Use Cases
Security workflows: threat intel, EASM, incident investigation, compliance.
Use Cases Documentation
Overview
This page organizes the Whisper Security Add-on capabilities by security workflow. Each use case shows the problem, the Splunk commands to solve it, and the expected output.
Threat intelligence enrichment
Enrich firewall logs with infrastructure context
Problem: Your firewall logs contain destination IPs, but you need ASN, country, and threat intelligence to prioritize alerts.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_threat_score > 0
| table _time dest_ip whisper_asn_name whisper_country whisper_threat_level whisper_threat_score
| sort -whisper_threat_score
```
Identify Tor exit nodes in your traffic
Problem: Detect connections to or from known Tor exit nodes.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_is_tor="true"
| table _time src_ip dest_ip whisper_asn_name whisper_country
```
Find connections to bulletproof hosting
Problem: Identify traffic to infrastructure hosted on ASNs known for hosting malicious content.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| lookup whisper_high_risk_asns_lookup asn AS whisper_asn OUTPUT asn_category
| where isnotnull(asn_category)
| table _time dest_ip whisper_asn whisper_asn_name asn_category
```
Cross-reference with multiple threat feeds
Problem: Check if indicators appear in multiple threat intelligence feeds for higher confidence.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip include_threat_intel=true include_feeds=true
| where whisper_threat_sources_count > 2
| table dest_ip whisper_threat_level whisper_threat_sources_count whisper_feed_names
```
External Attack Surface Management (EASM)
Monitor DNS infrastructure changes
Problem: Detect unauthorized changes to your external DNS infrastructure (new subdomains, IP changes, NS migrations).
Setup: Configure the Whisper DNS Baseline modular input with your domain list. The input runs on a schedule and detects changes between collections.
Query changes:
```spl
sourcetype=whisper:attack_surface_change
| stats count by domain change_type record_type
| sort -count
```
High-priority changes (NS and MX):
```spl
sourcetype=whisper:attack_surface_change record_type IN ("NS", "MX")
| table _time domain record_type change_type old_value new_value
```
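The change events the two queries above consume come from comparing one baseline collection with the next. The following Python is an added example, not the add-on's modular input, showing that comparison over two constructed snapshots: it emits one event per changed record, marks NS and MX changes as high priority, and aggregates them the way the `stats count by domain change_type record_type` query does. Domain names, record values and the `Change` field names are constructed for the example.

```python
"""Added example (not the Whisper add-on's code): diff two DNS baseline snapshots
into attack-surface change events. All names and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Record types whose changes usually mean delegation or mail routing moved.
HIGH_PRIORITY_TYPES = {"NS", "MX"}

Snapshot = Dict[Tuple[str, str], FrozenSet[str]]   # (domain, record_type) -> values


@dataclass(frozen=True)
class Change:
    domain: str
    record_type: str
    change_type: str            # added | removed | modified
    old_value: Optional[str]
    new_value: Optional[str]
    high_priority: bool


def diff_baselines(previous: Snapshot, current: Snapshot):
    """Return the changes between two collections, high-priority ones first.

    A record set where exactly one value left and one arrived is reported as a
    single 'modified' event with old_value/new_value, mirroring a baseline table;
    anything else becomes separate added/removed events."""
    changes = []
    for domain, rtype in sorted(set(previous) | set(current)):
        old = previous.get((domain, rtype), frozenset())
        new = current.get((domain, rtype), frozenset())
        added, removed = sorted(new - old), sorted(old - new)
        hp = rtype in HIGH_PRIORITY_TYPES
        if len(added) == 1 and len(removed) == 1:
            changes.append(Change(domain, rtype, "modified", removed[0], added[0], hp))
            continue
        changes.extend(Change(domain, rtype, "added", None, v, hp) for v in added)
        changes.extend(Change(domain, rtype, "removed", v, None, hp) for v in removed)
    # Stable sort: high-priority first, then by domain and record type.
    changes.sort(key=lambda c: (not c.high_priority, c.domain, c.record_type))
    return changes


def summarize(changes):
    """Counts keyed by (domain, change_type, record_type), like the stats query."""
    counts = {}
    for c in changes:
        key = (c.domain, c.change_type, c.record_type)
        counts[key] = counts.get(key, 0) + 1
    return counts


def high_priority_changes(changes):
    """Subset an analyst would look at first (NS and MX)."""
    return [c for c in changes if c.high_priority]


# Constructed snapshots: the second one shows an NS migration, an IP change and a new subdomain.
SNAPSHOT_PREV: Snapshot = {
    ("example.com", "NS"): frozenset({"ns1.example.net", "ns2.example.net"}),
    ("example.com", "MX"): frozenset({"10 mail.example.com"}),
    ("www.example.com", "A"): frozenset({"192.0.2.10"}),
}
SNAPSHOT_NOW: Snapshot = {
    ("example.com", "NS"): frozenset({"ns1.example.net", "ns1.unknown-provider.invalid"}),
    ("example.com", "MX"): frozenset({"10 mail.example.com"}),
    ("www.example.com", "A"): frozenset({"192.0.2.11"}),
    ("staging.example.com", "A"): frozenset({"203.0.113.5"}),
}

if __name__ == "__main__":
    for c in diff_baselines(SNAPSHOT_PREV, SNAPSHOT_NOW):
        flag = "HIGH" if c.high_priority else "info"
        print(f"[{flag}] {c.domain} {c.record_type} {c.change_type}: {c.old_value} -> {c.new_value}")
```

A scheduled collector would persist the previous snapshot and feed each run's result through `diff_baselines`; the NS change surfaces first even though the IP change and the new subdomain also appear in the summary.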
Detect subdomain takeover risk
Problem: Find dangling CNAME records that point to decommissioned services, creating subdomain takeover risk.
Solution:
```spl
| `whisper_cname_chain("cdn.yourdomain.com")`
| table cname_chain cname_target depth
```
API plan requirement: The `whisper_cname_chain` macro requires a Professional API plan (5-hop traversal depth).
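What makes a CNAME "dangling" is that the chain ends at a name that no longer exists, so the record keeps pointing at something nobody controls on your side. The following Python is an added example, not the add-on's macro, that walks a CNAME chain over a constructed zone snapshot and classifies how it ends: resolving to an address, dangling (NXDOMAIN past the first hop), a loop, or exceeding the hop limit. The `ZONE` dictionary, the hostnames and the 5-hop default are constructed for the example; the default mirrors the traversal depth quoted above.

```python
"""Added example (not the Whisper add-on's code): follow a CNAME chain and flag
chains that terminate in NXDOMAIN. Zone data below is constructed."""

# Constructed resolver data: name -> list of (record_type, value).
# A name absent from the dict stands for NXDOMAIN at the resolver.
ZONE = {
    "cdn.example.com": [("CNAME", "edge.cdn-provider.invalid")],
    "edge.cdn-provider.invalid": [("CNAME", "pop.cdn-provider.invalid")],
    "pop.cdn-provider.invalid": [("A", "198.51.100.7")],
    # CNAME still published, but the tenant it pointed at was decommissioned.
    "old-app.example.com": [("CNAME", "decommissioned-tenant.hosting.invalid")],
    "loop-a.example.com": [("CNAME", "loop-b.example.com")],
    "loop-b.example.com": [("CNAME", "loop-a.example.com")],
}


def _result(chain, status):
    return {"chain": chain, "target": chain[-1], "depth": len(chain) - 1, "status": status}


def follow_cname_chain(name, zone=ZONE, max_hops=5):
    """Return {"chain", "target", "depth", "status"} for name.

    status is one of: resolves | dangling | nxdomain | loop | depth_exceeded.
    'nxdomain' means the queried name itself does not exist; 'dangling' means a
    CNAME target further down the chain does not exist."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_hops + 1):
        records = zone.get(current)
        if records is None:
            return _result(chain, "dangling" if len(chain) > 1 else "nxdomain")
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if not cnames:                       # an A/AAAA/etc. answer ends the chain
            return _result(chain, "resolves")
        nxt = cnames[0]
        if nxt in seen:
            return _result(chain, "loop")
        if len(chain) > max_hops:            # would need more hops than allowed
            return _result(chain, "depth_exceeded")
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return _result(chain, "depth_exceeded")


def find_takeover_candidates(names, zone=ZONE):
    """Names whose CNAME chain ends at a target that no longer exists."""
    return [n for n in names if follow_cname_chain(n, zone)["status"] == "dangling"]


if __name__ == "__main__":
    for host in ["cdn.example.com", "old-app.example.com", "loop-a.example.com"]:
        r = follow_cname_chain(host)
        print(f"{host}: {r['status']} after {r['depth']} hop(s) -> {r['target']}")
```

The output rows carry the same three facts as the `cname_chain cname_target depth` table above, plus an explicit status; in practice the candidates from `find_takeover_candidates` are the records to remove or re-point, and a loop or depth-exceeded result is worth a look too, since neither resolves for clients.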
Map your external infrastructure
Problem: Get a complete inventory of your external-facing DNS, IP, and ASN infrastructure.
Solution:
```spl
sourcetype=whisper:attack_surface
| stats dc(record_value) AS unique_records values(record_value) AS records by domain record_type
| sort domain record_type
```
Incident investigation
Full infrastructure investigation
Problem: A suspicious domain or IP appears in your logs. You need to understand its complete infrastructure context.
Solution:
```spl
| `whisper_full_investigation("suspicious-domain.com")`
```
This macro returns:
- IP addresses the domain resolves to
- BGP prefix
- ASN and country information
- Co-hosted domain count
Pivot on shared infrastructure
Problem: You found a malicious domain. You need to find other domains sharing the same infrastructure.
Solution:
```spl
| `whisper_shared_nameservers("malicious-domain.com")`
| `whisper_cohosted_domains("malicious-domain.com")`
```
Investigate an ASN
Problem: You identified a suspicious ASN. You need to see all prefixes and hostnames behind it.
Solution:
```spl
| `whisper_asn_infrastructure("AS12345")`
```
Trace BGP routing
Problem: Verify that an IP's BGP routing matches its RIR registration to detect potential route hijacking.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_bgp_hijack_detected="true"
| table dest_ip whisper_bgp_announcing_asn whisper_bgp_registered_asn whisper_bgp_announced_prefix
```
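The comparison behind a flag like `whisper_bgp_hijack_detected` is between the announcing origin ASN and the ASN the RIR registered for the prefix. The Python below is an added example, not the add-on's enrichment logic, that performs that comparison on constructed route records and also reports the classic hijack shape the prose does not spell out: a more-specific prefix announced from a different origin, which wins longest-prefix matching over the legitimate announcement. The field names and ASN values are constructed.

```python
"""Added example (not the Whisper add-on's code): check an IP's BGP announcement
against its RIR registration. Route records below are constructed."""
import ipaddress


def assess_bgp_route(ip, announced_prefix, announcing_asn, registered_prefix, registered_asn):
    """Return a list of indicator names; an empty list means the route is consistent."""
    findings = []
    addr = ipaddress.ip_address(ip)
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    registered = ipaddress.ip_network(registered_prefix, strict=False)

    if addr not in announced:
        findings.append("ip_outside_announced_prefix")
    if announcing_asn.strip().upper() != registered_asn.strip().upper():
        findings.append("origin_asn_mismatch")
    # A more-specific prefix from another origin steers traffic away from the
    # registered holder because routers prefer the longest matching prefix.
    if (announced.version == registered.version
            and announced != registered
            and announced.subnet_of(registered)):
        findings.append("more_specific_announcement")
    return findings


def hijack_detected(route):
    """Mirror a boolean flag: the origin ASN differs from the registered one."""
    return "origin_asn_mismatch" in assess_bgp_route(**route)


def scan_routes(routes):
    """Map each destination IP to its findings, keeping only IPs with any finding."""
    return {r["ip"]: f for r in routes if (f := assess_bgp_route(**r))}


# Constructed enrichment records, one per destination IP.
SAMPLE_ROUTES = [
    {"ip": "198.51.100.20", "announced_prefix": "198.51.100.0/24", "announcing_asn": "AS64500",
     "registered_prefix": "198.51.100.0/24", "registered_asn": "AS64500"},
    {"ip": "198.51.100.130", "announced_prefix": "198.51.100.128/25", "announcing_asn": "AS64666",
     "registered_prefix": "198.51.100.0/24", "registered_asn": "AS64500"},
    {"ip": "203.0.113.9", "announced_prefix": "203.0.113.0/24", "announcing_asn": "as64501",
     "registered_prefix": "203.0.113.0/24", "registered_asn": "AS64501"},
]

if __name__ == "__main__":
    for ip, findings in scan_routes(SAMPLE_ROUTES).items():
        print(ip, ", ".join(findings))
```

Only the second record trips the check; the third shows why ASN comparison should be case-insensitive before it is used in a `where` clause.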
WHOIS-based attribution
Problem: Correlate domains by registration data to identify related threat infrastructure.
Solution:
```spl
| whisperquery query="MATCH (h:HOSTNAME {name: $domain})-[:HAS_EMAIL]->(e:EMAIL)<-[:HAS_EMAIL]-(other:HOSTNAME) RETURN other.name AS related_domain, e.name AS shared_email LIMIT 25" params="domain=suspicious-domain.com"
```
Compliance monitoring
SPF compliance audit
Problem: Check which of your domains have valid SPF records and comply with the RFC 7208 10-lookup limit.
Solution:
```spl
| `whisper_spf_chain("yourdomain.com")`
```
Or view the SPF Compliance dashboard for all monitored domains.
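The 10-lookup limit in RFC 7208 (section 4.6.4) counts every `include`, `a`, `mx`, `ptr` and `exists` mechanism and every `redirect` modifier, recursively through included records; `ip4`, `ip6` and `all` are free. The Python below is an added example, not the add-on's macro, that walks an SPF record tree served from a constructed dictionary instead of DNS and reports the lookup total and whether the domain is within the limit. The domains, records and the `audit_spf` result shape are constructed.

```python
"""Added example (not the Whisper add-on's code): count DNS lookups in an SPF
record tree against the RFC 7208 limit of 10. Records below are constructed."""
import re

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
_MODIFIER = re.compile(r"[a-z][\w.-]*=", re.IGNORECASE)   # e.g. redirect=, exp=

SPF_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.invalid include:_spf.crm.invalid mx -all",
    "_spf.mailer.invalid": "v=spf1 include:a.mailer.invalid include:b.mailer.invalid ~all",
    "a.mailer.invalid": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "b.mailer.invalid": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.crm.invalid": "v=spf1 exists:%{i}.spf.crm.invalid ptr -all",
    # Each include re-evaluates the whole example.com tree (1 + 9 lookups).
    "bloated.example.com": "v=spf1 include:example.com include:example.com -all",
}


def count_spf_lookups(domain, records=SPF_RECORDS, _depth=0):
    """Total DNS lookups needed to evaluate domain, following include and redirect."""
    if _depth > MAX_LOOKUPS:
        raise ValueError(f"include/redirect nesting too deep at {domain}")
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # the qualifier does not change lookup cost
        if _MODIFIER.match(term):                   # modifier
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                total += 1 + count_spf_lookups(value, records, _depth + 1)
            continue
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]           # "a/24" -> "a"
        if name == "include":
            total += 1 + count_spf_lookups(value, records, _depth + 1)
        elif name in LOOKUP_MECHANISMS:
            total += 1
    return total


def audit_spf(domain, records=SPF_RECORDS):
    """One compliance row per domain; a missing or broken record is non-compliant."""
    try:
        lookups = count_spf_lookups(domain, records)
    except ValueError as err:
        return {"domain": domain, "lookups": None, "compliant": False, "error": str(err)}
    return {"domain": domain, "lookups": lookups, "compliant": lookups <= MAX_LOOKUPS, "error": None}


if __name__ == "__main__":
    for d in ["example.com", "bloated.example.com", "missing.example.com"]:
        print(audit_spf(d))
```

Note that a second include of an already-seen domain still costs its full subtree again, which is how otherwise reasonable records drift past the limit after a few vendor additions.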
DNSSEC deployment status
Problem: Verify DNSSEC deployment across your domain portfolio.
Solution: The DNSSEC Compliance dashboard shows:
- DNSSEC adoption rate
- Deprecated algorithm usage (RSASHA1, DSA)
- Per-domain signing status with NIST SP 800-81 compliance assessment
Mail server configuration audit
Problem: Monitor MX record changes that could indicate email infrastructure compromise.
Solution: The Mail Configuration dashboard tracks:
- MX record inventory across all monitored domains
- Recent MX changes
- Per-domain mail server configuration history
Risk-based alerting
Enable correlation searches
Problem: You want automated alerting when Whisper data indicates infrastructure risk.
Setup:
- Navigate to Settings > Searches, Reports, and Alerts
- Enable the correlation searches relevant to your environment:
| Search | Risk signal |
|---|---|
| Bulletproof ASN Communication | Traffic to known bulletproof hosting |
| Shared Nameserver with Threat Infrastructure | DNS infrastructure overlap with threats |
| DNS Infrastructure Change Detection | Unexpected DNS changes |
| Low Co-Hosting Density Anomaly | Dedicated threat infrastructure |
| BGP Prefix Conflict Detection | Route hijacking indicators |
| Impossible Travel Detection | Geographically inconsistent resolution |
All enabled searches generate risk events with MITRE ATT&CK annotations for ES Risk-Based Alerting.
Custom risk-based workflows
Problem: You want to build custom alerts based on Whisper enrichment data.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_threat_score >= 50 AND whisper_is_threat="true"
| eval risk_message="Connection to high-threat IP " . dest_ip . " (ASN: " . whisper_asn_name . ", Score: " . whisper_threat_score . ")"
| eval risk_score=whisper_threat_score, risk_object=dest_ip, risk_object_type="system"
| collect index=risk
```

The `collect` command only accepts its own options (such as `index`), so the `risk_score`, `risk_object` and `risk_object_type` fields are set with `eval` before the events are written to the risk index.
Multi-tenant monitoring (MSSP)
Per-client attack surface monitoring
Problem: You manage security for multiple clients and need isolated monitoring for each.
Setup: Configure the Whisper Multi-Tenant Baseline input with per-client domain lists and indexes.
Per-client summary:
```spl
sourcetype=whisper:attack_surface_summary
| table client_id domains_processed changes_detected high_priority_changes elapsed_seconds
| sort -changes_detected
```
Cross-client threat comparison:
```spl
sourcetype=whisper:attack_surface_change
| stats count AS changes dc(domain) AS affected_domains by client_id
| sort -changes
```