Security.DugganUSA.com Documentation

Enterprise Security Operations Platform - Technical Whitepapers & Architecture Guides

Free Threat Intelligence for Microsoft Sentinel Users: DugganUSA STIX 2.1 Feed

Published: November 13, 2025
Category: Threat Intelligence
Vendor: Microsoft Sentinel (Azure)


⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.

Tiered API keys are deployed today. Anonymous access ends March 15, 2026 — after that date all requests without a key will be rejected.

  • Free: $0 (25/day)
  • Pro: $99/mo (2,000/day, 24h email SLA)
  • Enterprise: $995/mo (50,000/day, 4h response SLA; contact [email protected])
  • Register: https://analytics.dugganusa.com/stix/register

The Value Proposition

DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.

63% unique discovery rate. Multi-source correlation. Free. STIX 2.1.

Your Microsoft Sentinel is excellent. Our feed makes it better.


What You Get

Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed


Microsoft Sentinel Integration

Step 1: Create Threat Intelligence Connector

  1. Navigate to Microsoft Sentinel → Configuration → Data connectors
  2. Search for “Threat Intelligence - TAXII”
  3. Click Open connector page

Step 2: Add STIX Feed

Friendly Name: DugganUSA STIX Feed
API Root URL: https://analytics.dugganusa.com/api/v1/stix-feed
Collection ID: (leave blank - direct STIX bundle)
Authentication Header: Authorization: Bearer <YOUR_API_KEY>
Import Indicators: All available
Polling Frequency: Every hour

Note: Use Authorization: Bearer <key>, not X-API-Key. The Cloudflare layer in front of the API strips custom headers, so an X-API-Key header never reaches the API. Register for an API key at: https://analytics.dugganusa.com/stix/register

Note: The native "Threat Intelligence - TAXII" connector is a TAXII 2.x client. It requires a Collection ID, authenticates with a username and password (HTTP Basic) and has no field for an arbitrary header, while this endpoint returns a raw STIX 2.1 bundle and expects a bearer token. If the connector rejects the configuration above, use the Logic App below: it performs the HTTP GET itself and pushes the indicators into Sentinel.

Alternative: Logic App Integration

Create Custom Logic App:

{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "$connections": { "type": "Object", "defaultValue": {} },
      "feedApiKey": { "type": "SecureString" }
    },
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": {
          "frequency": "Hour",
          "interval": 1
        }
      }
    },
    "actions": {
      "HTTP": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70",
          "headers": {
            "Authorization": "Bearer @{parameters('feedApiKey')}"
          }
        },
        "runtimeConfiguration": {
          "secureData": { "properties": ["inputs"] }
        }
      },
      "Parse_STIX_Bundle": {
        "type": "ParseJson",
        "runAfter": { "HTTP": ["Succeeded"] },
        "inputs": {
          "content": "@body('HTTP')",
          "schema": {
            "type": "object",
            "properties": {
              "type": { "type": "string" },
              "id": { "type": "string" },
              "objects": { "type": "array" }
            }
          }
        }
      },
      "Send_to_Sentinel": {
        "type": "ApiConnection",
        "runAfter": { "Parse_STIX_Bundle": ["Succeeded"] },
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "method": "post",
          "path": "/ThreatIntelligence/Indicators",
          "body": {
            "sourcesystem": "DugganUSA LLC",
            "value": "@body('Parse_STIX_Bundle')?['objects']"
          }
        }
      }
    }
  }
}

The actions are chained with runAfter; without it Logic Apps schedules all three in parallel and Parse_STIX_Bundle reads an empty body. The API key is a SecureString workflow parameter rather than a literal in the definition, and secureData on the HTTP action keeps the request (bearer header included) out of run history. The sourcesystem value "DugganUSA LLC" is what the KQL below matches on. The upload path and body shape (sourcesystem plus the array of STIX objects) follow the Sentinel upload-indicators API; check both against the schema of the Sentinel connector action you bind, since the legacy and V2 upload actions differ.

KQL Queries for Hunting

Find All DugganUSA Indicators

ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| summarize arg_max(TimeGenerated, *) by IndicatorId   // latest version of each indicator only
// The table has no IndicatorType column; derive it from the populated observable field
| extend IndicatorType = case(isnotempty(NetworkIP), "ip",
                              isnotempty(DomainName), "domain",
                              isnotempty(Url), "url",
                              isnotempty(FileHashValue), "hash",
                              "other")
| summarize count() by IndicatorType, ThreatType, ConfidenceScore
| render barchart

Correlate with Network Traffic

let DugganThreats = ThreatIntelligenceIndicator
  | where SourceSystem == "DugganUSA LLC"
  | summarize arg_max(TimeGenerated, *) by IndicatorId   // latest version of each indicator only
  | where Active == true and ExpirationDateTime > now()
  | where isnotempty(NetworkIP)
  | project NetworkIP, Confidence = ConfidenceScore, ThreatType;
CommonSecurityLog
| where DeviceVendor != "DugganUSA"  // Avoid circular logic
| where isnotempty(DestinationIP)
| join kind=inner DugganThreats on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, SourceIP, DestinationIP, Confidence, ThreatType, DeviceAction

Alert on Unique Discoveries

ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| summarize arg_max(TimeGenerated, *) by IndicatorId
| extend Discovery = parse_json(Tags).x_dugganusa_discovery
| where tobool(Discovery.unique_detection) == true
| extend MissedBy = Discovery.sources_with_zero_score
| project TimeGenerated, NetworkIP, Confidence = ConfidenceScore, MissedBy

Cross-Reference with Sign-ins

let MaliciousIPs = ThreatIntelligenceIndicator
  | where SourceSystem == "DugganUSA LLC"
  | summarize arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true and ExpirationDateTime > now()
  | where ConfidenceScore >= 80 and isnotempty(NetworkIP)
  | project NetworkIP, ConfidenceScore;
SigninLogs
| join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
// ResultType == "0" is a successful sign-in from a listed IP: triage those first
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType, ConfidenceScore

Analytic Rules

Create Detection Rule: Block High-Confidence Threats

let HighConfidence = ThreatIntelligenceIndicator
  | where SourceSystem == "DugganUSA LLC"
  | summarize arg_max(TimeGenerated, *) by IndicatorId   // latest version of each indicator only
  | where Active == true and ExpirationDateTime > now()
  | where ConfidenceScore >= 85
  | where ThreatType contains "malicious"
  | where isnotempty(NetworkIP)
  | project NetworkIP, ThreatType, ConfidenceScore;
CommonSecurityLog
| where TimeGenerated > ago(1h)   // match the rule's query frequency and lookback
| where DeviceVendor != "DugganUSA"   // avoid matching the feed against itself
| join kind=inner HighConfidence on $left.DestinationIP == $right.NetworkIP
| project
    TimeGenerated,   // the event time, not the indicator's ingestion time
    SourceIP,
    DestinationIP,
    ThreatType,
    Confidence = ConfidenceScore,
    DeviceAction,
    DeviceVendor

Rule Properties:


Workbook for Visualization

Create Custom Workbook:

// Top Threats by Confidence
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| summarize count() by ThreatType, bin(ConfidenceScore, 10)
| render columnchart

// Geographic Distribution
// Pick the Map visualization in the workbook step: KQL render has no map type
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| extend Country = tostring(parse_json(Tags).country)
| summarize ThreatCount = count() by Country

// Unique Discoveries Timeline
ThreatIntelligenceIndicator
| where SourceSystem == "DugganUSA LLC"
| extend UniqueDiscovery = parse_json(Tags).x_dugganusa_discovery.unique_detection
| where UniqueDiscovery == true
| summarize count() by bin(TimeGenerated, 1d)
| render timechart

Feed Parameters

# High confidence for automated blocking
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90"

# Broader detection coverage
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=60"

# Specific regions
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?country=CN&min_confidence=70"

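The parse-filter-upload step that the Logic App above hands to Sentinel, and the days/min_confidence filtering the curl calls request server-side, can be checked locally before anything is blocked. The following is an added example written for this page, not DugganUSA or Microsoft code: it parses a STIX 2.1 bundle in the shape the feed is described as returning, applies the confidence and age cut-offs client-side, refuses to pass on non-routable or internal addresses (a feed entry for 192.168.x.x at 99% confidence should never reach a block list), pulls out the x_dugganusa_discovery fields the KQL above reads, and builds the sourcesystem/value upload body. The sample bundle, its IDs and timestamps are constructed; the x_dugganusa_discovery property names come from the KQL on this page, and the upload body field names are an assumption about the Sentinel upload-indicators API.

```python
"""Offline consumer for a STIX 2.1 bundle of the kind described above.
Added example, not DugganUSA or Microsoft code. Sample data is constructed;
the x_dugganusa_discovery property names are taken from the KQL on this
page, the upload payload field names (sourcesystem/value) are an assumption."""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# One STIX 2.1 comparison expression over a single IPv4 address or CIDR block.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")

# Minimum set of ranges that must never reach a block list, whatever the feed's
# confidence says. Extend with your own public prefixes in production.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _indicator(n, ip, confidence, valid_from, **extra):
    """Construct one sample STIX 2.1 indicator (test data, not feed output)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--6e0d3c2a-1b3f-4f9e-9c1a-{n:012d}",
            "created": valid_from, "modified": valid_from, "valid_from": valid_from,
            "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
            "confidence": confidence, "indicator_types": ["malicious-activity"], **extra}


# Constructed bundle; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--6e0d3c2a-1b3f-4f9e-9c1a-000000000001",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "name": "sample publisher",
         "id": "identity--6e0d3c2a-1b3f-4f9e-9c1a-000000000002", "identity_class": "organization",
         "created": "2025-11-01T00:00:00.000Z", "modified": "2025-11-01T00:00:00.000Z"},
        _indicator(3, "203.0.113.7", 95, "2025-11-10T00:00:00.000Z",
                   x_dugganusa_discovery={"unique_detection": True,
                                          "sources_with_zero_score": ["AbuseIPDB", "VirusTotal", "ThreatFox"]}),
        _indicator(4, "198.51.100.23", 60, "2025-11-12T00:00:00.000Z"),   # low confidence
        _indicator(5, "192.168.1.10", 99, "2025-11-12T00:00:00.000Z"),    # RFC 1918: never block
        _indicator(6, "203.0.113.0/24", 80, "2025-10-01T00:00:00.000Z"),  # stale
        _indicator(7, "203.0.113.99", 90, "2025-11-11T00:00:00.000Z", revoked=True),
    ]})
FIXED_NOW = datetime(2025, 11, 13, 12, 0, tzinfo=timezone.utc)   # deterministic "now"


def parse_stix_ts(ts):
    """STIX timestamps are RFC 3339 UTC with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _check(obj, min_confidence, cutoff):
    """Return (network, None) if the indicator is usable for blocking, else (None, reason)."""
    if obj.get("revoked"):
        return None, "revoked"
    if obj.get("spec_version") != "2.1" or obj.get("pattern_type") != "stix":
        return None, "unsupported spec_version or pattern_type"
    m = IPV4_PATTERN.match(obj.get("pattern", ""))
    if not m:
        return None, "pattern is not a single ipv4-addr comparison"
    try:
        net = ipaddress.ip_network(m.group(1), strict=False)
    except ValueError:
        return None, "unparseable address"
    if any(net.overlaps(blocked) for blocked in NEVER_BLOCK):
        return None, "non-routable or internal range"   # checked before confidence on purpose
    if obj.get("confidence", 0) < min_confidence:
        return None, "below min_confidence"
    if parse_stix_ts(obj["valid_from"]) < cutoff:
        return None, "older than max_age_days"
    return net, None


def select_indicators(bundle_json, *, min_confidence, max_age_days, now):
    """Apply the feed's min_confidence/days filters client-side plus the checks a
    blocking pipeline needs. Returns (kept, rejected); rejected is [(id, reason)]."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    cutoff = now - timedelta(days=max_age_days)
    kept, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, markings, relationships carry nothing to block
        net, reason = _check(obj, min_confidence, cutoff)
        if reason:
            rejected.append((obj["id"], reason))
            continue
        discovery = obj.get("x_dugganusa_discovery", {})
        kept.append({"id": obj["id"],
                     "ip": str(net.network_address) if net.num_addresses == 1 else str(net),
                     "confidence": obj["confidence"],
                     "unique": bool(discovery.get("unique_detection", False)),
                     "missed_by": list(discovery.get("sources_with_zero_score", []))})
    return kept, rejected


def build_upload_payload(bundle_json, kept, source_system="DugganUSA LLC"):
    """Body in the shape of the Sentinel upload-indicators API (assumed field
    names), carrying only the STIX objects that passed select_indicators."""
    keep_ids = {k["id"] for k in kept}
    objects = [o for o in json.loads(bundle_json)["objects"] if o.get("id") in keep_ids]
    return {"sourcesystem": source_system, "value": objects}


if __name__ == "__main__":
    kept, rejected = select_indicators(SAMPLE_BUNDLE, min_confidence=70, max_age_days=30, now=FIXED_NOW)
    print("kept:", kept, "\nrejected:", rejected)
    print(json.dumps(build_upload_payload(SAMPLE_BUNDLE, kept), indent=1))
```

Run as a script, the default days=30, min_confidence=70 cut-offs keep one of the five sample indicators and report why each of the other four was dropped. For a production pipeline, extend NEVER_BLOCK with your own public prefixes and the addresses of upstream services you cannot afford to block, and keep the rejected list: a feed that starts shipping internal ranges or expired objects is itself a signal worth alerting on.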
Why This Matters

Microsoft Sentinel has the logs. We have the correlation.

You ingest data from everywhere. We correlate across 5 threat intelligence sources simultaneously.

When AbuseIPDB, VirusTotal, and ThreatFox all score an IP as zero — but we blocked it at 95% confidence — that’s the indicator your SIEM needs.

244 unique discoveries. Free. Forever.


Democratic Sharing Law

This feed is free because hoarding threat intelligence is bullshit.

Zero marginal cost to share digital goods. We publish openly because that’s how you prove you’re telling the truth about your discoveries.

Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).

7.1x evidence-to-claims ratio. We show receipts.


Technical Details


Support

Questions? Email [email protected]

API health: https://analytics.dugganusa.com/api/v1/stix-feed/info

Documentation: https://analytics.dugganusa.com/docs/stix-feed.md


Your security is our problem now.

— DugganUSA LLC (Minnesota)