
QRadar + DugganUSA STIX: Configure the Feed in 15 Minutes

  • Writer: Patrick Duggan

If your SOC runs IBM QRadar, this is how you hook our STIX/TAXII feed into it. Fifteen minutes, two paths, neither involves calling an IBM sales engineer.


I am not going to explain why you should run QRadar or why you shouldn't. If you're here, you already have it. Let's get the feed working.



Step 1: Get an API key


Go to analytics.dugganusa.com/stix/register and fill in the form. The free tier gives you 25 queries per day and is fine for testing. The Pro tier at $99 per month is what most production SOCs end up on because it lifts the rate limit and unlocks the full index. The Enterprise tier is for F500 scale.


You'll get back an API key that looks like this:


dugusa_XXXXXXXXXXXXXXXXXXXXXXXX


Copy it. You'll paste it twice in the steps below.



Step 2: Pick your path


There are two ways to get our feed into QRadar. Pick the one your version supports.


Path A — TAXII 2.1 (QRadar 7.4.3 or newer, with the Threat Intelligence app installed). This is the clean path. QRadar polls our TAXII server on a schedule, pulls the STIX 2.1 bundles, and populates its internal threat-intelligence tables automatically. Handles updates, expirations, and confidence scores natively.


Path B — CSV reference sets (any QRadar version). Four reference sets, one per IOC type (IPs, domains, hashes, URLs). QRadar pulls the CSVs on a schedule via Reference Data Import. Simpler, older-version compatible, and some admins prefer it because reference sets are what their existing AQL rules already query.


If you have 7.4.3+ and the TI app, use Path A. If you don't, or your TI app license has lapsed, use Path B. Both work.



Path A: TAXII 2.1 setup


Navigate to Admin → Plug-ins → IBM Threat Intelligence → Add Collection Source.


Fill in:


  • Name: DugganUSA STIX Feed

  • URL: https://analytics.dugganusa.com/api/v1/stix-feed/taxii2

  • Authentication: Select "Custom Authentication" if your version supports it. Header name: Authorization. Header value: Bearer followed by a space and your key. So: Bearer dugusa_XXXXXXXXXXXXXXXXXXXXXXXX

  • Poll interval: 60 minutes. We update IOCs continuously, but 60 minutes is the right balance between freshness and rate-limit friction.

  • Collections: Select all. We publish IPs, domains, URLs, and hashes as separate STIX 2.1 observable types; selecting all maps them to the correct QRadar reference sets automatically.

Save. QRadar will attempt an initial pull within a minute. Check Admin → System → System Logs for the line mentioning "TAXII Discovery successful" — that's your confirmation.


If your QRadar version's TAXII UI does not allow custom headers, use this alternate URL instead:


https://analytics.dugganusa.com/api/v1/stix-feed/taxii2?api_key=YOUR_KEY_HERE


Replace YOUR_KEY_HERE with your actual key. We support query-parameter auth specifically for SIEMs whose TAXII clients cannot inject custom HTTP headers. It is less secure because the key ends up in URL access logs, but it is acceptable for a legitimately issued key, and it unblocks older QRadar deployments without requiring an app upgrade.
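As an added example (not code from the post or from DugganUSA's own tooling), here is a small Python helper that covers the two authentication modes above and the collection-to-reference-set mapping: it builds the discovery request with either the Bearer header or the api_key query parameter, redacts the key before a URL is written to a log, and sorts the indicators in a STIX 2.1 bundle into the four reference sets while skipping revoked or expired ones. The bundle and its indicator values are constructed, the reference-set names follow the post's naming convention, and the pattern parser only handles simple equality comparisons.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

TAXII_URL = "https://analytics.dugganusa.com/api/v1/stix-feed/taxii2"
# STIX 2.1 observable type -> reference set, following the post's naming convention
SET_FOR_TYPE = {"ipv4-addr": "DugganUSA:MaliciousIPs", "domain-name": "DugganUSA:MaliciousDomains",
                "url": "DugganUSA:MaliciousURLs", "file": "DugganUSA:MaliciousHashes"}
# One comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.5'
COMPARISON = re.compile(r"([\w-]+):[\w.'-]+\s*=\s*'([^']+)'")

def build_request(api_key, header_auth=True):
    """(url, headers) for the discovery call: Bearer header, or the api_key query fallback."""
    headers = {"Accept": "application/taxii+json;version=2.1"}
    if header_auth:
        headers["Authorization"] = f"Bearer {api_key}"
        return TAXII_URL, headers
    return f"{TAXII_URL}?{urlencode({'api_key': api_key})}", headers

def redact_url(url):
    """Mask api_key before a URL is written to a log line (query-param auth leaks it otherwise)."""
    parts = urlparse(url)
    query = [(k, "REDACTED" if k == "api_key" else v) for k, v in parse_qsl(parts.query)]
    return urlunparse(parts._replace(query=urlencode(query)))

def bucket_indicators(bundle, now=None):
    """Map live indicators in a STIX 2.1 bundle to reference sets; skip revoked or expired ones."""
    now = now or datetime.now(timezone.utc)
    sets = {name: set() for name in SET_FOR_TYPE.values()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # expired indicator; the TAXII path handles these expirations itself
        for obs_type, value in COMPARISON.findall(obj.get("pattern", "")):
            if obs_type in SET_FOR_TYPE:
                sets[SET_FOR_TYPE[obs_type]].add(value)
    return sets

def _ind(pattern, **extra):  # builds a constructed sample indicator, not real feed data
    return {"type": "indicator", "pattern_type": "stix", "pattern": pattern, **extra}

SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _ind("[ipv4-addr:value = '203.0.113.5']", valid_until="2099-01-01T00:00:00Z"),
    _ind("[domain-name:value = 'bad.example']"),
    _ind("[url:value = 'http://bad.example/dl']", valid_until="2020-01-01T00:00:00Z"),  # expired
    _ind("[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
    _ind("[ipv4-addr:value = '198.51.100.9']", revoked=True),
]}
```

Run `bucket_indicators(SAMPLE_BUNDLE)` to see that only the live IP, domain and hash land in their sets, and `redact_url` on the query-parameter URL to see what should reach your logs.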



Path B: Reference sets setup


Four reference sets, one per IOC type. For each one:


Create the reference set


Admin → Reference Set Management → New. Name it something predictable like DugganUSA:MaliciousIPs. Element type: IP for the IP set; AlphaNumeric for the domain, hash, and URL sets. Time-to-live: 25 hours. We refresh hourly; a 25-hour TTL gives a one-hour buffer for any missed pulls.


Add the import


Admin → Reference Data Management → Imports → New. Type: URL. Configure:


  • IPs: https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv?api_key=YOUR_KEY

  • Domains: https://analytics.dugganusa.com/api/v1/stix-feed/domains.csv?api_key=YOUR_KEY

  • Hashes: https://analytics.dugganusa.com/api/v1/stix-feed/hashes.csv?api_key=YOUR_KEY

  • URLs: https://analytics.dugganusa.com/api/v1/stix-feed/urls.csv?api_key=YOUR_KEY

Polling interval: 60 minutes. Format: CSV. Delimiter: comma. Header row: yes. Target reference set: the matching one you created in the previous step.


Save each import. QRadar will fire the first pull immediately and schedule the rest hourly. The Imports dashboard will show success or failure per job.



Step 3: Build the match rule


Populating the reference sets is half the job. You also need a rule that fires when a log event matches one of them. Here's the one that covers the broad case:


Rule name: DugganUSA Threat Intelligence Match


Apply the rule on events and flows


Match conditions:


  • when any of the following Reference Set properties match: Source IP, Destination IP in DugganUSA:MaliciousIPs

  • or when the DNS Query matches DugganUSA:MaliciousDomains

  • or when the File Hash matches DugganUSA:MaliciousHashes

  • or when the URL matches DugganUSA:MaliciousURLs

Response: Create offense; Category: Malicious/Compromise; Severity: 8 (Medium-High); Description: include the matching IOC value and reference-set name.


You can split this into four separate rules if you want per-IOC-type tuning. Most SOCs run it as one rule with four clauses for ease of maintenance.



Step 4: Test the integration


Pick one IOC that you know is in our public feed. Open https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv and copy any IP from the first ten rows.


On a lab host, run a harmless DNS or HTTP request toward that IP. Your firewall or flow collector should log the attempt; QRadar should match the destination IP against the DugganUSA:MaliciousIPs reference set and create an offense within 60 seconds.


If the offense fires, integration is working end-to-end: feed pulled, reference set populated, rule matched, offense created.


If it doesn't, the three places to look in order: Reference Data Import history for pull errors, the reference set itself for whether the IP landed in it, and the Rule Engine stats for whether the rule evaluated at all. Nine times out of ten the problem is at step one — the API key is wrong, the TAXII URL has a typo, or the Reference Data Import didn't save the target set.



Rate limits and what they look like in production


Free tier: 25 queries per day. Enough to test the integration, not enough to run a production SOC against. You'll hit the limit the first hour QRadar starts polling.


Pro tier at $99 per month: 2,000 queries per day, all indexes, 24-hour email SLA. This is what most production QRadar deployments run on. A TAXII poll every 60 minutes plus four CSV fetches every 60 minutes plus on-demand queries from AQL rules still leaves headroom.


Enterprise at $995 per month: 50,000 queries per day, bulk screening, 4-hour response SLA. For shops running multi-site QRadar with heavy AQL query volume against the reference data.


No usage-based billing surprises. No overage fees. If you hit the rate limit, QRadar gets HTTP 429 and logs it; we don't bill extra.



What you get


Continuously-updated IOCs — currently 1.1 million indicators across IPs, domains, URLs, and hashes. Sources include our own PreCog sweep, exploit-harvester output, 275-plus STIX consumer contributions in 46 countries, and curated vendor feeds (abuse.ch, Malwarebytes, threat-intel vendor blogs).


Confidence scores, malware-family attribution where we have it, country-of-infrastructure tags, and MITRE ATT&CK technique mapping where applicable. All of it flows through the same endpoints you've just configured.




That's the whole setup. Fifteen minutes on a QRadar you already know. If you hit anything weird, reply to whatever email got you here or ping [email protected]. We'll answer.


— Patrick





