icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading GreyNoise
SHA256 checksum (greynoise_201.tgz) 0eba1f4a1d96f9e7145c3bc92084e85462cb339f3f68020d3ce4ba791e73ce0b SHA256 checksum (greynoise_113.tgz) e611576d467c8507b0efdf9833afc4e0344abfa8027a2e06dcdbda73cae37d50 SHA256 checksum (greynoise_112.tgz) 3720321ae53d9a6b811f830c2d0f1ffa884727ce59ac98f73e0f6f0362f8e317 SHA256 checksum (greynoise_111.tgz) 024ad28390a8ce9f5c56dd2eeabccb2993f5c622d8043d34392a5a745647656f SHA256 checksum (greynoise_100.tgz) 6b159dd393ee4eb2956bf4ca4af7496e4440bd1b7a5ca30ab62c2fa1dcec15a4
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

GreyNoise

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Overview
Details
Every device with a routable IPv4 IP address sees some amount of scan and attack traffic from Internet-wide scanners, attackers, bots, and worms. GreyNoise collects, analyzes, and filters this Internet background noise. Use the GreyNoise Splunk app to reduce false-positives and filter Internet-wide scanners from your logs.

GreyNoise App for Splunk

OVERVIEW

GreyNoise Splunk app provides multiple dashboards to effectively analyse and visualize the contextual and statistical data provided by GreyNoise. It also includes custom commands and alert actions which can be used along with Splunk searches to leverage GreyNoise APIs for custom use cases. It periodically scans the Splunk deployment through saved search to indicate the noise IPs in the complete Splunk deployment. Along with this, the workflow action provided can be used to obtain live context information of any CIM compliant field containing an IP address.

  • Author: GreyNoise Intelligence Inc
  • Version: 2.0.1
  • Creates Index: False
  • Has index-time operation: True
  • Implements summarization: False
  • Prerequisites: GreyNoise API Key, Search heads without Enterprise Security requires the Splunk Common Information Model (CIM) Add-on to for the Modular Alerts to function.

COMPATIBILITY MATRIX

  • Splunk Enterprise version: 8.0, 7.3, 7.2
  • OS: Platform independent
  • Vendor Products: GreyNoise API

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

Standalone Mode

  • Install GreyNoise App for Splunk. See INSTALLATION section for more details.
  • Configure the API key and log level. See CONFIGURATION section for details.

Search Head Cluster

  • In case of Search Head Clustering, make sure that the GreyNoise Setup and Scan Deployment is configured on only single search head. In such cases, the configuration will not be visible on other search heads. In case if user wants to configure the Logging (default is INFO), user can configure individually on every search head. This is recommended.
  • If user wants to replicate the configuration settings, follow these steps:
    • On search head deployer, extract the app at $SPLUNK_HOME$/etc/shcluster/apps.
    • Create stanza shclustering at path $SPLUNK_HOME$/etc/shcluster/apps/app-greynoise/local/server.conf and add following information to the stanza: conf_replication_include.app_greynoise_settings = true
    • Push the bundle to search head.
    • Configure the API key and log level. See CONFIGURATION section for details. Following these steps will replicate the configuration on all search heads.

INSTALLATION

Follow the below-listed steps to install an app from the bundle:

  • Download the App package.
  • From the UI navigate to Apps > Manage Apps.
  • In the top right corner select Install app from file.
  • Select Choose File and select the App package.
  • Select Upload and follow the prompts.
  • Restart the Splunk to complete the installation.

Note: This app contains Adaptive Response Actions, which can be used along with Splunk Enterprise Security. To use these alert actions on the Splunk instance without Splunk Enterprise Security, kindly install Splunk Common Information Model (CIM).

CONFIGURATION

The app can be configured in the following way:

  • From the Splunk UI navigate to Apps > GreyNoise App for Splunk > Configuration.
  • Click on GreyNoise Setup and enter the API Key.
  • Click on Save button.
  • The app is now configured and all the features apart from Scan Deployment are ready to be used.

Logging

  • User can configure the log level by navigating to Apps > GreyNoise App for Splunk > Configuration and selecting Logging.

SCAN DEPLOYMENT

This feature helps user to scan the Splunk Deployment and identify the noise IP addresses from it. It can be configured in the following way:

  • From the Splunk UI navigate to Apps > GreyNoise App for Splunk > Configuration.
  • Click on Scan Deployment.
  • Enter the following details to set up the Scan Deployment:
    • Indexes: Indexes to be scanned in the deployment.
    • CIM Fields: CIM fields containing IP address to scan for noise status.
    • Other Fields: Other comma(,) separated fields containing IP address to scan for noise status.
    • Scan Start Time: Time range for scanning the indexed Splunk data.
    • Enable Scan Deployment: Checkbox to enable or disable scanning of the deployment.
    • Force Scan Deployment: This is useful when user wants to override current running scan immediately and start a new one.

CUSTOM COMMANDS

The following commands are included as a part of the app:

  • gnip
    • Search format: | gnip ip="(ip_address)"
    • Purpose: Retrieves context information for a given IP address from the GreyNoise.
  • gnquick
    • Search format: | gnquick ip="(ip_address),(ip_address),(ip_address)" [OR] SPL_QUERY | gnquick ip_field="(ip_field)"
    • Purpose: Retrieve the noise status of all the IP addresses as separate events [OR] Retrieve the noise status for all the given IPs returned by the SPL_QUERY for specified ip_field.
  • gnquery
    • Search format: | gnquery query="(GNQL_query)" result_size="(result_size)"
    • Purpose: Retrieve the results of the given GNQL query from GreyNoise. result_size denotes the number of results to be retrieved which is capped at 50,000. result_size is an optional parameter with default value of 50,000.
  • gnstats
    • Search format: | gnstats query="(GNQL_query)" count="(stats_count)"
    • Purpose: Fetch the aggregate statistics for the top organizations, actors, tags, ASNs, countries, classifications, and operating systems of all the results for a given GNQL query. count denotes the number of stats to be retrieved. count is an optional parameter.
  • gnmulti
    • Search format: SPL_QUERY | gnmulti ip_field="(ip_field)"
    • Purpose: Retrieves noise status of the IP addresses represented by ip_field parameter present in each event, and adds the noise information to each event.
  • gncontext
    • Search format: | gncontext ip="(ip_address)"
    • Purpose: Retrieves context information for a given IP address from the GreyNoise.
  • gnfilter
    • Search format: SPL_QUERY | gnfilter ip_field="(ip_field)" noise_events="(true/false)"
    • Purpose: Filter Splunk events returned by given SPL_QUERY based on the noise status of IP address present in ip_field of the events. noise_events is an optional parameter with default value true. So, it will return events with noise IP addresses by default.
  • gnenrich
    • Search format: SPL_QUERY | gnenrich ip_field="(ip_field)"
    • Purpose: Enrich the Splunk events returned by given SPL_QUERY with the context information of IP address represented by ip_field in Splunk Search.

Note : While executing the transforming commands from Splunk search UI, ensure that the event count passed to the command is less than 50,000, as per standard limits of Splunk. If the event count is higher than this number, user can create a Saved Search and pass higher number of Splunk statistical data to the command.

ALERT ACTIONS

The following alert actions are included as a part of the app:

  • GreyNoise Quick Check: Returns noise information from GreyNoise for given IP addresses.
  • GreyNoise Context Check: Returns context information from GreyNoise for given IP Addresses.

These alert actions can be used independently as well as with Splunk Enterprise Security in the form of Adaptive Response Actions. Results from these actions can be found in index=main sourcetype=greynoise
The two sources for these adaptive response actions are: source=greynoise_context and source=greynoise_quick.

Usage with Splunk Enterprise Security:
- These actions can be executed from Incident Review, and results can be accessed directly by refreshing the "Adaptive Responses" panel and clicking the appropriate link.

WORKFLOW ACTION

Identify Noise workflow action is enabled for all the CIM compliant IP fields which can be used to fetch the context information for the corresponding IP addresses.

DASHBOARDS

This app contains the following three dashboards:

  • Overview: This dashboard represents an overall visualization of the statistics provided by GreyNoise platform as well as the statistics of the noise IPs in the Splunk deployment.
  • Noise IP Addresses: This dashboard displays all the IP addresses along with their noise status scanned by GreyNoise through Scan Deployment feature in the current Splunk deployment. This dashboard will be populated when Scan Deployment feature is enabled.
  • Live Investigation: This dashboard can be used to obtain context information fetched dynamically from the GreyNoise platform based on the form input provided.

SAVED SEARCHES

This app contains the following saved searches, which are used for populating data in the dashboard:

  • greynoise_scan_deployment_once: Used to populate gn_scan_deployment_ip_lookup lookup and is triggered after configuring Scan Deployment feature.
  • greynoise_scan_deployment: Used to populate gn_scan_deployment_ip_lookup lookup and is triggered at an interval of 60 minutes and scans the data of previous 70 minutes.
  • greynoise_overview_once: Used to populate gn_overview_lookup lookup, and is triggered after configuring the API key.
  • greynoise_overview: Used to populate gn_overview_lookup lookup, and is triggered at an interval of 30 minutes.

Note : greynoise_scan_deployment_once and greynoise_scan_deployment savedsearches are used for scanning the data indexed in Splunk. So, in case when these saved searches are skipped, the data indexed during that interval will not be scanned for noise status.

UNINSTALL APP

To uninstall app, user can follow below steps:

  • SSH to the Splunk instance
  • Go to folder apps($SPLUNK_HOME/etc/apps)
  • Remove the app-greynoise folder from apps directory
  • Restart Splunk

TROUBLESHOOTING

  • Alerts fail to write to index=main sourcetype=greynoise and Enterprise Security is not installed.
    • Ensure that the Splunk Common Information Model (CIM) Add-on has been installed. No configuration of this add-on is necessary.
  • Data in Overview dashboard is not being populated.
    • Ensure that greynoise_overview Saved Search is enabled.
  • Data in Noise IP Address dashboard is not being populated.
    • Ensure that the Scan Deployment feature is enabled. The data must populate in an hour. In case the issue still persists, make sure that greynoise_scan_deployment Saved Search is enabled.
    • Ensure that the KV store is enabled.
  • Custom commands are not being executed and failing with unknown exception. For example: Exception occurred while fetching the context of the ip=<ip>. See greynoise_main.log for more details.
    • Ensure that the user executing custom command has list_storage_passwords capability.
  • Noise information of some of the IP addresses is being missed in Noise IP Address dashboard.
    • Ensure that the corresponding index and fields are entered as per the format while enabling Scan Deployment feature.
  • Custom commands exited unexpectedly.
    • Ensure that maximum 50000 results are passed to the custom command while executing search from the Splunk Search Interface, as Splunk supports maximum 50000 results. For processing more results, Saved Searches can be used.
  • Scan Deployment feature is not working as expected.
    • Check for the messages in Splunk UI. If message like KV store not in ready state. Make sure it is enabled. is shown, ensure that KV store is enabled.
    • Check in splunkd.log for messages like External command based lookup 'gn_scan_deployment_ip_lookup' is disabled because KV Store is disabled.
    • If such messages show up, then ensure that the KV store is enabled.
  • In search head clustering, configurations are visible on only one search head and not on others.
    • This is the expected behaviour when replication is not enabled. The functionalities will work on all the search heads.

SUPPORT

OPEN SOURCE COMPONENTS AND LICENSES

The third party library and its license information is as follows:

COPYRIGHT

  • Copyright (C) 2020 GreyNoise Intelligence Inc. All Rights Reserved.

Release Notes

Version 2.0.1
Feb. 4, 2020

Bug fixes from 2.0.1

Version 1.1.3
Oct. 29, 2019

v 1.1.3

About this release
- Provides support for Splunk 8, specifically this app will work using both Python 2.7 or 3.7.
- Uses new Greynoise Python library
- You must have a valid GreyNoise API key for this app to function.
- `gnbulk` command has been removed as the endpoint is deprecated

Version 1.1.2
Sept. 6, 2019

Improves error messaging when a multivalued field is passed to the gnmulti command.

Version 1.1.1
June 27, 2019

#### v 1.1.0
- Refactors the gnmulti command to preserve event information when used

#### v 1.1.1
- Fixed a bug in the gnmulti command that caused an error when over 100 IPs were passed to the API endpoint

Version 1.0.0
Aug. 2, 2018

99
Installs
559
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.