io.github.pduggusa/dugganusa-threat-intel

Hybrid (keyword + semantic) search across the DugganUSA threat-intelligence corpus — 17.9M+ indexed documents. Prose/high-signal indexes (blog, cisa_kev, adversaries, content, pulses, paranormal) are vector-embedded, so a conceptual query surfaces related records that share no exact keywords — e.g. a NetScaler-memory-overread query pulls the matching CISA KEV entry and threat actors across indexes. Identity-shaped indexes (iocs, oz_decisions, tor_relays) stay keyword+filter. Public indexes only, read-only, prompt-injection sanitized. Returns up to 25 hits with title, snippet, source, and timestamp. Available indexes: • iocs (1.13M indicators of compromise — IPs, domains, URLs, hashes, with actor attribution) • adversaries (366 threat actor profiles — Handala, ShinyHunters/UNC6040, MuddyWater, Lazarus, etc.) • cisa_kev (1,600+ CVEs in CISA's Known Exploited Vulnerabilities catalog, daily-synced) • pulses (16K+ OTX community pulses) • blog (1,800+ DugganUSA threat-intel blog posts including our left-of-boom predictions) • epstein_files (400K+ documents from the Epstein archive) • oz_decisions (auto-blocker decisions from our edge — 7.5M+ rows) • paranormal (3,400 fringe-research docs) • tor_relays (1.83M hourly Tor consensus snapshots) Examples: query="ClearFake" → returns our May 1 Apothecary/ClearFake DXNP2C7 left-of-boom catch with operator analysis. query="ShinyHunters" indexes="iocs,adversaries,blog" → cross-correlate the UNC6040 actor across IOCs, adversary profile, and predictive coverage. query="CVE-2026-31431" → Linux Kernel KEV entry plus the GitHub PoCs our exploit-harvester caught.

Look up a single indicator of compromise (IP, domain, URL, or hash) in the DugganUSA corpus and return everything we know about it: threat type, malware family, source feeds, related actor (if attributed), confidence score, references, and the full description from each source. Read-only. Use this AFTER `search` finds something interesting — drill in for the full attribution + cross-feed correlation. Or use it directly when triaging a single indicator from your SIEM. Pass the IOC as either `indicator` or `value` (both work). Optional `type` hint: ip / domain / url / hash / auto. Examples: indicator="185.93.3.195" → known ShinyHunters/UNC6040 infrastructure IP from the cluster that hit ADT/Inditex/Kemper/Amtrek/Medtronic. indicator="goldenleafway.lat" → fresh Apothecary/ClearFake .lat rotation domain. indicator="ee28b3137d65d74c0234eea35fa536af" → Volexity-attributed malware MD5 (BrazenBamboo/DEEPDATA campaign). Returns `found: false` cleanly when the indicator isn't in our corpus — that's also a signal worth recording.

Live shape report on the DugganUSA STIX 2.1 threat feed for a chosen lookback window (1-7 days). Returns total indicator count, top malware families, top source feeds, type breakdown (ip/domain/url/hash/cidr), and top countries. Use this BEFORE pulling the full STIX bundle to gauge feed depth and freshness, plan SIEM ingestion budget, or sanity-check that a campaign you read about is actually in our corpus. Does NOT return the full bundle — for that, fetch `https://analytics.dugganusa.com/api/v1/stix-feed` with the same Bearer key. The bundle is STIX 2.1 / TAXII 2.1 with Splunk ES, OPNsense, Suricata, and Unbound DNS sinkhole plugins. Authentication required (Bearer token). Anonymous callers get a clear 401 with the registration URL. Example: `{"days": 7}` returns the last week's feed shape — useful for capacity planning and spot-checking recent ingest tags.