Use googlemaps app instead of amMap for Cisco Security App?

dnolan
Explorer

Anyone tried to swap out the amMap flash map in the Cisco Security App and replace it with the new google maps app? How hard is it? How is the performance compared to the flash app? Any chance of the Cisco Security App gaining a configuration option to select which mapping app to use?

Will_Hayes
Splunk Employee

You win Ziegfried! The next release of the Cisco Security App will be utilizing your brilliant work with Google Maps. I'm packing up my flash and going home! 😉

araitz
Splunk Employee

SPP 1, Bill Hayes 0 😉


ziegfried
Influencer

Yes, it is possible. You'll have to edit the cisco_security_overview view. It is located at

$SPLUNK_HOME/etc/apps/SplunkForCiscoSecurity/default/data/ui/cisco_security_overview.xml

Starting at line 33, replace this:

  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="" autoRun="True">
    <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count by src_ip | eval count_label="Cisco Security Event" | eval iterator="src_ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="rt_threat_data.xml" | eval app="SplunkforCiscoSecurity" | lookup geoip clientip as src_ip | ciscomap</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>
    <module name="JobProgressIndicator"/>
  </module>
  <module name="LinkSwitcher" layoutPanel="panel_row1_col1" group="Cisco Security Events by Geo">
    <param name="mode">independent</param>
    <param name="label"> </param>
    <module name="ServerSideInclude" group="Real Time" layoutPanel="panel_row1_col1">
      <param name="src">rt_map.html</param>
    </module>
    <module name="ServerSideInclude" group="Last 24 Hours" layoutPanel="panel_row1_col1">
      <param name="src">threat_map.html</param>
    </module>
  </module>

with this:

<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">true</param>
    <param name="default">All time (real-time)</param>
    <module name="HiddenSearch" group="" autoRun="True">
        <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count as _geo_count by src_ip | geoip src_ip</param>
        <module name="GoogleMaps">
            <param name="autoPostProcess">false</param>
            <param name="height">350</param>
            <param name="mapType">terrain</param>
            <param name="mapTypeControl">on</param>
            <param name="navigationControl">on</param>
            <param name="scaleControl">on</param>
            <param name="scrollwheel">off</param>
        </module>
    </module>
</module>

The Google Maps app has to be installed prior to doing this. Please create a backup of the view file first.

To see the changes, you have to reload the CiscoSecurity app (e.g. click on the Splunk icon at the top left).

There are a few caveats using this solution:

  • Currently, no drill-down
  • You'll have to use the time-range picker instead of the link for realtime or last 24 hours

Let me know how this works for you.
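The edit described in the answer above can be scripted so that the backup is taken every time and the swap only happens when the expected amMap panel is actually present. The script below is an added example, not code from the thread, from the Cisco Security App or from the Google Maps app. It assumes the view is laid out as quoted in the answer (a HiddenSearch module whose search ends in `| ciscomap`, immediately followed by the LinkSwitcher module), and it ships with a constructed, trimmed stand-in for cisco_security_overview.xml so it can be exercised without a Splunk install. Two caveats: Python's ElementTree discards XML comments and the XML declaration when it rewrites the file, so review the result against the backup before reloading the app; and a same-named copy of the view placed under the app's local/ directory is read in preference to the one under default/ and survives an app upgrade, which is usually the better place for a change like this.

```python
"""Swap the amMap (flash) panel of a Splunk view for the GoogleMaps module.

Added example, not part of the original thread or of either app. It assumes
the view matches the XML quoted in the answer: a HiddenSearch module whose
search ends in "| ciscomap", followed by a LinkSwitcher module.
"""
import copy
import shutil
import sys
import time
import xml.etree.ElementTree as ET

# Replacement panel, copied from the answer above.
GOOGLE_MAPS_PANEL = """<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
    <param name="searchWhenChanged">true</param>
    <param name="default">All time (real-time)</param>
    <module name="HiddenSearch" group="" autoRun="True">
        <param name="search">eventtype="cisco*" OR eventtype="ironport*"  src_ip=* src_ip!=10.* src_ip!=192.* src_ip!=0.0.* | stats count as _geo_count by src_ip | geoip src_ip</param>
        <module name="GoogleMaps">
            <param name="autoPostProcess">false</param>
            <param name="height">350</param>
            <param name="mapType">terrain</param>
            <param name="mapTypeControl">on</param>
            <param name="navigationControl">on</param>
            <param name="scaleControl">on</param>
            <param name="scrollwheel">off</param>
        </module>
    </module>
</module>"""

# Constructed sample view: a trimmed stand-in for cisco_security_overview.xml
# with the flash map panel plus one unrelated panel that must survive untouched.
SAMPLE_VIEW = """<view template="dashboard.html">
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="" autoRun="True">
    <param name="search">eventtype="cisco*" | stats count by src_ip | lookup geoip clientip as src_ip | ciscomap</param>
    <module name="JobProgressIndicator"/>
  </module>
  <module name="LinkSwitcher" layoutPanel="panel_row1_col1" group="Cisco Security Events by Geo">
    <param name="mode">independent</param>
    <module name="ServerSideInclude" group="Real Time" layoutPanel="panel_row1_col1">
      <param name="src">rt_map.html</param>
    </module>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">eventtype="cisco*" | top src_ip</param>
    <module name="SimpleResultsTable"/>
  </module>
</view>"""


def _search_text(module):
    """Text of a module's 'search' param ('' if the module has none)."""
    for param in module.findall("param"):
        if param.get("name") == "search":
            return (param.text or "").strip()
    return ""


def swap_map_module(view_xml):
    """Return (new_xml, replaced): replaced counts the amMap panels swapped."""
    root = ET.fromstring(view_xml)
    replacement = ET.fromstring(GOOGLE_MAPS_PANEL)
    replaced = 0
    # Snapshot the tree first; the loop body edits it.
    for parent in list(root.iter()):
        children = list(parent)
        for idx, child in enumerate(children):
            if child.tag != "module" or child.get("name") != "HiddenSearch":
                continue
            if not _search_text(child).endswith("| ciscomap"):
                continue
            # Drop the flash search panel and the LinkSwitcher that follows it.
            parent.remove(child)
            if idx + 1 < len(children) and children[idx + 1].get("name") == "LinkSwitcher":
                parent.remove(children[idx + 1])
            new_panel = copy.deepcopy(replacement)
            new_panel.tail = child.tail  # keep the surrounding line breaks
            parent.insert(idx, new_panel)
            replaced += 1
            break  # indices in 'children' are stale after an edit
    return ET.tostring(root, encoding="unicode"), replaced


def patch_view_file(path):
    """Back up the view, then rewrite it in place; leave it alone if no amMap panel is found."""
    backup = "%s.%s.bak" % (path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, backup)
    with open(path, encoding="utf-8") as fh:
        new_xml, replaced = swap_map_module(fh.read())
    if replaced == 0:
        raise SystemExit("no amMap panel found in %s; file left unchanged" % path)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return backup, replaced


if __name__ == "__main__":
    print(patch_view_file(sys.argv[1]))
```

Run it as `python swap_map.py $SPLUNK_HOME/etc/apps/SplunkForCiscoSecurity/default/data/ui/cisco_security_overview.xml` (the script name is a placeholder). Matching on the trailing `| ciscomap` command rather than on a line number keeps the edit from silently hitting the wrong panel if the file has shifted, and running the script a second time is a no-op, which is what you want from anything that rewrites configuration.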

tcgprez
New Member

I take it you never got an answer to this question? You didn't happen to figure it out yourself did you? If so, please do tell. Many thanks.
