Download checksums (SHA256)

  • greynoise_113.tgz  e611576d467c8507b0efdf9833afc4e0344abfa8027a2e06dcdbda73cae37d50
  • greynoise_112.tgz  3720321ae53d9a6b811f830c2d0f1ffa884727ce59ac98f73e0f6f0362f8e317
  • greynoise_111.tgz  024ad28390a8ce9f5c56dd2eeabccb2993f5c622d8043d34392a5a745647656f
  • greynoise_100.tgz  6b159dd393ee4eb2956bf4ca4af7496e4440bd1b7a5ca30ab62c2fa1dcec15a4
GreyNoise

Splunk AppInspect Passed
Every device with a routable IPv4 address sees some amount of scan and attack traffic from Internet-wide scanners, attackers, bots, and worms. GreyNoise collects, analyzes, and filters this Internet background noise. Use the GreyNoise Splunk app to reduce false positives and filter Internet-wide scanners out of your logs.

GreyNoise Search Add-on for Splunk

Support

  • Splunk 8.0, 7.3, 7.2

Table of Contents

INSTALLATION

  • Hardware and OS requirements
  • Installation steps
  • Deployment

USER GUIDE

  • Commands and Sample Searches
  • ES Functionality
  • Troubleshooting

OVERVIEW

About GreyNoise Search Add-on for Splunk

Author GreyNoise
App Version 1.1.3
Vendor Products GreyNoise
Has index-time operations false
Create an index false
Implements summarization false

The GreyNoise Search Add-on for Splunk allows organizations to easily query the GreyNoise API to obtain intel on IPs seen within their logs. The app includes several custom commands and two adaptive response actions.

Release notes

1.1.3
About this release
  • Provides support for Splunk 8; the app runs under both Python 2.7 and 3.7.
  • Uses the new GreyNoise Python library.
  • A valid GreyNoise API key is required for the app to function.
  • The gnbulk command has been removed because its endpoint is deprecated.

Version 1.1.3 of the GreyNoise Search Addon for Splunk is compatible with:

Splunk Enterprise versions 7.2, 7.3, 8.0
Platforms Platform independent
Vendor Products GreyNoise API
Lookup file changes None

Prerequisites and Requirements

This app requires a valid GreyNoise API key to function. Search heads without Enterprise Security also require the Splunk Common Information Model (CIM) Add-on to be installed for the Modular Alerts to function.

Support
Email support@greynoise.io
Hours 9AM-5PM EDT Monday-Friday
Observed Holidays Major US Holidays

INSTALLATION AND CONFIGURATION

Hardware and software requirements

Hardware requirements

GreyNoise Search Addon for Splunk officially supports the following server platforms in the versions supported by
Splunk Enterprise:

  • Linux (Tested on Ubuntu 18.04)
  • macOS (Tested on macOS Mojave 10.14.6)

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Installation steps

Single-instance

Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app.
    Click on 'Set up' under the 'Actions' column. Enter the API key and then click Save.

Distributed

Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app.
    Click on 'Set up' under the 'Actions' column. Enter the API key and then click Save.

Installations on Search Heads without Enterprise Security

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app.
  3. Install the Splunk Common Information Model (CIM) Add-on.
    The CIM Add-on itself needs no configuration; the GreyNoise app still needs the API key entered on its Set up page.
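Installing from the CLI with a checksum gate. The following Python is an added example written for this page, not Splunkbase's or GreyNoise's own tooling: it checks a downloaded package against the SHA256 values published on this page and only then hands it to Splunk's `splunk install app` command. The function names, the dry-run default and the refusal to install a filename that has no published digest are this example's own choices; the API key still has to be entered on the app's Set up page afterwards.

```python
"""Added example (not Splunkbase's or GreyNoise's tooling): verify a downloaded
app package against the SHA256 values published on the Splunkbase page, and
only then hand it to the Splunk CLI. Function names and the dry-run behaviour
are this example's own choices."""
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional

# The four checksums exactly as listed on the Splunkbase download dialog.
PUBLISHED_SHA256 = {
    "greynoise_113.tgz": "e611576d467c8507b0efdf9833afc4e0344abfa8027a2e06dcdbda73cae37d50",
    "greynoise_112.tgz": "3720321ae53d9a6b811f830c2d0f1ffa884727ce59ac98f73e0f6f0362f8e317",
    "greynoise_111.tgz": "024ad28390a8ce9f5c56dd2eeabccb2993f5c622d8043d34392a5a745647656f",
    "greynoise_100.tgz": "6b159dd393ee4eb2956bf4ca4af7496e4440bd1b7a5ca30ab62c2fa1dcec15a4",
}


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory buffer as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """SHA256 of a file, streamed so a large .tgz is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def published_checksum(filename) -> Optional[str]:
    """Look up the published digest by package basename (None if unknown)."""
    return PUBLISHED_SHA256.get(Path(filename).name)


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_package(path, expected_hex: Optional[str] = None) -> bool:
    """True if the file's SHA256 equals the expected (or published) digest."""
    expected = expected_hex or published_checksum(path)
    if not expected:
        raise ValueError(f"no published checksum for {Path(path).name}; refusing to guess")
    return digest_matches(sha256_file(path), expected)


def install_command(path, splunk_bin: str = "splunk") -> List[str]:
    """The Splunk CLI invocation that installs an app package on a search head."""
    return [splunk_bin, "install", "app", str(path)]


def verify_and_install(path, splunk_bin: str = "splunk", dry_run: bool = True) -> List[str]:
    """Refuse to install a package whose digest does not match; return the command
    that was (or, with dry_run=True, would be) run."""
    if not verify_package(path):
        raise RuntimeError(f"SHA256 mismatch for {path}: do not install")
    cmd = install_command(path, splunk_bin)
    if not dry_run:
        if shutil.which(splunk_bin) is None:
            raise FileNotFoundError(
                f"{splunk_bin} not on PATH; pass splunk_bin=$SPLUNK_HOME/bin/splunk")
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    import sys
    pkg = sys.argv[1] if len(sys.argv) > 1 else "greynoise_113.tgz"
    print("would run:", " ".join(verify_and_install(pkg, dry_run=True)))
```

Run it with the downloaded package path as the first argument; pass `dry_run=False` and the full path to the `splunk` binary once the digest check passes. Install first, then open Apps > Manage Apps > Set up and enter the API key, as in the steps above.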

Adaptive Response

This app contains compatibility with the Enterprise Security feature Adaptive Response.
Responders can perform a quick check or a context check (single IP only) on IPs seen in alerts.

User Guide

Commands and Sample Searches

The following commands are included as part of the add-on:

  • gncontext
    • Search format: | gncontext ip=[ip_address]
    • Purpose: gncontext queries GreyNoise for activity data from a given IP address.
  • gnquick
    • Search format: | gnquick ip=[ip_address]
    • Purpose: gnquick queries GreyNoise to check whether a given IP address is "Internet background noise", or
      has been observed scanning or attacking devices across the Internet.
  • gnmulti

    • Search format: index=[your_index] | gnmulti ip_field=[ip_field]
    • Purpose: gnmulti returns whether IP address(es) are noise, similar to the gnquick command but able to be
      used for multiple IPs.
  • These commands correspond to specific endpoints in the GreyNoise API. Learn more about each endpoint in the
    GreyNoise API documentation.
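How a gnmulti-style command has to treat its input, as an added example written for this page rather than the add-on's own source. The release notes record that the command was changed to preserve event fields (1.1.0), to stop erroring when more than 100 IPs were sent per request (1.1.1), to give duplicate IPs their answer (1.1.2) and to report multivalued fields clearly (1.1.2). The code below implements those four behaviours over constructed sample events with an offline stand-in for the quick-check API. The 100-IP batch ceiling, the output field names `noise` and `gn_status`, the per-IP response shape, and the choice to skip RFC1918, loopback and link-local sources are assumptions, not documented app behaviour.

```python
"""Added example (not the add-on's own code): a gnmulti-style enrichment pass
that looks up the IPs in a batch of events against a quick-check API while
handling the edge cases called out in the add-on's release notes."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Assumption: the multi/quick endpoint rejects requests with more than 100 IPs
# (the v1.1.1 note only says that >100 IPs per request caused an error).
MAX_IPS_PER_REQUEST = 100

# Local policy choice, not app behaviour: RFC1918, loopback, link-local and
# "this network" sources cannot appear in Internet-wide scan data, so skip them
# and save API quota. Documentation ranges (198.51.100/24, 203.0.113/24) are
# deliberately not skipped so the constructed sample below reaches the lookup.
SKIP_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16"))

LookupFn = Callable[[List[str]], Dict[str, dict]]


class MultivaluedFieldError(ValueError):
    """The ip_field holds several values in one event; gnmulti expects exactly one."""


def normalize_ip(value) -> Optional[str]:
    """Return a canonical IPv4 string, or None if the value should not be queried."""
    if isinstance(value, (list, tuple, set)):
        raise MultivaluedFieldError(
            f"ip_field is multivalued ({len(value)} values); run mvexpand first")
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None                      # not an address at all, e.g. a hostname
    if ip.version != 4 or any(ip in net for net in SKIP_NETWORKS):
        return None
    return str(ip)


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def enrich_events(events: List[dict], ip_field: str, lookup: LookupFn,
                  max_per_request: int = MAX_IPS_PER_REQUEST) -> List[dict]:
    """Annotate each event with `noise` (True/False/None) and `gn_status`
    (queried/skipped). The output field names are this example's choice."""
    # Pass 1: distinct IPs worth querying, in first-seen order, so a duplicate
    # costs one lookup and still gets its answer (the v1.1.2 fix).
    wanted: List[str] = []
    seen = set()
    for ev in events:
        ip = normalize_ip(ev.get(ip_field))
        if ip and ip not in seen:
            seen.add(ip)
            wanted.append(ip)
    # Pass 2: query in bounded batches (the v1.1.1 fix).
    verdicts: Dict[str, dict] = {}
    for batch in chunked(wanted, max_per_request):
        verdicts.update(lookup(batch))
    # Pass 3: copy every original field through (v1.1.0 behaviour) and add ours.
    out = []
    for ev in events:
        enriched = dict(ev)
        ip = normalize_ip(ev.get(ip_field))
        hit = verdicts.get(ip) if ip else None
        enriched["noise"] = bool(hit["noise"]) if hit else None
        enriched["gn_status"] = "queried" if hit else "skipped"
        out.append(enriched)
    return out


def drop_noise(events: List[dict]) -> List[dict]:
    """Keep events whose source is not known background noise; unknowns stay."""
    return [ev for ev in events if ev.get("noise") is not True]


class FakeQuickApi:
    """Constructed offline stand-in for the multi/quick endpoint. The per-IP
    shape {ip, noise} is an assumption about the real response."""
    def __init__(self, noisy: Iterable[str]):
        self.noisy = set(noisy)
        self.calls: List[List[str]] = []

    def __call__(self, ips: List[str]) -> Dict[str, dict]:
        if len(ips) > MAX_IPS_PER_REQUEST:
            raise RuntimeError("endpoint rejected request: more than 100 IPs")
        self.calls.append(list(ips))
        return {ip: {"ip": ip, "noise": ip in self.noisy} for ip in ips}


# Constructed sample events (documentation-range addresses, not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2019-10-29T10:00:01", "src_ip": "198.51.100.7", "dest_port": 22},
    {"_time": "2019-10-29T10:00:02", "src_ip": "198.51.100.7", "dest_port": 23},
    {"_time": "2019-10-29T10:00:03", "src_ip": "10.0.0.5", "dest_port": 445},
    {"_time": "2019-10-29T10:00:04", "src_ip": "203.0.113.9", "dest_port": 22},
    {"_time": "2019-10-29T10:00:05", "src_ip": "not-an-ip", "dest_port": 80},
]


def demo() -> List[dict]:
    """Enrich the sample events with 198.51.100.7 flagged as noise, then filter."""
    api = FakeQuickApi(noisy=["198.51.100.7"])
    return drop_noise(enrich_events(SAMPLE_EVENTS, "src_ip", api))


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Run as a script it prints the three events that survive `drop_noise`. The SPL equivalent is `index=[your_index] | gnmulti ip_field=src_ip` followed by a `where` on whatever noise field the add-on actually emits; if `src_ip` can be multivalued, put `mvexpand src_ip` before the command instead of letting it error.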

ES Functionality

  • This app comes with two adaptive response actions: GreyNoise Quick Check and GreyNoise Context Check
  • This functionality can also be used outside of ES on alerts.
  • Results from these actions can be found in index=main sourcetype=greynoise
    • The two sources for these adaptive response actions are: source=greynoise_context and source=greynoise_quick
  • If executed from Incident Review, results can be accessed directly by refreshing the "Adaptive Responses" panel
    and clicking the appropriate link.

Troubleshooting

  • Custom commands return error code 1 when used and search.log contains a key error.
    • Check to see that the API key has been entered correctly in the app's setup page.
  • Alerts fail to write to index=main sourcetype=greynoise and Enterprise Security is not installed.
    • Install the Splunk Common Information Model (CIM) Add-on on the search head; without ES it is required for the Modular Alerts to work (see Prerequisites and Requirements).

Release Notes

v 1.0.0

  • Includes the following commands: gnbulk, gncontext, gnquick, gnmulti
  • Adaptive Response Actions: Quick Check and Context Check. [See above under 'ES Functionality']

v 1.1.0

  • Refactors the gnmulti command to preserve event information when used

v 1.1.1

  • Fixed a bug in the gnmulti command that caused an error when over 100 IPs were passed to the API endpoint

v 1.1.2

  • Fixed a bug in the gnmulti command that caused duplicate IPs to have corresponding GreyNoise information

v 1.1.3

  • Updated Greynoise library
  • App is updated to use Python 3.7 for Splunk 8 compatibility
  • gnbulk command has been removed as the endpoint is deprecated

Third-party software attributions/credits:

requirejs/text.js 2.0.15

(https://github.com/requirejs/text) - MIT License

Copyright jQuery Foundation and other contributors, https://jquery.org/

This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/requirejs/text

The following license applies to all parts of this software except as
documented below:

====

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Release Notes (Splunkbase)

Version 1.1.3 (Oct. 29, 2019)

  • Provides support for Splunk 8; the app runs under both Python 2.7 and 3.7.
  • Uses the new GreyNoise Python library.
  • A valid GreyNoise API key is required for the app to function.
  • The gnbulk command has been removed because its endpoint is deprecated.

Version 1.1.2 (Sept. 6, 2019)

  • Improves error messaging when a multivalued field is passed to the gnmulti command.

Version 1.1.1 (June 27, 2019)

  • v1.1.0: Refactors the gnmulti command to preserve event information when used.
  • v1.1.1: Fixed a bug in the gnmulti command that caused an error when over 100 IPs were passed to the API endpoint.

Version 1.0.0 (Aug. 2, 2018)

© 2005-2019 Splunk Inc. All rights reserved.