
“Hyperautomate SoC and CCoE Operations with LLM Powered autobotAI”

Abstract: “An Hyperautomate SoC and CCoE operations with LLM powered autobotAI” The present invention provides an Hyperautomate with autobotAI Cloud detection and response automation platform designed to streamline cloud operations and security across multiple cloud platforms such as AWS, Azure and GCP. It utilizes no code, low code and full custom code workflows to automate a vast array of IT and cloud security tasks, making cloud management effortless at scale. Such security automation will create AI capabilities. It supports integration with major cloud platforms, communication tools (MS Teams, Google chat), and security solutions. It employs generative AI to offer intuitive workflow automation, including event-driven architecture for threat detection and response, identity and access management and compliance tracking; said platform consists of a centralized, user-friendly interface that allows security and IT team users to configure integration, design workflow and monitor automation performance, a drag and drop workflow editor, compliance violation insight, and real time notifications.


Patent Information

Application #
Filing Date
03 July 2024
Publication Number
33/2024
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
Parent Application
Patent Number
Legal Status
Grant Date
2025-10-09
Renewal Date

Applicants

SHUNYEKA SYSTEMS PRIVATE LIMITED
Plot ID-951, VOS-6, 24th Main Road R.K Colony, Marenahalli, 1st Phase, J. P. Nagar Bengaluru Bangalore KA, 560078 India

Inventors

1. MS. YOGINI GOHEL
Plot ID-951, VOS-6, 24th Main Road R.K Colony, Marenahalli, 1st Phase, J. P. Nagar Bengaluru Bangalore KA, 560078 India
2. MS. DHARA KHILOSIYA
Plot ID-951, VOS-6, 24th Main Road R.K Colony, Marenahalli, 1st Phase, J. P. Nagar Bengaluru Bangalore KA, 560078 India

Specification

Description:
Field of the Invention
The present invention relates to an Hyperautomate SoC and CCoE operations with LLM powered autobotAI platform to streamline cloud operations and security across multiple cloud, compute platforms, development tools, and security platforms such as AWS, Azure, GCP, Kubernetes, Code repository and security tools. More particularly, the present invention relates to a Hyperautomation with autobotAI Cloud detection and response automation platform to streamline cloud operations and security across multiple cloud platforms that provides easy to-use no code, low code, and flexible full-code workflows and support integration with any platform, communication tools and security solutions using IPaaS (integration platform as a service) architecture.
Background of the Invention

In recent years, artificial intelligence and machine learning have shown remarkable development in various fields. With the help of generative AI streamlining processes, security enhancement has become easier and more efficient. According to the Gartner report 2023, hyperautomation will be a critical enabler for organizations deploying workloads in the cloud. The Gartner 2024 Impact Radar has also highlighted that use of such LLM models for hyperautomation is high and that it is the future of operations automation. Increasing CloudOps and SecOps operations introduce technical debt for business. Hyperautomation with generative AI integration becomes a critical enabler for SecOps and CloudOps, since the scale of such resources is increasing at a pace where manual human operations will not provide operational excellence. AI cloud, which is the amalgamation of artificial intelligence and cloud computing systems, helps process extensive data faster and provides better decision-making ability, which plays a vital role in data-centric industries. AI and ML play a crucial role in automating incident management (security and non-security incidents) in IT operations (including cloud and on-premise modern application workloads). Through continuous monitoring of system behavior and performance metrics, these technologies can detect anomalies and potential security threats in real time. The rapid acceleration of digital initiatives across various industries has underscored the critical need for advanced automation solutions for response actions. These solutions are pivotal in navigating the complex challenges associated with cloud and security operations. Hyperautomation stands at the confluence of multiple technological evolutions, aiming to automate the complex decision-making and processes that standard automation tools could not address. This comprehensive approach is designed to not only augment human capabilities but also to foster a more resilient, efficient, and secure digital ecosystem.
Existing technology often lacks flexibility and breadth of integration. They may also require more manual intervention and do not utilize generative AI for workflow automation. Many researchers and inventors have worked on the same concept and developed related works but those inventions are lacking in mechanism or missing one or more features. Some of such inventions are discussed below.
Reference has been made to US11775276B2, titled “METHODS AND SYSTEMS FOR APPLICATION INTEGRATION AND MACROSYSTEM AWARE INTEGRATION”, by Incentive Marketing Group Inc dated 2020-10-27, which discloses, methods and systems for system agnostic technologies allowing incorporation of APIs from multiple applications as well as integration of APIs from other applications that can assist in the integrations. Methods and systems for using block chain technology to enhance integration record keeping on an application and macro integration level as well as event and performance recording and other advantages. Methods and systems for integrating services between different software systems including integrating a plurality of software systems to enable data transfer between the plurality of software systems, at least one of adding a new software system and updating, removing, or altering one of the plurality of software systems, and dynamically updating other ones of the plurality of software systems based on the at least one of adding the new software system and updating, removing, or altering one of the plurality of software systems.
Another reference has been made to US20220318068, titled “METHODS AND SYSTEMS FOR MANAGING A PLURALITY OF CLOUD ASSETS”, by ManTech International Corporation, dated 05.04.2022, which discloses, methods and systems for managing a plurality of cloud assets are disclosed. A method may include receiving first cloud account data from a first cloud service provider; receiving second cloud account data from a second cloud service provider; receiving analyzed content from a first software vendor and a second software vendor, the analyzed content based on the first cloud account data and the second cloud account data; correlating the first account data, the second account data, and the analyzed content; generating a correlated data graphical user interface (GUI) based on the correlating; receiving a cloud account update request via user input to the GUI; identifying a first software module from a plurality of software modules, based on the cloud account update request; and transmitting a signal to the first software module based on the cloud account update request, the signal comprising information to perform the cloud account update.
Another reference has been made to US11457047B2, titled “MANAGING COMPUTER SECURITY SERVICES FOR CLOUD COMPUTING PLATFORMS”, by Vijay Chander, Praveen Patnala, Vishal Jain, dated 2021-03-09, which discloses, a computer-implemented method of managing security services for one or more cloud computing platforms is disclosed. The method comprises receiving, by a security gateway system having a processor, a digital communication related to one of one or more computing applications hosted by a virtual cluster for private use on a cloud computing platform, the security gateway system residing within the cloud computing platform, the security gateway system performing network security gateway functions for the one or more computing applications. The method also comprises storing the digital communication in association with a timestamp in a storage device. The method further comprises receiving a piece of threat intelligence data indicating a security threat from a main controller residing outside the virtual cluster; storing the piece of threat intelligence data in a database; and determining whether the piece of threat intelligence data applies to any of the digital communications in the storage device. Finally, the method comprises transmitting an estimate of an extent or timing of an impact of the security threat based on the determining.
Another reference has been made to US20230107233A1, titled “AUTOMATIC DATA TRANSFER BETWEEN A SOURCE AND A TARGET USING SEMANTIC ARTIFICIAL INTELLIGENCE FOR ROBOTIC PROCESS AUTOMATION”, by Bogdan Ripa, Mircea GRIGORE, Cosmin Voicu, dated 2021-10-05, which discloses, Automatic data transfer between a source and a target using semantic artificial intelligence (AI) for robotic process automation (RPA) is disclosed. A user may be provided with the option of selecting a source and a target and indicating through an intuitive user interface that he or she would like to copy data from the source to the destination, regardless of format. This may be done at design time or at run time. For instance, the source and/or target may be a web page, a graphical user interface (GUI) of an application, an image, a file explorer, a spreadsheet, a relational database, a flat file source, any other suitable format, or any combination thereof. The source and the target may have different formats. The source, target, or both may not necessarily be visible to the user.
Another reference has been made to US20230393832A1, titled “AUTOMATED TRANSLATION OF COMPUTER LANGUAGES TO EXTRACT AND DEPLOY COMPUTER SYSTEMS AND SOFTWARE”, by Harrison Touati, Adam Branch, dated 2023-04-12, which discloses a computer-implemented system and method for the integration and deployment of software applications, including an extraction module for obtaining data and replicating it in a usable format, including business knowledge and rules from the application source code, a conversion module for translating data from a legacy system to a new format, using Universal Application Notation (UAN), a deployment module for installing, configuring, updating, and enabling applications for use, including automated deployment of newly translated applications, and an integration module for seamlessly integrating new and legacy applications with a chatbot and/or low or no-code integration tools.
However, none of the above discussed inventions relates to an Hyperautomation with LLM agent powered autobotAI Cloud detection and response automation platform to streamline cloud operations and security across multiple cloud and security platforms. It drives maximum value and efficiency from existing cloud and security investments by helping operations teams to automate response actions with contextual details that help human approvals and/or notifications. The present invention provides cloud and security teams with powerful, easy-to-use no-code, low-code, and full-code flexible workflows that reduce manual tasks, freeing cloud and security professionals to focus on higher-value strategic activities. The present invention also supports Integration platform as a service (IPaaS) that can integrate with any platform with APIs (e.g. cloud platforms, communication tools and security solutions). The said invention also employs generative AI to offer intuitive workflow automation at both build time and runtime, including event-driven architecture for threat detection and response, identity and access management and GRC (governance, risk and compliance) response and/or remediation automations. All these features also provide complete data sovereignty and permission trust boundaries within the customer’s own environment.
Objective of the Invention
The main objective of the present invention is to provide an Hyperautomate SoC and CCoE operations with LLM powered autobotAI cloud detection and response automation platform designed to streamline cloud operation and security across multiple cloud platforms such as AWS, Azure and GCP.
Another objective of the present invention is to utilize no-code, low-code and full custom code workflows to automate a vast array of IT and cloud security tasks, making cloud management effortless at scale.
Another objective is to use LLM agents during automation workflow build time and during runtime: at build time, to automatically build workflows based on task mining and process mining; at runtime, LLM agent-based workflows that help with decision making, arriving at event context, automated action with contextual human approval, and guided remediation-based notification. This allows customers to choose their preferred LLM models using model-as-a-service platforms like Amazon Bedrock, Azure OpenAI, OpenAI or locally hosted open-source models.
Another objective of the present invention is to reduce MTTR (mean time to respond and remediate).
Another objective of the present invention is to employ generative AI to offer intuitive and context aware workflow automation, including event driven architecture for threat detection and response, identity and access management and tracking compliance.
Another objective of the present invention is to use generative AI for automation bot development process with task mining and process mining.
Another objective of the invention is to provide development platform for event driven bot and scheduled automation workflow bots.
Another objective of the present invention is to provide cloud native incident response, for efficient and machine speed threat detection and prevention.
Another objective of the present invention is to provide risk-based patch management with AI driven security risk prioritization.
Another objective of the present invention is to provide IAM automations like least privilege enforcement for Cloud and SaaS applications for heightened security and operational efficiency.
Another objective of the present invention is to provide self-service based automation workflow capability (e.g. just in time access automation workflow to transform cloud security with self-service portal presented to cloud consumers) aiming to reduce support tickets with CloudOps and SecOps teams.
Another objective of the present invention is to provide Cloud operations automation (e.g. storage operation automation for streamline application outage related response automation, automating application outage troubleshooting with contextual details with LLM agent integration etc).
Another objective of the invention is to provide threat hunting and response automation with data lake integrations aiming to provide guided remediation or automated remediation of detected anomaly or detected indication of compromise.
Another objective of the present invention is to provide a centralized, user-friendly interface that allows security and IT teams to configure integration, design workflows, monitor automation execution details and do task mining and process mining to automate operations with contextual insights on cloud and kubernetes based violations.
Another objective of the present invention is to include the feature of drag and drop workflow builder, compliance violation insight and real time notification.
Another objective of the present invention is to provide a platform that can be accessed via web browser by signing up for a SaaS model or deploying a dedicated autobotAI workspace within their cloud environment.
Another objective of the present invention is to enable security measures with capabilities like posture assessment, identity and access management automation and compliance monitoring.
Another objective of the present invention is to automate repetitive cloud management tasks, including resource provisioning, cost optimization and incident management, reducing manual workload and improving operational efficiency.
Another objective of the present invention is to create autobotAI's bots feature approval systems, ensuring that all bot actions are verified and approved.

Another objective of the present invention is to provide an autobotAI platform with SaaS and flexibility for customer’s own environment deployment using unique workspace-based architecture to meet any compliance and data & permission sovereignty requirements.
Another objective of the invention is to provide “insight” feature that gives users a comprehensive view into their cloud configurations and resources to do effective task mining and process mining on their day-to-day operations.
Summary of the Invention
The present invention provides an Hyperautomate SoC and CCoE operations with LLM powered autobotAI platform designed to streamline cloud operations and security across multiple cloud platforms such as AWS, Azure, GCP, Kubernetes, code repositories, and security tools. The platform utilizes no code, low code and full custom code workflows with LLM agents to automate a vast array of IT and cloud security tasks, making cloud management effortless at scale. Such security automation will create AI capabilities that can help reduce MTTR (mean time to respond and remediate) for companies to 60% and reduce IT support tickets by 45%. The platform also supports integration with major cloud platforms, communication tools (MS Teams, Google chat), and security solutions (e.g., Trend Micro, Crowdstrike, Paloalto, Wiz and many more). The said platform employs generative AI to offer intuitive workflow automation, including event-driven architecture for threat detection and response, identity and access management and compliance tracking.
The present invention provides a centralized, user-friendly interface that allows security and IT team users to configure integration, design workflow and monitor automation performance. autobotAI also provides highly accurate and useful visualization via a 360-degree view custom dashboard. Features of the platform include a drag and drop workflow editor, compliance violation insight, and real time notifications. Users can access the platform via web browser by signing up for a SaaS model or deploying a dedicated autobotAI workspace within their cloud environment. The said platform also emphasizes security measures with capabilities like posture assessment, identity and access management automation, and compliance monitoring. It integrates contextual awareness with generative AI and event-driven architecture for advanced threat detection and response. It automates repetitive cloud management tasks, including resource provisioning, cost optimization, and incident management, reducing manual workload and improving operational efficiency.

Statement of Invention
Accordingly, the present invention provides an Hyperautomate SoC and CCoE operations with LLM powered autobotAI platform with the integration of generative AI for intuitive workflow automation and the ability to support no code, low code and full custom code workflows; the platform creates reusable building blocks for bots with autobotAI's intuitive GUI and builds bots with effortless drag-and-drop functionality; the security operation use cases include self-service automation workflow bots like JIT (just in time) access for Identity and Access Management for AWS, Azure, GCP, K8S (Kubernetes) and other SaaS applications like Salesforce etc., deployment of security controls and tools during cloud workload provisioning, cloud workload availability based incident response, automation for compliance hardening for OS, cloud platform and container platforms with contextual automated workflows, configuration of code repository merge rules, continuous threat detection and response, risk based automated security patch management, least privilege enforcement automation, guided threat hunting automation and compliance violation remediation automation, IoC enrichment with multiple platform integration, user behavior analytics based response automation and enriched incident reporting and alerting automation; cloud operation use cases include provisioning of monitoring controls and container platform configuration like Kubernetes cluster setup as per the business and security team’s defined workflows, deployment and configuration of network best practices setup for VPCs and vNETs with configuration of backup and logging policy at cloud account level and enabling required services, cloud access management automation, delivery pipeline, availability monitoring and response automation and cost optimization operations automation with approval system and other IT operations like OS level log storage cleanup and automated data lifecycle policy enforcement at object storage; performance monitoring based response automation to avoid application outage, disaster recovery playbooks, network optimization, security and incident response based on application log analytics.
Brief description of Drawing
Figure 1, shows the architecture diagram with cloud native serverless components deployed as workspace on customers environment to provide zero trust-based architecture for complete data control with customers.
Figure 2, shows a high-level application functional diagram.
Figure 3(a), shows the operational excellence advantage for business with autobotAI.
Figure 3(b), shows automation bot development process.
Figure 4(a), shows cloud detection and response automation integration and automation use case examples.
Figure 4(b), shows low level automation workflow overview with LLM agent integration and human approval.
Figure 4(c), shows the day 1 automation use case with self-service portal operational excellence advantage details for business.
Figure 5, shows day 2 cloud and security operations automation use cases.
Figure 6(a), shows cloud native incident response with 3rd party threat intel source integration for detection enrichment automation.
Figure 6(b), shows the example use case for incident response for compromised key response automation.
Figure 7(a), shows example use case like IAM least privilege enforcement automation.
Figure 7(b), shows an example of self-service-based automation as Just-in-time Access with Self-Service App developed in autobotAI platform.
Figure 8(a), shows example use case workflow for the availability operations automation by automating log clean up automation.
Figure 8(b), shows threat Hunting and response automation with Security data lake.
Figure 9(a), shows example of Risk Based Patch Management Automation.
Figure 9(b), shows example automation workflow of compromised cloud identity incident response from native cloud security detection tools.
Figure 10, shows flowchart of an Hyperautomation with autobotAI Cloud detection and response automation platform.
Figure 11(a), shows a screenshot of automation bot development user interface that shows noCode, LowCode based drag and drop workflow creations.
Figure 11(b), shows a screenshot of automation bot development user interface where complex Cloud operations and security operation workflow is created by doing drag drop of automation nodes to automation development canvas.
Figure 12(a), shows a screenshot of a custom dashboard that allows customers to build their own high level view of automation executions and security violation dashboards.
Figure 12(b), shows a screenshot of Insight view user interface that highlights different GRC (Governance, Risk and compliance) based violations mapped with different compliance standards to help automation engineers to do task mining and process mining for automation workflow development.

The figures are merely for illustration purposes and shall not be construed to limit the scope of the invention.
Detailed Description of the Invention
It should be noted that the particular description and embodiments set forth in the specification below are merely exemplary of the wide variety and arrangement of instructions which can be employed with the present invention. The present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. All the features disclosed in this specification may be replaced by similar other or alternative features performing similar or same or equivalent purposes. Thus, unless expressly stated otherwise, they all are within the scope of present invention. Various modifications or substitutions are also possible without departing from the scope or spirit of the present invention. Therefore, it is to be understood that this specification has been described by way of the most preferred embodiments and for the purposes of illustration and not limitation.
The present invention provides an Hyperautomate SoC and CCoE operations with LLM powered autobotAI platform designed to streamline cloud operations and security across multiple cloud platforms such as AWS, Azure, GCP, Kubernetes and multiple security tools; said platform utilizes no-code, low-code and full custom code workflows to automate a vast array of IT and cloud security tasks, making cloud management effortless at scale.
The present invention provides a Hyperautomation with autobotAI Cloud detection and response automation platform that integrates generative AI for intuitive workflow automation. The platform stands at the convergence of cloud operations management with AIOps (artificial intelligence for cloud operations). By combining the capabilities of hyperautomation and AI-driven decision-making, the platform offers a holistic approach to managing and securing cloud infrastructures across multiple platforms, including AWS, Azure, GCP and workloads like kubernetes.
It is an automation platform that helps users in creating, managing and deploying automation workflows without extensive programming knowledge. The said platform also provides a low-code, visual interface for building automation workflows, which can integrate with a wide range of services and integrations, such as AWS, Azure, GCP, and more. The said platform provides a centralized, user-friendly interface that allows Security and IT team users to configure integrations, design workflows, and monitor automation performance with a highly accurate and useful visualization via a 360-degree view. Operational excellence can be measured with a custom dashboard and adjustments can be made as needed to align with evolving operational demands. This iterative process ensures sustained operational excellence and maximizes the benefits of hyperautomation. Users can access the platform via web browser by signing up for a SaaS model or deploying a dedicated autobotAI Workspace within their cloud environment.
The platform emphasizes proactive security measures by doing task mining and process mining from insight capabilities like posture assessment, identity and access management automation, Inventory and compliance monitoring. It also integrates contextual awareness and event-driven architecture for advanced threat detection and response. The said platform automates repetitive cloud management tasks, including resource provisioning, cost optimization, and incident management, reducing manual workload and improving operational efficiency.
Hyperautomation with autobotAI Cloud detection and response automation platform provides both cloud and security use cases. The process involves logging in to the platform, integrating cloud services with operation tools and creating a bot via the drag and drop based development UI. Bot data harvester nodes collect data; this data is then evaluated by AI nodes and deterministic condition nodes, and then filtered with low code or full code-based nodes to execute mundane tasks. The drag-and-drop builder streamlines automation: it creates reusable building blocks for bots with autobotAI's intuitive GUI, and builds bots with effortless drag-and-drop functionality. Resource inventory keeps track of the data and makes it easily available when required. autobotAI's bots feature approval systems, ensuring that all bot actions are verified and approved. The platform also supports integration with various cloud platforms, communication tools (MS Teams, Google chat) and security solutions (e.g., Trend Micro, Crowdstrike, Palo Alto, Wiz, SentinelOne etc.) and employs generative AI to offer intuitive workflow automation, including event-driven architecture for threat detection and response, identity and access management and compliance tracking.
Integration begins by choosing from a wide array of platforms such as AWS, Azure, GCP, Kubernetes, and more. The intuitive interface makes it easy to start the integration process with just a few clicks. The cloud integration provides a set of methods for managing multiple cloud IaaS, PaaS and SaaS resources, such as creating, updating, and deleting EC2 instances, S3 buckets or cloud identities. Similarly, the Microsoft Teams, Slack and Google Chat type communication integrations provide methods for sending messages to enhance collaboration for human approval before executing any critical operations. Users can also create custom integrations by using webhooks and HTTPS-based API calling nodes. By automating routine IT and security tasks, autobotAI not only frees up the SOC team and CCoE team's time but also reduces the risk of human error. Continuous monitoring, real-time threat detection, and automated remediation keep the digital assets protected around the clock.
The effortless drag and drop builder streamlines automation, and the resource inventory keeps track of the data so that it can be made available when required. The said platform also includes enterprise-level security and certification, ensuring a safe and reliable platform for business. It also provides an option of self-hosting so that companies can maintain complete control over their data and security.
A Bot is an automated unit for remediation that runs an automation based on data from a data source (either a Fetcher or Listener) and is filtered through an Evaluator. An event-driven bot is a type of bot that is triggered by specific events or actions taken by users and are designed to automatically initiate a conversation or perform specific tasks based on pre-defined events or conditions. A scheduled bot is a type of chatbot that runs on a predetermined schedule or at specific intervals. Unlike event-driven bots, which are triggered by specific actions or events, scheduled bots operate according to a pre-defined schedule, regardless of user inputs.
Fetcher nodes, available with no-code, low-code or full-code flexibility, are building blocks of the bots that collect information from various integrations. A fetcher is used to fetch all the resources for the given data source from the available integration. It requires an integration such as AWS, Azure or GCP to fetch the resources so that any action can be performed on these resources.
Listener-type nodes are the building blocks of the automation workflow that trigger based on events submitted by cloud or security tools. A listener is used to provide an endpoint for all the applications that want to send data to autobotAI and offer resources to the application to run automations on. Listeners require no code writing and are created within the application. Listener-type automation nodes can integrate with any platform to trigger an automation workflow.
Fleet terminology is used when group automation is applied to a group of integrations. It is also a way to manage multiple bots and configure them at a central location. Configuration items like Global Communication Channel, default listener, multiple integrations, global evaluator etc. can be set through this. Once the fleet is ready it can be deployed to multiple integrations (e.g. AWS accounts).
Workspace offers a cloud-based automation platform powered by an AI engine that enables users to build and deploy automation bots at scale. The automation workspace can be deployed in the customer’s cloud account, which means that the customer has full control of the data and of the permissions and trust granted to the deployed platform. The present invention supports deployment of the workspace in AWS accounts that handle the underlying serverless infrastructure, security, and scalability, while users focus on their automation bot workflows. The platform on an AWS workspace allows users to create customized scalable services that scale up or down based on the size and complexity of their automation workloads. Users can customize these services to include different compute and networking configurations. The platform can also be integrated with a cloud identity system such as AWS Cognito to authenticate users with built-in users or single sign-on. This allows user authentication for automation engineers to be managed and protected easily. In its current state, the workspace uses AWS ECS and AWS Lambda to run the automation workflow service for operations automation in AWS. This integration allows users to take advantage of powerful serverless compute while also leveraging the collaborative, no-code and low-code environment of the platform.
Platform workspace uses serverless components and AWS API Gateway to securely connect with the frontend. It also provides AWS cloud-native security and availability controls for using automation services. Platform workspace uses a NoSQL database, a graph database and cloud object storage to store metadata and bot-related data in non-relational databases. With the databases kept private in the customer’s own VPC, the customer fully controls and owns the data generated and stored by the automation workflow bot management platform. Platform workspace on AWS provides a number of security and compliance features, such as role-based access control, encryption, and compliance with industry standards like RBI, CIS, PCI DSS, HIPAA and GDPR. Users can also take advantage of AWS security features, such as AWS Identity and Access Management (IAM) and Virtual Private Cloud (VPC), to further secure automation workflows.
Deployment of the automation workspace can be performed in AWS, and this AWS account handles the underlying infrastructure, security, and scalability, while users focus on their automation bot workflows. The platform on an AWS workspace allows users to create customized scalable services that scale up or down based on the size and complexity of their automation workloads. Users can customize these services to include different compute and networking configurations. The platform can be integrated with the AWS Cognito service to authenticate users with built-in users or single sign-on. This allows user authentication for automation engineers to be managed and protected easily.
An automation account is recommended in workspace-based deployment because it is used to authenticate and authorize access to external systems, services, and resources that the automation bots may need to interact with during their execution. By creating an automation account, users can securely store and manage the credentials, keys, and other secrets needed for that access in the secured automation account, without exposing them in clear text to the automation environment. This ensures that the bots can perform their tasks without compromising security or violating compliance regulations.
AutobotAI's "Insight" is a powerful feature that gives users a comprehensive view into their cloud configurations and resources. Not only does it assist in identifying misconfigurations across multiple platforms, but it also provides an in-depth inventory of cloud and Kubernetes resources. It scans and reports misconfigurations across AWS, Azure, GCP, and Kubernetes. Users can also view their inventory in various formats such as graph view, tree view, and even perform ad-hoc resource searches. It can also check for the compliance violations across several standards for different cloud platforms.
An automation account needs to be created so that the user can securely store and manage the credentials and keys needed to access these systems and resources, without exposing them in clear text to the bot code or other users. Before autobotAI can be used, an account must be created by:
• navigating to the autobotAI sign-up page;
• entering the details;
• verifying the email address by clicking on the verification link;
• logging in to the autobotAI dashboard using the essential credentials.
After signing up to the platform, the first thing to be decided here is whether to use autobotAI workspace or autobotAI SaaS.
If workspace is selected, the process of deploying the first workspace is as follows:
• Go to the Workspaces page by clicking on Settings in the top right and then clicking on Workspaces;
• click on + New;
• fill in the fields:
o AWS Integration ID: Account where the workspace will be deployed,
o Admin Email: Email for the admin account of this workspace,
o Admin Password: As the name suggests, password for the admin access,
o AWS Region: Region in which this workspace will be deployed on AWS,
o Workspace Name/Sub-domain: Enter the sub-domain name for your workspace,
o Cloud9 User ARN: An IAM User in the account which will be able to get access to Cloud9 that has access to the database,
• Click on Create.

NOTE: The current workspace feature is supported with AWS deployment, but the same workspace can also be deployed to any other cloud platform or to an on-premises Kubernetes environment.
Once deployed, automation bots can be built, deployed and managed within the workspace.
After the workspace deployment, the next stage involves integrating cloud accounts (AWS, Azure, GCP, OpenStack etc.) and communication tools (MS Teams, Google Chat, Email, etc.). This integration allows autobotAI to interact with your cloud resources and send notifications or gather approvals when necessary.
The process for connecting an integration is as follows:
• Go to the Integrations page by clicking on Integrations in the left side panel;
• Select the integration by clicking on AWS;
• Enter the information in the fields:
o Account Name/Alias: Enter a meaningful alias for the integration
o Groups: Work like labels for different environments, business units or logical segregation of resources; the customer can organize multiple integrations into different groups
o Default Discovery Bots: These out-of-the-box bots help to see stats of AWS accounts, for example how many S3 buckets are in the account;
• Click Next;
• Select Execution Method -- Automated is pre-selected;
• Click Next;
• Before Clicking on Launch Stack;
• After clicking on Launch Stack, the user is redirected to the AWS account to deploy an AWS CloudFormation stack;
The process to create a fleet is as follows:
• Log in to the application;
• On the left-hand side, in the sidebar, click on Fleets;
• On the right-hand side, click on + New;
• In the center top, title the fleet;
• Select bots and/or templates;
• Click on Next on the right side;
• (Optional) Set overrides.
• Evaluator JSON
  JSON rules for evaluator
  • Click on Set Evaluator Json.
  • Enter JSON in the text field
    • id: unique id of the evaluator
    • rules: array of rule objects
      o id: unique id of the rule
      o field: the field which the rule will evaluate
        Possible values: id, name, createdOn, isPublicRead, isPublicWrite, tags.Key, tags.Value, region
    • operator: type of evaluation operation
        Possible values: begins_with, not_begins_with, between, not_between, contains, not_contains, ends_with, not_ends_with
    • valueSource: where the value is coming from
    • value: the actual value of the evaluator
    • combinator: the combination operation type
        Possible values:
        o and: logical and operation
        o or: logical or operation
    • not: boolean used to negate the rule. The opposite of the rule is true if value of this field is false. You can also nest the rules
• Approval integration
  Integration for sending approval notifications.
  o Choose Type.
  o Choose an Account Id (integration id).
  o Choose an Automation (integration action).
• Click on DONE.
• Now hover on the fleet and select Deploy.
• Select all the integrations to be deployed to and save. The fleet will now create all the bots.
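The evaluator JSON described in the steps above can be exercised offline with the sketch below, which is an added example and not the platform's own evaluator. It assumes that the rule keys sit inside each rule object, that `combinator` and `not` apply to the enclosing group, that `"not": true` inverts the group, and that `valueSource` takes the literal `"value"`; the `equal` operator comes from the bot-creation steps later on this page, and all sample data is constructed.

```python
import json

# Constructed evaluator document (not from the platform). Assumptions: rule keys
# sit inside each rule object, combinator/not apply to the enclosing group,
# nested groups reuse the same shape, and valueSource "value" means a literal.
EVALUATOR = json.loads("""
{
  "id": "eval-public-write-prod",
  "combinator": "and",
  "not": false,
  "rules": [
    {"id": "r1", "field": "isPublicWrite", "operator": "equal",
     "valueSource": "value", "value": true},
    {"id": "r2", "combinator": "or", "not": false, "rules": [
      {"id": "r2a", "field": "name", "operator": "begins_with",
       "valueSource": "value", "value": "prod-"},
      {"id": "r2b", "field": "tags.Value", "operator": "contains",
       "valueSource": "value", "value": "production"}
    ]},
    {"id": "r3", "field": "createdOn", "operator": "between",
     "valueSource": "value", "value": ["2024-01-01", "2024-12-31"]}
  ]
}
""")

# Constructed fetcher output: five buckets, two of which should be selected.
SAMPLE_RESOURCES = [
    {"id": "b-1", "name": "prod-invoices", "createdOn": "2024-03-02",
     "isPublicWrite": True, "tags": [{"Key": "env", "Value": "production"}]},
    {"id": "b-2", "name": "dev-scratch", "createdOn": "2024-05-10",
     "isPublicWrite": True, "tags": [{"Key": "env", "Value": "dev"}]},
    {"id": "b-3", "name": "prod-logs", "createdOn": "2024-06-01",
     "isPublicWrite": False, "tags": []},
    {"id": "b-4", "name": "archive", "createdOn": "2023-11-20",
     "isPublicWrite": True, "tags": [{"Key": "stage", "Value": "production-eu"}]},
    {"id": "b-5", "name": "shared-assets", "createdOn": "2024-02-14",
     "isPublicWrite": True, "tags": [{"Key": "env", "Value": "production"}]},
]

# Positive operators; a "not_" prefix on the operator name inverts the result.
OPERATORS = {
    "equal": lambda actual, expected: actual == expected,
    "begins_with": lambda a, e: isinstance(a, str) and a.startswith(e),
    "ends_with": lambda a, e: isinstance(a, str) and a.endswith(e),
    "contains": lambda a, e: isinstance(a, str) and e in a,
    "between": lambda a, e: e[0] <= a <= e[1],
}

def resolve(resource, path):
    """Return every value at a dotted path; lists such as tags fan out."""
    current = [resource]
    for part in path.split("."):
        found = []
        for item in current:
            for candidate in (item if isinstance(item, list) else [item]):
                if isinstance(candidate, dict) and part in candidate:
                    found.append(candidate[part])
        current = found
    return current

def match_rule(rule, resource):
    """Evaluate one leaf rule; malformed rules raise instead of matching."""
    if rule.get("valueSource", "value") != "value":
        raise ValueError(f"unsupported valueSource in rule {rule.get('id')}")
    name = rule["operator"]
    negated = name.startswith("not_")
    test = OPERATORS.get(name[4:] if negated else name)
    if test is None:
        raise ValueError(f"unknown operator {name!r} in rule {rule.get('id')}")
    values = resolve(resource, rule["field"])
    if not values:
        return False  # fail closed: a missing field never selects a resource
    try:
        hit = any(test(value, rule["value"]) for value in values)
    except TypeError:
        return False  # incomparable types count as no match
    return not hit if negated else hit

def evaluate(node, resource):
    """Evaluate a group (has "rules") or a leaf rule against one resource."""
    if "rules" not in node:
        return match_rule(node, resource)
    results = [evaluate(child, resource) for child in node["rules"]]
    if not results:
        return False  # an empty group must not send every resource to an action
    combinator = node.get("combinator", "and")
    if combinator == "and":
        outcome = all(results)
    elif combinator == "or":
        outcome = any(results)
    else:
        raise ValueError(f"unknown combinator {combinator!r}")
    return not outcome if node.get("not", False) else outcome

def select(evaluator, resources):
    return [r for r in resources if evaluate(evaluator, r)]
```

Two choices here are deliberate for evaluators that feed mutating automations: an empty rule group and a missing field both evaluate to false, so a half-written evaluator selects nothing rather than everything.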
A fleet is a group of bots and also a way to manage multiple bots and configure them at a central location. Configure things like the Global Communication Channel, default listener, multiple integrations, global evaluator etc. Once the fleet is ready, deploy it to multiple integrations (e.g. AWS accounts).
A fleet can be viewed by logging in to the application, navigating to the sidebar and clicking on Fleets. The name of the fleet can also be selected here.
Removal of templates/bots for a fleet
• Log in to the application.
• On the left-hand side, in the sidebar, click on Fleets.
• Select the Fleet you want to add templates to.
• Add and remove the templates that you want for the fleet.
• Click on Save. The Bots will be created/removed according to the changes.
Removal of integration to a fleet
• Log in to the application.
• On the left-hand side, in the sidebar, click on Fleets.
• Hover over the Fleet you want to add integrations to and select Deploy.
• Add and remove the integrations as needed.
• Click on Save. The Bots will be created/removed according to the changes.
The process described below is for creating a security bot.
• Go to the Bots page by clicking on Bots in the left panel;
• click on +New;
• select Scheduled Bot;
• fill in the fields:
o Name: Enter a meaningful name for the bot.
o Topic: Topic for the bot, e.g. Making S3 Buckets Private in this case.
o Category: Select Security
o Importance: As you will be running this bot, you can choose whatever level of importance you prefer.
o Integration: Select the cloud integration (e.g. AWS, Azure, GCP or Kubernetes resources) and the integration connected earlier.
o All the other fields are not necessary, but you can fill them in if you would like.
• click on OK;
• select the fetcher that was made earlier from the dropdown;
• click on OK;
• click on + on the side of the fetcher box;
• click on the pen and paper symbol (edit symbol) of the next box that appeared (evaluator box);
• click on +Rule;
• in the new line, in the first dropdown (from the left), select isPublicWrite;
• moving on to the other dropdowns in the same line as in Step 11, in the second dropdown, select equal;
• in the third field, enter True.
In this configuration example, the rule takes all the cloud object storage buckets that the fetcher nodes returned, checks which of those buckets have their isPublicWrite attribute set to True, and then sends them to the action.
• click on OK;
• click on the + on the evaluator box;
• click on the edit symbol on the action box;
• select the automation created earlier from the dropdown;
• click on OK;
• click on Create
There are two types of bots on the platform, event-driven and scheduled; only a scheduled bot can be run manually.
Described below is the procedure to create a bot
• log in to the application;
• select Bots in the left-hand menu;
• select the ‘New’ button on the right-hand side.
Described below is the procedure to create an event-driven bot
• Choose Event Driven Bot (with a Listener data source);
• fill in the required details, such as the name of the Bot, title, category, severity, etc.;
• fill in the integration details, which correspond to the integration type and integration ID for the Automation in Event Driven Bots;
• after filling in the details, select the "OK" button at the bottom;
• select the desired Listener from the new window that appears, which displays all Listeners that have run/been called successfully at least once;
• add an Evaluator to the Bot by clicking the (+) button;
• add a rule to the Evaluator by clicking the (+) Rule button and selecting the attribute, operation, and value to be evaluated against;
• Click "OK" and save the Evaluator.
Described below is the procedure to create a scheduled bot
• Choose Scheduled Bot (with a Fetcher data source);
• fill in the required details, such as the name of the Bot, title, category, severity, etc.;
• fill in the integration details, which correspond to the integration type and integration ID for the Automation in Scheduled Bots;
• after filling in the details, select the "OK" button at the bottom;
• select the desired Fetcher from the new window that appears, which displays all Fetchers that have run/been called successfully at least once;
• add an Evaluator to the Bot by clicking the (+) button;
• add a rule to the Evaluator by clicking the (+) Rule button and selecting the attribute, operation, and value to be evaluated against;
• click "OK" and save the Evaluator;
• to add Automations, click the (+) button on the Evaluator for the desired number of actions;
• edit the Action by choosing the Automation Type, either Take Action (Mutation) or Notify (Communication);
• select the Automation to run after the resource has passed through the Evaluator;
• update any required parameters for the Automation;
• if an approval is necessary, select the Approval Automation and the approval integration;
• click "OK" to save the Action details and "Save" to complete the Bot creation.
Described below is the procedure for running a bot
• Go to the Bots page by clicking on Bots in the left panel.
• Click on the three dots on the right of the box of the bot you want to run.
• Click on Run Now.
An automation is a building block for bots. Any action to be taken as part of the bot execution is an automation. Examples: send a message to a Teams channel, delete an S3 bucket, update an Azure Network Security Group rule etc.
Automations can be viewed as follows:
• log in to the platform;
• from the left pane navigate to Bot Building Blocks -> Automations;
• a list of existing automations will be presented;
• click on any of the Automations to see the details.
The process for creating an automation is as follows:
• From the left pane navigate to Bot Building Blocks, where a list of existing automations will be presented;
• Click on + New;
• Automations are specific to integration types, i.e. AWS, GCP, Conformity etc. Select the Integration Type from the dropdown. Fill in the details like
o Automation name: any meaningful name can be given to the automation.
o Clients: Automations require clients to operate. The selected clients will be prepared by the platform and passed to your code; all the authentication is done by the platform system.
Example AWS: select s3, ec2 or any other available clients.
Example Azure: Compute Management Client, Resource Management Client etc.
o Automation type:
Mutation: This indicates that the automation will perform an activity that mutates your resources, like adding tags to a resource, deleting an S3 bucket etc.
Communication: This type indicates that the automation will not do any mutation and will only notify on different platforms like Teams, SMS, Slack etc. This type is mostly needed if you are using a new communication integration which is not available in the platform by default.
o Parameters
The parameters are defined here and a default value is provided. While building the bot, you can override the parameters.
The parameters will be passed on to the Automation when it is executed. These are static params available to the automation.
Example: The Teams message default title and body are provided here, but while building the bot I want to have a specific title when the message is sent out to Teams for that specific bot.
Example: The automation adds a tag to an AWS resource; while building the bot, you can specify the tag name and tag value.
o Approval
This indicates whether the automation requires approval. In most mutation cases approval is required, whereas for communication approval is not required. This depends on the type of mutation: for example, if you are just adding a new tag to a resource, approval is not required, but when you are updating or deleting something it is advisable to have approval enabled.
o Code
This is the Python code that will run when the automation is executed.
Sample code will be provided, and the same format has to be used while building a custom automation.
The function signature is as follows:
def execute(clients, params, resources=[], test=False):
    # your code
    return resources
• The function's parameters are:
1. clients: The same clients you selected above from the multiselect dropdown.
2. params: The same parameters defined while creating the automation.
3. resources: The list of resources the automation will act upon.
4. test: This is for testing purposes, so you can define a dry run for the automation while testing.
• The function must return a list of resources with relevant details, such as whether the action succeeded or failed.
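As an added example (not the platform's sample code), here is a mutation automation that follows the `execute` signature above and blocks public access on the buckets passed to it, with the `test` flag used as a dry run. It assumes `clients` is a dict keyed by client name, that each resource is a dict with `name` and `isPublicWrite`, and a hypothetical `exempt_buckets` parameter; `StubS3Client` is a constructed offline stand-in for the boto3 S3 client.

```python
# Settings for the S3 PutPublicAccessBlock call; all four enabled blocks public access.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


class StubS3Client:
    """Constructed offline stand-in for a boto3 S3 client; records calls only."""

    def __init__(self, fail_for=()):
        self.calls = []
        self.fail_for = set(fail_for)

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        if Bucket in self.fail_for:
            raise RuntimeError("AccessDenied (constructed failure)")
        self.calls.append((Bucket, PublicAccessBlockConfiguration))
        return {}


def execute(clients, params, resources=[], test=False):
    """Block public access on each bucket handed over by the evaluator."""
    s3 = clients["s3"]  # assumption: clients is a dict keyed by client name
    exempt = set(params.get("exempt_buckets", []))  # hypothetical parameter
    results = []
    for resource in resources:
        outcome = dict(resource)  # report on a copy; the input list stays untouched
        bucket = resource.get("name")
        if not bucket:
            outcome.update(status="failed", detail="resource has no name")
        elif bucket in exempt:
            outcome.update(status="skipped", detail="bucket is exempt")
        elif resource.get("isPublicWrite") is not True:
            # Re-check the attribute so a loose evaluator cannot widen the action.
            outcome.update(status="skipped", detail="bucket is not publicly writable")
        elif test:
            # Dry run: report what would change without calling the API.
            outcome.update(status="dry_run", detail="would block public access")
        else:
            try:
                s3.put_public_access_block(
                    Bucket=bucket,
                    PublicAccessBlockConfiguration=dict(PUBLIC_ACCESS_BLOCK),
                )
                outcome.update(status="succeeded", detail="public access blocked")
            except Exception as exc:  # keep going; report the failure per resource
                outcome.update(status="failed", detail=str(exc))
        results.append(outcome)
    return results
```

Returning a per-resource status, including skipped and failed entries, gives the approval and notification steps an accurate record of what the mutation did and did not change.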
Testing of an automation is provided. To test an automation, click on the name of the automation in the left panel, then click on Test in the top right corner. After that, select the integration to test with (select the AWS integration), input params if any, and then click on Run.
Provided below is the procedure to create a fetcher
• Click on Fetcher in the left sidebar;
• click on +New;
• then choose the integration type;
• give a name to the fetcher and select the client;
• provide code under the code section;
• click on Create.
Described below is the procedure to test a fetcher
• click on Fetcher in the left sidebar;
• click on the fetcher to be tested;
• click on Test in the top right;
• then select the integration in which it is to be tested.
Described below is the procedure to create a listener
• log in to the application;
• select Listener from the side menu;
• select +New;
• select the webhook name and description;
• copy the secret and URL and use them in the third-party application.
A listener is automatically considered tested after it is called at least once.
Described below are the steps for using the Conformity listener
• Open the Conformity Dashboard.
• Select an account from the list of all accounts.
• Click on the Settings option.
• Go to the Communication Settings section.
• Click on the Update Communication Settings option.
• Click on the Configure option in the Webhooks section.
• If a Webhook Channel is present and you wish to use it for the listener, click on Configure Now. If not, click on Create Another Webhook Channel.
• Click on Configure Webhook.
• Copy and paste both the URL and secret token into their respective fields.
• Click on the Save button.
Accessing the API (application programming interface) requires an authorization header. The general format for authorization is:
Header - Authorization | Value - ApiKey ApiKeyId:ApiKeySecret
The command-line interface can be used on Linux/macOS and on Windows.
For Linux/macOS, enter the following command, replacing API_URL, ApiKeyId, and ApiKeySecret with the relevant values:
curl API_URL --header "Authorization: ApiKey ApiKeyId:ApiKeySecret"
For Windows, using the Command Prompt (not PowerShell), enter the following command, replacing API_URL, ApiKeyId, and ApiKeySecret with the relevant values:
curl API_URL -H "Authorization: ApiKey ApiKeyId:ApiKeySecret"
The Postman application works on Windows and on Linux/macOS. It simplifies each step of the API lifecycle and streamlines collaboration for better creation of APIs. In Postman, select GET as the request type and enter the API URL; then, in the headers section, enter Authorization as the key and ApiKey ApiKeyId:ApiKeySecret as the value, and finally click SEND.
To interact with the OpenAI API, authorization must be set up using an API key. The following are the steps for obtaining an API key, adding it to the application and removing an existing one:
Obtaining the API key
• Visit the OpenAI website;
• log in to the account or sign up;
• navigate to the API section to find the API key.
Adding the API key to the application
• Go to the account settings
o Visit autobotAI;
o log in to the account;
o navigate to account settings.
• Navigate to AI Management
o In the account settings, find and click on the "AI Management" section.
• Select engine as Open AI
o Within the AI Management section, locate the option to select the engine;
o choose "Open AI" as your preferred engine.
• Enter the API key and submit
o Look for the field to enter the API key;
o paste or type the OpenAI API key into the designated field;
o click on the "Submit" or "Save" button to save the API key.
Removing an existing API key
If an API key is already present and needs to be removed, the following steps are required:
• Navigate to account settings
o Visit autobotAI;
o log in to the account;
o go to account settings.
• Access AI Management
o Within the account settings, locate and click on the "AI Management" section.
• Remove the existing API key
o Find an option such as "Remove Existing API Key" or a similar action;
o click on the appropriate button to remove the existing API key.
• Confirmation
o Confirm the removal when prompted.
The working of cloud detection and response automation is briefly described below:
o data from cloud platform tools, security tools and monitoring & development tools is sent to fetchers and listeners;
o after the data has been processed by fetchers and listeners, it is sent to probabilistic evaluation and deterministic evaluation;
o after evaluation, the data is sent for user approval, after which the tasks are executed and notifications or real-time notifications are sent.
The React library, a front-end development toolkit used by developers to handle the view layer of the application, is connected with the auth service, an identity verification mechanism for apps, websites or software systems designed to authenticate the identity of the user. The auth service sends authenticated data to the Python FastAPI backend, from where it is split between MongoDB and DynamoDB. MongoDB is a NoSQL, document-oriented, general-purpose database management system, optimized for low latency, high throughput and high availability, that stores data as collections of documents. DynamoDB, on the other hand, is a fast and flexible NoSQL database suitable for all applications that need low latency, ideal for document and key-value models. Both databases also manage data from queue bot jobs on the producer side, while queue bot jobs on the consumer side are managed by Kubernetes clusters and DynamoDB. A Kubernetes cluster is a set of nodes that runs containerized applications; clusters allow applications to be more easily developed, moved and managed.
Use cases that automate remediation of findings from CSPM (cloud security posture management), KSPM (Kubernetes security posture management), and DSPM (data security posture management) tools leverage advanced algorithms to trigger context-aware remediation workflows. For critical production environments, the system escalates issues with urgent notifications requiring human approval, ensuring that changes are reviewed thoroughly to mitigate risks. This approach ensures that security postures are strengthened across all deployment stages, with human oversight preserved for critical decisions, thereby optimizing the balance between speed and security.
autobotAI provides the flexibility to connect to any tool that has an API, whether a security tool, cloud platform or custom application. It also allows managing which users in the organization can access or see which integration and take action, further enhancing the security and authentication of the platform.
Described below are the day 1 and day 2 operations of security use cases.
Day 1 operations
1. Identity and Access Management for AWS, Azure, GCP, K8S etc.
2. Deployment of security controls and tools during OS and cloud resource provisioning.
3. DevSecOps Pipeline deployment automation.
4. OS hardening based on CIS compliance
5. Baseline Security Audit
6. Configuration of code repository merge rules as per security best practice
Day 2 operations
1. Continuous Threat detection and response
2. Risk based automated Security Patch Management
3. Least privilege enforcement automation
4. Guided Threat hunting automation
5. Compliance violation remediation automation
6. IoC enrichment with multiple platform integration.
7. User Behavior Analytics based response automation.
8. Enriched Incident Reporting and Alerting automation
Described below are the day 1 and day 2 operations of cloud use cases
Day 1 operation
1. Provisioning of Monitoring controls
2. Kubernetes cluster setup as per the business and security team’s guidelines
3. Deployment and configuration of network best practices setup for VPCs and vNETs
4. Configuration of backup and logging policy at cloud account level and enabling required services.
5. Cloud Access Management automation
6. OS golden image generation and delivery pipeline
Day 2 operation
1. Availability monitoring and response automation when application goes down.
2. Cost optimization of unused resources with approval system.
3. OS level Log storage cleanup.
4. Automated Data lifecycle policy enforcement at object storage.
5. Performance Monitoring based response automation to avoid application outage.
6. Disaster Recovery playbooks
7. Network Optimization and Security
8. Incident Response based on application Log Analytics.
In cloud-native incident response automation, findings from Security Command, GuardDuty and Defender are fetched by a NoCode fetcher, a component that retrieves information from a specified source. This information can be used by automations to perform various tasks, such as updating security groups or sending messages. The fetched data is then sent for enrichment, which adds telemetry to the threat alert; this can be done by various services, for example VirusTotal, AbuseIPDB and ipinfo.io. It then passes to deterministic conditions to block an IP address, where the data can be filtered and the platform protected. It is then examined by the security operations center (SOC), which detects and analyzes cyber threats.
In compromised key response automation, a developer uses a GitHub public repository. The public repository is managed by a third-party tool for secret detection and by cloud-native secret exposure detection. After the data has been processed by these, it is fetched into the autobotAI listener and then sent to deterministic conditions that check the permissions attached to the identity. There is a provision to add a permission boundary and disable the compromised keys that are encrypted. The SOC team approves, and a notification is sent to the user.
In IAM Least Privilege Enforcement Automation, least privilege means limiting user and process access to the minimum required to perform their jobs. Data is fetched into the NoCode fetcher from the analyzers (AWS Access Analyzer, GCP Policy Analyzer, Azure access review). Here, AI identifies the context of the identity and the over-permissive resources, after which the risk impact of the policy change is evaluated. CloudOps approves, enforcing least privilege at IAM.
A just-in-time service is provided with a self-service app, self-service portal, trigger workflow and NoCode fetcher. The NoCode fetcher receives its data from AWS Identity Center, AWS IAM, Azure AD and GCP IAM. Data from the fetcher goes through business-reason validation and impact analysis and then through deterministic condition filters, after which it is approved by the IAM team.
AWS CloudWatch notifies when storage is full, using a listener-based trigger and a deterministic condition to trigger the action, which is then sent to the CloudOps team for approval. If there are any log-related issues, cleanup is also provided to deal with them. Provision for increasing the EBS volume and extending the filesystem is also present.
Threat hunting and response automation integrates with Amazon Security Lake for streamlined incident response automation. Leveraging AI-driven workflows and enriched threat intelligence, it empowers SOC teams to swiftly mitigate security threats with high-confidence, precise responses. Threat intelligence-integrated incident response automation streamlines the handling of security events and alerts by correlating, enriching, and prioritizing incoming data from various sources. By integrating threat intelligence (TI) feeds, the system enhances event context, automates containment, investigation, and remediation actions, and efficiently manages block lists. Additionally, it facilitates communication and coordination with IT, developers, and business owners for comprehensive incident management. This automation not only accelerates response times but also ensures that security measures are dynamically updated based on the latest threat intelligence, significantly improving the efficiency and effectiveness of SOC operations.
Risk-based patch management automation is an IT security strategy in which organizations prioritize the patching or remediation of software vulnerabilities according to the risk they pose to the organization. Automated patch management systems typically provide centralized control and reporting capabilities. In this system, data is fetched by the NoCode fetcher from Amazon Inspector, Trivy, Microsoft Defender for Cloud and GCP Security Command Center. AI then calculates the risk with the context of the identified vulnerability, and the finding is investigated in Jira; a ticket in Jira, or any other service desk platform, is an event that must be investigated or a work item that must be addressed. It is then approved by the development team through AWS SSM patch deployment, Azure Update Manager and GCP OS patch management.
Compromised cloud identity incident response is a security approach used to detect and respond to threats targeting identities and identity-based systems. It combines advanced detection techniques with rapid response strategies to identify and mitigate risk and enhance the security of the system. This can be done by the SOC response team enabling or adding a permission boundary or disabling the compromised identities. Rotating keys saves the previous version of the cryptographic material to decrypt the data.
Figure 1 represents the flow diagram of the interaction between the present invention’s AWS account and the customer/partner AWS account. The customer/partner AWS account has Cognito for authentication and SSO (single sign-on), an authentication scheme allowing a user to log in with a single ID to any independent software. The platform backend provides Fargate for container agent-based automation, where containerizing the agent avoids rewriting the application, together with the automation bot backend and an SQS queue. AWS DocumentDB is used for bot data and AWS DynamoDB for application data.
Figure 2 represents the architecture of the platform, in which the React library, a front-end development toolkit used by developers to handle the view layer of the application, is connected with the auth service, an identity verification mechanism for apps, websites or software systems designed to authenticate the identity of the user. The auth service sends authenticated data to the Python FastAPI backend, from where it is split between MongoDB and DynamoDB. MongoDB is a NoSQL, document-oriented, general-purpose database management system. DynamoDB, on the other hand, is a fast and flexible NoSQL database suitable for all applications that need low latency, ideal for document and key-value models. Both databases also manage data from queue bot jobs on the producer side, while queue bot jobs on the consumer side are managed by Kubernetes clusters and DynamoDB. A Kubernetes cluster is a set of nodes that runs containerized applications; clusters allow applications to be more easily developed, moved and managed.
Figure 3(a) represents the operational investment of the system. The chart shows operations without automation and operations with hyperautomation with respect to operational cost and time. Operations without automation require extra operational cost and technical debt for CCoE governance and for the cloud operations, DevOps operations and security operations teams, whereas with hyperautomation from autobotAI the operational cost is reduced: after security adoption, the platform uses a self-service-first approach (day 1 operations), X as code, and automated day 2 operations, thereby reducing technical operations and operational cost.
Figure 3(b) represents the automation bot development process. Through a process of task mining, experts identify repetitive, time-consuming tasks within security operations that are ripe for automation. The process then involves developing the building blocks for the bot and later integrating them with each other for full bot development. Dissection involves breaking the requirement down into small reusable automations, creating a sprint around them, and then deploying the automation to the customer’s requirement.
Figure 4(a) represents cloud detection and response automation integration and automation use case examples. Integration begins by choosing from a wide array of platforms such as AWS, Azure, GCP, Kubernetes, and more, after which workflows across cloud operations and security tasks can be automated immediately. autobotAI's generative AI capabilities design custom automation workflows that fit specific needs, allowing for scalability and operational excellence. Use cases that can be automated through the CCoE and SOC include incident response, identity and access management (IAM), threat hunting, CSPM, KSPM and DSPM remediation, and CloudOps.
Figure 4(b) represents a low-level automation workflow overview with LLM agent integration and human approval. It seamlessly integrates AI into cloud management, enabling proactive actions that require user approval for optimal operational efficiency. Data from cloud platform tools, security tools, and monitoring & development tools is collected by fetchers and listeners. After collection, the data is processed by fetchers and listeners. The processed data then undergoes probabilistic and deterministic evaluation. Following evaluation, the results are presented for user approval. Approved actions are then executed, triggering real-time notifications. Regardless of user approval, data is shared on the collaboration platform.
Referring to figure 4(c), that represents the day 1 automation use case with self-service portal operational excellence advantage details for business. Day 1 includes the development and deployment including testing. The figure here shows the pathway to achieve the continuous quality with speed by clear focus on the DevTestOps and automation at the speed of Dev and right test infrastructure for Dev and test teams.
Further, the use of X as a code includes requirement as code, in which software product requirements are abstracted in a human- and machine-readable language. These codified requirements are used to generate test stubs to drive the development of the product. In pipeline as code, a software product's entire release workflow, i.e., build, test and deployment, is codified into a script. The codification of the pipelines enables the development team to build complex workflow pipelines. Infrastructure as code manages and provisions servers and networks through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Server as code is the subset of infra as code in which the configuration detail of the server is abstracted. This practice includes abstracting server configuration and dependencies in a script file, enabling teams to replicate software development and production environments with much ease. In configuration as code, which is a subset of server as code, software configuration is abstracted in a script. Network as code is a subset of infra as code in which network configuration, network infra and configuration details like DNS settings etc. are abstracted. In database as code, database schema, tables, events, triggers, keys and even data are treated as first-class citizens and codified along with the code. Compliance as code is an organizational capability to automate the implementation, verification, remediation, monitoring, and reporting of compliance status. This automation comes in the form of scripts abstracting compliance requirements in code and integrating these compliance checks into release build pipelines.
Referring to figure 5, that represents day 2 cloud and security operations automation use cases. These include patch management, which ensures that patches are deployed to all the endpoints in the network, regardless of the network's size or the geographical location of the systems, and event-driven security playbooks, which help in resolving various IT issues by automatically responding to changing conditions and managing them in real time. Changes in the system can be detected and monitored with the help of drift control automation. The use cases also include cloud platform event-driven Ops, resource lifecycle management, disaster recovery, cost optimization and service availability automation. They include self-service provisioning with configuration as code, through which software configuration is abstracted in a script, and infrastructure as code, which manages and provisions servers and networks through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Policy as code is the idea of writing code in a high-level language to manage and automate policies. Security as code is the integration of automated security measures directly into the software development process, making it an integral part of the software development life cycle.
Referring to figure 6(a), that represents cloud native incident response automation with 3rd party threat intel source integration for detection enrichment automation, in this, the findings from security command, Amazon GuardDuty findings, security command center findings and Azure defender findings are fetched on NoCode fetcher which refers to a component that retrieves information from a specified source. This information can be used by automations to perform various tasks, such as updating security groups or sending messages. Following egress data security checks, enriched telemetry is generated for threat alerts. This enrichment can be performed by various applications like VIRUSTOTAL, abuseIPDB, and ipinfo.io. Deterministic evaluations then determine if IP addresses need blocking to protect the platform. Security analysts at the Security Operations Center (SOC) examine the enriched data to detect and analyze cyber threats. This process can involve updating network firewalls and DNS rules. Ultimately, the system ensures robust threat detection, prevention, and integrates with various platforms to provide a comprehensive view of the threat landscape. The execution outcome is then communicated to the collaboration platform.
Referring to figure 6(b), that represents an example use case for incident response for compromised key response automation. In this, developers use a GitHub public repository. The public repository is managed by a third-party tool for secret detection and cloud native secret exposure detection. The data is then sent to 3rd party tools for secret detection and cloud native secret exposure detection through AWS Health service, Security Center and GCP Security Command Center. After the data has been analyzed by these, it is fetched into the autobotAI listener and then sent through deterministic conditions that check the permissions attached to the identity, after which the SOC team approves. There is a provision to add a permission boundary and disable the compromised key, which is encrypted after it has been located and disabled, and a notification is sent to notify the identity owner and further to the collaboration platform.
Referring to figure 7(a), that represents an example use case, IAM least privilege enforcement automation. Least privilege emphasizes limiting user and process access to the minimum required to perform their jobs. Data in the NoCode fetcher is fetched by the analyzers (AWS Access Analyzer, GCP Policy Analyzer, Azure access review). AI is used to identify the context of each identity and then to identify over-permissive resources; after that, the risk impact of the policy change is evaluated, CloudOps approves enforcing least privilege at IAM, and a notification is sent to the collaboration platform. The IAM-based automation use cases focus on streamlining identity lifecycle processes, such as efficient onboarding/offboarding, strict contractor management, and disabling inactive accounts. They also aim to strengthen IAM posture through auditing, Just-in-Time access, and automated investigation of anomalies, and improve the response to service requests by optimizing access approvals, simplifying self-registration, and automating permission elevation, thereby enhancing the user experience for information employees.
Referring to figure 7(b), that represents an example of self-service-based automation, Just-in-time Access with Self-Service App, developed in the autobotAI platform. Just-in-time Access with Self-Service App is an automation use case that provides a self-service portal for users to trigger request-based elevated access controls. AI-powered approvals ensure precise permissions, seamlessly integrated with AWS, Azure and GCP. Here, the self-service portal grants permission to the user and sends the request to trigger the workflow. A NoCode fetcher retrieves information from a wide range of sources such as AWS and Azure. After the business reason has been validated and the impact analyzed, the data is filtered through deterministic condition filters. The IAM team then reviews and approves the request, granting access for a designated timeframe with a pre-set revocation window. Upon execution, the collaboration platform receives a notification.
Referring to figure 8(a), that represents an example use case workflow for availability operations automation through automated log cleanup. This automation streamlines ensuring continuous application uptime. Upon detecting downtime, it automatically triggers a set of troubleshooting protocols. Monitoring tools like AWS CloudWatch alarms for storage fullness trigger listener-based actions. Data is then analyzed using deterministic conditions to trigger actions. After cloud operations team (CloudOps) approval, the automated workflow promptly checks for issues like log storage constraints and then cleans up. Otherwise, it executes predefined Standard Operating Procedures to address these problems, such as increasing the EBS volume, extending the filesystem, and creating Jira tickets. This significantly reduces the workload on CloudOps and SecOps teams by swiftly identifying, resolving, and verifying the resolution of performance, scalability, or business impact issues. This minimizes downtime and maintains operational continuity. Collaboration platforms are then notified.
Referring to figure 8(b), that represents threat hunting and response automation with security lake. Amazon Security Lake serves as the foundation for this automated threat hunting and response process. It centralizes security data from various sources, including cloud platforms, security tools, and monitoring tools. NoCode fetchers within Security Lake then retrieve and enrich the collected data. Enrichment can involve leveraging external threat intelligence platforms like VIRUSTOTAL, AbuseIPDB, ipinfo.io, and ipstack to gain additional context about potential threats. Next, an AI model analyzes the enriched data, correlating it with resource context to assess risk. This allows the system to prioritize potential threats and identify those most likely to require action. Based on the risk assessment, deterministic conditions can trigger automatic blocking of malicious IP addresses. This helps prevent further attacks from those sources. However, for certain high-risk scenarios or complex situations, the system may require Security Operations Center (SOC) team approval. In such cases, the SOC team can review the findings and take further actions, including updating network and DNS firewall rules, isolating compromised instances using AWS Systems Manager (SSM), or transferring instance snapshots to dedicated forensics account for further investigation. Following response actions, the system generates notifications and relevant information is shared with collaboration platforms.
Referring to figure 9(a), that represents Risk Based Patch Management Automation. Various tools like Amazon Inspector, trivy, Microsoft Defender for Cloud, and GCP Security Command Center actively scan environment for vulnerabilities. A NoCode fetcher gathers the vulnerability data from these scanning tools. An AI model analyzes the collected data, considering factors like vulnerability severity, affected workloads, and potential exploitability to calculate a risk score for each vulnerability. This prioritizes critical vulnerabilities that require immediate attention. Deterministic conditions, based on pre-defined risk thresholds, can trigger automated patching for high-risk vulnerabilities. For lower-risk vulnerabilities or complex scenarios, the system creates a Jira ticket, notifying the development team for review and approval. Upon approval, the system leverages platform-specific tools like AWS SSM Patch Deployment, Azure Update Manager, or GCP OS Patch Management to deploy the necessary patches. Once patching is complete, the system sends notifications to keep all relevant parties informed. Finally, the system shares relevant information with collaboration platforms, ensuring transparency and facilitating communication across development and security teams.
Referring to figure 9(b), that represents compromised cloud identity incident response from native cloud security detection tools. Security tools like Amazon GuardDuty, Entra Identity Protection, or GCP Security Command Center continuously monitor for suspicious activity that indicates a compromised identity. Upon detection, an Autobot AI Listener triggers an investigation. Deterministic conditions analyze the detected findings, prioritizing potential threats based on predefined criteria. To gain a deeper understanding of the situation, the system enriches the findings with additional contextual details. For critical incidents, the system automatically seeks approval from the Security Operations Center (SOC) team. This allows them to analyze the enriched data and make informed decisions. Based on the approval, the system can take various actions to contain the threat. This might involve adding permission boundaries to restrict the compromised identity's access or disabling it altogether. To further mitigate risk, the system automatically rotates any compromised credentials associated with the identity. The system promptly notifies the owner of the compromised identity, raising awareness and allowing them to take any necessary steps. Finally, the system shares relevant information with collaboration platforms, ensuring all security teams are informed and can take coordinated action.
Referring to figure 10, that represents the flow chart of the process. The first step is setting up the account by the user. After creating an account and signing in, it is up to the user to decide whether to choose SaaS or deploy one's own autobotAI Workspace. autobotAI Workspace offers a cloud-based automation platform powered by an AI engine. This allows users to build, deploy, and manage automation bots at scale, all within the secured boundaries of their AWS environment. For those looking for a hassle-free setup without diving deep into AWS configurations, autobotAI also offers a SaaS version. This option is ideal for smaller cloud environments and businesses looking for a quick start without infrastructure overhead. The next step involves integrating your cloud accounts (AWS, Azure, GCP, Kubernetes, OpenStack), communication tools (MS Teams, Google Chat, Slack, Email, etc.), GenAI (OpenAI, Bedrock….), Linux/Windows and many more. This integration allows autobotAI to interact with your cloud resources and send notifications or gather approvals when necessary. After integrating cloud/security/communication tools, the next step is to manage bots. Bot management includes building bots, which can be built manually or with the help of AI. After the bots have been built, they are deployed to multiple integrations, then published to the self-service portal and approved. There are two types of bots: scheduled bots and listener-based bots, also called event-driven bots. An event-driven bot is a type of bot that is triggered by specific events or actions taken by users, whereas a scheduled bot is a type of chatbot that runs on a predetermined schedule or at specific intervals. Bot management also includes dynamic GenAI-based notification, execution monitoring and traceability, and management of building blocks such as actions and listeners. After this, a request for self-service and management is initiated.
Regular review, monitoring and updating of bots to accommodate changes in the cloud environment and operational needs, along with an audit trail, is required. Compliance scans across several standards for different cloud platforms, covering compliance standards like CIS, RBI and NIST, and an inventory search report are performed by the system. Users can view their inventory in various formats such as graph view and tree view, and can even perform ad-hoc resource and dynamic inventory searches. Bots are created for compliance violations with the help of AI. Users can create, update or delete the account. The system is provided with role-based access, API key management for 3rd party integration, subscription management and workspace management. The present system utilizes a library of pre-built components for building bots, allowing for efficient bot development. The library includes actions and ready-to-deploy bots published by autobotAI, and displays varieties of bots that are ready for quick deployment. A fleet in autobotAI is a group of resources that can be managed and automated as a single unit.
Referring to figure 11(a) that represents NoCode, LowCode Drag-and-Drop Workflow Creation for creating an automation bot. Figure 11(a) shows the user interface for creating an automation bot using a no-code or low-code approach. The screen is divided into two main sections: the workflow canvas on the left and the node library on the right. The workflow canvas is where users can drag and drop pre-built nodes to create their automation workflows. Each node represents a specific action, such as sending an email or updating a database record. Users can connect these nodes together using lines to create a flowchart-like representation of their automation process. The node library, on the right side of the screen, is where users can access different types of nodes that they can add to their workflow. The nodes are organized into categories, such as "Data Operations" or "Communication". Users can browse through these categories and drag-and-drop the desired nodes onto the workflow canvas. Overall, this interface allows users with limited coding experience or no coding experience at all to create complex automation workflows without writing any code.

Referring to Figure 11(b) that represents Complex Cloud Operations and Security Operation Workflow Creation. Figure 11(b) shows a more advanced version of the workflow creation interface. In this case, the user is creating an automation that involves complex cloud operations and security checks. The screen is similar to the previous one, with a workflow canvas on the left and a node library on the right. However, the nodes in this case are much more sophisticated and represent specific actions related to cloud operations and security. For example, one of the nodes might represent a "Cloud Storage" action that allows users to upload or download files from a cloud storage service like AWS S3. Another node might represent a "Security Check" that scans uploaded files for malware or viruses. Users can drag and drop these nodes onto the workflow canvas and connect them together using lines to create a complex automation workflow. This would allow, for example, a user to automate the process of uploading files to cloud storage and then running security checks on those files to ensure they are free from malware.

Referring to figure 12(a) that represents a Custom Dashboard for Automation Execution and Security Violation. The figure 12(a) shows a custom dashboard that allows customers to build their own high-level view of automation executions and security violation dashboards. The dashboard is divided into several sections, each with its own set of widgets or charts that provide real-time data on various aspects of the automation workflow.
For example, one section might show a graph of recent automation execution times, allowing users to track how long their workflows are taking to complete. Another section might display a table showing security violation data, such as the number of malware threats detected in the past hour. Users can customize the dashboard by adding or removing widgets, rearranging sections, and even creating custom views using a drag-and-drop interface. This allows users to focus on specific aspects of their automation workflow and get real-time insights into how it's performing.

Referring to figure 12(b) that represents the Insight View User Interface for GRC-Based Task Mining. The figure 12(b) shows the Insight view user interface that highlights different GRC (Governance, Risk, and Compliance) based violations mapped with different compliance standards. The screen is divided into several sections, each showing a specific aspect of the automation workflow. The same view also provides visibility by mapping with customer’s IT tickets from JIRA or Freshservice type tool to effectively highlight what process or operations need to be prioritized to automate. The top section shows a table of all the GRC-based violations detected in the workflow, along with their corresponding compliance standards (e.g. HIPAA, GDPR). Users can click on each row to get more details about the violation and how it was detected.

Further, the top section shows a set of charts and graphs that provide insights into the automation workflow, such as the frequency of certain GRC-based violations or the effectiveness of specific security controls. Overall, this interface is designed for users who want to do task mining and process mining for automation workflow development. By analyzing GRC-based violations and mapping them to compliance standards, users can identify areas where they need to improve their workflows and ensure that they are compliant with relevant regulations.

The insight feature gives users a comprehensive view into their cloud configurations and resources. Not only does it assist in identifying misconfigurations across multiple platforms, but it also provides an in-depth inventory of cloud and Kubernetes resources. It first requires adding an integration for each desired cloud platform and Kubernetes. A schedule is then enabled to fetch insights on compliance violations regularly.

The present invention provides Hyperautomation with autobotAI, which simplifies cloud detection and response through a user-friendly, step-by-step process:
a) Account Setup: Begin by creating a secure account, choosing between a SaaS (Software-as-a-Service) model or a dedicated workspace depending on organizational needs.
b) Cloud and Communication Integration: Connect cloud accounts and configure preferred communication tools to ensure seamless information flow.
c) Fleet Management: Establish and manage automated response teams (fleets). This involves defining the scope of each fleet, creating them, and assigning appropriate automation bots to handle specific tasks.
d) Bot Creation and Management: Access the bot creation interface to define desired functionalities, then test the bot's performance before deploying it.
e) Insights and Scheduling: Leverage autobotAI's insights to monitor your automation effectiveness and optimize configurations. Additionally, schedule automated tasks to ensure proactive threat management.
The present invention provides convergence of cloud operations management with AIOps (Artificial Intelligence for cloud Operations). By combining the capabilities of hyperautomation and AI-driven decision-making, it manages and secures cloud infrastructure across multiple platforms.
The present invention includes features such as workspace isolation and a robust data privacy framework. It supports zero trust architecture, ensuring that your cloud operations remain secure and compliant. It also aligns with AIOps, which uses artificial intelligence to automate and enhance IT operations by analyzing the vast amount of data generated by cloud platforms, security tools and code repositories.
Additionally, the present invention provides a cost optimization feature by automating cost-related tasks. It enhances data privacy and the permission trust boundary. Its workspace is architected with data privacy at its core. By deploying in an isolated AWS environment, the platform ensures that data stays within the user's control, adding an extra layer of protection. The permission boundary trust model ensures restricted access, allowing only necessary actions, thereby fortifying security.
So, accordingly, the present invention provides the Hyperautomate with autobotAI cloud detection and response automation platform, designed to assist businesses in streamlining their cloud operations and security. Leveraging the power of generative AI, the platform offers automated solutions for common challenges in the cloud environment, making it easier for teams to manage resources, ensure security, and optimize costs. The said platform utilizes low-code, no-code or full custom code workflows to automate a vast array of IT and cloud security tasks. It also supports integration with major cloud platforms, communication tools and security solutions. The platform employs generative AI to offer intuitive workflow automation, including event-driven architecture for threat detection and response, identity and access management and compliance tracking. With the platform's bot-centric design, users can easily create, manage, and deploy automation workflows tailored to specific operational needs. The present invention also provides the cloud native incident response BotV2, emphasizing threat detection and prevention, with integration with top services and platforms to provide a comprehensive view of the threat landscape.
In an exemplary embodiment, the invention provides a Hyperautomate SoC and CCoE operations with LLM powered autobotAI platform comprising: a user interface for integrating with various cloud platforms, security solutions, and communication tools using no-code, low-code and full custom code workflows for automation processes, which converges cloud operation management with AIOps (Artificial Intelligence for cloud Operations); a bot creation module; integration with major cloud platforms, communication tools and security solutions; a centralized user-friendly interface, an automation drag-and-drop builder, compliance violation insight and real-time notification; proactive security measures with capabilities like posture assessment, identity and access management automation, and compliance monitoring; generative AI to offer intuitive workflow automation, including event-driven architecture for threat detection and response and identity and access management; contextual awareness and event-driven architecture; the platform further comprises cloud detection and response automation, cloud native incident response, risk-based patch management, IAM Least Privilege Enforcement Auditor, threat hunting and response automation, Just-in-time Access with Self-Service App and compromised cloud identity incident response.
In another embodiment, said bot creation module is configured to build two types of bots: scheduled bots for running at predetermined intervals, and event-driven bots for triggering based on specific events or actions; said platform comprises a bot execution engine for managing and executing bots, including fetchers for gathering data from integrations, listeners for receiving data from external applications, and evaluators for filtering and processing data based on predefined rules.
In another embodiment, said platform consists of a data storage component for storing fetched data and bot execution results, an automation builder for designing and configuring custom automation workflows, a security module for secure bot execution with user approval workflows, role-based access control, and encryption, and an optional self-hosting capability for deployment within a user's workspace; said platform utilizes the no-code, low-code and full custom code workflow for automation processes and converges cloud operation management with AIOps (Artificial Intelligence for cloud Operations).
In another embodiment, said platform provides a centralized user-friendly interface with a customized 360 degrees view of cloud.
In another embodiment, said bot creation module utilizes a library of pre-built components for building bots, including fetchers, listeners, and evaluators, allowing for efficient bot development.
In another embodiment, said platform provides a deployment option for choosing between a Software as a Service (SaaS) model for ease of access and a self-hosted workspace model for complete data and security control.
In another embodiment, said platform is integrated with cloud platform tools, security tools, and monitoring & development tools for comprehensive data collection, enabling informed decision-making.
In another embodiment, said platform utilizes a combination of probabilistic and deterministic evaluation techniques for data analysis, ensuring both efficient pattern recognition and rule-based anomaly detection.
In another embodiment, said cloud detection and response automation comprises steps of:
a) fetchers and listeners type nodes gather data from various sources: cloud platform tools, security tools, monitoring & development tools;
b) the collected data is processed by the fetchers and listeners;
c) the processed data undergoes two types of evaluation:
-probabilistic: Uses statistical models to predict potential issues or opportunities;
-deterministic: Applies predefined rules to identify specific situations;
d) the results of the evaluation are presented to the user for approval;
e) if the user approves an action: the action is executed in real-time, real-time notifications are triggered to inform the user of the outcome;
f) the collected data is shared on the collaboration platform.
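The steps a) to f) above can be modelled in a few lines. The following is an added illustration, not code from the autobotAI platform: the rule names, the 0.8 anomaly threshold, the action names and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    source: str              # fetcher or listener that produced the record
    resource: str
    attrs: Dict[str, object]
    anomaly_score: float     # 0..1, output of an assumed statistical model


@dataclass
class Decision:
    finding: Finding
    rule_hits: List[str] = field(default_factory=list)
    statistical_flag: bool = False
    action: Optional[str] = None


# Deterministic evaluation: predefined rule -> (predicate, proposed action).
# Both rules are hypothetical examples.
RULES: Dict[str, Tuple[Callable[[Finding], bool], str]] = {
    "public_bucket": (lambda f: f.attrs.get("public_read") is True,
                      "block_public_access"),
    "world_open_ssh": (lambda f: f.attrs.get("ingress") == "0.0.0.0/0:22",
                       "revoke_ingress_rule"),
}
ANOMALY_THRESHOLD = 0.8      # assumed cut-off for the probabilistic path


def evaluate(finding: Finding) -> Decision:
    """Step c): run both evaluations and propose at most one action."""
    decision = Decision(finding)
    for name, (predicate, action) in RULES.items():
        if predicate(finding):
            decision.rule_hits.append(name)
            decision.action = decision.action or action
    decision.statistical_flag = finding.anomaly_score >= ANOMALY_THRESHOLD
    if decision.action is None and decision.statistical_flag:
        # No rule matched, but the model is suspicious: propose review only.
        decision.action = "escalate_to_analyst"
    return decision


def run_workflow(findings: List[Finding],
                 approve: Callable[[Decision], bool]) -> dict:
    """Steps d) to f): nothing executes without approval; everything is shared."""
    executed, notifications, shared = [], [], []
    for finding in findings:
        decision = evaluate(finding)
        approved = decision.action is not None and approve(decision)
        if approved:
            executed.append((finding.resource, decision.action))
            notifications.append(
                f"{decision.action} executed on {finding.resource}")
        # Shared on the collaboration platform regardless of approval.
        shared.append({
            "resource": finding.resource,
            "rule_hits": list(decision.rule_hits),
            "statistical_flag": decision.statistical_flag,
            "proposed": decision.action,
            "approved": approved,
        })
    return {"executed": executed, "notifications": notifications,
            "shared": shared}


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("storage-fetcher", "bucket/reports", {"public_read": True}, 0.35),
    Finding("network-listener", "sg/web-tier", {"ingress": "0.0.0.0/0:22"}, 0.91),
    Finding("audit-listener", "role/batch-job", {}, 0.86),
    Finding("storage-fetcher", "bucket/archive", {"public_read": False}, 0.10),
]


def approve_rule_backed_only(decision: Decision) -> bool:
    """Stand-in for the human approver: decline purely statistical proposals."""
    return bool(decision.rule_hits)


if __name__ == "__main__":
    print(run_workflow(SAMPLE_FINDINGS, approve_rule_backed_only))
```

The approver callback is the only path to execution, so a declined or unanswered approval leaves the resource untouched while the finding still reaches the shared record.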
In another embodiment, said cloud native incident response for efficient threat detection and prevention comprises steps of:
a) fetching security findings from various sources: security command center, Amazon GuardDuty, Security Command Center findings, Azure Defender findings; a NoCode fetcher retrieves this information;
b) the collected data undergoes egress data security checks;
c) enriched telemetry is generated for identified threats, this enrichment involves gathering additional information from external sources like: VIRUSTOTAL, abuseIPDB, ipinfo.io;
d) based on the enriched telemetry, a deterministic evaluation is performed to determine if specific IP addresses need to be blocked to protect the platform;
e) security analysts at the Security Operations Center (SOC) review the enriched data for threat detection and analysis;
f) based on the analysis, the SOC initiates actions such as updating network firewalls and updating DNS rules;
g) the execution outcome of the automation process is communicated to a collaboration platform.
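The deterministic evaluation and SOC approval gate in steps c) to f) can be sketched as follows. This is an added example, not code from the patent or from autobotAI; the field names `abuse_score` and `vt_malicious`, the thresholds, and the protected ranges are assumptions, and the findings are constructed sample data using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass

# Assumed policy values for this sketch; the page gives no thresholds.
ABUSE_BLOCK = 90    # abuse-confidence score (0-100) at which a block is proposed
ABUSE_REVIEW = 50   # score at which an analyst should look at the address
VT_BLOCK = 5        # number of engines flagging the address as malicious

# Networks that must never end up in a deny rule: internal ranges plus a
# constructed "own egress" range standing in for the organisation's NAT IPs.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "198.51.100.0/24",
)]


@dataclass(frozen=True)
class Decision:
    ip: str
    verdict: str  # "block", "review" or "ignore"
    reason: str


def evaluate(ip_text, enrichment):
    """Deterministic rule set applied to one enriched finding (step d)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return Decision(ip_text, "review", "unparseable address in finding")
    if any(ip in net for net in NEVER_BLOCK):
        # A spoofed or misattributed finding must not cut off internal traffic.
        return Decision(str(ip), "review", "protected range, never proposed for block")
    abuse = enrichment.get("abuse_score")
    vt = enrichment.get("vt_malicious")
    if abuse is None and vt is None:
        # Enrichment sources unreachable: hand to a human instead of guessing.
        return Decision(str(ip), "review", "no enrichment available")
    abuse, vt = abuse or 0, vt or 0
    if abuse >= ABUSE_BLOCK or vt >= VT_BLOCK:
        return Decision(str(ip), "block", f"abuse={abuse} vt={vt}")
    if abuse >= ABUSE_REVIEW or vt >= 1:
        return Decision(str(ip), "review", f"abuse={abuse} vt={vt}")
    return Decision(str(ip), "ignore", f"abuse={abuse} vt={vt}")


def plan_actions(decisions, soc_approved):
    """Emit firewall changes only for block verdicts the SOC approved (steps e, f)."""
    actions, seen = [], set()
    for d in decisions:
        if d.verdict != "block" or d.ip not in soc_approved or d.ip in seen:
            continue
        seen.add(d.ip)
        prefix = ipaddress.ip_address(d.ip).max_prefixlen  # /32 for IPv4, /128 for IPv6
        actions.append({"target": "network_firewall", "action": "deny",
                        "cidr": f"{d.ip}/{prefix}"})
    return actions


# Constructed findings: (source IP from the finding, enrichment result).
FINDINGS = [
    ("203.0.113.7", {"abuse_score": 100, "vt_malicious": 12}),
    ("203.0.113.9", {"abuse_score": 60}),
    ("10.1.2.3", {"abuse_score": 100, "vt_malicious": 9}),   # internal address
    ("203.0.113.20", {}),                                     # enrichment failed
    ("203.0.113.7", {"abuse_score": 100, "vt_malicious": 12}),  # duplicate finding
    ("192.0.2.44", {"abuse_score": 95}),
]


def run(soc_approved):
    decisions = [evaluate(ip, e) for ip, e in FINDINGS]
    return decisions, plan_actions(decisions, soc_approved)


if __name__ == "__main__":
    decisions, actions = run({"203.0.113.7"})
    for d in decisions:
        print(d)
    print(actions)
```

Approval is checked against the verdict, so an analyst approving an address that the rules only marked for review produces no firewall change.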
In another embodiment, said compromised key response automation comprises steps of:
a) developers use a public code repository platform like GitHub, a third-party secret detection tool continuously monitors this public repository;
b) scans for any exposed secrets or cloud-native secret vulnerabilities in the code;
c) discovered secrets and potential vulnerabilities are sent to security services: AWS Health Service, Security Center, GCP Security Command Center (or similar service of cloud provider);
d) these services analyze the data to determine the severity and potential impact;
e) the analyzed data is then forwarded to an automation platform (e.g., AutobotAI listener);
f) the automation platform checks for pre-defined conditions, such as permissions associated with the compromised identity;
g) the automation platform sends an alert to the Security Operations Center (SOC) team for approval;
h) the SOC team reviews the alert and verifies the compromised key;
i) if confirmed, the SOC team can take actions through the automation platform, including: adding permission boundaries and disabling the compromised key;
j) once the compromised key is disabled, the automation platform encrypts it for further security;
k) notification is sent to the owner of the identity associated with the compromised key and a collaboration platform to keep the team informed.
In another embodiment, said IAM Least Privilege Enforcement Automation comprises steps of:
a) analyzers specifically designed for each cloud platform (e.g., AWS Access Analyzer, GCP Policy Analyzer, Azure Access Review);
b) these analyzers scrutinize the collected data;
c) NoCode fetcher retrieves data for analysis;
d) an artificial intelligence is used to analyze the identities and understand their context within the system;
e) the potential impact and risk associated with changing these permissions are then evaluated;
f) CloudOps personnel review and approve the proposed least privilege adjustments;
g) upon approval, the automation enforces the least privilege principle within the identity and access management system;
h) collaboration platforms are notified to keep everyone informed about the changes.
In another embodiment, said just-in-time access with self-service platform comprises steps of:
a) a user logs in to the self-service portal;
b) the portal displays a list of pre-defined access requests or allows users to create custom requests;
c) the user selects the desired access level and specifies the resources they need access to;
d) the self-service portal acts as a "no-code fetcher," automatically retrieving relevant information from various sources like AWS and Azure;
e) the system filters the information through pre-defined conditions to assess the request's validity;
f) an AI engine analyzes the user's request, justification, and retrieved data;
g) the system presents the filtered data, justification, and AI recommendation to the IAM team for review;
h) the IAM team can approve the request, grant access with specific permissions, and define a designated timeframe for access;
i) the system automatically sets a pre-determined revocation window for access expiration;
j) notify the user and a collaboration platform about the access grant and its expiration timeframe.
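The time-boxed grant in steps h) to j) can be sketched as follows. This is an added example, not code from the patent or from autobotAI; the class and method names and the 8-hour ceiling are assumptions. Expiry is checked at decision time, so access lapses even if the revocation sweep has not yet run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=8)  # assumed policy ceiling; the page names no value


@dataclass
class Grant:
    user: str
    resource: str
    role: str
    expires_at: datetime
    revoked: bool = False


class JitAccess:
    """Hypothetical in-memory store of approved just-in-time grants."""

    def __init__(self):
        self.grants = []

    def approve(self, user, resource, role, requested, now):
        """Record an IAM-team approval, capping the window at the policy ceiling."""
        if now.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if requested <= timedelta(0):
            raise ValueError("access window must be positive")
        grant = Grant(user, resource, role, now + min(requested, MAX_WINDOW))
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, resource, role, now):
        """Fail closed: an expired grant denies access even before sweep() runs."""
        return any(
            g.user == user and g.resource == resource and g.role == role
            and not g.revoked and now < g.expires_at
            for g in self.grants
        )

    def sweep(self, now):
        """Revoke every grant past its expiry; the result feeds the notification step."""
        expired = [g for g in self.grants if not g.revoked and now >= g.expires_at]
        for g in expired:
            g.revoked = True
        return expired


if __name__ == "__main__":
    t0 = datetime(2024, 7, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    jit = JitAccess()
    g = jit.approve("alice", "prod-db", "read-only", timedelta(hours=24), t0)
    print("expires:", g.expires_at.isoformat())
    print("allowed at +7h:", jit.is_allowed("alice", "prod-db", "read-only", t0 + timedelta(hours=7)))
    print("allowed at +8h:", jit.is_allowed("alice", "prod-db", "read-only", t0 + timedelta(hours=8)))
    print("revoked by sweep at +9h:", jit.sweep(t0 + timedelta(hours=9)))
```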
In another embodiment, said availability operations automation comprises steps of:
a) monitoring tools, AWS CloudWatch alarms for storage full;
b) when an issue is detected (e.g., storage fullness), a listener triggers a set of pre-defined actions;
c) the system analyzes the data using deterministic conditions;
d) CloudOps approval is required before proceeding further;
e) if the issue is simple and pre-defined (e.g., log storage constraints), the workflow automatically takes corrective actions: clean up unnecessary data;
f) if the issue is complex, the workflow executes pre-defined procedures: increase EBS volume size, extend filesystem and create Jira tickets for further investigation;
g) automating these tasks significantly reduces the workload on CloudOps and SecOps teams;
h) once the issue is resolved, collaboration platforms are notified, keeping relevant teams informed.
In another embodiment, said threat hunting and response automation with Amazon Security Lake comprises steps of:
a) Security Lake acts as the core, collecting security data from various sources like cloud platforms, security tools, and monitoring tools;
b) within Security Lake, NoCode fetchers retrieve and enrich the collected data;
c) enrichment can involve using external threat intelligence platforms to gain additional context about potential threats;
d) an AI model analyzes the enriched data, considering resource context, to assess risk;
e) this allows the system to prioritize potential threats and identify those most likely to require action;
f) for high-risk or clear-cut cases (e.g., malicious IP addresses), deterministic conditions can trigger automatic blocking to prevent further attacks;
g) the system flags the case for the Security Operations Center (SOC) team approval;
h) updating network and DNS firewall rules;
i) isolating compromised instances using AWS Systems Manager (SSM);
j) transferring instance snapshots to dedicated forensics account for investigation;
k) following response actions, the system generates notifications;
l) information is shared with collaboration platforms.
In another embodiment, said risk-based patch management automation comprises steps of:
a) various security tools like Amazon Inspector, Trivy, Microsoft Defender for Cloud, and GCP Security Command Center actively scan the environment for vulnerabilities;
b) a NoCode fetcher gathers the vulnerability data discovered by the scanning tools in step ‘a’;
c) an AI model analyzes the collected vulnerability data, the model calculates a risk score for each vulnerability;
d) deterministic conditions, based on pre-defined risk thresholds, are used to trigger automated patching;
e) for vulnerabilities with lower risk scores or in complex scenarios, the system creates a Jira ticket;
f) this ticket notifies the development team for review and approval before patching;
g) the system automatically deploys the patch using platform-specific tools: AWS: SSM Patch Deployment, Azure: Update Manager and GCP: OS Patch Management;
h) once patching is complete, the system sends notifications;
i) finally, the system shares relevant information with collaboration platforms.
In another embodiment, said creating an automation bot using a no-code/low-code drag-and-drop interface comprises steps of:
a) the screen is divided into two main sections 11(a): the workflow canvas on the left and the node library on the right;
b) the workflow canvas is where users can drag and drop pre-built nodes to create their automation workflows;
c) each node represents a specific action, such as sending an email or updating a database record;
d) users can connect these nodes together using lines to create a flowchart-like representation of their automation process;
e) the node library, on the right side of the screen, is where users can access different types of nodes that they can add to their workflow;
f) the nodes are organized into categories, such as "Data Operations" or "Communication" and users can browse through these categories and drag-and-drop the desired nodes onto the workflow canvas;
g) said interface allows users with limited coding experience or no coding experience at all to create complex automation workflows without writing any code.
In another embodiment, said compromised cloud identity incident response comprises steps of:
a) security tools like Amazon GuardDuty, Entra Identity Protection, or GCP Security Command Center are constantly on the lookout for suspicious activities that might indicate a compromised identity;
b) upon detecting suspicious activity, an automated system (Autobot AI Listener) initiates an investigation;
c) the system analyzes the detected findings based on predefined criteria, prioritizing potential threats based on their severity;
d) to gain a deeper understanding of the situation, the system gathers additional contextual details to enrich the initial findings;
e) for critical incidents, the system automatically seeks approval from the Security Operations Center (SOC) team;
f) based on the approval (or automatically for less critical incidents), the system takes various actions to contain the threat:
-restricting access: permission boundaries might be added to limit the compromised identity's access to resources, or
-disabling the identity: the compromised identity might be disabled entirely;
g) to further minimize risk, the system automatically rotates any compromised credentials associated with the compromised identity;
h) the system promptly notifies the owner;
i) finally, the system shares relevant information with collaboration platforms.
While particular embodiments of the present invention have been shown and described, it will be obvious to those skilled in the art that changes and modifications may be made without departing from this invention in its broader aspects and, therefore, the aim in the present invention is to cover all such changes and modifications as fall within the true spirit and scope of this invention.
Advantages of the Invention:
1. Efficiency and productivity: The platform reduces manual tasks by automating complex workflows.
2. Rapid response: The platform reduces MTTR (mean time to respond) for incident detection and MTTR (mean time to remediate) for cloud misconfigurations.
3. Cost optimization: The platform automates cost-related tasks, thus ensuring that companies don’t overspend on cloud resources.
4. Security: Data privacy and permission trust boundaries enhance security. The platform enhances security posture and ensures compliance across multiple cloud environments.
5. Scalability: The platform can handle varying loads without the need to provision or manage servers.
6. Ease of automation: The power of Generative AI integrated into autobotAI simplifies the creation of automation workflows.
7. Flexible: The platform’s flexibility allows for rapid adaptation to new cloud services and security threats.
8. Rapid Deployment: With autobotAI, businesses can fast-track the implementation of security automation with the help of integrations and pre-built templates. This rapid deployment capability allows businesses to quickly see the benefits of automation in action.
9. Enhanced Security Posture: By automating routine security tasks, autobotAI not only frees up the security team's time but also reduces the risk of human error. Continuous monitoring, real-time threat detection, and automated remediation keep the digital assets protected around the clock.
10. Insightful Analytics: With autobotAI, it is easy to gain access to actionable insights into security operations. The platform provides detailed analytics and reporting, helping to measure the effectiveness of the automation strategies and make data-driven decisions.
Claims:
We Claim:
1. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI comprising: a user interface for integrating with various cloud platforms, security solutions, and communication tools using no-code, low-code and full custom code workflow for automation processes and converges cloud operation management with AIOps (Artificial Intelligence for cloud Operations); a bot creation module; integration with major cloud platforms, communication tools and security solutions; a centralized user-friendly interface, an automation with drag and drop builder, compliance violation insight and real time notification; proactive security measures with capabilities like posture assessment, identity and access management automation, and compliance monitoring; generative AI to offer intuitive workflow automation, including event-driven architecture for threat detection and response, identity and access management; contextual awareness and event-driven architecture; the platform further comprises of cloud detection and response automation, cloud native incident response, risk-based patch management, IAM Least Privilege Enforcement Auditor, threat hunting and response automation, just-in-time Access with Self-Service App and compromised cloud identity incident response.
2. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said bot creation module is configured to build two types of bots: scheduled bots for running at predetermined intervals, and event-driven bots for triggering based on specific events or actions; said platform comprises a bot execution engine for managing and executing bots, including fetchers for gathering data from integrations, listeners for receiving data from external applications, and evaluators for filtering and processing data based on predefined rules.
3. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said platform consists of a data storage component for storing fetched data and bot execution results, an automation builder for designing and configuring custom automation workflows, a security module for secure bot execution with user approval workflows, role-based access control, and encryption, and an optional self-hosting capability for deployment within a user's workspace; said platform utilizes the no-code, low-code and full custom code workflow for automation processes and converges cloud operation management with AIOps (Artificial Intelligence for cloud Operations).
4. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said platform provides a centralized user-friendly interface with a customized 360 degrees view of cloud.
5. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said bot creation module utilizes a library of pre-built components for building bots, including fetchers, listeners, and evaluators, allowing for efficient bot development.
6. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said a deployment option for choosing between a Software as a Service (SaaS) model for ease of access and a self-hosted workspace model for complete data and security control.
7. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said platform is integrated with cloud platform tools, security tools, and monitoring & development tools for comprehensive data collection, enabling informed decision-making.
8. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said platform utilizes a combination of probabilistic and deterministic evaluation techniques for data analysis, ensuring both efficient pattern recognition and rule-based anomaly detection.
9. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said cloud detection and response automation comprises steps of:
a) fetchers and listeners gather data from various sources: cloud platform tools, security tools, monitoring & development tools;
b) the collected data is processed by the fetchers and listeners;
c) the processed data undergoes two types of evaluation:
-probabilistic: Uses statistical models to predict potential issues or opportunities;
-deterministic: Applies predefined rules to identify specific situations;
d) the results of the evaluation are presented to the user for approval;
e) if the user approves an action: the action is executed in real-time, real-time notifications are triggered to inform the user of the outcome;
f) the collected data is shared on the collaboration platform.
10. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said cloud native incident response for efficient threat detection and prevention comprises steps of:
a) fetching security findings from various sources: security command center, Amazon GuardDuty, Security Command Center findings, Azure Defender findings; a NoCode fetcher retrieves this information;
b) the collected data undergoes egress data security checks;
c) enriched telemetry is generated for identified threats; this enrichment involves gathering additional information from external sources like VirusTotal, AbuseIPDB, and ipinfo.io;
d) based on the enriched telemetry, a deterministic evaluation is performed to determine if specific IP addresses need to be blocked to protect the platform;
e) security analysts at the Security Operations Center (SOC) review the enriched data for threat detection and analysis;
f) based on the analysis, the SOC initiates actions such as updating network firewalls and updating DNS rules;
g) the execution outcome of the automation process is communicated to a collaboration platform.
11. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said compromised key response automation comprises steps of:
a) developers use a public code repository platform like GitHub, a third-party secret detection tool continuously monitors this public repository;
b) scans for any exposed secrets or cloud-native secret vulnerabilities in the code;
c) discovered secrets and potential vulnerabilities are sent to security services: AWS Health Service, Security Center, GCP Security Command Center (or similar service of cloud provider);
d) these services analyze the data to determine the severity and potential impact;
e) the analyzed data is then forwarded to an automation platform (e.g., AutobotAI listener);
f) the automation platform checks for pre-defined conditions, such as permissions associated with the compromised identity;
g) the automation platform sends an alert to the Security Operations Center (SOC) team for approval;
h) the SOC team reviews the alert and verifies the compromised key;
i) if confirmed, the SOC team can take actions through the automation platform, including: adding permission boundaries and disabling the compromised key;
j) once the compromised key is disabled, the automation platform encrypts it for further security;
k) notification is sent to the owner of the identity associated with the compromised key and a collaboration platform to keep the team informed.
12. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said IAM Least Privilege Enforcement Automation comprises steps of:
a) analyzers specifically designed for each cloud platform (e.g., AWS Access Analyzer, GCP Policy Analyzer, Azure Access Review);
b) these analyzers scrutinize the collected data;
c) NoCode fetcher retrieves data for analysis;
d) an artificial intelligence is used to analyze the identities and understand their context within the system;
e) the potential impact and risk associated with changing these permissions are then evaluated;
f) CloudOps personnel review and approve the proposed least privilege adjustments;
g) upon approval, the automation enforces the least privilege principle within the identity and access management system;
h) collaboration platforms are notified to keep everyone informed about the changes.
13. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said just-in-time access with self-service platform comprises steps of:
a) a user logs in to the self-service portal;
b) the portal displays a list of pre-defined access requests or allows users to create custom requests;
c) the user selects the desired access level and specifies the resources they need access to;
d) the self-service portal acts as a "no-code fetcher," automatically retrieving relevant information from various sources like AWS and Azure;
e) the system filters the information through pre-defined conditions to assess the request's validity;
f) an AI engine analyzes the user's request, justification, and retrieved data;
g) the system presents the filtered data, justification, and AI recommendation to the IAM team for review;
h) the IAM team can approve the request, grant access with specific permissions, and define a designated timeframe for access;
i) the system automatically sets a pre-determined revocation window for access expiration;
j) notify the user and a collaboration platform about the access grant and its expiration timeframe.
14. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said availability operations automation comprises steps of:
a) monitoring tools, AWS CloudWatch alarms for storage full;
b) when an issue is detected (e.g., storage fullness), a listener triggers a set of pre-defined actions;
c) the system analyzes the data using deterministic conditions;
d) CloudOps approval is required before proceeding further;
e) if the issue is simple and pre-defined (e.g., log storage constraints), the workflow automatically takes corrective actions: clean up unnecessary data;
f) if the issue is complex, the workflow executes pre-defined procedures: increase EBS volume size, extend filesystem and create Jira tickets for further investigation;
g) automating these tasks significantly reduces the workload on CloudOps and SecOps teams;
h) once the issue is resolved, collaboration platforms are notified, keeping relevant teams informed.
15. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said threat hunting and response automation with Amazon Security Lake comprises steps of:
a) Security Lake acts as the core, collecting security data from various sources like cloud platforms, security tools, and monitoring tools;
b) within Security Lake, NoCode fetchers retrieve and enrich the collected data;
c) enrichment can involve using external threat intelligence platforms to gain additional context about potential threats;
d) an AI model analyzes the enriched data, considering resource context, to assess risk;
e) this allows the system to prioritize potential threats and identify those most likely to require action;
f) for high-risk or clear-cut cases (e.g., malicious IP addresses), deterministic conditions can trigger automatic blocking to prevent further attacks;
g) the system flags the case for the Security Operations Center (SOC) team approval;
h) updating network and DNS firewall rules;
i) isolating compromised instances using AWS Systems Manager (SSM);
j) transferring instance snapshots to dedicated forensics account for investigation;
k) following response actions, the system generates notifications;
l) information is shared with collaboration platforms.
16. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said risk-based patch management automation comprises steps of:
a) various security tools like Amazon Inspector, Trivy, Microsoft Defender for Cloud, and GCP Security Command Center actively scan the environment for vulnerabilities;
b) a NoCode fetcher gathers the vulnerability data discovered by the scanning tools in step ‘a’;
c) an AI model analyzes the collected vulnerability data, the model calculates a risk score for each vulnerability;
d) deterministic conditions, based on pre-defined risk thresholds, are used to trigger automated patching;
e) for vulnerabilities with lower risk scores or in complex scenarios, the system creates a Jira ticket;
f) this ticket notifies the development team for review and approval before patching;
g) the system automatically deploys the patch using platform-specific tools: AWS: SSM Patch Deployment, Azure: Update Manager and GCP: OS Patch Management;
h) once patching is complete, the system sends notifications;
i) finally, the system shares relevant information with collaboration platforms.
17. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said creating an automation bot using a no-code/low-code drag-and-drop interface comprises steps of:
a) the screen is divided into two main sections 11(a): the workflow canvas on the left and the node library on the right;
b) the workflow canvas is where users can drag and drop pre-built nodes to create their automation workflows;
c) each node represents a specific action, such as sending an email or updating a database record;
d) users can connect these nodes together using lines to create a flowchart-like representation of their automation process;
e) the node library, on the right side of the screen, is where users can access different types of nodes that they can add to their workflow;
f) the nodes are organized into categories, such as "Data Operations" or "Communication" and users can browse through these categories and drag-and-drop the desired nodes onto the workflow canvas;
g) said interface allows users with limited coding experience or no coding experience at all to create complex automation workflows without writing any code.
18. An Hyperautomate SoC and CCoE operations with LLM powered autobotAI as claimed in claim 1, wherein said compromised cloud identity incident response comprises steps of:
a) security tools like Amazon GuardDuty, Entra Identity Protection, or GCP Security Command Center are constantly on the lookout for suspicious activities that might indicate a compromised identity;
b) upon detecting suspicious activity, an automated system (Autobot AI Listener) initiates an investigation;
c) the system analyzes the detected findings based on predefined criteria, prioritizing potential threats based on their severity;
d) to gain a deeper understanding of the situation, the system gathers additional contextual details to enrich the initial findings;
e) for critical incidents, the system automatically seeks approval from the Security Operations Center (SOC) team;
f) based on the approval (or automatically for less critical incidents), the system takes various actions to contain the threat:
-restricting access: permission boundaries might be added to limit the compromised identity's access to resources, or
-disabling the identity: the compromised identity might be disabled entirely;
g) to further minimize risk, the system automatically rotates any compromised credentials associated with the compromised identity;
h) the system promptly notifies the owner;
i) finally, the system shares relevant information with collaboration platforms.

Documents

Application Documents

# Name Date
1 202441051063-STATEMENT OF UNDERTAKING (FORM 3) [03-07-2024(online)].pdf 2024-07-03
2 202441051063-FORM FOR STARTUP [03-07-2024(online)].pdf 2024-07-03
3 202441051063-FORM FOR SMALL ENTITY(FORM-28) [03-07-2024(online)].pdf 2024-07-03
4 202441051063-FORM 1 [03-07-2024(online)].pdf 2024-07-03
5 202441051063-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [03-07-2024(online)].pdf 2024-07-03
6 202441051063-EVIDENCE FOR REGISTRATION UNDER SSI [03-07-2024(online)].pdf 2024-07-03
7 202441051063-DRAWINGS [03-07-2024(online)].pdf 2024-07-03
8 202441051063-DECLARATION OF INVENTORSHIP (FORM 5) [03-07-2024(online)].pdf 2024-07-03
9 202441051063-COMPLETE SPECIFICATION [03-07-2024(online)].pdf 2024-07-03
10 202441051063-Proof of Right [18-07-2024(online)].pdf 2024-07-18
11 202441051063-FORM-26 [18-07-2024(online)].pdf 2024-07-18
12 202441051063-FORM-9 [08-08-2024(online)].pdf 2024-08-08
13 202441051063-STARTUP [09-08-2024(online)].pdf 2024-08-09
14 202441051063-FORM28 [09-08-2024(online)].pdf 2024-08-09
15 202441051063-FORM 18A [09-08-2024(online)].pdf 2024-08-09
16 202441051063-FER.pdf 2024-09-24
17 202441051063-FORM-31 [11-01-2025(online)].pdf 2025-01-11
18 202441051063-Evidence u-s 31(b) [11-01-2025(online)].pdf 2025-01-11
19 202441051063-Evidence u-s 31(a) [11-01-2025(online)].pdf 2025-01-11
20 202441051063-Affidavit from Inventor [11-01-2025(online)].pdf 2025-01-11
21 202441051063-Proof of Right [06-03-2025(online)].pdf 2025-03-06
22 202441051063-OTHERS [06-03-2025(online)].pdf 2025-03-06
23 202441051063-FORM-26 [06-03-2025(online)].pdf 2025-03-06
24 202441051063-FER_SER_REPLY [06-03-2025(online)].pdf 2025-03-06
25 202441051063-DRAWING [06-03-2025(online)].pdf 2025-03-06
26 202441051063-COMPLETE SPECIFICATION [06-03-2025(online)].pdf 2025-03-06
27 202441051063-CLAIMS [06-03-2025(online)].pdf 2025-03-06
28 202441051063-US(14)-HearingNotice-(HearingDate-23-07-2025).pdf 2025-07-02
29 202441051063-Correspondence to notify the Controller [07-07-2025(online)].pdf 2025-07-07
30 202441051063-Written submissions and relevant documents [31-07-2025(online)].pdf 2025-07-31
31 202441051063-Retyped Pages under Rule 14(1) [31-07-2025(online)].pdf 2025-07-31
32 202441051063-Retyped Pages under Rule 14(1) [31-07-2025(online)]-1.pdf 2025-07-31
33 202441051063-Annexure [31-07-2025(online)].pdf 2025-07-31
34 202441051063-2. Marked Copy under Rule 14(2) [31-07-2025(online)].pdf 2025-07-31
35 202441051063-2. Marked Copy under Rule 14(2) [31-07-2025(online)]-1.pdf 2025-07-31
36 202441051063-US(14)-HearingNotice-(HearingDate-18-09-2025).pdf 2025-09-03
37 202441051063-Correspondence to notify the Controller [04-09-2025(online)].pdf 2025-09-04
38 202441051063-REQUEST FOR ADJOURNMENT OF HEARING UNDER RULE 129A [18-09-2025(online)].pdf 2025-09-18
39 202441051063-Written submissions and relevant documents [26-09-2025(online)].pdf 2025-09-26
40 202441051063-Retyped Pages under Rule 14(1) [26-09-2025(online)].pdf 2025-09-26
41 202441051063-Retyped Pages under Rule 14(1) [26-09-2025(online)]-1.pdf 2025-09-26
42 202441051063-2. Marked Copy under Rule 14(2) [26-09-2025(online)].pdf 2025-09-26
43 202441051063-2. Marked Copy under Rule 14(2) [26-09-2025(online)]-1.pdf 2025-09-26
44 202441051063-Retyped Pages under Rule 14(1) [08-10-2025(online)].pdf 2025-10-08
45 202441051063-2. Marked Copy under Rule 14(2) [08-10-2025(online)].pdf 2025-10-08
46 202441051063-PatentCertificate09-10-2025.pdf 2025-10-09
47 202441051063-IntimationOfGrant09-10-2025.pdf 2025-10-09

Search Strategy

1 202441051063searchE_20-09-2024.pdf