Create a Bot
Bots are a powerful tool for automating remediation and assisting with risk prioritization. One of the most effective ways to use a Bot is to curate resource groups or data groups. For examples of Bots that work in real-world environments, go to Working with Bots (Best Practices & Examples).
Before you begin
While there are no system or configuration prerequisites for creating a Bot, it’s important that you have a good understanding of Resources, Query Filters, Insights, and Jinja2 before getting started. It’s also useful to have a notification-based integration configured, like email, Slack, or PagerDuty.
Create a Bot
You can create three types of Bots:
Custom Bot
Custom Bots allow you to set a custom scope, query filters, and run actions.
To create a custom Bot:
- Go to Automation > Bot Factory > Listing and click Create Bot.
- For Bot Details:
  - Enter a Bot Name.
  - Optionally, enter a Category, Severity, and Description.
  - Click Next.
- For Scope:
  - Select Resource Types for the Bot to check. Selecting multiple resource types limits the number of applicable Query Filters.
  - Select to scope resources by badge or by cloud account, Kubernetes cluster, or resource group.
  - Select the preferred badges or cloud accounts, clusters, or resource groups.
  - Click Next.
- For Query Filters:
  - Click Add Query Filter.
  - Find a Query Filter and click Apply.
  - Configure the Query Filter as necessary.
  - Repeat the previous steps until you have as many Query Filters as necessary. The Bot will only take action on resources that match all Query Filters.
  - Click Next.
- For Actions:
  - Click Add Action. Note: some actions can use Jinja2 templating and some can send notifications to an integration.
  - Find an action and click Apply.
  - Configure the action as necessary.
  - Repeat the previous steps until you have as many actions as necessary. If you add multiple actions, note that all actions are executed instantly in parallel unless it’s a delayed action.
  - Click Next.
- For Run Options:
  - Click Select for each run option you want to implement.
  - Set an execution threshold to prevent the Bot from running against more resources than expected:
    - Select Set Resource Threshold.
    - Enter the maximum number of resources the Bot can act on.
    - Select the email addresses to notify when the threshold is reached.
  - Click Save.
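The following sketch is an added example, not product code or a product API: it models how scope, the "match all Query Filters" rule, and the resource threshold combine, so you can estimate how many resources a Bot would act on before enabling it. The `BotPlan` class, the inventory records, the filter names, and the assumption that exceeding the threshold halts the run are all hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass
class BotPlan:                      # hypothetical model, not a product object
    resource_types: set
    accounts: set
    filters: list                   # [(label, predicate), ...]
    threshold: int                  # maximum resources the Bot may act on
    notify: tuple = ()              # addresses to email when the threshold trips

def dry_run(plan, inventory):
    # Scope first: resource type and cloud account.
    scoped = [r for r in inventory
              if r["type"] in plan.resource_types and r["account"] in plan.accounts]
    # A resource is actionable only if it matches every Query Filter (logical AND).
    hits = [r for r in scoped if all(pred(r) for _, pred in plan.filters)]
    # Per-filter counts show which filter is doing the narrowing.
    per_filter = {label: sum(pred(r) for r in scoped) for label, pred in plan.filters}
    # Assumption: more matches than the threshold halts the run and notifies instead.
    halt = len(hits) > plan.threshold
    return {"scoped": len(scoped), "per_filter": per_filter,
            "matched": [r["id"] for r in hits], "halt": halt,
            "notify": list(plan.notify) if halt else []}

# Constructed sample inventory for illustration only.
INVENTORY = [
    {"id": "vol-1", "type": "volume", "account": "prod", "encrypted": False, "attached": False},
    {"id": "vol-2", "type": "volume", "account": "prod", "encrypted": False, "attached": True},
    {"id": "vol-3", "type": "volume", "account": "prod", "encrypted": True, "attached": False},
    {"id": "vol-4", "type": "volume", "account": "dev", "encrypted": False, "attached": False},
    {"id": "i-1", "type": "instance", "account": "prod", "encrypted": False, "attached": False},
    {"id": "vol-5", "type": "volume", "account": "prod", "encrypted": False, "attached": False},
]

PLAN = BotPlan(
    resource_types={"volume"}, accounts={"prod"},
    filters=[("unencrypted", lambda r: not r["encrypted"]),
             ("detached", lambda r: not r["attached"])],
    threshold=1, notify=("secops@example.com",))

if __name__ == "__main__":
    print(dry_run(PLAN, INVENTORY))                               # threshold trips
    print(dry_run(replace(PLAN, threshold=2), INVENTORY)["halt"])  # within threshold
```

Each filter alone matches three of the four in-scope volumes, but only two match both, which is the set a destructive action would touch.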
Insight Bot
Insight Bots have configurations that update dynamically, based on a specific Insight or Exception.
Removing automatic configuration from Insight Bots
Bots that you create from an Insight or Exception are locked into that configuration. You can click Unlock to break the association, but the Bot will then no longer update automatically when the associated Insight or Exception is modified.
To create an Insight Bot:
- Go to Security > Insights > Library, find the Insight, and click Action (…) > Create Bot Automation.
- For Bot Details:
  - Enter a Bot Name.
  - Optionally, enter a Category, Severity, and Description.
  - Click Next.
- For Scope:
  - Select Resource Types for the Bot to check. Selecting multiple resource types limits the number of applicable Query Filters.
  - Select to scope resources by badge or by cloud account, Kubernetes cluster, or resource group.
  - Select the preferred badges or cloud accounts, clusters, or resource groups.
  - Click Next.
- For Query Filters:
  - Click Add Query Filter.
  - Find a Query Filter and click Apply.
  - Configure the Query Filter as necessary.
  - Repeat the previous steps until you have as many Query Filters as necessary. The Bot will only take action on resources that match all Query Filters.
  - Click Next.
- For Actions:
  - Click Add Action. Note: some actions can use Jinja2 templating and some can send notifications to an integration.
  - Find an action and click Apply.
  - Configure the action as necessary.
  - Repeat the previous steps until you have as many actions as necessary. If you add multiple actions, note that all actions are executed instantly in parallel unless it’s a delayed action.
  - Click Next.
- For Run Options:
  - Click Select for each run option you want to implement.
  - Set an execution threshold to prevent the Bot from running against more resources than expected:
    - Select Set Resource Threshold.
    - Enter the maximum number of resources the Bot can act on.
    - Select the email addresses to notify when the threshold is reached.
  - Click Save.
Template Bot
Create a Template Bot when you want to duplicate an existing Bot and modify it slightly. See Manage Bots for more information on creating and managing Bot templates.
To create a Template Bot:
- Go to Automation > Bot Factory > Templates and click Action (…) > Use Template.
- For Bot Details:
  - Enter a Bot Name.
  - Optionally, enter a Category, Severity, and Description.
  - Click Next.
- For Scope:
  - Select Resource Types for the Bot to check. Selecting multiple resource types limits the number of applicable Query Filters.
  - Select to scope resources by badge or by cloud account, Kubernetes cluster, or resource group.
  - Select the preferred badges or cloud accounts, clusters, or resource groups.
  - Click Next.
- For Query Filters:
  - Click Add Query Filter.
  - Find a Query Filter and click Apply.
  - Configure the Query Filter as necessary.
  - Repeat the previous steps until you have as many Query Filters as necessary. The Bot will only take action on resources that match all Query Filters.
  - Click Next.
- For Actions:
  - Click Add Action. Note: some actions can use Jinja2 templating and some can send notifications to an integration.
  - Find an action and click Apply.
  - Configure the action as necessary.
  - Repeat the previous steps until you have as many actions as necessary. If you add multiple actions, note that all actions are executed instantly in parallel unless it’s a delayed action.
  - Click Next.
- For Run Options:
  - Click Select for each run option you want to implement.
  - Set an execution threshold to prevent the Bot from running against more resources than expected:
    - Select Set Resource Threshold.
    - Enter the maximum number of resources the Bot can act on.
    - Select the email addresses to notify when the threshold is reached.
  - Click Save.