Modular Inputs
Automated data collection: health check, threat intel populators, attack-surface baselines, and watchlist monitoring.
Modular Inputs Documentation
The Whisper Security Add-on includes three modular inputs for automated data collection. All are configured via the Inputs page in the add-on UI and disabled by default.
ES Threat Intelligence Feed
Populates the Splunk ES threat intelligence framework with scored indicators from the Whisper explain() API.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 21600s (6 hr) | 300-86400 | Collection frequency |
| Max Indicators | 10000 | 1-100000 | Indicators per run |
| Include Infrastructure | off | — | Add ASN/country/prefix context |
| Account | required | — | Whisper API account |
| Index | whisper | — | Destination index |
Output: sourcetype=whisper:threat_intel
Where do threat indicators come from?
The input populates two KV Store collections:
| Collection | Key Field | Description |
|---|---|---|
| whisper_ip_intel | ip | IP indicators with threat scores, ASN, country |
| whisper_domain_intel | domain | Domain indicators with threat scores |
These integrate with ES via the threat intelligence framework. Correlation searches reference them automatically.
Automatic seeding: On first run, when both KV Store collections are empty, the input automatically queries the Whisper Knowledge Graph for IPV4 and HOSTNAME nodes with threatScore > 0. This bootstraps the collections so threat intelligence flows immediately without manual setup.
After the first run, the input re-assesses all existing indicators in the collections on each interval. To add new indicators, insert them into the appropriate collection:
```spl
| makeresults
| eval ip="203.0.113.50", description="Suspicious IP from investigation"
| outputlookup whisper_ip_intel append=true
```

```spl
| makeresults
| eval domain="malicious-example.com", description="Phishing domain"
| outputlookup whisper_domain_intel append=true
```
Verification:
```spl
| inputlookup whisper_ip_intel | head 10
| inputlookup whisper_domain_intel | head 10
```
Attack Surface Baseline
Collects DNS infrastructure snapshots for monitored domains. Used by the DNS Infrastructure Change Detection correlation search.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 86400s (24 hr) | 3600-604800 | Collection frequency |
| Domains | required | — | Comma-separated domain list |
| Account | required | — | Whisper API account |
| Index | whisper | — | Destination index |
How to specify domains
Enter the domains you want to monitor as a comma-separated list in the Domains field when configuring the input. For example:
```text
example.com, corp.example.com, subsidiary.com
```
The input discovers the full DNS infrastructure for each domain (A records, nameservers, mail servers, CNAME chains, and subdomains). You do not need to list subdomains individually — they are discovered automatically.
Records collected per domain:
| Record Type | Cypher Query | Description |
|---|---|---|
| A | RESOLVES_TO → IPV4 | DNS A records |
| NS | NAMESERVER_FOR → HOSTNAME | Nameservers |
| MX | MAIL_FOR → HOSTNAME | Mail servers |
| CNAME | ALIAS_OF → HOSTNAME (up to 5 hops) | CNAME chains |
| SUBDOMAIN | CHILD_OF → HOSTNAME (up to 1000) | Subdomains |
Outputs:
| Sourcetype | When emitted | Purpose |
|---|---|---|
| whisper:attack_surface | Every run | Per-record DNS baseline (one event per A/NS/MX/CNAME/SUBDOMAIN record) |
| whisper:spf_compliance | Every run | One event per domain with SPF record analysis |
| whisper:attack_surface_change | Second run onward | Diff between the previous run's snapshot and the current run; one event per added or removed record |
| index=risk (sourcetype stash) | When NS, MX, or wildcard records change | High-priority risk events with MITRE ATT&CK technique annotations for ES Risk-Based Alerting |
The input keeps a per-domain snapshot in the modular input checkpoint after each run. The next run compares the new baseline against the saved snapshot and emits change events. The first run after install therefore produces only baseline events; change detection begins on the second run.
Each record is also written to the whisper_dns_baseline KV Store collection. That collection seeds the Watchlist Enrichment input (see below).
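The snapshot comparison described above, as an added example that is not the add-on's own code: it diffs a checkpointed per-domain snapshot against the current baseline, emits one change event per added or removed record, produces nothing on the first run (no checkpoint), and picks out the NS/MX/wildcard changes that would become risk events. The snapshot layout and the assumption that wildcard records carry a value starting with "*." are mine, not the add-on's.

```python
from typing import Dict, List, Optional, Set, Tuple

# A snapshot is the set of (record_type, value) pairs the checkpoint holds
# for each domain. None means no checkpoint exists yet (first run).
Snapshot = Dict[str, Set[Tuple[str, str]]]

# NS and MX changes feed index=risk per the outputs table; how wildcard
# records are represented is an assumption here (value starting with "*.").
HIGH_PRIORITY_TYPES = {"NS", "MX"}

def is_wildcard(value: str) -> bool:
    return value.startswith("*.")

def diff_snapshots(previous: Optional[Snapshot], current: Snapshot) -> List[dict]:
    """One change event per added or removed record; none on the first run."""
    if previous is None:
        return []
    events = []
    for domain in sorted(set(previous) | set(current)):
        before = previous.get(domain, set())
        after = current.get(domain, set())
        for rtype, value in sorted(after - before):
            events.append({"domain": domain, "record_type": rtype,
                           "value": value, "change": "added"})
        for rtype, value in sorted(before - after):
            events.append({"domain": domain, "record_type": rtype,
                           "value": value, "change": "removed"})
    return events

def risk_events(changes: List[dict]) -> List[dict]:
    """Subset of change events that warrant a high-priority risk event."""
    return [c for c in changes
            if c["record_type"] in HIGH_PRIORITY_TYPES or is_wildcard(c["value"])]

# Constructed sample snapshots: a nameserver swap and a new subdomain.
PREVIOUS: Snapshot = {"example.com": {
    ("A", "203.0.113.10"), ("NS", "ns1.example.net"), ("MX", "mx.example.com")}}
CURRENT: Snapshot = {"example.com": {
    ("A", "203.0.113.10"), ("NS", "ns1.other-example.net"),
    ("MX", "mx.example.com"), ("SUBDOMAIN", "dev.example.com")}}

if __name__ == "__main__":
    for event in diff_snapshots(PREVIOUS, CURRENT):
        print(event)
```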
Verification:
```spl
`whisper_index` sourcetype="whisper:attack_surface" | stats count by domain, record_type
```
Watchlist Enrichment
Pre-computes enrichment for a custom list of indicators, storing results in KV Store for instant lookup without live API calls.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 14400s (4 hr) | 300-86400 | Enrichment frequency |
| Max Indicators | 10000 | 1-100000 | Indicators per run |
| Account | required | — | Whisper API account |
| Index | whisper | — | Destination index |
Output: sourcetype=whisper:watchlist
Results are stored in the whisper_precomputed_enrichment KV Store collection. The whisperlookup command checks this collection before making live API calls.
How to populate the watchlist
The input enriches all indicators in the whisper_watchlist KV Store collection. Each record has three fields:
| Field | Required | Description |
|---|---|---|
| indicator | yes | Domain name or IP address |
| indicator_type | no | "domain" or "ip" (auto-detected if omitted) |
| description | no | Free-text note (e.g., why this indicator is watched) |
Add indicators via SPL:
```spl
| makeresults
| eval indicator="example.com", indicator_type="domain", description="Primary domain"
| append [| makeresults | eval indicator="203.0.113.50", indicator_type="ip", description="Critical server"]
| outputlookup whisper_watchlist append=true
```
Bulk-load from existing Splunk data:
```spl
index=firewall action=blocked
| stats count by dest_ip
| where count > 100
| rename dest_ip AS indicator
| eval indicator_type="ip", description="Frequently blocked IP"
| outputlookup whisper_watchlist append=true
```
View current watchlist:
```spl
| inputlookup whisper_watchlist
```
Automatic seeding: When the watchlist collection is empty and an Attack Surface Baseline input has already run, the watchlist input automatically seeds itself with domains from the whisper_dns_baseline collection. This means your organization's known infrastructure domains are enriched by default without manual setup. You can add or remove indicators at any time after seeding.
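An added example, not the add-on's own code, of the auto-detection the field table above describes for watchlist records with indicator_type omitted: it classifies a value as "ip" (IPv4 or IPv6) or "domain", normalises case and trailing dots, and drops records that are neither, which matters when bulk-loading from a field like dest_ip that may carry junk. The validation rules are my assumptions, not the add-on's.

```python
import ipaddress
import re
from typing import Optional

# Hostname label rule (RFC 1123 style): letters, digits, hyphens,
# no leading or trailing hyphen, 1-63 characters.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def detect_indicator_type(indicator: str) -> Optional[str]:
    """Return 'ip' or 'domain', or None when the value is neither."""
    value = indicator.strip().lower()
    try:
        ipaddress.ip_address(value)  # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(label) for label in labels):
        return "domain"
    return None

def normalize_record(record: dict) -> Optional[dict]:
    """Fill indicator_type when missing; return None for an unusable record."""
    indicator = record.get("indicator", "").strip().lower().rstrip(".")
    if not indicator:
        return None
    itype = record.get("indicator_type") or detect_indicator_type(indicator)
    if itype not in ("domain", "ip"):
        return None
    return {"indicator": indicator, "indicator_type": itype,
            "description": record.get("description", "")}

# Constructed sample rows, as a bulk-load search might produce them.
SAMPLE_ROWS = [
    {"indicator": "203.0.113.50", "description": "Frequently blocked IP"},
    {"indicator": "Example.COM.", "description": "Primary domain"},
    {"indicator": "2001:db8::1"},
    {"indicator": "not a host"},
]

def normalize_all(rows) -> list:
    return [r for r in (normalize_record(row) for row in rows) if r is not None]
```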
Verification:
```spl
| inputlookup whisper_precomputed_enrichment | head 10
```
Input scheduling guidelines
| Input | Recommended Interval | Notes |
|---|---|---|
| Threat Intel | 6 hours | Moderate — processes many indicators |
| Baseline | 24 hours | Infrequent — DNS changes slowly |
| Watchlist | 4 hours | Moderate — depends on watchlist size |
All inputs respect the API rate limit. Intervals shorter than the minimum are rejected during configuration.