Microsoft.SecurityInsights automationRules 2025-03-01

Bicep resource definition

The automationRules resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/automationRules resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/automationRules@2025-03-01' = {
 scope: resourceSymbolicName or scope
 etag: 'string'
 name: 'string'
 properties: {
 actions: [
 {
 order: int
 actionType: 'string'
 // For remaining properties, see AutomationRuleAction objects
 }
 ]
 displayName: 'string'
 order: int
 triggeringLogic: {
 conditions: [
 {
 conditionType: 'string'
 // For remaining properties, see AutomationRuleCondition objects
 }
 ]
 expirationTimeUtc: 'string'
 isEnabled: bool
 triggersOn: 'string'
 triggersWhen: 'string'
 }
 }
}

AutomationRuleAction objects

Set the actionType property to specify the type of object.

For AddIncidentTask, use:

{
 actionConfiguration: {
 description: 'string'
 title: 'string'
 }
 actionType: 'AddIncidentTask'
}

For ModifyProperties, use:

{
 actionConfiguration: {
 classification: 'string'
 classificationComment: 'string'
 classificationReason: 'string'
 labels: [
 {
 labelName: 'string'
 }
 ]
 owner: {
 assignedTo: 'string'
 email: 'string'
 objectId: 'string'
 ownerType: 'string'
 userPrincipalName: 'string'
 }
 severity: 'string'
 status: 'string'
 }
 actionType: 'ModifyProperties'
}

For RunPlaybook, use:

{
 actionConfiguration: {
 logicAppResourceId: 'string'
 tenantId: 'string'
 }
 actionType: 'RunPlaybook'
}

AutomationRuleCondition objects

Set the conditionType property to specify the type of object.

For Boolean, use:

{
 conditionProperties: {
 innerConditions: [
 {
 conditionType: 'string'
 // For remaining properties, see AutomationRuleCondition objects
 }
 ]
 operator: 'string'
 }
 conditionType: 'Boolean'
}

For Property, use:

{
 conditionProperties: {
 operator: 'string'
 propertyName: 'string'
 propertyValues: [
 'string'
 ]
 }
 conditionType: 'Property'
}

For PropertyArray, use:

{
 conditionProperties: {
 arrayConditionType: 'string'
 arrayType: 'string'
 itemConditions: [
 {
 conditionType: 'string'
 // For remaining properties, see AutomationRuleCondition objects
 }
 ]
 }
 conditionType: 'PropertyArray'
}

For PropertyArrayChanged, use:

{
 conditionProperties: {
 arrayType: 'string'
 changeType: 'string'
 }
 conditionType: 'PropertyArrayChanged'
}

For PropertyChanged, use:

{
 conditionProperties: {
 changeType: 'string'
 operator: 'string'
 propertyName: 'string'
 propertyValues: [
 'string'
 ]
 }
 conditionType: 'PropertyChanged'
}

Property Values

Microsoft.SecurityInsights/automationRules

Name Description Value
etag Etag of the azure resource string
name The resource name string (required)
properties Automation rule properties AutomationRuleProperties (required)
scope Use when creating a resource at a scope that is different than the deployment scope. Set this property to the symbolic name of a resource to apply the extension resource.

AddIncidentTaskActionProperties

Name Description Value
description The description of the task. string
title The title of the task. string (required)

AutomationRuleAction

Name Description Value
actionType Set to 'AddIncidentTask' for type AutomationRuleAddIncidentTaskAction. Set to 'ModifyProperties' for type AutomationRuleModifyPropertiesAction. Set to 'RunPlaybook' for type AutomationRuleRunPlaybookAction. 'AddIncidentTask'
'ModifyProperties'
'RunPlaybook' (required)
order int (required)

AutomationRuleAddIncidentTaskAction

Name Description Value
actionConfiguration Describes an automation rule action to add a task to an incident. AddIncidentTaskActionProperties
actionType The type of the automation rule action. 'AddIncidentTask' (required)

AutomationRuleBooleanCondition

Name Description Value
innerConditions AutomationRuleCondition[]
operator Describes a boolean condition operator. 'And'
'Or'

AutomationRuleCondition

Name Description Value
conditionType Set to 'Boolean' for type BooleanConditionProperties. Set to 'Property' for type PropertyConditionProperties. Set to 'PropertyArray' for type PropertyArrayConditionProperties. Set to 'PropertyArrayChanged' for type PropertyArrayChangedConditionProperties. Set to 'PropertyChanged' for type PropertyChangedConditionProperties. 'Boolean'
'Property'
'PropertyArray'
'PropertyArrayChanged'
'PropertyChanged' (required)

AutomationRuleModifyPropertiesAction

Name Description Value
actionConfiguration IncidentPropertiesAction
actionType The type of the automation rule action. 'ModifyProperties' (required)

AutomationRuleProperties

Name Description Value
actions The actions to execute when the automation rule is triggered. AutomationRuleAction[] (required)
displayName The display name of the automation rule. string

Constraints:
Max length = 500 (required)
order The order of execution of the automation rule. int

Constraints:
Min value = 1
Max value = 1000 (required)
triggeringLogic Describes automation rule triggering logic. AutomationRuleTriggeringLogic (required)

AutomationRulePropertyArrayChangedValuesCondition

Name Description Value
arrayType 'Alerts'
'Comments'
'Labels'
'Tactics'
changeType 'Added'

AutomationRulePropertyArrayValuesCondition

Name Description Value
arrayConditionType Describes an array condition evaluation type. 'AnyItem'
arrayType Describes an array condition evaluated array type. 'CustomDetails'
'CustomDetailValues'
itemConditions AutomationRuleCondition[]

AutomationRulePropertyValuesChangedCondition

Name Description Value
changeType 'ChangedFrom'
'ChangedTo'
operator 'Contains'
'EndsWith'
'Equals'
'NotContains'
'NotEndsWith'
'NotEquals'
'NotStartsWith'
'StartsWith'
propertyName 'IncidentOwner'
'IncidentSeverity'
'IncidentStatus'
propertyValues string[]

AutomationRulePropertyValuesCondition

Name Description Value
operator 'Contains'
'EndsWith'
'Equals'
'NotContains'
'NotEndsWith'
'NotEquals'
'NotStartsWith'
'StartsWith'
propertyName The property to evaluate in an automation rule property condition. 'AccountAadTenantId'
'AccountAadUserId'
'AccountName'
'AccountNTDomain'
'AccountObjectGuid'
'AccountPUID'
'AccountSid'
'AccountUPNSuffix'
'AlertAnalyticRuleIds'
'AlertProductNames'
'AzureResourceResourceId'
'AzureResourceSubscriptionId'
'CloudApplicationAppId'
'CloudApplicationAppName'
'DNSDomainName'
'FileDirectory'
'FileHashValue'
'FileName'
'HostAzureID'
'HostName'
'HostNetBiosName'
'HostNTDomain'
'HostOSVersion'
'IncidentCustomDetailsKey'
'IncidentCustomDetailsValue'
'IncidentDescription'
'IncidentLabel'
'IncidentProviderName'
'IncidentRelatedAnalyticRuleIds'
'IncidentSeverity'
'IncidentStatus'
'IncidentTactics'
'IncidentTitle'
'IncidentUpdatedBySource'
'IoTDeviceId'
'IoTDeviceModel'
'IoTDeviceName'
'IoTDeviceOperatingSystem'
'IoTDeviceType'
'IoTDeviceVendor'
'IPAddress'
'MailboxDisplayName'
'MailboxPrimaryAddress'
'MailboxUPN'
'MailMessageDeliveryAction'
'MailMessageDeliveryLocation'
'MailMessageP1Sender'
'MailMessageP2Sender'
'MailMessageRecipient'
'MailMessageSenderIP'
'MailMessageSubject'
'MalwareCategory'
'MalwareName'
'ProcessCommandLine'
'ProcessId'
'RegistryKey'
'RegistryValueData'
'Url'
propertyValues string[]

AutomationRuleRunPlaybookAction

Name Description Value
actionConfiguration PlaybookActionProperties
actionType The type of the automation rule action. 'RunPlaybook' (required)

AutomationRuleTriggeringLogic

Name Description Value
conditions The conditions to evaluate to determine if the automation rule should be triggered on a given object. AutomationRuleCondition[]
expirationTimeUtc Determines when the automation rule should automatically expire and be disabled. string
isEnabled Determines whether the automation rule is enabled or disabled. bool (required)
triggersOn 'Alerts'
'Incidents' (required)
triggersWhen 'Created'
'Updated' (required)

BooleanConditionProperties

Name Description Value
conditionProperties Describes an automation rule condition with boolean operators. AutomationRuleBooleanCondition
conditionType 'Boolean' (required)

IncidentLabel

Name Description Value
labelName The name of the label string (required)

IncidentOwnerInfo

Name Description Value
assignedTo The name of the user the incident is assigned to. string
email The email of the user the incident is assigned to. string
objectId The object id of the user the incident is assigned to. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
ownerType The type of the owner the incident is assigned to. 'Group'
'Unknown'
'User'
userPrincipalName The user principal name of the user the incident is assigned to. string

IncidentPropertiesAction

Name Description Value
classification The reason the incident was closed 'BenignPositive'
'FalsePositive'
'TruePositive'
'Undetermined'
classificationComment Describes the reason the incident was closed. string
classificationReason The classification reason the incident was closed with 'InaccurateData'
'IncorrectAlertLogic'
'SuspiciousActivity'
'SuspiciousButExpected'
labels List of labels to add to the incident. IncidentLabel[]
owner Information on the user an incident is assigned to IncidentOwnerInfo
severity The severity of the incident 'High'
'Informational'
'Low'
'Medium'
status The status of the incident 'Active'
'Closed'
'New'

PlaybookActionProperties

Name Description Value
logicAppResourceId The resource id of the playbook resource. string (required)
tenantId The tenant id of the playbook resource. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

PropertyArrayChangedConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyArrayChangedValuesCondition
conditionType 'PropertyArrayChanged' (required)

PropertyArrayConditionProperties

Name Description Value
conditionProperties Describes an automation rule condition on array properties. AutomationRulePropertyArrayValuesCondition
conditionType 'PropertyArray' (required)

PropertyChangedConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyValuesChangedCondition
conditionType 'PropertyChanged' (required)

PropertyConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyValuesCondition
conditionType 'Property' (required)

Usage Examples

Bicep Samples

A basic example of deploying a Sentinel automation rule.

param resourceName string = 'acctest0001'
param location string = 'westeurope'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
 name: resourceName
 location: location
 properties: {
 features: {
 disableLocalAuth: false
 enableLogAccessUsingOnlyResourcePermissions: true
 }
 publicNetworkAccessForIngestion: 'Enabled'
 publicNetworkAccessForQuery: 'Enabled'
 retentionInDays: 30
 sku: {
 name: 'PerGB2018'
 }
 workspaceCapping: {
 dailyQuotaGb: -1
 }
 }
}

resource onboardingState 'Microsoft.SecurityInsights/onboardingStates@2023-06-01-preview' = {
 name: 'default'
 scope: workspace
 properties: {
 customerManagedKey: false
 }
}

resource automationRule 'Microsoft.SecurityInsights/automationRules@2022-10-01-preview' = {
 name: '3b862818-ad7b-409e-83be-8812f2a06d37'
 scope: workspace
 dependsOn: [
 onboardingState
 ]
 properties: {
 actions: [
 {
 actionConfiguration: {
 classification: ''
 classificationComment: ''
 classificationReason: ''
 severity: ''
 status: 'Active'
 }
 actionType: 'ModifyProperties'
 order: 1
 }
 ]
 displayName: 'acctest-SentinelAutoRule-230630033910945846'
 order: 1
 triggeringLogic: {
 isEnabled: true
 triggersOn: 'Incidents'
 triggersWhen: 'Created'
 }
 }
}
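The basic sample above only sets incident properties and has no conditions. The following Bicep is an added example, not code from the reference page, that exercises the AutomationRuleCondition objects (Property and Boolean) and all three AutomationRuleAction types (AddIncidentTask, ModifyProperties, RunPlaybook) documented earlier, using the 2025-03-01 API version. It assumes an existing Log Analytics workspace that is already onboarded to Sentinel, and an existing Logic App playbook whose resource ID and tenant ID are supplied as parameters; the rule name, display name, label, task text, tactic and product-name filters are constructed for illustration.

```bicep
// Added example (not from the reference page): one automation rule that combines
// Property and Boolean conditions with AddIncidentTask, ModifyProperties and
// RunPlaybook actions. Assumes an existing Sentinel-enabled workspace and playbook.
param workspaceName string                            // assumed: existing, Sentinel-enabled workspace
param playbookResourceId string                       // assumed: resource ID of an existing Logic App
param playbookTenantId string                         // assumed: 36-character tenant GUID hosting the playbook
param ruleExpiresUtc string = '2026-12-31T23:59:59Z'  // constructed ISO 8601 timestamp

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource highSevTriage 'Microsoft.SecurityInsights/automationRules@2025-03-01' = {
  // guid() derives a stable GUID-shaped name from the workspace ID, so a redeploy
  // updates this rule instead of creating a new one each time
  name: guid(workspace.id, 'high-severity-triage')
  scope: workspace
  properties: {
    displayName: 'Triage new high-severity incidents'  // max length 500
    order: 10                                          // 1..1000; lower values run first
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      expirationTimeUtc: ruleExpiresUtc  // the rule disables itself after this time
      // top-level conditions are evaluated together (AND); the Boolean block ORs two checks
      conditions: [
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentSeverity'
            operator: 'Equals'
            propertyValues: [
              'High'
            ]
          }
        }
        {
          conditionType: 'Boolean'
          conditionProperties: {
            operator: 'Or'
            innerConditions: [
              {
                conditionType: 'Property'
                conditionProperties: {
                  propertyName: 'IncidentTactics'
                  operator: 'Contains'
                  propertyValues: [
                    'CredentialAccess'
                  ]
                }
              }
              {
                conditionType: 'Property'
                conditionProperties: {
                  propertyName: 'AlertProductNames'
                  operator: 'Contains'
                  propertyValues: [
                    'Microsoft Defender for Identity'
                  ]
                }
              }
            ]
          }
        }
      ]
    }
    // actions run in 'order'; each actionType selects its own actionConfiguration shape
    actions: [
      {
        order: 1
        actionType: 'AddIncidentTask'
        actionConfiguration: {
          title: 'Confirm affected accounts and reset credentials'
          description: 'Review the account entities on the incident and record the containment steps taken.'
        }
      }
      {
        order: 2
        actionType: 'ModifyProperties'
        actionConfiguration: {
          status: 'Active'
          labels: [
            {
              labelName: 'auto-triaged'
            }
          ]
        }
      }
      {
        order: 3
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbookResourceId
          tenantId: playbookTenantId
        }
      }
    ]
  }
}
```

Deploy it at resource-group scope with the workspace's resource group as the target; the `scope: workspace` line attaches the rule to the workspace as an extension resource, as the scope property description above specifies. Because RunPlaybook requires the Sentinel service to have permission on the playbook, the tenantId must match the tenant that hosts the Logic App and must satisfy the 36-character GUID constraint listed under PlaybookActionProperties.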

ARM template resource definition

The automationRules resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/automationRules resource, add the following JSON to your template.

{
 "type": "Microsoft.SecurityInsights/automationRules",
 "apiVersion": "2025-03-01",
 "name": "string",
 "etag": "string",
 "properties": {
 "actions": [ {
 "order": "int",
 "actionType": "string"
 // For remaining properties, see AutomationRuleAction objects
 } ],
 "displayName": "string",
 "order": "int",
 "triggeringLogic": {
 "conditions": [ {
 "conditionType": "string"
 // For remaining properties, see AutomationRuleCondition objects
 } ],
 "expirationTimeUtc": "string",
 "isEnabled": "bool",
 "triggersOn": "string",
 "triggersWhen": "string"
 }
 }
}

AutomationRuleAction objects

Set the actionType property to specify the type of object.

For AddIncidentTask, use:

{
 "actionConfiguration": {
 "description": "string",
 "title": "string"
 },
 "actionType": "AddIncidentTask"
}

For ModifyProperties, use:

{
 "actionConfiguration": {
 "classification": "string",
 "classificationComment": "string",
 "classificationReason": "string",
 "labels": [
 {
 "labelName": "string"
 }
 ],
 "owner": {
 "assignedTo": "string",
 "email": "string",
 "objectId": "string",
 "ownerType": "string",
 "userPrincipalName": "string"
 },
 "severity": "string",
 "status": "string"
 },
 "actionType": "ModifyProperties"
}

For RunPlaybook, use:

{
 "actionConfiguration": {
 "logicAppResourceId": "string",
 "tenantId": "string"
 },
 "actionType": "RunPlaybook"
}

AutomationRuleCondition objects

Set the conditionType property to specify the type of object.

For Boolean, use:

{
 "conditionProperties": {
 "innerConditions": [ {
 "conditionType": "string"
 // For remaining properties, see AutomationRuleCondition objects
 } ],
 "operator": "string"
 },
 "conditionType": "Boolean"
}

For Property, use:

{
 "conditionProperties": {
 "operator": "string",
 "propertyName": "string",
 "propertyValues": [ "string" ]
 },
 "conditionType": "Property"
}

For PropertyArray, use:

{
 "conditionProperties": {
 "arrayConditionType": "string",
 "arrayType": "string",
 "itemConditions": [ {
 "conditionType": "string"
 // For remaining properties, see AutomationRuleCondition objects
 } ]
 },
 "conditionType": "PropertyArray"
}

For PropertyArrayChanged, use:

{
 "conditionProperties": {
 "arrayType": "string",
 "changeType": "string"
 },
 "conditionType": "PropertyArrayChanged"
}

For PropertyChanged, use:

{
 "conditionProperties": {
 "changeType": "string",
 "operator": "string",
 "propertyName": "string",
 "propertyValues": [ "string" ]
 },
 "conditionType": "PropertyChanged"
}

Property Values

Microsoft.SecurityInsights/automationRules

Name Description Value
apiVersion The api version '2025-03-01'
etag Etag of the azure resource string
name The resource name string (required)
properties Automation rule properties AutomationRuleProperties (required)
type The resource type 'Microsoft.SecurityInsights/automationRules'

AddIncidentTaskActionProperties

Name Description Value
description The description of the task. string
title The title of the task. string (required)

AutomationRuleAction

Name Description Value
actionType Set to 'AddIncidentTask' for type AutomationRuleAddIncidentTaskAction. Set to 'ModifyProperties' for type AutomationRuleModifyPropertiesAction. Set to 'RunPlaybook' for type AutomationRuleRunPlaybookAction. 'AddIncidentTask'
'ModifyProperties'
'RunPlaybook' (required)
order int (required)

AutomationRuleAddIncidentTaskAction

Name Description Value
actionConfiguration Describes an automation rule action to add a task to an incident. AddIncidentTaskActionProperties
actionType The type of the automation rule action. 'AddIncidentTask' (required)

AutomationRuleBooleanCondition

Name Description Value
innerConditions AutomationRuleCondition[]
operator Describes a boolean condition operator. 'And'
'Or'

AutomationRuleCondition

Name Description Value
conditionType Set to 'Boolean' for type BooleanConditionProperties. Set to 'Property' for type PropertyConditionProperties. Set to 'PropertyArray' for type PropertyArrayConditionProperties. Set to 'PropertyArrayChanged' for type PropertyArrayChangedConditionProperties. Set to 'PropertyChanged' for type PropertyChangedConditionProperties. 'Boolean'
'Property'
'PropertyArray'
'PropertyArrayChanged'
'PropertyChanged' (required)

AutomationRuleModifyPropertiesAction

Name Description Value
actionConfiguration IncidentPropertiesAction
actionType The type of the automation rule action. 'ModifyProperties' (required)

AutomationRuleProperties

Name Description Value
actions The actions to execute when the automation rule is triggered. AutomationRuleAction[] (required)
displayName The display name of the automation rule. string

Constraints:
Max length = 500 (required)
order The order of execution of the automation rule. int

Constraints:
Min value = 1
Max value = 1000 (required)
triggeringLogic Describes automation rule triggering logic. AutomationRuleTriggeringLogic (required)

AutomationRulePropertyArrayChangedValuesCondition

Name Description Value
arrayType 'Alerts'
'Comments'
'Labels'
'Tactics'
changeType 'Added'

AutomationRulePropertyArrayValuesCondition

Name Description Value
arrayConditionType Describes an array condition evaluation type. 'AnyItem'
arrayType Describes an array condition evaluated array type. 'CustomDetails'
'CustomDetailValues'
itemConditions AutomationRuleCondition[]

AutomationRulePropertyValuesChangedCondition

Name Description Value
changeType 'ChangedFrom'
'ChangedTo'
operator 'Contains'
'EndsWith'
'Equals'
'NotContains'
'NotEndsWith'
'NotEquals'
'NotStartsWith'
'StartsWith'
propertyName 'IncidentOwner'
'IncidentSeverity'
'IncidentStatus'
propertyValues string[]

AutomationRulePropertyValuesCondition

Name Description Value
operator 'Contains'
'EndsWith'
'Equals'
'NotContains'
'NotEndsWith'
'NotEquals'
'NotStartsWith'
'StartsWith'
propertyName The property to evaluate in an automation rule property condition. 'AccountAadTenantId'
'AccountAadUserId'
'AccountName'
'AccountNTDomain'
'AccountObjectGuid'
'AccountPUID'
'AccountSid'
'AccountUPNSuffix'
'AlertAnalyticRuleIds'
'AlertProductNames'
'AzureResourceResourceId'
'AzureResourceSubscriptionId'
'CloudApplicationAppId'
'CloudApplicationAppName'
'DNSDomainName'
'FileDirectory'
'FileHashValue'
'FileName'
'HostAzureID'
'HostName'
'HostNetBiosName'
'HostNTDomain'
'HostOSVersion'
'IncidentCustomDetailsKey'
'IncidentCustomDetailsValue'
'IncidentDescription'
'IncidentLabel'
'IncidentProviderName'
'IncidentRelatedAnalyticRuleIds'
'IncidentSeverity'
'IncidentStatus'
'IncidentTactics'
'IncidentTitle'
'IncidentUpdatedBySource'
'IoTDeviceId'
'IoTDeviceModel'
'IoTDeviceName'
'IoTDeviceOperatingSystem'
'IoTDeviceType'
'IoTDeviceVendor'
'IPAddress'
'MailboxDisplayName'
'MailboxPrimaryAddress'
'MailboxUPN'
'MailMessageDeliveryAction'
'MailMessageDeliveryLocation'
'MailMessageP1Sender'
'MailMessageP2Sender'
'MailMessageRecipient'
'MailMessageSenderIP'
'MailMessageSubject'
'MalwareCategory'
'MalwareName'
'ProcessCommandLine'
'ProcessId'
'RegistryKey'
'RegistryValueData'
'Url'
propertyValues string[]

AutomationRuleRunPlaybookAction

Name Description Value
actionConfiguration PlaybookActionProperties
actionType The type of the automation rule action. 'RunPlaybook' (required)

AutomationRuleTriggeringLogic

Name Description Value
conditions The conditions to evaluate to determine if the automation rule should be triggered on a given object. AutomationRuleCondition[]
expirationTimeUtc Determines when the automation rule should automatically expire and be disabled. string
isEnabled Determines whether the automation rule is enabled or disabled. bool (required)
triggersOn 'Alerts'
'Incidents' (required)
triggersWhen 'Created'
'Updated' (required)

BooleanConditionProperties

Name Description Value
conditionProperties Describes an automation rule condition with boolean operators. AutomationRuleBooleanCondition
conditionType 'Boolean' (required)

IncidentLabel

Name Description Value
labelName The name of the label string (required)

IncidentOwnerInfo

Name Description Value
assignedTo The name of the user the incident is assigned to. string
email The email of the user the incident is assigned to. string
objectId The object id of the user the incident is assigned to. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
ownerType The type of the owner the incident is assigned to. 'Group'
'Unknown'
'User'
userPrincipalName The user principal name of the user the incident is assigned to. string

IncidentPropertiesAction

Name Description Value
classification The reason the incident was closed 'BenignPositive'
'FalsePositive'
'TruePositive'
'Undetermined'
classificationComment Describes the reason the incident was closed. string
classificationReason The classification reason the incident was closed with 'InaccurateData'
'IncorrectAlertLogic'
'SuspiciousActivity'
'SuspiciousButExpected'
labels List of labels to add to the incident. IncidentLabel[]
owner Information on the user an incident is assigned to IncidentOwnerInfo
severity The severity of the incident 'High'
'Informational'
'Low'
'Medium'
status The status of the incident 'Active'
'Closed'
'New'

PlaybookActionProperties

Name Description Value
logicAppResourceId The resource id of the playbook resource. string (required)
tenantId The tenant id of the playbook resource. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

PropertyArrayChangedConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyArrayChangedValuesCondition
conditionType 'PropertyArrayChanged' (required)

PropertyArrayConditionProperties

Name Description Value
conditionProperties Describes an automation rule condition on array properties. AutomationRulePropertyArrayValuesCondition
conditionType 'PropertyArray' (required)

PropertyChangedConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyValuesChangedCondition
conditionType 'PropertyChanged' (required)

PropertyConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyValuesCondition
conditionType 'Property' (required)

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

Template Description
Creates a new Microsoft Sentinel Automation Rule: This sample shows how to create a new automation rule in Microsoft Sentinel.

Terraform (AzAPI provider) resource definition

The automationRules resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/automationRules resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
 type = "Microsoft.SecurityInsights/automationRules@2025-03-01"
 name = "string"
 parent_id = "string"
 body = {
 etag = "string"
 properties = {
 actions = [
 {
 order = int
 actionType = "string"
 // For remaining properties, see AutomationRuleAction objects
 }
 ]
 displayName = "string"
 order = int
 triggeringLogic = {
 conditions = [
 {
 conditionType = "string"
 // For remaining properties, see AutomationRuleCondition objects
 }
 ]
 expirationTimeUtc = "string"
 isEnabled = bool
 triggersOn = "string"
 triggersWhen = "string"
 }
 }
 }
}

AutomationRuleAction objects

Set the actionType property to specify the type of object.

For AddIncidentTask, use:

{
 actionConfiguration = {
 description = "string"
 title = "string"
 }
 actionType = "AddIncidentTask"
}

For ModifyProperties, use:

{
 actionConfiguration = {
 classification = "string"
 classificationComment = "string"
 classificationReason = "string"
 labels = [
 {
 labelName = "string"
 }
 ]
 owner = {
 assignedTo = "string"
 email = "string"
 objectId = "string"
 ownerType = "string"
 userPrincipalName = "string"
 }
 severity = "string"
 status = "string"
 }
 actionType = "ModifyProperties"
}

For RunPlaybook, use:

{
 actionConfiguration = {
 logicAppResourceId = "string"
 tenantId = "string"
 }
 actionType = "RunPlaybook"
}

AutomationRuleCondition objects

Set the conditionType property to specify the type of object.

For Boolean, use:

{
 conditionProperties = {
 innerConditions = [
 {
 conditionType = "string"
 // For remaining properties, see AutomationRuleCondition objects
 }
 ]
 operator = "string"
 }
 conditionType = "Boolean"
}

For Property, use:

{
 conditionProperties = {
 operator = "string"
 propertyName = "string"
 propertyValues = [
 "string"
 ]
 }
 conditionType = "Property"
}

For PropertyArray, use:

{
 conditionProperties = {
 arrayConditionType = "string"
 arrayType = "string"
 itemConditions = [
 {
 conditionType = "string"
 // For remaining properties, see AutomationRuleCondition objects
 }
 ]
 }
 conditionType = "PropertyArray"
}

For PropertyArrayChanged, use:

{
 conditionProperties = {
 arrayType = "string"
 changeType = "string"
 }
 conditionType = "PropertyArrayChanged"
}

For PropertyChanged, use:

{
 conditionProperties = {
 changeType = "string"
 operator = "string"
 propertyName = "string"
 propertyValues = [
 "string"
 ]
 }
 conditionType = "PropertyChanged"
}

Property Values

Microsoft.SecurityInsights/automationRules

Name Description Value
etag Etag of the azure resource string
name The resource name string (required)
parent_id The ID of the resource to apply this extension resource to. string (required)
properties Automation rule properties AutomationRuleProperties (required)
type The resource type "Microsoft.SecurityInsights/automationRules@2025-03-01"

AddIncidentTaskActionProperties

Name Description Value
description The description of the task. string
title The title of the task. string (required)

AutomationRuleAction

Name Description Value
actionType Set to 'AddIncidentTask' for type AutomationRuleAddIncidentTaskAction. Set to 'ModifyProperties' for type AutomationRuleModifyPropertiesAction. Set to 'RunPlaybook' for type AutomationRuleRunPlaybookAction. 'AddIncidentTask'
'ModifyProperties'
'RunPlaybook' (required)
order int (required)

AutomationRuleAddIncidentTaskAction

Name Description Value
actionConfiguration Describes an automation rule action to add a task to an incident. AddIncidentTaskActionProperties
actionType The type of the automation rule action. 'AddIncidentTask' (required)

AutomationRuleBooleanCondition

Name Description Value
innerConditions AutomationRuleCondition[]
operator Describes a boolean condition operator. 'And'
'Or'

AutomationRuleCondition

Name Description Value
conditionType Set to 'Boolean' for type BooleanConditionProperties. Set to 'Property' for type PropertyConditionProperties. Set to 'PropertyArray' for type PropertyArrayConditionProperties. Set to 'PropertyArrayChanged' for type PropertyArrayChangedConditionProperties. Set to 'PropertyChanged' for type PropertyChangedConditionProperties. 'Boolean'
'Property'
'PropertyArray'
'PropertyArrayChanged'
'PropertyChanged' (required)

AutomationRuleModifyPropertiesAction

Name Description Value
actionConfiguration IncidentPropertiesAction
actionType The type of the automation rule action. 'ModifyProperties' (required)

AutomationRuleProperties

Name Description Value
actions The actions to execute when the automation rule is triggered. AutomationRuleAction[] (required)
displayName The display name of the automation rule. string

Constraints:
Max length = 500 (required)
order The order of execution of the automation rule. int

Constraints:
Min value = 1
Max value = 1000 (required)
triggeringLogic Describes automation rule triggering logic. AutomationRuleTriggeringLogic (required)

AutomationRulePropertyArrayChangedValuesCondition

Name Description Value
arrayType 'Alerts'
'Comments'
'Labels'
'Tactics'
changeType 'Added'

AutomationRulePropertyArrayValuesCondition

Name Description Value
arrayConditionType Describes an array condition evaluation type. 'AnyItem'
arrayType Describes an array condition evaluated array type. 'CustomDetails'
'CustomDetailValues'
itemConditions AutomationRuleCondition[]

AutomationRulePropertyValuesChangedCondition

Name Description Value
changeType 'ChangedFrom'
'ChangedTo'
operator 'Contains'
'EndsWith'
'Equals'
'NotContains'
'NotEndsWith'
'NotEquals'
'NotStartsWith'
'StartsWith'
propertyName 'IncidentOwner'
'IncidentSeverity'
'IncidentStatus'
propertyValues string[]

AutomationRulePropertyValuesCondition

Name Description Value
operator 'Contains'
'EndsWith'
'Equals'
'NotContains'
'NotEndsWith'
'NotEquals'
'NotStartsWith'
'StartsWith'
propertyName The property to evaluate in an automation rule property condition. 'AccountAadTenantId'
'AccountAadUserId'
'AccountName'
'AccountNTDomain'
'AccountObjectGuid'
'AccountPUID'
'AccountSid'
'AccountUPNSuffix'
'AlertAnalyticRuleIds'
'AlertProductNames'
'AzureResourceResourceId'
'AzureResourceSubscriptionId'
'CloudApplicationAppId'
'CloudApplicationAppName'
'DNSDomainName'
'FileDirectory'
'FileHashValue'
'FileName'
'HostAzureID'
'HostName'
'HostNetBiosName'
'HostNTDomain'
'HostOSVersion'
'IncidentCustomDetailsKey'
'IncidentCustomDetailsValue'
'IncidentDescription'
'IncidentLabel'
'IncidentProviderName'
'IncidentRelatedAnalyticRuleIds'
'IncidentSeverity'
'IncidentStatus'
'IncidentTactics'
'IncidentTitle'
'IncidentUpdatedBySource'
'IoTDeviceId'
'IoTDeviceModel'
'IoTDeviceName'
'IoTDeviceOperatingSystem'
'IoTDeviceType'
'IoTDeviceVendor'
'IPAddress'
'MailboxDisplayName'
'MailboxPrimaryAddress'
'MailboxUPN'
'MailMessageDeliveryAction'
'MailMessageDeliveryLocation'
'MailMessageP1Sender'
'MailMessageP2Sender'
'MailMessageRecipient'
'MailMessageSenderIP'
'MailMessageSubject'
'MalwareCategory'
'MalwareName'
'ProcessCommandLine'
'ProcessId'
'RegistryKey'
'RegistryValueData'
'Url'
propertyValues string[]

AutomationRuleRunPlaybookAction

Name Description Value
actionConfiguration PlaybookActionProperties
actionType The type of the automation rule action. 'RunPlaybook' (required)

AutomationRuleTriggeringLogic

Name Description Value
conditions The conditions to evaluate to determine if the automation rule should be triggered on a given object. AutomationRuleCondition[]
expirationTimeUtc Determines when the automation rule should automatically expire and be disabled. string
isEnabled Determines whether the automation rule is enabled or disabled. bool (required)
triggersOn 'Alerts'
'Incidents' (required)
triggersWhen 'Created'
'Updated' (required)

BooleanConditionProperties

Name Description Value
conditionProperties Describes an automation rule condition with boolean operators. AutomationRuleBooleanCondition
conditionType 'Boolean' (required)

IncidentLabel

Name Description Value
labelName The name of the label string (required)

IncidentOwnerInfo

Name Description Value
assignedTo The name of the user the incident is assigned to. string
email The email of the user the incident is assigned to. string
objectId The object id of the user the incident is assigned to. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
ownerType The type of the owner the incident is assigned to. 'Group'
'Unknown'
'User'
userPrincipalName The user principal name of the user the incident is assigned to. string

IncidentPropertiesAction

Name Description Value
classification The reason the incident was closed 'BenignPositive'
'FalsePositive'
'TruePositive'
'Undetermined'
classificationComment Describes the reason the incident was closed. string
classificationReason The classification reason the incident was closed with 'InaccurateData'
'IncorrectAlertLogic'
'SuspiciousActivity'
'SuspiciousButExpected'
labels List of labels to add to the incident. IncidentLabel[]
owner Information on the user an incident is assigned to IncidentOwnerInfo
severity The severity of the incident 'High'
'Informational'
'Low'
'Medium'
status The status of the incident 'Active'
'Closed'
'New'

PlaybookActionProperties

Name Description Value
logicAppResourceId The resource id of the playbook resource. string (required)
tenantId The tenant id of the playbook resource. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

PropertyArrayChangedConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyArrayChangedValuesCondition
conditionType 'PropertyArrayChanged' (required)

PropertyArrayConditionProperties

Name Description Value
conditionProperties Describes an automation rule condition on array properties. AutomationRulePropertyArrayValuesCondition
conditionType 'PropertyArray' (required)

PropertyChangedConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyValuesChangedCondition
conditionType 'PropertyChanged' (required)

PropertyConditionProperties

Name Description Value
conditionProperties AutomationRulePropertyValuesCondition
conditionType 'Property' (required)

Usage Examples

Terraform Samples

A basic example of deploying a Sentinel automation rule.

terraform {
 required_providers {
 azapi = {
 source = "Azure/azapi"
 }
 }
}

provider "azapi" {
 skip_provider_registration = false
}

variable "resource_name" {
 type = string
 default = "acctest0001"
}

variable "location" {
 type = string
 default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
 type = "Microsoft.Resources/resourceGroups@2020-06-01"
 name = var.resource_name
 location = var.location
}

resource "azapi_resource" "workspace" {
 type = "Microsoft.OperationalInsights/workspaces@2022-10-01"
 parent_id = azapi_resource.resourceGroup.id
 name = var.resource_name
 location = var.location
 body = {
 properties = {
 features = {
 disableLocalAuth = false
 enableLogAccessUsingOnlyResourcePermissions = true
 }
 publicNetworkAccessForIngestion = "Enabled"
 publicNetworkAccessForQuery = "Enabled"
 retentionInDays = 30
 sku = {
 name = "PerGB2018"
 }
 workspaceCapping = {
 dailyQuotaGb = -1
 }
 }
 }
 schema_validation_enabled = false
 response_export_values = ["*"]
}

resource "azapi_resource" "onboardingState" {
 type = "Microsoft.SecurityInsights/onboardingStates@2023-06-01-preview"
 parent_id = azapi_resource.workspace.id
 name = "default"
 body = {
 properties = {
 customerManagedKey = false
 }
 }
}

resource "azapi_resource" "automationRule" {
 type = "Microsoft.SecurityInsights/automationRules@2022-10-01-preview"
 parent_id = azapi_resource.workspace.id
 name = "3b862818-ad7b-409e-83be-8812f2a06d37"
 body = {
 properties = {
 actions = [
 {
 actionConfiguration = {
 classification = ""
 classificationComment = ""
 classificationReason = ""
 severity = ""
 status = "Active"
 }
 actionType = "ModifyProperties"
 order = 1
 },
 ]
 displayName = "acctest-SentinelAutoRule-230630033910945846"
 order = 1
 triggeringLogic = {
 isEnabled = true
 triggersOn = "Incidents"
 triggersWhen = "Created"
 }
 }
 }
 schema_validation_enabled = false
 response_export_values = ["*"]
 depends_on = [azapi_resource.onboardingState]
}
