Microsoft.Security automations
Bicep resource definition
The automations resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Security/automations resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Security/automations@2023-12-01-preview' = {
  etag: 'string'
  kind: 'string'
  location: 'string'
  name: 'string'
  properties: {
    actions: [
      {
        actionType: 'string'
        // For remaining properties, see AutomationAction objects
      }
    ]
    description: 'string'
    isEnabled: bool
    scopes: [
      {
        description: 'string'
        scopePath: 'string'
      }
    ]
    sources: [
      {
        eventSource: 'string'
        ruleSets: [
          {
            rules: [
              {
                expectedValue: 'string'
                operator: 'string'
                propertyJPath: 'string'
                propertyType: 'string'
              }
            ]
          }
        ]
      }
    ]
  }
  tags: {
    {customized property}: 'string'
  }
}
AutomationAction objects
Set the actionType property to specify the type of object.
For EventHub, use:
{
  actionType: 'EventHub'
  connectionString: 'string'
  eventHubResourceId: 'string'
  isTrustedServiceEnabled: bool
}
For LogicApp, use:
{
  actionType: 'LogicApp'
  logicAppResourceId: 'string'
  uri: 'string'
}
For Workspace, use:
{
  actionType: 'Workspace'
  workspaceResourceId: 'string'
}
Property values
AutomationAction
Name | Description | Value |
---|---|---|
actionType | Set to 'EventHub' for type AutomationActionEventHub. Set to 'LogicApp' for type AutomationActionLogicApp. Set to 'Workspace' for type AutomationActionWorkspace. | 'EventHub' 'LogicApp' 'Workspace' (required) |
AutomationActionEventHub
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'EventHub' (required) |
connectionString | The target Event Hub connection string (it will not be included in any response). | string |
eventHubResourceId | The target Event Hub Azure Resource ID. | string |
isTrustedServiceEnabled | Indicates whether the trusted service is enabled or not. | bool |
AutomationActionLogicApp
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'LogicApp' (required) |
logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |
AutomationActionWorkspace
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'Workspace' (required) |
workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |
AutomationProperties
Name | Description | Value |
---|---|---|
actions | A collection of the actions which are triggered if all the configured rule evaluations, within at least one rule set, are true. | AutomationAction[] |
description | The security automation description. | string |
isEnabled | Indicates whether the security automation is enabled. | bool |
scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |
AutomationRuleSet
Name | Description | Value |
---|---|---|
rules | | AutomationTriggeringRule[] |
AutomationScope
Name | Description | Value |
---|---|---|
description | The resources scope description. | string |
scopePath | The resources scope path. Can be the subscription on which the automation is defined or a resource group under that subscription (fully qualified Azure resource IDs). | string |
AutomationSource
Name | Description | Value |
---|---|---|
eventSource | A valid event source type. | 'Alerts' 'Assessments' 'AssessmentsSnapshot' 'AttackPaths' 'AttackPathsSnapshot' 'RegulatoryComplianceAssessment' 'RegulatoryComplianceAssessmentSnapshot' 'SecureScoreControls' 'SecureScoreControlsSnapshot' 'SecureScores' 'SecureScoresSnapshot' 'SubAssessments' 'SubAssessmentsSnapshot' |
ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |
AutomationTriggeringRule
Name | Description | Value |
---|---|---|
expectedValue | The expected value. | string |
operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains' 'EndsWith' 'Equals' 'GreaterThan' 'GreaterThanOrEqualTo' 'LesserThan' 'LesserThanOrEqualTo' 'NotEquals' 'StartsWith' |
propertyJPath | The JPath of the entity model property that should be checked. | string |
propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean' 'Integer' 'Number' 'String' |
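The evaluation semantics in the tables above (every rule in a rule set must hold, any one rule set is enough, String comparisons ignore case), modelled locally so a rule set can be checked against a sample event before the automation is deployed. This is an added example, not Microsoft's implementation; the dotted-path resolution, the handling of missing properties and of a source without rule sets, and every property name in the sample data are assumptions.

```python
# Added example: local model of the documented rule semantics; assumptions are marked inline.

def resolve(entity, jpath):
    """Walk a dotted path such as 'properties.severity' (assumed path syntax)."""
    for key in jpath.split("."):
        if not isinstance(entity, dict) or key not in entity:
            return None
        entity = entity[key]
    return entity

CASTS = {
    "String": lambda v: str(v).lower(),  # page: String comparison is case-insensitive
    "Integer": int, "Number": float,
    "Boolean": lambda v: str(v).lower() == "true",
}
OPERATORS = {
    "Equals": lambda a, b: a == b,
    "NotEquals": lambda a, b: a != b,
    "GreaterThan": lambda a, b: a > b,
    "GreaterThanOrEqualTo": lambda a, b: a >= b,
    "LesserThan": lambda a, b: a < b,
    "LesserThanOrEqualTo": lambda a, b: a <= b,
    "Contains": lambda a, b: b in a,
    "StartsWith": lambda a, b: a.startswith(b),
    "EndsWith": lambda a, b: a.endswith(b),
}

def rule_matches(rule, entity):
    actual = resolve(entity, rule["propertyJPath"])
    if actual is None:
        return False  # assumption: a missing property never matches
    cast = CASTS[rule["propertyType"]]
    try:
        return OPERATORS[rule["operator"]](cast(actual), cast(rule["expectedValue"]))
    except (TypeError, ValueError, AttributeError):
        return False  # operand not convertible, or operator unsupported for the type

def source_fires(source, event_source, entity):
    """AND across the rules of one rule set, OR across rule sets."""
    if source["eventSource"] != event_source:
        return False
    rule_sets = source.get("ruleSets") or []
    if not rule_sets:
        return True  # assumption: no rule sets means every event of that source
    return any(all(rule_matches(r, entity) for r in rs["rules"]) for rs in rule_sets)

# Constructed source and entities; property names are illustrative only.
SOURCE = {"eventSource": "Alerts", "ruleSets": [
    {"rules": [{"propertyJPath": "properties.severity", "propertyType": "String", "operator": "Equals", "expectedValue": "high"},
               {"propertyJPath": "properties.title", "propertyType": "String", "operator": "Contains", "expectedValue": "PowerShell"}]},
    {"rules": [{"propertyJPath": "properties.score", "propertyType": "Integer", "operator": "GreaterThanOrEqualTo", "expectedValue": "90"}]}]}
BOTH_RULES = {"properties": {"severity": "High", "title": "Suspicious powershell use", "score": 10}}
ONE_RULE = {"properties": {"severity": "High", "title": "Port scan", "score": 10}}
```

`ONE_RULE` satisfies only the severity rule of the first rule set and nothing in the second, so no action would run for it: a rule added to an existing rule set narrows the match, while a new rule set widens it.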
Microsoft.Security/automations
Name | Description | Value |
---|---|---|
etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
kind | Kind of the resource | string |
location | Location where the resource is stored | string |
name | The resource name | string (required) |
properties | Security automation data | AutomationProperties |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
Tags
Name | Description | Value |
---|---|---|
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Create A Security Automation for specific Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by specific Security Center Alert |
ARM template resource definition
The automations resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Security/automations resource, add the following JSON to your template.
{
  "type": "Microsoft.Security/automations",
  "apiVersion": "2023-12-01-preview",
  "name": "string",
  "etag": "string",
  "kind": "string",
  "location": "string",
  "properties": {
    "actions": [ {
      "actionType": "string"
      // For remaining properties, see AutomationAction objects
    } ],
    "description": "string",
    "isEnabled": "bool",
    "scopes": [
      {
        "description": "string",
        "scopePath": "string"
      }
    ],
    "sources": [
      {
        "eventSource": "string",
        "ruleSets": [
          {
            "rules": [
              {
                "expectedValue": "string",
                "operator": "string",
                "propertyJPath": "string",
                "propertyType": "string"
              }
            ]
          }
        ]
      }
    ]
  },
  "tags": {
    "{customized property}": "string"
  }
}
AutomationAction objects
Set the actionType property to specify the type of object.
For EventHub, use:
{
  "actionType": "EventHub",
  "connectionString": "string",
  "eventHubResourceId": "string",
  "isTrustedServiceEnabled": "bool"
}
For LogicApp, use:
{
  "actionType": "LogicApp",
  "logicAppResourceId": "string",
  "uri": "string"
}
For Workspace, use:
{
  "actionType": "Workspace",
  "workspaceResourceId": "string"
}
Property values
AutomationAction
Name | Description | Value |
---|---|---|
actionType | Set to 'EventHub' for type AutomationActionEventHub. Set to 'LogicApp' for type AutomationActionLogicApp. Set to 'Workspace' for type AutomationActionWorkspace. | 'EventHub' 'LogicApp' 'Workspace' (required) |
AutomationActionEventHub
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'EventHub' (required) |
connectionString | The target Event Hub connection string (it will not be included in any response). | string |
eventHubResourceId | The target Event Hub Azure Resource ID. | string |
isTrustedServiceEnabled | Indicates whether the trusted service is enabled or not. | bool |
AutomationActionLogicApp
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'LogicApp' (required) |
logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |
AutomationActionWorkspace
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'Workspace' (required) |
workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |
AutomationProperties
Name | Description | Value |
---|---|---|
actions | A collection of the actions which are triggered if all the configured rule evaluations, within at least one rule set, are true. | AutomationAction[] |
description | The security automation description. | string |
isEnabled | Indicates whether the security automation is enabled. | bool |
scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |
AutomationRuleSet
Name | Description | Value |
---|---|---|
rules | | AutomationTriggeringRule[] |
AutomationScope
Name | Description | Value |
---|---|---|
description | The resources scope description. | string |
scopePath | The resources scope path. Can be the subscription on which the automation is defined or a resource group under that subscription (fully qualified Azure resource IDs). | string |
AutomationSource
Name | Description | Value |
---|---|---|
eventSource | A valid event source type. | 'Alerts' 'Assessments' 'AssessmentsSnapshot' 'AttackPaths' 'AttackPathsSnapshot' 'RegulatoryComplianceAssessment' 'RegulatoryComplianceAssessmentSnapshot' 'SecureScoreControls' 'SecureScoreControlsSnapshot' 'SecureScores' 'SecureScoresSnapshot' 'SubAssessments' 'SubAssessmentsSnapshot' |
ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |
AutomationTriggeringRule
Name | Description | Value |
---|---|---|
expectedValue | The expected value. | string |
operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains' 'EndsWith' 'Equals' 'GreaterThan' 'GreaterThanOrEqualTo' 'LesserThan' 'LesserThanOrEqualTo' 'NotEquals' 'StartsWith' |
propertyJPath | The JPath of the entity model property that should be checked. | string |
propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean' 'Integer' 'Number' 'String' |
Microsoft.Security/automations
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2023-12-01-preview' |
etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
kind | Kind of the resource | string |
location | Location where the resource is stored | string |
name | The resource name | string (required) |
properties | Security automation data | AutomationProperties |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Security/automations' |
Tags
Name | Description | Value |
---|---|---|
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Create A Security Automation for a Recommendation | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by a specific Security Center Recommendation and unhealthy state |
Create A Security Automation for all Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by any Security Center Alert |
Create A Security Automation for any Recommendation | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by any Security Center Recommendation and state |
Create A Security Automation for specific Alerts | This template allows you to create an Azure Security Center Automation which triggers an empty logic app, which will be triggered by specific Security Center Alert |
Terraform (AzAPI provider) resource definition
The automations resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Security/automations resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Security/automations@2023-12-01-preview"
  name = "string"
  etag = "string"
  kind = "string"
  location = "string"
  body = jsonencode({
    properties = {
      actions = [
        {
          actionType = "string"
          // For remaining properties, see AutomationAction objects
        }
      ]
      description = "string"
      isEnabled = bool
      scopes = [
        {
          description = "string"
          scopePath = "string"
        }
      ]
      sources = [
        {
          eventSource = "string"
          ruleSets = [
            {
              rules = [
                {
                  expectedValue = "string"
                  operator = "string"
                  propertyJPath = "string"
                  propertyType = "string"
                }
              ]
            }
          ]
        }
      ]
    }
  })
  tags = {
    {customized property} = "string"
  }
}
AutomationAction objects
Set the actionType property to specify the type of object.
For EventHub, use:
{
  actionType = "EventHub"
  connectionString = "string"
  eventHubResourceId = "string"
  isTrustedServiceEnabled = bool
}
For LogicApp, use:
{
  actionType = "LogicApp"
  logicAppResourceId = "string"
  uri = "string"
}
For Workspace, use:
{
  actionType = "Workspace"
  workspaceResourceId = "string"
}
Property values
AutomationAction
Name | Description | Value |
---|---|---|
actionType | Set to 'EventHub' for type AutomationActionEventHub. Set to 'LogicApp' for type AutomationActionLogicApp. Set to 'Workspace' for type AutomationActionWorkspace. | 'EventHub' 'LogicApp' 'Workspace' (required) |
AutomationActionEventHub
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'EventHub' (required) |
connectionString | The target Event Hub connection string (it will not be included in any response). | string |
eventHubResourceId | The target Event Hub Azure Resource ID. | string |
isTrustedServiceEnabled | Indicates whether the trusted service is enabled or not. | bool |
AutomationActionLogicApp
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'LogicApp' (required) |
logicAppResourceId | The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App | string |
uri | The Logic App trigger URI endpoint (it will not be included in any response). | string |
AutomationActionWorkspace
Name | Description | Value |
---|---|---|
actionType | The type of the action that will be triggered by the Automation | 'Workspace' (required) |
workspaceResourceId | The fully qualified Log Analytics Workspace Azure Resource ID. | string |
AutomationProperties
Name | Description | Value |
---|---|---|
actions | A collection of the actions which are triggered if all the configured rule evaluations, within at least one rule set, are true. | AutomationAction[] |
description | The security automation description. | string |
isEnabled | Indicates whether the security automation is enabled. | bool |
scopes | A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes. | AutomationScope[] |
sources | A collection of the source event types which evaluate the security automation set of rules. | AutomationSource[] |
AutomationRuleSet
Name | Description | Value |
---|---|---|
rules | | AutomationTriggeringRule[] |
AutomationScope
Name | Description | Value |
---|---|---|
description | The resources scope description. | string |
scopePath | The resources scope path. Can be the subscription on which the automation is defined or a resource group under that subscription (fully qualified Azure resource IDs). | string |
AutomationSource
Name | Description | Value |
---|---|---|
eventSource | A valid event source type. | 'Alerts' 'Assessments' 'AssessmentsSnapshot' 'AttackPaths' 'AttackPathsSnapshot' 'RegulatoryComplianceAssessment' 'RegulatoryComplianceAssessmentSnapshot' 'SecureScoreControls' 'SecureScoreControlsSnapshot' 'SecureScores' 'SecureScoresSnapshot' 'SubAssessments' 'SubAssessmentsSnapshot' |
ruleSets | A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or'). | AutomationRuleSet[] |
AutomationTriggeringRule
Name | Description | Value |
---|---|---|
expectedValue | The expected value. | string |
operator | A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType. | 'Contains' 'EndsWith' 'Equals' 'GreaterThan' 'GreaterThanOrEqualTo' 'LesserThan' 'LesserThanOrEqualTo' 'NotEquals' 'StartsWith' |
propertyJPath | The JPath of the entity model property that should be checked. | string |
propertyType | The data type of the compared operands (string, integer, floating point number or a boolean [true/false]) | 'Boolean' 'Integer' 'Number' 'String' |
Microsoft.Security/automations
Name | Description | Value |
---|---|---|
etag | Entity tag is used for comparing two or more entities from the same requested resource. | string |
kind | Kind of the resource | string |
location | Location where the resource is stored | string |
name | The resource name | string (required) |
properties | Security automation data | AutomationProperties |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Security/automations@2023-12-01-preview" |
Tags
Name | Description | Value |
---|---|---|