Saved Searches

What saved searches the add-on ships, how to customise the example enrichment templates, and how to build your own detections.

Updated April 2026

Saved Searches Documentation

The add-on ships a small set of saved searches. All of them are disabled by default.

Three workflows

The saved searches support three workflows:

  1. Enrichment pipelines -- Example templates that take events from a source index, run whisperlookup on an indicator field, and write the enriched events to a destination index the customer chooses.
  2. Indicator investigation -- Not a scheduled search; this runs on demand through the Lookup / Investigation dashboard.
  3. Owned-domain / attack-surface monitoring -- Not a saved search; driven by the owned-domain modular input and visualised on the Attack Surface Change Timeline dashboard.

What ships

Stanza -- Purpose

  • Whisper - Evict Expired Cache Entries -- Remove expired entries from the whisper_enrichment_cache KV Store. Enable if you use enrichment caching.
  • Whisper - Populate IP Threat Intel KV Store -- Optional ES Threat Intel populator for IPs.
  • Whisper - Populate Domain Threat Intel KV Store -- Optional ES Threat Intel populator for domains.
  • Whisper - Populate Precomputed Enrichment KV Store -- Optional; pre-warm the enrichment cache for frequently used indicators.
  • Example - Whisper - Enrich DNS Domains -- Template: enrich DNS query domains and write to a destination index.
  • Example - Whisper - Enrich Destination IPs -- Template: enrich destination IPs from network traffic.
  • Example - Whisper - Enrich Proxy Hostnames -- Template: enrich proxy/web hostnames.
  • Example - Whisper - Custom Graph Query Enrichment -- Template: run a custom Cypher query for enrichment.

Customising an enrichment template

Each template ships disabled and uses placeholder parameters. To adopt one:

  1. Copy the stanza into local/savedsearches.conf and rename it (e.g. My Company - Enrich DNS Domains).
  2. Replace the placeholders:
    • <source_index> -- the index containing your logs
    • <source_sourcetype> -- the sourcetype filter to apply
    • <indicator_field> / rename clause -- the field holding the IOC
    • <destination_index> -- the index where enriched events should land
    • <destination_sourcetype> -- a sourcetype to tag the enriched events
  3. Adjust dispatch.earliest_time and cron_schedule to match your dedup window and schedule.
  4. Set disabled = 0 and enableSched = 1.

Example template body:

index=<source_index> earliest=-15m <indicator_field>=*
| rename <indicator_field> as indicator
| dedup indicator
| whisperlookup field=indicator type=<domain|ip|auto>
| collect index=<destination_index> sourcetype="<destination_sourcetype>"

Building your own detections

The add-on does not ship prebuilt correlation searches. To build a detection of your own, either:

  • Clone the relevant example enrichment template and point it at the source index you want to monitor, or
  • Write a detection in SPL using whisperquery against the Graph and the enrichment fields produced by whisperlookup.
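The following local/savedsearches.conf is an added example, not a file shipped with the add-on, that carries the "Customising an enrichment template" steps and the "Building your own detections" advice through end to end: it clones the DNS enrichment template with the placeholders filled in, enables the shipped cache-evict search, and adds a simple first-seen detection over the enriched index. All index, sourcetype and field names (dns, dns:query, query, whisper_enriched, whisper:dns) are assumed values for an imaginary deployment. The detection does not use whisperquery, whose syntax this page does not show; it relies only on the indicator field the template itself creates.

```ini
# Added example (not from the add-on or its documentation): local/savedsearches.conf
# adopting "Example - Whisper - Enrich DNS Domains" and enabling the cache-evict search.
# Every index, sourcetype and field name below is an assumed placeholder value.

# 1. Cloned enrichment template, renamed so it does not collide with the shipped stanza.
[My Company - Enrich DNS Domains]
# Placeholders filled in (assumed): <source_index>=dns, <source_sourcetype>=dns:query,
# <indicator_field>=query, <destination_index>=whisper_enriched,
# <destination_sourcetype>=whisper:dns.
# The inline earliest=-15m from the template body is kept. A time modifier inside the
# search string takes precedence over dispatch.earliest_time, so change both together
# when you widen the dedup window.
search = index=dns sourcetype="dns:query" earliest=-15m query=* \
| rename query as indicator \
| dedup indicator \
| whisperlookup field=indicator type=domain \
| collect index=whisper_enriched sourcetype="whisper:dns"
# Schedule matches the 15-minute lookback, so each run enriches a fresh window.
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
disabled = 0

# 2. Enable the shipped cache-evict search (relevant once enrichment caching is in use).
[Whisper - Evict Expired Cache Entries]
enableSched = 1
disabled = 0

# 3. First-seen detection over the enriched index: alert on any indicator whose
# earliest appearance in the last 30 days falls inside the current 15-minute window.
# Only the indicator field created by the enrichment search above is required.
[My Company - New Indicator First Seen]
search = index=whisper_enriched sourcetype="whisper:dns" earliest=-30d \
| stats min(_time) as first_seen, max(_time) as last_seen, count by indicator \
| where first_seen >= relative_time(now(), "-15m")
dispatch.earliest_time = -30d
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
disabled = 0
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

Two practical checks before enabling: the destination index named in the collect clause must already exist on the indexer, since collect does not create it, and the detection's 30-day baseline scan is run every 15 minutes, so on a busy deployment a lookup or summary index holding previously seen indicators is a cheaper way to establish "first seen".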