Splunk Dashboards Reference

Pre-built dashboards for investigation, attack surface, compliance, and add-on health.

Updated May 2026


Overview

The TA ships with 5 dashboards focused on enrichment, investigation, and compliance. All dashboards use Splunk Dashboard Studio (JSON v2), which supports dark mode and Splunk Cloud.

All data-facing dashboards reference the whisper_index macro instead of a hardcoded index name. By default, this macro resolves to index=whisper. To use a different index, override the macro in Settings > Advanced Search > Search Macros or create a local/macros.conf override.

After installing the TA, navigate to Apps > Whisper Security TA. The navigation is organized around three customer workflows (Investigation, Attack Surface, Compliance and Posture), followed by utility views:

  • Investigation
    • Lookup / Investigation (default) -- Ad hoc domain/IP investigation with multiple read-only graph pivots
  • Attack Surface
    • Attack Surface Change Timeline -- DNS infrastructure change timeline with risk scoring (driven by the owned-domain modular input)
  • Compliance and Posture
    • Compliance Summary -- Executive compliance overview
    • SPF Compliance -- SPF authentication analysis
    • Mail Configuration -- MX record monitoring
  • Search -- Ad hoc SPL search view
  • Inputs -- Manage modular inputs (owned-domain monitoring, etc.)
  • Configuration -- API key and account settings

Lookup / Investigation dashboard

Ad hoc domain and IP investigation using the Whisper Knowledge Graph. Enter an indicator and click Submit to run a set of read-only graph pivots in parallel. The dashboard does not write data, does not use collect, and does not generate risk events or alerts.

Panels (semantics corrected per #480):

Panel -- What it shows
  • whisperlookup enrichment -- Full enrichment table: IP, ASN, country, risk, threat feeds, CNAME chain
  • Threat feed / explain -- CALL explain() result: score, level, factors, sources
  • Shared nameservers -- Peer hostnames that share at least one nameserver with the indicator, ordered by shared_ns_count (most-shared first). Useful for finding infrastructure siblings.
  • Co-hosted domains / shared IP -- Domains sharing a resolved IP with the indicator
  • WHOIS pivots -- Related domains sharing the indicator's HAS_REGISTRAR, REGISTERED_BY (organization), HAS_EMAIL, or HAS_PHONE attribute. Each row is tagged with the pivot type (registrar / organization / email / phone), the shared_value, and the peer_domain.
  • WHOIS / BGP history -- CALL whisper.history() output: previous registrars and ownership changes
  • CNAME chain -- ALIAS_OF hops (up to 5)
  • SPF include chain -- SPF_INCLUDE hops (up to 5)
  • MX / mail infrastructure -- MAIL_FOR mail servers and their IPs
  • Subdomains -- CHILD_OF subdomains of the indicator
  • ASN / BGP / prefix context -- Full BGP path using the verified graph traversal HOSTNAME → IPV4 → ANNOUNCED_PREFIX → ASN → ASN_NAME. Exposes the announced prefix (CIDR), asn, and asn_name per resolved IP.
  • Web links -- True inbound and outbound LINKS_TO edges (UNION ALL of the two directed patterns) with linked host, direction (inbound / outbound), and feed_count

Input: Indicator (domain or IP). Panels only run after Submit is clicked, so the dashboard makes no API calls on load.

Indicator validation: Each pivot panel passes $indicator_input$ directly to whisperquery as the indicator Cypher parameter and enables the server-side allowlist validator via validate_indicator="indicator". The command lowercases the value and gates it on the regex allowlist ^[A-Za-z0-9._:\-]+$; empty or malicious input short-circuits with zero events before any Cypher executes. The enrichment panel uses the equivalent inline SPL guard (| makeresults | eval indicator=lower("$indicator_input$") | where match(indicator, "^[A-Za-z0-9._:\-]+$") | whisperlookup field=indicator) because whisperlookup is a streaming command and can consume a pipeline. Cypher queries are parameterized ($indicator placeholder) rather than string-interpolated.

Example SPL matching what the dashboard runs:

| makeresults | eval indicator="example.com" | whisperlookup field=indicator
| whisperquery query="MATCH (h:HOSTNAME {name: $indicator})-[:RESOLVES_TO]->(ip:IPV4) RETURN h.name, ip.name LIMIT 10" params="indicator=example.com"
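The indicator gate described above (lowercase, then allowlist, then short-circuit) as an added Python example; this is not the TA's own validator code, and the pivot template and function names are assumptions made for illustration:

```python
import re

# Allowlist from the dashboard documentation: letters, digits, dot, underscore,
# colon and hyphen. Nothing else (quotes, braces, spaces, slashes) is accepted.
INDICATOR_ALLOWLIST = re.compile(r"[A-Za-z0-9._:\-]+")

# Hypothetical pivot template mirroring the page's example SPL. $indicator is a
# Cypher parameter placeholder; the value is passed separately, never spliced in.
RESOLVES_TO_QUERY = (
    "MATCH (h:HOSTNAME {name: $indicator})-[:RESOLVES_TO]->(ip:IPV4) "
    "RETURN h.name, ip.name LIMIT 10"
)


def validate_indicator(raw):
    """Lowercase the value and gate it on the allowlist.

    Returns the normalized indicator, or None when the gate rejects it
    (empty input or any disallowed character). fullmatch is used instead of
    match() with '$' because Python's '$' also matches before a trailing
    newline, which would let 'example.com\\n' through.
    """
    if raw is None:
        return None
    value = raw.lower()
    if not value or INDICATOR_ALLOWLIST.fullmatch(value) is None:
        return None
    return value


def build_pivot(raw_indicator):
    """Return (cypher, params) for one pivot panel, or None to short-circuit.

    None means 'zero events, no Cypher executed', the same outcome the
    dashboard's server-side validator produces for empty or malicious input.
    """
    indicator = validate_indicator(raw_indicator)
    if indicator is None:
        return None
    return RESOLVES_TO_QUERY, {"indicator": indicator}
```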

SPF Compliance dashboard

Shows SPF (Sender Policy Framework) configuration for your monitored domains.

Panels:

Panel -- Description
  • Domains with SPF -- Percentage of monitored domains that publish an SPF record
  • Exceeds 10-Lookup Limit -- Domains whose SPF record exceeds the 10 DNS-lookup limit of RFC 7208
  • Total Authorized IPs -- Sum of authorized sending IPs across all domains
  • SPF Compliance Status -- Per-domain status table with drill-down
  • SPF Include Chain -- Include chain for the selected domain
  • Authorized Sending IPs -- Authorized IPs for the selected domain

Filters: Time range, domain filter

Drill-down: Click a domain row to see its SPF include chain and authorized sending IPs.

Mail Configuration dashboard

Shows MX (Mail Exchange) record configuration and changes.

Panels:

Panel -- Description
  • Domains with MX Records -- Count of domains with mail servers
  • Total Mail Servers -- Distinct MX record count
  • Recent MX Changes -- Change count (0 = stable, 1+ = review needed)
  • Mail Server Configuration -- Per-domain MX record table with drill-down
  • Mail Server Changes -- Change history table
  • Mail Server Details -- Detail for the selected domain

Filters: Time range, domain filter

Attack Surface Change Timeline dashboard

Shows the timeline of DNS infrastructure changes detected across your monitored domains, ranked by risk score and broken down by record type.

Panels:

Panel -- Description
  • Total Changes -- Count of all change events in the selected time range
  • High-Risk Changes -- Changes with risk_score >= 40
  • Domains Affected -- Distinct domain count among change events
  • Change Volume Over Time -- Daily change count split by change_type (added / removed)
  • Risk Score Trend -- Average and maximum risk score per day
  • Change Type Breakdown -- Top change types by count
  • High-Risk Changes Table -- Recent high-risk changes with MITRE ATT&CK technique annotations
  • All Changes Table -- Full change history with old/new values

Filters: Time range

Data dependency: This dashboard reads sourcetype=whisper:attack_surface_change events. The Attack Surface Baseline modular input emits these events on its second and subsequent runs (the first run only writes the baseline; change detection starts from the next run). If the dashboard is empty, verify that the baseline input is enabled and has run at least twice.

Compliance Summary dashboard

Compliance overview across all monitored domains, built for management reporting.

Panels:

Panel -- Description
  • Overall Compliance Score -- SPF compliance rate
  • Monitored Domains -- Distinct domain count
  • Infrastructure Changes -- Total change events
  • NIS2 Article 21 -- DNS monitoring regulatory status
  • DMARC Enforcement Readiness -- SPF readiness for DMARC deployment
  • Attack Surface Inventory -- Domain, subdomain, IP, NS, MX counts
  • Infrastructure Change Timeline -- Change volume over time by record type

Filters: Time range (default: 7 days)


Saved searches

The add-on ships a small set of disabled utility searches and example enrichment pipeline templates. It does not ship prebuilt correlation searches. Customers who want detections clone an example template, point it at their own source index and indicator field, and enable it. See Saved searches for the complete list and the customization parameters.


Attack surface monitoring

Tracks DNS infrastructure changes for your external-facing domains on a schedule.

DNS baseline collection

The Whisper DNS Baseline modular input collects:

  • A records (IP resolution)
  • Nameservers (authoritative NS)
  • Mail servers (MX records)
  • Subdomains
  • CNAME chains

Events are written with sourcetype=whisper:attack_surface.
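An added Python example of the baseline-then-diff cycle that the Attack Surface Change Timeline section and the collection list above describe: the first run only stores a baseline, and from the second run on each added or removed record becomes one change event with change_type and old/new values. This is illustrative code, not the modular input's implementation; the snapshot layout, function names and sample records are constructed, and risk scoring is omitted because the page does not describe how scores are computed.

```python
# Record types the baseline input collects (from the page); "cname" stands for
# the CNAME chain entries.
RECORD_TYPES = ("a", "ns", "mx", "subdomain", "cname")

# Constructed sample snapshots: {domain: {record_type: set(values)}}.
RUN1 = {"example.com": {
    "a": {"192.0.2.10"}, "ns": {"ns1.example.net", "ns2.example.net"},
    "mx": {"mail.example.com"}, "subdomain": {"www.example.com"}, "cname": set()}}
RUN2 = {"example.com": {
    "a": {"192.0.2.10", "198.51.100.7"}, "ns": {"ns1.example.net", "ns3.example.org"},
    "mx": {"mail.example.com"}, "subdomain": {"www.example.com"}, "cname": set()}}


def _event(domain, rtype, change_type, old, new, observed_at):
    # One event per changed record; the input would emit this with
    # sourcetype=whisper:attack_surface_change.
    return {"_time": observed_at, "domain": domain, "record_type": rtype,
            "change_type": change_type, "old_value": old, "new_value": new}


def diff_baseline(previous, current, observed_at):
    """Compare the stored baseline with a fresh collection.

    Returns one change event per added or removed record. With no stored
    baseline (the first run) nothing is emitted: that run only establishes
    the baseline, which is why the dashboard stays empty until run two.
    """
    if previous is None:
        return []
    events = []
    for domain in sorted(set(previous) | set(current)):
        before = previous.get(domain, {})
        after = current.get(domain, {})
        for rtype in RECORD_TYPES:
            old, new = before.get(rtype, set()), after.get(rtype, set())
            for value in sorted(new - old):
                events.append(_event(domain, rtype, "added", None, value, observed_at))
            for value in sorted(old - new):
                events.append(_event(domain, rtype, "removed", value, None, observed_at))
    return events


def run_cycle(stored_baseline, fresh_snapshot, observed_at):
    """One scheduled run: (events to index, baseline to store for next run)."""
    return diff_baseline(stored_baseline, fresh_snapshot, observed_at), fresh_snapshot
```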

Configuration

  1. Navigate to Apps > Whisper Security TA > Inputs
  2. Create a new Whisper DNS Baseline input
  3. Enter the domain list (comma-separated or one per line)
  4. Set the collection interval (default: 24 hours, minimum: 1 hour)
  5. Select the destination index