Splunk Use Cases for Infrastructure Intel
Security workflows: enrichment pipelines, indicator investigation, attack-surface monitoring, and ES integration.
The add-on does not ship a prebuilt correlation-search pack or an analytic story. To build detection logic of your own, clone one of the disabled example enrichment templates in savedsearches.conf and adapt it to your data model.
Overview
This page organizes the add-on's capabilities by security workflow. Each use case shows the problem, the Splunk commands that solve it, and the expected output.
Threat intelligence enrichment
Enrich firewall logs with infrastructure context
Problem: Your firewall logs contain destination IPs, but you need ASN, country, and threat intelligence to prioritize alerts.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_threat_score > 0
| table _time dest_ip whisper_asn_name whisper_country whisper_threat_level whisper_threat_score
| sort -whisper_threat_score
```
Identify Tor exit nodes in your traffic
Problem: Detect connections to or from known Tor exit nodes.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_is_tor="true"
| table _time src_ip dest_ip whisper_asn_name whisper_country
```
Find connections to bulletproof hosting
Problem: Identify traffic to infrastructure hosted on ASNs known for hosting malicious content.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| lookup whisper_high_risk_asns_lookup asn AS whisper_asn OUTPUT asn_category
| where isnotnull(asn_category)
| table _time dest_ip whisper_asn whisper_asn_name asn_category
```
Cross-reference with multiple threat feeds
Problem: Check if indicators appear in multiple threat intelligence feeds for higher confidence.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip include_threat_intel=true include_feeds=true
| where whisper_threat_sources_count > 2
| table dest_ip whisper_threat_level whisper_threat_sources_count whisper_feed_names
```
External Attack Surface Management (EASM)
Monitor DNS infrastructure changes
Problem: Detect unauthorized changes to your external DNS infrastructure (new subdomains, IP changes, NS migrations).
Setup: Configure the Whisper DNS Baseline modular input with your domain list. The input runs on a schedule and collects DNS infrastructure snapshots.
Query baseline data:
```spl
sourcetype=whisper:attack_surface
| stats count by domain record_type
| sort -count
```
View latest baseline for a domain:
```spl
sourcetype=whisper:attack_surface domain="example.com"
| stats latest(record_value) AS current_value by record_type
```
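The change detection that the baseline snapshots feed can be sketched offline. The following is an added Python example, not the add-on's own code: it diffs two constructed snapshots shaped like `whisper:attack_surface` rows (the `domain`, `record_type` and `record_value` field names are taken from the queries above; the values are made up) and classifies each difference as a new subdomain, an IP change or an NS migration.

```python
from collections import defaultdict

# Constructed snapshots shaped like whisper:attack_surface rows (assumption about
# the field names; the values are made up so the example runs offline).
BASELINE = [
    {"domain": "example.com", "record_type": "A", "record_value": "192.0.2.10"},
    {"domain": "example.com", "record_type": "NS", "record_value": "ns1.dns.example"},
    {"domain": "example.com", "record_type": "NS", "record_value": "ns2.dns.example"},
    {"domain": "www.example.com", "record_type": "CNAME", "record_value": "example.com"},
]
LATEST = [
    {"domain": "example.com", "record_type": "A", "record_value": "198.51.100.7"},
    {"domain": "example.com", "record_type": "NS", "record_value": "ns1.other.example"},
    {"domain": "example.com", "record_type": "NS", "record_value": "ns2.other.example"},
    {"domain": "www.example.com", "record_type": "CNAME", "record_value": "example.com"},
    {"domain": "staging.example.com", "record_type": "A", "record_value": "203.0.113.5"},
]


def index_records(events):
    """Group record values into a set per (domain, record_type)."""
    idx = defaultdict(set)
    for e in events:
        idx[(e["domain"], e["record_type"])].add(e["record_value"])
    return idx


def baseline_changes(previous, current):
    """Compare two snapshots and return (domain, record_type, change, removed, added)
    for every record set that differs, classified the way an alert would triage it."""
    before, after = index_records(previous), index_records(current)
    known = {domain for domain, _ in before}
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, set()), after.get(key, set())
        if old == new:
            continue                        # nothing moved for this record set
        domain, rtype = key
        if domain not in known:
            change = "new_subdomain"        # host never seen in the baseline
        elif rtype == "NS":
            change = "ns_migration"         # delegation moved to other servers
        elif rtype in ("A", "AAAA"):
            change = "ip_change"            # same name now points elsewhere
        else:
            change = "record_change"
        findings.append((domain, rtype, change, sorted(old - new), sorted(new - old)))
    return findings
```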
Detect subdomain takeover risk
Problem: Find dangling CNAME records that point to decommissioned services, creating subdomain takeover risk.
Solution:
```spl
| `whisper_cname_chain("cdn.yourdomain.com")`
| table cname_chain cname_target depth
```
API plan requirement: The `whisper_cname_chain` macro requires a Professional API plan (5-hop traversal depth).
Map your external infrastructure
Problem: Get a complete inventory of your external-facing DNS, IP, and ASN infrastructure.
Solution:
```spl
sourcetype=whisper:attack_surface
| stats dc(record_value) AS unique_records values(record_value) AS records by domain record_type
| sort domain record_type
```
Incident investigation
Full infrastructure investigation
Problem: A suspicious domain or IP appears in your logs. You need to understand its complete infrastructure context.
Solution:
```spl
| `whisper_full_investigation("suspicious-domain.com")`
```
This macro returns:
- IP addresses the domain resolves to
- BGP prefix
- ASN and country information
- Co-hosted domain count
Pivot on shared infrastructure
Problem: You found a malicious domain. You need to find other domains sharing the same infrastructure.
Solution:
```spl
| `whisper_shared_nameservers("malicious-domain.com")`
| `whisper_cohosted_domains("malicious-domain.com")`
```
Investigate an ASN
Problem: You identified a suspicious ASN. You need to see all prefixes and hostnames behind it.
Solution:
```spl
| `whisper_asn_infrastructure("AS12345")`
```
Trace BGP routing
Problem: Verify that an IP's BGP routing matches its RIR registration to detect potential route hijacking.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_bgp_hijack_detected="true"
| table dest_ip whisper_bgp_announcing_asn whisper_bgp_registered_asn whisper_bgp_announced_prefix
```
WHOIS-based attribution
Problem: Correlate domains by registration data to identify related threat infrastructure.
Solution:
```spl
| whisperquery query="MATCH (h:HOSTNAME {name: $domain})-[:HAS_EMAIL]->(e:EMAIL)<-[:HAS_EMAIL]-(other:HOSTNAME) RETURN other.name AS related_domain, e.name AS shared_email LIMIT 25" params="domain=suspicious-domain.com"
```
Compliance monitoring
SPF compliance audit
Problem: Check which of your domains have valid SPF records and comply with the RFC 7208 10-lookup limit.
Solution:
```spl
| `whisper_spf_chain("yourdomain.com")`
```
Or view the SPF Compliance dashboard for all monitored domains.
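To see what the 10-lookup check actually counts, here is an added Python example (not the add-on's code and not what `whisper_spf_chain` runs): it walks a constructed set of SPF TXT records the way RFC 7208 section 4.6.4 counts `include:`, `a`, `mx`, `ptr`, `exists` and `redirect=` terms. The `FAKE_TXT` zone and its domains are assumptions so the check runs offline.

```python
import re

# Constructed TXT answers standing in for live DNS (assumption, so this runs offline).
FAKE_TXT = {
    "yourdomain.com": "v=spf1 mx include:_spf.mailer.example include:spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 include:_netblocks.mailer.example -all",
    "_netblocks.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "spf.crm.example": "v=spf1 a mx:mail.crm.example redirect=spf2.crm.example",
    "spf2.crm.example": "v=spf1 ptr exists:%{i}.chk.crm.example -all",
    # Two nested includes push this record past the limit.
    "overlimit.example": "v=spf1 include:yourdomain.com include:spf.crm.example -all",
}

# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all/exp cost none.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)|^redirect=")
MAX_LOOKUPS = 10


def spf_lookups(domain, txt=FAKE_TXT, depth=0):
    """Count the DNS lookups needed to evaluate domain's SPF record, following
    include: and redirect= targets (the reference itself costs a lookup too)."""
    if depth > MAX_LOOKUPS:          # guard against include loops
        return MAX_LOOKUPS + 1
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0                     # no SPF record published: nothing to resolve
    count = 0
    for term in record.split()[1:]:
        match = LOOKUP_TERM.match(term)
        if not match:
            continue
        count += 1
        if term.startswith("redirect="):
            count += spf_lookups(term[len("redirect="):], txt, depth + 1)
        elif match.group(1) == "include":
            count += spf_lookups(term.split(":", 1)[1], txt, depth + 1)
    return count


def spf_compliant(domain, txt=FAKE_TXT):
    """True when the record stays within the RFC 7208 limit of 10 lookups."""
    return spf_lookups(domain, txt) <= MAX_LOOKUPS


if __name__ == "__main__":
    for d in ("yourdomain.com", "overlimit.example"):
        print(d, spf_lookups(d), "compliant" if spf_compliant(d) else "OVER LIMIT")
```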
Mail server configuration audit
Problem: Monitor MX record changes that could indicate email infrastructure compromise.
Solution: The Mail Configuration dashboard tracks:
- MX record inventory across all monitored domains
- Recent MX changes
- Per-domain mail server configuration history
Risk-based alerting
Enable correlation searches
Problem: You want automated alerting when Whisper data indicates infrastructure risk.
Setup:
- Navigate to Settings > Searches, Reports, and Alerts
- Enable the correlation searches relevant to your environment:
| Search | Risk signal |
|---|---|
| Bulletproof ASN Communication | Traffic to known bulletproof hosting |
| Shared Nameserver with Threat Infrastructure | DNS infrastructure overlap with threats |
| DNS Infrastructure Change Detection | Unexpected DNS changes |
| Low Co-Hosting Density Anomaly | Dedicated threat infrastructure |
| BGP Prefix Conflict Detection | Route hijacking indicators |
| Impossible Travel Detection | Geographically inconsistent resolution |
All enabled searches generate risk events with MITRE ATT&CK annotations for ES Risk-Based Alerting.
Custom risk-based workflows
Problem: You want to build custom alerts based on Whisper enrichment data.
Solution:
```spl
index=firewall sourcetype=pan:traffic
| whisperlookup field=dest_ip type=ip
| where whisper_threat_score >= 50 AND whisper_is_threat="true"
| eval risk_message="Connection to high-threat IP " . dest_ip . " (ASN: " . whisper_asn_name . ", Score: " . whisper_threat_score . ")"
| eval risk_score=whisper_threat_score, risk_object=dest_ip, risk_object_type="system"
| collect index=risk
```

The `collect` command only accepts its own arguments (such as `index`), so the risk fields are set with `eval` on the event before it is written to the risk index.
Cypher equivalents in the Cookbook
Every Splunk use case on this page has a Cypher counterpart in the Cookbook. Use Cypher when you want to pivot through the graph; use SPL when you want enrichment inline with your Splunk events.
- Firewall enrichment, Tor detection → SOC recipes
- Bulletproof hosting, ASN reputation → Threat-intel recipes
- BGP hijack detection → BGP recipes
- SPF/DMARC posture, dangling DNS → DNS/email recipes
- External attack-surface monitoring → Pentest recon recipes
- Insurance / third-party risk scoring → Insurance & TPRM recipes