Investigation Macros

Pre-built macros for infrastructure investigation: shared nameservers, ASN context, CNAME and SPF chains, BGP peers, co-hosted domains.

Updated May 2026 | Splunk

Investigation Macros Documentation

SPL macros for common investigations against the Whisper Knowledge Graph. Each macro wraps the whisperquery command around a parameterized Cypher query.

Usage

Call a macro with backtick syntax:

| `whisper_shared_nameservers("example.com")`

Available macros

whisper_shared_nameservers(domain)

Find all domains sharing nameservers with the given domain. Good for spotting related infrastructure or attacker-controlled domain clusters.

| `whisper_shared_nameservers("phishing-target.com")`

Output fields: nameserver, related_domain

During IR, use this to find other domains on the same nameserver as a phishing domain. Shared nameservers often mean common ownership or compromised hosting.


whisper_asn_infrastructure(asn)

List all prefixes routed by an ASN.

| `whisper_asn_infrastructure("AS13335")`

Output fields: asn, prefix

Handy for scoping a bulletproof hosting provider or mapping out a threat actor's ASN.


whisper_cname_chain(domain)

Resolve the full CNAME alias chain for a domain, up to 5 hops deep.

| `whisper_cname_chain("www.example.com")`

Output fields: cname_chain, cname_target, depth

Good for detecting dangling CNAMEs (subdomain takeover risk) and understanding delegation patterns.


whisper_spf_chain(domain)

Trace the SPF include mechanism chain for a domain. Checks for RFC 7208 compliance (maximum 10 DNS lookups).

| `whisper_spf_chain("example.com")`

Output fields: spf_chain, depth

Use this to audit email auth compliance and catch SPF configs that are about to hit the 10-lookup limit.
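The lookup-counting rule this macro audits, as an added example that is not part of the Whisper macros or their Cypher queries: a small resolver over constructed SPF TXT records (no DNS access) that walks include and redirect chains, counts the mechanisms RFC 7208 charges as DNS lookups, reports chain and depth like the macro's output fields, and flags a record that needs more than 10. The domain names and records are constructed for the example.

```python
"""Count SPF DNS lookups (RFC 7208 section 4.6.4) over constructed TXT records."""
from typing import Dict, List, Tuple

# Constructed SPF records standing in for DNS TXT lookups (offline example).
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 a a:mail2.relay.example mx -all",
    "_spf.crm.example": "v=spf1 include:_spf.crm.example ?all",  # includes itself
    "bloated.example": "v=spf1 include:example.com include:_spf.mail.example -all",
}

# Terms that each cost one DNS lookup; ip4, ip6 and all are free.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10


def spf_lookups(domain: str, path: Tuple[str, ...] = ()) -> Tuple[int, int, List[str]]:
    """Return (lookup_count, max_depth, chain) for a domain's SPF record.

    `path` is the include chain that led here; revisiting a domain on it is a
    loop and is reported instead of recursed into.
    """
    depth = len(path)
    if domain in path:
        return 0, depth, [f"{domain} (loop)"]
    record = SPF_RECORDS.get(domain)
    if record is None:                       # missing record: nothing more to count
        return 0, depth, [f"{domain} (no record)"]
    count, max_depth, chain = 0, depth, [domain]
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        name, _, arg = term.lstrip("+-~?").partition(":")   # drop the qualifier
        if name.startswith("redirect="):     # modifier form: redirect=domain
            name, arg = "redirect", name.split("=", 1)[1]
        if name not in LOOKUP_MECHANISMS:
            continue
        count += 1                           # this term costs one lookup itself
        if name in ("include", "redirect"):  # and pulls in the target's record
            sub_count, sub_depth, sub_chain = spf_lookups(arg, path + (domain,))
            count += sub_count
            max_depth = max(max_depth, sub_depth)
            chain.extend(sub_chain)
    return count, max_depth, chain


def spf_compliant(domain: str) -> bool:
    """True when the whole chain stays within RFC 7208's 10-lookup limit."""
    return spf_lookups(domain)[0] <= MAX_LOOKUPS
```

A diamond (the same include reached by two paths) is counted twice, as a receiving MTA would resolve it twice, while a true cycle is reported as a loop entry in the chain.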


whisper_bgp_peers(asn)

List BGP peers of an ASN with peer names and country information.

| `whisper_bgp_peers("AS13335")`

Output fields: peer_asn, peer_name, country

Helps you see the transit relationships of a network and spot unusual peering arrangements.


whisper_cohosted_domains(domain)

Find domains co-hosted on the same IP address as the given domain.

| `whisper_cohosted_domains("suspicious-site.com")`

Output fields: ip, cohosted_domain

Look for other potentially malicious domains on the same IP. Low co-hosting density (dedicated IPs) is a common sign of attacker-controlled infrastructure.


whisper_full_investigation(indicator)

Full infrastructure investigation: hostname to IP to ASN with geo context and co-hosting count.

| `whisper_full_investigation("malware-c2.evil.com")`

Output fields: hostname, ip, prefix, asn, asn_name, country, cohost_count

One-command infrastructure overview during triage. Combines domain resolution, ASN lookup, geolocation, and co-hosting analysis.


whisper_explain(indicator)

Get a threat assessment for an indicator via the Whisper explain API.

| `whisper_explain("8.8.8.8")`

Output fields: Results from the explain() stored procedure, including threat score, level, explanation, and contributing factors.

Quick threat check on a single indicator without running the full enrichment pipeline.


Index macro

Macro: whisper_index
Default: index=whisper
Description: Default index for Whisper Security events. Override it in Settings > Advanced Search > Search Macros if you write Whisper events to a custom index.

Combining macros with SPL

Macros return tabular results, so you can pipe them into any SPL command:

Filter shared nameserver results by country:

| `whisper_shared_nameservers("target.com")`
| lookup whisper_domain_intel domain AS related_domain
| where isnotnull(threat_key)

Investigate suspicious ASNs from enriched events:

index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip
| where whisper_cohost_count < 5
| dedup whisper_asn
| map search="| `whisper_asn_infrastructure(\"$$whisper_asn$$\")`"

Export CNAME chains to a lookup:

| `whisper_cname_chain("example.com")`
| outputlookup whisper_cname_results.csv