Splunk Lookups & KV Store Reference

CSV lookups and KV Store collections for risk scoring, threat intel, and enrichment caching.

Updated May 2026Splunk

Splunk Lookups & KV Store Reference Documentation

The add-on ships a small set of CSV lookup files plus several KV Store collections. Customize the CSVs to tune enrichment and to support any detections you build against the Whisper data. Sections that reference detection logic describe patterns you can build by cloning the example enrichment templates in savedsearches.conf; the add-on does not ship prebuilt correlation searches.

CSV Lookups

whisper_high_risk_asns.csv

Autonomous Systems known for hosting malicious infrastructure (bulletproof hosting). Communication with IPs on these ASNs triggers the Bulletproof ASN Communication Detection correlation search.

ColumnDescription
asnASN identifier (e.g., AS44477)
descriptionProvider name
categoryClassification (e.g., bulletproof_hosting)

Default entries: SERVERD (AS200052), Stark Industries (AS44477), M247 (AS9009), Aeza Group (AS210644), Delis (AS48693), Reba Communications (AS213371), Flyservers (AS14061), PQ Hosting (AS216319)

To customize:

  1. Navigate to Settings > Lookups > Lookup table files
  2. Find whisper_high_risk_asns and click Edit
  3. Add or remove ASN entries
  4. Changes take effect immediately for correlation searches

Alternatively, create local/whisper_high_risk_asns.csv in the app directory to override without modifying the default.

whisper_dns_providers.csv

Major DNS providers excluded from the Shared Nameserver with Threat Infrastructure correlation search. Shared nameservers on these providers are expected and not suspicious.

ColumnDescription
nameserver_patternWildcard match pattern (e.g., *.ns.cloudflare.com)
providerProvider name

Default providers: Cloudflare, Google Cloud DNS, AWS Route 53, Azure DNS, Oracle Dyn, NS1, UltraDNS, DNSimple, Namecheap, GoDaddy, Hover, Gandi, OVH

Match type: WILDCARD — patterns use * for prefix matching.

whisper_cdn_asns.csv

CDN and major SaaS provider ASNs excluded from the Low Co-Hosting Density Anomaly correlation search. IPs on CDN ASNs naturally host many domains, so low co-hosting is not anomalous.

ColumnDescription
asnASN identifier
providerProvider name

Default providers: Cloudflare (AS13335), Amazon/AWS (AS16509, AS14618), Google (AS15169), Microsoft Azure (AS8075), Akamai (AS20940), Fastly (AS54113), Meta (AS32934), YouTube (AS36040), Twitch (AS46489), DigitalOcean (AS14061), Linode (AS63949)

whisper_org_asns.csv

Organizational ASN list for the BGP Prefix Conflict Detection correlation search. Populate this with your organization's ASNs to monitor for BGP prefix conflicts (potential hijacking).

ColumnDescription
asnASN identifier (e.g., AS15169)
descriptionOrganization or description

Default: Empty (header only). You must populate this with your ASNs for the BGP conflict search to work.

To customize:

  1. Navigate to Settings > Lookups > Lookup table files
  2. Find whisper_org_asns and click Edit
  3. Add your organizational ASNs (one per row)
  4. Enable the "Whisper - BGP Prefix Conflict Detection" correlation search

Example:

asn,description
AS15169,Google
AS36040,Google Cloud
AS8075,Microsoft Azure

whisper_risk_factors.csv

Configurable weights for the risk scoring algorithm. Each factor contributes points to the overall risk score (0-100 scale).

ColumnDescription
factorFactor identifier
pointsPoint contribution (negative = risk reduction)
descriptionHuman-readable description

Default factors:

FactorPointsTrigger
bulletproof_asn60IP on a bulletproof hosting ASN (static fallback)
asn_high_threat60ASN has HIGH or CRITICAL threat level from API
asn_medium_threat30ASN has MEDIUM or SUSPICIOUS threat level from API
threat_category_c270Indicator is C2 infrastructure (is_c2=true)
threat_category_malware60Indicator distributes malware (is_malware=true)
threat_category_phishing50Indicator is phishing infrastructure (is_phishing=true)
threat_category_bruteforce40Indicator is a brute-force source (is_bruteforce=true)
threat_category_tor30Indicator is a Tor exit node (is_tor=true)
threat_category_scanner25Indicator is a network scanner (is_scanner=true)
threat_category_anonymizer20Indicator is an anonymization service (is_anonymizer=true)
threat_category_blacklist20Indicator is on a general blacklist (is_blacklist=true)
threat_whitelist-30Indicator is on a reputation whitelist — reduces score
high_cohosting30IP hosts 500+ domains
low_cohosting15IP hosts fewer than 5 domains (dedicated infra)
suspicious_spf20SPF record issues
threat_feed_low40Listed in 1 threat feed
threat_feed_medium60Listed in 2-3 threat feeds
threat_feed_high80Listed in 4+ threat feeds
known_cdn-20IP on a known CDN ASN (reduces score)
shared_ns_threat50Shares nameserver with threat infra

Overriding defaults: Add a row with the same factor name to whisper_risk_factors.csv to override any default weight. The CSV value takes precedence over the built-in default for that factor.

Risk levels:

RangeLevel
0-19LOW
20-39MEDIUM
40-59HIGH
60-100CRITICAL

KV Store Collections

Five KV Store collections are created automatically. They are managed by modular inputs and search commands — direct editing is not recommended.

CollectionPurposePopulated By
whisper_enrichment_cacheTTL cache for live enrichmentwhisperlookup command
whisper_precomputed_enrichmentPre-computed watchlist dataWatchlist input
whisper_ip_intelES IP threat intelligenceThreat intel input
whisper_domain_intelES domain threat intelligenceThreat intel input
whisper_dns_baselineDNS infrastructure snapshotsBaseline input

Cache management:

| whisperflush collection=cache        # Clear enrichment cache
| whisperflush collection=precomputed  # Clear precomputed data
| whisperflush collection=all          # Clear everything

The Whisper - Evict Expired Cache Entries saved search (disabled by default) runs hourly to remove expired cache entries. Enable it under Settings > Searches, reports, and alerts.

PreviousSplunk Dashboards ReferenceNextModular Inputs