Enterprise Security Integration
Threat intel framework, risk-based alerting, correlation searches, MITRE ATT&CK.
Overview
The TA integrates with Splunk Enterprise Security (ES) in three ways:
- Threat intel framework -- populates ES threat intel collections with Whisper data
- Risk-based alerting (RBA) -- scores indicators using graph context and generates risk events
- Correlation searches -- pre-built searches that combine Splunk events with Knowledge Graph data
Diagram
Threat intelligence setup
Modular input configuration
The Whisper Threat Intelligence modular input populates two ES threat intel collections:
| Collection | Schema | Description |
|---|---|---|
| whisper_ip_intel | ES ip_intel | IP threat intelligence with Whisper infrastructure context |
| whisper_domain_intel | ES domain_intel | Domain threat intelligence with Whisper infrastructure context |
The _time field on each record uses the indicator's latest lastSeen timestamp from threat feed sources, which reflects when the indicator was most recently observed as active. This is more useful for ES correlation than collection time. When no source timestamps are available (e.g., indicators not listed in any feed), _time falls back to the collection time.
Records are written to KV Store using batch_save (up to 1000 records per batch) for efficient bulk population. If a batch fails, the input falls back to single-record inserts to maximize the number of records saved.
Each record includes standard ES fields plus Whisper-specific fields:
IP Intel fields:
| Field | Description |
|---|---|
| ip | IP address |
| description | Threat description from explain API |
| threat_key | Threat classification |
| threat_group | Threat group attribution |
| weight | ES threat weight: 3 (score >= 50), 2 (score >= 10), 1 (score > 0) |
| whisper_asn | Autonomous System Number |
| whisper_asn_name | ASN organization name |
| whisper_country | Country code |
| whisper_prefix | IP prefix (CIDR) |
| whisper_risk_score | Normalized risk score (0-100) for ES Risk Analysis |
| whisper_risk_level | Risk level: informational, low, medium, high, critical |
| whisper_threat_score | Raw threat score from Whisper explain API |
| whisper_threat_level | Threat level from Whisper explain API |
Domain Intel fields:
| Field | Description |
|---|---|
| domain | Domain name |
| description | Threat description |
| threat_key | Threat classification |
| whisper_asn_name | ASN organization name |
| whisper_country | Country code |
| whisper_risk_score | Normalized risk score (0-100) for ES Risk Analysis |
| whisper_risk_level | Risk level: informational, low, medium, high, critical |
| whisper_threat_score | Raw threat score from Whisper explain API |
| whisper_threat_level | Threat level from Whisper explain API |
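The record-building and write rules described above (latest lastSeen as _time with a collection-time fallback, the ES weight bands, batch_save in batches of up to 1000 with single-record fallback) as an added Python example; this is not the TA's modular input code. The explain-API field names in the constructed input, and a weight of 0 for a score of 0, are assumptions.

```python
# Added example, not the TA's modular input. Explain-API field names
# (sources/lastSeen, threat_score, ...) are assumed; timestamps are epoch seconds.
BATCH_SIZE = 1000

def es_weight(score):
    """ES threat weight: 3 (score >= 50), 2 (score >= 10), 1 (score > 0)."""
    if score >= 50:
        return 3
    if score >= 10:
        return 2
    return 1 if score > 0 else 0  # 0 for an unscored indicator (assumption)

def build_ip_record(ip, explain, collected_at):
    """Map explain-API output (constructed shape) to a whisper_ip_intel record."""
    # _time is the latest lastSeen across feed sources, else the collection time.
    seen = [s["lastSeen"] for s in explain.get("sources", []) if s.get("lastSeen")]
    score = explain.get("threat_score", 0)
    return {
        "ip": ip,
        "_time": max(seen) if seen else collected_at,
        "description": explain.get("description", ""),
        "threat_key": explain.get("threat_key", ""),
        "weight": es_weight(score),
        "whisper_asn": explain.get("asn", ""),
        "whisper_threat_score": score,
    }

def save_records(records, batch_save, single_save):
    """Write records in batches; if a batch fails, retry its records one by one.
    Returns the number of records actually saved."""
    saved = 0
    for start in range(0, len(records), BATCH_SIZE):
        batch = records[start:start + BATCH_SIZE]
        try:
            batch_save(batch)
            saved += len(batch)
        except Exception:
            # Fall back to single inserts so one bad record does not sink the batch.
            for rec in batch:
                try:
                    single_save(rec)
                    saved += 1
                except Exception:
                    continue
    return saved

# Constructed in-memory stand-ins for the KV Store calls; both reject ip "bad".
def demo_batch_save(batch):
    if any(r["ip"] == "bad" for r in batch):
        raise ValueError("batch rejected")

def demo_single_save(rec):
    if rec["ip"] == "bad":
        raise ValueError("record rejected")
```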
Setting up the input
- Navigate to Apps > Whisper Security TA > Inputs
- Create a new Whisper Threat Intel input
- Configure the indicator list source (CSV file or KV Store collection)
- Set the refresh interval
- Select the account with API key
Adaptive response action
The "Enrich with Whisper" adaptive response action lets you enrich from ES notable events on demand:
- In ES, navigate to Configure > Incident Management > Adaptive Response Actions
- The "Enrich with Whisper" action is automatically available
- When triggered, it extracts indicators from the src, dest, src_dns, and dest_dns fields
- Enrichment results are attached to the notable event
Risk-based alerting
Inline risk scores on every enrichment
Every | whisperlookup enrichment result includes first-class risk score fields:
| Field | Description |
|---|---|
| whisper_risk_score | Normalized risk score (0-100), maps to ES risk_score via FIELDALIAS |
| whisper_risk_level | Risk level: informational, low, medium, high, critical |
| whisper_risk_factors_list | Comma-separated list of contributing risk factors |
| whisper_risk_components | JSON object with per-factor score breakdown and detail |
Risk scores are calculated inline during enrichment, not deferred to correlation searches. This means every enriched event immediately has a risk score available for ES Risk Analysis dashboards and correlation rules.
Tuning risk weights
The TA ships whisper_risk_factors.csv in lookups/ with a tunable weight per factor. ES admins can customize risk weights by editing this CSV lookup, without modifying code. Each row specifies a factor name, point value, and description.
How risk scores are calculated
The risk scoring engine evaluates infrastructure factors and threat category signals from the Knowledge Graph API:
ASN reputation (checked first, highest priority):
| Factor | Points | Trigger |
|---|---|---|
| ASN high threat | 60 | API returns asn_threat_level of HIGH or CRITICAL |
| ASN medium threat | 30 | API returns asn_threat_level of MEDIUM or SUSPICIOUS |
| Bulletproof ASN (fallback) | 60 | ASN matches static whisper_high_risk_asns.csv list (used only when the API returns no threat level) |
Threat category booleans (only the single highest-severity match contributes):
| Factor | Points | Trigger |
|---|---|---|
| Threat category: C2 | 70 | is_c2 = true on the IPV4/HOSTNAME node |
| Threat category: malware | 60 | is_malware = true |
| Threat category: phishing | 50 | is_phishing = true |
| Threat category: brute force | 40 | is_bruteforce = true |
| Threat category: Tor | 30 | is_tor = true |
| Threat category: scanner | 25 | is_scanner = true |
| Threat category: anonymizer | 20 | is_anonymizer = true |
| Threat category: blacklist | 20 | is_blacklist = true |
| Reputation whitelist | -30 | is_whitelist = true (reduces score) |
Infrastructure factors:
| Factor | Points | Trigger |
|---|---|---|
| High co-hosting density | 30 | IP hosts 500+ domains (shared hosting) |
| Low co-hosting density | 15 | IP hosts fewer than 5 domains (dedicated infrastructure) |
| No DNSSEC | 15 | Domain lacks DNSSEC signing |
| Suspicious SPF | 20 | SPF exceeds 10-lookup limit or missing |
| Threat feed (low) | 40 | Listed on 1 threat feed |
| Threat feed (medium) | 60 | Listed on 2-3 threat feeds |
| Threat feed (high) | 80 | Listed on 4+ threat feeds |
| Known CDN | -20 | ASN is a known CDN/SaaS provider (reduces risk) |
| Shared NS with threat | 50 | Shares nameserver with threat infrastructure |
| Newly registered domain | 35 | Domain registered within the last 30 days |
| Privacy-proxied WHOIS | 15 | WHOIS data is privacy-proxied or redacted |
| Suspicious link profile | 25 | Domain linked primarily by suspicious/threat-listed domains |
| No inbound links | 10 | Domain has no legitimate inbound links (isolation signal) |
| HOSTNAME threat (HIGH+) | 50 | HOSTNAME node has HIGH/CRITICAL threat level |
| Prefix threat | 30 | Network prefix has threat indicators |
| BGP hijack detected | 70 | Announcing ASN differs from registered ASN |
| Registrar changed | 20 | Domain registrar has changed (possible hijacking) |
Tip: When the Knowledge Graph API returns asn_threat_level for an ASN, the API-driven score takes precedence and the static bulletproof ASN list is skipped. The static list only applies when the API returns no threat level for the ASN.
The final score is normalized to 0-100 and mapped to risk levels:
| Score Range | Level |
|---|---|
| 0-19 | informational |
| 20-39 | low |
| 40-59 | medium |
| 60-79 | high |
| 80-100 | critical |
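The scoring rules above, as an added Python illustration that is not the TA's own scoring engine: ASN reputation is evaluated first with the API level taking precedence over the static list, only the single highest-severity threat category contributes, a subset of the infrastructure factors is applied, and the total is mapped to a level. The node field names, the static-list stand-in, and clamping to 0-100 as the normalization step are assumptions.

```python
# Added example, not the TA's scoring engine. Node field names, the static
# list stand-in and clamping (as the 0-100 normalization) are assumptions.
ASN_POINTS = {"HIGH": 60, "CRITICAL": 60, "MEDIUM": 30, "SUSPICIOUS": 30}
BULLETPROOF_ASNS = {"AS64512"}  # constructed stand-in for whisper_high_risk_asns.csv
# Threat category booleans in severity order; only the first match counts.
CATEGORY_POINTS = [("is_c2", 70), ("is_malware", 60), ("is_phishing", 50),
                   ("is_bruteforce", 40), ("is_tor", 30), ("is_scanner", 25),
                   ("is_anonymizer", 20), ("is_blacklist", 20)]
LEVELS = [(80, "critical"), (60, "high"), (40, "medium"), (20, "low"), (0, "informational")]

def feed_points(n):
    """Threat feed listing count -> points (1: 40, 2-3: 60, 4+: 80)."""
    return 80 if n >= 4 else 60 if n >= 2 else 40 if n == 1 else 0

def score_node(node):
    """Return (score, level, factors) for a Knowledge Graph node dict."""
    factors = []
    # ASN reputation first: an API threat level always wins; the static
    # bulletproof list is consulted only when the API returned no level.
    lvl = node.get("asn_threat_level")
    if lvl in ASN_POINTS:
        factors.append(("asn_threat_" + lvl.lower(), ASN_POINTS[lvl]))
    elif lvl is None and node.get("asn") in BULLETPROOF_ASNS:
        factors.append(("bulletproof_asn", 60))
    # Threat categories: single highest-severity match; whitelist reduces.
    for flag, pts in CATEGORY_POINTS:
        if node.get(flag):
            factors.append((flag, pts))
            break
    if node.get("is_whitelist"):
        factors.append(("is_whitelist", -30))
    # Infrastructure factors (a subset of the table above).
    hosted = node.get("cohosted_domains")
    if hosted is not None and hosted >= 500:
        factors.append(("high_cohosting", 30))
    elif hosted is not None and hosted < 5:
        factors.append(("low_cohosting", 15))
    feeds = feed_points(node.get("feed_count", 0))
    if feeds:
        factors.append(("threat_feeds", feeds))
    if node.get("is_cdn"):
        factors.append(("known_cdn", -20))
    if node.get("bgp_hijack"):
        factors.append(("bgp_hijack", 70))
    score = max(0, min(100, sum(p for _, p in factors)))
    level = next(name for floor, name in LEVELS if score >= floor)
    return score, level, factors
```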
Risk event format
Risk events follow ES format and include:
- risk_score -- Calculated score (0-100)
- risk_object -- The indicator (IP or domain)
- risk_object_type -- system for IPs, other for domains
- risk_message -- Human-readable explanation
- threat_object -- Related threat indicator
- MITRE ATT&CK annotations
MITRE ATT&CK mapping
Each enrichment factor maps to a MITRE ATT&CK technique:
| Factor | Technique ID | Technique Name | Tactic |
|---|---|---|---|
| Bulletproof ASN | T1583 | Acquire Infrastructure | Resource Development |
| High co-hosting | T1608.001 | Upload Malware | Resource Development |
| Shared NS with threat | T1584 | Compromise Infrastructure | Resource Development |
| BGP prefix conflict | T1599 | Network Boundary Bridging | Defense Evasion |
| CNAME chain | T1568 | Dynamic Resolution | Command and Control |
| Nameserver anomaly | T1071.004 | DNS | Command and Control |
Correlation searches
All correlation searches ship disabled (AppInspect requirement). Enable them in ES > Configure > Content > Content Management.
Bulletproof ASN communication detection
Schedule: Every 15 minutes Risk Score: 60
Detects outbound communication with IPs hosted on known bulletproof hosting ASNs.
SPL Logic:
- Searches firewall/proxy events for outbound connections
- Enriches destination IPs via whisperlookup
- Compares ASN against the whisper_high_risk_asns lookup
- Generates risk events for matches
Tuning:
- Customize the whisper_high_risk_asns.csv lookup with your own bulletproof ASN list
- Known CDN ASNs are automatically excluded to reduce false positives
- Adjust the risk score in the saved search configuration
Shared nameserver with threat infrastructure
Schedule: Every 4 hours Risk Score: Variable (20-50 based on threat type)
Finds domains in your environment that share nameservers with known threat infrastructure.
SPL Logic:
- Collects unique domains from DNS logs
- Resolves nameservers via whisperquery
- Cross-references with threat intel collections
- Scores based on threat type (C2=50, malware=30, phishing=20)
Tuning:
- Exclude known DNS providers (Cloudflare, AWS Route53, etc.) via whisper_dns_providers.csv
- Adjust scoring weights per threat category
DNS infrastructure change detection
Schedule: Every 6 hours Risk Score: Variable (20-40 based on record type)
Catches unexpected DNS infrastructure changes for monitored domains.
SPL Logic:
- Compares current DNS baseline with previous checkpoint
- Flags new/removed NS, MX, A, CNAME, and subdomain records
- Prioritizes nameserver and mail server changes as high-risk
- Generates risk events with T1584 MITRE annotation
Change Risk Scores:
| Record Type | Added | Removed |
|---|---|---|
| NS | 60 | 50 |
| MX | 40 | 30 |
| CNAME | 30 | 25 |
| A | 20 | 20 |
| SUBDOMAIN | 15 | 10 |
Low co-hosting density anomaly
Schedule: Every 30 minutes Risk Score: 25
Flags traffic to IPs with very few co-hosted domains (under 5), which can indicate dedicated attacker infrastructure.
SPL Logic:
- Enriches destination IPs from network events
- Filters for low co-hosting count (< 5 domains)
- Excludes known CDN/SaaS ASNs
- Generates risk events for dedicated infrastructure communication
Tuning:
- Adjust the co-hosting threshold via the whisper_low_cohosting_max macro (default: 3)
- Exclude trusted ASNs via whisper_cdn_asns.csv
BGP prefix conflict detection
Schedule: Every 4 hours Risk Score: 75
Detects BGP prefix conflicts where organizational prefixes are also announced by unexpected ASNs -- a signal for BGP hijacking.
Security use cases:
- BGP hijack detection -- alert when an organizational prefix is also announced by an unexpected ASN
- Route origin validation -- verify that prefixes are announced by expected ASNs only
- Supply chain monitoring -- detect upstream provider prefix conflicts
- Incident response -- during a BGP hijack incident, trace which prefixes were affected
SPL Logic:
- Reads organizational ASNs from the whisper_org_asns CSV lookup
- For each ASN, queries the Whisper Knowledge Graph for CONFLICTS_WITH relationships between ANNOUNCED_PREFIX nodes
- Filters for conflicts announced by other (unexpected) ASNs
- Generates risk events with T1599 (Network Boundary Bridging) MITRE annotation
Setup:
Populate the whisper_org_asns.csv lookup with your organization's ASNs:
```csv
asn,description
AS15169,Google
AS36040,Google Cloud
```
Navigate to Settings > Lookups > Lookup table files and edit whisper_org_asns.csv.
Tuning:
- The search runs every 4 hours by default; adjust the schedule based on your BGP monitoring needs
- Conflicts with known bulletproof ASNs (from whisper_high_risk_asns.csv) receive elevated risk scores (95 instead of 75)
- The query returns up to 50 conflicts per ASN
Query builder functions (Python):
The TA provides Python helper functions for programmatic use:
- build_bgp_conflict_query() -- single-ASN conflict detection (parameter: $our_asn)
- build_bgp_conflict_query_multi(asn_list) -- multi-ASN batch detection using UNWIND
- parse_bgp_conflict_result(rows) -- parse conflict results into structured dicts
- evaluate_bgp_conflict_risk(conflicts) -- calculate risk scores with optional high-risk ASN elevation
- format_bgp_conflict_risk_event(conflict) -- format as ES risk event with MITRE T1599 annotation
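The BGP conflict pipeline described in this search (filter conflicts announced by unexpected ASNs, cap at 50 per ASN, score 75 or 95 when the announcing ASN is on the high-risk list, emit an ES risk event with the T1599 annotation) and the risk event format listed earlier, as one added Python example; these are not the TA's own build_bgp_conflict_query, evaluate_bgp_conflict_risk or format_bgp_conflict_risk_event helpers. The query row field names, the risk_object_type used for a prefix, and the annotation field name are assumptions.

```python
# Added example, not the TA's BGP helpers. Row field names, risk_object_type
# for a prefix and the annotation field name are assumptions.
ORG_ASNS = {"AS15169", "AS36040"}   # as populated in whisper_org_asns.csv above
HIGH_RISK_ASNS = {"AS64512"}        # constructed stand-in for whisper_high_risk_asns.csv
BASE_SCORE, ELEVATED_SCORE = 75, 95
MAX_PER_ASN = 50                    # the query returns up to 50 conflicts per ASN

# Constructed rows shaped like CONFLICTS_WITH results between ANNOUNCED_PREFIX
# nodes; AS64512 and AS64496 are documentation-range ASNs, not real announcers.
SAMPLE_ROWS = [
    {"prefix": "203.0.113.0/24", "our_asn": "AS15169", "other_asn": "AS64512",
     "other_prefix": "203.0.113.0/25"},
    {"prefix": "203.0.113.0/24", "our_asn": "AS15169", "other_asn": "AS36040",
     "other_prefix": "203.0.113.0/24"},
    {"prefix": "198.51.100.0/24", "our_asn": "AS36040", "other_asn": "AS64496",
     "other_prefix": "198.51.100.0/24"},
]

def parse_conflicts(rows):
    """Keep conflicts announced by ASNs outside the organization, at most
    MAX_PER_ASN per organizational ASN."""
    per_asn, out = {}, []
    for r in rows:
        if r["other_asn"] in ORG_ASNS:
            continue  # overlap between our own ASNs is expected, not a conflict
        n = per_asn.get(r["our_asn"], 0)
        if n >= MAX_PER_ASN:
            continue
        per_asn[r["our_asn"]] = n + 1
        out.append(dict(r))
    return out

def evaluate_risk(conflict):
    """75 by default, elevated to 95 when the announcing ASN is high-risk."""
    return ELEVATED_SCORE if conflict["other_asn"] in HIGH_RISK_ASNS else BASE_SCORE

def format_risk_event(conflict):
    """ES-style risk event carrying the T1599 annotation."""
    return {
        "risk_score": evaluate_risk(conflict),
        "risk_object": conflict["prefix"],
        "risk_object_type": "system",          # assumed for prefixes
        "risk_message": "Prefix %s (%s) conflicts with %s announced by %s" % (
            conflict["prefix"], conflict["our_asn"],
            conflict["other_prefix"], conflict["other_asn"]),
        "threat_object": conflict["other_asn"],
        "threat_object_type": "asn",           # assumed
        "annotations.mitre_attack": "T1599",   # ES annotation field (assumed name)
    }
```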
Newly observed domain communication
Schedule: Every 15 minutes Risk Score: 35
Detects internal hosts communicating with domains first seen in the enrichment cache within a configurable time window. New domains in network traffic often indicate phishing, C2, or DGA activity.
Tuning: Adjust the whisper_newly_observed_domain_age_hours macro (default: 24 hours).
Suspicious CNAME chain depth
Schedule: Every 4 hours Risk Score: 30
Detects domains with deep CNAME chains (exceeding threshold) that terminate at non-CDN infrastructure. Deep CNAME chains can indicate domain shadowing or traffic redirection.
Tuning: Adjust the whisper_cname_depth_threshold macro (default: 3 hops).
Fast flux domain detection
Schedule: Every 30 minutes Risk Score: 45
Detects domains resolving to an unusually high number of distinct IPs, indicative of fast-flux DNS techniques used by botnets and C2 infrastructure.
Tuning: Adjust the whisper_fast_flux_ip_threshold macro (default: 5 distinct IPs).
Domain typosquatting detection
Schedule: Every 6 hours Risk Score: 40
Identifies domains in DNS traffic that closely resemble monitored organizational domains, indicating potential typosquatting or homoglyph attacks. Requires the whisper_dns_baseline collection to be populated with monitored domains.
Infrastructure pivot detection
Schedule: Every 4 hours Risk Score: 25-55 (varies by threat score)
Detects domains sharing IP infrastructure with known threat-listed domains, using domain-to-IP-to-sibling-domain pivot patterns from the Whisper graph.
Shared hosting with known threat infrastructure
Schedule: Every 30 minutes Risk Score: 50
Identifies internal hosts communicating with IPs co-hosted alongside domains appearing on threat intelligence feeds.
Domain parking and sinkhole detection
Schedule: Every 6 hours Risk Score: 20-45 (sinkholed domains score higher)
Detects DNS queries for domains identified as parked or sinkholed in Whisper enrichment data.
Mail server infrastructure change
Schedule: Every 6 hours Risk Score: 35
Detects MX record changes for monitored domains by comparing current data against the DNS baseline. Mail server changes may indicate domain hijacking or email interception.
Shadow IT DNS provider detection
Schedule: Every 6 hours Risk Score: 30
Detects organizational domains using unauthorized DNS providers by comparing nameservers against the approved DNS provider list (whisper_dns_providers.csv).
Unauthorized subdomain detection
Schedule: Every 4 hours Risk Score: 25
Detects subdomains in DNS traffic that are not part of the monitored baseline, indicating potential unauthorized subdomain creation or subdomain takeover.
ASN migration detection
Schedule: Every 6 hours Risk Score: 35
Detects when monitored domains move to different ASNs, which may indicate infrastructure changes, compromises, or hijacking.
Nameserver delegation change
Schedule: Every 6 hours Risk Score: 40
Detects nameserver delegation changes for monitored domains. NS changes can indicate domain hijacking or unauthorized transfers.
Multi-feed threat IP communication
Schedule: Every 15 minutes Risk Score: 50-80 (varies by feed count)
Detects internal hosts communicating with IPs that appear on multiple distinct threat intelligence feeds. IPs flagged by multiple feeds have higher confidence of being malicious.
Tuning: Adjust the whisper_multi_feed_threshold macro (default: 2 feeds).
Newly registered domain resolution
Schedule: Every 15 minutes Risk Score: 30-50 (varies by domain age)
Detects DNS resolution of recently registered domains. Newly registered domains are frequently used in phishing campaigns and malware distribution.
Tuning: Adjust the whisper_newly_registered_domain_days macro (default: 30 days).
TOR exit node communication
Schedule: Every 15 minutes Risk Score: 55
Detects internal hosts communicating with known TOR exit nodes identified by the Whisper Knowledge Graph.
Tuning: Adjust the whisper_tor_risk_score macro (default: 55).
Configurable threshold macros
All correlation search thresholds are configurable via macros. Override them in Settings > Advanced Search > Search Macros:
| Macro | Default | Description |
|---|---|---|
| whisper_cname_depth_threshold | 3 | Max CNAME chain depth before alerting |
| whisper_newly_observed_domain_age_hours | 24 | Hours to consider a domain newly observed |
| whisper_fast_flux_ip_threshold | 5 | Min distinct IPs for fast-flux detection |
| whisper_low_cohosting_max | 3 | Max co-hosting count for low-density anomaly |
| whisper_multi_feed_threshold | 2 | Min threat feeds for multi-feed detection |
| whisper_newly_registered_domain_days | 30 | Max domain age (days) for new domain detection |
| whisper_tor_risk_score | 55 | Risk score for TOR exit node communication |
| whisper_bulletproof_risk_score | 60 | Risk score for bulletproof ASN communication |
| whisper_bgp_conflict_risk_score | 75 | Risk score for BGP prefix conflicts |
Analytic story
All 20 correlation searches are grouped under the "Whisper Infrastructure Threat Detection" analytic story (category: Abuse), organized in four detection categories:
DNS/Infrastructure Intelligence: Bulletproof ASN Communication, Shared Nameserver with Threats, DNS Infrastructure Change, Newly Observed Domain, Suspicious CNAME Chain, Fast Flux Domain, Domain Typosquatting.
Infrastructure Pivot Detection: Low Co-Hosting Density, Infrastructure Pivot, Shared Hosting with Threats, Domain Parking/Sinkhole, Mail Server Infrastructure Change.
Network/BGP Intelligence: BGP Prefix Conflict, Shadow IT DNS Provider, Unauthorized Subdomain, ASN Migration, Nameserver Delegation Change.
Threat Intel Correlation: Multi-Feed Threat IP, Newly Registered Domain, TOR Exit Node.
MITRE ATT&CK annotations cover: T1583, T1583.001, T1583.004, T1584, T1584.001, T1568, T1568.001, T1071.004, T1090.003, T1595, T1599.
Find it in ES under Security Content > Analytic Stories.