Modular Inputs
Automated data collection: health check, threat intel, attack surface, watchlist.
Modular Inputs Documentation
The Whisper Security Add-on includes five modular inputs for automated data collection. All are configured via the Inputs page in the add-on UI and disabled by default.
API Health Check
Monitors the Whisper Knowledge Graph API availability and response time.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 300s (5 min) | 60-86400 | Check frequency |
| Account | required | — | Whisper API account |
| Index | _internal | — | Destination index |
Output: sourcetype=whisper:health
| Field | Description |
|---|---|
| status | UP or DOWN |
| node_count | Physical (persisted) graph nodes |
| edge_count | Physical (persisted) graph edges |
| virtual_node_count | Virtual (computed at query time) nodes |
| virtual_edge_count | Virtual (computed at query time) edges |
| total_node_count | Total nodes (physical + virtual) |
| total_edge_count | Total edges (physical + virtual) |
| object_count | Total object count across all types |
| threat_intel_loaded | Whether threat feeds are active |
| feed_source_count | Number of active threat feeds |
| asn_enrichment_loaded | Whether the ASN enrichment layer is active |
| prefix_bgp_enrichment_loaded | Whether the BGP prefix enrichment layer is active |
| threat_intel_refresh_in_progress | Whether a threat intel feed refresh is currently running |
| quota_plan | API plan name (e.g., Free, Professional) |
| quota_daily_limit | Maximum daily API queries allowed |
| quota_daily_used | API queries used today |
| quota_daily_remaining | API queries remaining today |
| quota_hourly_remaining | API queries remaining this hour |
| quota_max_timeout_ms | Maximum query timeout allowed (ms) |
| quota_max_response_limit | Maximum response row limit |
| quota_max_concurrent_queries | Maximum concurrent queries allowed |
| quota_concurrent_active | Currently active concurrent queries |
| response_time_ms | API response time in milliseconds |
| error | Error message (if status is DOWN) |
Verification:
```spl
index=_internal sourcetype="whisper:health" | head 5
```
ES Threat Intelligence Feed
Populates the Splunk ES threat intelligence framework with scored indicators from the Whisper explain() API.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 21600s (6 hr) | 300-86400 | Collection frequency |
| Max Indicators | 10000 | 1-100000 | Indicators per run |
| Include Infrastructure | off | — | Add ASN/country/prefix context |
| Account | required | — | Whisper API account |
| Index | _internal | — | Destination index |
Output: sourcetype=whisper:threat_intel
Where do threat indicators come from?
The input populates two KV Store collections:
| Collection | Key Field | Description |
|---|---|---|
| whisper_ip_intel | ip | IP indicators with threat scores, ASN, country |
| whisper_domain_intel | domain | Domain indicators with threat scores |
These integrate with ES via the threat intelligence framework. Correlation searches reference them automatically.
Automatic seeding: On first run, when both KV Store collections are empty, the input automatically queries the Whisper Knowledge Graph for IPV4 and HOSTNAME nodes with threatScore > 0. This bootstraps the collections so threat intelligence flows immediately without manual setup.
After the first run, the input re-assesses all existing indicators in the collections on each interval. To add new indicators, insert them into the appropriate collection:
```spl
| makeresults
| eval ip="203.0.113.50", description="Suspicious IP from investigation"
| outputlookup whisper_ip_intel append=true
```

```spl
| makeresults
| eval domain="malicious-example.com", description="Phishing domain"
| outputlookup whisper_domain_intel append=true
```
Verification:
```spl
| inputlookup whisper_ip_intel | head 10
```

```spl
| inputlookup whisper_domain_intel | head 10
```
Attack Surface Baseline
Collects DNS infrastructure snapshots for monitored domains. Used by the DNS Infrastructure Change Detection correlation search.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 86400s (24 hr) | 3600-604800 | Collection frequency |
| Domains | required | — | Comma-separated domain list |
| Account | required | — | Whisper API account |
| Index | whisper | — | Destination index |
How to specify domains
Enter the domains you want to monitor as a comma-separated list in the Domains field when configuring the input. For example:
example.com, corp.example.com, subsidiary.com
The input discovers the full DNS infrastructure for each domain (A records, nameservers, mail servers, CNAME chains, and subdomains). You do not need to list subdomains individually — they are discovered automatically.
Records collected per domain:
| Record Type | Cypher Query | Description |
|---|---|---|
| A | RESOLVES_TO → IPV4 | DNS A records |
| NS | NAMESERVER_FOR → HOSTNAME | Nameservers |
| MX | MAIL_FOR → HOSTNAME | Mail servers |
| CNAME | ALIAS_OF → HOSTNAME (up to 5 hops) | CNAME chains |
| SUBDOMAIN | CHILD_OF → HOSTNAME (up to 1000) | Subdomains |
Output: sourcetype=whisper:attack_surface
Each record is stored in the whisper_dns_baseline KV Store collection for change detection. This collection is also the seed source for the Watchlist Enrichment input (see below).
Verification:
```spl
`whisper_index` sourcetype="whisper:attack_surface" | stats count by domain, record_type
```
Watchlist Enrichment
Pre-computes enrichment for a custom list of indicators, storing results in KV Store for instant lookup without live API calls.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 14400s (4 hr) | 300-86400 | Enrichment frequency |
| Max Indicators | 10000 | 1-100000 | Indicators per run |
| Account | required | — | Whisper API account |
| Index | _internal | — | Destination index |
Output: sourcetype=whisper:watchlist
Results are stored in the whisper_precomputed_enrichment KV Store collection. The whisperlookup command checks this collection before making live API calls.
How to populate the watchlist
The input enriches all indicators in the whisper_watchlist KV Store collection. Each record has three fields:
| Field | Required | Description |
|---|---|---|
| indicator | yes | Domain name or IP address |
| indicator_type | no | "domain" or "ip" (auto-detected if omitted) |
| description | no | Free-text note (e.g., why this indicator is watched) |
Add indicators via SPL:
```spl
| makeresults
| eval indicator="example.com", indicator_type="domain", description="Primary domain"
| append [| makeresults | eval indicator="203.0.113.50", indicator_type="ip", description="Critical server"]
| outputlookup whisper_watchlist append=true
```
Bulk-load from existing Splunk data:
```spl
index=firewall action=blocked
| stats count by dest_ip
| where count > 100
| rename dest_ip AS indicator
| eval indicator_type="ip", description="Frequently blocked IP"
| outputlookup whisper_watchlist append=true
```
View current watchlist:
```spl
| inputlookup whisper_watchlist
```
Automatic seeding: When the watchlist collection is empty and an Attack Surface Baseline input has already run, the watchlist input automatically seeds itself with domains from the whisper_dns_baseline collection. This means your organization's known infrastructure domains are enriched by default without manual setup. You can add or remove indicators at any time after seeding.
Verification:
```spl
| inputlookup whisper_precomputed_enrichment | head 10
```
Multi-Tenant Attack Surface
Extends the baseline collection for MSSP/multi-tenant deployments. Create one input instance per client tenant.
| Setting | Default | Range | Description |
|---|---|---|---|
| Interval | 86400s (24 hr) | 3600-604800 | Collection frequency |
| Client ID | required | — | Unique tenant identifier |
| Domains | required | — | Comma-separated domain list |
| Max Domains | 500 | 1-10000 | Domains per run |
| Account | required | — | Whisper API account |
| Index | whisper | — | Destination index |
How to configure tenants
Create a separate input instance for each client. In each instance:
- Set Client ID to a unique tenant identifier (e.g., acme-corp, tenant-123)
- Enter the client's domains as a comma-separated list in the Domains field
- Optionally set Max Domains to limit the number of domains processed per run
For example, to monitor two clients you would create two input instances — one with Client ID = acme-corp and Domains = acme.com, acme.net, and another with Client ID = globex and Domains = globex.com.
Output: sourcetype=whisper:attack_surface (with client_id field) and sourcetype=whisper:attack_surface_change for detected changes.
DNS infrastructure changes are automatically detected by comparing against the previous checkpoint. High-priority changes (NS record changes) generate risk events.
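The checkpoint comparison described above, written out as an added example (not the add-on's own code): it models whisper_dns_baseline rows as (client_id, domain, record_type, value) records, normalizes DNS names before comparing so a case or trailing-dot difference in a re-collected record is not reported as a change, and marks NS changes high priority as stated. The field names, the change_type and priority labels, and the sample records are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable

HIGH_PRIORITY_TYPES = {"NS"}  # documented rule: NS record changes generate risk events

@dataclass(frozen=True, order=True)
class DnsRecord:
    client_id: str    # tenant key, so two clients' baselines are never compared with each other
    domain: str
    record_type: str  # A, NS, MX, CNAME or SUBDOMAIN, as in the records table
    value: str

    def normalized(self) -> "DnsRecord":
        # DNS names are case-insensitive and may carry a trailing dot; normalize before
        # comparing so a re-collected record is not reported as a spurious change.
        return DnsRecord(self.client_id, self.domain.lower().rstrip("."),
                         self.record_type.upper(), self.value.lower().rstrip("."))

@dataclass(frozen=True, order=True)
class Change:
    client_id: str
    domain: str
    record_type: str
    change_type: str  # "added" or "removed" (labels assumed for this example)
    value: str
    priority: str     # "high" for NS changes, otherwise "normal" (labels assumed)

def diff_baseline(previous: Iterable[DnsRecord], current: Iterable[DnsRecord]) -> list[Change]:
    """Compare the new snapshot with the previous checkpoint and classify each change."""
    prev = {r.normalized() for r in previous}
    cur = {r.normalized() for r in current}
    changes = []
    for change_type, records in (("added", cur - prev), ("removed", prev - cur)):
        for r in sorted(records):
            priority = "high" if r.record_type in HIGH_PRIORITY_TYPES else "normal"
            changes.append(Change(r.client_id, r.domain, r.record_type, change_type, r.value, priority))
    return sorted(changes)

# Constructed sample checkpoints for one tenant (not real data).
PREVIOUS = [DnsRecord("acme-corp", "acme.com", "A", "203.0.113.10"),
            DnsRecord("acme-corp", "acme.com", "NS", "ns1.acme.com"),
            DnsRecord("acme-corp", "acme.com", "NS", "ns2.acme.com"),
            DnsRecord("acme-corp", "acme.com", "MX", "mail.acme.com")]
CURRENT = [DnsRecord("acme-corp", "acme.com", "A", "203.0.113.11"),           # A record moved
           DnsRecord("acme-corp", "acme.com", "NS", "NS1.ACME.COM."),         # same NS, different spelling
           DnsRecord("acme-corp", "acme.com", "NS", "ns1.dns-host.example"),  # ns2 replaced: high priority
           DnsRecord("acme-corp", "acme.com", "MX", "mail.acme.com")]
```

Running `diff_baseline(PREVIOUS, CURRENT)` yields four changes: the A record added and removed at normal priority, and the NS record added and removed at high priority; the re-spelled ns1.acme.com produces no change.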
Verification:
```spl
`whisper_index` sourcetype="whisper:attack_surface" client_id="acme-corp" | stats count by domain
```

```spl
`whisper_index` sourcetype="whisper:attack_surface_change" | table _time, domain, record_type, change_type
```
Input scheduling guidelines
| Input | Recommended Interval | Notes |
|---|---|---|
| Health Check | 5 minutes | Frequent — lightweight API call |
| Threat Intel | 6 hours | Moderate — processes many indicators |
| Baseline | 24 hours | Infrequent — DNS changes slowly |
| Watchlist | 4 hours | Moderate — depends on watchlist size |
| Multi-Tenant | 24 hours | Infrequent — per-tenant baseline |
All inputs respect the API rate limit. Intervals shorter than the minimum are rejected during configuration.