
Reddit Was Right: Our STIX Feed Needed Fixing

  • Writer: Patrick Duggan
  • Dec 22, 2025
  • 3 min read

Updated: Apr 25



The Feedback


Reddit user u/broadexample dropped this in our thread:


> "You're creating everything as Indicator, not as IPv4Address linked to Indicator via STIX Relationship hierarchy. This works when you use just this feed alone, but for everyone using multiple feeds it would be much less useful."


They were right.


We were doing STIX wrong. Not broken-wrong. But "good enough" wrong. The kind of wrong that works until you try to use our feed alongside others in OpenCTI.




The Problem


Our V1 feed creates flat Indicator objects:



{
  "type": "indicator",
  "pattern": "[ipv4-addr:value = '1.2.3.4']",
  "x_dugganusa_threat_intel": { ... }
}


This works. You can ingest it. You can block IPs from it.


But when OpenCTI tries to correlate our feed with others, it can't. Because:



• No IPv4Address SCO object to deduplicate against

• No Relationship objects linking Indicator → Observable

• No Malware SDOs to link Indicator → Threat


Every feed creates its own isolated island. No graph traversal. No correlation.




The Fix: STIX 2.1 V2


New endpoint: `https://analytics.dugganusa.com/api/v1/stix-feed/v2`


Proper STIX 2.1 hierarchy per OASIS best practices:



Bundle
├── Identity (DugganUSA LLC)
├── Attack Patterns (9 MITRE ATT&CK)
├── Malware SDOs (10 families)
├── IPv4Address SCOs (deterministic UUIDs)
├── Indicators (detection patterns)
└── Relationships
    ├── Indicator --"based-on"--> IPv4Address
    └── Indicator --"indicates"--> Malware


What this enables:


| Feature | V1 | V2 |
|---------|----|----|
| Indicators | Yes | Yes |
| IPv4Address SCOs | No | Yes |
| Relationships | No | Yes |
| Malware SDOs | No | Yes |
| Cross-feed deduplication | No | Yes |
| OpenCTI graph traversal | No | Yes |




Deterministic IDs: The Secret Sauce


Every IPv4Address SCO gets a deterministic UUID using uuid5:



ipv4-addr--cab17f4e-abbb-5929-8dc3-aac2743795f0


Same IP = same ID. Every time. Across every feed that follows this pattern.


When you ingest our V2 feed into OpenCTI alongside other STIX feeds:


1. OpenCTI sees `ipv4-addr--cab17f4e-abbb-5929-8dc3-aac2743795f0`
2. Another feed references the same IP with the same ID
3. Graph link created automatically
4. You see all Indicators, Malware, and Campaigns linked to that IP


That's the interoperability u/broadexample was talking about.




Malware Families Supported


V2 includes Malware SDOs with MITRE ATT&CK mappings:


| Family | Type | MITRE ID |
|--------|------|----------|
| Stealc | Infostealer | S1069 |
| LummaC2 | Infostealer | - |
| RedLine Stealer | Infostealer | S0943 |
| Rhadamanthys | Infostealer | - |
| Cobalt Strike | C2 Framework | S0154 |
| AsyncRAT | RAT | S0373 |
| Raccoon Stealer | Infostealer | S0650 |
| Vidar | Infostealer | S0538 |
| Amadey | Loader/Bot | - |
| Sliver | C2 Framework | - |


When our feed identifies an IP as Stealc C2 infrastructure, the V2 bundle includes:


1. The IPv4Address SCO
2. The Indicator with pattern
3. The Stealc Malware SDO
4. Relationship: Indicator → IPv4Address ("based-on")
5. Relationship: Indicator → Stealc ("indicates")


Five objects instead of one. But infinitely more useful for correlation.
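An added example (not the feed's own code) of how the five-object V2 bundle described above can be built: the ipv4-addr id is a UUIDv5 over the address value using the STIX 2.1 deterministic-ID namespace, the SDO and SRO ids are random UUIDv4 as the spec recommends, and a final check confirms that no relationship points at an object missing from the bundle. The IP, family name, confidence value and the `malware_types` vocabulary choice are constructed inputs.

```python
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 namespace UUID for deterministic SCO ids (spec section 2.9).
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def ipv4_sco_id(ip: str) -> str:
    # Name = canonical JSON of the id-contributing properties; for ipv4-addr
    # that is only "value", so sorted keys + no whitespace is enough.
    name = json.dumps({"value": ip}, separators=(",", ":"), sort_keys=True)
    return f"ipv4-addr--{uuid.uuid5(STIX_SCO_NAMESPACE, name)}"


def build_bundle(ip: str, family: str, confidence: int) -> dict:
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    sco = {"type": "ipv4-addr", "spec_version": "2.1", "id": ipv4_sco_id(ip), "value": ip}
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "name": f"{family} C2: {ip}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
        "valid_from": now, "confidence": confidence,
    }
    malware = {
        "type": "malware", "spec_version": "2.1", "id": f"malware--{uuid.uuid4()}",
        "created": now, "modified": now, "name": family, "is_family": True,
        "malware_types": ["trojan"],  # assumption: pick from malware-type-ov per family
    }

    def rel(rtype: str, src: dict, dst: dict) -> dict:
        return {"type": "relationship", "spec_version": "2.1",
                "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
                "relationship_type": rtype, "source_ref": src["id"], "target_ref": dst["id"]}

    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [sco, indicator, malware,
                        rel("based-on", indicator, sco), rel("indicates", indicator, malware)]}


def dangling_refs(bundle: dict) -> list:
    # Any source_ref/target_ref that does not resolve inside the bundle breaks graph import.
    ids = {o["id"] for o in bundle["objects"]}
    return [r for o in bundle["objects"] if o["type"] == "relationship"
            for r in (o["source_ref"], o["target_ref"]) if r not in ids]


if __name__ == "__main__":
    print(json.dumps(build_bundle("198.51.100.7", "Stealc", 80), indent=2))
```

Run it twice and the `ipv4-addr--` id is identical on both runs while every other id changes, which is exactly the property OpenCTI relies on for cross-feed deduplication.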




V1 Isn't Going Anywhere


No deprecation. No migration required.


V1 remains at `https://analytics.dugganusa.com/api/v1/stix-feed`



Use V1 if you:

• Just need IOC lists for firewall rules

• Have a simple STIX parser

• Don't need cross-feed correlation





Use V2 if you:

• Run OpenCTI or similar graph platforms

• Correlate multiple threat feeds

• Want proper STIX 2.1 compliance




The Endpoints


V2 Feed (Full Graph): `https://analytics.dugganusa.com/api/v1/stix-feed/v2`


V2 Stats: `https://analytics.dugganusa.com/api/v1/stix-feed/v2/stats`


Legacy V1: `https://analytics.dugganusa.com/api/v1/stix-feed`


Same query parameters work on both: `?days=30`, `?min_confidence=70`, `?limit=100`




Thank You, Reddit


This is what open source is about.


Someone on the internet told us we were doing it wrong. We checked. They were right. We fixed it.


Fat Stevenson (u/broadexample) - thanks for the feedback. The V2 endpoint exists because you took the time to comment.


To everyone else: If you see something we're doing wrong, tell us. We'd rather be corrected than comfortable.




Technical References



• [OASIS STIX 2.1 Best Practices](https://docs.oasis-open.org/cti/stix-bp/v1.0.0/cn01/stix-bp-v1.0.0-cn01.html)

• [OpenCTI Data Model](https://docs.opencti.io/latest/usage/data-model/)

• [Our STIX Feed Documentation](https://analytics.dugganusa.com/docs/stix-feed)




V2 is live. OpenCTI-ready. Reddit-approved.



curl https://analytics.dugganusa.com/api/v1/stix-feed/v2/stats




*DugganUSA LLC - Minnesota*
*Free threat intelligence. Community-driven improvements.*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed


