Source Types

Source types written by the add-on for enrichment, threat intel, attack-surface, watchlist, and SPF compliance events.

Updated May 2026Splunk

Source Types Documentation

Overview

The Whisper Security Add-on produces events with the following source types. All events are written to the index configured in the modular input settings (default: whisper for data events, _internal for operational events).

Source type reference

whisper:enrichment

Enrichment results from the whisperlookup streaming command or the watchlist enrichment input.

PropertyValue
IndexConfigured per input (default: whisper)
Generated bywhisperlookup command, watchlist enrichment input
CIM modelsNetwork Resolution, DNS, Threat Intelligence
CIM tagsnetwork, resolution, dns
Event typewhisper_enrichment

Key fields:

FieldTypeDescription
whisper_ipstringResolved IP address
whisper_asnstringAutonomous System Number
whisper_asn_namestringASN organization name
whisper_countrystringCountry code
whisper_prefixstringIP prefix (CIDR notation)
whisper_threat_scorenumberThreat score (0-100+)
whisper_threat_levelstringNONE / LOW / MEDIUM / HIGH / CRITICAL
vendorstring"Whisper Security" (computed)
vendor_productstring"Whisper Knowledge Graph" (computed)

See the Enrichment page for the full field list (66+ fields).

Example event:

indicator=example.com indicator_type=domain whisper_ip=93.184.216.34 whisper_asn=AS15133 whisper_asn_name="Edgecast Inc." whisper_country=US whisper_threat_level=NONE whisper_threat_score=0

whisper:threat_intel

Threat intelligence collection events from the threat intel modular input.

PropertyValue
Index_internal
Generated byWhisper Threat Intelligence input
CIM modelsThreat Intelligence
CIM tagsthreat, report
Event typewhisper_threat_intel

Key fields:

FieldTypeDescription
indicatorstringIP or domain indicator
indicator_typestringip or domain
threat_scorenumberThreat score from explain API
threat_levelstringNONE / LOW / MEDIUM / HIGH / CRITICAL

whisper:attack_surface

DNS baseline collection events from the DNS baseline modular input.

PropertyValue
IndexConfigured per input (default: whisper)
Generated byWhisper DNS Baseline input
CIM models-- (not CIM-normalised; query by native field names)
CIM tags--
Event type--

Key fields:

FieldTypeDescription
domainstringMonitored domain
record_typestringDNS record type: A, NS, MX, CNAME, subdomain
record_valuestringDNS record value
collection_idstringUnique baseline collection identifier

Example event:

domain=example.com record_type=A record_value=93.184.216.34 collection_id=20260401T120000Z

whisper:watchlist

Pre-computed enrichment events from the watchlist modular input.

PropertyValue
IndexConfigured per input (default: whisper)
Generated byWhisper Watchlist Enrichment input
CIM modelsThreat Intelligence
CIM tagsthreat, report
Event typewhisper_watchlist

Key fields: Same as whisper:enrichment.

whisper:spf_compliance

SPF compliance check results from the compliance query input.

PropertyValue
IndexConfigured per input (default: whisper)
Generated byWhisper Compliance Queries input
CIM models--
CIM tags--
Field aliascollected_at aliased to last_checked

Index mapping
Source typeDefault indexPurpose
whisper:enrichmentwhisperEnrichment results
whisper:threat_intel_internalThreat intel collection logs
whisper:attack_surfacewhisperDNS baseline data
whisper:watchlistwhisperPre-computed enrichments
whisper:spf_compliancewhisperSPF compliance data
ta_whisper_graph_internalTA operational logs (UCC framework)

Custom index: All dashboards reference the whisper_index macro (default: index=whisper). Override this macro to use a different index for data events.

PreviousCIM MappingNextTroubleshooting