Creates a new Microsoft Sentinel Automation Rule
This sample template demonstrates how to create an Automation Rule in your Microsoft Sentinel workspace. The sample automation rule triggers on incident creation and checks for a specific analytic rule ID, severity, tactics and title. If the incident matches these conditions, the rule modifies the incident status and adds a tag. For more information about automation rules, visit Automation in Azure Sentinel.
Prerequisites
To deploy this template successfully, you need an existing Microsoft Sentinel workspace. An analytic rule ID is optional. If you do not wish to target a specific analytic rule ID, you can remove that parameter and its condition from the azuredeploy.json file.
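The resource below shows the shape of an automation rule like the one described above: four conditions on incident creation, then one action that sets the status and adds a tag. It is an added example, not the contents of this template's azuredeploy.json; the parameter names (`workspaceName`, `analyticRuleId`), the API version chosen, and every condition and action value are assumptions.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01",
  "comments": "Added example. Parameter names and all condition/action values are assumptions, not taken from azuredeploy.json.",
  "name": "[guid(parameters('workspaceName'), 'example-automation-rule')]",
  "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('workspaceName'))]",
  "properties": {
    "displayName": "Example: tag and activate matching incidents",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        { "conditionType": "Property", "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds", "operator": "Contains",
            "propertyValues": [
              "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), 'Microsoft.SecurityInsights/alertRules', parameters('analyticRuleId'))]"
            ] } },
        { "conditionType": "Property", "conditionProperties": {
            "propertyName": "IncidentSeverity", "operator": "Equals",
            "propertyValues": [ "High" ] } },
        { "conditionType": "Property", "conditionProperties": {
            "propertyName": "IncidentTactics", "operator": "Contains",
            "propertyValues": [ "InitialAccess" ] } },
        { "conditionType": "Property", "conditionProperties": {
            "propertyName": "IncidentTitle", "operator": "Contains",
            "propertyValues": [ "example title text" ] } }
      ]
    },
    "actions": [
      { "order": 1, "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Active",
          "labels": [ { "labelName": "example-tag" } ]
        } }
    ]
  }
}
```

All entries in `conditions` must match for the action to run, so dropping the `IncidentRelatedAnalyticRuleIds` entry (and its parameter) applies the rule to incidents from any analytic rule that meet the remaining three conditions.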
Tags: Microsoft.SecurityInsights/automationRules, Microsoft.OperationalInsights/workspaces, Microsoft.OperationalInsights/workspaces/providers/onboardingStates, Microsoft.OperationalInsights/workspaces/providers/alertRules