Splunk Integration
Connect Whisper Security's Knowledge Graph to your Splunk environment for IOC enrichment, threat intelligence, ad-hoc graph queries, and attack surface monitoring.
Splunk Integration Documentation
Integrate Whisper Security's Knowledge Graph directly into your Splunk environment. Enrich IOCs, run ad-hoc graph queries, correlate threat intelligence across 40+ feeds, and monitor your attack surface -- all from within Splunk.
What you get
IOC enrichment -- Enrich IPs, domains, and hostnames in your Splunk events with threat intelligence, WHOIS data, BGP routing, and geolocation from the Knowledge Graph. Works as a streaming search command (`whisperlookup`) that processes events inline.
Ad-hoc graph queries -- Run Cypher queries directly from the Splunk search bar with `whisperquery`. Trace infrastructure relationships and pivot across DNS, IP, ASN, and registration data without leaving Splunk.
Threat intelligence -- Automated threat intel feeds populate KV Store collections with scored threat data. Integrates natively with Splunk Enterprise Security's threat intel framework for risk-based alerting.
Attack surface monitoring -- Scheduled modular inputs continuously monitor your domains, IPs, and ASNs for changes in DNS, routing, WHOIS, and threat feed status. Alerts on new exposures automatically.
Dashboards and reporting -- Pre-built dashboards for threat overview, enrichment activity, API health, and investigation workflows. Customizable with Splunk's dashboard framework.
Getting started
| Step | Guide |
|---|---|
| 1. Check requirements | Requirements |
| 2. Install the add-on | Installation |
| 3. Configure API key | Configuration |
| 4. Start enriching events | Search Commands |
Documentation
Setup
- Requirements -- Software versions, network access, and permissions
- Installation -- Single-instance, distributed, and Splunk Cloud deployment
- Deployment Architecture -- Enterprise patterns: SHC, deployment server, indexer clusters
- Configuration -- API key, proxy, caching, and modular input settings
Core features
- Search Commands -- `whisperlookup` and `whisperquery` reference
- Enrichment Pipeline -- How IOC enrichment works end to end
- Lookups -- KV Store lookup tables and automatic enrichment
- Modular Inputs -- Scheduled data collection (threat intel, baselines, watchlists)
- Dashboards -- Pre-built views and customization
Advanced
- Enterprise Security -- Threat intel framework, risk-based alerting, correlation searches
- Investigation Macros -- One-click investigation shortcuts
- Cypher Reference -- Query syntax reference for Splunk users
- CIM Mapping -- Common Information Model field mapping
- Source Types -- Event types and source type reference
- Use Cases -- Real-world workflows and examples
Reference
- Troubleshooting -- Common issues and fixes
- Splunk Integration Overview -- Component summary and architecture