Automate with Bots
In InsightCloudSec, a Bot (short for ‘robot’), is an automated program that executes an action. Bots execute a user-defined action or actions on resources according to user-defined conditions.
The Bots you create through BotFactory use your resources and the InsightCloudSec Query Filters (or a user-specified condition for matching resources) to help you narrow the scope of analysis. Combining filters via Insights provide additional refinement to give you the ability to answer specific questions for your Bots to take action on.
Here’s a simple graphic that outlines some of the key InsightCloudSec components including Bots.
Using Insights allows you to combine filters, scope, and reporting around resources. For scenarios that address multiple security or compliances issues, users can take advantage of Insight Packs through Compliance Packs (which are Insight Packs that come out-of-the-box with InsightCloudSec), or Custom Packs (which are user created Insight Packs).
How Does a Bot Work?
A Bot is composed of a scope, filters, and actions. These components are defined below.
| Components | Definition | Example |
|---|---|---|
| Scope | Scope specifies the resources the Bot will evaluate. A Bot will only evaluate resources within the scope of clouds or resource groups you choose. | A scope may confine the Bot to act on resources of a certain type or resources contained within specific resource groups or cloud accounts. |
| Query Filters | Query Filters define the conditions specifying what a Bot should act upon. | A Query Filter confines a Bot to act only on scoped resources meeting specific conditions. For example, the tags the resource has (or does not have), or whether ports are (or are not) open. |
| Actions | Actions specify what a bot does. Actions are executed for a single resource at a time. When a Bot includes multiple actions, the actions are executed in parallel. If you want actions to run in a specific order, some actions have a delay option that can be set to wait a certain amount of time after the Bot is triggered. | An action may delete a resource, start or stop an instance, or send an email containing information about the evaluated resource. |
Prerequisites for Bots
Before getting started with BotFactory you will need:
- A functioning InsightCloudSec platform
- Appropriate permissions for the actions and resources required to create your Bot, including the appropriate entitlements for BotFactory (either
EditororAdmin) - An understanding of the actions you want your Bot to perform
In the next sections of the BotFactory documentation we cover:
- Creating Bots: The end-to-end process(es) of creating a Bot
- Managing Bots: Management of existing Bots, with details on editing, modifying, or rescoping Bots
- Working with Bots (Best Practices & Examples): A deeper look at our recommendations around best practices for using Bots, along with detailed Bot examples and their configurations
Frequently Asked Questions (FAQ)
How do I create a Bot?
See Create a Bot for details.
What permissions do I need to create a Bot?
In order to create Bots, basic users will require Editor or Admin rights under Permissions Entitlements.
- If you only have View permissions, your Bot inherits your permissions and will not be able to take any lifecycle actions (for example, start, stop, edit) on resources.
- If you have Modify permissions, some additional actions are available.
- In order to Delete, specific delete permissions are required.
How do I copy an existing Bot?
See Manage Bots for details.
How do I delete a Bot?
Bots can’t be deleted, but they can be archived, which permanently disables the Bot. The Bot’s history and metadata are retained, but scheduled events and noncompliance data are deleted. See Managing Bots for details.
How do I see a Bot’s recent actions?
From the Bot Listing page, click the Bot you want to review and select the Audit tab. This displays a log of actions the Bot has performed successfully or unsuccessfully.
What happens to a Bot if a cloud account in its scope is removed from InsightCloudSec?
Bots will remain active and operate on their defined schedules but return 0 resource results. You will need to pause or archive any Bots manually.
What happens to a Bot if the linked Insight is edited?
The Bot configuration will automatically update to include edits and the Bot will continue to run.
What happens to a Bot if the linked Insight is deleted?
If you delete an Insight associated with a Bot, InsightCloudSec will show you any associated Bots after the Insight is deleted. Associated Bots will be automatically paused.
Renaming a Bot and Scheduled Events
If you reconfigure an existing Bot to change the name, any currently active events will be deleted. To simply rename a Bot, use Update Information and any currently active events will remain.