API Documentation

DugganUSA Threat Intelligence Platform API - Free STIX 2.1 feed and integration guides.

STIX 2.1 Feed (Free)

GET https://analytics.dugganusa.com/api/v1/stix-feed

Returns a complete STIX 2.1 bundle with indicators, attack patterns, and relationships. Requires Authorization: Bearer <key> or ?api_key=YOUR_KEY (register free). Anonymous access ends March 15, 2026.

# Header authentication
curl -H "Authorization: Bearer <YOUR_API_KEY>" https://analytics.dugganusa.com/api/v1/stix-feed

# Query parameter authentication (for SIEMs that cannot set custom headers)
curl "https://analytics.dugganusa.com/api/v1/stix-feed?api_key=YOUR_API_KEY"

Pattern-Specific Feeds

# Pattern 38: Stealc/Rhadamanthys distribution
curl -H "Authorization: Bearer <YOUR_API_KEY>" "https://analytics.dugganusa.com/api/v1/stix-feed?pattern=38"

# Pattern 43: RAT developer social networks
curl -H "Authorization: Bearer <YOUR_API_KEY>" "https://analytics.dugganusa.com/api/v1/stix-feed?pattern=43"

Query Parameters

Parameter       Type     Description
days            integer  Number of days of data (default: 30, max: 90)
min_confidence  integer  Minimum confidence score 0-100 (default: 60)
country         string   Filter by country code (e.g., CN, RU, US)
unique_only     boolean  Only return unique discoveries (default: false)
pattern         integer  Filter by pattern number (38, 42, 43)
format          string   Output format. Use splunk for Splunk ES 8.x compatibility (returns observed-data objects)
api_key         string   Query parameter auth: alternative to Authorization header for SIEMs (Splunk ES, QRadar)

SIEM Integration

Splunk ES 8.x (Native — No Scripting Required)

Configure → Threat Intelligence → Add Data Source → STIX/OpenIOC:

URL: https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_API_KEY
File Parser: stix2
Interval: 86400

The ?format=splunk parameter returns observed-data objects compatible with Splunk ES 8.x. No custom headers or scripting needed.

Splunk (Classic) / Elastic

# Cron job to pull daily IOCs
curl -s -H "Authorization: Bearer <YOUR_API_KEY>" https://analytics.dugganusa.com/api/v1/stix-feed | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern' >> /var/log/threat-intel/dugganusa.log

Firewall Blocklist

# Extract IPs for blocking
curl -s -H "Authorization: Bearer <YOUR_API_KEY>" https://analytics.dugganusa.com/api/v1/stix-feed | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern' | \
  grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -u
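
A stricter take on the IP extraction above, as an added example (not DugganUSA's own code): it reads only ipv4-addr terms from each indicator's STIX pattern, validates them, and keeps protected ranges and low-confidence indicators out of the blocklist. The sample bundle is constructed, and the presence of the STIX 2.1 confidence property on the feed's indicators, the NEVER_BLOCK list and the function name are assumptions.

```python
import ipaddress
import json
import re

# One comparison term of a STIX pattern, e.g. [ipv4-addr:value = '198.51.100.7']
IPV4_TERM = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")

# Ranges that must never reach a deny rule; extend with your own egress/VPN ranges.
NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Constructed sample bundle, not real feed output (RFC 5737 documentation addresses).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "confidence": 90,
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "confidence": 85,
     "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '10.1.2.3']"},
    {"type": "indicator", "confidence": 40,
     "pattern": "[ipv4-addr:value = '192.0.2.55']"},
    {"type": "indicator", "confidence": 95,
     "pattern": "[file:name = 'setup-10.0.19041.1.exe']"},
    {"type": "indicator", "confidence": 95,
     "pattern": "[ipv4-addr:value = '999.1.1.1']"},
    {"type": "attack-pattern", "name": "constructed"},
]})


def blocklist_from_bundle(bundle_json, min_confidence=60):
    """Return (sorted CIDR strings safe to block, [(value, reason)] rejections)."""
    accepted, rejected = set(), []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        # Assumption: indicators carry STIX 2.1 'confidence'; a missing score fails closed.
        trusted = obj.get("confidence", 0) >= min_confidence
        for value in IPV4_TERM.findall(obj.get("pattern", "")):
            try:
                net = ipaddress.IPv4Network(value, strict=False)
            except ValueError:
                rejected.append((value, "invalid address"))
                continue
            if not trusted:
                rejected.append((value, "low confidence"))
            elif any(net.overlaps(n) for n in NEVER_BLOCK):
                rejected.append((value, "protected range"))
            else:
                accepted.add(net)
    return [str(n) for n in sorted(accepted)], rejected
```

The file-name indicator in the sample contains 10.0.19041.1, which the grep expression above would emit as an address; the parser ignores it because it is not an ipv4-addr term.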

OTX Integration

Subscribe to our pulses on AlienVault OTX for automatic updates:

Pulse        ID                        Content
Master Feed  6927d4c1611927c371ffd3cb  Auto-updated threat feed
Pattern 38   6927c1e8e999ea91cede6585  GitHub → C2 infrastructure
Pattern 43   6927c24a65cd7ecdc2a7c175  RAT developer networks

OTX Profile: @pduggusa

Roadmap

Questions? Email [email protected]