Set up Google Maps in Cortex XSOAR to use map automations
You need to set up Google Maps in Cortex XSOAR before using either the ShowLocationOnMap
or the ShowOnMap
automation. To use Google Maps, you need to create a Google Cloud Plaform project that has billing enabled. After creating the project, you need to enable the Maps JavaScript API and then create an API key for the project. You then need to add the API key to Cortex XSOAR. If using the ShowLocationOnMap
automation, to view the map, you also need to add the automation to a indicator layout.
In Google Cloud Platform, do the following:
- Create a Google Cloud Project.
- Enable APIs and Services (API & Services>Dashboard> ENABLE APIS AND SERVICES).
- Enable Maps JavaScript API.
- Create the Maps JavaScript API key ( Credentials> CREATE CREDENTIALS>API key).
- Copy the Maps JavaScript API key.
Add the Maps JavaScript API key to Cortex XSOAR.
Select Settings > ABOUT > Troubleshooting> Add Server Configuration.
Add the following key and value:
Key Value UI.google.api.key
Maps JavaScript API key
(copied from step 1.4 above)Click Save. You can now run the
ShowOnMap
automation in Cortex XSOAR. For example in the CLI type,!ShowOnMap lat=6.1287 lng=1.2215
.
For more information, see How to Display a Geo-location Using Google Maps in the War Room.
(ShowLocationOnMap automation only) Customize an indicator layout.
If using an out-of-the box layout, such as IP, duplicate/detach the layout.
Edit the layout.
Drag and drop the General Purpose Dynamic Section onto the indicator page.
In the General Purpose Dynamic Section, click Edit button>Edit section settings.
Edit the name as required.
In this example, we will call itGeneral Purpose Dynamic Section - ShowLocationOnMap
.In the Automation Script field, select ShowLocationOnMap.
.
Click OK.
Add the indicator layout to an indicator type.
Go to Settings>OBJECTS SETUP>Indicators.
Select the indicator type and click Edit.
In the Layout section select the layout you added in step 3.
Click Save.
In the Threat Intel page, select a relevant indicator that has a value for the Geo Location field. The map should be shown in the section that you created.
If you do not have an indicator that has a value for the Geo Location field, to test the indicator, do the following:
- Go to Settings>OBJECTS SETUP>Incident Fields>Indicators and search for Geo Location.
- Click Edit Geo Location and select the indicator type where you want the field to appear.
- Go to Threat Intel page, select the indicator and then click Edit
- In the Geo Location field, type
6.1287,1.2215
.