Download checksums (SHA256)

  • greynoise_112.tgz: 3720321ae53d9a6b811f830c2d0f1ffa884727ce59ac98f73e0f6f0362f8e317
  • greynoise_111.tgz: 024ad28390a8ce9f5c56dd2eeabccb2993f5c622d8043d34392a5a745647656f
  • greynoise_100.tgz: 6b159dd393ee4eb2956bf4ca4af7496e4440bd1b7a5ca30ab62c2fa1dcec15a4

GreyNoise

Every device with a routable IPv4 IP address sees some amount of scan and attack traffic from Internet-wide scanners, attackers, bots, and worms. GreyNoise collects, analyzes, and filters this Internet background noise. Use the GreyNoise Splunk app to reduce false-positives and filter Internet-wide scanners from your logs.

GreyNoise Search Add-on for Splunk

Support

  • Splunk 7.0, 7.1, 7.2, 7.3

Table of Contents

INSTALLATION

  • Hardware and OS requirements
  • Installation steps
  • Deployment

USER GUIDE

  • Commands and Sample Searches
  • ES Functionality
  • Troubleshooting

OVERVIEW

About GreyNoise Search Addon for Splunk

  • Author: GreyNoise
  • App Version: 1.1.2
  • Vendor Products: GreyNoise
  • Has index-time operations: false
  • Create an index: false
  • Implements summarization: false

The GreyNoise Search Add-on for Splunk allows organizations to easily query the GreyNoise API to obtain intel on IPs seen within their logs. The app includes several custom commands and two adaptive response actions.

Release notes

Version 1.1.2 is the third release. You must have a valid GreyNoise API key for this app to function.

About this release

Version 1.1.2 of the GreyNoise Search Addon for Splunk is compatible with:

  • Splunk Enterprise versions: 7.0, 7.1, 7.2, 7.3
  • Platforms: Platform independent
  • Vendor Products: GreyNoise API
  • Lookup file changes: None

Prerequisites and Requirements

This app requires a valid GreyNoise API key to function. Search heads without Enterprise Security also require the Splunk Common Information Model (CIM) Add-on to be installed.

Support

  • Email: support@greynoise.io
  • Hours: 9AM-5PM EDT Monday-Friday
  • Observed Holidays: Major US Holidays

INSTALLATION AND CONFIGURATION

Hardware and software requirements

Hardware requirements

GreyNoise Search Addon for Splunk officially supports the following server platforms in the versions supported by Splunk Enterprise:

  • Linux (Tested on Ubuntu 16.04)
  • macOS (Tested on macOS High Sierra 10.13.6 )

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Installation steps

Single-instance

Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the API key and then click Save.

Distributed

Install to search head

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app. Click on 'Set up' under the 'Actions' column. Enter the API key and then click Save.

Installations on Search Heads without Enterprise Security

  1. Install the app.
  2. Click on 'Apps' in the top left corner of the Splunk UI. Then click 'Manage Apps' and search for the app.
  3. Install the Splunk Common Information Model (CIM) Add-on. No configuration of this app is necessary.

Adaptive Response

This app is compatible with the Enterprise Security feature Adaptive Response.
Responders can perform a quick check or a context check (single IP only) on IPs seen in alerts.

User Guide

Commands and Sample Searches

The following commands are included as part of the add-on:

  • gnbulk
    • Search format: | gnbulk
    • Purpose: gnbulk queries GreyNoise for all noise IPs from today generated by internet scanners, search engines, and worms.
    • This command is intended to be used in a saved search to automatically populate a lookup.
  • gncontext
    • Search format: | gncontext ip=[ip_address]
    • Purpose: gncontext queries GreyNoise for activity data from a given IP address.
  • gnquick
    • Search format: | gnquick ip=[ip_address]
    • Purpose: gnquick queries GreyNoise to check whether a given IP address is "Internet background noise", i.e. has been observed scanning or attacking devices across the Internet.
  • gnmulti
    • Search format: index=[your_index] | gnmulti ip_field=[ip_field]
    • Purpose: gnmulti returns whether each IP address is noise, like gnquick, but it can be used for multiple IPs at once.
  • These commands correspond to specific endpoints in the GreyNoise API. Learn more about each endpoint in the GreyNoise API documentation.

ES Functionality

  • This app comes with two adaptive response actions: GreyNoise Quick Check and GreyNoise Context Check
    • GreyNoise Quick Check returns information from the /v2/noise/quick API endpoint, similar to gnquick.
    • GreyNoise Context Check returns information from the /v2/noise/context endpoint if given a single IP address
      (for example, if used in Incident Response). If given multiple addresses, it returns info from the
      /v2/noise/multi/quick endpoint.
  • This functionality can also be used outside of ES on alerts.
  • Results from these actions can be found in index=main sourcetype=greynoise
  • If executed from Incident Review, results can be accessed directly by refreshing the "Adaptive Responses" panel
    and clicking the appropriate link.
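The following Python sketch is an added example, not code from the GreyNoise add-on or from Splunk. It illustrates two things the command list and the ES section describe: how a gnmulti-style command can look up many IPs against the /v2/noise/multi/quick endpoint in batches while leaving the original event fields untouched (the v1.1.0 and v1.1.1 release notes), rejecting a multivalued field with a clear error (v1.1.2), and how the Context Check routing rule (one IP goes to /v2/noise/context, several go to /v2/noise/multi/quick) can be expressed. The endpoint paths come from the page; the request and response shapes, the `key` header and the 100-IP batch size are assumptions, and the HTTP transport is a constructed stand-in so the code runs offline.

```python
"""Added example (not the add-on's own code): batched GreyNoise noise lookups
that preserve event fields, plus the Context Check routing rule.
Assumptions: JSON body {"ips": [...]} for multi/quick, an API key sent in a
'key' header, and a 100-IP maximum per multi/quick request."""
import ipaddress
from typing import Callable, Dict, Iterable, List

MAX_IPS_PER_CALL = 100  # assumed batch size, motivated by the v1.1.1 fix

# transport(method, path, headers, json_body) -> parsed JSON. Injected so the
# example runs offline and so a test can count the requests that were made.
Transport = Callable[[str, str, Dict[str, str], object], object]


class GreyNoiseClient:
    def __init__(self, api_key: str, transport: Transport):
        if not api_key:
            # Troubleshooting section: a missing key surfaces as a key error.
            raise ValueError("GreyNoise API key missing: check the app setup page")
        self._headers = {"key": api_key, "Accept": "application/json"}
        self._transport = transport

    def quick(self, ip: str):
        return self._transport("GET", f"/v2/noise/quick/{ip}", self._headers, None)

    def context(self, ip: str):
        return self._transport("GET", f"/v2/noise/context/{ip}", self._headers, None)

    def multi_quick(self, ips: Iterable[str]) -> List[dict]:
        """Looks up many IPs, never sending more than MAX_IPS_PER_CALL per request."""
        unique = list(dict.fromkeys(ips))  # dedupe while keeping order
        results: List[dict] = []
        for start in range(0, len(unique), MAX_IPS_PER_CALL):
            batch = unique[start:start + MAX_IPS_PER_CALL]
            results.extend(self._transport("POST", "/v2/noise/multi/quick",
                                           self._headers, {"ips": batch}))
        return results


def is_ipv4(value) -> bool:
    """True only for a syntactically valid IPv4 address (GreyNoise covers IPv4)."""
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def gnmulti(client: GreyNoiseClient, events: List[dict], ip_field: str) -> List[dict]:
    """Adds a boolean 'noise' field to each event that carries a valid IP in ip_field."""
    ips = []
    for event in events:
        value = event.get(ip_field)
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            # v1.1.2: a multivalued field is an error, reported clearly rather than obscurely.
            raise ValueError(f"{ip_field} is multivalued; gnmulti expects one IP per event")
        if is_ipv4(value):
            ips.append(value)
    verdicts = {r["ip"]: bool(r["noise"]) for r in client.multi_quick(ips)}
    enriched = []
    for event in events:
        out = dict(event)  # copy, so every original field is preserved (v1.1.0)
        ip = event.get(ip_field)
        if isinstance(ip, str) and ip in verdicts:
            out["noise"] = verdicts[ip]
        enriched.append(out)
    return enriched


def context_check(client: GreyNoiseClient, ips: List[str]):
    """Mirrors the Context Check rule: a single IP -> context, several -> multi/quick."""
    valid = [ip for ip in dict.fromkeys(ips) if is_ipv4(ip)]
    if not valid:
        return []
    if len(valid) == 1:
        return [client.context(valid[0])]
    return client.multi_quick(valid)


def make_fake_transport(noise_ips: set) -> Transport:
    """Constructed stand-in for the GreyNoise API; records every request it receives."""
    calls: List[str] = []

    def transport(method, path, headers, body):
        assert headers.get("key"), "request sent without an API key"
        calls.append(f"{method} {path}")
        if path == "/v2/noise/multi/quick":
            return [{"ip": ip, "noise": ip in noise_ips} for ip in body["ips"]]
        ip = path.rsplit("/", 1)[-1]
        if path.startswith("/v2/noise/context/"):
            return {"ip": ip, "seen": ip in noise_ips}
        if path.startswith("/v2/noise/quick/"):
            return {"ip": ip, "noise": ip in noise_ips}
        raise RuntimeError("unexpected path " + path)

    transport.calls = calls
    return transport


if __name__ == "__main__":
    # Constructed sample events; 198.51.100.0/24 is reserved documentation space.
    fake = make_fake_transport({"198.51.100.7"})
    client = GreyNoiseClient("EXAMPLE-KEY", fake)
    events = [{"src": "198.51.100.7", "host": "fw1"}, {"src": "198.51.100.8", "host": "fw1"}]
    for row in gnmulti(client, events, "src"):
        print(row)
```

The transport is the only thing that touches the network, so swapping `make_fake_transport` for a real HTTP call is a one-function change; keeping the batching and field-preservation logic independent of it is what makes the over-100-IP case testable without an API key.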

Troubleshooting

  • Custom commands return error code 1 when used and search.log contains a key error.
    • Check to see that the API key has been entered correctly in the app's setup page.
  • Alerts fail to write to index=main sourcetype=greynoise and Enterprise Security is not installed.

Release Notes

v 1.0.0

  • Includes the following commands: gnbulk, gncontext, gnquick, gnmulti
  • Adaptive Response Actions: Quick Check and Context Check. [See above under 'ES Functionality']

v 1.1.0

  • Refactors the gnmulti command to preserve event information when used

v 1.1.1

  • Fixed a bug in the gnmulti command that caused an error when over 100 IPs were passed to the API endpoint

v 1.1.2

  • Improves error messaging when a multivalued field is passed to the gnmulti command

Third-party software attributions/credits:

requirejs/text.js 2.0.15

(https://github.com/requirejs/text) - MIT License

Copyright jQuery Foundation and other contributors, https://jquery.org/

This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/requirejs/text

The following license applies to all parts of this software except as
documented below:

====

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Release Notes

Version 1.1.2
Sept. 6, 2019

Improves error messaging when a multivalued field is passed to the gnmulti command.

Version 1.1.1
June 27, 2019

v 1.1.0

  • Refactors the gnmulti command to preserve event information when used

v 1.1.1

  • Fixed a bug in the gnmulti command that caused an error when over 100 IPs were passed to the API endpoint

Version 1.0.0
Aug. 2, 2018

Installs: 55
Downloads: 261