Automations - Get

Reference

Service:: Defender for Cloud

API Version:: 2023-12-01-preview

Retrieves information about the model of a security automation.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/automations/{automationName}?api-version=2023-12-01-preview

URI Parameters

Name	In	Required	Type	Description
automationName	path	True	string	The security automation name.
resourceGroupName	path	True	string	The name of the resource group within the user's subscription. The name is case insensitive. Regex pattern: `^[-\w\._]+$`
subscriptionId	path	True	string	Azure subscription ID Regex pattern: `^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$`
api-version	query	True	string	API version for the operation

Responses

Name	Type	Description
200 OK	Automation	OK
Other Status Codes	CloudError	Error response that describes why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Retrieve a security automation

Sample request

GET https://management.azure.com/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/exampleResourceGroup/providers/Microsoft.Security/automations/exampleAutomation?api-version=2023-12-01-preview


/**
 * Samples for Automations GetByResourceGroup.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/preview/2023-12-01-preview/examples/Automations/
     * GetAutomationResourceGroup_example.json
     */
    /**
     * Sample code: Retrieve a security automation.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void retrieveASecurityAutomation(com.azure.resourcemanager.security.SecurityManager manager) {
        manager.automations().getByResourceGroupWithResponse("exampleResourceGroup", "exampleAutomation",
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2023-12-01-preview/examples/Automations/GetAutomationResourceGroup_example.json
func ExampleAutomationsClient_Get() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAutomationsClient().Get(ctx, "exampleResourceGroup", "exampleAutomation", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.Automation = armsecurity.Automation{
	// 	Location: to.Ptr("Central US"),
	// 	Etag: to.Ptr("etag value"),
	// 	Name: to.Ptr("exampleAutomation"),
	// 	Type: to.Ptr("Microsoft.Security/automations"),
	// 	ID: to.Ptr("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/exampleResourceGroup/providers/Microsoft.Security/automations/exampleAutomation"),
	// 	Tags: map[string]*string{
	// 	},
	// 	Properties: &armsecurity.AutomationProperties{
	// 		Description: to.Ptr("An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment"),
	// 		Actions: []armsecurity.AutomationActionClassification{
	// 			&armsecurity.AutomationActionLogicApp{
	// 				ActionType: to.Ptr(armsecurity.ActionTypeLogicApp),
	// 				LogicAppResourceID: to.Ptr("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1"),
	// 		}},
	// 		IsEnabled: to.Ptr(true),
	// 		Scopes: []*armsecurity.AutomationScope{
	// 			{
	// 				Description: to.Ptr("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5"),
	// 				ScopePath: to.Ptr("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup"),
	// 		}},
	// 		Sources: []*armsecurity.AutomationSource{
	// 			{
	// 				EventSource: to.Ptr(armsecurity.EventSourceAssessments),
	// 				RuleSets: []*armsecurity.AutomationRuleSet{
	// 					{
	// 						Rules: []*armsecurity.AutomationTriggeringRule{
	// 							{
	// 								ExpectedValue: to.Ptr("customAssessment"),
	// 								Operator: to.Ptr(armsecurity.OperatorEquals),
	// 								PropertyJPath: to.Ptr("$.Entity.AssessmentType"),
	// 								PropertyType: to.Ptr(armsecurity.PropertyTypeString),
	// 						}},
	// 				}},
	// 		}},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Retrieves information about the model of a security automation.
 *
 * @summary Retrieves information about the model of a security automation.
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2023-12-01-preview/examples/Automations/GetAutomationResourceGroup_example.json
 */
async function retrieveASecurityAutomation() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "a5caac9c-5c04-49af-b3d0-e204f40345d5";
  const resourceGroupName = process.env["SECURITY_RESOURCE_GROUP"] || "exampleResourceGroup";
  const automationName = "exampleAutomation";
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.automations.get(resourceGroupName, automationName);
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "id": "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/exampleResourceGroup/providers/Microsoft.Security/automations/exampleAutomation",
  "name": "exampleAutomation",
  "type": "Microsoft.Security/automations",
  "etag": "etag value",
  "location": "Central US",
  "tags": {},
  "properties": {
    "description": "An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment",
    "isEnabled": true,
    "scopes": [
      {
        "description": "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        "scopePath": "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup"
      }
    ],
    "sources": [
      {
        "eventSource": "Assessments",
        "ruleSets": [
          {
            "rules": [
              {
                "propertyJPath": "$.Entity.AssessmentType",
                "propertyType": "String",
                "expectedValue": "customAssessment",
                "operator": "Equals"
              }
            ]
          }
        ]
      }
    ],
    "actions": [
      {
        "logicAppResourceId": "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        "actionType": "LogicApp"
      }
    ]
  }
}

Definitions

Name	Description
Automation	The security automation resource.
AutomationActionEventHub	The target Event Hub to which event data will be exported. To learn more about Microsoft Defender for Cloud continuous export capabilities, visit https://aka.ms/ASCExportLearnMore
AutomationActionLogicApp	The logic app action that should be triggered. To learn more about Microsoft Defender for Cloud's Workflow Automation capabilities, visit https://aka.ms/ASCWorkflowAutomationLearnMore
AutomationActionWorkspace	The Log Analytics Workspace to which event data will be exported. Security alerts data will reside in the 'SecurityAlert' table and the assessments data will reside in the 'SecurityRecommendation' table (under the 'Security'/'SecurityCenterFree' solutions). Note that in order to view the data in the workspace, the Security Center Log Analytics free/standard solution needs to be enabled on that workspace. To learn more about Microsoft Defender for Cloud continuous export capabilities, visit https://aka.ms/ASCExportLearnMore
AutomationRuleSet	A rule set which evaluates all its rules upon an event interception. Only when all the included rules in the rule set will be evaluated as 'true', will the event trigger the defined actions.
AutomationScope	A single automation scope.
AutomationSource	The source event types which evaluate the security automation set of rules. For example - security alerts and security assessments. To learn more about the supported security events data models schemas - please visit https://aka.ms/ASCAutomationSchemas.
AutomationTriggeringRule	A rule which is evaluated upon event interception. The rule is configured by comparing a specific value from the event model to an expected value. This comparison is done by using one of the supported operators set.
CloudError	Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
CloudErrorBody	The error detail.
ErrorAdditionalInfo	The resource management error additional info.
EventSource	A valid event source type.
Operator	A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType.
PropertyType	The data type of the compared operands (string, integer, floating point number or a boolean [true/false]]

Automation

The security automation resource.

Name	Type	Description
etag	string	Entity tag is used for comparing two or more entities from the same requested resource.
id	string	Resource Id
kind	string	Kind of the resource
location	string	Location where the resource is stored
name	string	Resource name
properties.actions	AutomationAction[]: AutomationActionEventHub[] AutomationActionLogicApp[] AutomationActionWorkspace[]	A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true.
properties.description	string	The security automation description.
properties.isEnabled	boolean	Indicates whether the security automation is enabled.
properties.scopes	AutomationScope[]	A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes.
properties.sources	AutomationSource[]	A collection of the source event types which evaluate the security automation set of rules.
tags	object	A list of key value pairs that describe the resource.
type	string	Resource type

AutomationActionEventHub

The target Event Hub to which event data will be exported. To learn more about Microsoft Defender for Cloud continuous export capabilities, visit https://aka.ms/ASCExportLearnMore

Name	Type	Description
actionType	string: EventHub	The type of the action that will be triggered by the Automation
connectionString	string	The target Event Hub connection string (it will not be included in any response).
eventHubResourceId	string	The target Event Hub Azure Resource ID.
isTrustedServiceEnabled	boolean	Indicates whether the trusted service is enabled or not.
sasPolicyName	string	The target Event Hub SAS policy name.

AutomationActionLogicApp

The logic app action that should be triggered. To learn more about Microsoft Defender for Cloud's Workflow Automation capabilities, visit https://aka.ms/ASCWorkflowAutomationLearnMore

Name	Type	Description
actionType	string: LogicApp	The type of the action that will be triggered by the Automation
logicAppResourceId	string	The triggered Logic App Azure Resource ID. This can also reside on other subscriptions, given that you have permissions to trigger the Logic App
uri	string	The Logic App trigger URI endpoint (it will not be included in any response).

AutomationActionWorkspace

The Log Analytics Workspace to which event data will be exported. Security alerts data will reside in the 'SecurityAlert' table and the assessments data will reside in the 'SecurityRecommendation' table (under the 'Security'/'SecurityCenterFree' solutions). Note that in order to view the data in the workspace, the Security Center Log Analytics free/standard solution needs to be enabled on that workspace. To learn more about Microsoft Defender for Cloud continuous export capabilities, visit https://aka.ms/ASCExportLearnMore

Name	Type	Description
actionType	string: Workspace	The type of the action that will be triggered by the Automation
workspaceResourceId	string	The fully qualified Log Analytics Workspace Azure Resource ID.

AutomationRuleSet

A rule set which evaluates all its rules upon an event interception. Only when all the included rules in the rule set will be evaluated as 'true', will the event trigger the defined actions.

Name	Type	Description
rules	AutomationTriggeringRule[]	A rule which is evaluated upon event interception. The rule is configured by comparing a specific value from the event model to an expected value. This comparison is done by using one of the supported operators set.

AutomationScope

A single automation scope.

Name	Type	Description
description	string	The resources scope description.
scopePath	string	The resources scope path. Can be the subscription on which the automation is defined on or a resource group under that subscription (fully qualified Azure resource IDs).

AutomationSource

The source event types which evaluate the security automation set of rules. For example - security alerts and security assessments. To learn more about the supported security events data models schemas - please visit https://aka.ms/ASCAutomationSchemas.

Name	Type	Description
eventSource	EventSource	A valid event source type.
ruleSets	AutomationRuleSet[]	A set of rules which evaluate upon event interception. A logical disjunction is applied between defined rule sets (logical 'or').

AutomationTriggeringRule

A rule which is evaluated upon event interception. The rule is configured by comparing a specific value from the event model to an expected value. This comparison is done by using one of the supported operators set.

Name	Type	Description
expectedValue	string	The expected value.
operator	Operator	A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType.
propertyJPath	string	The JPath of the entity model property that should be checked.
propertyType	PropertyType	The data type of the compared operands (string, integer, floating point number or a boolean [true/false]]

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

Name	Type	Description
error.additionalInfo	ErrorAdditionalInfo[]	The error additional info.
error.code	string	The error code.
error.details	CloudErrorBody[]	The error details.
error.message	string	The error message.
error.target	string	The error target.

CloudErrorBody

The error detail.

Name	Type	Description
additionalInfo	ErrorAdditionalInfo[]	The error additional info.
code	string	The error code.
details	CloudErrorBody[]	The error details.
message	string	The error message.
target	string	The error target.

ErrorAdditionalInfo

The resource management error additional info.

Name	Type	Description
info	object	The additional info.
type	string	The additional info type.

EventSource

A valid event source type.

Name	Type	Description
Alerts	string
Assessments	string
AssessmentsSnapshot	string
AttackPaths	string
AttackPathsSnapshot	string
RegulatoryComplianceAssessment	string
RegulatoryComplianceAssessmentSnapshot	string
SecureScoreControls	string
SecureScoreControlsSnapshot	string
SecureScores	string
SecureScoresSnapshot	string
SubAssessments	string
SubAssessmentsSnapshot	string

Operator

A valid comparer operator to use. A case-insensitive comparison will be applied for String PropertyType.

Name	Type	Description
Contains	string	Applies only for non-decimal operands
EndsWith	string	Applies only for non-decimal operands
Equals	string	Applies for decimal and non-decimal operands
GreaterThan	string	Applies only for decimal operands
GreaterThanOrEqualTo	string	Applies only for decimal operands
LesserThan	string	Applies only for decimal operands
LesserThanOrEqualTo	string	Applies only for decimal operands
NotEquals	string	Applies for decimal and non-decimal operands
StartsWith	string	Applies only for non-decimal operands

PropertyType

The data type of the compared operands (string, integer, floating point number or a boolean [true/false]]

Name	Type	Description
Boolean	string
Integer	string
Number	string
String	string

Share via

Automations - Get

URI Parameters

Responses

Security

azure_auth

Scopes

Examples

Retrieve a security automation

Sample request

Sample response

Definitions

Automation

AutomationActionEventHub

AutomationActionLogicApp

AutomationActionWorkspace

AutomationRuleSet

AutomationScope

AutomationSource

AutomationTriggeringRule

CloudError

CloudErrorBody

ErrorAdditionalInfo

EventSource

Operator

PropertyType

Additional resources