Free Threat Intelligence for Splunk Enterprise Security Users: DugganUSA STIX 2.1 Feed
Published: November 13, 2025 Category: Threat Intelligence Vendor: Splunk Enterprise Security
⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.
Tiered API keys are deployed today. Anonymous access ends March 15, 2026 — after that date all requests without a key will be rejected.
- Free: $0 (25/day)
- Pro: $99/mo (2,000/day, 24h email SLA)
- Enterprise: $995/mo (50,000/day, 4h response SLA — [email protected])
- Register: https://analytics.dugganusa.com/stix/register
The Value Proposition
DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.
63% unique discovery rate. Multi-source correlation. Free. STIX 2.1.
Your Splunk Enterprise Security is excellent. Our feed makes it better.
What You Get
- Free STIX 2.1 threat intelligence feed
- Real-time updates from production security operations
- MITRE ATT&CK mapped indicators
- Zero cost - Democratic Sharing Law (Judge Dredd D6: 99.5% public)
- 244+ unique discoveries missed by major threat intel vendors
Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed
Authentication
Option A: Authorization Header (Standard)
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed"
Option B: Query Parameter (SIEMs)
Many SIEMs — including Splunk ES, QRadar, and others — cannot set custom Authorization headers on threat intelligence downloads. For these platforms, pass your key as a query parameter:
https://analytics.dugganusa.com/api/v1/stix-feed?api_key=YOUR_API_KEY
This is equivalent to Authorization: Bearer YOUR_API_KEY and works on all STIX endpoints. Because the key then travels in the URL, treat the Splunk configuration that stores it, and any proxy logs that record request URLs, as secrets.
Note: Do not use X-API-Key — Cloudflare strips custom headers. Register for an API key at: https://analytics.dugganusa.com/stix/register
Splunk ES 8.x Integration (Recommended)
Splunk Enterprise Security 8.x has a built-in STIX/OpenIOC threat intelligence downloader. No custom scripting required.
Important: Splunk ES 8.x only parses observed-data STIX objects — it does not support indicator.pattern syntax. Use the ?format=splunk parameter to get a compatible format.
Step 1: Navigate to Threat Intelligence Configuration
Configure → Threat Intelligence → Add Data Source → STIX/OpenIOC
Step 2: Configure the Data Source
URL: https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_API_KEY
File Parser: stix2
Interval: 86400 (daily)
That’s it. No “Remote Site User” field needed — authentication is in the URL.
The ?format=splunk parameter returns a STIX 2.1 bundle using observed-data objects with the objects property that Splunk ES 8.x expects:
{
"type": "observed-data",
"objects": {
"0": { "type": "ipv4-addr", "value": "1.2.3.4" }
}
}
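As an added illustration (not the feed's own server-side code), the following converter shows how an indicator bundle is flattened into that observed-data shape; it is useful client-side where ?format=splunk is not available. The single-comparison pattern form and the x_dugganusa_* property names are assumptions taken from the examples on this page.

```python
import re
import uuid
from datetime import datetime, timezone

# Single-comparison STIX pattern such as "[ipv4-addr:value = '1.2.3.4']" (assumed feed form).
_SIMPLE_PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):value\s*=\s*'([^']*)'\s*\]$")

def parse_simple_pattern(pattern):
    """Return (sco_type, value) for a single-comparison pattern, else None."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    return (m.group(1), m.group(2)) if m else None

def indicator_to_observed_data(ind, now):
    """Rewrite one indicator into the observed-data shape Splunk ES 8.x parses; the id is
    derived from the indicator id so repeated downloads do not create duplicate objects."""
    parsed = parse_simple_pattern(ind.get("pattern", ""))
    if parsed is None:  # compound or non-equality pattern: cannot be flattened to one SCO
        return None
    sco_type, value = parsed
    od = {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--" + str(uuid.uuid5(uuid.NAMESPACE_URL, ind["id"])),
        "created": now,
        "modified": now,
        "first_observed": ind.get("valid_from", now),
        "last_observed": ind.get("modified", now),
        "number_observed": 1,
        "objects": {"0": {"type": sco_type, "value": value}},
    }
    # Keep confidence and the vendor's x_dugganusa_* extensions for the spath-based searches.
    for key, val in ind.items():
        if key == "confidence" or key.startswith("x_dugganusa_"):
            od[key] = val
    return od

def to_splunk_bundle(bundle, now=None):
    """Return (bundle of observed-data objects, number of indicators skipped)."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicators = [o for o in bundle.get("objects", []) if o.get("type") == "indicator"]
    converted = [indicator_to_observed_data(i, now) for i in indicators]
    objects = [od for od in converted if od is not None]
    return {"type": "bundle", "id": bundle["id"], "objects": objects}, len(converted) - len(objects)

# Constructed sample input (not real feed data): two simple indicators and one compound pattern.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--a1", "pattern": "[ipv4-addr:value = '1.2.3.4']",
     "confidence": 95, "valid_from": "2025-11-01T00:00:00.000Z",
     "x_dugganusa_discovery": {"unique_detection": True, "sources_with_zero_score": ["abuseipdb"]}},
    {"type": "indicator", "id": "indicator--a2", "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": "indicator--a3",
     "pattern": "[ipv4-addr:value = '5.6.7.8' AND network-traffic:dst_port = 443]"},
]}
```

The skipped count is worth logging: a compound pattern that cannot be expressed as one observable is silently lost otherwise.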
Step 3: Verify Ingestion
After the first download interval, check for ingested indicators:
index=threat_activity sourcetype="stix:json"
| stats count by type
Splunk Enterprise Security Integration (Classic / Custom Script)
For Splunk versions before ES 8.x, or if you need more control over parsing, use the custom script approach below.
Step 1: Install Threat Intelligence Framework
- Navigate to Apps → Find More Apps
- Install “Splunk Threat Intelligence Management” (if not already installed)
- Restart Splunk
Step 2: Configure Threat Intelligence Download
Navigate to Enterprise Security → Configuration → Data Enrichment → Threat Intelligence Downloads
Click New:
Name: DugganUSA STIX 2.1 Feed
Description: Free threat intel - 244 unique discoveries
URL: https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70&api_key=YOUR_API_KEY
Type: STIX
Weight: 5
Disabled: No
Interval: 3600 (hourly)
Extraction: Auto
Tip: If your Splunk version supports custom headers, you can also use Authorization: Bearer <YOUR_API_KEY> in the Authentication Header field instead of ?api_key= in the URL.
Step 3: Create Threat Intelligence Lookup
inputs.conf:
[script://./bin/dugganusa_stix_download.py]
disabled = false
index = threat_activity
interval = 3600
sourcetype = stix:json
source = dugganusa_stix_feed
dugganusa_stix_download.py:
#!/usr/bin/env python3
import json
import os
import sys
import requests

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70"
# Set via environment variable or Splunk credential store; do not hard-code the key
API_KEY = os.environ.get("DUGGANUSA_API_KEY", "<YOUR_API_KEY>")
# Note: Do NOT use X-API-Key — Cloudflare strips custom headers
headers = {"Authorization": f"Bearer {API_KEY}"}

try:
    response = requests.get(FEED_URL, headers=headers, timeout=60)
    response.raise_for_status()
    stix_bundle = response.json()
except (requests.RequestException, ValueError) as exc:
    # stderr from a scripted input is recorded in splunkd.log
    print(f"dugganusa_stix_download: feed fetch failed: {exc}", file=sys.stderr)
    sys.exit(1)

for indicator in stix_bundle.get('objects', []):
    if indicator.get('type') != 'indicator':
        continue
    # Pattern looks like "[ipv4-addr:value = '1.2.3.4']"; take the quoted literal
    parts = indicator.get('pattern', '').split("'")
    if len(parts) < 2:
        continue  # no quoted literal, nothing to look up
    discovery = indicator.get('x_dugganusa_discovery', {})
    event = {
        'created': indicator.get('created'),  # used by TIMESTAMP_FIELDS in props.conf
        'ip': parts[1],
        'confidence': indicator.get('confidence', 0),
        'threat_type': ','.join(indicator.get('indicator_types', [])),
        'unique_discovery': discovery.get('unique_detection', False),
        'sources_missed': ','.join(discovery.get('sources_with_zero_score', []))
    }
    print(json.dumps(event))
SPL Queries for Hunting
Find Communications with Malicious IPs
index=* dest_ip=*
| lookup dugganusa_threat_intel ip AS dest_ip OUTPUT confidence, threat_type, unique_discovery
| where isnotnull(confidence)
| where confidence >= 80
| stats count by src_ip, dest_ip, confidence, threat_type
| sort - confidence
Alert on Unique Discoveries
index=threat_activity sourcetype="stix:json" source="dugganusa_stix_feed"
| spath input=_raw path=x_dugganusa_discovery.unique_detection output=unique_discovery
| where unique_discovery="true"
| spath input=_raw path=x_dugganusa_discovery.sources_with_zero_score{} output=missed_vendors
| table _time, ip, confidence, threat_type, missed_vendors
Correlate with Firewall Denies
index=firewall action=deny
| lookup dugganusa_threat_intel ip AS dest_ip OUTPUT confidence, threat_type
| where isnotnull(confidence)
| stats count by dest_ip, confidence, threat_type, src_ip
| where count > 5
| eval severity=case(
confidence >= 90, "CRITICAL",
confidence >= 75, "HIGH",
confidence >= 60, "MEDIUM",
1=1, "LOW"
)
Notable Events: Vendor-Missed Threats
index=* dest_ip=*
| lookup dugganusa_threat_intel ip AS dest_ip OUTPUT confidence, threat_type, unique_discovery, sources_missed
| where unique_discovery="true"
| eval notable_description="Communication with IP missed by: ".sources_missed
| collect index=notable_events
Correlation Searches
Create Correlation Search: DugganUSA High-Confidence Threat
Navigate to Content Management → Create New Content → Correlation Search
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic where * by All_Traffic.dest_ip, All_Traffic.src_ip
| lookup dugganusa_threat_intel ip AS All_Traffic.dest_ip OUTPUT confidence, threat_type, unique_discovery
| where confidence >= 85
| eval severity="high"
| eval description="Communication with high-confidence malicious IP from DugganUSA feed"
| table _time, All_Traffic.src_ip, All_Traffic.dest_ip, confidence, threat_type, unique_discovery
Notable Event Settings:
- Severity: High
- Drilldown Search: Yes
- Throttle: Suppress for 1 hour per dest_ip
Threat Intelligence Framework Configuration
transforms.conf:
[dugganusa_threat_intel]
filename = dugganusa_threat_intel.csv
max_matches = 1
min_matches = 1
default_match = unknown
props.conf:
[stix:json]
INDEXED_EXTRACTIONS = json
KV_MODE = json
TIMESTAMP_FIELDS = created
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
Dashboard: DugganUSA Threat Overview
XML Source:
<dashboard>
<label>DugganUSA Threat Intelligence</label>
<row>
<panel>
<title>Unique Discoveries by Confidence</title>
<chart>
<search>
<query>
index=threat_activity source="dugganusa_stix_feed"
| spath path=x_dugganusa_discovery.unique_detection output=unique
| where unique="true"
| stats count by confidence
| sort - confidence
</query>
</search>
<option name="charting.chart">column</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Threats Missed by Major Vendors</title>
<table>
<search>
<query>
index=threat_activity source="dugganusa_stix_feed"
| spath path=x_dugganusa_discovery.sources_with_zero_score{} output=missed
| where isnotnull(missed)
| stats count by missed
| sort - count
</query>
</search>
</table>
</panel>
</row>
</dashboard>
Feed Parameters
# High confidence for automated response
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90"
# Broader detection coverage
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=60"
# Specific threat origins
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?country=RU&min_confidence=70"
Why This Matters
Splunk ES has the data. We have the correlation.
You index everything. We correlate across 5 threat intelligence sources simultaneously.
When AbuseIPDB, VirusTotal, and ThreatFox all score an IP as zero — but we blocked it at 95% confidence — that’s the indicator your SIEM needs.
244 unique discoveries. Free. Forever.
Democratic Sharing Law
This feed is free because hoarding threat intelligence is bullshit.
Zero marginal cost to share digital goods. We publish openly because that’s how you prove you’re telling the truth about your discoveries.
Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).
7.1x evidence-to-claims ratio. We show receipts.
Technical Details
- Format: STIX 2.1 Bundle
- Attribution:
created_by_ref: identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d
- Update Frequency: Real-time from production auto-blocking
- License: CC0-1.0 (Public Domain)
- Contact: [email protected]
Support
Questions? Email [email protected]
API health: https://analytics.dugganusa.com/api/v1/stix-feed/info
Documentation: https://analytics.dugganusa.com/docs/stix-feed.md
Your security is our problem now.
— DugganUSA LLC (Minnesota)