- Flow Diagram
- Deploy the CloudBots to your Azure accounts
- Setup your Dome9 account
- Update the CloudBots code
- Log Collection for Troubleshooting
- What are CloudGuard CloudBots?
What are CloudGuard CloudBots?
Cloud-Bots is an auto remediation solution for Azure, built on top of the CloudGuard Native Continuous Compliance capabilities.
They can also be used standalone, without CloudGuard, to remedy issues in Azure subscriptions. Details are included how to configure and trigger them.
Refer to this file for a list of the bots, what each one does, and an example of a rule that could be used to trigger it.
Deploy the CloudBots to your Azure accounts
To use the CloudBots in your Azure accounts, you must setup your account and your CloudGuard account.
Setup your Azure subscriptions for CloudBots
Follow these steps to configure your Azure subscriptions to use CloudGuard CloudBots:
- Install Python and dependent packages needed by the Cloudbots
- Create a new Azure app registration for CloudBots
- Optionally, create a SendGrid account to forward email notifications
- Create a custom role for the CloudBots Function
- Assign IAM roles for the app registration created above
- Create an empty Azure function for the CloudBots
- Deploy the CloudBots in the Azure subscription
Note: If you already have Azure CLI and Azure functions make sure to use the latest versions
- Azure CLI, and then login to your Azure account
- Azure Functions Core Tools
- Python 3.6.X or higher
- NodeJS > 8.5
- Microsoft .NET core > 2.2
Create Azure App Registration:
- In the Azure portal, navigate to App registrations, and the click New registration.
- Enter a name for the app (for example, CloudGuardCloudBots), then click Register.
- Save the Application (client) ID and Directory (tenant) ID.
- Navigate to Certificates & secrets, from the left side menu, and click New client secret and click Add
- Save the secret's Value.
Create SendGrid, to be used to send remediation outputs by email (Optional)
- In the Azure portal, navigate to SendGrid Accounts.
- Click Add, and complete the signup form.
- Select the new SendGrid account, and then click Manage.
- Select Settings -> API Keys, and then click Create API Key.
- Enter a name (for example, CloudGuardCloudBots), select Full Access, then click Create & View.
- Save the key value (will be needed in a later step).
Create a custom role for the CloudBots Function
- In the Azure Portal, navigate to Subscriptions.
- Select the subscription that will use the CloudBots.
- Select Access control (IAM) from the menu on the left.
- Click Add -> Add custom role
Go to JSON section.
Click on Edit (in the top-right corner of the text box)
Copy the JSON object from the file: CloudGuard-CloudBots-Role.json
In the assignableScopes property, fill in your subscription id in the marked place.
Press Save (in the top-right corner).
Press Review + create (at the bottom).
Check the permissions granted and press Create.
Repeat these steps for each additional Subscription.
Navigate to Subscriptions.
Select the subscription that will use the CloudBots.
Select Access control (IAM) from the menu on the left.
Click Add -> Add role assignment
Search for the role you created in the last step and press on View.
Press on Review +assign.
Repeat these steps for each additional Subscription.
Create an Azure Function App
Clone the CloudBots Azure code from GitHub (git clone https://github.com/dome9/cloud-bots-azure.git)
Click the "Deploy to Azure" button and fill out the deployment form
Both the Azure Function name and the Storage Account name must be globally unique or deployment will fail (if a new storage account is created)
Once the ARM template deployment is complete, open a command prompt and navigate to the cloud-bots-azure folder
Install the Azure Functions command line tools (https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=windows%2Ccsharp%2Cbash)
Run func init
Run func azure functionapp publish functname where the functname is your function name from the "Deploy to Azure" workflow. This will take a few minutes to complete. Be patient - get a coffee!
If you are deploying CloudBots on several Azure subscriptions, repeat step 4 (Assign Roles), above, for each subscription.
Setup your CloudGuard account
On CloudGuard you must add remediation definitions to rules in a compliance ruleset. Refer to the latest CloudGuard documentation on how to do this (https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/PostureManagement/Remediation.htm#microcontent1).
Configure the Remediation
Follow these steps in your CloudGuard account to tag the compliance rules & rulesets to use bots as a remediation step.
In the CloudGuard web app, navigate to the Remediation page in the Posture Management menu.
Click Create New Remediation, in the upper right.
Select the rules for which the remediation applies, from the given options. The options can be combined, and the effective rules on which the remediation applies are the combination of all the selected options.
- A Ruleset (mandatory)
- A specific Rule in the ruleset (optional, if missing, all rules are implied)
- A specific Entity, by its entity ID (optional, if missing, all entities are implied); this selects all rules involving the selected entities
- A specific Cloud Account, this applies the remediation to rules in the selected ruleset only when the ruleset is applied to the selected cloud accounts.
- Select the CloudBot, from the list. If the cloudbot is not in the list, select Custom, and then add the name of the cloudbot, along with the runtime arguments**. The cloudbot must be deployed in the selected cloud account, in the same folder as the other bots.
- Add a comment and then click Save.
** Example for using a custom bot:
Configure a Continuous Compliance policy
Once the rules in the ruleset have been tagged for remediation, set up a Continuous Compliance policy to run the ruleset, and send findings the Azure function webhook.
- Navigate to the Policies page in the Compliance & Governance menu.
- Click ADD POLICY (on the right).
- Select the account from the list, then click NEXT, this will be the one account in which the bots are deployed.
- Select the ruleset from the list, then click NEXT.
- Click ADD NOTIFICATION.
- Select Send to HTTP Endpoint and enter the URL from the Function App and then click SAVE.
Note: CloudGuard will send event messages to the webhook for new findings. To send events for previous findings, follow these steps:
- Navigate to the Policies page.
- Find the ruleset and account in the list, and hover over the right of the row, then click on the Send All Alerts icon.
- Select the webhook Notification Type option, and the Notification Policy (the one created above), then click SEND. CloudGuard will send event messages to the Azure function webhook.
Update the CloudBots code
See Update CloudBots Function App
Log Collection for Troubleshooting
The cloudbots send log information to CloudGuard, that is used for troubleshooting. By default, this is enabled for all bots. You can disable this in your Azure account. Select the function, and set the environment variable SEND_LOGS to False. This will apply to all bots in the account. By default, this is set to True, enabling logs.
Each account is controlled by the variable for the function configured in that account.