Security.DugganUSA.com Documentation

Enterprise Security Operations Platform - Technical Whitepapers & Architecture Guides

Free Threat Intelligence for Palo Alto Cortex XDR Users: DugganUSA STIX 2.1 Feed

Published: November 13, 2025
Category: Threat Intelligence
Vendor: Palo Alto Networks Cortex XDR


⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.

Tiered API keys are deployed today. Anonymous access ends March 15, 2026 — after that date all requests without a key will be rejected.

  • Free: $0 (25/day)
  • Pro: $99/mo (2,000/day, 24h email SLA)
  • Enterprise: $995/mo (50,000/day, 4h response SLA — [email protected])
  • Register: https://analytics.dugganusa.com/stix/register

The Value Proposition

DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.

63% unique discovery rate. Multi-source correlation. Free.

Your Cortex XDR platform is excellent. Our STIX 2.1 feed makes it better.


What You Get

Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed


Cortex XDR Integration

Step 1: Access Threat Intelligence Management

  1. Log into Cortex XDR Console
  2. Navigate to Response → External Dynamic Lists
  3. Click + New List

Step 2: Configure STIX Feed

List Type: Threat Intelligence
Name: DugganUSA STIX 2.1 Feed
Description: Free threat intel - 244 unique discoveries
Source URL: https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70
Format: STIX 2.1
Update Frequency: Hourly
Authentication Header: Authorization: Bearer <YOUR_API_KEY>
Certificate Validation: Enabled

Note: Use Authorization: Bearer <key> — not X-API-Key. Cloudflare strips custom headers; X-API-Key will not reach the API. Register for an API key at: https://analytics.dugganusa.com/stix/register

Step 3: Create IOC Rule

Navigate to Response → IOC Rules → + New Rule

Rule Name: Block DugganUSA High-Confidence Threats
Description: Auto-block IPs from unique discovery feed
Source: DugganUSA STIX 2.1 Feed
Severity: High
Action: Block
Scope: All endpoints

Step 4: XQL Queries for Hunt

Find Communications with Unique Discoveries

dataset = xdr_data
| filter event_type = STORY and event_sub_type = NETWORK_STORY
| alter remote_ip = arrayindex(regextract(action_remote_ip, "(\d+\.\d+\.\d+\.\d+)"), 0)
| join type=left (
    dataset = threat_intel_feeds
    | filter feed_name = "DugganUSA STIX 2.1 Feed"
    | alter indicator_ip = indicator_value
  ) indicator_ip = remote_ip
| filter isnotnull(indicator_value)
| fields agent_hostname, remote_ip, indicator_value, threat_score, unique_discovery

Alert on Vendors-Missed Threats

config case_sensitive = false
| dataset = network_story
| join type=inner (
    dataset = threat_intel_feeds
    | filter feed_name contains "DugganUSA"
    | filter unique_discovery = true
  ) dst_ip_v4 = indicator_value
| alter
    missed_by = json_extract_scalar(custom_properties, "$.x_dugganusa_discovery.sources_with_zero_score"),
    confidence = json_extract_scalar(custom_properties, "$.confidence")
| fields _time, src_host_name, dst_ip_v4, confidence, missed_by

Prevention Policy Rules

BIOC Rule: Block High-Confidence Malicious IPs

// Navigate to Response → BIOC Rules
config case_sensitive = false
| dataset = network_story
| join type=inner (
    dataset = threat_intel_feeds
    | filter feed_name = "DugganUSA STIX 2.1 Feed"
    | filter confidence >= 85
    | filter indicator_types contains "malicious-activity"
  ) dst_ip_v4 = indicator_value
| alter threat_name = indicator_name
| fields agent_hostname, dst_ip_v4, threat_name, confidence

Action: Terminate network connection + Alert


Feed Parameters

Customize for your environment:

# High confidence only (recommended for prevention)
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90"

# Detection mode (broader coverage)
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=60"

# Specific threat actors by country
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?country=RU&min_confidence=70"
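As an added example (not DugganUSA's own client code), the Python below pulls the feed with the Bearer header from Step 2, uses the same days/min_confidence parameters as the curl calls above, and reduces the STIX 2.1 bundle to a plain IPv4 block list while keeping the sources_with_zero_score detail that the XQL hunt queries read. The shape of the x_dugganusa_discovery custom property is assumed from the JSON path in those queries, and the sample bundle is constructed so the parsing runs offline.

```python
import json
import re
import urllib.request

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed"
# Matches a single-IPv4 STIX pattern such as [ipv4-addr:value = '203.0.113.7']
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'\]")

def fetch_bundle(api_key, days=7, min_confidence=90):
    """GET the feed with the Bearer header (Cloudflare drops X-API-Key)."""
    url = f"{FEED_URL}?days={days}&min_confidence={min_confidence}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def extract_ipv4_indicators(bundle, min_confidence=90, unique_only=False):
    """(ip, confidence, missed_by) for live single-IPv4 indicators at or above min_confidence."""
    hits = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        match = IPV4_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if match is None:  # domain, URL or compound patterns are not block-list material
            continue
        # confidence is optional in STIX 2.1; an absent value never clears the bar
        confidence = int(obj.get("confidence", 0))
        if confidence < min_confidence:
            continue
        # x_dugganusa_discovery is the custom property the XQL above reads (shape assumed)
        missed_by = list((obj.get("x_dugganusa_discovery") or {}).get("sources_with_zero_score", []))
        if unique_only and not missed_by:
            continue
        hits.append((match.group(1), confidence, missed_by))
    return hits

def to_edl(hits):
    """Deduplicated, sorted IPs, one per line: the shape an External Dynamic List consumes."""
    return "\n".join(sorted({ip for ip, _, _ in hits}))

# Constructed sample bundle (not real feed data) so the functions run offline.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix", "confidence": 95,
     "pattern": "[ipv4-addr:value = '203.0.113.7']", "indicator_types": ["malicious-activity"],
     "x_dugganusa_discovery": {"sources_with_zero_score": ["AbuseIPDB", "VirusTotal", "ThreatFox"]}},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix", "confidence": 70,
     "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix", "confidence": 92,
     "pattern": "[domain-name:value = 'example.invalid']"},
    {"type": "indicator", "id": "indicator--4", "pattern_type": "stix", "confidence": 99,
     "pattern": "[ipv4-addr:value = '192.0.2.9']", "revoked": True},
]}
```

Pointing fetch_bundle at the live feed with a registered key gives the same bundle shape; dropping the prevention threshold to 60 mirrors the "detection mode" curl call and widens the list accordingly.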

Why This Matters

Cortex XDR has the visibility. We have the correlation.

You see network traffic, endpoint behavior, cloud activity. We see 5 threat intelligence sources simultaneously.

When every major vendor scores an IP as benign, but we blocked it at 95% confidence — that’s the indicator your XDR needs.

244 unique discoveries that would have slipped through vendor-only threat feeds.


Integration with AutoFocus

  1. Navigate to Threat Intelligence → AutoFocus
  2. Create custom tag: DugganUSA_UniqueDiscovery
  3. Import our STIX feed as tag source
  4. Enable automatic tagging for sessions matching our indicators

Result: Enrich AutoFocus sessions with our unique discovery intelligence.


Democratic Sharing Law

This feed is free because hoarding threat intelligence is bullshit.

Zero marginal cost to share digital goods. We publish openly because that’s how you prove you’re not lying about your discoveries.

Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).

7.1x evidence-to-claims ratio. We show receipts.


Technical Details


Support

Questions? Email [email protected]

API health: https://analytics.dugganusa.com/api/v1/stix-feed/info

Documentation: https://analytics.dugganusa.com/docs/stix-feed.md


Your security is our problem now.

— DugganUSA LLC (Minnesota)