Security.DugganUSA.com Documentation

Enterprise Security Operations Platform - Technical Whitepapers & Architecture Guides

KB: STIX Feed Integration Troubleshooting — Splunk ES, Zscaler, Cloud SIEMs

Published: March 14, 2026
Category: Troubleshooting / Knowledge Base
Based on: Real incident with Juan Leon (Datavant, Splunk ES 8.3 on Splunk Cloud through Zscaler proxy)


⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.

  • Free: $0 (25/day)
  • Pro: $99/mo (2,000/day, 24h email SLA)
  • Enterprise: $995/mo (50,000/day, 4h response SLA — [email protected])
  • Register: https://analytics.dugganusa.com/stix/register

Known Issues & Fixes

Issue 1: Corporate Proxy Detection (Zscaler, PANW, CrowdStrike)

Symptom: HTTP 403 Forbidden when pulling STIX feed from behind a corporate web proxy (Zscaler, Palo Alto Prisma, etc.)

Root Cause: Our competitor rate-limiting middleware detects known security vendor IP prefixes (Zscaler 165.225.*, 104.129.*, 136.226.*) and classifies traffic as competitor scanning. Customers behind these proxies get caught in the crossfire.

Fix (deployed): Authenticated requests (Authorization: Bearer header OR ?api_key= query param) now bypass competitor detection entirely. If you have a valid API key, you’re a customer regardless of proxy.

Commit: 51206578
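The "auth before identity" ordering behind this fix, as an added illustration (not the DugganUSA middleware itself): the key is checked first, and only unauthenticated traffic is subject to the vendor-prefix classification. The key store and the 198.51.100.x/203.0.113.x addresses are constructed; the prefixes are the ones named above.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample key store: hypothetical keys, not real DugganUSA credentials.
VALID_API_KEYS = ("k-customer-0001", "k-customer-0002")

# Egress prefixes the article names as security-vendor ranges (Zscaler and peers).
VENDOR_PREFIXES = [ipaddress.ip_network(p)
                   for p in ("165.225.0.0/16", "104.129.0.0/16", "136.226.0.0/16")]

@dataclass
class Decision:
    status: int   # HTTP status the middleware returns (200 = pass through to the app)
    reason: str   # short label meant to be logged, so every 403 is explainable

def extract_api_key(headers: dict, query: dict) -> Optional[str]:
    """Accept either Authorization: Bearer <key> or ?api_key=<key>."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    return query.get("api_key")

def key_is_valid(key: str) -> bool:
    # compare_digest: no byte-by-byte early exit that would leak key prefixes by timing
    return any(hmac.compare_digest(key.encode(), k.encode()) for k in VALID_API_KEYS)

def is_vendor_egress(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in VENDOR_PREFIXES)

def classify(source_ip: str, headers: dict, query: dict) -> Decision:
    key = extract_api_key(headers, query)
    # Step 1: authenticate. A valid key makes the caller a customer no matter
    # which proxy the request arrived through; a bad key is a 401, not a 403.
    if key is not None:
        return Decision(200, "customer") if key_is_valid(key) else Decision(401, "invalid_api_key")
    # Step 2: only unauthenticated traffic is subject to source classification.
    if is_vendor_egress(source_ip):
        return Decision(403, "competitor_scan")
    return Decision(200, "anonymous")
```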


Issue 2: Splunk Cloud Edge Blocking

Symptom: curl from local terminal works fine, but Splunk Cloud returns 403. Same URL, same API key.

Root Cause: Cloudflare edge security challenges requests based on source IP reputation. Splunk Cloud egress IPs may have lower reputation scores than residential/corporate IPs, triggering Cloudflare’s managed challenge before the request reaches our server.

Fix (deployed): Explicit Cloudflare ALLOW rule for any request matching:

/api/v1/stix-feed with api_key= in query string

This bypasses all Cloudflare security checks for authenticated STIX feed requests.

Cloudflare Rule ID: 94eeb67b5d5d4ddcbccede9c3eb157eb


Integration Guide: Splunk ES 8.3+

Setup

  1. Navigate to: Configure > Threat Intelligence > Add Data Source > STIX/OpenIOC
  2. URL: https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
  3. File Parser: stix2 (or auto)
  4. Interval: 86400 (daily) or your preferred cadence
  5. Save. That’s it.

Why ?format=splunk

Splunk ES only parses observed-data objects, not raw indicator.pattern syntax. The ?format=splunk parameter wraps every indicator as an observed-data object with the objects property Splunk’s parser expects.
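What that wrapping looks like, as an added example and not the feed's own code: each comparison in the indicator pattern becomes a numbered entry in the observed-data `objects` property (it also handles OR-joined comparisons and file hash paths, which go a step beyond the single-indicator case above). The sample indicator, its id and the TEST-NET address are constructed; deriving the observed-data id from the indicator id is a design choice here, not a STIX requirement.

```python
import re
import uuid

# One STIX comparison expression: <object-type>:<property path> = '<value>'
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")

# Constructed sample indicator (not feed data); 198.51.100.0/24 is TEST-NET-2.
SAMPLE_INDICATOR = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--6f0a3d1e-1111-4c2b-9e7a-000000000001",
    "created": "2026-03-14T00:00:00.000Z", "modified": "2026-03-14T00:00:00.000Z",
    "valid_from": "2026-03-13T00:00:00.000Z", "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'bad.example']",
}

def pattern_to_objects(pattern: str) -> dict:
    """Turn each comparison in an indicator pattern into a numbered observable object."""
    objects = {}
    for idx, (obj_type, path, value) in enumerate(COMPARISON.findall(pattern)):
        if path.startswith("hashes."):
            # file:hashes.'SHA-256' = '...' -> {"type": "file", "hashes": {"SHA-256": "..."}}
            algo = path[len("hashes."):].strip("'")
            objects[str(idx)] = {"type": obj_type, "hashes": {algo: value}}
        else:
            objects[str(idx)] = {"type": obj_type, path: value}
    if not objects:
        raise ValueError(f"no comparison found in pattern: {pattern}")
    return objects

def wrap_as_observed_data(indicator: dict) -> dict:
    """Emit an observed-data SDO carrying the indicator's observables in `objects`."""
    if indicator.get("type") != "indicator":
        raise ValueError("expected an indicator SDO")
    stamp = indicator.get("modified", indicator["created"])
    return {
        "type": "observed-data",
        "spec_version": "2.1",
        # uuid5 of the indicator id: re-pulling the feed yields the same id,
        # so Splunk's threat intel lookup does not churn between downloads
        "id": f"observed-data--{uuid.uuid5(uuid.NAMESPACE_URL, indicator['id'])}",
        "created": indicator["created"],
        "modified": stamp,
        "first_observed": indicator.get("valid_from", indicator["created"]),
        "last_observed": stamp,
        "number_observed": 1,
        "objects": pattern_to_objects(indicator["pattern"]),
    }

def to_splunk_bundle(bundle: dict) -> dict:
    """Wrap every indicator in a bundle; non-indicator objects pass through unchanged."""
    objs = [wrap_as_observed_data(o) if o.get("type") == "indicator" else o
            for o in bundle.get("objects", [])]
    return {"type": "bundle", "id": bundle["id"], "objects": objs}
```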

Why ?api_key= (not Bearer header)

Splunk ES cannot set custom Authorization: Bearer headers in threat intel downloads. The credential store translates stored credentials inconsistently. Query parameter auth bypasses this entirely — auth is in the URL.


Common Failure Modes

  • Symptom: 403 from Splunk Cloud
    Cause: Cloudflare edge blocking
    Fix: Should be resolved — ALLOW rule deployed
  • Symptom: 403 from corporate network
    Cause: Proxy detected as competitor
    Fix: Should be resolved — auth bypasses competitor detection
  • Symptom: 401 Invalid API Key
    Cause: Wrong key or key not registered for STIX
    Fix: Verify key at /api/v1/api-keys/verify
  • Symptom: 403 “not authorized for STIX feed”
    Cause: Key registered for Epstein only
    Fix: Contact us to add STIX access
  • Symptom: 200 but empty indicators
    Cause: Parser mismatch
    Fix: Use ?format=splunk for observed-data wrapping
  • Symptom: Indicators don’t appear in Threat Intel dashboard
    Cause: Splunk processing delay
    Fix: Wait 5-10 mins, check index=_internal source=*threatlist*

Diagnostic Commands (Splunk SPL)

# Check threat list download status
index=_internal source=*threatlist* "security_dugganusa"

# Check for download errors
index=_internal source=*threatlist* "security_dugganusa" ERROR

# Verify indicators loaded
| inputlookup append=t threat_intel_by_domain_lookup | search source="security_dugganusa"

Other SIEM Integrations

OPNsense (no auth required)

IP Blocklist:    /api/v1/opnsense/ip-blocklist
Suricata Rules:  /api/v1/opnsense/suricata-rules
DNS Blocklist:   /api/v1/opnsense/dns-blocklist

These are public plaintext feeds — no API key needed. Configure as URL Table aliases in OPNsense.

Generic STIX 2.1 Consumer

curl -H "Authorization: Bearer YOUR_KEY" \
  "https://analytics.dugganusa.com/api/v1/stix-feed"

CSV Exports (firewalls, EDR, custom scripts)

IPs:     /api/v1/stix-feed/ips.csv
Hashes:  /api/v1/stix-feed/hashes.csv
Domains: /api/v1/stix-feed/domains.csv
URLs:    /api/v1/stix-feed/urls.csv

All endpoints accept ?api_key= for tools that can’t set headers.


Full API Documentation

https://analytics.dugganusa.com/api/v1/stix-feed/help

Lessons Learned

  1. Auth before identity. Check the API key before classifying the source. A customer behind Zscaler is a customer, not a competitor.
  2. Edge and app are two layers. Fixing app-level auth doesn’t help if Cloudflare blocks the request first.
  3. Test from the customer’s infrastructure, not yours. Local curl success doesn’t mean cloud SIEM success.
  4. Splunk ES can’t set custom headers. Always support query parameter auth for enterprise SIEM tools.
  5. Ship the fix the same day. Juan filed the issue and got two fixes deployed within hours. That’s the standard.

Support

Questions? Email [email protected]

API health: https://analytics.dugganusa.com/api/v1/stix-feed/info

Full docs: https://analytics.dugganusa.com/api/v1/stix-feed/help


Your security is our problem now.

— DugganUSA LLC (Minnesota)