Splunk Integration
Connect Splunk to WhisperGraph for IOC enrichment, ad-hoc graph queries, threat intel, and attack-surface monitoring. Components, commands, macros, and the full documentation index.
Splunk Integration Documentation
Whisper Splunk connects your Splunk environment to WhisperGraph — billions of nodes, tens of billions of edges, and millions of threat intelligence edges across 40+ feed sources. Enrich IOCs, run ad-hoc graph queries, populate ES threat intel, and monitor your owned attack surface — all from within Splunk.
Get the add-on: Whisper Security TA on Splunkbase →
What you get
IOC enrichment — Enrich IPs, domains, and hostnames in your Splunk events with threat intelligence, WHOIS, BGP routing, and geolocation. Streaming command (whisperlookup) processes events inline.
Ad-hoc graph queries — Run Cypher queries directly from the Splunk search bar with whisperquery. Trace infrastructure relationships, pivot across DNS, IP, ASN, and registration data without leaving Splunk.
Threat intelligence — Automated feeds populate KV Store collections with scored threat data. Integrates natively with Splunk Enterprise Security's threat-intel framework for risk-based alerting.
Attack surface monitoring — Scheduled modular inputs continuously monitor your domains, IPs, and ASNs for changes in DNS, routing, WHOIS, and threat-feed status. Alerts on new exposures automatically.
Dashboards and reporting — Pre-built dashboards for threat overview, enrichment activity, API health, and investigation workflows. Customizable with Splunk's dashboard framework.
The add-on focuses on three workflows: enrich your logs, investigate one indicator interactively, and monitor your owned domains. It does not ship a broad prebuilt detection pack and does not require Splunk ES by default.
Components
| Component | Description |
|---|---|
| TA-whisper-graph | Technology Add-on — custom search commands, modular inputs, KV Store caching, enrichment, investigation dashboard, attack-surface and compliance dashboards |
| ES Integration | Threat-intel KV Store populators and example enrichment-to-risk pipelines. Opt-in, disabled by default. |
Search commands
| Command | Type | Description |
|---|---|---|
| whisperlookup | Streaming | Enrich events with IOC context from WhisperGraph |
| whisperquery | Generating | Execute ad-hoc Cypher queries against WhisperGraph |
| whisperschema | Generating | Explore the graph schema (labels, relationships, properties, metadata) |
| whisperflush | Generating | Flush the enrichment cache |
See the full search commands reference.
Pre-built investigation macros
| Macro | Description |
|---|---|
| whisper_shared_nameservers(domain) | Find domains sharing nameservers |
| whisper_asn_infrastructure(asn) | Enumerate prefixes and hostnames behind an ASN |
| whisper_cname_chain(domain) | Resolve CNAME chain (up to 5 hops) |
| whisper_spf_chain(domain) | Trace SPF include chain |
| whisper_bgp_peers(asn) | List BGP peers |
| whisper_cohosted_domains(domain) | Find co-hosted domains |
| whisper_full_investigation(indicator) | Full infrastructure investigation |
| whisper_explain(indicator) | Get threat assessment |
See the investigation macros reference.
Saved searches
The add-on ships only the searches needed for the three workflows above. The broad prebuilt detection pack was removed in favour of disabled example enrichment templates customers can clone and tailor.
| Search | Kind | Default |
|---|---|---|
| Whisper - Evict Expired Cache Entries | Utility | Disabled |
| Whisper - Populate IP Threat Intel KV Store | ES populator | Disabled |
| Whisper - Populate Domain Threat Intel KV Store | ES populator | Disabled |
| Whisper - Populate Precomputed Enrichment KV Store | Utility | Disabled |
| Example - Whisper - Enrich DNS Domains | Enrichment template | Disabled |
| Example - Whisper - Enrich Destination IPs | Enrichment template | Disabled |
| Example - Whisper - Enrich Proxy Hostnames | Enrichment template | Disabled |
| Example - Whisper - Custom Graph Query Enrichment | Enrichment template | Disabled |
See the saved searches reference.
Getting started
| Step | Guide |
|---|---|
| 1. Check requirements | Requirements |
| 2. Install the add-on | Installation |
| 3. Configure API key | Configuration |
| 4. Start enriching events | Search Commands |
Documentation index
Setup
- Requirements — Software versions, network access, and permissions
- Installation — Single-instance, distributed, and Splunk Cloud deployment
- Deployment Architecture — Enterprise patterns: SHC, deployment server, indexer clusters
- Configuration — API key, proxy, caching, and modular input settings
Core features
- Search Commands — whisperlookup and whisperquery reference
- Enrichment Pipeline — How IOC enrichment works end to end
- Lookups — KV Store lookup tables and automatic enrichment
- Modular Inputs — Scheduled data collection (threat intel, baselines, watchlists)
- Saved Searches — Example enrichment templates, KV Store populators, and how to build your own detections
- Dashboards — Pre-built views and customization
Advanced
- Enterprise Security — Threat intel framework, risk-based alerting, correlation searches
- Investigation Macros — One-click investigation shortcuts
- Cypher Reference — Query syntax reference for Splunk users
- CIM Mapping — Common Information Model field mapping
- Source Types — Event types and source type reference
- Use Cases — Real-world workflows and examples
Reference
- Troubleshooting — Common issues and fixes