Lookups
CSV lookups and KV Store collections for risk scoring and caching.
Lookups Documentation
The Whisper Security Add-on ships five CSV lookup files used by correlation searches and risk scoring. These can be customized to tune detection for your environment.
CSV Lookups
whisper_high_risk_asns.csv
Autonomous Systems known for hosting malicious infrastructure (bulletproof hosting). Communication with IPs on these ASNs triggers the Bulletproof ASN Communication Detection correlation search.
| Column | Description |
|---|---|
| asn | ASN identifier (e.g., AS44477) |
| description | Provider name |
| category | Classification (e.g., bulletproof_hosting) |
Default entries: SERVERD (AS200052), Stark Industries (AS44477), M247 (AS9009), Aeza Group (AS210644), Delis (AS48693), Reba Communications (AS213371), Flyservers (AS14061), PQ Hosting (AS216319)
To customize:
- Navigate to Settings > Lookups > Lookup table files
- Find whisper_high_risk_asns and click Edit
- Add or remove ASN entries
- Changes take effect immediately for correlation searches
Alternatively, create local/whisper_high_risk_asns.csv in the app directory to override without modifying the default.
whisper_dns_providers.csv
Major DNS providers excluded from the Shared Nameserver with Threat Infrastructure correlation search. Shared nameservers on these providers are expected and not suspicious.
| Column | Description |
|---|---|
| nameserver_pattern | Wildcard match pattern (e.g., *.ns.cloudflare.com) |
| provider | Provider name |
Default providers: Cloudflare, Google Cloud DNS, AWS Route 53, Azure DNS, Oracle Dyn, NS1, UltraDNS, DNSimple, Namecheap, GoDaddy, Hover, Gandi, OVH
Match type: WILDCARD — patterns use * for prefix matching.
whisper_cdn_asns.csv
CDN and major SaaS provider ASNs excluded from the Low Co-Hosting Density Anomaly correlation search. IPs on CDN ASNs naturally host many domains, so low co-hosting is not anomalous.
| Column | Description |
|---|---|
| asn | ASN identifier |
| provider | Provider name |
Default providers: Cloudflare (AS13335), Amazon/AWS (AS16509, AS14618), Google (AS15169), Microsoft Azure (AS8075), Akamai (AS20940), Fastly (AS54113), Meta (AS32934), YouTube (AS36040), Twitch (AS46489), DigitalOcean (AS14061), Linode (AS63949)
whisper_org_asns.csv
Organizational ASN list for the BGP Prefix Conflict Detection correlation search. Populate this with your organization's ASNs to monitor for BGP prefix conflicts (potential hijacking).
| Column | Description |
|---|---|
| asn | ASN identifier (e.g., AS15169) |
| description | Organization or description |
Default: Empty (header only). You must populate this with your ASNs for the BGP conflict search to work.
To customize:
- Navigate to Settings > Lookups > Lookup table files
- Find whisper_org_asns and click Edit
- Add your organizational ASNs (one per row)
- Enable the "Whisper - BGP Prefix Conflict Detection" correlation search
Example:

```
asn,description
AS15169,Google
AS36040,Google Cloud
AS8075,Microsoft Azure
```
whisper_risk_factors.csv
Configurable weights for the risk scoring algorithm. Each factor contributes points to the overall risk score (0-100 scale).
| Column | Description |
|---|---|
| factor | Factor identifier |
| points | Point contribution (negative = risk reduction) |
| description | Human-readable description |
Default factors:
| Factor | Points | Trigger |
|---|---|---|
| bulletproof_asn | 60 | IP on a bulletproof hosting ASN (static fallback) |
| asn_high_threat | 60 | ASN has HIGH or CRITICAL threat level from API |
| asn_medium_threat | 30 | ASN has MEDIUM or SUSPICIOUS threat level from API |
| threat_category_c2 | 70 | Indicator is C2 infrastructure (is_c2=true) |
| threat_category_malware | 60 | Indicator distributes malware (is_malware=true) |
| threat_category_phishing | 50 | Indicator is phishing infrastructure (is_phishing=true) |
| threat_category_bruteforce | 40 | Indicator is a brute-force source (is_bruteforce=true) |
| threat_category_tor | 30 | Indicator is a Tor exit node (is_tor=true) |
| threat_category_scanner | 25 | Indicator is a network scanner (is_scanner=true) |
| threat_category_anonymizer | 20 | Indicator is an anonymization service (is_anonymizer=true) |
| threat_category_blacklist | 20 | Indicator is on a general blacklist (is_blacklist=true) |
| threat_whitelist | -30 | Indicator is on a reputation whitelist (reduces score) |
| high_cohosting | 30 | IP hosts 500+ domains |
| low_cohosting | 15 | IP hosts fewer than 5 domains (dedicated infra) |
| no_dnssec | 15 | Domain lacks DNSSEC signing |
| suspicious_spf | 20 | SPF record issues |
| threat_feed_low | 40 | Listed in 1 threat feed |
| threat_feed_medium | 60 | Listed in 2-3 threat feeds |
| threat_feed_high | 80 | Listed in 4+ threat feeds |
| known_cdn | -20 | IP on a known CDN ASN (reduces score) |
| shared_ns_threat | 50 | Shares nameserver with threat infra |
Tip: Add a row with the same factor name to whisper_risk_factors.csv to override any default weight. The CSV value takes precedence over the built-in default for that factor.
Risk levels:
| Range | Level |
|---|---|
| 0-19 | LOW |
| 20-39 | MEDIUM |
| 40-59 | HIGH |
| 60-100 | CRITICAL |
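The weight-override and banding rules above, worked through in Python as an added example (this is not the add-on's own scoring code). It assumes the score is the plain sum of the triggered factor weights clamped to 0-100, uses a constructed whisper_risk_factors.csv override, and maps hypothetical enrichment field names (asn_threat_level, is_c2, cohosted_domains, threat_feed_count, ...) to the factor identifiers from the table.

```python
import csv

# Built-in defaults copied from the table above (a subset, to keep this short).
DEFAULT_POINTS = {
    "bulletproof_asn": 60, "asn_high_threat": 60, "asn_medium_threat": 30,
    "threat_category_c2": 70, "threat_category_malware": 60, "threat_category_tor": 30,
    "high_cohosting": 30, "low_cohosting": 15, "threat_whitelist": -30, "known_cdn": -20,
    "threat_feed_low": 40, "threat_feed_medium": 60, "threat_feed_high": 80,
}

# Constructed whisper_risk_factors.csv content: one row overriding a default weight.
CSV_OVERRIDES = "factor,points,description\nthreat_category_tor,10,Tor exits are noisy here\n"

def load_weights(csv_text):
    """Merge CSV rows over the defaults; the CSV value wins for that factor."""
    weights = dict(DEFAULT_POINTS)
    for row in csv.DictReader(csv_text.splitlines()):
        weights[row["factor"].strip()] = int(row["points"])
    return weights

def triggered_factors(rec):
    """Map one enrichment record (hypothetical field names) to factor ids."""
    hits = []
    level = rec.get("asn_threat_level", "").upper()
    if level in ("HIGH", "CRITICAL"):
        hits.append("asn_high_threat")
    elif level in ("MEDIUM", "SUSPICIOUS"):
        hits.append("asn_medium_threat")
    elif rec.get("bulletproof_asn"):  # static CSV fallback when the API gave no level (assumed)
        hits.append("bulletproof_asn")
    hits += ["threat_category_" + c for c in ("c2", "malware", "tor") if rec.get("is_" + c)]
    domains = rec.get("cohosted_domains")
    if domains is not None and domains >= 500:
        hits.append("high_cohosting")
    elif domains is not None and domains < 5:
        hits.append("low_cohosting")
    feeds = rec.get("threat_feed_count", 0)
    if feeds:
        hits.append("threat_feed_" + ("high" if feeds >= 4 else "medium" if feeds >= 2 else "low"))
    hits += [f for f in ("threat_whitelist", "known_cdn") if rec.get(f)]
    return hits

def score(rec, weights):
    """Sum triggered weights and clamp to the 0-100 scale (additive model assumed)."""
    return max(0, min(100, sum(weights.get(f, 0) for f in triggered_factors(rec))))

def risk_level(s):
    """Bands from the Risk levels table: 0-19 LOW, 20-39 MEDIUM, 40-59 HIGH, 60-100 CRITICAL."""
    return "CRITICAL" if s >= 60 else "HIGH" if s >= 40 else "MEDIUM" if s >= 20 else "LOW"
```

Note that negative factors such as known_cdn can only pull a score down to 0, so a CDN-hosted indicator that also hits a high-weight category still lands in HIGH or CRITICAL.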
KV Store Collections
Five KV Store collections are created automatically. They are managed by modular inputs and search commands — direct editing is not recommended.
| Collection | Purpose | Populated By |
|---|---|---|
| whisper_enrichment_cache | TTL cache for live enrichment | whisperlookup command |
| whisper_precomputed_enrichment | Pre-computed watchlist data | Watchlist input |
| whisper_ip_intel | ES IP threat intelligence | Threat intel input |
| whisper_domain_intel | ES domain threat intelligence | Threat intel input |
| whisper_dns_baseline | DNS infrastructure snapshots | Baseline / multi-tenant inputs |
Cache management (SPL search commands):

```
| whisperflush collection=cache        # Clear enrichment cache
| whisperflush collection=precomputed  # Clear precomputed data
| whisperflush collection=all          # Clear everything
```
The Whisper - Evict Expired Cache Entries saved search (disabled by default) runs hourly to remove expired cache entries. Enable it under Settings > Searches, reports, and alerts.