CIM Mapping
CIM data model compliance: field aliases, event types, tags.
CIM Mapping Documentation
Overview
The Whisper Security Add-on maps enrichment fields to Splunk's Common Information Model (CIM) using FIELDALIAS definitions in props.conf and tag assignments in tags.conf. This enables compatibility with CIM-based dashboards, reports, and Enterprise Security.
Data model mappings
Network Resolution (DNS)
Source type: whisper:enrichment
Event type: whisper_enrichment
Tags: network, resolution, dns
| Whisper field | CIM field | Description |
|---|---|---|
| whisper_ip | dest_ip | Destination IP address |
| whisper_country | dest_country | Destination country code |
| whisper_asn | dest_asn | Destination Autonomous System Number |
Threat Intelligence
Source type: whisper:enrichment
Event type: whisper_enrichment
| Whisper field | CIM field | Description |
|---|---|---|
| whisper_threat_score | threat_score | Numeric threat score (0-100+) |
| whisper_threat_level | threat_level | Threat severity level |
| whisper_is_threat | is_threat | Known threat indicator |
| whisper_is_c2 | is_c2 | Command-and-control server |
| whisper_is_tor | is_tor | Tor exit node |
| whisper_is_malware | is_malware | Malware distribution |
| whisper_is_phishing | is_phishing | Phishing host |
| whisper_is_anonymizer | is_anonymizer | Anonymization service |
| whisper_is_spam | is_spam | Spam source |
| whisper_is_bruteforce | is_bruteforce | Brute-force source |
| whisper_is_scanner | is_scanner | Network scanner |
| whisper_is_blacklist | is_blacklist | Public blacklist entry |
| whisper_is_proxy | is_proxy | Open proxy |
| whisper_is_vpn | is_vpn | Known VPN exit |
| whisper_is_whitelist | is_whitelist | Explicitly whitelisted |
| whisper_risk_score | risk_score | Normalized risk score (0-100) |
| whisper_risk_level | risk_level | Risk level classification |
Computed fields
These fields are set automatically on all whisper:enrichment events via EVAL in props.conf:
| Field | Value | Purpose |
|---|---|---|
| vendor | Whisper Security | CIM vendor identification |
| vendor_product | Whisper Knowledge Graph | CIM product identification |
Event type and tag reference
| Event type | Source type | Tags | CIM data models |
|---|---|---|---|
| whisper_enrichment | whisper:enrichment | network, resolution, dns | Network Resolution, DNS |
| whisper_threat_intel | whisper:threat_intel | threat, report | Threat Intelligence |
| whisper_watchlist | whisper:watchlist | threat, report | Threat Intelligence |
| whisper_attack_surface | whisper:attack_surface | network, communicate | Network Traffic |
| whisper_attack_surface_change | whisper:attack_surface_change | change | Change |
| whisper_health | whisper:health | -- | -- |
Field alias configuration
Field aliases for the enrichment source type are defined in default/props.conf under the [whisper:enrichment] stanza:

```ini
[whisper:enrichment]
FIELDALIAS-whisper_dest_ip = whisper_ip AS dest_ip
FIELDALIAS-whisper_dest_country = whisper_country AS dest_country
FIELDALIAS-whisper_dest_asn = whisper_asn AS dest_asn
FIELDALIAS-whisper_threat_score = whisper_threat_score AS threat_score
FIELDALIAS-whisper_threat_level = whisper_threat_level AS threat_level
FIELDALIAS-whisper_is_threat = whisper_is_threat AS is_threat
...
EVAL-vendor = "Whisper Security"
EVAL-vendor_product = "Whisper Knowledge Graph"
```
Field coexistence: both the `whisper_`-prefixed field and its CIM alias are present on each event. Use the `whisper_`-prefixed fields for Whisper-specific searches and the CIM fields for cross-vendor dashboards and data model searches.
Compliance field aliases
| Source type | Whisper field | CIM field |
|---|---|---|
| whisper:spf_compliance | collected_at | last_checked |
| whisper:dnssec_compliance | collected_at | last_checked |
ES threat intel collection schema
The threat intelligence modular input populates ES-compatible KV Store collections:
whisper_ip_intel
Compatible with the ES ip_intel lookup. Fields:
| Field | Type | Description |
|---|---|---|
| ip | string | IP address (lookup key) |
| description | string | Threat description |
| threat_key | string | Threat classification |
| threat_group | string | Threat group attribution |
| weight | number | ES threat weight: 1 (low), 2 (medium), 3 (high) |
| whisper_asn | string | ASN |
| whisper_asn_name | string | ASN organization |
| whisper_country | string | Country code |
| whisper_prefix | string | IP prefix |
| whisper_risk_score | number | Risk score (0-100) |
| whisper_risk_level | string | Risk level |
| whisper_threat_score | number | Raw threat score |
| whisper_threat_level | string | Threat level |
whisper_domain_intel
Compatible with the ES domain_intel lookup. Fields:
| Field | Type | Description |
|---|---|---|
| domain | string | Domain name (lookup key) |
| description | string | Threat description |
| threat_key | string | Threat classification |
| threat_group | string | Threat group attribution |
| weight | number | ES threat weight |
| whisper_asn_name | string | ASN organization |
| whisper_country | string | Country code |
| whisper_risk_score | number | Risk score (0-100) |
| whisper_risk_level | string | Risk level |
| whisper_threat_score | number | Raw threat score |
| whisper_threat_level | string | Threat level |
Validating CIM compliance
Search for events that match CIM data model tags:

```spl
tag=network tag=resolution tag=dns
| head 10
| table _time dest_ip dest_country dest_asn vendor vendor_product
```

Check that CIM field aliases are populated:

```spl
sourcetype=whisper:enrichment
| head 10
| table whisper_ip dest_ip whisper_country dest_country whisper_asn dest_asn
```
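The searches above confirm the mapping only once data is indexed. As an added example (not part of the add-on or this page), the script below checks the same three things offline: that the FIELDALIAS and EVAL settings from the [whisper:enrichment] stanza produce the CIM fields the validation search tables, that the `whisper_`-prefixed source field and its alias coexist on the event, and that the whisper_enrichment event type carries the network, resolution and dns tags from the event type table. The props.conf excerpt is modelled on the page's stanza; the eventtypes.conf and tags.conf stanzas, the sample event and the list of expected CIM fields are assumptions made for the example, since the page does not show them.

```python
import re

# Constructed excerpt modelled on the page's [whisper:enrichment] stanza; the
# add-on's shipped default/props.conf may contain more settings than shown here.
PROPS_CONF = """
[whisper:enrichment]
FIELDALIAS-whisper_dest_ip = whisper_ip AS dest_ip
FIELDALIAS-whisper_dest_country = whisper_country AS dest_country
FIELDALIAS-whisper_dest_asn = whisper_asn AS dest_asn
FIELDALIAS-whisper_threat_score = whisper_threat_score AS threat_score
EVAL-vendor = "Whisper Security"
EVAL-vendor_product = "Whisper Knowledge Graph"
"""

# Assumed eventtypes.conf / tags.conf wiring for the whisper_enrichment event
# type (the page lists the event type and its tags, not these stanzas).
EVENTTYPES_CONF = """
[whisper_enrichment]
search = sourcetype=whisper:enrichment
"""

TAGS_CONF = """
[eventtype=whisper_enrichment]
network = enabled
resolution = enabled
dns = enabled
"""

# Constructed sample event (documentation IP range and ASN, not real data).
SAMPLE_EVENT = {
    "whisper_ip": "203.0.113.10",
    "whisper_country": "US",
    "whisper_asn": "64496",
    "whisper_threat_score": "42",
}

# The CIM fields the page's validation search tables; not the full data model field list.
EXPECTED_CIM_FIELDS = ("dest_ip", "dest_country", "dest_asn", "vendor", "vendor_product")

ALIAS_RE = re.compile(r"^(\S+)\s+AS\s+(\S+)$", re.IGNORECASE)


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line or setting outside a stanza: {raw!r}")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_props(event, stanza):
    """Apply FIELDALIAS-* and literal EVAL-* settings with search-time semantics:
    the source field is kept, so the whisper_ field and its CIM alias coexist."""
    out = dict(event)
    for key, value in stanza.items():
        if key.startswith("FIELDALIAS-"):
            m = ALIAS_RE.match(value)
            if not m:
                raise ValueError(f"unsupported FIELDALIAS syntax: {value!r}")
            src, dst = m.groups()
            if src in out:  # an alias only appears when its source field exists
                out[dst] = out[src]
        elif key.startswith("EVAL-"):
            # Only quoted string literals are handled; real EVAL accepts any eval expression.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                out[key[len("EVAL-"):]] = value[1:-1]
            else:
                raise ValueError(f"only literal EVAL values are handled here: {value!r}")
    return out


def tags_for_sourcetype(sourcetype, eventtypes, tags):
    """Resolve tags attached through event types whose search is exactly 'sourcetype=X'."""
    found = set()
    for name, body in eventtypes.items():
        if body.get("search", "").strip() == f"sourcetype={sourcetype}":
            for tag, state in tags.get(f"eventtype={name}", {}).items():
                if state == "enabled":
                    found.add(tag)
    return found


def check_event(event, sourcetype="whisper:enrichment"):
    """Return (enriched_event, missing_cim_fields, tags) for one raw event dict."""
    props = parse_conf(PROPS_CONF)
    enriched = apply_props(event, props[sourcetype])
    missing = [f for f in EXPECTED_CIM_FIELDS if f not in enriched]
    tags = tags_for_sourcetype(sourcetype, parse_conf(EVENTTYPES_CONF), parse_conf(TAGS_CONF))
    return enriched, missing, tags


if __name__ == "__main__":
    enriched, missing, tags = check_event(SAMPLE_EVENT)
    print("tags:", sorted(tags))
    print("missing CIM fields:", missing or "none")
    for name in ("whisper_ip", "dest_ip", "vendor", "vendor_product"):
        print(f"{name} = {enriched[name]}")
```

A raw event that lacks one of the `whisper_` source fields (for example a record without whisper_asn) comes back with that CIM field listed as missing, which is the same gap the second validation search would show as an empty column; the parser deliberately accepts only the `X AS Y` alias form and quoted EVAL literals, so any other setting in the stanza raises instead of being silently ignored.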