Microsoft.Security automations

The automations resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.Security/automations resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  kind: 'string'
  etag: 'string'
  properties: {
    actions: [
      {
        actionType: 'string'
        // For remaining properties, see AutomationAction objects
      }
    ]
    description: 'string'
    isEnabled: bool
    scopes: [
      {
        description: 'string'
        scopePath: 'string'
      }
    ]
    sources: [
      {
        eventSource: 'string'
        ruleSets: [
          {
            rules: [
              {
                expectedValue: 'string'
                operator: 'string'
                propertyJPath: 'string'
                propertyType: 'string'
              }
            ]
          }
        ]
      }
    ]
  }
}

AutomationAction objects

Set the actionType property to specify the type of object.

For EventHub, use:

  actionType: 'EventHub'
  connectionString: 'string'
  eventHubResourceId: 'string'

For LogicApp, use:

  actionType: 'LogicApp'
  logicAppResourceId: 'string'
  uri: 'string'

For Workspace, use:

  actionType: 'Workspace'
  workspaceResourceId: 'string'
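
A filled-in declaration, added here as an example and not taken from the reference page or from Microsoft's templates: it exports high-severity alerts to a Log Analytics workspace and an Event Hub. The parameter names, the resource name and the rule values (including the 'Severity' property path) are assumptions; the connection string is passed as a @secure() parameter because it is a credential.

```bicep
// Added example (not from the reference page). Names, parameters and rule values are assumptions.
param workspaceResourceId string
param eventHubResourceId string

@secure() // keeps the secret out of deployment history and logs
param eventHubConnectionString string

resource exportAlerts 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: 'export-high-severity-alerts'
  location: resourceGroup().location
  properties: {
    description: 'Export high-severity alerts to the SOC workspace and Event Hub'
    isEnabled: true
    scopes: [
      {
        description: 'Subscription that contains this resource group'
        scopePath: subscription().id
      }
    ]
    sources: [
      {
        eventSource: 'Alerts'
        ruleSets: [
          {
            // Rules in one rule set are AND-ed; separate rule sets are OR-ed.
            rules: [
              {
                propertyJPath: 'Severity' // assumed alert property name
                propertyType: 'String'
                operator: 'Equals' // case-insensitive for String
                expectedValue: 'High'
              }
            ]
          }
        ]
      }
    ]
    actions: [
      {
        actionType: 'Workspace'
        workspaceResourceId: workspaceResourceId
      }
      {
        actionType: 'EventHub'
        eventHubResourceId: eventHubResourceId
        connectionString: eventHubConnectionString
      }
    ]
  }
}
```

The Workspace action takes only a resource ID, so it carries no secret in the template.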

Property values

automations

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Security/automations' |
| apiVersion | The resource api version. For Bicep, set this value in the resource declaration. | '2019-01-01-preview' |
| name | The resource name | string (required) |
| location | Location where the resource is stored | string |
| tags | A list of key value pairs that describe the resource. | Dictionary of tag names and values. See Tags in templates |
| kind | Kind of the resource | string |
| etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
| properties | A set of properties that defines the behavior of the automation configuration. To learn more about the supported security events data models schemas - please visit https://aka.ms/ASCAutomationSchemas. | AutomationProperties |

AutomationProperties

| Name | Description | Value |
| --- | --- | --- |
| actions | A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true. | AutomationAction[] |
| description | The security automation description. | string |
| isEnabled | Indicates whether the security automation is enabled. | bool |
| scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
| sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |

AutomationAction

| Name | Description | Value |
| --- | --- | --- |
| actionType | Set the object type | EventHub, LogicApp, Workspace |

AutomationActionEventHub

| Name | Description | Value |
| --- | --- | --- |
| actionType | The type of the action that will be triggered by the Automation | 'EventHub' |
| connectionString | The target Event Hub connection string (it will not be included in any response). | string |
| eventHubResourceId | The target Event Hub Azure Resource ID. | string |

AutomationActionLogicApp

| Name | Description | Value |
| --- | --- | --- |
| actionType | The type of the action that will be triggered by the Automation | 'LogicApp' |
| logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
| uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |

AutomationActionWorkspace

| Name | Description | Value |
| --- | --- | --- |
| actionType | The type of the action that will be triggered by the Automation | 'Workspace' |
| workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |

AutomationScope

| Name | Description | Value |
| --- | --- | --- |
| description | The resources scope description. | string |
| scopePath | The resources scope path. Can be the subscription on which the automation is defined or a resource group under that subscription (fully qualified Azure resource IDs). | string |

AutomationSource

| Name | Description | Value |
| --- | --- | --- |
| eventSource | A valid event source type. | 'Alerts', 'Assessments', 'RegulatoryComplianceAssessment', 'RegulatoryComplianceAssessmentSnapshot', 'SecureScoreControls', 'SecureScoreControlsSnapshot', 'SecureScores', 'SecureScoresSnapshot', 'SubAssessments' |
| ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |

AutomationRuleSet

| Name | Description | Value |
| --- | --- | --- |
| rules | Array of AutomationTriggeringRule | AutomationTriggeringRule[] |

AutomationTriggeringRule

| Name | Description | Value |
| --- | --- | --- |
| expectedValue | The expected value. | string |
| operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains', 'EndsWith', 'Equals', 'GreaterThan', 'GreaterThanOrEqualTo', 'LesserThan', 'LesserThanOrEqualTo', 'NotEquals', 'StartsWith' |
| propertyJPath | The JPath of the entity model property that should be checked. | string |
| propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean', 'Integer', 'Number', 'String' |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create A Security Automation for specific Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by a specific Security Center Alert |
| Create A Security Automation for all Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by any Security Center Alert |
| Create A Security Automation for any Recommendation | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by any Security Center Recommendation and state |
| Create A Security Automation for a Recommendation | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by a specific Security Center Recommendation and unhealthy state |