whisper.identify() — Identity & Assessment
Answer whose infrastructure a host is, whether it is dangerous, and — when there's no direct match — what sits around it. The identity family: identify, assess, walk.
whisper.identify() — Identity & Assessment Documentation
Three procedures answer the questions you ask about a host before you decide what to do with it: whose infrastructure is this, is it dangerous, and — when neither has a clean answer — what sits around it. They are built to run over a batch of hosts and return decision-ready columns, so they slot straight into triage and enrichment pipelines.
whisper.identify(hosts) — whose infrastructure is this
whisper.identify() resolves a host to the vendor or service that operates it. Pass one host or a batch (1 to 256 per call) and it returns the canonical identity plus the evidence behind it.
CALL whisper.identify(["api.stripe.com", "cdn.shopify.com"])
YIELD host, canonical_name, category, roles, host_class, confidence
RETURN host, canonical_name, category, host_class, confidence
| Column | Meaning |
|---|---|
host | The input host. |
canonical_name | The resolved vendor or service identity. |
category | What kind of service it is (saas, cloud, cdn, …). |
roles | The roles the host plays (api, mail, cdn-edge, …). |
host_class | A coarse classification of the host. |
confidence | How strongly the evidence supports the identity. |
evidence | The signals that produced the match. |
Use it to label infrastructure at scale — attributing a list of hostnames from a log or an alert to the services behind them, without a hop-by-hop traversal per host.
whisper.assess(hosts) — is it dangerous
whisper.assess() answers the safety question for a batch of hosts, and — critically — tells you how much it actually knows. The argument must be a list; passing a bare string returns a 400.
CALL whisper.assess(["example.com", "185.220.101.1"])
YIELD host, label, band, coverage, signals, evidence
RETURN host, label, band, coverage
| Column | Meaning |
|---|---|
label | The assessment (clean, suspicious, …). |
band | Severity band (NONE … CRITICAL). |
coverage | How much data backs the assessment. |
signals | The threat signals that fired. |
evidence | The underlying evidence. |
Gate on coverage. A clean label with coverage: no-data means we have no data on this host, not this host is safe. The coverage values are known-clean (we have data and it is clean), structural-only (we know the infrastructure but have no threat data), and no-data (nothing to go on). Treat no-data as unknown, never as benign.
whisper.walk(host [, depth] [, budgetMs]) — the structural neighborhood
When whisper.identify() has no direct match, whisper.walk() returns a bounded structural neighborhood — the host's siblings and the nearest known vendors — so you still get context to reason about an unknown host. It is depth- and budget-bounded so it stays fast on large networks.
CALL whisper.walk("unknown-host.example", 2, 800)
YIELD host, no_atlas_match, path
RETURN host, no_atlas_match, path
The optional second argument is the traversal depth and the third is a time budget in milliseconds. Keep both modest — this is a fallback for the case where a direct identity lookup came back empty, not a general graph crawler.
Where these fit
- Start with
identifyto attribute known infrastructure. - Use
assessfor the safety verdict on a batch, and always readcoveragebefore you act onlabel. - Fall back to
walkonly whenidentifyreturns no match and you need surrounding context.
For a single scored threat verdict with per-feed evidence, use explain(). For the full procedure catalog, see the Procedures overview.