Редактиране

Споделяне чрез


Microsoft Sentinel automation rules reference

This article contains reference information about the configuration of automation rules and the supported conditions and properties.

To learn more about automation rules, see Automate threat response in Microsoft Sentinel with automation rules.

For instructions on creating, managing, and using automation rules, see Create and use Microsoft Sentinel automation rules to manage response.

Supported entity properties

The following entities and entity properties can be used as conditions for automation rules:

This table shows the entity properties supported in the automation rules API. These are the entity properties whose values you can set as conditions for triggering an automation rule.

For the full list of supported properties, which includes incident properties, see Automation rule property condition supported properties in the Automation rules API documentation.

Name (in API) Type Description
AccountAadTenantId string The account Microsoft Entra ID tenant ID
AccountAadUserId string The account Microsoft Entra ID user ID
AccountName string The account name
AccountNTDomain string The account NetBIOS domain name
AccountPUID string The account Microsoft Entra ID Passport User ID
AccountSid string The account security identifier
AccountObjectGuid string The account object unique identifier
AccountUPNSuffix string The account user principal name suffix
AzureResourceResourceId string The Azure resource ID
AzureResourceSubscriptionId string The Azure resource subscription ID
CloudApplicationAppId string The cloud application identifier
CloudApplicationAppName string The cloud application name
DNSDomainName string The dns record domain name
FileDirectory string The file directory full path
FileName string The file name without path
FileHashValue string The file hash value
HostAzureID string The host Azure resource ID
HostName string The host name without domain
HostNetBiosName string The host NetBIOS name
HostNTDomain string The host NT domain
HostOSVersion string The host operating system
IoTDeviceId string The IoT device ID
IoTDeviceName string The IoT device name
IoTDeviceType string The IoT device type
IoTDeviceVendor string The IoT device vendor
IoTDeviceModel string The IoT device model
IoTDeviceOperatingSystem string The IoT device operating system
IPAddress string The IP address
MailboxDisplayName string The mailbox display name
MailboxPrimaryAddress string The mailbox primary address
MailboxUPN string The mailbox user principal name
MailMessageDeliveryAction string The mail message delivery action
MailMessageDeliveryLocation string The mail message delivery location
MailMessageRecipient string The mail message recipient
MailMessageSenderIP string The mail message sender IP address
MailMessageSubject string The mail message subject
MailMessageP1Sender string The mail message P1 sender (delegated sender)
MailMessageP2Sender string The mail message P2 sender (original sender)
MalwareCategory string The malware category
MalwareName string The malware name
ProcessCommandLine string The process execution command line
ProcessId string The process ID
RegistryKey string The registry key path
RegistryValueData string The registry key value in string formatted representation
Url string The url