Investigation Macros

8 pre-built macros for infrastructure investigation.

Updated April 2026 (Splunk Integration)

Investigation Macros Documentation

Pre-built SPL macros for common investigations against the Whisper Knowledge Graph. They all use whisperquery with parameterized Cypher under the hood.

Usage

Call a macro with backtick syntax:

| `whisper_shared_nameservers("example.com")`

Available macros

whisper_shared_nameservers(domain)

Find all domains sharing nameservers with the given domain. Good for spotting related infrastructure or attacker-controlled domain clusters.

| `whisper_shared_nameservers("phishing-target.com")`

Output fields: nameserver, related_domain

During IR, use this to find other domains on the same nameserver as a phishing domain. Shared nameservers often mean common ownership or compromised hosting.


whisper_asn_infrastructure(asn)

List all prefixes routed by an ASN.

| `whisper_asn_infrastructure("AS13335")`

Output fields: asn, prefix

Handy for scoping a bulletproof hosting provider or mapping out a threat actor's ASN.


whisper_cname_chain(domain)

Resolve the full CNAME alias chain for a domain, up to 5 hops deep.

| `whisper_cname_chain("www.example.com")`

Output fields: cname_chain, cname_target, depth

Good for detecting dangling CNAMEs (subdomain takeover risk) and understanding delegation patterns.


whisper_spf_chain(domain)

Trace the SPF include mechanism chain for a domain. Checks for RFC 7208 compliance (maximum 10 DNS lookups).

| `whisper_spf_chain("example.com")`

Output fields: spf_chain, depth

Use this to audit email auth compliance and catch SPF configs that are about to hit the 10-lookup limit.


whisper_bgp_peers(asn)

List BGP peers of an ASN with peer names and country information.

| `whisper_bgp_peers("AS13335")`

Output fields: peer_asn, peer_name, country

Helps you see the transit relationships of a network and spot unusual peering arrangements.


whisper_cohosted_domains(domain)

Find domains co-hosted on the same IP address as the given domain.

| `whisper_cohosted_domains("suspicious-site.com")`

Output fields: ip, cohosted_domain

Look for other potentially malicious domains on the same IP. Low co-hosting density (dedicated IPs) is a common sign of attacker-controlled infrastructure.


whisper_full_investigation(indicator)

Full infrastructure investigation: hostname to IP to ASN with geo context and co-hosting count.

| `whisper_full_investigation("malware-c2.evil.com")`

Output fields: hostname, ip, prefix, asn, asn_name, country, cohost_count

One-command infrastructure overview during triage. Combines domain resolution, ASN lookup, geolocation, and co-hosting analysis.


whisper_explain(indicator)

Get a threat assessment for an indicator via the Whisper explain API.

| `whisper_explain("8.8.8.8")`

Output fields: Results from the explain() stored procedure, including threat score, level, explanation, and contributing factors.

Quick threat check on a single indicator without running the full enrichment pipeline.


Correlation search threshold macros

These macros control the sensitivity of correlation searches. Override them in Settings > Advanced Search > Search Macros:

Macro                                      Default  Description
whisper_cname_depth_threshold              3        Max CNAME chain depth before alerting
whisper_newly_observed_domain_age_hours    24       Hours to consider a domain newly observed
whisper_fast_flux_ip_threshold             5        Min distinct IPs for fast-flux detection
whisper_low_cohosting_max                  3        Max co-hosting count for low-density anomaly
whisper_multi_feed_threshold               2        Min threat feeds for multi-feed detection
whisper_newly_registered_domain_days       30       Max domain age (days) for new domain detection
whisper_tor_risk_score                     55       Risk score for TOR exit node communication
whisper_bulletproof_risk_score             60       Risk score for bulletproof ASN communication
whisper_bgp_conflict_risk_score            75       Risk score for BGP prefix conflicts
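Because Splunk expands a macro textually wherever it appears, a threshold macro can be dropped straight into a where clause, so the cutoff lives in one place and is tuned from Settings rather than edited in every search. The following low co-hosting anomaly search is an added example, not a correlation search shipped with the app; it assumes whisperlookup returns the whisper_cohost_count and whisper_asn fields named on this page and that src_ip and dest_ip are present in the pan:traffic events.

```spl
index=firewall sourcetype=pan:traffic earliest=-24h
| whisperlookup field=dest_ip
| where isnotnull(whisper_cohost_count) AND whisper_cohost_count <= `whisper_low_cohosting_max`
| stats count AS events, dc(src_ip) AS distinct_sources, earliest(_time) AS first_seen, latest(_time) AS last_seen BY dest_ip, whisper_asn, whisper_cohost_count
| convert ctime(first_seen) ctime(last_seen)
| sort - distinct_sources
```

Raising whisper_low_cohosting_max in Search Macros widens the net without touching this search; the same pattern applies to the other thresholds, for example depth > `whisper_cname_depth_threshold` over whisper_cname_chain output.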

Combining macros with SPL

Macros return tabular results, so you can pipe them into any SPL command:

Enrich shared-nameserver results with the domain intel lookup and keep only the related domains that have a threat record:

| `whisper_shared_nameservers("target.com")`
| lookup whisper_domain_intel domain AS related_domain
| where isnotnull(threat_key)

Investigate suspicious ASNs from enriched events:

index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip
| where whisper_cohost_count < 5
| dedup whisper_asn
| map search="| `whisper_asn_infrastructure(\"$$whisper_asn$$\")`"

Export CNAME chains to a lookup:

| `whisper_cname_chain("example.com")`
| outputlookup whisper_cname_results.csv