Creates a new Microsoft Sentinel Automation Rule

This sample template demonstrates how to create an Automation Rule in your Microsoft Sentinel workspace. The sample automation rule triggers on incident creation and checks for a specific analytic rule ID, severity, tactics and title. If the incident matches these conditions, the rule modifies the incident status and adds a tag. For more information about automation rules, see "Automation in Azure Sentinel".


To deploy this template successfully, you need an existing Microsoft Sentinel workspace. An analytics rule ID is optional: if you do not wish to target a specific analytic rule ID, you can remove that parameter and its condition from the azuredeploy.json file.
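
The rule described above, as an added example that is not the template's own azuredeploy.json: a rule body shaped like the `properties` of a `Microsoft.SecurityInsights/automationRules` resource, with a simplified local evaluator (not Sentinel's engine) that shows every condition must match before the status change and tag are applied. The rule ID placeholder, the title string, the `Active` status, the `auto-triaged` label and the sample incident are constructed assumptions.

```python
import copy

RULE_ID = "<analytic-rule-resource-id>"  # constructed placeholder, not a real ID

def cond(name, op, values):
    return {"conditionType": "Property", "conditionProperties": {
        "propertyName": name, "operator": op, "propertyValues": values}}

# Rule body; field names follow the automationRules schema, values are constructed.
AUTOMATION_RULE = {
    "displayName": "Sample automation rule", "order": 1,
    "triggeringLogic": {
        "isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
        "conditions": [
            cond("IncidentRelatedAnalyticRuleIds", "Contains", [RULE_ID]),
            cond("IncidentSeverity", "Equals", ["High"]),
            cond("IncidentTactics", "Contains", ["Persistence"]),
            cond("IncidentTitle", "Contains", ["suspicious sign-in"]),
        ]},
    "actions": [{"order": 1, "actionType": "ModifyProperties",
                 "actionConfiguration": {"status": "Active",
                                         "labels": [{"labelName": "auto-triaged"}]}}],
}

def matches(condition, incident):
    """Simplified, case-insensitive model of one Property condition."""
    p = condition["conditionProperties"]
    actual = incident.get(p["propertyName"], [])
    have = [str(a).lower() for a in (actual if isinstance(actual, list) else [actual])]
    test = {"Equals": str.__eq__, "Contains": str.__contains__}[p["operator"]]
    return any(test(a, v.lower()) for a in have for v in p["propertyValues"])

def apply_rule(rule, incident, event="Created"):
    """Return a copy of the incident as it looks after the rule has run."""
    logic, updated = rule["triggeringLogic"], copy.deepcopy(incident)
    if not (logic["isEnabled"] and logic["triggersWhen"] == event
            and all(matches(c, incident) for c in logic["conditions"])):
        return updated  # conditions are ANDed: one miss leaves the incident alone
    for action in sorted(rule["actions"], key=lambda a: a["order"]):
        if action["actionType"] != "ModifyProperties":
            continue  # other action types are not modelled here
        cfg = action["actionConfiguration"]
        updated["status"] = cfg.get("status", updated.get("status"))
        updated["labels"] = updated.get("labels", []) + [
            label["labelName"] for label in cfg.get("labels", [])]
    return updated

SAMPLE = {"IncidentTitle": "Suspicious sign-in followed by new service",  # constructed
          "IncidentSeverity": "High", "IncidentTactics": ["Persistence", "InitialAccess"],
          "IncidentRelatedAnalyticRuleIds": [RULE_ID], "status": "New", "labels": []}
```

Removing the `IncidentRelatedAnalyticRuleIds` entry from `conditions` widens the rule to incidents from any analytic rule that meet the remaining three conditions, which is the effect of dropping that parameter from the template.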

Tags: Microsoft.SecurityInsights/automationRules, Microsoft.OperationalInsights/workspaces, Microsoft.OperationalInsights/workspaces/providers/onboardingStates, Microsoft.OperationalInsights/workspaces/providers/alertRules