Who Consumes Threat Intel? A Complete Integration Matrix
- Patrick Duggan
- Jan 25
- 4 min read
Updated: Apr 25
The Feed Formats
| Format | URL | Best For |
|---|---|---|
| STIX 2.1 | /api/v1/stix-feed | TIPs, modern SIEMs |
| CSV | /api/v1/stix-feed?format=csv | Spreadsheets, custom scripts |
| Plain Text | /api/v1/stix-feed?format=txt | Firewalls, blocklists |
| JSON | /api/v1/stix-feed?format=json | APIs, automation |
| YARA | /api/v1/detection-rules/yara | File scanning, EDR |
| Suricata | /api/v1/detection-rules/suricata | Network IDS/IPS |
| Sigma | /api/v1/detection-rules/sigma/ioc | SIEM conversion |
| Bundle (ZIP) | /api/v1/detection-rules/bundle | Everything at once |
Category 1: SIEMs
| Product | Integration | Guide |
|---|---|---|
| Splunk | Sigma conversion, SPL queries | |
| Microsoft Sentinel | KQL, TAXII connector | |
| IBM QRadar | Reference sets, Sigma | |
| Elastic SIEM | Detection rules API | |
| Google Chronicle | Native STIX, YARA | |
| Sumo Logic | Lookup tables, CSE rules | CSV import |
| LogRhythm | AI Engine rules | Sigma conversion |
| Exabeam | Threat intel module | STIX feed |
Category 2: Firewalls & Network Security
| Product | Integration | Guide |
|---|---|---|
| Palo Alto Panorama | External Dynamic Lists (EDL) | |
| Fortinet FortiGate | Threat Feed Connector | |
| Cisco Firepower | Security Intelligence feeds | |
| Check Point | Updatable Objects | |
| pfSense/OPNsense | pfBlockerNG, aliases | |
| Sophos XG | IP blocklist import | TXT format |
| Juniper SRX | Dynamic address feeds | TXT format |
| Ubiquiti UniFi | Threat management | Manual import |
Category 3: EDR / XDR
| Product | Integration Method |
|---|---|
| CrowdStrike Falcon | Custom IOC upload, YARA rules |
| SentinelOne | Threat Intelligence API |
| Microsoft Defender | Custom indicators, YARA |
| Carbon Black | Watchlists, YARA |
| Cortex XDR | IOC rules, external feeds |
| Cybereason | Malop hunting, custom IOCs |
| Trellix (McAfee) | ATD YARA rules |
| Trend Micro | Custom intelligence |

YARA Integration Example:
```bash
# Fetch the YARA rule set for local scanning or EDR import.
# -f makes curl fail on an HTTP error instead of saving the error page as rules.
curl -sf https://analytics.dugganusa.com/api/v1/detection-rules/yara \
  -o /opt/yara-rules/dugganusa.yar
```
Category 4: SOAR Platforms
| Product | Integration Method |
|---|---|
| Splunk SOAR (Phantom) | REST API app, playbooks |
| Palo Alto XSOAR | TIM integration, playbooks |
| IBM Resilient | Functions, integrations |
| Swimlane | HTTP connector |
| Tines | HTTP action |
| Torq | REST integration |

XSOAR Playbook Example:
```python
from urllib.parse import quote

def enrich_indicator(indicator):
    # `demisto` is injected by the XSOAR script runtime; percent-encode the
    # indicator so a value containing '&' or '#' cannot alter the query string
    response = demisto.executeCommand('http', {
        'method': 'GET',
        'url': f'https://analytics.dugganusa.com/api/v1/search?q={quote(indicator, safe="")}'
    })
    return response
```
Category 5: Threat Intel Platforms (TIPs)
| Product | Native Support |
|---|---|
| MISP | STIX 2.1 import, feeds |
| OpenCTI | STIX 2.1 native, connectors |
| ThreatConnect | STIX/TAXII, API |
| Anomali ThreatStream | STIX feed import |
| Recorded Future | Intelligence card enrichment |
| Mandiant Advantage | IOC correlation |
| ThreatQuotient | STIX/TAXII integration |

MISP Import:
```bash
# Add as MISP feed (replace YOUR_API_KEY with a MISP auth key; the MISP REST API
# expects JSON Accept and Content-Type headers)
curl -X POST https://misp/feeds/add \
  -H "Authorization: YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "DugganUSA Threat Intel",
    "provider": "DugganUSA LLC",
    "url": "https://analytics.dugganusa.com/api/v1/stix-feed",
    "source_format": "stix2"
  }'
```
Category 6: Email Security
| Product | Integration Method |
|---|---|
| Proofpoint | URL Defense blocklist |
| Mimecast | Managed URL blocklist |
| Microsoft Defender for Office 365 | Tenant Allow/Block list |
| Cisco Secure Email | Content filters |
| Barracuda | URL blocklist |

Domain Extraction:
```bash
# Extract domains from STIX feed (URL quoted so the shell does not treat '?' as a glob)
curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?format=json" | \
  jq -r '.objects[] | select(.type=="domain-name") | .value' \
  > malicious_domains.txt
```
Category 7: DNS Security
| Product | Integration Method |
|---|---|
| Cisco Umbrella | Custom blocklist |
| Infoblox BloxOne | Threat intel feeds |
| Cloudflare Gateway | Custom blocklist |
| Pi-hole | Blocklist URL |
| NextDNS | Denylist |
| Quad9 | (uses our data indirectly) |

Pi-hole Integration:
```bash
# Add to /etc/pihole/custom.list (hosts format: "0.0.0.0 <domain>" per line).
# Note that >> appends on every run, so repeated runs accumulate duplicate lines.
curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?format=json" | \
  jq -r '.objects[] | select(.type=="domain-name") | "0.0.0.0 " + .value' \
  >> /etc/pihole/custom.list
pihole restartdns
```
Category 8: Web Proxies / CASB
| Product | Integration Method |
|---|---|
| Zscaler | Custom URL categories |
| Netskope | Threat protection lists |
| Symantec WSS | URL blocklists |
| McAfee Web Gateway | External lists |
| Squid Proxy | ACL blocklists |
Category 9: Network Detection & Response
| Product | Integration Method |
|---|---|
| Zeek (Bro) | Intel framework, Suricata |
| Suricata | Native rule format |
| Snort | Suricata rules (compatible) |
| Darktrace | Model deviation triggers |
| ExtraHop | Custom detections |
| Corelight | Zeek intel feeds |
| Vectra AI | Custom threat feeds |

Zeek Intel Framework:
```bash
# Convert to Zeek intel format. Zeek refuses an intel file without the #fields
# header line. Assumes CSV column 1 is the indicator and column 3 a description;
# Intel::ADDR labels every row as an IP, so filter to IP rows if the CSV mixes types.
{
  printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice\n'
  curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?format=csv" | \
    awk -F',' 'NR>1 {print $1"\tIntel::ADDR\tDugganUSA\t"$3"\t-\tT"}'
} > /opt/zeek/share/zeek/site/intel.dat
```
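As an added example (not code from the post or from DugganUSA), the same conversion done from the JSON feed instead of the CSV, so each indicator gets the correct Zeek type (ADDR, DOMAIN, URL, FILE_HASH) rather than a blanket Intel::ADDR, with the mandatory #fields header and duplicate suppression. The bundle below is constructed sample data, and the field layout is the Zeek Intel framework's standard one:

```python
# STIX 2.1 cyber-observable types -> Zeek Intel framework indicator types.
# Indicator SDOs carry STIX patterns rather than raw values, so they are skipped.
STIX_TO_ZEEK = {
    "ipv4-addr": "Intel::ADDR",
    "ipv6-addr": "Intel::ADDR",
    "domain-name": "Intel::DOMAIN",
    "url": "Intel::URL",
    "email-addr": "Intel::EMAIL",
}
ZEEK_FIELDS = ("indicator", "indicator_type", "meta.source",
               "meta.desc", "meta.url", "meta.do_notice")

def stix_to_zeek_intel(bundle, source="DugganUSA", do_notice=True):
    """Return the contents of a Zeek intel.dat built from a STIX 2.1 bundle dict."""
    rows = []
    for obj in bundle.get("objects", []):
        typ = obj.get("type")
        if typ == "file":
            # Zeek matches hashes by value, so every algorithm maps to FILE_HASH
            rows.extend((h, "Intel::FILE_HASH") for h in obj.get("hashes", {}).values())
        elif typ in STIX_TO_ZEEK:
            rows.append((obj["value"], STIX_TO_ZEEK[typ]))
    lines = ["#fields\t" + "\t".join(ZEEK_FIELDS)]   # header is mandatory
    seen = set()
    for indicator, itype in rows:
        # a tab or newline inside a value would corrupt the TSV; drop duplicates
        if "\t" in indicator or "\n" in indicator or (indicator, itype) in seen:
            continue
        seen.add((indicator, itype))
        lines.append("\t".join((indicator, itype, source, "-", "-",
                                "T" if do_notice else "F")))
    return "\n".join(lines) + "\n"

# Constructed sample bundle (not real feed data) covering the types above
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "ipv4-addr", "value": "203.0.113.7"},
        {"type": "domain-name", "value": "bad.example"},
        {"type": "url", "value": "http://bad.example/stage"},
        {"type": "file", "hashes": {"SHA-256": "a" * 64}},
        {"type": "domain-name", "value": "bad.example"},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    ],
}

if __name__ == "__main__":
    print(stix_to_zeek_intel(SAMPLE_BUNDLE), end="")
```

Redirect the output to intel.dat and reference it from `Intel::read_files` in local.zeek as with the CSV version above.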
Category 10: Vulnerability Management
| Product | Use Case |
|---|---|
| Tenable Nessus/IO | CISA KEV prioritization |
| Qualys | Threat context enrichment |
| Rapid7 InsightVM | CVE correlation |
| CrowdStrike Spotlight | Exploitability context |

CISA KEV Correlation:
```bash
# Our feed includes CISA KEV data
curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \
  jq '.objects[] | select(.type=="vulnerability")'
```
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
Category 11: Container & Cloud Security
| Product | Integration Method |
|---|---|
| Aqua Security | YARA for image scanning |
| Prisma Cloud | Custom threat feeds |
| Sysdig | Falco rules, YARA |
| Snyk | Vulnerability enrichment |
| Trivy | Custom vulnerability DB |
Category 12: Malware Analysis / Sandboxes
| Product | Integration Method |
|---|---|
| VirusTotal | YARA retrohunt |
| Any.Run | IOC correlation |
| Joe Sandbox | YARA rules |
| Hybrid Analysis | Indicator lookup |
| Cuckoo Sandbox | YARA integration |
Universal Integration: cron + curl
For anything not listed above:
```bash
#!/bin/bash
# /opt/scripts/fetch-threat-intel.sh
set -euo pipefail
# fetch the plain-text blocklist (other formats: see the feed table above); destination path is an example
curl -sf "https://analytics.dugganusa.com/api/v1/stix-feed?format=txt" -o /opt/threat-intel/blocklist.txt
echo "Updated at $(date)"
```
Cron (hourly):
```
0 * * * * /opt/scripts/fetch-threat-intel.sh >> /var/log/threat-intel.log 2>&1
```
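Added example, not the post's own script: a Python fetcher for the TXT blocklist that does the cron job's work but refuses to replace the existing file when the download is empty, mostly invalid (an error page, a login redirect), or suddenly much smaller, since a blocklist that silently goes empty unblocks everything. It assumes TXT lines are IPs, CIDR blocks or hostnames; the `fetch` callable and the `min_ratio` threshold are assumptions, and in a cron job `fetch` would wrap `urllib.request.urlopen` on the feed URL.

```python
import ipaddress
import os
import re
import tempfile
# A TXT blocklist line should be an IP, a CIDR block, or a hostname; anything
# else (an HTML error page, a login redirect) signals a broken download.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$", re.I)

def _is_indicator(line):
    try:
        ipaddress.ip_network(line, strict=False)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(line))

def parse_blocklist(text, max_bad_fraction=0.01):
    """Return sorted, deduplicated indicators, or None if the body is empty
    or more than max_bad_fraction of its non-comment lines are invalid."""
    entries, bad = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if _is_indicator(line):
            entries.append(line)
        else:
            bad += 1
    if not entries or bad > max_bad_fraction * (len(entries) + bad):
        return None
    return sorted(set(entries))

def update_blocklist(fetch, dest, min_ratio=0.5):
    """fetch() returns the feed body as text; dest is the file consumers read.
    Refuses an update that fails validation or shrinks below min_ratio of the
    previous entry count, and writes atomically. Returns (written, count)."""
    entries = parse_blocklist(fetch())
    if entries is None:
        return (False, 0)
    if os.path.exists(dest):
        with open(dest) as f:
            previous = sum(1 for l in f if l.strip())
        if previous and len(entries) < min_ratio * previous:
            return (False, len(entries))   # keep the last known-good list
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(entries) + "\n")
    os.chmod(tmp, 0o644)    # mkstemp creates 0600; firewall/DNS readers need to read it
    os.replace(tmp, dest)   # consumers never see a half-written file
    return (True, len(entries))
```

A `(False, n)` return is the signal to alert on: the feed is unreachable or has changed shape, and the consumers are running on the last good copy.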
Summary
| Format | Primary Consumers |
|---|---|
| STIX 2.1 | TIPs, modern SIEMs, TAXII clients |
| CSV | Firewalls, custom scripts, spreadsheets |
| TXT | Firewalls, DNS blocklists, proxies |
| YARA | EDR, sandboxes, malware analysis |
| Suricata | Network IDS/IPS, Zeek |
| Sigma | Any SIEM (after conversion) |
Questions?
API Docs: https://analytics.dugganusa.com/docs/stix-feed.md
Dashboard: https://analytics.dugganusa.com/dashboard
Contact: [email protected]
Free for non-commercial use. Commercial use requires attribution to DugganUSA LLC.