GreyNoise Splunk app provides multiple dashboards to effectively analyse and visualize the contextual and statistical data provided by GreyNoise. It also includes custom commands and alert actions which can be used along with Splunk searches to leverage GreyNoise APIs for custom use cases. It periodically scans the Splunk deployment through saved search to indicate the noise IPs in the complete Splunk deployment. Along with this, the workflow action provided can be used to obtain live context information of any CIM compliant field containing an IP address.
Search Head Cluster
Scan Deploymentis configured on only single search head. In such cases, the configuration will not be visible on other search heads. In case if user wants to configure the
Logging(default is INFO), user can configure individually on every search head. This is recommended.
$SPLUNK_HOME$/etc/shcluster/apps/app-greynoise/local/server.confand add following information to the stanza:
conf_replication_include.app_greynoise_settings = true
Follow the below-listed steps to install an app from the bundle:
Note: This app contains Adaptive Response Actions, which can be used along with Splunk Enterprise Security. To use these alert actions on the Splunk instance without Splunk Enterprise Security, kindly install
Splunk Common Information Model (CIM).
The app can be configured in the following way:
Apps > GreyNoise App for Splunk > Configuration.
Apps > GreyNoise App for Splunk > Configurationand selecting Logging.
This feature helps user to scan the Splunk Deployment and identify the noise IP addresses from it. It can be configured in the following way:
Apps > GreyNoise App for Splunk > Configuration.
The following commands are included as a part of the app:
| gnip ip="(ip_address)"
| gnquick ip="(ip_address),(ip_address),(ip_address)" [OR] SPL_QUERY | gnquick ip_field="(ip_field)"
| gnquery query="(GNQL_query)" result_size="(result_size)"
| gnstats query="(GNQL_query)" count="(stats_count)"
SPL_QUERY | gnmulti ip_field="(ip_field)"
| gncontext ip="(ip_address)"
SPL_QUERY | gnfilter ip_field="(ip_field)" noise_events="(true/false)"
SPL_QUERY | gnenrich ip_field="(ip_field)"
Note : While executing the transforming commands from Splunk search UI, ensure that the event count passed to the command is less than 50,000, as per standard limits of Splunk. If the event count is higher than this number, user can create a Saved Search and pass higher number of Splunk statistical data to the command.
The following alert actions are included as a part of the app:
These alert actions can be used independently as well as with Splunk Enterprise Security in the form of Adaptive Response Actions. Results from these actions can be found in
The two sources for these adaptive response actions are:
Usage with Splunk Enterprise Security:
- These actions can be executed from Incident Review, and results can be accessed directly by refreshing the "Adaptive Responses" panel and clicking the appropriate link.
Identify Noise workflow action is enabled for all the CIM compliant IP fields which can be used to fetch the context information for the corresponding IP addresses.
This app contains the following three dashboards:
This app contains the following saved searches, which are used for populating data in the dashboard:
gn_scan_deployment_ip_lookuplookup and is triggered after configuring Scan Deployment feature.
gn_scan_deployment_ip_lookuplookup and is triggered at an interval of 60 minutes and scans the data of previous 70 minutes.
gn_overview_lookuplookup, and is triggered after configuring the API key.
gn_overview_lookuplookup, and is triggered at an interval of 30 minutes.
Note : greynoise_scan_deployment_once and greynoise_scan_deployment savedsearches are used for scanning the data indexed in Splunk. So, in case when these saved searches are skipped, the data indexed during that interval will not be scanned for noise status.
To uninstall app, user can follow below steps:
greynoise_overviewSaved Search is enabled.
greynoise_scan_deploymentSaved Search is enabled.
Exception occurred while fetching the context of the ip=<ip>. See greynoise_main.log for more details.
KV store not in ready state. Make sure it is enabled.is shown, ensure that KV store is enabled.
External command based lookup 'gn_scan_deployment_ip_lookup' is disabled because KV Store is disabled.
The third party library and its license information is as follows:
Bug fixes from 2.0.1
About this release
- Provides support for Splunk 8, specifically this app will work using both Python 2.7 or 3.7.
- Uses new Greynoise Python library
- You must have a valid GreyNoise API key for this app to function.
- `gnbulk` command has been removed as the endpoint is deprecated
Improves error messaging when a multivalued field is passed to the gnmulti command.
#### v 1.1.0
- Refactors the gnmulti command to preserve event information when used
#### v 1.1.1
- Fixed a bug in the gnmulti command that caused an error when over 100 IPs were passed to the API endpoint
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.