Dashboards
12 pre-built dashboards for health, risk, compliance, and attack surface.
Dashboards Documentation
Overview
The TA ships with 12 dashboards covering health monitoring, risk analysis, threat intelligence, compliance, and investigation. All dashboards use Splunk Dashboard Studio (JSON v2), which supports dark mode and Splunk Cloud.
All dashboards reference the whisper_index macro instead of a hardcoded index name. By default, this macro resolves to index=whisper. To use a different index, override the macro in Settings > Advanced Search > Search Macros or create a local/macros.conf override.
Navigation
After installing the TA, navigate to Apps > Whisper Security TA to access the dashboard navigation:
- Compliance Summary (default view) -- Executive compliance overview
- Risk & Threats collection:
  - Executive Risk Summary -- A-F risk grades across DNS, email, and infrastructure
  - ES Risk Overview -- Risk scores and threat intel indicators for ES integration
  - Geographic Threat Map -- GeoIP threat visualization with impossible-travel detection
  - WHOIS Intelligence -- Registrar, registrant org/email, registration date analysis
  - Web Link Graph & Trust -- Inbound/outbound link profiles and suspicious link detection
  - MITRE ATT&CK Coverage -- Technique coverage from Whisper detections
- Monitoring collection:
  - Health & Operations -- Unified health: API connectivity, graph stats, enrichment, quota, inputs, errors
  - Attack Surface Timeline -- Infrastructure change timeline with risk scoring
- Compliance collection:
  - SPF Compliance -- SPF authentication analysis
  - DNSSEC Compliance -- DNSSEC deployment status
  - Mail Configuration -- MX record monitoring
- Search -- Ad-hoc search view
Dashboard drilldowns
Key dashboard tables include custom drilldown configurations for investigation workflows. Clicking a table row opens a detailed search in a new tab, passing the relevant field values from the clicked row.
| Dashboard | Drilldown-enabled panels | Action |
|---|---|---|
| ES Risk Overview | Top Risky Indicators, Threat Intel Risk Scores | Search enrichment events for the clicked indicator |
| Executive Risk Summary | High-Risk Changes, MITRE Techniques | Search change events for the domain, or navigate to MITRE Coverage |
| Geographic Threat Map | Top Threat Countries, Threats by City, Impossible Travel | Search enrichment events for the country, city, or domain |
| WHOIS Intelligence | Registrant Org, Newly Registered, Registrar Changes, Shared Email, Org Pivot | Search enrichment events for the clicked entity |
| MITRE ATT&CK Coverage | Technique Detail, Affected Domains | Search attack surface events for the technique or domain |
| Health & Operations | Recent Errors | Search error events from the clicked source |
Drilldowns are configured using Dashboard Studio eventHandlers with drilldown.linkToSearch actions. The time range from the dashboard's time picker is passed to the drilldown search.
SplunkJS Stack deprecation
The add-on has no SplunkJS Stack dependencies:
- Dashboards use Dashboard Studio (JSON v2) -- no SplunkJS
- Custom JavaScript (whisper_account_hook.js) uses native browser APIs (fetch, DOM, ES modules) -- no RequireJS, jQuery, Backbone, or splunkjs/mvc
Health & Operations dashboard
Operational health dashboard covering API connectivity, enrichment stats, quota usage, input status, and errors in one view.
Panels:
| Section | Panels |
|---|---|
| API Connectivity | API Health Status, Last Health Check, API Response Time (ms) |
| Graph Statistics | Physical Nodes, Physical Edges, Virtual Nodes, Virtual Edges, Total Nodes, Total Edges, Total Object Count |
| Enrichment | Total Enrichments Performed, Cache Hit Rate, Enrichment Timeline, Enrichment Status, Threat Intel Indicators Collected |
| Quota | API Quota Usage (plan, daily/hourly usage, concurrent queries, timeouts) |
| Input Monitoring | Modular Input Status, Input Last Run Times |
| Error Tracking | Error Count, Errors Over Time, Recent Errors |
| History | Health Check History |
Filters: Time range
Data sources: `whisper_index` sourcetype=whisper:health, `whisper_index` sourcetype=whisper:threat_intel, index=_internal source=*ta_whisper_security.log (for errors), and the Splunk REST API (`| rest /services/data/inputs/all`).
Executive Risk Summary dashboard
A-F risk grades modeled after SecurityScorecard's scoring system.
Panels:
| Panel | Description |
|---|---|
| Overall Risk Grade | A-F grade from average risk score across all changes |
| DNS Security Grade | Risk grade for DNS record changes (A, CNAME, NS) |
| Email Security Grade | Risk grade based on SPF compliance rate |
| Infrastructure Grade | Risk grade from average threat score in enrichment data |
| Risk Score Trend | Daily average and maximum risk score trend |
| High-Risk Changes | Changes with risk score >= 70 |
| Top MITRE Techniques | Most frequently detected MITRE ATT&CK techniques |
Filters: Time range (default: 7 days)
Grading: A (0-20) = Excellent, B (21-40) = Good, C (41-60) = Fair, D (61-80) = Poor, F (81-100) = Critical.
Geographic Threat Map dashboard
GeoIP threat visualization using the IPV4->LOCATED_IN->CITY path from the Knowledge Graph.
Panels:
| Panel | Description |
|---|---|
| GeoIP Coverage Summary | Total events with GeoIP data, distinct countries and cities |
| Events by Country | Bar chart of events per country |
| Threat Score Distribution | Pie chart of threat scores by severity range |
| Top Threat Countries | Table of countries ranked by threat event count |
| Threats by City | City-level detail with lat/lng coordinates |
| Impossible Travel | Domains resolving to IPs in multiple geographically distant cities |
Filters: Time range
Data source: whisper:enrichment events with whisper_geo_country, whisper_geo_latitude, whisper_geo_longitude fields.
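The Impossible Travel panel flags domains whose resolved IPs geolocate to cities far apart. The following is an added illustration of that check in Python, not code from the TA: it groups constructed whisper:enrichment-style events by domain and computes the largest great-circle distance between the cities seen. The field names whisper_geo_country, whisper_geo_latitude and whisper_geo_longitude are the ones listed above; the "domain" and "whisper_geo_city" field names, the sample events and the 500 km threshold are assumptions made for the example.

```python
import math
from collections import defaultdict
from itertools import combinations

EARTH_RADIUS_KM = 6371.0
MIN_DISTANCE_KM = 500.0   # assumed threshold for "geographically distant"

# Constructed sample events in the shape of whisper:enrichment GeoIP output.
# "domain" and "whisper_geo_city" are assumed field names for this example.
SAMPLE_EVENTS = [
    {"domain": "www.example.com", "whisper_geo_country": "DE", "whisper_geo_city": "Frankfurt",
     "whisper_geo_latitude": "50.1109", "whisper_geo_longitude": "8.6821"},
    {"domain": "www.example.com", "whisper_geo_country": "BR", "whisper_geo_city": "Sao Paulo",
     "whisper_geo_latitude": "-23.5505", "whisper_geo_longitude": "-46.6333"},
    {"domain": "cdn.example.net", "whisper_geo_country": "DE", "whisper_geo_city": "Frankfurt",
     "whisper_geo_latitude": "50.1109", "whisper_geo_longitude": "8.6821"},
    {"domain": "cdn.example.net", "whisper_geo_country": "DE", "whisper_geo_city": "Munich",
     "whisper_geo_latitude": "48.1351", "whisper_geo_longitude": "11.5820"},
    # malformed coordinate: the detector must skip it rather than crash
    {"domain": "cdn.example.net", "whisper_geo_country": "DE", "whisper_geo_city": "Munich",
     "whisper_geo_latitude": "not-a-number", "whisper_geo_longitude": "11.5820"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(events=SAMPLE_EVENTS, min_distance_km=MIN_DISTANCE_KM):
    """Return {domain: {"max_distance_km": int, "cities": [...]}} for every domain
    whose GeoIP cities lie farther apart than min_distance_km."""
    by_domain = defaultdict(dict)   # domain -> {(country, city): (lat, lon)}
    for ev in events:
        try:
            lat = float(ev["whisper_geo_latitude"])
            lon = float(ev["whisper_geo_longitude"])
        except (KeyError, TypeError, ValueError):
            continue   # no usable GeoIP data on this event
        key = (ev.get("whisper_geo_country", "?"), ev.get("whisper_geo_city", "?"))
        by_domain[ev["domain"]][key] = (lat, lon)

    flagged = {}
    for domain, cities in by_domain.items():
        if len(cities) < 2:
            continue   # a single location can never be "travel"
        worst = max(haversine_km(*c1, *c2) for (_, c1), (_, c2) in combinations(cities.items(), 2))
        if worst >= min_distance_km:
            flagged[domain] = {
                "max_distance_km": round(worst),
                "cities": sorted(f"{city}, {country}" for country, city in cities),
            }
    return flagged


if __name__ == "__main__":
    for domain, hit in find_impossible_travel().items():
        print(f"{domain}: {hit['max_distance_km']} km between {hit['cities']}")
```

In the sample, www.example.com (Frankfurt and Sao Paulo) is flagged while cdn.example.net (Frankfurt and Munich, roughly 300 km apart) is not, which is the distinction a regional anycast or CDN deployment needs in order not to drown the panel in false positives; tune the threshold to the footprint of your own hosting.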
WHOIS Intelligence dashboard
WHOIS registrar, registrant org, email, and registration date analysis. Includes contact correlation for threat attribution.
Panels:
| Panel | Description |
|---|---|
| WHOIS Data Coverage | Count of domains with registrar, org, email, and registration date data |
| Privacy-Proxied Domains | Count of domains using WHOIS privacy proxy services |
| Registrar Distribution | Pie chart of registrars by domain count |
| Registrant Org Clustering | Organizations with multiple domains |
| Newly Registered Domains | Domains registered within the last 30 days |
| Registrar Change History | Domains where current registrar differs from previous |
| Shared Registrant Email | Domains sharing the same registrant email (threat attribution pivot) |
| Organization Pivot Analysis | Organizations associated with multiple domains |
Filters: Time range
Data source: whisper:enrichment events with WHOIS fields: whisper_registrar, whisper_registrant_org, whisper_registrant_email, whisper_registration_date, whisper_prev_registrar, whisper_organization.
Web Link Graph & Trust dashboard
Link graph analysis using the HOSTNAME->LINKS_TO->HOSTNAME relationship.
Panels:
| Panel | Description |
|---|---|
| Web Link Coverage Summary | Total links, suspicious links, and suspicious percentage |
| Domains with Suspicious Links | Count of domains with suspicious inbound/outbound links |
| Isolated Domains | Domains with no legitimate inbound links (isolation indicator) |
| Link Count Distribution | Pie chart of domains by link count range |
| Domain Link Profiles | Full link profile table with trust assessment |
| Suspicious Link Profiles | Domains ranked by suspicious link count |
| Isolated Domains Detail | Domains with zero inbound links |
Filters: Time range
Data source: whisper:enrichment events with whisper_link_count, whisper_suspicious_link_count, whisper_inbound_links, whisper_outbound_links.
MITRE ATT&CK Coverage dashboard
Shows which MITRE ATT&CK techniques your Whisper detections cover.
Panels:
| Panel | Description |
|---|---|
| Unique Techniques Detected | Count of distinct MITRE techniques |
| Total MITRE-Mapped Detections | Total events with MITRE annotations |
| Detections by Tactic | Pie chart of detections per tactic |
| Detection Trend | Daily detection count by technique |
| Technique Coverage Detail | Full table with technique ID, name, tactic, detection count, affected domains |
| Most Affected Domains | Domains with the most MITRE-mapped detections |
Filters: Time range (default: 7 days)
Data source: whisper:attack_surface_change events with mitre_attack field containing technique_id, technique, and tactic.
Attack Surface Change Timeline dashboard
Timeline of infrastructure changes detected by the baseline modular input.
Panels:
| Panel | Description |
|---|---|
| Total Changes | Total change events in the time range |
| High-Risk Changes | Changes with risk score >= 70 |
| Affected Domains | Distinct domains with changes |
| Change Timeline | Stacked bar chart of changes by type over time |
| Risk Score Trend | Daily average and max risk score |
| Changes by Record Type | Pie chart of DNS record type distribution |
| High-Priority Changes | Table of changes with risk score >= 70 |
| All Change Details | Full change detail table |
Filters: Time range (default: 7 days)
SPF Compliance dashboard
Shows SPF (Sender Policy Framework) configuration for your monitored domains.
Panels:
| Panel | Description |
|---|---|
| Domains with SPF | Percentage of monitored domains with SPF records |
| Exceeds 10-Lookup Limit | Domains violating RFC 7208 |
| Total Authorized IPs | Sum of authorized sending IPs across all domains |
| SPF Compliance Status | Per-domain status table with drill-down |
| SPF Include Chain | Include chain for selected domain |
| Authorized Sending IPs | Authorized IPs for selected domain |
Filters: Time range, domain filter
Drill-down: Click a domain row to see its SPF include chain and authorized sending IPs.
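The Exceeds 10-Lookup Limit panel and the SPF Include Chain panel both rest on the same evaluation: walking an SPF record's include and redirect chain and counting the terms that trigger a DNS lookup. The block below is an added Python illustration of that walk, not the TA's own code. It follows RFC 7208, where include, a, mx, ptr, exists and redirect each cost one lookup and the total must not exceed 10. The TXT records come from a constructed in-memory dictionary rather than live DNS, and every domain name in it is a placeholder.

```python
# RFC 7208 section 4.6.4: each of these mechanisms, plus the redirect modifier,
# costs one DNS lookup; an evaluation must not need more than 10 in total.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

# Constructed TXT records standing in for live DNS. Names are placeholders.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:_spf.crm.example mx -all",
    "_spf.mailhost.example": "v=spf1 include:spf1.mailhost.example include:spf2.mailhost.example ~all",
    "spf1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf2.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.crm-partners.example ~all",
    "_spf.crm-partners.example": "v=spf1 include:p1.example include:p2.example "
                                 "include:p3.example include:p4.example -all",
    "tight.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-referencing include
}


def parse_spf(record):
    """Return the terms of a 'v=spf1 ...' record, or [] if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    return terms[1:]


def count_lookups(domain, zone, _seen=None):
    """Return (lookup_count, include_chain) for domain's SPF record.

    include: and redirect= are followed recursively; _seen cuts include loops so
    a self-referencing record terminates instead of recursing forever."""
    seen = set() if _seen is None else _seen
    if domain in seen:
        return 0, []
    seen.add(domain)
    total, chain = 0, [domain]
    for term in parse_spf(zone.get(domain, "")):
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        if "=" in term.split(":")[0]:               # modifier such as redirect= or exp=
            name, _, target = term.partition("=")
            if name == "redirect":
                total += 1
                sub, subchain = count_lookups(target, zone, seen)
                total += sub
                chain += subchain
            continue
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0]                   # a/24, mx/24 -> a, mx
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                sub, subchain = count_lookups(target, zone, seen)
                total += sub
                chain += subchain
    return total, chain


def spf_compliance(domain, zone=ZONE):
    """Per-domain row in the shape of the SPF Compliance Status table."""
    lookups, chain = count_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups,
            "exceeds_limit": lookups > MAX_LOOKUPS, "include_chain": chain}


if __name__ == "__main__":
    for name in ("example.com", "tight.example", "loop.example"):
        row = spf_compliance(name)
        print(f"{row['domain']}: {row['lookups']} lookups, exceeds={row['exceeds_limit']}")
        print("  chain:", " -> ".join(row["include_chain"]))
```

The constructed example.com record needs 12 lookups once the nested includes are expanded, so it exceeds the limit even though its own record lists only three lookup terms; that hidden growth through third-party includes is exactly what the include-chain drill-down is for. Receivers that hit the limit return permerror, so over-limit domains fail authentication rather than merely weakening it.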
DNSSEC Compliance dashboard
Shows DNSSEC (DNS Security Extensions) deployment status across your domains.
Panels:
| Panel | Description |
|---|---|
| DNSSEC Adoption Rate | Percentage of domains with DNSSEC signing |
| Deprecated Algorithms | Domains using deprecated RSASHA1 or DSA |
| Domains Without DNSSEC | Count of domains without DNSSEC deployment |
| DNSSEC Status by Domain | Per-domain status with NIST compliance assessment |
| DNSSEC Adoption Over Time | Adoption trend chart |
| Signing Algorithm Distribution | Pie chart of algorithm usage |
Filters: Time range, domain filter
Mail Configuration dashboard
Shows MX (Mail Exchange) record configuration and changes.
Panels:
| Panel | Description |
|---|---|
| Domains with MX Records | Count of domains with mail servers |
| Total Mail Servers | Distinct MX record count |
| Recent MX Changes | Change count (0 = stable, 1+ = review needed) |
| Mail Server Configuration | Per-domain MX record table with drill-down |
| Mail Server Changes | Change history table |
| Mail Server Details | Detail for selected domain |
Filters: Time range, domain filter
Compliance Summary dashboard
Compliance overview across all monitored domains, built for management reporting.
Panels:
| Panel | Description |
|---|---|
| Overall Compliance Score | Average of SPF and DNSSEC compliance rates |
| Monitored Domains | Distinct domain count |
| Infrastructure Changes | Total change events |
| NIS2 Article 21 | DNS monitoring regulatory status |
| NIST SP 800-81 Rev 3 | DNSSEC alignment assessment |
| DMARC Enforcement Readiness | SPF readiness for DMARC deployment |
| Attack Surface Inventory | Domain, subdomain, IP, NS, MX counts |
| Infrastructure Change Timeline | Change volume over time by record type |
Filters: Time range (default: 7 days)
Correlation Searches
The TA includes 29 correlation searches across five categories, all disabled by default. Enable them in Settings > Searches, Reports, and Alerts based on your environment needs.
Categories
| Category | Count | Description |
|---|---|---|
| DNS/Infrastructure Intelligence | 7 | Bulletproof ASN, shared nameservers, DNS changes, newly observed domains, CNAME chains, fast flux, typosquatting |
| Infrastructure Pivot | 5 | Co-hosting anomaly, infrastructure pivots, shared threat hosting, domain parking/sinkhole, MX changes |
| Network/BGP Intelligence | 5 | BGP prefix conflicts, shadow IT DNS, unauthorized subdomains, ASN migration, NS delegation changes |
| Threat Intel Correlation | 3 | Multi-feed threat IPs, newly registered domains, TOR exit nodes |
| Graph Utilization (#361) | 9 | Impossible travel, WHOIS contact correlation, BGP hijack, registrar changes, newly registered domain risk, privacy-proxied WHOIS, prefix-level threats, HOSTNAME threat properties, suspicious web link profiles |
All correlation searches generate risk events compatible with Splunk ES Risk-Based Alerting with MITRE ATT&CK annotations.
Attack surface monitoring
Tracks DNS infrastructure changes for your external-facing domains on a schedule.
DNS baseline collection
The Whisper DNS Baseline modular input collects:
- A records (IP resolution)
- Nameservers (authoritative NS)
- Mail servers (MX records)
- Subdomains
- CNAME chains
Events are written with sourcetype=whisper:attack_surface.
Configuration
- Navigate to Apps > Whisper Security TA > Inputs
- Create a new Whisper DNS Baseline input
- Enter the domain list (comma-separated or one per line)
- Set the collection interval (default: 24 hours, minimum: 1 hour)
- Select the destination index
Change detection
Changes between baseline collections are detected and written with sourcetype=whisper:attack_surface_change:
| Change Type | Description |
|---|---|
| added | New DNS record appeared |
| removed | Existing DNS record disappeared |
High-priority changes (NS and MX record changes) generate risk events for ES integration.
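As an added Python illustration of the change-detection step above (not the TA's own modular input code), the block below diffs two baseline snapshots into events with the fields the change queries in this document use (domain, record_type, change_type, old_value, new_value), marks NS and MX changes as high priority, applies the risk score >= 70 threshold and grades the result with the A-F bands from the Executive Risk Summary. The per-change risk scores (85 for NS/MX, 30 for everything else), the sample baselines and the `risk_score`/`high_priority` field names are assumptions; the page does not document how the TA itself scores a change.

```python
HIGH_PRIORITY_TYPES = {"NS", "MX"}   # per the docs: these generate risk events
HIGH_RISK_THRESHOLD = 70             # "High-Risk Changes" panel cut-off

# Constructed baseline snapshots: {record_type: set(values)} for one domain.
PREVIOUS_BASELINE = {
    "A": {"192.0.2.10"},
    "NS": {"ns1.example.net", "ns2.example.net"},
    "MX": {"mail.example.com"},
}
CURRENT_BASELINE = {
    "A": {"192.0.2.10", "192.0.2.11"},
    "NS": {"ns1.example.net", "ns1.otherhost.example"},   # one NS replaced
    "MX": {"mail.example.com"},
}


def _event(ts, domain, rtype, change_type, old_value, new_value):
    # Assumed scoring for the example: NS/MX changes score 85, everything else 30.
    score = 85 if rtype in HIGH_PRIORITY_TYPES else 30
    return {"_time": ts, "domain": domain, "record_type": rtype,
            "change_type": change_type, "old_value": old_value, "new_value": new_value,
            "risk_score": score, "high_priority": rtype in HIGH_PRIORITY_TYPES}


def diff_baselines(domain, previous, current, now="2024-01-01T00:00:00Z"):
    """Emit one 'added' or 'removed' event per record that differs between snapshots."""
    events = []
    for rtype in sorted(set(previous) | set(current)):
        old, new = previous.get(rtype, set()), current.get(rtype, set())
        for value in sorted(new - old):
            events.append(_event(now, domain, rtype, "added", None, value))
        for value in sorted(old - new):
            events.append(_event(now, domain, rtype, "removed", value, None))
    return events


def risk_grade(score):
    """A-F bands from the Executive Risk Summary grading table."""
    if score <= 20:
        return "A"
    if score <= 40:
        return "B"
    if score <= 60:
        return "C"
    if score <= 80:
        return "D"
    return "F"


def summarize(events):
    """Roll-up in the spirit of the Total / High-Risk Changes / Overall Grade panels."""
    if not events:
        return {"changes": 0, "high_risk": 0, "avg_risk": 0.0, "grade": "A"}
    avg = sum(e["risk_score"] for e in events) / len(events)
    return {"changes": len(events),
            "high_risk": sum(1 for e in events if e["risk_score"] >= HIGH_RISK_THRESHOLD),
            "avg_risk": round(avg, 1),
            "grade": risk_grade(avg)}


def run_sample():
    events = diff_baselines("example.com", PREVIOUS_BASELINE, CURRENT_BASELINE)
    return events, summarize(events)


if __name__ == "__main__":
    events, summary = run_sample()
    for e in events:
        print(e["record_type"], e["change_type"], e["old_value"], "->", e["new_value"], e["risk_score"])
    print(summary)
```

Note that a replaced nameserver shows up as two events, an added and a removed one, which is why the tenant summary and the Change Timeline count changes rather than records; a single swapped NS is enough to pull the sample's average to 66.7 and its grade to D.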
Multi-tenant support
For MSSPs and multi-client setups, the Whisper Multi-Tenant Baseline input supports:
- Per-client domain lists
- Per-client API keys (optional)
- Per-client indexes
- Per-client checkpointing
- Collection summaries with sourcetype=whisper:attack_surface_summary
Configuration:
| Field | Required | Description |
|---|---|---|
| client_id | Yes | Unique identifier for the tenant |
| domains | Yes | Comma-separated domain list |
| index | No | Destination index (default: main) |
| max_domains | No | Maximum domains to monitor (default: 500, max: 10000) |
Querying attack surface changes
```spl
sourcetype=whisper:attack_surface_change
| stats count by domain change_type record_type
| sort - count
```
Filter for high-priority changes:
```spl
sourcetype=whisper:attack_surface_change record_type IN ("NS", "MX")
| table _time domain record_type change_type old_value new_value
```
Tenant summary:
```spl
sourcetype=whisper:attack_surface_summary
| table client_id domains_processed changes_detected high_priority_changes elapsed_seconds
```