Security.DugganUSA.com Documentation

Enterprise Security Operations Platform - Technical Whitepapers & Architecture Guides

Free Threat Intelligence for CrowdStrike Users: DugganUSA STIX 2.1 Feed

Published: November 13, 2025
Category: Threat Intelligence
Vendor: CrowdStrike Falcon


⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.

Tiered API keys are deployed today. Anonymous access ends March 15, 2026 — after that date all requests without a key will be rejected.

  • Free: $0 (25/day)
  • Pro: $99/mo (2,000/day, 24h email SLA)
  • Enterprise: $995/mo (50,000/day, 4h response SLA — [email protected])
  • Register: https://analytics.dugganusa.com/stix/register

The Value Proposition

DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.

That’s a 63% unique discovery rate from multi-source correlation.

Your CrowdStrike Falcon platform is excellent. Our free STIX 2.1 feed makes it better.


What You Get

Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed


CrowdStrike Falcon Integration

Step 1: Access Threat Intelligence Management

  1. Log into CrowdStrike Falcon Console
  2. Navigate to Threat Intelligence → Indicators
  3. Click Import → STIX Feed

Step 2: Configure Feed URL

Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70
Format: STIX 2.1
Authentication Header: Authorization: Bearer <YOUR_API_KEY>
Update Frequency: Hourly recommended

Note: Use Authorization: Bearer <key> — not X-API-Key. Cloudflare strips custom headers; X-API-Key will not reach the API. Register for an API key at: https://analytics.dugganusa.com/stix/register

Step 3: Map Indicators to Detections

CrowdStrike will automatically:

Step 4: Create Custom Detection Logic

Example: Block High-Confidence Threats

-- Falcon Query Language (FQL)
event_simpleName=NetworkConnectIP4
| lookup threat_intel ip_address as RemoteAddressIP4
| where threat_intel.confidence >= 80
| eval severity=case(
    threat_intel.indicator_types contains "malicious-activity", "CRITICAL",
    threat_intel.indicator_types contains "anomalous-activity", "HIGH",
    true, "MEDIUM"
  )

Example: Hunt for Communications with Unique Discoveries

event_simpleName=NetworkConnectIP4
| lookup threat_intel ip_address as RemoteAddressIP4  
| where threat_intel.x_dugganusa_discovery.unique_detection=true
| stats count by ComputerName, RemoteAddressIP4, threat_intel.name

Query Examples

Find All DugganUSA Indicators

event_simpleName=ThreatIntelIndicatorMatch
| where IndicatorSource="DugganUSA LLC"
| stats count by IndicatorValue, IndicatorType, Severity

Correlate with MITRE ATT&CK

event_simpleName=ThreatIntelIndicatorMatch
| where IndicatorSource="DugganUSA LLC"
| join type=left aid, ContextTimestamp 
    [search event_simpleName=DetectionSummaryEvent]
| stats count by Tactic, Technique, IndicatorValue

Unique Discovery Alert

-- Alert on threats missed by other vendors
event_simpleName=ThreatIntelIndicatorMatch
| where IndicatorSource="DugganUSA LLC"
| where threat_intel.x_dugganusa_discovery.sources_with_zero_score != []
| eval missed_vendors=mvjoin(threat_intel.x_dugganusa_discovery.sources_with_zero_score, ", ")
| table ContextTimestamp, ComputerName, IndicatorValue, missed_vendors

Feed Parameters

Customize the feed for your environment:

# Last 7 days, high confidence only
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=85"

# Last 90 days, all indicators
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=90"

# China-origin threats only
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?country=CN&min_confidence=70"

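An added example (not DugganUSA's or CrowdStrike's code) of vetting a bundle saved from the curl commands above before it is allowed to drive blocking: it re-applies the min_confidence cut-off locally and refuses indicators that point at internal ranges or carry patterns it cannot parse. The sample bundle is constructed and trimmed to the fields the check reads, and the layout of x_dugganusa_discovery is an assumption taken from the field names used in the queries on this page.

```python
import ipaddress
import json
import re

# Ranges a third-party feed must never be able to block: RFC 1918, loopback, link-local.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")

def vet_bundle(raw, min_confidence=70):
    """Split a STIX 2.1 bundle (JSON string) into accepted IPs and (id, reason) rejections."""
    bundle = json.loads(raw)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships etc. carry no blockable value
        match = IPV4_PATTERN.match(obj.get("pattern", ""))
        if obj.get("pattern_type") != "stix" or not match:
            rejected.append((obj.get("id"), "unsupported pattern"))
            continue
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            rejected.append((obj.get("id"), "invalid IPv4"))
            continue
        if any(ip in net for net in INTERNAL):
            rejected.append((obj.get("id"), "internal range"))
        elif obj.get("confidence", 0) < min_confidence:
            rejected.append((obj.get("id"), "low confidence"))
        else:
            disc = obj.get("x_dugganusa_discovery", {})  # assumed custom property layout
            accepted.append({"ip": str(ip), "confidence": obj["confidence"],
                             "unique": bool(disc.get("unique_detection"))})
    return accepted, rejected

def ind(n, pattern, confidence, **extra):  # builds one constructed indicator object
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "pattern": pattern,
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}", "confidence": confidence, **extra}

# Constructed sample bundle, not real feed output.
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    ind(1, "[ipv4-addr:value = '203.0.113.7']", 95, x_dugganusa_discovery={"unique_detection": True}),
    ind(2, "[ipv4-addr:value = '10.0.0.5']", 99),
    ind(3, "[ipv4-addr:value = '198.51.100.20']", 40),
    ind(4, "[ipv4-addr:value = '999.1.1.1']", 90),
    ind(5, "[domain-name:value = 'example.invalid']", 90),
]})
```
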
Why This Matters

CrowdStrike has the telemetry. We have the correlation.

You see threats at the endpoint. We see threats across 5 intelligence sources simultaneously.

When AbuseIPDB scores an IP as zero, VirusTotal scores it as zero, and ThreatFox scores it as zero — but we blocked it at confidence 95% — that’s the threat your EDR needs to know about.

244 unique discoveries. Free. Forever.


Democratic Sharing Law

This feed is free because digital goods have zero marginal cost to share.

We’re not hoarding threat intelligence behind paywalls. We’re publishing it openly because that’s how you prove you’re not full of shit.

Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked, 1,011 excluded).

7.1x evidence-to-claims ratio. We show receipts.


Technical Details


Support

Questions? Email [email protected]

API issues? Check feed health: https://analytics.dugganusa.com/api/v1/stix-feed/info

Documentation: https://analytics.dugganusa.com/docs/stix-feed.md


Your security is our problem now.

— DugganUSA LLC (Minnesota)