Microsoft.SecurityInsights automationRules 2022-11-01-preview
Bicep resource definition
The automationRules resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/automationRules resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/automationRules@2022-11-01-preview' = {
name: 'string'
scope: resourceSymbolicName
etag: 'string'
properties: {
actions: [
{
order: int
actionType: 'string'
// For remaining properties, see AutomationRuleAction objects
}
]
displayName: 'string'
order: int
triggeringLogic: {
conditions: [
{
conditionType: 'string'
// For remaining properties, see AutomationRuleCondition objects
}
]
expirationTimeUtc: 'string'
isEnabled: bool
triggersOn: 'string'
triggersWhen: 'string'
}
}
}
AutomationRuleAction objects
Set the actionType property to specify the type of object.
For ModifyProperties, use:
actionType: 'ModifyProperties'
actionConfiguration: {
classification: 'string'
classificationComment: 'string'
classificationReason: 'string'
labels: [
{
labelName: 'string'
}
]
owner: {
assignedTo: 'string'
email: 'string'
objectId: 'string'
ownerType: 'string'
userPrincipalName: 'string'
}
severity: 'string'
status: 'string'
}
For RunPlaybook, use:
actionType: 'RunPlaybook'
actionConfiguration: {
logicAppResourceId: 'string'
tenantId: 'string'
}
AutomationRuleCondition objects
Set the conditionType property to specify the type of object.
For Boolean, use:
conditionType: 'Boolean'
conditionProperties: {
innerConditions: [
{
conditionType: 'string'
// For remaining properties, see AutomationRuleCondition objects
}
]
operator: 'string'
}
For Property, use:
conditionType: 'Property'
conditionProperties: {
operator: 'string'
propertyName: 'string'
propertyValues: [
'string'
]
}
For PropertyArray, use:
conditionType: 'PropertyArray'
conditionProperties: {
arrayConditionType: 'AnyItem'
arrayType: 'string'
itemConditions: [
{
conditionType: 'string'
// For remaining properties, see AutomationRuleCondition objects
}
]
}
For PropertyArrayChanged, use:
conditionType: 'PropertyArrayChanged'
conditionProperties: {
arrayType: 'string'
changeType: 'Added'
}
For PropertyChanged, use:
conditionType: 'PropertyChanged'
conditionProperties: {
changeType: 'string'
operator: 'string'
propertyName: 'string'
propertyValues: [
'string'
]
}
Property values
automationRules
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For Bicep, set this property to the symbolic name of the resource to apply the extension resource. |
etag | Etag of the azure resource | string |
properties | Automation rule properties | AutomationRuleProperties (required) |
AutomationRuleProperties
Name | Description | Value |
---|---|---|
actions | The actions to execute when the automation rule is triggered. | AutomationRuleAction[] (required) |
displayName | The display name of the automation rule. | string (required) |
order | The order of execution of the automation rule. | int (required) |
triggeringLogic | Describes automation rule triggering logic. | AutomationRuleTriggeringLogic (required) |
AutomationRuleAction
Name | Description | Value |
---|---|---|
order | | int (required) |
actionType | Set the object type | ModifyProperties RunPlaybook (required) |
AutomationRuleModifyPropertiesAction
Name | Description | Value |
---|---|---|
actionType | The type of the automation rule action. | 'ModifyProperties' (required) |
actionConfiguration | | IncidentPropertiesAction |
IncidentPropertiesAction
Name | Description | Value |
---|---|---|
classification | The reason the incident was closed | 'BenignPositive' 'FalsePositive' 'TruePositive' 'Undetermined' |
classificationComment | Describes the reason the incident was closed. | string |
classificationReason | The classification reason the incident was closed with | 'InaccurateData' 'IncorrectAlertLogic' 'SuspiciousActivity' 'SuspiciousButExpected' |
labels | List of labels to add to the incident. | IncidentLabel[] |
owner | Information on the user an incident is assigned to | IncidentOwnerInfo |
severity | The severity of the incident | 'High' 'Informational' 'Low' 'Medium' |
status | The status of the incident | 'Active' 'Closed' 'New' |
IncidentLabel
Name | Description | Value |
---|---|---|
labelName | The name of the label | string (required) |
IncidentOwnerInfo
Name | Description | Value |
---|---|---|
assignedTo | The name of the user the incident is assigned to. | string |
email | The email of the user the incident is assigned to. | string |
objectId | The object id of the user the incident is assigned to. | string |
ownerType | The type of the owner the incident is assigned to. | 'Group' 'Unknown' 'User' |
userPrincipalName | The user principal name of the user the incident is assigned to. | string |
AutomationRuleRunPlaybookAction
Name | Description | Value |
---|---|---|
actionType | The type of the automation rule action. | 'RunPlaybook' (required) |
actionConfiguration | | PlaybookActionProperties |
PlaybookActionProperties
Name | Description | Value |
---|---|---|
logicAppResourceId | The resource id of the playbook resource. | string |
tenantId | The tenant id of the playbook resource. | string |
AutomationRuleTriggeringLogic
Name | Description | Value |
---|---|---|
conditions | The conditions to evaluate to determine if the automation rule should be triggered on a given object. | AutomationRuleCondition[] |
expirationTimeUtc | Determines when the automation rule should automatically expire and be disabled. | string |
isEnabled | Determines whether the automation rule is enabled or disabled. | bool (required) |
triggersOn | | 'Alerts' 'Incidents' (required) |
triggersWhen | | 'Created' 'Updated' (required) |
AutomationRuleCondition
Name | Description | Value |
---|---|---|
conditionType | Set the object type | Boolean Property PropertyArray PropertyArrayChanged PropertyChanged (required) |
BooleanConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'Boolean' (required) |
conditionProperties | | AutomationRuleBooleanCondition |
AutomationRuleBooleanCondition
Name | Description | Value |
---|---|---|
innerConditions | | AutomationRuleCondition[] |
operator | | 'And' 'Or' |
PropertyConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'Property' (required) |
conditionProperties | | AutomationRulePropertyValuesCondition |
AutomationRulePropertyValuesCondition
Name | Description | Value |
---|---|---|
operator | | 'Contains' 'EndsWith' 'Equals' 'NotContains' 'NotEndsWith' 'NotEquals' 'NotStartsWith' 'StartsWith' |
propertyName | The property to evaluate in an automation rule property condition. | 'AccountAadTenantId' 'AccountAadUserId' 'AccountNTDomain' 'AccountName' 'AccountObjectGuid' 'AccountPUID' 'AccountSid' 'AccountUPNSuffix' 'AlertAnalyticRuleIds' 'AlertProductNames' 'AzureResourceResourceId' 'AzureResourceSubscriptionId' 'CloudApplicationAppId' 'CloudApplicationAppName' 'DNSDomainName' 'FileDirectory' 'FileHashValue' 'FileName' 'HostAzureID' 'HostNTDomain' 'HostName' 'HostNetBiosName' 'HostOSVersion' 'IPAddress' 'IncidentCustomDetailsKey' 'IncidentCustomDetailsValue' 'IncidentDescription' 'IncidentLabel' 'IncidentProviderName' 'IncidentRelatedAnalyticRuleIds' 'IncidentSeverity' 'IncidentStatus' 'IncidentTactics' 'IncidentTitle' 'IncidentUpdatedBySource' 'IoTDeviceId' 'IoTDeviceModel' 'IoTDeviceName' 'IoTDeviceOperatingSystem' 'IoTDeviceType' 'IoTDeviceVendor' 'MailMessageDeliveryAction' 'MailMessageDeliveryLocation' 'MailMessageP1Sender' 'MailMessageP2Sender' 'MailMessageRecipient' 'MailMessageSenderIP' 'MailMessageSubject' 'MailboxDisplayName' 'MailboxPrimaryAddress' 'MailboxUPN' 'MalwareCategory' 'MalwareName' 'ProcessCommandLine' 'ProcessId' 'RegistryKey' 'RegistryValueData' 'Url' |
propertyValues | | string[] |
PropertyArrayConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'PropertyArray' (required) |
conditionProperties | | AutomationRulePropertyArrayValuesCondition |
AutomationRulePropertyArrayValuesCondition
Name | Description | Value |
---|---|---|
arrayConditionType | | 'AnyItem' |
arrayType | | 'CustomDetailValues' 'CustomDetails' |
itemConditions | | AutomationRuleCondition[] |
PropertyArrayChangedConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'PropertyArrayChanged' (required) |
conditionProperties | | AutomationRulePropertyArrayChangedValuesCondition |
AutomationRulePropertyArrayChangedValuesCondition
Name | Description | Value |
---|---|---|
arrayType | | 'Alerts' 'Comments' 'Labels' 'Tactics' |
changeType | | 'Added' |
PropertyChangedConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'PropertyChanged' (required) |
conditionProperties | | AutomationRulePropertyValuesChangedCondition |
AutomationRulePropertyValuesChangedCondition
Name | Description | Value |
---|---|---|
changeType | | 'ChangedFrom' 'ChangedTo' |
operator | | 'Contains' 'EndsWith' 'Equals' 'NotContains' 'NotEndsWith' 'NotEquals' 'NotStartsWith' 'StartsWith' |
propertyName | | 'IncidentOwner' 'IncidentSeverity' 'IncidentStatus' |
propertyValues | | string[] |
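The fragments above show the schema one property at a time. The following complete Bicep template is an added example (not from this reference page and not a Microsoft sample) that puts the pieces together: one rule fires when a high-severity incident is created, sets its status and owner, adds a label and runs a playbook; a second rule fires on update when the status changes to Closed and labels the incident. The parameters workspaceName, playbookResourceId, ownerObjectId and ownerUpn, the rule display names and the label names are assumptions chosen for the example.

```bicep
// Added example; not from the Microsoft reference page. All parameter names,
// display names and label names below are assumptions chosen for illustration.
param workspaceName string        // existing Log Analytics workspace with Sentinel enabled
param playbookResourceId string   // resource id of an existing Logic App (playbook)
param ownerObjectId string        // AAD object id of the analyst to assign
param ownerUpn string             // UPN of that analyst

// The automation rule is an extension resource, so it is scoped to the workspace.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Rule 1: new high-severity incident -> set owner/status, label it, run a playbook.
resource triageRule 'Microsoft.SecurityInsights/automationRules@2022-11-01-preview' = {
  name: guid(workspace.id, 'triage-high-severity')   // rule names are GUIDs; derived deterministically
  scope: workspace
  properties: {
    displayName: 'Triage high-severity incidents'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        {
          // Boolean condition combining two Property conditions with And.
          conditionType: 'Boolean'
          conditionProperties: {
            operator: 'And'
            innerConditions: [
              {
                conditionType: 'Property'
                conditionProperties: {
                  propertyName: 'IncidentSeverity'
                  operator: 'Equals'
                  propertyValues: ['High']
                }
              }
              {
                conditionType: 'Property'
                conditionProperties: {
                  propertyName: 'IncidentTitle'
                  operator: 'Contains'
                  propertyValues: ['sign-in']   // constructed sample value
                }
              }
            ]
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          status: 'Active'
          labels: [{ labelName: 'needs-triage' }]
          owner: {
            ownerType: 'User'
            objectId: ownerObjectId
            userPrincipalName: ownerUpn
          }
        }
      }
      {
        order: 2
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbookResourceId
          tenantId: tenant().tenantId   // playbook lives in the deploying tenant
        }
      }
    ]
  }
}

// Rule 2: on update, when status changes to Closed and severity is High, add a label.
resource closureRule 'Microsoft.SecurityInsights/automationRules@2022-11-01-preview' = {
  name: guid(workspace.id, 'label-closed-high-severity')
  scope: workspace
  properties: {
    displayName: 'Label high-severity incidents when closed'
    order: 2
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Updated'
      conditions: [
        {
          conditionType: 'PropertyChanged'
          conditionProperties: {
            propertyName: 'IncidentStatus'
            changeType: 'ChangedTo'
            operator: 'Equals'
            propertyValues: ['Closed']
          }
        }
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentSeverity'
            operator: 'Equals'
            propertyValues: ['High']
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          labels: [{ labelName: 'closed-high-severity' }]
        }
      }
    ]
  }
}
```

Deploy with az deployment group create against the resource group that holds the workspace, passing the four parameters. Note that the RunPlaybook action only succeeds at run time if Microsoft Sentinel has been granted permission to run the playbook; that role assignment is outside this template and outside this reference page.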
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Creates a new Microsoft Sentinel Automation Rule | This sample shows how to create a new automation rule in Microsoft Sentinel |
ARM template resource definition
The automationRules resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/automationRules resource, add the following JSON to your template.
{
"type": "Microsoft.SecurityInsights/automationRules",
"apiVersion": "2022-11-01-preview",
"name": "string",
"scope": "string",
"etag": "string",
"properties": {
"actions": [
{
"order": "int",
"actionType": "string"
// For remaining properties, see AutomationRuleAction objects
}
],
"displayName": "string",
"order": "int",
"triggeringLogic": {
"conditions": [
{
"conditionType": "string"
// For remaining properties, see AutomationRuleCondition objects
}
],
"expirationTimeUtc": "string",
"isEnabled": "bool",
"triggersOn": "string",
"triggersWhen": "string"
}
}
}
AutomationRuleAction objects
Set the actionType property to specify the type of object.
For ModifyProperties, use:
"actionType": "ModifyProperties",
"actionConfiguration": {
"classification": "string",
"classificationComment": "string",
"classificationReason": "string",
"labels": [
{
"labelName": "string"
}
],
"owner": {
"assignedTo": "string",
"email": "string",
"objectId": "string",
"ownerType": "string",
"userPrincipalName": "string"
},
"severity": "string",
"status": "string"
}
For RunPlaybook, use:
"actionType": "RunPlaybook",
"actionConfiguration": {
"logicAppResourceId": "string",
"tenantId": "string"
}
AutomationRuleCondition objects
Set the conditionType property to specify the type of object.
For Boolean, use:
"conditionType": "Boolean",
"conditionProperties": {
"innerConditions": [
{
"conditionType": "string"
// For remaining properties, see AutomationRuleCondition objects
}
],
"operator": "string"
}
For Property, use:
"conditionType": "Property",
"conditionProperties": {
"operator": "string",
"propertyName": "string",
"propertyValues": [ "string" ]
}
For PropertyArray, use:
"conditionType": "PropertyArray",
"conditionProperties": {
"arrayConditionType": "AnyItem",
"arrayType": "string",
"itemConditions": [
{
"conditionType": "string"
// For remaining properties, see AutomationRuleCondition objects
}
]
}
For PropertyArrayChanged, use:
"conditionType": "PropertyArrayChanged",
"conditionProperties": {
"arrayType": "string",
"changeType": "Added"
}
For PropertyChanged, use:
"conditionType": "PropertyChanged",
"conditionProperties": {
"changeType": "string",
"operator": "string",
"propertyName": "string",
"propertyValues": [ "string" ]
}
Property values
automationRules
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.SecurityInsights/automationRules' |
apiVersion | The resource api version | '2022-11-01-preview' |
name | The resource name | string (required) |
scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For JSON, set the value to the full name of the resource to apply the extension resource to. |
etag | Etag of the azure resource | string |
properties | Automation rule properties | AutomationRuleProperties (required) |
AutomationRuleProperties
Name | Description | Value |
---|---|---|
actions | The actions to execute when the automation rule is triggered. | AutomationRuleAction[] (required) |
displayName | The display name of the automation rule. | string (required) |
order | The order of execution of the automation rule. | int (required) |
triggeringLogic | Describes automation rule triggering logic. | AutomationRuleTriggeringLogic (required) |
AutomationRuleAction
Name | Description | Value |
---|---|---|
order | | int (required) |
actionType | Set the object type | ModifyProperties RunPlaybook (required) |
AutomationRuleModifyPropertiesAction
Name | Description | Value |
---|---|---|
actionType | The type of the automation rule action. | 'ModifyProperties' (required) |
actionConfiguration | | IncidentPropertiesAction |
IncidentPropertiesAction
Name | Description | Value |
---|---|---|
classification | The reason the incident was closed | 'BenignPositive' 'FalsePositive' 'TruePositive' 'Undetermined' |
classificationComment | Describes the reason the incident was closed. | string |
classificationReason | The classification reason the incident was closed with | 'InaccurateData' 'IncorrectAlertLogic' 'SuspiciousActivity' 'SuspiciousButExpected' |
labels | List of labels to add to the incident. | IncidentLabel[] |
owner | Information on the user an incident is assigned to | IncidentOwnerInfo |
severity | The severity of the incident | 'High' 'Informational' 'Low' 'Medium' |
status | The status of the incident | 'Active' 'Closed' 'New' |
IncidentLabel
Name | Description | Value |
---|---|---|
labelName | The name of the label | string (required) |
IncidentOwnerInfo
Name | Description | Value |
---|---|---|
assignedTo | The name of the user the incident is assigned to. | string |
email | The email of the user the incident is assigned to. | string |
objectId | The object id of the user the incident is assigned to. | string |
ownerType | The type of the owner the incident is assigned to. | 'Group' 'Unknown' 'User' |
userPrincipalName | The user principal name of the user the incident is assigned to. | string |
AutomationRuleRunPlaybookAction
Name | Description | Value |
---|---|---|
actionType | The type of the automation rule action. | 'RunPlaybook' (required) |
actionConfiguration | | PlaybookActionProperties |
PlaybookActionProperties
Name | Description | Value |
---|---|---|
logicAppResourceId | The resource id of the playbook resource. | string |
tenantId | The tenant id of the playbook resource. | string |
AutomationRuleTriggeringLogic
Name | Description | Value |
---|---|---|
conditions | The conditions to evaluate to determine if the automation rule should be triggered on a given object. | AutomationRuleCondition[] |
expirationTimeUtc | Determines when the automation rule should automatically expire and be disabled. | string |
isEnabled | Determines whether the automation rule is enabled or disabled. | bool (required) |
triggersOn | | 'Alerts' 'Incidents' (required) |
triggersWhen | | 'Created' 'Updated' (required) |
AutomationRuleCondition
Name | Description | Value |
---|---|---|
conditionType | Set the object type | Boolean Property PropertyArray PropertyArrayChanged PropertyChanged (required) |
BooleanConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'Boolean' (required) |
conditionProperties | | AutomationRuleBooleanCondition |
AutomationRuleBooleanCondition
Name | Description | Value |
---|---|---|
innerConditions | | AutomationRuleCondition[] |
operator | | 'And' 'Or' |
PropertyConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'Property' (required) |
conditionProperties | | AutomationRulePropertyValuesCondition |
AutomationRulePropertyValuesCondition
Name | Description | Value |
---|---|---|
operator | | 'Contains' 'EndsWith' 'Equals' 'NotContains' 'NotEndsWith' 'NotEquals' 'NotStartsWith' 'StartsWith' |
propertyName | The property to evaluate in an automation rule property condition. | 'AccountAadTenantId' 'AccountAadUserId' 'AccountNTDomain' 'AccountName' 'AccountObjectGuid' 'AccountPUID' 'AccountSid' 'AccountUPNSuffix' 'AlertAnalyticRuleIds' 'AlertProductNames' 'AzureResourceResourceId' 'AzureResourceSubscriptionId' 'CloudApplicationAppId' 'CloudApplicationAppName' 'DNSDomainName' 'FileDirectory' 'FileHashValue' 'FileName' 'HostAzureID' 'HostNTDomain' 'HostName' 'HostNetBiosName' 'HostOSVersion' 'IPAddress' 'IncidentCustomDetailsKey' 'IncidentCustomDetailsValue' 'IncidentDescription' 'IncidentLabel' 'IncidentProviderName' 'IncidentRelatedAnalyticRuleIds' 'IncidentSeverity' 'IncidentStatus' 'IncidentTactics' 'IncidentTitle' 'IncidentUpdatedBySource' 'IoTDeviceId' 'IoTDeviceModel' 'IoTDeviceName' 'IoTDeviceOperatingSystem' 'IoTDeviceType' 'IoTDeviceVendor' 'MailMessageDeliveryAction' 'MailMessageDeliveryLocation' 'MailMessageP1Sender' 'MailMessageP2Sender' 'MailMessageRecipient' 'MailMessageSenderIP' 'MailMessageSubject' 'MailboxDisplayName' 'MailboxPrimaryAddress' 'MailboxUPN' 'MalwareCategory' 'MalwareName' 'ProcessCommandLine' 'ProcessId' 'RegistryKey' 'RegistryValueData' 'Url' |
propertyValues | | string[] |
PropertyArrayConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'PropertyArray' (required) |
conditionProperties | | AutomationRulePropertyArrayValuesCondition |
AutomationRulePropertyArrayValuesCondition
Name | Description | Value |
---|---|---|
arrayConditionType | | 'AnyItem' |
arrayType | | 'CustomDetailValues' 'CustomDetails' |
itemConditions | | AutomationRuleCondition[] |
PropertyArrayChangedConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'PropertyArrayChanged' (required) |
conditionProperties | | AutomationRulePropertyArrayChangedValuesCondition |
AutomationRulePropertyArrayChangedValuesCondition
Name | Description | Value |
---|---|---|
arrayType | | 'Alerts' 'Comments' 'Labels' 'Tactics' |
changeType | | 'Added' |
PropertyChangedConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | 'PropertyChanged' (required) |
conditionProperties | | AutomationRulePropertyValuesChangedCondition |
AutomationRulePropertyValuesChangedCondition
Name | Description | Value |
---|---|---|
changeType | | 'ChangedFrom' 'ChangedTo' |
operator | | 'Contains' 'EndsWith' 'Equals' 'NotContains' 'NotEndsWith' 'NotEquals' 'NotStartsWith' 'StartsWith' |
propertyName | | 'IncidentOwner' 'IncidentSeverity' 'IncidentStatus' |
propertyValues | | string[] |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Creates a new Microsoft Sentinel Automation Rule | This sample shows how to create a new automation rule in Microsoft Sentinel |
Terraform (AzAPI provider) resource definition
The automationRules resource type is an extension resource, which means you can apply it to another resource.
Use the parent_id property on this resource to set the scope for this resource.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/automationRules resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.SecurityInsights/automationRules@2022-11-01-preview"
name = "string"
parent_id = "string"
body = jsonencode({
properties = {
actions = [
{
order = int
actionType = "string"
// For remaining properties, see AutomationRuleAction objects
}
]
displayName = "string"
order = int
triggeringLogic = {
conditions = [
{
conditionType = "string"
// For remaining properties, see AutomationRuleCondition objects
}
]
expirationTimeUtc = "string"
isEnabled = bool
triggersOn = "string"
triggersWhen = "string"
}
}
etag = "string"
})
}
AutomationRuleAction objects
Set the actionType property to specify the type of object.
For ModifyProperties, use:
actionType = "ModifyProperties"
actionConfiguration = {
classification = "string"
classificationComment = "string"
classificationReason = "string"
labels = [
{
labelName = "string"
}
]
owner = {
assignedTo = "string"
email = "string"
objectId = "string"
ownerType = "string"
userPrincipalName = "string"
}
severity = "string"
status = "string"
}
For RunPlaybook, use:
actionType = "RunPlaybook"
actionConfiguration = {
logicAppResourceId = "string"
tenantId = "string"
}
AutomationRuleCondition objects
Set the conditionType property to specify the type of object.
For Boolean, use:
conditionType = "Boolean"
conditionProperties = {
innerConditions = [
{
conditionType = "string"
// For remaining properties, see AutomationRuleCondition objects
}
]
operator = "string"
}
For Property, use:
conditionType = "Property"
conditionProperties = {
operator = "string"
propertyName = "string"
propertyValues = [
"string"
]
}
For PropertyArray, use:
conditionType = "PropertyArray"
conditionProperties = {
arrayConditionType = "AnyItem"
arrayType = "string"
itemConditions = [
{
conditionType = "string"
// For remaining properties, see AutomationRuleCondition objects
}
]
}
For PropertyArrayChanged, use:
conditionType = "PropertyArrayChanged"
conditionProperties = {
arrayType = "string"
changeType = "Added"
}
For PropertyChanged, use:
conditionType = "PropertyChanged"
conditionProperties = {
changeType = "string"
operator = "string"
propertyName = "string"
propertyValues = [
"string"
]
}
Property values
automationRules
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.SecurityInsights/automationRules@2022-11-01-preview" |
name | The resource name | string (required) |
parent_id | The ID of the resource to apply this extension resource to. | string (required) |
etag | Etag of the azure resource | string |
properties | Automation rule properties | AutomationRuleProperties (required) |
AutomationRuleProperties
Name | Description | Value |
---|---|---|
actions | The actions to execute when the automation rule is triggered. | AutomationRuleAction[] (required) |
displayName | The display name of the automation rule. | string (required) |
order | The order of execution of the automation rule. | int (required) |
triggeringLogic | Describes automation rule triggering logic. | AutomationRuleTriggeringLogic (required) |
AutomationRuleAction
Name | Description | Value |
---|---|---|
order | | int (required) |
actionType | Set the object type | ModifyProperties RunPlaybook (required) |
AutomationRuleModifyPropertiesAction
Name | Description | Value |
---|---|---|
actionType | The type of the automation rule action. | "ModifyProperties" (required) |
actionConfiguration | | IncidentPropertiesAction |
IncidentPropertiesAction
Name | Description | Value |
---|---|---|
classification | The reason the incident was closed | "BenignPositive" "FalsePositive" "TruePositive" "Undetermined" |
classificationComment | Describes the reason the incident was closed. | string |
classificationReason | The classification reason the incident was closed with | "InaccurateData" "IncorrectAlertLogic" "SuspiciousActivity" "SuspiciousButExpected" |
labels | List of labels to add to the incident. | IncidentLabel[] |
owner | Information on the user an incident is assigned to | IncidentOwnerInfo |
severity | The severity of the incident | "High" "Informational" "Low" "Medium" |
status | The status of the incident | "Active" "Closed" "New" |
IncidentLabel
Name | Description | Value |
---|---|---|
labelName | The name of the label | string (required) |
IncidentOwnerInfo
Name | Description | Value |
---|---|---|
assignedTo | The name of the user the incident is assigned to. | string |
email | The email of the user the incident is assigned to. | string |
objectId | The object id of the user the incident is assigned to. | string |
ownerType | The type of the owner the incident is assigned to. | "Group" "Unknown" "User" |
userPrincipalName | The user principal name of the user the incident is assigned to. | string |
AutomationRuleRunPlaybookAction
Name | Description | Value |
---|---|---|
actionType | The type of the automation rule action. | "RunPlaybook" (required) |
actionConfiguration | | PlaybookActionProperties |
PlaybookActionProperties
Name | Description | Value |
---|---|---|
logicAppResourceId | The resource id of the playbook resource. | string |
tenantId | The tenant id of the playbook resource. | string |
AutomationRuleTriggeringLogic
Name | Description | Value |
---|---|---|
conditions | The conditions to evaluate to determine if the automation rule should be triggered on a given object. | AutomationRuleCondition[] |
expirationTimeUtc | Determines when the automation rule should automatically expire and be disabled. | string |
isEnabled | Determines whether the automation rule is enabled or disabled. | bool (required) |
triggersOn | | "Alerts" "Incidents" (required) |
triggersWhen | | "Created" "Updated" (required) |
AutomationRuleCondition
Name | Description | Value |
---|---|---|
conditionType | Set the object type | Boolean Property PropertyArray PropertyArrayChanged PropertyChanged (required) |
BooleanConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | "Boolean" (required) |
conditionProperties | | AutomationRuleBooleanCondition |
AutomationRuleBooleanCondition
Name | Description | Value |
---|---|---|
innerConditions | | AutomationRuleCondition[] |
operator | | "And" "Or" |
PropertyConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | "Property" (required) |
conditionProperties | | AutomationRulePropertyValuesCondition |
AutomationRulePropertyValuesCondition
Name | Description | Value |
---|---|---|
operator | | "Contains" "EndsWith" "Equals" "NotContains" "NotEndsWith" "NotEquals" "NotStartsWith" "StartsWith" |
propertyName | The property to evaluate in an automation rule property condition. | "AccountAadTenantId" "AccountAadUserId" "AccountNTDomain" "AccountName" "AccountObjectGuid" "AccountPUID" "AccountSid" "AccountUPNSuffix" "AlertAnalyticRuleIds" "AlertProductNames" "AzureResourceResourceId" "AzureResourceSubscriptionId" "CloudApplicationAppId" "CloudApplicationAppName" "DNSDomainName" "FileDirectory" "FileHashValue" "FileName" "HostAzureID" "HostNTDomain" "HostName" "HostNetBiosName" "HostOSVersion" "IPAddress" "IncidentCustomDetailsKey" "IncidentCustomDetailsValue" "IncidentDescription" "IncidentLabel" "IncidentProviderName" "IncidentRelatedAnalyticRuleIds" "IncidentSeverity" "IncidentStatus" "IncidentTactics" "IncidentTitle" "IncidentUpdatedBySource" "IoTDeviceId" "IoTDeviceModel" "IoTDeviceName" "IoTDeviceOperatingSystem" "IoTDeviceType" "IoTDeviceVendor" "MailMessageDeliveryAction" "MailMessageDeliveryLocation" "MailMessageP1Sender" "MailMessageP2Sender" "MailMessageRecipient" "MailMessageSenderIP" "MailMessageSubject" "MailboxDisplayName" "MailboxPrimaryAddress" "MailboxUPN" "MalwareCategory" "MalwareName" "ProcessCommandLine" "ProcessId" "RegistryKey" "RegistryValueData" "Url" |
propertyValues | | string[] |
PropertyArrayConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | "PropertyArray" (required) |
conditionProperties | | AutomationRulePropertyArrayValuesCondition |
AutomationRulePropertyArrayValuesCondition
Name | Description | Value |
---|---|---|
arrayConditionType | | "AnyItem" |
arrayType | | "CustomDetailValues" "CustomDetails" |
itemConditions | | AutomationRuleCondition[] |
PropertyArrayChangedConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | "PropertyArrayChanged" (required) |
conditionProperties | | AutomationRulePropertyArrayChangedValuesCondition |
AutomationRulePropertyArrayChangedValuesCondition
Name | Description | Value |
---|---|---|
arrayType | | "Alerts" "Comments" "Labels" "Tactics" |
changeType | | "Added" |
PropertyChangedConditionProperties
Name | Description | Value |
---|---|---|
conditionType | | "PropertyChanged" (required) |
conditionProperties | | AutomationRulePropertyValuesChangedCondition |
AutomationRulePropertyValuesChangedCondition
Name | Description | Value |
---|---|---|
changeType | | "ChangedFrom" "ChangedTo" |
operator | | "Contains" "EndsWith" "Equals" "NotContains" "NotEndsWith" "NotEquals" "NotStartsWith" "StartsWith" |
propertyName | | "IncidentOwner" "IncidentSeverity" "IncidentStatus" |
propertyValues | | string[] |