STIX 2.1 Feed Integration Guides
DugganUSA FREE Threat Intelligence Feed - Vendor Integration Documentation
⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026. Register now.
Tiered API keys are deployed today. Anonymous access ends March 15, 2026; after that date every request without a key will be rejected.
Free: $0 (25/day). Pro: $99/mo (2,000/day, 24h email SLA). Enterprise: $995/mo (50,000/day, 4h response SLA; contact [email protected]). Register now: https://analytics.dugganusa.com/stix/register
🎯 What Makes This Different
244 unique threat discoveries that AbuseIPDB, VirusTotal, AND ThreatFox all scored as ZERO, yet we blocked them at 95% confidence based on actual production attack behavior.
5-source simultaneous correlation:
- AbuseIPDB (community reports)
- VirusTotal (95 malware engines)
- ThreatFox (C2 infrastructure)
- Production attack logs (real traffic)
- OSINT analysis (WHOIS, Certificate Transparency, behavioral patterns)
Why free? Digital goods have zero marginal cost to share. Democratic Sharing Law: 99.5% of our data is public. We don't hoard threat intelligence behind paywalls.
Overview
Step-by-step integration guides for connecting the DugganUSA FREE STIX 2.1 Threat Feed to six security platforms (plus a troubleshooting knowledge base). Each guide includes platform-specific query languages, configuration examples, and automation scripts.
Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed
License: CC0-1.0 (Public Domain)
Format: STIX 2.1 Bundle
Update Frequency: Real-time from production security operations
Supported Platforms
1. CrowdStrike Falcon (EDR/XDR)
Integration Guide: CrowdStrike STIX Integration
Platform: Endpoint Detection & Response (EDR) / Extended Detection & Response (XDR)
Key Features:
- FQL (Falcon Query Language) threat hunting examples
- Custom detection logic for auto-blocking high-confidence threats
- Integration with Falcon Intelligence and Threat Graph
- Query examples for MITRE ATT&CK correlation
Difficulty: 🟢 Easy (API-based import)
2. Palo Alto Cortex XDR (XDR)
Integration Guide: Cortex STIX Integration
Platform: Extended Detection & Response (XDR)
Key Features:
- External Dynamic Lists configuration
- IOC rules for automated blocking
- XQL (Cortex Query Language) hunting queries
- BIOC (Behavioral Indicators of Compromise) rules
- AutoFocus integration
Difficulty: 🟡 Medium (Multiple configuration steps)
3. Microsoft Sentinel (SIEM)
Integration Guide: Sentinel STIX Integration
Platform: Cloud-native SIEM (Azure)
Key Features:
- TAXII connector for threat intelligence import
- Alternative Logic App integration (JSON workflow)
- KQL (Kusto Query Language) analytic queries
- Custom workbooks with charts and threat maps
- Automated alert rules
Difficulty: 🟡 Medium (Azure Logic App setup)
4. Splunk Enterprise Security (SIEM)
Integration Guide: Splunk STIX Integration
Platform: On-premises/cloud SIEM
Key Features:
- Splunk ES 8.x native STIX import, no custom scripting needed (`?format=splunk`)
- Query parameter authentication (`?api_key=`) for SIEMs that cannot set custom headers
- Threat Intelligence Framework integration (classic method)
- SPL (Splunk Processing Language) correlation searches
- Notable Events generation
- Custom threat dashboard
- Configuration files (inputs.conf, transforms.conf, props.conf)
Difficulty: 🟢 Easy (ES 8.x native) / 🔴 Advanced (Classic custom scripting)
5. Wiz Cloud Security (CSPM)
Integration Guide: Wiz STIX Integration
Platform: Cloud Security Posture Management (CSPM)
Key Features:
- Custom integration for threat intelligence import
- WQL (Wiz Query Language) for cloud asset monitoring
- Security policies for malicious communication alerts
- AWS Security Group automation (Python)
- Azure NSG automation (Python)
- Runtime protection for containers and VMs
Difficulty: 🔴 Advanced (Custom automation scripts)
6. OPNsense (Firewall/IDS)
Integration Guide: OPNsense Integration
Platform: Open-source firewall and IDS/IPS
Key Features:
- 3-source blocklist feeds (IP, domain, URL) in firewall-ready plain-text format
- Alias-based integration with OPNsense URL Table
- Cron-based refresh with Bearer token authentication
- Suricata IDS/IPS custom rule generation from STIX feed
- 15 upstream sources: URLhaus, ThreatFox, Feodo, Spamhaus, PhishTank, OpenPhish, Phishing Army, Tor, JA3, and more
Difficulty: 🟡 Medium (cron script for auth header injection)
7. Troubleshooting: STIX Feed Integration (KB)
Knowledge Base: STIX Feed Troubleshooting
Category: Troubleshooting / Knowledge Base
Key Topics:
- Corporate proxy 403 errors (Zscaler, Palo Alto Prisma, CrowdStrike)
- Splunk Cloud edge blocking (Cloudflare managed challenges)
- Splunk ES 8.3+ setup with `?format=splunk` and `?api_key=` query param auth
- Common failure modes and diagnostic SPL commands
- CSV exports and generic STIX 2.1 consumer examples
Based on: Real incident resolution with Juan Leon (Datavant, Splunk ES 8.3 on Splunk Cloud through Zscaler proxy), March 2026
Integration Summary Matrix
| Platform | Type | Query Language | Automation | Difficulty |
|---|---|---|---|---|
| CrowdStrike | EDR/XDR | FQL | API-based | 🟢 Easy |
| Cortex XDR | XDR | XQL | IOC Rules | 🟡 Medium |
| Sentinel | SIEM | KQL | Logic Apps | 🟡 Medium |
| Splunk ES | SIEM | SPL | Native (ES 8.x) / Python | 🟢 Easy (ES 8.x) / 🔴 Advanced (classic) |
| Wiz | CSPM | WQL | Python/Cloud APIs | 🔴 Advanced |
| OPNsense | Firewall/IDS | pfctl/Suricata | Cron + Bearer | 🟡 Medium |
Feed Customization
All platforms support these feed parameters:
- `days`: Historical depth in days (default: 30, max: 90)
- `min_confidence`: Minimum confidence score (default: 70, range: 0-100)
- `country`: Geographic filter (ISO 3166-1 alpha-2 code)
- `unique_only`: Only unique discoveries (default: true)
- `format`: Output format. Use `?format=splunk` for Splunk ES 8.x compatibility (returns `observed-data` objects instead of `indicator` objects)
- `api_key`: Query parameter authentication. For SIEMs that cannot set custom headers (Splunk ES, QRadar), use `?api_key=YOUR_KEY` instead of the `Authorization` header
Example (header auth):
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=80&unique_only=true"
Example (query param auth, for SIEMs that cannot set headers; a key in the URL is recorded in proxy and web-server access logs, so prefer header auth wherever the platform allows it):
curl "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=80&api_key=YOUR_API_KEY"
Note: Use `Authorization: Bearer <key>` or `?api_key=`, not `X-API-Key`. Cloudflare strips custom headers, so `X-API-Key` will not reach the API.
Rate Limits
| Tier | STIX Feed | OPNsense Feed | General API |
|---|---|---|---|
| Free | 10 req/min | 30 req/min | 100 req/min |
| Pro | 60 req/min | 30 req/min | 100 req/min |
| Enterprise | Unlimited | Unlimited | Unlimited |
Common Integration Pattern
All vendor integrations follow this pattern:
- Fetch - Download the STIX 2.1 bundle from the feed URL with the `Authorization: Bearer <key>` header (or the `?api_key=` query parameter for SIEMs)
- Parse - Extract indicators (IPs, domains, URLs, hashes)
- Enrich - Add MITRE ATT&CK context and confidence scores
- Ingest - Import into the platform's threat intelligence database
- Query - Use platform-specific query language for threat hunting
- Alert - Create rules for automated detection and response
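The feed parameters from "Feed Customization" and the Fetch and Parse steps of the pattern above, as an added example that is not the page's or DugganUSA's own client code. It assumes nothing beyond the Python standard library; `build_feed_request`, `extract_indicators` and `SAMPLE_BUNDLE` are names chosen for this example, the bundle is constructed, and the shape assumed for `?format=splunk` (observed-data objects whose `object_refs` point at SCOs shipped in the same bundle) is an assumption, since the page only says that format returns observed-data instead of indicator objects.

```python
"""Added example (not DugganUSA's client code): build a feed request with the
documented parameters and flatten the returned STIX 2.1 bundle into indicator
records. SAMPLE_BUNDLE is constructed; the ?format=splunk shape is assumed."""
import re
from urllib.parse import urlencode
from urllib.request import Request

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed"

# STIX Cyber-observable types -> the indicator kinds the integration guides use.
KIND_BY_TYPE = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain",
                "url": "url", "file": "hash"}

# One comparison inside a STIX pattern, e.g. [ipv4-addr:value = '203.0.113.5']
# or [file:hashes.'SHA-256' = '...']; finditer() also walks "[...] OR [...]".
_COMPARISON = re.compile(
    r"\[\s*(?P<type>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<value>[^']*)'\s*\]")


def build_feed_request(api_key, *, days=30, min_confidence=70, country=None,
                       unique_only=True, fmt=None, key_in_query=False):
    """Return a urllib Request for the feed, validating parameters client-side.
    key_in_query=True uses ?api_key= (for SIEMs that cannot set headers);
    otherwise the key goes in Authorization: Bearer and stays out of URL logs."""
    if not 1 <= days <= 90:
        raise ValueError("days must be between 1 and 90")
    if not 0 <= min_confidence <= 100:
        raise ValueError("min_confidence must be between 0 and 100")
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be an ISO 3166-1 alpha-2 code")
    params = {"days": days, "min_confidence": min_confidence,
              "unique_only": "true" if unique_only else "false"}
    if country:
        params["country"] = country
    if fmt:
        params["format"] = fmt
    headers = {}
    if key_in_query:
        params["api_key"] = api_key
    else:
        headers["Authorization"] = f"Bearer {api_key}"
    return Request(f"{FEED_URL}?{urlencode(params)}", headers=headers)


def extract_indicators(bundle, min_confidence=0):
    """Flatten a STIX 2.1 bundle into [{kind, value, confidence, source}].
    Handles 'indicator' objects (default feed) and 'observed-data' objects
    whose object_refs point at SCOs in the same bundle (assumed splunk shape).
    Objects with no confidence property count as confidence 0."""
    objects = bundle.get("objects", [])
    by_id = {o["id"]: o for o in objects if "id" in o}
    found = []
    for obj in objects:
        conf = obj.get("confidence", 0)
        if conf < min_confidence:
            continue
        if obj.get("type") == "indicator":
            for m in _COMPARISON.finditer(obj.get("pattern", "")):
                kind = KIND_BY_TYPE.get(m.group("type"))
                if kind:
                    found.append({"kind": kind, "value": m.group("value"),
                                  "confidence": conf, "source": obj["id"]})
        elif obj.get("type") == "observed-data":
            for ref in obj.get("object_refs", []):
                sco = by_id.get(ref, {})
                kind = KIND_BY_TYPE.get(sco.get("type"))
                # file SCOs carry a hashes dict; every other SCO here has 'value'
                value = sco.get("value") or next(iter(sco.get("hashes", {}).values()), None)
                if kind and value:
                    found.append({"kind": kind, "value": value,
                                  "confidence": conf, "source": obj["id"]})
    return found


def _indicator(n, name, pattern, confidence):
    """Build one constructed indicator object for the sample bundle."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "name": name, "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2025-11-13T00:00:00Z", "confidence": confidence}


# Constructed sample bundle: IDs, names and values are made up for this example.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "constructed: scanner", "[ipv4-addr:value = '203.0.113.5']", 95),
        _indicator(3, "constructed: phishing kit",
                   "[domain-name:value = 'login.example.net'] OR "
                   "[url:value = 'http://login.example.net/verify']", 60),
        _indicator(4, "constructed: dropper", "[file:hashes.'SHA-256' = "
                   "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']", 90),
        {"type": "ipv4-addr", "spec_version": "2.1",
         "id": "ipv4-addr--00000000-0000-4000-8000-000000000005", "value": "198.51.100.7"},
        {"type": "observed-data", "spec_version": "2.1", "number_observed": 3,
         "id": "observed-data--00000000-0000-4000-8000-000000000006", "confidence": 80,
         "object_refs": ["ipv4-addr--00000000-0000-4000-8000-000000000005"]},
    ],
}
```

`build_feed_request("YOUR_API_KEY", days=7, min_confidence=80)` yields the same request as the header-auth curl example, and `extract_indicators(SAMPLE_BUNDLE, min_confidence=80)` keeps the 95, 90 and 80 confidence records while dropping the 60. Filtering locally as well as with `min_confidence` on the server means a cached or mis-parameterised copy of the feed cannot push low-confidence indicators into a blocking rule.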
Support & Documentation
Comprehensive Documentation: Whitepaper #9 - FREE STIX Feed
API Endpoint: https://analytics.dugganusa.com/api/v1/stix-feed
Contact:
- Email: [email protected]
- Website: https://security.dugganusa.com
Democratic Sharing Law
99.5% of our data is public. Zero marginal cost to share digital goods. We don't hoard threat intelligence behind paywalls.
License: CC0-1.0 (Public Domain) - Use it however you want
Attribution: Appreciated but not required
© 2025 DugganUSA LLC. All Rights Reserved.
Integration guides created November 13, 2025