Microsoft.Security automations 2019-01-01-preview

Template format

To create a Microsoft.Security/automations resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Security/automations",
  "apiVersion": "2019-01-01-preview",
  "location": "string",
  "kind": "string",
  "tags": {},
  "properties": {
    "description": "string",
    "isEnabled": "boolean",
    "scopes": [
      {
        "description": "string",
        "scopePath": "string"
      }
    ],
    "sources": [
      {
        "eventSource": "string",
        "ruleSets": [
          {
            "rules": [
              {
                "propertyJPath": "string",
                "propertyType": "string",
                "expectedValue": "string",
                "operator": "string"
              }
            ]
          }
        ]
      }
    ],
    "actions": [
      {
        "actionType": "string"
      }
    ]
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Security/automations object

Note

In Bicep, type and apiVersion are specified in the first line of the resource declaration. Use the format <type>@<apiVersion>. Don't set those properties in the resource body.

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The security automation name. |
| type | enum | Yes | For JSON - Microsoft.Security/automations |
| apiVersion | enum | Yes | For JSON - 2019-01-01-preview |
| location | string | No | Location where the resource is stored |
| kind | string | No | Kind of the resource |
| tags | object | No | A list of key value pairs that describe the resource. |
| properties | object | Yes | Security automation data - AutomationProperties object |

AutomationProperties object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| description | string | No | The security automation description. |
| isEnabled | boolean | No | Indicates whether the security automation is enabled. |
| scopes | array | No | A collection of scopes on which the security automation's logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation applies only to the defined scopes. - AutomationScope object |
| sources | array | No | A collection of the source event types which evaluate the security automation's set of rules. - AutomationSource object |
| actions | array | No | A collection of the actions which are triggered if all the configured rule evaluations, within at least one rule set, are true. - AutomationAction object |

AutomationScope object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| description | string | No | The resources scope description. |
| scopePath | string | No | The resources scope path. Can be the subscription on which the automation is defined or a resource group under that subscription (fully qualified Azure resource IDs). |

AutomationSource object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| eventSource | enum | No | A valid event source type. - Assessments, SubAssessments, Alerts, SecureScores, SecureScoresSnapshot, SecureScoreControls, SecureScoreControlsSnapshot, RegulatoryComplianceAssessment, RegulatoryComplianceAssessmentSnapshot |
| ruleSets | array | No | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). - AutomationRuleSet object |

AutomationAction object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| actionType | string | Yes | |

AutomationRuleSet object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| rules | array | No | AutomationTriggeringRule object |

AutomationTriggeringRule object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| propertyJPath | string | No | The JPath of the entity model property that should be checked. |
| propertyType | enum | No | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]). - String, Integer, Number, Boolean |
| expectedValue | string | No | The expected value. |
| operator | enum | No | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. - Equals, GreaterThan, GreaterThanOrEqualTo, LesserThan, LesserThanOrEqualTo, NotEquals, Contains, StartsWith, EndsWith |
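
The tables above define when an automation fires: rules inside one rule set must all be true, and any one rule set being true is enough. The following is an added example, not Microsoft's code, that dry-runs a `sources` entry against an event so a filter can be checked before deployment. It assumes `propertyJPath` is a dotted key path and that a missing property never satisfies a rule; the event property names `Severity` and `AlertDisplayName` and the sample source are constructed for illustration.

```python
import operator as op

# Operand coercion per propertyType; String operands compare case-insensitively.
CASTS = {"string": lambda v: str(v).lower(), "integer": int, "number": float,
         "boolean": lambda v: str(v).lower() == "true"}
OPERATORS = {
    "equals": op.eq, "notequals": op.ne,
    "greaterthan": op.gt, "greaterthanorequalto": op.ge,
    "lesserthan": op.lt, "lesserthanorequalto": op.le,
    "contains": lambda a, b: b in a,
    "startswith": lambda a, b: a.startswith(b),
    "endswith": lambda a, b: a.endswith(b),
}

def resolve(event, jpath):
    """Assumption: propertyJPath is read as a dotted key path into the event."""
    node = event
    for key in jpath.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def rule_matches(event, rule):
    actual = resolve(event, rule["propertyJPath"])
    if actual is None:
        return False  # assumption: a missing property never satisfies a rule
    cast = CASTS[rule["propertyType"].lower()]
    compare = OPERATORS[rule["operator"].lower()]
    try:
        return bool(compare(cast(actual), cast(rule["expectedValue"])))
    except (TypeError, ValueError, AttributeError):
        return False  # operands cannot be compared as the declared type

def source_matches(event_type, event, source):
    if source["eventSource"] != event_type:
        return False
    rule_sets = source.get("ruleSets")
    if not rule_sets:
        raise ValueError("no ruleSets: that case is not defined on this page")
    # Logical OR across rule sets, logical AND across the rules in each set.
    return any(all(rule_matches(event, r) for r in rs["rules"]) for rs in rule_sets)

# Constructed sample source: High alerts, or Medium alerts naming brute force.
def _rule(path, expected, oper, ptype="String"):
    return {"propertyJPath": path, "propertyType": ptype,
            "expectedValue": expected, "operator": oper}

SOURCE = {"eventSource": "Alerts", "ruleSets": [
    {"rules": [_rule("Severity", "high", "Equals")]},
    {"rules": [_rule("Severity", "medium", "Equals"),
               _rule("AlertDisplayName", "brute force", "Contains")]},
]}
```

Running a few representative events through `source_matches` shows quickly whether a second rule set widens the filter more than intended, since each added set is another way for the actions to fire.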

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create A Security Automation for specific Alerts | This template allows you to create an Azure Security Center Automation that triggers an empty logic app. The logic app is triggered by a specific Security Center alert. |
| Create A Security Automation for all Alerts | This template allows you to create an Azure Security Center Automation that triggers an empty logic app. The logic app is triggered by any Security Center alert. |
| Create A Security Automation for any Recommendation | This template allows you to create an Azure Security Center Automation that triggers an empty logic app. The logic app is triggered by any Security Center recommendation and state. |
| Create A Security Automation for a Recommendation | This template allows you to create an Azure Security Center Automation that triggers an empty logic app. The logic app is triggered by a specific Security Center recommendation and unhealthy state. |