Splunk Integration Overview
Connect your Splunk environment to Whisper Security's Knowledge Graph for IOC enrichment, threat intel, and attack surface monitoring.
Splunk Technology Add-on for Whisper Security's Knowledge Graph API.
Overview
Whisper Splunk connects your Splunk environment to Whisper Security's Knowledge Graph -- billions of nodes, tens of billions of edges, and millions of threat intel edges across 40+ feed sources.
You get IOC enrichment, ad-hoc graph queries, threat intel lookups, risk-based alerting, correlation searches, attack surface monitoring, and compliance dashboards.
Components
| Component | Description |
|---|---|
| TA-whisper-security | Technology Add-on -- custom search commands, modular inputs, KV Store caching, and enrichment |
| ES Integration | Enterprise Security -- threat intel framework, risk-based alerting, correlation searches |
Search Commands
| Command | Type | Description |
|---|---|---|
| whisperlookup | Streaming | Enrich events with IOC context from the Knowledge Graph |
| whisperquery | Generating | Execute ad-hoc Cypher queries against the Knowledge Graph |
| whisperschema | Generating | Explore the Knowledge Graph schema (labels, relationships, properties, metadata) |
| whisperflush | Generating | Flush the enrichment cache |
Pre-Built Macros
| Macro | Description |
|---|---|
| whisper_shared_nameservers(domain) | Find domains sharing nameservers |
| whisper_asn_infrastructure(asn) | Enumerate prefixes and hostnames behind an ASN |
| whisper_cname_chain(domain) | Resolve CNAME chain (up to 5 hops) |
| whisper_spf_chain(domain) | Trace SPF include chain |
| whisper_bgp_peers(asn) | List BGP peers |
| whisper_cohosted_domains(domain) | Find co-hosted domains |
| whisper_full_investigation(indicator) | Full infrastructure investigation |
| whisper_explain(indicator) | Get threat assessment |
Correlation Searches
| Search | Schedule | Description |
|---|---|---|
| Bulletproof ASN Communication | 15 min | Detects communication with bulletproof hosting ASNs |
| Shared Nameserver with Threat Infrastructure | 4 hours | Identifies domains sharing nameservers with known threats |
| DNS Infrastructure Change Detection | 6 hours | Detects unexpected DNS infrastructure changes |
| Low Co-Hosting Density Anomaly | 30 min | Flags low co-hosting density (dedicated threat infrastructure) |
All correlation searches are disabled by default and generate ES risk events when enabled.
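The nameserver-sharing and co-hosting-density checks above reduce to simple graph-neighbour logic over DNS data. The Python below is an added illustration of that logic, not the add-on's correlation searches or its Cypher; every domain, nameserver, address and feed hit is constructed, and the density threshold and risk scores are assumptions, since the page does not state them.

```python
"""Detection logic behind two of the correlation searches listed above, as an
added illustration; this is not the add-on's own code. All domains, nameservers,
IPs and the feed hit below are constructed, and the density threshold and risk
scores are assumptions."""

from collections import defaultdict

# Constructed: domain -> authoritative nameservers
NAMESERVERS = {
    "corp-portal.example": {"ns1.legit-dns.example", "ns2.legit-dns.example"},
    "shop.example": {"ns1.legit-dns.example", "ns2.legit-dns.example"},
    "invoice-update.example": {"ns1.shady-dns.example", "ns2.shady-dns.example"},
    "login-verify.example": {"ns1.shady-dns.example"},
}

# Constructed: domain -> IPv4 addresses it currently resolves to
RESOLUTIONS = {
    "corp-portal.example": {"203.0.113.10"},
    "shop.example": {"203.0.113.10"},
    "blog.example": {"203.0.113.10"},
    "news.example": {"203.0.113.10"},
    "invoice-update.example": {"198.51.100.7"},
    "login-verify.example": {"198.51.100.8", "203.0.113.10"},
}

# Constructed: domains flagged by a threat feed
THREAT_DOMAINS = {"invoice-update.example"}

# Assumed threshold: an IP hosting fewer domains than this counts as dedicated
MIN_COHOST_DENSITY = 3


def nameserver_index(nameservers):
    """Invert domain -> NS into NS -> domains, i.e. walk the graph edge backwards."""
    index = defaultdict(set)
    for domain, ns_set in nameservers.items():
        for ns in ns_set:
            index[ns].add(domain)
    return index


def shared_nameserver_with_threats(nameservers, threat_domains):
    """Shared Nameserver with Threat Infrastructure: return
    {domain: {nameservers shared with a flagged domain}} for every
    domain that is not itself on the feed."""
    index = nameserver_index(nameservers)
    findings = {}
    for threat in threat_domains:
        for ns in nameservers.get(threat, ()):
            for neighbour in index[ns]:
                if neighbour not in threat_domains:
                    findings.setdefault(neighbour, set()).add(ns)
    return findings


def cohost_density(resolutions):
    """Number of distinct domains resolving to each IP."""
    hosted = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            hosted[ip].add(domain)
    return {ip: len(domains) for ip, domains in hosted.items()}


def low_cohost_density(resolutions, min_density=MIN_COHOST_DENSITY):
    """Low Co-Hosting Density Anomaly: return {domain: {ip: density}} listing
    only the IPs that host fewer than min_density domains. A domain that also
    sits on busy shared hosting is still reported for its dedicated IP."""
    density = cohost_density(resolutions)
    findings = {}
    for domain, ips in resolutions.items():
        low = {ip: density[ip] for ip in ips if density[ip] < min_density}
        if low:
            findings[domain] = low
    return findings


def risk_events(nameservers, resolutions, threat_domains):
    """Shape the findings as risk-event-like records, one per finding, with an
    assumed score per search (the real ES risk scores are not on the page)."""
    events = []
    for domain, shared in shared_nameserver_with_threats(nameservers, threat_domains).items():
        events.append({"risk_object": domain,
                       "search": "Shared Nameserver with Threat Infrastructure",
                       "risk_score": 40, "evidence": sorted(shared)})
    for domain, low in low_cohost_density(resolutions).items():
        events.append({"risk_object": domain,
                       "search": "Low Co-Hosting Density Anomaly",
                       "risk_score": 20, "evidence": sorted(low)})
    return events


if __name__ == "__main__":
    for event in risk_events(NAMESERVERS, RESOLUTIONS, THREAT_DOMAINS):
        print(event)
```

With the constructed data, login-verify.example is reported by both checks (it shares a nameserver with the flagged domain and has a dedicated IP alongside its shared-hosting address), which is the kind of stacking that risk-based alerting in ES is designed to surface.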
Getting Started
- About -- What the add-on does
- Requirements -- Hardware, software, and network prerequisites
- Installation -- Install the TA
- Configuration -- Set up your API key and connection settings
- Use Cases -- Security workflow examples
- Search Commands -- Start enriching events
- Dashboards -- Enable compliance and attack surface dashboards
Whisper Security Add-on for Splunk
The Whisper Security Add-on for Splunk connects your Splunk environment to Whisper Security's Knowledge Graph -- a large-scale internet infrastructure intelligence database.
Knowledge Graph at a glance
| Metric | Value |
|---|---|
| Total nodes | Billions |
| Total edges | Tens of billions |
| Threat intel edges | Millions |
| Threat feed sources | 40+ |
| Threat feed categories | 18 |
| Node types | 23 (HOSTNAME, IPV4, ASN, PREFIX, EMAIL, ORGANIZATION, ...) |
| Edge types | 60+ (DNS, BGP, WHOIS, GeoIP, SPF, Web, Threat) |
The graph covers DNS resolution, BGP routing, WHOIS registration, GeoIP location, SPF email authentication, web link relationships, and threat intelligence -- all queryable through a single Cypher API.
What the add-on does
The add-on brings this data into Splunk in four ways:
IOC enrichment -- Enrich IP addresses and domains in your security events with infrastructure context: ASN, country, threat score, CNAME chains, nameservers, WHOIS data, GeoIP, BGP hijack detection, and web link profiles. All enrichment happens inline in SPL via the whisperlookup streaming command.
Ad-hoc graph queries -- Execute Cypher queries directly against the Knowledge Graph from Splunk's search bar using whisperquery. Investigate infrastructure relationships, pivot across DNS/BGP/WHOIS data, and explore the graph schema with whisperschema.
Threat intelligence for Enterprise Security -- Populate ES threat intel collections (ip_intel and domain_intel) with Whisper data. Four correlation searches detect bulletproof ASN communication, shared nameservers with threat infrastructure, DNS changes, and co-hosting anomalies. All searches generate risk events with MITRE ATT&CK annotations.
Attack surface monitoring -- Track DNS infrastructure changes for your external-facing domains. Detect new subdomains, IP changes, nameserver migrations, and MX record modifications. Compliance dashboards cover SPF, DNSSEC, and mail configuration.
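The change detection described above amounts to diffing a stored DNS baseline against the zone's current state. The Python below is an added example of that comparison, not the add-on's DNS baseline input; the snapshot shape and all hostnames, nameservers and addresses are constructed.

```python
"""Baseline comparison behind the attack surface monitoring described above, as
an added illustration; it is not the add-on's DNS baseline input. The record
shape and every hostname, nameserver and address are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSnapshot:
    """DNS state of one external-facing zone at one point in time (constructed shape)."""
    a: dict            # hostname -> frozenset of IPv4 address strings
    ns: frozenset      # authoritative nameservers of the zone
    mx: frozenset      # mail exchangers of the zone


def diff_snapshots(baseline, current):
    """Compare two snapshots of the same zone and return change events as
    (change_type, subject, detail) tuples, in a stable order."""
    events = []
    old_hosts, new_hosts = set(baseline.a), set(current.a)

    # New subdomains: hostnames that did not exist in the baseline
    for host in sorted(new_hosts - old_hosts):
        events.append(("new_subdomain", host, sorted(current.a[host])))

    # Hostnames that disappeared (kept separate from IP changes)
    for host in sorted(old_hosts - new_hosts):
        events.append(("removed_hostname", host, sorted(baseline.a[host])))

    # IP changes for hostnames present in both snapshots
    for host in sorted(old_hosts & new_hosts):
        before, after = baseline.a[host], current.a[host]
        if before != after:
            events.append(("ip_change", host,
                           {"added": sorted(after - before), "removed": sorted(before - after)}))

    # Zone-level changes: nameserver migration and MX record modification
    if baseline.ns != current.ns:
        events.append(("nameserver_migration", "zone",
                       {"added": sorted(current.ns - baseline.ns),
                        "removed": sorted(baseline.ns - current.ns)}))
    if baseline.mx != current.mx:
        events.append(("mx_change", "zone",
                       {"added": sorted(current.mx - baseline.mx),
                        "removed": sorted(baseline.mx - current.mx)}))
    return events


def change_types(events):
    """Just the change_type column, handy for routing events to different alerts."""
    return [e[0] for e in events]


# Constructed baseline for example.com as captured on day 1
BASELINE = ZoneSnapshot(
    a={"www.example.com": frozenset({"203.0.113.10"}),
       "api.example.com": frozenset({"203.0.113.11"}),
       "mail.example.com": frozenset({"203.0.113.20"})},
    ns=frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
    mx=frozenset({"mail.example.com"}),
)

# Constructed current state: a new host, a moved API, new nameservers, an extra MX
CURRENT = ZoneSnapshot(
    a={"www.example.com": frozenset({"203.0.113.10"}),
       "api.example.com": frozenset({"198.51.100.5"}),
       "mail.example.com": frozenset({"203.0.113.20"}),
       "dev-old.example.com": frozenset({"192.0.2.44"})},
    ns=frozenset({"ns1.other-dns.net", "ns2.other-dns.net"}),
    mx=frozenset({"mail.example.com", "mx.third-party.example"}),
)


if __name__ == "__main__":
    for change in diff_snapshots(BASELINE, CURRENT):
        print(change)
```

Each event type maps onto one of the conditions named above (new subdomain, IP change, nameserver migration, MX modification); a nameserver migration or an unexpected MX addition is the kind of zone-level change that warrants a higher severity than a single host moving address.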
Feature matrix
| Feature | Description | Requires ES |
|---|---|---|
| whisperlookup command | Inline IOC enrichment | No |
| whisperquery command | Ad-hoc Cypher queries | No |
| whisperschema command | Graph schema exploration | No |
| whisperflush command | Cache management | No |
| 8 investigation macros | Pre-built Cypher queries | No |
| Health monitoring input | API health and graph stats | No |
| DNS baseline input | Attack surface monitoring | No |
| Multi-tenant baseline | MSSP multi-client support | No |
| Watchlist enrichment | Pre-computed IOC enrichment | No |
| Threat intel input | ES ip_intel / domain_intel | Yes |
| 29 correlation searches | Risk-based alerting with MITRE | Yes |
| Adaptive response action | Alert-triggered enrichment | Yes |
| 11 dashboards | Health, risk, compliance, investigation | No |
| KV Store caching | Enrichment result caching | No |
| CIM field mapping | Network Traffic, DNS, Threat Intelligence | No |
Compatibility
| Component | Supported versions |
|---|---|
| Splunk Enterprise | 9.3+ |
| Splunk Cloud | Victoria Experience |
| Python | 3.9, 3.11, 3.13 |
| Enterprise Security | 7.0+ |
Getting help
- Support: console.whisper.security/support
- Whisper Security: whisper.security