API Documentation

DugganUSA Threat Intelligence Platform API - Free STIX 2.1 feed and integration guides.

STIX 2.1 Feed FREE

Returns a complete STIX 2.1 bundle with indicators, attack patterns, and relationships. Requires Authorization: Bearer <key> or ?api_key=YOUR_KEY — register free. Anonymous access ends March 15, 2026.

# Header authentication
curl -H "Authorization: Bearer <YOUR_API_KEY>"   https://analytics.dugganusa.com/api/v1/stix-feed

# Query parameter authentication (for SIEMs that cannot set custom headers)
curl "https://analytics.dugganusa.com/api/v1/stix-feed?api_key=YOUR_API_KEY"

Pattern-Specific Feeds

# Pattern 38: Stealc/Rhadamanthys distribution
curl -H "Authorization: Bearer <YOUR_API_KEY>"   "https://analytics.dugganusa.com/api/v1/stix-feed?pattern=38"

# Pattern 43: RAT developer social networks
curl -H "Authorization: Bearer <YOUR_API_KEY>"   "https://analytics.dugganusa.com/api/v1/stix-feed?pattern=43"

Query Parameters

SIEM Integration

Splunk ES 8.x (Native — No Scripting Required)

Configure → Threat Intelligence → Add Data Source → STIX/OpenIOC:

URL: https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_API_KEY
File Parser: stix2
Interval: 86400

The ?format=splunk parameter returns observed-data objects compatible with Splunk ES 8.x. No custom headers or scripting needed.

Splunk (Classic) / Elastic

# Cron job to pull daily IOCs
curl -s -H "Authorization: Bearer <YOUR_API_KEY>"   https://analytics.dugganusa.com/api/v1/stix-feed | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern' >> /var/log/threat-intel/dugganusa.log

Firewall Blocklist

# Extract IPs for blocking
curl -s -H "Authorization: Bearer <YOUR_API_KEY>"   https://analytics.dugganusa.com/api/v1/stix-feed | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern' | \
  grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -u

Tor Infrastructure Attribution NEW — v1.3.1

Seven endpoints for Tor relay attribution, operator clustering, and proactive hunting. Built on a live consensus collector (10,269 relays indexed). Backs Precog signal #10 (tor_infrastructure_shift).

Endpoint	Method	Purpose
/api/v1/tor/relays	GET	Search relay archive (filter by country, ASN, flag, operator)
/api/v1/tor/relay/:fingerprint	GET	Relay detail + consensus history
/api/v1/tor/cluster/:fingerprint	GET	Operator cluster — shared ASN, contact, family
/api/v1/tor/hunt	GET	Proactive threat hunting by risk score
/api/v1/tor/stats	GET	Relay statistics
/api/v1/tor/correlations	GET	IOC cross-references (onion hosts, C2 attributions)
/api/v1/tor/collect	POST	Trigger consensus collection (Enterprise tier)

# Search Swedish exit relays
curl -H "Authorization: Bearer <YOUR_API_KEY>"   "https://analytics.dugganusa.com/api/v1/tor/relays?country=SE&flag=Exit"

# Pull operator cluster for a given relay fingerprint
curl -H "Authorization: Bearer <YOUR_API_KEY>"   "https://analytics.dugganusa.com/api/v1/tor/cluster/ABCDEF..."

# Proactive hunt — high-risk relays by shared ASN / recent appearance
curl -H "Authorization: Bearer <YOUR_API_KEY>"   "https://analytics.dugganusa.com/api/v1/tor/hunt?min_risk=70"

Published case study: 50 Tor Exit Relays. One Operator. Same ASN as Interlock Ransomware C2. — the Quetzalcoatl cluster (50 exit relays, 7 countries, FranTech/1337 Services).

OTX Integration

Subscribe to our pulses on AlienVault OTX for automatic updates:

Pulse	ID	Content
Master Feed	6927d4c1611927c371ffd3cb	Auto-updated threat feed
Pattern 38	6927c1e8e999ea91cede6585	GitHub → C2 infrastructure
Pattern 43	6927c24a65cd7ecdc2a7c175	RAT developer networks

OTX Profile: @pduggusa

Roadmap

• ThreatFox bi-directional sync
• MISP feed format
• Hourly IOC deltas for real-time ingestion
• GitHub Actions workflow for automated blocking