Whisper, inside the tools you already run
Pipe Whisper’s infrastructure graph straight into Splunk, Microsoft Sentinel, and the SOAR workflows your team already lives in. One command enriches every event — no rip-and-replace, no new console to learn.
Multi-hop pivots, inside your SIEM
A flat lookup adds a column. Whisper adds the graph: from one IP in your alert, follow the ASN that routes it, the domains co-hosted alongside it, the registrant behind them, and the feeds that flag the whole cluster — without ever leaving Splunk or switching to another tab.
One command enriches every event
| dest_ip | whisper_asn_name | whisper_country | whisper_threat_level | whisper_is_tor |
|---|---|---|---|---|
| 1.1.1.1 | CLOUDFLARENET | US | INFO | 0 |
| 185.220.101.1 | TELNA-UK | DE | INFO | tor |
| 8.8.8.8 | US | INFO | 0 | |
| 104.16.132.229 | CLOUDFLARENET | US | INFO | 0 |
| 93.184.216.34 | SYSAID-ASN | CH | NONE | 0 |
Raw dest_ip in → ASN ownership, geo, threat level, and Tor/C2 flags out — inline. The Tor exit lights up on its own.
Connectors for the stack you run
Splunk and OpenCTI are live today. Microsoft Sentinel and Wazuh are close behind. Each one speaks its host platform’s native language.
Run a single `| whisperlookup` command over any field to enrich events inline with ASN ownership, geo, threat level, and Tor/C2 flags — plus a full Lookup / Investigation dashboard for ad-hoc pivots. Nothing leaves your indexers.
- whisperlookup SPL command
- Investigation dashboards
- Alert enrichment
- Threat scoring
Enrich Sentinel incidents and hunting queries with infrastructure context, so every external IP and domain carries its ownership, connections, and a sourced threat score.
- Incident enrichment
- KQL functions
- Hunting queries
Hydrate STIX observables with Whisper relationships — resolving IPs, co-hosted domains, shared certificates, and registrant pivots — straight into your threat-intel knowledge base.
- STIX observable enrichment
- Relationship pivots
- Native connector
Enrich Wazuh alerts and threat hunts with infrastructure intelligence on every external indicator — ASN ownership, co-hosting, and sourced threat scores.
- Alert enrichment
- Active response
- Threat hunting
Not on the list? Wire it up yourself
The same graph is a REST/Cypher API and an MCP endpoint. Drop infrastructure context into any pipeline, notebook, or AI agent in a few lines — no connector required.
Add infrastructure context to your stack
Install the Splunk app or the OpenCTI connector today, or talk to us about Sentinel and Wazuh — available cloud-hosted or on-prem.