This app was created to allow Splunk users to programmatically query the Greynoise.io API. It does this by leveraging the Adaptive Response Framework.
As an Alert Action
- Install the Splunk Add-on for CIM https://splunkbase.splunk.com/app/1621/
- Git clone this repo and install the add-on on the following server types: Indexer, Search Head
- After installation, restart the Indexer and Search Head
- If you use a proxy, visit https://yoursplunkserver/en-GB/app/TA-greynoise/configuration#proxy and configure the proxy settings
- Configure the destination index that this data will be stored in by visiting https://yoursplunkserver/en-GB/app/TA-greynoise/configuration#add-on-settings
- Write a search that generates IP addresses, such as index=firewall | stats count by src_ip | head 10
- Click Save as Alert
- Under Triggers, click Add Action and select Query IP.
- Enter the field you want to search against GreyNoise with '$' preceding and following, for example $src_ip$. Data is stored in the index specified in Step 5.
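The steps above hand the alert action a field token such as $src_ip$, which the add-on resolves against each result row before querying GreyNoise (and, from 1.1.0, validates as an IP first). The following is an added illustration of that contract, written for this README and not the add-on's own code; the token syntax, the sample rows and the rule that only globally routable addresses are worth a lookup are assumptions.

```python
import ipaddress
import re

# Token contract from the setup steps: the field name wrapped in '$',
# e.g. "$src_ip$". This regex and the helpers below are illustrative
# (not the add-on's implementation).
TOKEN_RE = re.compile(r"^\$(?P<field>[A-Za-z_][A-Za-z0-9_]*)\$$")


def resolve_token(token, result):
    """Return the value of the field named by a $field$ token in one result row."""
    m = TOKEN_RE.match(token.strip())
    if not m:
        raise ValueError("field token must look like $src_ip$, got %r" % token)
    return result.get(m.group("field"))


def queryable_ip(value):
    """Return a canonical IP string if the value is worth sending to GreyNoise,
    otherwise None. Malformed strings and non-global addresses (RFC 1918,
    loopback, link-local, multicast, reserved) are dropped: GreyNoise only
    sees internet-facing scanners, so these would waste API calls and
    could leak internal addressing to a third party."""
    if value is None:
        return None
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(ip) if ip.is_global else None


def ips_for_results(token, results):
    """Apply the token to every result row, keeping unique usable IPs in order."""
    seen = []
    for row in results:
        ip = queryable_ip(resolve_token(token, row))
        if ip and ip not in seen:
            seen.append(ip)
    return seen


# Constructed sample rows shaped like the output of
#   index=firewall | stats count by src_ip | head 10
SAMPLE_RESULTS = [
    {"src_ip": "8.8.8.8", "count": "12"},
    {"src_ip": "10.0.0.5", "count": "9"},     # RFC 1918, skipped
    {"src_ip": "not-an-ip", "count": "3"},    # malformed, skipped
    {"src_ip": "8.8.8.8", "count": "1"},      # duplicate, deduplicated
    {"src_ip": "1.1.1.1", "count": "7"},
]

if __name__ == "__main__":
    print(ips_for_results("$src_ip$", SAMPLE_RESULTS))  # ['8.8.8.8', '1.1.1.1']
```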
Version 1.0.0 - No API Key functionality - Fixed
Hit me up on Twitter (@)MickeyPerre for any issues, bugs and features.
1.1.0 - Added API Key support. Validates that IP addresses and API Keys are valid.
1.0.0 - Initial Release, supports Alert Action / Adaptive Response to search an IP Address. API Key option is present but not working. Will add in next release once API key is received.