Displaying Geo Coordinates via Information Floater
Robert Ullrich | 08. Aug 2018 | Best Practices, Consulting, Cyber Security
Disclaimer:
The practical examples presented in our technical blog (blog.otrs.com) and now in the expert category in our FAQ blog section serve as a source of ideas and documentation to show what is theoretically possible with OTRS in concrete scenarios or sometimes even for more exotic configurations. All configurations presented here were developed under laboratory conditions as a proof of concept.
We can only guarantee testing and implementation of these concepts to be error-free and productive if implemented in a workshop with one of our OTRS consultants. Without this, the responsibility lies with the customer himself. Please note that configurations from older OTRS versions may not work in the newer ones.
One of the features of “STORM powered by OTRS” is the information floater, which lets you search for patterns in an article of a ticket. The feature was designed to enrich the content of a ticket without having to add static content to it. The main use case is to give security teams valuable information at a glance without the need to look up the information in a separate browser tab.
Out of the box, searching for CVE numbers is available via the SysConfig settings Ticket->Ticket::Frontend::ZoomCollectMetaFilters###CVE-Google and Ticket->Ticket::Frontend::ZoomCollectMetaFilters###CVE-Mitre. In my last blog article, I described how to request information for an IP address from NeutrinoAPI. An additional use case that I had to solve lately was checking the GEO coordinates of an IP address.
Highlighting GEO coordinates in the TicketZoom
The first step was to add an additional ZoomCollectMetaFilter that matches GEO coordinates. Because the SysConfig structure changed in OTRS 6, the example Jens showed you in 2010 will not work, so I had to create a new XML file called “Floater.xml” in “Kernel/Config/Files/XML”, using the new SysConfig structure, with the following content:
<?xml version="1.0" encoding="utf-8" ?>
<otrs_config version="2.0" init="Framework">
    <Setting Name="Ticket::Frontend::ZoomCollectMetaFilters###IP-GeoLocation" Required="0" Valid="0">
        <Navigation>Frontend::Agent::View::TicketZoom</Navigation>
        <Value>
            <Hash>
                <Item Key="RegExp">
                    <Array>
                        <Item>Long: \s* ( [-]* \d{1,3} \. \d{1,4} ) \s* Lat: \s* ([-]* \d{1,3} \. \d{1,4} )</Item>
                    </Array>
                </Item>
                <Item Key="Meta">
                    <Hash>
                        <Item Key="Name">IP-GeoLocation</Item>
                        <Item Key="URL">https://maps.google.com/maps?q</Item>
                        <Item Key="URLPreview">geolocation.pl?coordinates</Item>
                        <Item Key="Target">_blank</Item>
                    </Hash>
                </Item>
            </Hash>
        </Value>
    </Setting>
</otrs_config>
After I added this XML file to STORM, I had to run the following script as the OTRS user:
bin/otrs.Console.pl Maint::Config::Rebuild
STORM will now show the found GPS coordinates in TicketZoom if the regular expression matches.
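The filter pattern above, run over constructed article text, as an added example (not the author's geolocation.pl and not OTRS code). It assumes the pattern is applied with Perl's /x and /i modifiers so that whitespace in the pattern is ignored, and it adds the sign and range checks a preview script should make before matched ticket text ends up in a map URL; the helper name and the `q=lat,long` URL form are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern copied from the IP-GeoLocation setting on this page. Assumption:
# it is applied with /x (pattern whitespace ignored) and /i.
my $GeoRegExp = 'Long: \s* ( [-]* \d{1,3} \. \d{1,4} ) \s* Lat: \s* ([-]* \d{1,3} \. \d{1,4} )';

# Hypothetical helper: return "lat,long" for each match that is also a
# plausible coordinate. The filter pattern alone accepts "--999.9".
sub extract_coordinates {
    my ($Text) = @_;
    my @Valid;
    while ( $Text =~ m{$GeoRegExp}gxi ) {
        my ( $Long, $Lat ) = ( $1, $2 );

        # Stricter than the filter: at most one leading minus sign.
        next if grep { !m{\A -? \d{1,3} \. \d{1,4} \z}x } ( $Long, $Lat );

        # Range check: longitude -180..180, latitude -90..90.
        next if abs($Long) > 180 || abs($Lat) > 90;

        push @Valid, "$Lat,$Long";
    }
    return @Valid;
}

# Constructed article body (not real ticket data).
my $Article = <<'END';
Source IP 192.0.2.10 resolved to Long: 13.4050 Lat: 52.5200
Second sensor reported long: -74.0060 lat: 40.7128
Malformed entry Long: --999.9 Lat: 95.0
END

for my $Coordinates ( extract_coordinates($Article) ) {
    # Only digits, '.', '-' and ',' can reach this point, so the value is
    # safe to place in a query string without further escaping.
    print "https://maps.google.com/maps?q=$Coordinates\n";
}
```

The third constructed line matches the filter pattern but is dropped by the stricter checks, which is the case a script fed from e-mail content has to handle.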
My Perl script
Now I can create my Perl script called geolocation.pl in “bin/cgi-bin”. I also attached the file at the end of this article:
Keep in mind that this script has to be executable:
chmod +x bin/cgi-bin/geolocation.pl
Output
The Floater will now display the GPS coordinates in Google Maps. I also tried with OpenStreetMap, but I faced some issues with the zoom within the floater.
I would really like to see your use cases and ideas to use the Information Floater of “STORM powered by OTRS”, so please leave a comment.
Geolocation.pl script
You can download my script here.
Matthias at 08.06.2019, 10:25
Hey Robert, is it possible to use data of an already filled dynamic field? Let's say I've parsed the geo coordinates with a postmaster filter into a field, I don't want to reparse them with the RegEx. Looking forward, Matthias