Automate with Bots

In InsightCloudSec, a Bot (short for 'robot'), is an automated program that executes an action. Bots execute a user-defined action or actions on resources according to user-defined conditions.

The Bots you create through BotFactory use your resources and the InsightCloudSec Query Filters (or a user-specified condition for matching resources) to help you narrow the scope of analysis. Combining filters via Insights provide additional refinement to give you the ability to answer specific questions for your Bots to take action on.

Here's a simple graphic that outlines some of the key InsightCloudSec components including Bots.

InsightCloudSec Feature Overview

Using Insights allows you to combine filters, scope, and reporting around resources. For scenarios that address multiple security or compliances issues, users can take advantage of Insight Packs through Compliance Packs (which are Insight Packs that come out-of-the-box with InsightCloudSec), or Custom Packs (which are user created Insight Packs).

How Does a Bot Work?

A Bot is composed of a scope, filters, and actions. These components are defined below.

ComponentsDefinitionExample
ScopeScope specifies the resources the Bot will evaluate. A Bot will only evaluate resources within the scope of clouds or resource groups you choose.A scope may confine the Bot to act on resources of a certain type or resources contained within specific resource groups or cloud accounts.
Query FiltersQuery Filters define the conditions specifying what a Bot should act upon.A Query Filter confines a Bot to act only on scoped resources meeting specific conditions. For example, the tags the resource has (or does not have), or whether ports are (or are not) open.
ActionsActions specify what a bot does. Actions are executed for a single resource at a time. When a Bot includes multiple actions, the actions are executed in parallel. If you want actions to run in a specific order, some actions have a delay option that can be set to wait a certain amount of time after the Bot is triggered.An action may delete a resource, start or stop an instance, or send an email containing information about the evaluated resource.

Prerequisites for Bots

Before getting started with BotFactory you will need:

  • A functioning InsightCloudSec platform
  • Appropriate permissions for the actions and resources required to create your Bot, including the appropriate entitlements for BotFactory (either Editor or Admin)
  • An understanding of the actions you want your Bot to perform

In the next sections of the BotFactory documentation we cover:

Frequently Asked Questions (FAQ)

How do I create a Bot?

Bots can be created in one of three ways:

What permissions do I need to create a Bot?

In order to create Bots, basic users will require Editor or Admin rights under Permissions Entitlements.

  • If you only have View permissions, your Bot inherits your permissions and will not be able to take any lifecycle actions (e.g., start, stop, edit, etc.) on resources.
  • If you have Modify permissions, some additional actions are available.
  • In order to Delete, specific delete permissions are required.

Check out the full User Entitlements Matrix.

How do I copy an existing Bot?
  • Locate the Bot you are interested in copying, open the Bot by clicking on the name from the Bot Listing page, and in the details, copy the Bot Configuration JSON code.
  • In BotFactory open the templates capability and paste the JSON you just copied from the previous Bot Configuration to make a copy of the previous Bot.
How do I remove a Bot?
You can select Archive from the Actions menu next to the name of an individual Bot. You can also select multiple Bots from the Bot Listing page and select the trash icon to archive multiple Bots at once.
What does archiving do?

Archiving permanently disables a Bot. The Bot’s history and metadata are retained, but scheduled events and noncompliance data are purged.

How do I see a Bot's recent actions?

From the Bot listing page, click on the name of the Bot you want to review and select the Audit tab. This displays a log, in the form of an API trail, of actions your selected Bot has taken. Audit shows successful and failed actions and who initiated the action.

What happens to a Bot (or Bots) if the cloud account is removed from InsightCloudSec?

These Bots are not automatically deleted (there is no way for InsightCloudSec to automatically check for changes like this).

  • These Bots will remain active and operate on their defined schedules but return 0 resource results.
  • Customers will need to pause or delete these Bots manually.
What happens to a Bot if the linked Insight is edited?

For example if an additional filter is added:

  • The Bot configuration will automatically update to include the new filter.
  • The Bot will continue to run.
What happens to a Bot if the linked Insight is deleted?

When the Insight is deleted, a message will appear showing any linked Bots. Associated Bots will be put into a paused state.

Renaming a Bot and Scheduled Events

If you reconfigure an existing Bot to change the name, any related scheduled events will be deleted because it is effectively being reconfigured.

To simply rename a Bot, use Update Information and any scheduled events will remain.

Bot Run Options - When Should I Use Resource Created (Delayed)?

We have added a new BotFactory hookpoint Resource Created (Delayed) that triggers after a creation event, but rather than trigger the Bot to run immediately, it triggers the Bot to run after defined period of time (by default, 20 minutes).

Note

This default can be modified by request, reach out to us through any of the options outlined under Getting Support

This hookpoint is most useful when Event-driven Harvesting (EDH) is enabled and when examining resources that require additional time to configure for Bot analysis or to achieve a ready state for Bot corrective action. With the speed of EDH, a Bot using the Resource Created hookpoint can be triggered to evaluate or act before the cloud provider is ready -- a function of the cloud provider's guarantee of eventual consistency.

For example, with EDH and the Resource Created hookpoint, a Bot can be triggered by the creation of a misconfigured database instance while the database instance is still in a creating state. The cloud provider generally blocks any corrective action until after the database instance has reached a ready or available state. The Resource Created (Delayed) hookpoint combines the response to the event with the delay required to take action.