Bicep resource definition
The automations resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Security/automations resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Security/automations@2023-12-01-preview' = {
  etag: 'string'
  kind: 'string'
  location: 'string'
  name: 'string'
  properties: {
    actions: [
      {
        actionType: 'string'
        // For remaining properties, see AutomationAction objects
      }
    ]
    description: 'string'
    isEnabled: bool
    scopes: [
      {
        description: 'string'
        scopePath: 'string'
      }
    ]
    sources: [
      {
        eventSource: 'string'
        ruleSets: [
          {
            rules: [
              {
                expectedValue: 'string'
                operator: 'string'
                propertyJPath: 'string'
                propertyType: 'string'
              }
            ]
          }
        ]
      }
    ]
  }
  tags: {
    {customized property}: 'string'
  }
}
```
AutomationAction objects
Set the actionType property to specify the type of object.
For EventHub, use:
```bicep
{
  actionType: 'EventHub'
  connectionString: 'string'
  eventHubResourceId: 'string'
  isTrustedServiceEnabled: bool
}
```
For LogicApp, use:
```bicep
{
  actionType: 'LogicApp'
  logicAppResourceId: 'string'
  uri: 'string'
}
```
For Workspace, use:
```bicep
{
  actionType: 'Workspace'
  workspaceResourceId: 'string'
}
```
Property Values
Microsoft.Security/automations
| Name | Description | Value |
|---|---|---|
| etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
| kind | Kind of the resource | string |
| location | Location where the resource is stored | string |
| name | The resource name | string (required) |
| properties | Security automation data | AutomationProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
AutomationAction
| Name | Description | Value |
|---|---|---|
| actionType | Set to 'EventHub' for type AutomationActionEventHub. Set to 'LogicApp' for type AutomationActionLogicApp. Set to 'Workspace' for type AutomationActionWorkspace. | 'EventHub' 'LogicApp' 'Workspace' (required) |
AutomationActionEventHub
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'EventHub' (required) |
| connectionString | The target Event Hub connection string (it will not be included in any response). | string |
| eventHubResourceId | The target Event Hub Azure Resource ID. | string |
| isTrustedServiceEnabled | Indicates whether the trusted service is enabled or not. | bool |
AutomationActionLogicApp
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'LogicApp' (required) |
| logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
| uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |
AutomationActionWorkspace
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'Workspace' (required) |
| workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |
AutomationProperties
| Name | Description | Value |
|---|---|---|
| actions | A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true. | AutomationAction[] |
| description | The security automation description. | string |
| isEnabled | Indicates whether the security automation is enabled. | bool |
| scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
| sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |
AutomationRuleSet
| Name | Description | Value |
|---|---|---|
| rules | | AutomationTriggeringRule[] |
AutomationScope
| Name | Description | Value |
|---|---|---|
| description | The resources scope description. | string |
| scopePath | The resources scope path. Can be the subscription on which the automation is defined on or a resource group under that subscription (fully qualified Azure resource IDs). | string |
AutomationSource
| Name | Description | Value |
|---|---|---|
| eventSource | A valid event source type. | 'Alerts' 'Assessments' 'AssessmentsSnapshot' 'AttackPaths' 'AttackPathsSnapshot' 'RegulatoryComplianceAssessment' 'RegulatoryComplianceAssessmentSnapshot' 'SecureScoreControls' 'SecureScoreControlsSnapshot' 'SecureScores' 'SecureScoresSnapshot' 'SubAssessments' 'SubAssessmentsSnapshot' |
| ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |
AutomationTriggeringRule
| Name | Description | Value |
|---|---|---|
| expectedValue | The expected value. | string |
| operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains' 'EndsWith' 'Equals' 'GreaterThan' 'GreaterThanOrEqualTo' 'LesserThan' 'LesserThanOrEqualTo' 'NotEquals' 'StartsWith' |
| propertyJPath | The JPath of the entity model property that should be checked. | string |
| propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean' 'Integer' 'Number' 'String' |
Tags
| Name | Description | Value |
|---|---|---|
Usage Examples
Bicep Samples
A basic example of deploying Security Center Automation and Continuous Export.
```bicep
param resourceName string = 'acctest0001'
param location string = 'westeurope'

resource automation 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: 'ExportToWorkspace'
  location: location
  properties: {
    actions: [
      {
        actionType: 'Workspace'
        workspaceResourceId: workspace.id
      }
    ]
    isEnabled: true
    scopes: [
      {
        description: 'Security Export for the subscription'
        scopePath: resourceGroup().id
      }
    ]
    sources: [
      {
        eventSource: 'Assessments'
        ruleSets: [
          {
            rules: [
              {
                expectedValue: 'Microsoft.Security/assessments'
                operator: 'Contains'
                propertyJPath: 'type'
                propertyType: 'String'
              }
            ]
          }
        ]
      }
      {
        eventSource: 'AssessmentsSnapshot'
        ruleSets: [
          {
            rules: [
              {
                expectedValue: 'Microsoft.Security/assessments'
                operator: 'Contains'
                propertyJPath: 'type'
                propertyType: 'String'
              }
            ]
          }
        ]
      }
      {
        eventSource: 'SubAssessments'
      }
      {
        eventSource: 'SubAssessmentsSnapshot'
      }
      {
        eventSource: 'Alerts'
        // One rule set per severity: rule sets are OR-ed, so any severity matches
        ruleSets: [
          {
            rules: [
              {
                expectedValue: 'low'
                operator: 'Equals'
                propertyJPath: 'Severity'
                propertyType: 'String'
              }
            ]
          }
          {
            rules: [
              {
                expectedValue: 'medium'
                operator: 'Equals'
                propertyJPath: 'Severity'
                propertyType: 'String'
              }
            ]
          }
          {
            rules: [
              {
                expectedValue: 'high'
                operator: 'Equals'
                propertyJPath: 'Severity'
                propertyType: 'String'
              }
            ]
          }
          {
            rules: [
              {
                expectedValue: 'informational'
                operator: 'Equals'
                propertyJPath: 'Severity'
                propertyType: 'String'
              }
            ]
          }
        ]
      }
      {
        eventSource: 'SecureScores'
      }
      {
        eventSource: 'SecureScoresSnapshot'
      }
      {
        eventSource: 'SecureScoreControls'
      }
      {
        eventSource: 'SecureScoreControlsSnapshot'
      }
      {
        eventSource: 'RegulatoryComplianceAssessment'
      }
      {
        eventSource: 'RegulatoryComplianceAssessmentSnapshot'
      }
    ]
  }
}

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: resourceName
  location: location
  properties: {
    features: {
      disableLocalAuth: false
      enableLogAccessUsingOnlyResourcePermissions: true
    }
    publicNetworkAccessForIngestion: 'Enabled'
    publicNetworkAccessForQuery: 'Enabled'
    retentionInDays: 30
    sku: {
      name: 'PerGB2018'
    }
    workspaceCapping: {
      dailyQuotaGb: -1
    }
  }
}
```
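The rule semantics in the AutomationProperties, AutomationSource and AutomationTriggeringRule tables above (every rule in a rule set must hold, any one rule set is enough, String comparisons ignore case) can be checked offline to find events an automation would silently drop. This Python model is an added example, not Microsoft's implementation or code from this page; treating `propertyJPath` as a plain dotted path, treating a source without `ruleSets` as unfiltered, and the `ExampleScore` property are assumptions.

```python
# Added example: offline model of the rule semantics above, not Microsoft's code.
CASTS = {
    "String": lambda v: str(v).lower(),  # String comparisons are case-insensitive
    "Integer": int,
    "Number": float,
    "Boolean": lambda v: v if isinstance(v, bool) else str(v).lower() == "true",
}
OPERATORS = {
    "Equals": lambda a, e: a == e,
    "NotEquals": lambda a, e: a != e,
    "Contains": lambda a, e: e in a,
    "StartsWith": lambda a, e: a.startswith(e),
    "EndsWith": lambda a, e: a.endswith(e),
    "GreaterThan": lambda a, e: a > e,
    "GreaterThanOrEqualTo": lambda a, e: a >= e,
    "LesserThan": lambda a, e: a < e,
    "LesserThanOrEqualTo": lambda a, e: a <= e,
}

def resolve(event, jpath):
    # Assumption: propertyJPath is treated as a plain dotted path.
    node = event
    for key in jpath.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def rule_matches(rule, event):
    actual = resolve(event, rule["propertyJPath"])
    if actual is None:
        return False  # assumption: a missing property never satisfies a rule
    cast = CASTS[rule["propertyType"]]
    try:
        return OPERATORS[rule["operator"]](cast(actual), cast(rule["expectedValue"]))
    except (TypeError, ValueError, AttributeError):
        return False  # operands do not fit the declared type or operator

def would_trigger(sources, event_source, event):
    """OR across rule sets, AND across the rules inside one rule set."""
    for source in (s for s in sources if s["eventSource"] == event_source):
        if not source.get("ruleSets"):
            return True  # assumption: a source without ruleSets is unfiltered
        if any(all(rule_matches(r, event) for r in rs["rules"])
               for rs in source["ruleSets"]):
            return True
    return False

def severity_rule(value):
    return {"propertyJPath": "Severity", "propertyType": "String",
            "operator": "Equals", "expectedValue": value}

# Constructed sample; "ExampleScore" is a hypothetical property for the AND case.
SOURCES = [
    {"eventSource": "Alerts", "ruleSets": [
        {"rules": [severity_rule("high")]},
        {"rules": [severity_rule("medium"),
                   {"propertyJPath": "ExampleScore", "propertyType": "Integer",
                    "operator": "GreaterThanOrEqualTo", "expectedValue": "50"}]},
    ]},
    {"eventSource": "SubAssessments"},
]

def uncovered_severities(sources, extra=None):
    """Severity values used in the sample above that no Alerts rule set exports."""
    levels = ["Informational", "Low", "Medium", "High"]
    return [s for s in levels
            if not would_trigger(sources, "Alerts", {**(extra or {}), "Severity": s})]
```

Running `uncovered_severities` against the `sources` array of a template before deployment shows which alert severities would never reach the configured action.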
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Create A Security Automation for specific Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by specific Security Center Alert |
ARM template resource definition
The automations resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Security/automations resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Security/automations",
  "apiVersion": "2023-12-01-preview",
  "name": "string",
  "etag": "string",
  "kind": "string",
  "location": "string",
  "properties": {
    "actions": [ {
      "actionType": "string"
      // For remaining properties, see AutomationAction objects
    } ],
    "description": "string",
    "isEnabled": "bool",
    "scopes": [
      {
        "description": "string",
        "scopePath": "string"
      }
    ],
    "sources": [
      {
        "eventSource": "string",
        "ruleSets": [
          {
            "rules": [
              {
                "expectedValue": "string",
                "operator": "string",
                "propertyJPath": "string",
                "propertyType": "string"
              }
            ]
          }
        ]
      }
    ]
  },
  "tags": {
    "{customized property}": "string"
  }
}
```
AutomationAction objects
Set the actionType property to specify the type of object.
For EventHub, use:
```json
{
  "actionType": "EventHub",
  "connectionString": "string",
  "eventHubResourceId": "string",
  "isTrustedServiceEnabled": "bool"
}
```
For LogicApp, use:
```json
{
  "actionType": "LogicApp",
  "logicAppResourceId": "string",
  "uri": "string"
}
```
For Workspace, use:
```json
{
  "actionType": "Workspace",
  "workspaceResourceId": "string"
}
```
Property Values
Microsoft.Security/automations
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2023-12-01-preview' |
| etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
| kind | Kind of the resource | string |
| location | Location where the resource is stored | string |
| name | The resource name | string (required) |
| properties | Security automation data | AutomationProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Security/automations' |
AutomationAction
| Name | Description | Value |
|---|---|---|
| actionType | Set to 'EventHub' for type AutomationActionEventHub. Set to 'LogicApp' for type AutomationActionLogicApp. Set to 'Workspace' for type AutomationActionWorkspace. | 'EventHub' 'LogicApp' 'Workspace' (required) |
AutomationActionEventHub
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'EventHub' (required) |
| connectionString | The target Event Hub connection string (it will not be included in any response). | string |
| eventHubResourceId | The target Event Hub Azure Resource ID. | string |
| isTrustedServiceEnabled | Indicates whether the trusted service is enabled or not. | bool |
AutomationActionLogicApp
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'LogicApp' (required) |
| logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
| uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |
AutomationActionWorkspace
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'Workspace' (required) |
| workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |
AutomationProperties
| Name | Description | Value |
|---|---|---|
| actions | A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true. | AutomationAction[] |
| description | The security automation description. | string |
| isEnabled | Indicates whether the security automation is enabled. | bool |
| scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
| sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |
AutomationRuleSet
| Name | Description | Value |
|---|---|---|
| rules | | AutomationTriggeringRule[] |
AutomationScope
| Name | Description | Value |
|---|---|---|
| description | The resources scope description. | string |
| scopePath | The resources scope path. Can be the subscription on which the automation is defined on or a resource group under that subscription (fully qualified Azure resource IDs). | string |
AutomationSource
| Name | Description | Value |
|---|---|---|
| eventSource | A valid event source type. | 'Alerts' 'Assessments' 'AssessmentsSnapshot' 'AttackPaths' 'AttackPathsSnapshot' 'RegulatoryComplianceAssessment' 'RegulatoryComplianceAssessmentSnapshot' 'SecureScoreControls' 'SecureScoreControlsSnapshot' 'SecureScores' 'SecureScoresSnapshot' 'SubAssessments' 'SubAssessmentsSnapshot' |
| ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |
AutomationTriggeringRule
| Name | Description | Value |
|---|---|---|
| expectedValue | The expected value. | string |
| operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains' 'EndsWith' 'Equals' 'GreaterThan' 'GreaterThanOrEqualTo' 'LesserThan' 'LesserThanOrEqualTo' 'NotEquals' 'StartsWith' |
| propertyJPath | The JPath of the entity model property that should be checked. | string |
| propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean' 'Integer' 'Number' 'String' |
Tags
| Name | Description | Value |
|---|---|---|
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Create A Security Automation for a Recommendation | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by a specific Security Center Recommendation and unhealthy state |
| Create A Security Automation for all Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by any Security Center Alert |
| Create A Security Automation for any Recommendation | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by any Security Center Recommendation and state |
| Create A Security Automation for specific Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by specific Security Center Alert |
Terraform (AzAPI provider) resource definition
The automations resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Security/automations resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Security/automations@2023-12-01-preview"
  name = "string"
  parent_id = "string"
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    etag = "string"
    kind = "string"
    properties = {
      actions = [
        {
          actionType = "string"
          // For remaining properties, see AutomationAction objects
        }
      ]
      description = "string"
      isEnabled = bool
      scopes = [
        {
          description = "string"
          scopePath = "string"
        }
      ]
      sources = [
        {
          eventSource = "string"
          ruleSets = [
            {
              rules = [
                {
                  expectedValue = "string"
                  operator = "string"
                  propertyJPath = "string"
                  propertyType = "string"
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```
AutomationAction objects
Set the actionType property to specify the type of object.
For EventHub, use:
```terraform
{
  actionType = "EventHub"
  connectionString = "string"
  eventHubResourceId = "string"
  isTrustedServiceEnabled = bool
}
```
For LogicApp, use:
```terraform
{
  actionType = "LogicApp"
  logicAppResourceId = "string"
  uri = "string"
}
```
For Workspace, use:
```terraform
{
  actionType = "Workspace"
  workspaceResourceId = "string"
}
```
Property Values
Microsoft.Security/automations
| Name | Description | Value |
|---|---|---|
| etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
| kind | Kind of the resource | string |
| location | Location where the resource is stored | string |
| name | The resource name | string (required) |
| properties | Security automation data | AutomationProperties |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Security/automations@2023-12-01-preview" |
AutomationAction
| Name | Description | Value |
|---|---|---|
| actionType | Set to 'EventHub' for type AutomationActionEventHub. Set to 'LogicApp' for type AutomationActionLogicApp. Set to 'Workspace' for type AutomationActionWorkspace. | 'EventHub' 'LogicApp' 'Workspace' (required) |
AutomationActionEventHub
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'EventHub' (required) |
| connectionString | The target Event Hub connection string (it will not be included in any response). | string |
| eventHubResourceId | The target Event Hub Azure Resource ID. | string |
| isTrustedServiceEnabled | Indicates whether the trusted service is enabled or not. | bool |
AutomationActionLogicApp
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'LogicApp' (required) |
| logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
| uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |
AutomationActionWorkspace
| Name | Description | Value |
|---|---|---|
| actionType | The type of the action that will be triggered by the Automation | 'Workspace' (required) |
| workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |
AutomationProperties
| Name | Description | Value |
|---|---|---|
| actions | A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true. | AutomationAction[] |
| description | The security automation description. | string |
| isEnabled | Indicates whether the security automation is enabled. | bool |
| scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
| sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |
AutomationRuleSet
| Name | Description | Value |
|---|---|---|
| rules | | AutomationTriggeringRule[] |
AutomationScope
| Name | Description | Value |
|---|---|---|
| description | The resources scope description. | string |
| scopePath | The resources scope path. Can be the subscription on which the automation is defined on or a resource group under that subscription (fully qualified Azure resource IDs). | string |
AutomationSource
| Name | Description | Value |
|---|---|---|
| eventSource | A valid event source type. | 'Alerts' 'Assessments' 'AssessmentsSnapshot' 'AttackPaths' 'AttackPathsSnapshot' 'RegulatoryComplianceAssessment' 'RegulatoryComplianceAssessmentSnapshot' 'SecureScoreControls' 'SecureScoreControlsSnapshot' 'SecureScores' 'SecureScoresSnapshot' 'SubAssessments' 'SubAssessmentsSnapshot' |
| ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |
AutomationTriggeringRule
| Name | Description | Value |
|---|---|---|
| expectedValue | The expected value. | string |
| operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains' 'EndsWith' 'Equals' 'GreaterThan' 'GreaterThanOrEqualTo' 'LesserThan' 'LesserThanOrEqualTo' 'NotEquals' 'StartsWith' |
| propertyJPath | The JPath of the entity model property that should be checked. | string |
| propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean' 'Integer' 'Number' 'String' |
Tags
| Name | Description | Value |
|---|---|---|
Usage Examples
Terraform Samples
A basic example of deploying Security Center Automation and Continuous Export.
```terraform
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type = string
  default = "acctest0001"
}

variable "location" {
  type = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type = "Microsoft.Resources/resourceGroups@2020-06-01"
  name = var.resource_name
  location = var.location
}

resource "azapi_resource" "workspace" {
  type = "Microsoft.OperationalInsights/workspaces@2022-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name = var.resource_name
  location = var.location
  body = {
    properties = {
      features = {
        disableLocalAuth = false
        enableLogAccessUsingOnlyResourcePermissions = true
      }
      publicNetworkAccessForIngestion = "Enabled"
      publicNetworkAccessForQuery = "Enabled"
      retentionInDays = 30
      sku = {
        name = "PerGB2018"
      }
      workspaceCapping = {
        dailyQuotaGb = -1
      }
    }
  }
  schema_validation_enabled = false
  response_export_values = ["*"]
}

resource "azapi_resource" "automation" {
  type = "Microsoft.Security/automations@2019-01-01-preview"
  name = "ExportToWorkspace"
  parent_id = azapi_resource.resourceGroup.id
  location = azapi_resource.resourceGroup.location
  body = {
    properties = {
      isEnabled = true,
      scopes = [
        {
          description = "Security Export for the subscription",
          scopePath = azapi_resource.resourceGroup.id
        }
      ],
      sources = [
        {
          eventSource = "Assessments",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "type",
                  propertyType = "String",
                  expectedValue = "Microsoft.Security/assessments",
                  operator = "Contains"
                }
              ]
            }
          ]
        },
        {
          eventSource = "AssessmentsSnapshot",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "type",
                  propertyType = "String",
                  expectedValue = "Microsoft.Security/assessments",
                  operator = "Contains"
                }
              ]
            }
          ]
        },
        {
          eventSource = "SubAssessments"
        },
        {
          eventSource = "SubAssessmentsSnapshot"
        },
        {
          eventSource = "Alerts",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType = "String",
                  expectedValue = "low",
                  operator = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType = "String",
                  expectedValue = "medium",
                  operator = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType = "String",
                  expectedValue = "high",
                  operator = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType = "String",
                  expectedValue = "informational",
                  operator = "Equals"
                }
              ]
            }
          ]
        },
        {
          eventSource = "SecureScores"
        },
        {
          eventSource = "SecureScoresSnapshot"
        },
        {
          eventSource = "SecureScoreControls"
        },
        {
          eventSource = "SecureScoreControlsSnapshot"
        },
        {
          eventSource = "RegulatoryComplianceAssessment"
        },
        {
          eventSource = "RegulatoryComplianceAssessmentSnapshot"
        }
      ],
      actions = [
        {
          workspaceResourceId = azapi_resource.workspace.id
          actionType = "Workspace"
        }
      ]
    }
  }
}
```