Entities
Every node label in WhisperGraph — what it represents, its count, and the queryable properties on threat-listed indicators, prefixes, ASNs, and ROAs.
Entities Documentation
Every entity in WhisperGraph is a node with a label and a name. This page lists all 39 node labels — what each represents, roughly how many exist, and the properties you can filter and return. For the edges that join them, see Connection Types; for the chains that cross layers, see Pivoting Examples.
There is no Domain or FQDN label — every name is a HOSTNAME. Counts are a snapshot and drift with each refresh; CALL db.labels() returns the live set.
Node labels
Core DNS & addressing
| Label | Count | Description |
|---|---|---|
HOSTNAME | ~2.6B | A fully qualified domain name (google.com, mail.google.com). |
IPV4 | ~619M | An IPv4 address. |
IPV6 | ~820K | An IPv6 address. |
PREFIX | ~2.5M | A CIDR block an IP belongs to. |
ANNOUNCED_PREFIX | ~1.4M | A prefix actually announced in BGP. |
REGISTERED_PREFIX | ~326K | A prefix allocated by a regional registry. |
TLD | ~1.7K | A top-level domain (com, nissan). |
Routing & organization
| Label | Count | Description |
|---|---|---|
ASN | ~116K | An autonomous system, named AS + number (AS13335). |
ASN_NAME | ~108K | The registered name of an autonomous system. |
ORGANIZATION | ~119M | A registrant or network organization. |
RIR | 5 | A regional internet registry. |
TLD_OPERATOR | ~737 | A registry that operates one or more TLDs. |
WHOIS & registration
| Label | Count | Description |
|---|---|---|
REGISTRAR | ~51K | A domain registrar. |
EMAIL | ~237M | A WHOIS contact email. |
PHONE | ~60M | A WHOIS contact phone. |
RDAP_ENTITY | ~355K | An RDAP registration entity (id-only terminal node). |
Geo & DNSSEC
| Label | Count | Description |
|---|---|---|
CITY | ~54K | A GeoIP city (New York, US). |
COUNTRY | 424 | A country. |
DNSSEC_ALGORITHM | 8 | A DNSSEC signing algorithm. |
Threat intelligence
| Label | Count | Description |
|---|---|---|
FEED_SOURCE | 43 | A threat-intelligence feed (Spamhaus DROP, Feodo Tracker). |
CATEGORY | 25 | A threat or reference category (C2 Servers, TOR Network). |
THREAT_TAG | ~12K | A MISP-galaxy threat tag. |
THREAT_SIGNAL_TYPE | 11 | A threat-signal taxonomy entry (bulletproof-hosting, c2-hosting). |
ACTOR | ~1.2K | A named threat actor (APT28). Case-sensitive. |
ATTACK_PATTERN | 712 | A MITRE ATT&CK technique or tactic. |
RPKI & routing observations
| Label | Count | Description |
|---|---|---|
ROA | ~966K | An RPKI Route Origin Authorization. |
BGP_PATH_OBSERVATION | ~2.9M | An observed AS-path (id-only terminal node). |
Physical infrastructure
| Label | Count | Description |
|---|---|---|
FACILITY | ~5.9K | A datacenter or carrier-hotel building (Equinix DA1 - Dallas). |
INTERNET_EXCHANGE | ~1.3K | An internet exchange point (LINX LON1). |
SUBMARINE_CABLE | 694 | A subsea cable (2Africa). |
CABLE_LANDING | ~1.9K | A landing point for a subsea cable. |
CDN_POP | ~1.7K | A CDN point of presence (operator-prefixed id). |
DNS_ROOT_INSTANCE | ~1.3K | A root-server instance. |
CLOUD_REGION | 91 | A cloud-provider region (aws:eu-west-1). |
Egress, fingerprint & transparency
| Label | Count | Description |
|---|---|---|
VENDOR | 53 | A cloud or SaaS vendor that operates address space (cloudflare). |
TOR_RELAY | ~2.6K | A Tor relay, keyed by fingerprint. |
TLS_FINGERPRINT | 324 | A JA3 or JARM TLS fingerprint. |
CT_OBSERVATION | ~15K | A Certificate Transparency observation. |
DMARC_RECIPIENT | 7 | An address a domain sends DMARC reports to. |
Every node has a
nameproperty, and{name: "value"}lookups are indexed.FEED_SOURCE,CATEGORY,ANNOUNCED_PREFIX, andREGISTERED_PREFIXare virtual labels synthesized at query time. The small ones (FEED_SOURCE,CATEGORY) can be listed directly; reach the prefix labels through an edge (ANNOUNCED_BY,BELONGS_TO) rather than scanning them.BGP_PATH_OBSERVATIONandRDAP_ENTITYare id-only terminal nodes: they exist to be reached, and carry no further hops.
Node properties
Most labels carry only name. Threat-listed indicators, announced prefixes, ASNs, and ROAs carry richer, queryable properties.
Threat & verdict (on threat-listed IPV4 / IPV6 / HOSTNAME)
| Property | Type | Notes |
|---|---|---|
verdictScore | Double | Reconciled triage score — prefer this over threatScore. |
verdictLevel | String | Reconciled level: NONE … CRITICAL. |
verdictBlocking | Boolean | Whether the reconciled verdict recommends blocking. |
threatScore | Double | Raw feed-weighted score. Never clamped, so it keeps the full feed evidence. |
threatLevel | String | NONE / INFO / LOW / MEDIUM / HIGH / CRITICAL. |
threatSources | List | The feed names that flagged the indicator. |
threatFirstSeen / threatLastSeen | epoch ms | First/last time the indicator was seen on a feed. |
Boolean flags (also on threat-listed nodes): isThreat, isAnonymizer, isC2, isMalware, isPhishing, isSpam, isBruteforce, isScanner, isBlacklist, isTor, isProxy, isVpn, isWhitelist, isReputation, isBotnet, isDga, isStateActor, isExfilDestination, isOfacSanctioned.
Curated well-known infrastructure (public resolvers like 8.8.8.8) carries an allowlisted flag, and its verdict surfaces (verdictLevel, threatLevel, isThreat) are clamped to benign. The raw threatScore is never clamped, so WHERE ip.threatScore > 5 still matches an allowlisted resolver.
// Triage an IP on the reconciled verdict (preferred over raw threatScore)
MATCH (ip:IPV4 {name: "185.220.101.1"})
RETURN ip.name, ip.verdictScore, ip.verdictLevel, ip.verdictBlocking, ip.isTor, ip.isAnonymizer
LIMIT 1
BGP enrichment (on ANNOUNCED_PREFIX)
| Property | Type | Notes |
|---|---|---|
isMoas | Boolean | Currently announced by more than one origin AS (MOAS). |
isAnycast | Boolean | Announced from multiple locations. |
isWithdrawn | Boolean | Currently withdrawn from the routing table. |
threatScore / threatLevel / threatSources | Double / String / List | Aggregate threat across the prefix. |
rir | String | The allocating regional registry. |
registrationDate / lastChangedDate | date | Allocation and last-change dates. |
ASN aggregate threat (on ASN)
| Property | Type | Notes |
|---|---|---|
maxThreatScore / avgThreatScore | Double | Max / average threat across the AS's routed prefixes. |
overallThreatLevel | String | Rolled-up level for the AS. |
hasThreateningPrefixes | Boolean | Whether any routed prefix is threat-listed. |
rir | String | The allocating regional registry. |
registrationDate / lastChangedDate | date | Allocation and last-change dates. |
RPKI (on ROA)
| Property | Type | Notes |
|---|---|---|
asn | String | The authorized origin AS. |
maxLength | Int | Maximum prefix length the ROA authorizes. |
authSource | String | rpki or irr. |
trustAnchor | String | The RPKI trust anchor. |
validFrom / validUntil | timestamp | ROA validity window. |
Other enriched labels
| Label | Notable properties |
|---|---|
TOR_RELAY | name (fingerprint), fingerprint, exitAddressCount, source. |
CT_OBSERVATION | name (the observed cert name), certCount, firstSeen, lastSeen, wildcard. |
VENDOR | name (lowercase slug), displayName, category (saas, cloud), confidence. |
TLS_FINGERPRINT | name (jarm:/ja3:-prefixed hash), hash, kind, family, firstSeen, lastSeen, sourceCount. |
THREAT_SIGNAL_TYPE | name — one of 11 signal kinds, e.g. bulletproof-hosting, c2-hosting, toxic-neighborhood, coordinated-campaign. |
LISTED_INedges carry no queryable properties. The per-feed evidence behind a verdict (each feed's weight and first/last-seen timestamps) comes fromexplain(), which returns it as an inspectablesourcesarray.
Confirm a label before you anchor
CALL db.labels() YIELD label RETURN label ORDER BY label
db.labels() lists every node label with its count and does not count against your quota. Checking it first is the fastest cure for the most common mistake — anchoring on a label that doesn't exist and getting silent empty results. The full property set is available live via CALL db.propertyKeys() and CALL db.schema.nodeTypeProperties().