Source Types
9 source types for enrichment, health, threat intel, attack surface, compliance.
Source Types Documentation
Overview
The Whisper Security Add-on produces events with the following source types. All events are written to the index configured in the modular input settings (default: whisper for data events, _internal for operational events).
Source type reference
whisper:enrichment
Enrichment results from the whisperlookup streaming command or the watchlist enrichment input.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | whisperlookup command, watchlist enrichment input |
| CIM models | Network Resolution, DNS, Threat Intelligence |
| CIM tags | network, resolution, dns |
| Event type | whisper_enrichment |
Key fields:
| Field | Type | Description |
|---|---|---|
| whisper_ip | string | Resolved IP address |
| whisper_asn | string | Autonomous System Number |
| whisper_asn_name | string | ASN organization name |
| whisper_country | string | Country code |
| whisper_prefix | string | IP prefix (CIDR notation) |
| whisper_threat_score | number | Threat score (0-100+) |
| whisper_threat_level | string | NONE / LOW / MEDIUM / HIGH / CRITICAL |
| vendor | string | "Whisper Security" (computed) |
| vendor_product | string | "Whisper Knowledge Graph" (computed) |
See the Enrichment page for the full field list (66+ fields).
Example event:
indicator=example.com indicator_type=domain whisper_ip=93.184.216.34 whisper_asn=AS15133 whisper_asn_name="Edgecast Inc." whisper_country=US whisper_threat_level=NONE whisper_threat_score=0
whisper:health
API health check events from the health monitoring modular input.
| Property | Value |
|---|---|
| Index | _internal |
| Generated by | Whisper API Health Check input |
| CIM models | -- |
| CIM tags | -- |
| Event type | whisper_health |
Key fields:
| Field | Type | Description |
|---|---|---|
| status | string | API health status: UP or ERROR |
| node_count | number | Total nodes in the Knowledge Graph |
| edge_count | number | Total edges in the Knowledge Graph |
| threat_intel_loaded | boolean | Whether threat intelligence data is available |
| feed_source_count | number | Number of active threat intel feed sources |
| response_time_ms | number | API response time in milliseconds |
Example event:
status=UP node_count=3671006529 edge_count=30815103317 threat_intel_loaded=true feed_source_count=40 response_time_ms=142
whisper:threat_intel
Threat intelligence collection events from the threat intel modular input.
| Property | Value |
|---|---|
| Index | _internal |
| Generated by | Whisper Threat Intelligence input |
| CIM models | Threat Intelligence |
| CIM tags | threat, report |
| Event type | whisper_threat_intel |
Key fields:
| Field | Type | Description |
|---|---|---|
| indicator | string | IP or domain indicator |
| indicator_type | string | ip or domain |
| threat_score | number | Threat score from explain API |
| threat_level | string | NONE / LOW / MEDIUM / HIGH / CRITICAL |
whisper:attack_surface
DNS baseline collection events from the DNS baseline modular input.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | Whisper DNS Baseline input, Multi-Tenant Baseline input |
| CIM models | Network Traffic |
| CIM tags | network, communicate |
| Event type | whisper_attack_surface |
Key fields:
| Field | Type | Description |
|---|---|---|
| domain | string | Monitored domain |
| record_type | string | DNS record type: A, NS, MX, CNAME, subdomain |
| record_value | string | DNS record value |
| collection_id | string | Unique baseline collection identifier |
| client_id | string | Tenant identifier (multi-tenant only) |
Example event:
domain=example.com record_type=A record_value=93.184.216.34 collection_id=20260401T120000Z
whisper:attack_surface_change
Infrastructure change detection events generated by comparing successive baseline collections.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | Whisper DNS Baseline input (change detection) |
| CIM models | Change |
| CIM tags | change |
| Event type | whisper_attack_surface_change |
Key fields:
| Field | Type | Description |
|---|---|---|
| domain | string | Affected domain |
| change_type | string | added or removed |
| record_type | string | DNS record type |
| old_value | string | Previous value (for removed) |
| new_value | string | New value (for added) |
| risk_score | number | Calculated risk score |
| mitre_attack | object | MITRE ATT&CK technique mapping |
Example event:
domain=example.com change_type=added record_type=A new_value=203.0.113.50 risk_score=45
whisper:attack_surface_summary
Collection summary events for multi-tenant baseline runs.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | Whisper Multi-Tenant Baseline input |
| CIM models | -- |
| CIM tags | -- |
| Event type | -- |
Key fields:
| Field | Type | Description |
|---|---|---|
| client_id | string | Tenant identifier |
| domains_processed | number | Domains successfully collected |
| changes_detected | number | Total changes found |
| high_priority_changes | number | NS/MX changes (high risk) |
| elapsed_seconds | number | Collection duration |
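The following added example (not the add-on's own code) shows how comparing two successive whisper:attack_surface collections yields events in the whisper:attack_surface_change shape, and how the changes_detected and high_priority_changes counters follow from them. The sample events and all function names are constructed for illustration; risk_score and mitre_attack are omitted because this page does not define how they are calculated.

```python
import shlex

# Constructed sample events in the documented whisper:attack_surface key=value shape.
BASELINE_OLD = """\
domain=example.com record_type=A record_value=93.184.216.34 collection_id=20260401T120000Z
domain=example.com record_type=NS record_value=ns1.example.net collection_id=20260401T120000Z
domain=example.com record_type=MX record_value=mail.example.com collection_id=20260401T120000Z
"""
BASELINE_NEW = """\
domain=example.com record_type=A record_value=93.184.216.34 collection_id=20260402T120000Z
domain=example.com record_type=A record_value=203.0.113.50 collection_id=20260402T120000Z
domain=example.com record_type=NS record_value=ns1.example.org collection_id=20260402T120000Z
domain=example.com record_type=MX record_value=mail.example.com collection_id=20260402T120000Z
"""
HIGH_PRIORITY_TYPES = {"NS", "MX"}  # the summary table counts NS/MX changes as high risk

def parse_events(text):
    """Parse key=value event lines into dicts; shlex keeps quoted values intact."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(t.split("=", 1) for t in shlex.split(line) if "=" in t))
    return events

def record_set(events):
    """Reduce a collection to (domain, record_type, record_value) tuples."""
    return {(e["domain"], e["record_type"], e["record_value"]) for e in events}

def diff_baselines(old_events, new_events):
    """Emit one change per record present in only one of the two collections."""
    old, new = record_set(old_events), record_set(new_events)
    changes = []
    for domain, rtype, value in sorted(new - old):
        changes.append({"domain": domain, "change_type": "added",
                        "record_type": rtype, "new_value": value})
    for domain, rtype, value in sorted(old - new):
        changes.append({"domain": domain, "change_type": "removed",
                        "record_type": rtype, "old_value": value})
    return changes

def summarize(changes):
    """Compute the two change counters of whisper:attack_surface_summary."""
    high = sum(c["record_type"] in HIGH_PRIORITY_TYPES for c in changes)
    return {"changes_detected": len(changes), "high_priority_changes": high}
```
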
whisper:watchlist
Pre-computed enrichment events from the watchlist modular input.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | Whisper Watchlist Enrichment input |
| CIM models | Threat Intelligence |
| CIM tags | threat, report |
| Event type | whisper_watchlist |
Key fields: Same as whisper:enrichment.
whisper:spf_compliance
SPF compliance check results from the compliance query input.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | Whisper Compliance Queries input |
| CIM models | -- |
| CIM tags | -- |
| Field alias | collected_at aliased to last_checked |
whisper:dnssec_compliance
DNSSEC compliance check results from the compliance query input.
| Property | Value |
|---|---|
| Index | Configured per input (default: whisper) |
| Generated by | Whisper Compliance Queries input |
| CIM models | -- |
| CIM tags | -- |
| Field alias | collected_at aliased to last_checked |
Index mapping
| Source type | Default index | Purpose |
|---|---|---|
| whisper:enrichment | whisper | Enrichment results |
| whisper:health | _internal | Operational health |
| whisper:threat_intel | _internal | Threat intel collection logs |
| whisper:attack_surface | whisper | DNS baseline data |
| whisper:attack_surface_change | whisper | Infrastructure changes |
| whisper:attack_surface_summary | whisper | Multi-tenant summaries |
| whisper:watchlist | whisper | Pre-computed enrichments |
| whisper:spf_compliance | whisper | SPF compliance data |
| whisper:dnssec_compliance | whisper | DNSSEC compliance data |
| ta_whisper_security | _internal | TA operational logs (UCC framework) |
Tip: All dashboards reference the whisper_index macro (default: index=whisper). Override this macro to use a different index for data events.