Whisper Security Add-on for Splunk connects your Splunk environment to the Whisper Knowledge Graph: 7.3 billion nodes and 38 billion edges that map how the internet is wired. Hostnames, A/AAAA, CNAME, NS and MX records, SPF mechanism chains, BGP announcements, RIR allocations, ASN peering, WHOIS registrants, GeoIP, web-crawl link graph, and 5+ million threat-intel edges sourced from 40+ feeds across 18 categories — all queryable inline from the Splunk search bar over Cypher.
The add-on is built around three workflows:
1. Enrich customer logs. Pipe events through the `whisperlookup` streaming command to add ~60 enrichment fields per indicator: ASN, prefix, country, registrar, organization, threat score, risk score, threat level, and 13 boolean flags such as `whisper_is_c2`, `whisper_is_phishing`, `whisper_is_tor`, `whisper_is_malware`. Output is CIM-aliased so it drops straight into Network Resolution, DNS, and Threat Intelligence data models without custom field extractions.
2. Investigate one indicator. Open the Lookup / Investigation dashboard, type a domain or IP, and the dashboard fans out a dozen read-only graph pivots in parallel: shared nameservers, co-hosted domains, WHOIS-attribute pivots (registrar, organization, email, phone), CNAME and SPF chains up to 5 hops, BGP path through ANNOUNCED_PREFIX to ASN_NAME, web inbound/outbound link graph, and a `CALL explain()` threat assessment with score, level, factors, and contributing feeds.
3. Monitor owned domains. Point the DNS Baseline modular input at your domain list and the add-on captures DNS infrastructure snapshots on a schedule. The Attack Surface Change Timeline dashboard surfaces the diffs with risk scoring; the SPF Compliance and Mail Configuration dashboards cover the email side.
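The following is an added example (not code from the Whisper add-on or its vendor) that shows the mechanics behind workflows 2 and 3 in plain Python: take a DNS infrastructure snapshot of an owned domain, expanding the SPF `include:` chain up to 5 hops (and stopping on loops), then diff two snapshots and score each change so the riskiest one drives the alert level. The DNS records, the `newhost.test` change, the field names and the risk weights are all constructed for the example; a real deployment would fetch records with a resolver and use the add-on's own scoring.

```python
"""Added example: DNS baseline snapshot, SPF chain expansion, and risk-scored diff.
All DNS data below is a constructed in-memory fixture, not real zone data."""

from typing import Dict, List, Tuple

DnsTable = Dict[Tuple[str, str], List[str]]  # (owner name, rrtype) -> record values

# Constructed baseline for an owned domain.
DNS_BEFORE: DnsTable = {
    ("example.test", "A"): ["203.0.113.10"],
    ("example.test", "NS"): ["ns1.example.test", "ns2.example.test"],
    ("example.test", "MX"): ["10 mail.example.test"],
    ("example.test", "TXT"): ["v=spf1 include:_spf.mailer.test -all"],
    ("_spf.mailer.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.test ~all"],
    ("_spf2.mailer.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# Constructed later snapshot: an extra nameserver, MX moved, one more SPF include.
DNS_AFTER: DnsTable = dict(DNS_BEFORE)
DNS_AFTER[("example.test", "NS")] = ["ns1.example.test", "ns2.example.test", "ns1.newhost.test"]
DNS_AFTER[("example.test", "MX")] = ["10 mail.newhost.test"]
DNS_AFTER[("example.test", "TXT")] = ["v=spf1 include:_spf.mailer.test include:_spf.newhost.test -all"]
DNS_AFTER[("_spf.newhost.test", "TXT")] = ["v=spf1 ip4:203.0.113.0/24 -all"]

# Constructed loop: a.test includes b.test, which includes a.test again.
DNS_LOOP: DnsTable = {
    ("a.test", "TXT"): ["v=spf1 include:b.test -all"],
    ("b.test", "TXT"): ["v=spf1 include:a.test -all"],
}

MAX_SPF_HOPS = 5  # the domain's own record is hop 0; at most this many include: edges follow

# Assumed risk weights per changed field (constructed; not the add-on's scoring).
RISK_WEIGHT = {"NS": 80, "MX": 60, "SPF_CHAIN": 50, "A": 40}


def spf_chain(dns: DnsTable, domain: str, max_hops: int = MAX_SPF_HOPS) -> List[str]:
    """Walk include: mechanisms breadth-first from `domain`.

    Returns one "name: record" string per SPF record visited. Stops after
    `max_hops` include edges and never revisits a name, so loops terminate.
    """
    chain: List[str] = []
    seen = set()
    frontier = [domain]
    for _hop in range(max_hops + 1):
        next_frontier: List[str] = []
        for name in frontier:
            if name in seen:
                continue  # loop or diamond: already expanded
            seen.add(name)
            for txt in dns.get((name, "TXT"), []):
                if not txt.startswith("v=spf1"):
                    continue
                chain.append(f"{name}: {txt}")
                for mech in txt.split()[1:]:
                    if mech.startswith("include:"):
                        next_frontier.append(mech[len("include:"):])
        if not next_frontier:
            break
        frontier = next_frontier
    return chain


def snapshot(dns: DnsTable, domain: str) -> Dict[str, List[str]]:
    """Capture the infrastructure records a baseline compares over time."""
    snap = {rrtype: sorted(dns.get((domain, rrtype), [])) for rrtype in ("A", "NS", "MX")}
    snap["SPF_CHAIN"] = spf_chain(dns, domain)
    return snap


def diff_snapshots(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> List[dict]:
    """Return one change record per field whose value set moved, with a risk score."""
    changes = []
    for field, old_values in before.items():
        new_values = after.get(field, [])
        added = sorted(set(new_values) - set(old_values))
        removed = sorted(set(old_values) - set(new_values))
        if added or removed:
            changes.append({"field": field, "added": added, "removed": removed,
                            "risk": RISK_WEIGHT.get(field, 10)})
    return changes


def total_risk(changes: List[dict]) -> int:
    """The single riskiest change sets the alert level for the diff."""
    return max((c["risk"] for c in changes), default=0)


if __name__ == "__main__":
    before = snapshot(DNS_BEFORE, "example.test")
    after = snapshot(DNS_AFTER, "example.test")
    for change in diff_snapshots(before, after):
        print(f"[risk {change['risk']}] {change['field']}: +{change['added']} -{change['removed']}")
    print("overall risk:", total_risk(diff_snapshots(before, after)))
    print("loop chain:", spf_chain(DNS_LOOP, "a.test"))
```

Two design points carry over to real baselines: the SPF walk is breadth-first with a hop cap and a visited set, so a looping or very deep include tree can neither hang the collector nor inflate the snapshot, and the diff scores the field that changed rather than the number of values, so a single new nameserver (delegation takeover risk) outranks several changed A records.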
Two more things make this useful in practice:
- Direct Cypher access from Splunk. `whisperquery` runs ad-hoc parameterized Cypher against the graph from the search bar. Want to find every domain co-hosted with a phishing site, then check which of them share a registrant email? That is one query, not a tool-switching exercise. Procedures like `CALL explain(indicator)` and `CALL whisper.history(domain)` give scored threat assessments and historical WHOIS/BGP snapshots.
- Splunk ES integration without the lock-in. The add-on ships ES-compatible KV Store collections (`whisper_ip_intel`, `whisper_domain_intel`), an 'Enrich with Whisper' adaptive response action, CIM aliases, and nine `whisper_*` graph macros (`whisper_shared_nameservers`, `whisper_asn_infrastructure`, `whisper_cname_chain`, `whisper_spf_chain`, `whisper_bgp_peers`, `whisper_cohosted_domains`, `whisper_full_investigation`, `whisper_explain`, `whisper_index`).
The add-on runs identically on Splunk Enterprise, Splunk Cloud Classic (with IDM event-based pipeline), and Splunk Cloud Victoria.
Get a free API key at https://console.whisper.security to start.