Your SIEM Can Block Iranian Wipers in 5 Minutes. Here's How.
- Patrick Duggan
- Mar 16
- 5 min read
Updated: Apr 25
The Problem Nobody Talks About
You bought the SIEM. You hired the analyst. You have the dashboards. But when Iran's Handala wiper hit Stryker last week — 200,000 devices wiped — most security teams found out from the news. Not from their tools.
The tools weren't broken. They just weren't fed.
A SIEM without threat intelligence is a security camera with no film. It records everything and catches nothing. The fix takes 5 minutes. This post walks you through it.
What's a STIX Feed?
STIX stands for Structured Threat Information Expression. It's a standard format for sharing threat data — malicious IPs, file hashes, domain names, attack patterns — between security tools.
Think of it like a phone book of known bad guys. Your firewall checks the phone book before letting someone in. If the IP matches a known attacker, it blocks them.
Our STIX feed has over 1 million indicators. Updated continuously. The same feed Microsoft, AT&T, and Starlink pull from daily.
Pick Your Setup
Option 1: Splunk Enterprise Security
Splunk ES is the most common SIEM we see. It's also the one that gives people the most trouble with external feeds. Here's why and how to fix it.
The Problem: Splunk ES expects threat intel in a specific format. Most STIX feeds deliver standard STIX 2.1 objects. Splunk looks at them and says "I don't know what this is."
The Fix: We built a Splunk-native format. Instead of standard STIX indicator objects, it delivers observed-data objects that Splunk ES understands natively.
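To make the format mismatch concrete, here is an added example (not the feed's own Splunk format and not code from DugganUSA) that takes standard STIX 2.1 indicator objects and flattens them into rows shaped for Splunk ES's threat-intel lookups. The lookup and field names (ip_intel/ip, file_intel/file_hash, http_intel/url) are assumptions about the ES threat intel framework, and the bundle is constructed sample data using RFC 5737 addresses and an example domain.

```python
"""Turn STIX 2.1 indicator objects into rows shaped for Splunk ES threat-intel lookups."""
import re

# Where a given STIX object path lands in Splunk ES's threat intel KV store lookups.
# Collection and field names follow the ES threat intel framework (ip_intel, file_intel,
# http_intel); verify them against your ES version before loading (assumption, not from the page).
FIELD_MAP = {
    "ipv4-addr:value": ("ip_intel", "ip"),
    "ipv6-addr:value": ("ip_intel", "ip"),
    "domain-name:value": ("ip_intel", "domain"),
    "url:value": ("http_intel", "url"),
    "file:hashes.MD5": ("file_intel", "file_hash"),
    "file:hashes.'SHA-1'": ("file_intel", "file_hash"),
    "file:hashes.'SHA-256'": ("file_intel", "file_hash"),
}

# Matches exactly one comparison, [<path> = '<value>']. Compound patterns (AND/OR/FOLLOWEDBY,
# ranges, other operators) deliberately fail to match, so they are skipped rather than half-parsed.
_SIMPLE_EQ = re.compile(r"^\[\s*([A-Za-z0-9_.:'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def parse_simple_pattern(pattern):
    """Return (object_path, value) for a single-equality STIX pattern, else None."""
    match = _SIMPLE_EQ.match(pattern.strip())
    if not match:
        return None
    path, raw = match.groups()
    # Undo STIX string-literal escaping of quotes and backslashes.
    return path, raw.replace("\\'", "'").replace("\\\\", "\\")


def indicators_to_rows(bundle):
    """Flatten a STIX bundle into Splunk-style rows, one per supported indicator."""
    rows = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # only live indicators should feed a blocklist
        parsed = parse_simple_pattern(obj.get("pattern", ""))
        if parsed is None:
            continue  # compound or unsupported pattern
        path, value = parsed
        target = FIELD_MAP.get(path)
        if target is None:
            continue  # object type ES has no lookup for (e.g. email-addr)
        collection, field = target
        rows.append({
            "collection": collection,
            field: value,
            "threat_key": obj.get("id", ""),
            "description": obj.get("name", ""),
            "time": obj.get("modified") or obj.get("created", ""),
        })
    return rows


def group_by_collection(rows):
    """Bucket rows per ES lookup so each can be written to its own CSV or KV store collection."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["collection"], []).append(
            {k: v for k, v in row.items() if k != "collection"})
    return grouped


# Constructed sample bundle (RFC 5737 addresses, example domain, dummy hash); not feed data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "created": "2026-03-10T00:00:00.000Z", "modified": "2026-03-12T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "created": "2026-03-11T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed staging domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example']",
         "created": "2026-03-11T00:00:00.000Z"},
        # Compound pattern: skipped, because splitting it would lose the AND semantics.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] AND [url:value = 'http://bad.example/x']"},
        # Revoked indicator: skipped so a withdrawn IOC does not keep blocking.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.5']", "revoked": True},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000006", "name": "constructed"},
    ],
}

if __name__ == "__main__":
    for collection, items in group_by_collection(indicators_to_rows(SAMPLE_BUNDLE)).items():
        print(collection, items)
```

The two deliberate skips are the ones that bite in production: a compound pattern split into its atoms turns "A AND B" into two unconditional blocks, and a revoked indicator that is still loaded keeps blocking an address the source has already withdrawn.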
Step 1: Go to Splunk ES → Configure → Data Enrichment → Threat Intelligence → Add New
Step 2: Use this URL:
https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
The ?format=splunk part is what makes it work. That tells our API to send the data in the format Splunk expects. Without it, you'll get standard STIX 2.1 and Splunk will ignore it.
Step 3: Set the polling interval. Every 6 hours is fine. Every hour if you want to be aggressive.
Step 4: Save. Wait for the first pull. Check Settings → Lookups → KV Store to verify data arrived.
Common Splunk Problems:
"No results after adding feed" — Check that you used format=splunk in the URL. The default format won't work.
403 errors — Your API key might be on the free tier (1 query/day). You need at least Starter (500/day) for automated polling. Email us and we'll bump you.
Splunk Cloud specifically — Splunk Cloud routes external requests through its own proxy. Some Cloudflare security rules block this. If you're getting 403s from Splunk Cloud, email us your Splunk Cloud IP range and we'll whitelist it. We've done this before — it takes 2 minutes on our end.
Option 2: Zscaler Internet Access (ZIA)
Zscaler sits between your users and the internet. It inspects traffic, blocks threats, and generally acts as a bouncer. Adding a threat feed tells the bouncer who to watch for.
The Problem: Zscaler's corporate proxy rewrites the source IP of your requests. If your company runs Zscaler and your analyst tries to pull our feed from a browser, the request comes from Zscaler's IP range — not your office. Some security tools (including ours) flag proxy traffic from security vendors as potentially competitive scanning.
The Fix: Use an API key. When your request includes a valid API key, we skip all proxy detection and serve the feed directly. The key proves you're a customer, not a scanner.
Step 1: Register for a free API key at analytics.dugganusa.com/register
Step 2: In ZIA, go to Administration → Threat Intelligence Feeds → Custom
Step 3: Add the feed URL:
https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv?api_key=YOUR_KEY
/ips.csv — IP blocklist (most firewalls and proxies want this)
/domains.csv — Malicious domains
/hashes.csv — Malware file hashes
/urls.csv — Malicious URLs
Full STIX 2.1: /api/v1/stix-feed?api_key=YOUR_KEY
Splunk format: /api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
Step 4: Set polling to every 6-24 hours.
Common Zscaler Problems:
"Connection timeout" — Zscaler has strict timeout thresholds. Our full STIX bundle is large (1M+ indicators). Use the CSV endpoints instead — they're smaller and faster.
"SSL inspection breaking the connection" — Add analytics.dugganusa.com to your SSL inspection bypass list. Zscaler's SSL inspection can interfere with API key authentication.
"403 Forbidden" — This is almost always the proxy detection issue. Make sure your API key is in the URL, not just in a header. Zscaler sometimes strips custom headers.
Option 3: Palo Alto XSOAR / Cortex
Step 1: In XSOAR, go to Settings → Integrations → Search for "TAXII"
Discovery URL: https://analytics.dugganusa.com/api/v1/stix-feed/taxii2
API key in the authentication field
Step 3: Set the fetch interval and run a test.
Option 4: OPNsense / pfSense Firewall
For home labs and small businesses running open-source firewalls:
OPNsense: Firewall → Aliases → Add
Type: URL Table (IPs)
URL: https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv?api_key=YOUR_KEY
Apply the alias to a block rule on the WAN interface
pfSense: Firewall → Aliases → IP → Add
Type: URL Table
Same URL as above
We also publish native OPNsense feeds — IP blocklist, Suricata IDS rules, and DNS blocklist. These are live right now.
Option 5: Any SIEM That Speaks STIX/TAXII
If your tool supports TAXII 2.1 (QRadar, Sentinel, Chronicle, Elastic, TheHive, OpenCTI, MISP):
Discovery: https://analytics.dugganusa.com/api/v1/stix-feed/taxii2
Auth: Bearer YOUR_API_KEY
That's it. The TAXII discovery endpoint tells your tool where to find the collections. Your tool handles the rest.
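For anyone whose tool does not speak TAXII natively, or who wants to see what "your tool handles the rest" actually does, here is an added example (not DugganUSA's code) of the TAXII 2.1 walk: discovery, API root, collections, then paging through objects with Bearer auth. It runs offline against a constructed stand-in server; the API root layout, collection id, and key are assumptions for illustration, not the real feed's.

```python
"""TAXII 2.1 walk: discovery -> API root -> collections -> paged objects, with Bearer auth."""
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


class TaxiiError(RuntimeError):
    """Raised for any non-200 TAXII response; 401/403 get an auth-specific message."""


def urllib_fetch(url, headers, timeout=30):
    """Real transport: returns (status, body bytes). Swapped out for offline tests below."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class TaxiiClient:
    def __init__(self, discovery_url, api_key, fetch=urllib_fetch):
        self.discovery_url = discovery_url
        self.fetch = fetch
        # Key goes in the Authorization header, as the TAXII section above describes.
        self.headers = {"Accept": TAXII_MEDIA_TYPE, "Authorization": f"Bearer {api_key}"}

    def _get(self, url, params=None):
        if params:
            url = f"{url}?{urlencode(params)}"
        status, body = self.fetch(url, self.headers)
        if status in (401, 403):
            raise TaxiiError(f"{status} from {url}: API key rejected (missing, wrong, or tier too low)")
        if status != 200:
            raise TaxiiError(f"{status} from {url}")
        return json.loads(body)

    def api_roots(self):
        """Discovery resource lists api_roots; a 'default' root, if present, goes first."""
        disc = self._get(self.discovery_url)
        roots = list(disc.get("api_roots", []))
        if disc.get("default") and disc["default"] not in roots:
            roots.insert(0, disc["default"])
        return roots

    def collections(self, api_root):
        return self._get(api_root.rstrip("/") + "/collections/").get("collections", [])

    def iter_objects(self, api_root, collection_id, limit=1000, added_after=None):
        """Yield every object in a collection, following TAXII 2.1 `more`/`next` paging."""
        base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
        params = {"limit": limit}
        if added_after:
            params["added_after"] = added_after  # incremental pull on later polls
        while True:
            envelope = self._get(base, params)
            yield from envelope.get("objects", [])
            if not envelope.get("more") or not envelope.get("next"):
                return
            params["next"] = envelope["next"]


def walk_feed(discovery_url, api_key, fetch=urllib_fetch):
    """Return every object across all readable collections of the first API root."""
    client = TaxiiClient(discovery_url, api_key, fetch)
    root = client.api_roots()[0]
    objects = []
    for coll in client.collections(root):
        if coll.get("can_read"):
            objects.extend(client.iter_objects(root, coll["id"], limit=1))
    return objects


def key_is_accepted(discovery_url, api_key, fetch=urllib_fetch):
    """Cheap pre-flight: does discovery answer 200 with this key, or reject it with 401/403?"""
    try:
        TaxiiClient(discovery_url, api_key, fetch).api_roots()
        return True
    except TaxiiError:
        return False


# --- Constructed offline stand-in for a TAXII 2.1 server (assumed layout, not the vendor's) ---
FAKE_KEY = "constructed-key"
FAKE_DISCOVERY = "https://taxii.example/taxii2/"
FAKE_ROOT = "https://taxii.example/root/"
_FAKE_RESPONSES = {
    FAKE_DISCOVERY: {"title": "Constructed server", "api_roots": [FAKE_ROOT]},
    FAKE_ROOT + "collections/": {"collections": [{"id": "ioc", "title": "Constructed IOCs", "can_read": True}]},
}
_FAKE_PAGES = {  # two pages so the `more`/`next` handling is exercised
    None: {"more": True, "next": "p2", "objects": [
        {"type": "indicator", "id": "indicator--c0000001", "pattern": "[ipv4-addr:value = '203.0.113.10']"}]},
    "p2": {"more": False, "objects": [
        {"type": "indicator", "id": "indicator--c0000002", "pattern": "[ipv4-addr:value = '198.51.100.7']"}]},
}


def fake_fetch(url, headers):
    """Behaves like the server described in the text: no valid Bearer key, no feed (403)."""
    if headers.get("Authorization") != f"Bearer {FAKE_KEY}":
        return 403, json.dumps({"title": "Forbidden"}).encode()
    parsed = urlparse(url)
    path_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if path_url in _FAKE_RESPONSES:
        return 200, json.dumps(_FAKE_RESPONSES[path_url]).encode()
    if path_url == FAKE_ROOT + "collections/ioc/objects/":
        token = parse_qs(parsed.query).get("next", [None])[0]
        return 200, json.dumps(_FAKE_PAGES[token]).encode()
    return 404, b"{}"


if __name__ == "__main__":
    for obj in walk_feed(FAKE_DISCOVERY, FAKE_KEY, fake_fetch):
        print(obj["id"], obj["pattern"])
```

Point the client at a real discovery URL with `fetch` left at its default to use the network; the `added_after` parameter is what turns a scheduled poll into an incremental one instead of re-downloading the full collection every run.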
What You Get
Free tier (1 query/day): Good for manual checks. Not enough for automated polling.
Starter ($9/month, 500 queries/day): Enough for a SIEM polling every 6 hours plus ad-hoc lookups. This is what most small teams need.
Professional ($29/month, 5,000 queries/day): Multiple SIEMs, hourly polling, API integrations.
Enterprise ($499/month, unlimited): Real-time alerts, Splunk ES native format, full attack graphs, dedicated support, SLA.
All tiers get the same indicators. The difference is how often you can ask.
Pricing: analytics.dugganusa.com/stix/pricing
Code NOTAFAKE for 20% off any tier. Running CrowdStrike? We found the malware that impersonates your product. Least we can do is discount the protection.
Need Help?
This is the part where most vendors say "read the docs." We're not most vendors.
If you're stuck — Splunk throwing errors, Zscaler blocking the feed, your firewall not pulling updates, anything — email us:
What tool you're using (Splunk, Zscaler, Palo Alto, QRadar, whatever)
What error you're seeing
Your API key (so we can check your logs)
We'll fix it. Usually within hours. We're two people in Minneapolis who actually answer email.
The Iranian Handala wiper is named CrowdStrike.bin. It's on GitHub right now. 46 out of 76 VirusTotal engines detect it. The IOCs are in the feed. Your SIEM just needs to know where to look.
Five minutes. That's the difference between finding out from the news and finding out from your tools.