateway]
        EDR2[EDR/XDR]
    end

    AURORA -->|8T events/week| SOC
    SOC -->|Validated IOCs| VALIDATION
    IR -->|Case-derived IOCs| VALIDATION
    VALIDATION --> FEED
    FEED -->|STIX/TAXII or EDL| Customer
```




DugganUSA STIX Feed: Novel Threat Intelligence


Our feed focuses on novel indicators - threats that haven't yet been widely reported. We achieve this through:


1. Bloom Filter Deduplication: We track what's already in major feeds and only publish what's new
2. 10-Minute Sweep Cycles: Near real-time detection of emerging threats
3. Multi-Source Correlation: ThreatFox, URLhaus, OpenPhish, and our own GitHub malware detection


Feed Details


| Attribute | Value |
|-----------|-------|
| Format | STIX 2.1 + Plain-text EDL |
| Update Frequency | Every 10 minutes |
| Indicator Types | IP, Domain, URL, Hash |
| Focus | Novel C2, Phishing, Malware Distribution |
| Cost | Free |


Access Points


| Format | URL |
|--------|-----|
| STIX Bundle | `https://analytics.dugganusa.com/api/stix/bundle` |
| IP EDL | `https://analytics.dugganusa.com/api/edl/ips` |
| Domain EDL | `https://analytics.dugganusa.com/api/edl/domains` |
| URL EDL | `https://analytics.dugganusa.com/api/edl/urls` |
| OTX Pulse | DugganUSA on AlienVault OTX |




Recommended Integration Pattern


For organizations with Cortex XDR and NGFW:



```mermaid
flowchart TB
    subgraph Feeds["Threat Feeds"]
        AW[Arctic Wolf TI+]
        DG[DugganUSA]
        INT[Internal TI]
    end

    subgraph XDR["Cortex XDR"]
        STIX_IN[STIX/TAXII Ingest]
        ENRICH[Endpoint Enrichment]
        ALERT[Alert Correlation]
    end

    subgraph NGFW["NGFW/Panorama"]
        EDL_IN[EDL Ingest]
        POLICY[Security Policy]
        BLOCK[Block at Perimeter]
    end

    AW -->|STIX| XDR
    DG -->|STIX| XDR
    AW -->|EDL| NGFW
    DG -->|EDL| NGFW
    INT --> XDR
    INT --> NGFW

    STIX_IN --> ENRICH --> ALERT
    EDL_IN --> POLICY --> BLOCK
```


Why This Pattern?


1. Defense in Depth: XDR catches what gets past the firewall
2. Different Enforcement Points: Block at perimeter (NGFW) + detect on endpoint (XDR)
3. Unified Threat Context: Both products see the same IOCs
4. No Single Point of Failure: If one misses, the other catches




Troubleshooting Common Issues


EDL Not Updating



EDL shows 0 entries or stale data


Solution:
1. Verify the EDL URL is accessible from the firewall (test with `curl` from the management plane; the management interface fetches EDLs unless a service route sends that traffic out a data-plane interface)
2. Check certificate validation settings: a certificate profile that cannot validate the server's chain fails the fetch, and the firewall keeps enforcing the last copy it retrieved successfully, so "stale" usually means "broken source" rather than "slow source"
3. Force refresh: Objects > External Dynamic Lists > [EDL] > Refresh, or `request system external-list refresh type ip name <EDL-name>` from the CLI
4. Check the system log for HTTP errors


XDR Not Correlating



IOCs are ingested but no alerts are generated


Solution:
1. Verify the feed is actively polling (check the last update timestamp)
2. Confirm indicator types match your telemetry (e.g., you need network telemetry for IP IOCs)
3. Check retention settings: historical correlation has time limits


High False Positive Rate



• Use allow-lists for known-good infrastructure (CDNs, cloud providers)

• Consider feed reputation (Arctic Wolf's SOC-proven = low FP)

• For EDLs, create exception rules for critical business applications
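The allow-list advice above can be applied before the list ever reaches the firewall. Below is an added example, not a PAN-OS feature and not either vendor's tooling: a pre-publication check for an IP EDL that rejects malformed lines, RFC 1918/loopback/link-local/multicast space, entries overlapping your known-good ranges, and over-wide prefixes, while keeping the single addresses, CIDRs and `a-b` ranges the firewall accepts. The allow-list networks and the sample feed lines are constructed placeholders; treating `#` as a comment marker is this checker's convention.

```python
"""Sanity-check an IP EDL before the firewall consumes it.

Added example, not a PAN-OS feature. A /8 or an RFC 1918 block in a deny
list is a feed bug rather than intel, and an entry inside your CDN or cloud
egress ranges is an outage waiting for a commit. Allow-list ranges and the
sample feed are constructed placeholders; customise ALLOW for your estate.
"""
import ipaddress
from typing import List, Tuple

RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",   # loopback, link-local, multicast
    "::1/128", "fe80::/10", "ff00::/8",
)]

# Hypothetical known-good ranges (CDN, SaaS, cloud egress): placeholders.
ALLOW = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def parse_entry(entry: str):
    """Networks an EDL line covers (host, CIDR or a-b range); ValueError if malformed."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def overlaps(nets, candidates) -> bool:
    return any(n.version == c.version and n.overlaps(c) for n in nets for c in candidates)


def check_edl(lines, allow=ALLOW, min_prefix_v4: int = 20,
              min_prefix_v6: int = 48) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (kept_entries, [(entry, reason), ...]), feed order kept, duplicates dropped."""
    kept, rejected, seen = [], [], set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # this checker treats '#' as a comment
        if not entry or entry in seen:
            continue
        seen.add(entry)
        try:
            nets = parse_entry(entry)
        except ValueError:
            rejected.append((entry, "not an IP, CIDR or range"))
            continue
        floor = min_prefix_v4 if nets[0].version == 4 else min_prefix_v6
        if any(n.prefixlen < floor for n in nets):
            rejected.append((entry, f"wider than /{floor}"))
        elif overlaps(nets, RESERVED):
            rejected.append((entry, "reserved/private space"))
        elif overlaps(nets, allow):
            rejected.append((entry, "overlaps allow-list"))
        else:
            kept.append(entry)
    return kept, rejected


# Constructed sample feed body, not real indicators.
SAMPLE_FEED = """\
# constructed sample feed
198.51.100.7
198.51.100.7
198.51.100.200-198.51.100.210
203.0.113.10
10.20.30.40
198.51.0.0/16
2001:db8::1
not-an-ip
"""

if __name__ == "__main__":
    kept, rejected = check_edl(SAMPLE_FEED.splitlines())
    print("\n".join(kept))
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
```

Run this in the job that publishes the list (or as a proxy in front of a vendor URL) and log the rejections: a sudden burst of "overlaps allow-list" rejections is itself a signal, either a feed regression upstream or your own infrastructure being reported as malicious.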


Connection Timeouts



Error: Connection timeout to EDL/TAXII server


Solution:
1. Check firewall rules allowing outbound HTTPS from the management plane
2. Verify DNS resolution
3. Test connectivity: `curl -I https://analytics.dugganusa.com/api/edl/ips`




Conclusion


Integrating STIX/TAXII threat intelligence with Palo Alto products is straightforward once you understand the options:



• Cortex XDR: Use STIX/TAXII for endpoint enrichment and alert correlation

• NGFW/Panorama: Use EDLs for perimeter blocking - the simplest and most effective approach


Both Arctic Wolf's Threat Intelligence Plus and our DugganUSA feed provide value - Arctic Wolf for SOC-proven, low-FP indicators, and DugganUSA for novel threat detection that fills gaps in traditional feeds.


The key is layering: block at the perimeter with EDLs, and correlate on endpoints with XDR. This gives you defense in depth without requiring complex integration architecture.




Resources



• [Palo Alto EDL Configuration Guide](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list)

• [Cortex XDR External Threat Intelligence](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Threat-Intelligence-Feed)

• [Arctic Wolf Threat Intelligence Plus Announcement](https://arcticwolf.com/resources/press-releases/arctic-wolf-enhances-threat-intelligence-plus-to-strengthen-proactive-defense/)

• [DugganUSA STIX Feed](https://analytics.dugganusa.com)

• [STIX 2.1 Specification](https://oasis-open.github.io/cti-documentation/stix/intro.html)




*Patrick Duggan is the founder of DugganUSA LLC, a threat intelligence company in Minnesota. He builds tools that help security teams operationalize threat data.*


*Generated: 2025-12-11*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

