Compliance automation by uploading Background check evidence on Drata

How to Automate: Compliance automation by uploading background check evidence on Drata in 10 minutes

Hugo David

Today in How to Automate, we are starting a series of Flows showing how Mindflow can further help with compliance automation.

In recent years, quite a number of compliance automation platforms have been created. They are a tremendous help and make compliance with information security frameworks such as SOC 2 and ISO 27001 easier than ever.

Organizations that yesterday had to review controls manually can now automate quite a number of them through platforms like Drata and Vanta, among others. This saves a massive amount of time when bringing the organization into conformity with such frameworks, and it also dramatically eases the continuous task of maintaining that compliance.

What can an automation platform add to the progress already brought by compliance automation platforms? Some tasks the Compliance Officer still has to perform manually, especially around reports, reviews, background checks, and notifications. For instance, depending on the service you use to perform your background checks, it may not be integrated with the compliance automation platform yet. Moreover, if you perform background checks on your own, you have to upload the evidence to the compliance automation platform manually.

If you only have 1 or 2 arrivals per month, this is not time-consuming. However, at the high recruitment pace of a scale-up or a large company, this process takes more and more time, as does manually uploading any other evidence (third-party vendors’ reports and reviews, for instance).

This is where automation platforms such as Mindflow can bring further benefits to compliance automation platforms, working hand in hand with them to save even more time for the Officers in charge of these tasks.

As said above, today we will focus on how you can speed up the upload of background check evidence. To do so, we will create an automation starting from Slack and ending with the successful upload of the evidence on Drata. We will thus orchestrate Drata and Slack.


Compliance automation: Uploading background checks evidence on Drata

This Flow is quite easy and quick to put in place. Before starting, let’s see what we need!

Starters

Obviously, create the Flow! Choose a name that rocks, such as “Automatically upload background check evidence of an employee on Drata”! Then, choose your emoji! I chose a boar this time.

On the Drata side:

  1. A Drata API key set with the correct scopes. To create one, go to https://app.drata.com/account-settings/api-keys and click Create an API Key. Fill in a name, an expiration date and, for additional security, an allowed IP address. Then select Custom under Access and tick the following fields: User compliance, User Documents by type, Personnel List, Personnel Details, and Personnel Background Check. Click Save.
  2. The Drata API credentials stored in Mindflow’s Vault.

On the Slack side:

  1. A Slackbot with the “chat:write” scope and a slash command such as /backgroundcheck, which you can create at https://api.slack.com/apps/YOUR WORKSPACE ID/slash-commands
  2. The webhook URL to register for that command. You can find it behind the gear icon next to your Flow name; it is the second link starting from the bottom.
  3. The Slack API credentials stored in Mindflow’s Vault.

Okay, you are set to begin the Flow building process! Here is a sneak peek at the final Flow.


Designing the compliance automation Flow.

The first thing you must do is trigger the Flow once from Slack to generate a log we can work on to design the Flow. Type the /backgroundcheck command. Once the Flow has been executed, let’s get our hands on it.

Slack steps: Gather the necessary data to send to Drata.

Create a Slack action by looking into the Slack library and selecting chat_postMessage. Configure the fields as follows:

  1. Channel: type “/” to open the Data Picker tool. Select the step Slackbot 1.0 under TRIGGERS. Inside QUERY PARAMETERS, pick the field channel_id.
  2. Click the little processor icon. It shows all the fields available for that action. Look for the field “Blocks”. Click the three-dots icon on the left and turn the field into a JSON query space. Once done, paste the following JSON:
[
  {
    "type": "divider"
  },
  {
    "type": "section",
    "text": {
      "type": "mrkdwn",
      "text": "Please fill in the employee's First and Last names. Once done, click Enter"
    }
  },
  {
    "dispatch_action": true,
    "type": "input",
    "block_id": "",
    "element": {
      "type": "plain_text_input",
      "action_id": "plain_text_input-action"
    },
    "label": {
      "type": "plain_text",
      "text": "First and Last name",
      "emoji": true
    }
  }
]

Now, find the line "block_id": "". Between the quotation marks, type “/” and select Resume execution ID inside FLOW. This turns the step into an asynchronous one: the Flow will be on hold until the user has answered the message on Slack.

Ensure the credentials are filled in, and run the Flow once from Slack to generate logs.


This first Slack action will ask the user to fill in the employee’s First and Last names.

After this step, create another Slack action. This time, find chat_delete. You have two fields to fill: Ts (timestamp) and Channel. For the first one, type “/”, select the Slack step, and select the execution under the resume execution.


In the body, find the field ts and pick it. As for the Channel, type “/”, select the Trigger and, inside QUERY PARAMETERS, select the field channel_id.


This Slack step will automatically delete the message once the user has answered it.

We now want to create another chat_postMessage action. Repeat the process described above until you have to fill in the Blocks. Here, paste this:

[
  {
    "type": "divider"
  },
  {
    "type": "section",
    "text": {
      "type": "mrkdwn",
      "text": "Please submit the URL redirecting to the Background check. Once done, click Enter"
    }
  },
  {
    "dispatch_action": true,
    "type": "input",
    "block_id": "",
    "element": {
      "type": "plain_text_input",
      "action_id": "plain_text_input-action"
    },
    "label": {
      "type": "plain_text",
      "text": "URL",
      "emoji": true
    }
  }
]

Repeat the same process as above to create the Resume execution ID pill inside block_id. Once done, run the Flow again from Slack.

This Slack step will ask the user to register the URL of the Background check.

As you did after the first Slack step, create another chat_delete to automatically delete the last Slackbot message once the user has answered it.

Uploading the evidence to Drata.

Let’s see how we will use this data to create and configure the Drata actions. Start by creating a first Drata action by querying either “Find personnel by search and filters” or “PersonnelPublicController_listPersonnel”. This step will give us the employee id. Once created, find the field Q. It is the field used to narrow the search. Type “/” and find the Slack step “Ask for the employee’s First and Last names”. Select the resume execution. In QUERY PARAMETERS/payload/actions/0, find and pick the field value.


Run the Flow once from Slack, then create another Drata action by looking for “Upload a background check evidence to a user” or “BackgroundcheckPublicController_updateBackgroundCheck”. Configure its fields as follows:

  1. URL: “/”, select the Slack step “Submit the Background Check URL”. Find and pick the field value inside QUERY PARAMETERS/payload/actions/0.
  2. Filed at: “/”, select the first Drata step and pick the field date inside HEADERS of its response.
  3. User id: “/”, select the first Drata step and pick the field id inside BODY/data/0.

The step is configured.
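As an added Python example (not code from the original post, nor Mindflow's or Drata's own), here are the pieces behind the two Slack prompts and the first Drata step above: building the dispatch_action input whose block_id holds the Resume execution ID, reading payload/actions/0/value from Slack's block_actions payload while checking that block_id matches the execution being resumed, accepting only https evidence URLs, and taking BODY/data/0/id only when the name search returned exactly one person. The sample payload and search body are constructed, and the Drata response is assumed to have only the data[].id shape the Flow reads.

```python
import json
from urllib.parse import urlparse

def build_prompt_blocks(prompt, label, resume_execution_id):
    """chat_postMessage Blocks: a dispatch_action text input whose block_id
    carries the Flow's Resume execution ID, as in the two prompts above."""
    return [
        {"type": "divider"},
        {"type": "section", "text": {"type": "mrkdwn", "text": prompt}},
        {"dispatch_action": True, "type": "input",
         "block_id": resume_execution_id,
         "element": {"type": "plain_text_input",
                     "action_id": "plain_text_input-action"},
         "label": {"type": "plain_text", "text": label, "emoji": True}},
    ]

def extract_answer(payload_json, expected_block_id):
    """Read payload/actions/0/value from Slack's block_actions payload, refusing
    an answer whose block_id is not the execution we are waiting on."""
    action = json.loads(payload_json)["actions"][0]
    if action.get("block_id") != expected_block_id:
        raise ValueError("answer belongs to a different execution")
    value = (action.get("value") or "").strip()
    if not value:
        raise ValueError("empty answer")
    return value

def validate_evidence_url(url):
    """The evidence URL is typed by a human; keep only absolute https URLs."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"rejected evidence URL: {url!r}")
    return url

def resolve_personnel_id(search_body):
    """Take BODY/data/0/id only when the name search matched exactly one
    person, so evidence is never filed against a namesake."""
    matches = search_body.get("data", [])
    if len(matches) != 1:
        raise LookupError(f"expected 1 personnel match, got {len(matches)}")
    return matches[0]["id"]

# Constructed samples (not captured data): the block_actions payload Slack posts
# to the webhook, and a Drata personnel search body reduced to the id field.
SAMPLE_PAYLOAD = json.dumps({
    "type": "block_actions", "user": {"id": "U0000000001"},
    "actions": [{"type": "plain_text_input", "block_id": "exec-123",
                 "action_id": "plain_text_input-action", "value": " Jane Doe "}]})
SAMPLE_SEARCH = {"data": [{"id": 4242}]}
```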

Notifying the user that the upload is complete

Finally, create an ephemeral post (shown only to a user) to notify the user that the upload is complete. To do so, create a Slack action by querying “chat_postEphemeral” or “Sends an ephemeral message to a user in a channel”.

  1. User: Get the field user_id inside the QUERY PARAMETERS in the Slackbot TRIGGER.
  2. Channel: Same. Get the field channel_id.
  3. Text: Type whatever text you like.

The Flow is complete!