Automation Rules - Create Or Update
Creates or updates the automation rule.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}?api-version=2024-03-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
automation
|
path | True |
string |
Automation rule ID |
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
subscription
|
path | True |
string uuid |
The ID of the target subscription. The value must be an UUID. |
workspace
|
path | True |
string |
The name of the workspace. Regex pattern: |
api-version
|
query | True |
string |
The API version to use for this operation. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
properties.actions | True | AutomationRuleAction[]: |
The actions to execute when the automation rule is triggered. |
properties.displayName | True |
string |
The display name of the automation rule. |
properties.order | True |
integer |
The order of execution of the automation rule. |
properties.triggeringLogic | True |
Describes automation rule triggering logic. |
|
etag |
string |
Etag of the azure resource |
Responses
Name | Type | Description |
---|---|---|
200 OK |
Ok |
|
201 Created |
Created |
|
Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
AutomationRules_CreateOrUpdate
Sample request
PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2024-03-01
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"type": "Microsoft.SecurityInsights/automationRules",
"properties": {
"displayName": "Suspicious user sign-in events",
"order": 1,
"triggeringLogic": {
"isEnabled": true,
"triggersOn": "Incidents",
"triggersWhen": "Created",
"conditions": [
{
"conditionType": "Property",
"conditionProperties": {
"propertyName": "IncidentRelatedAnalyticRuleIds",
"operator": "Contains",
"propertyValues": [
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
]
}
}
]
},
"actions": [
{
"order": 1,
"actionType": "AddIncidentTask",
"actionConfiguration": {
"title": "Reset user passwords",
"description": "Reset passwords for compromised users."
}
}
],
"lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
"createdTimeUtc": "2019-01-01T13:00:00Z",
"lastModifiedBy": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"name": "john doe",
"userPrincipalName": "john@contoso.com"
},
"createdBy": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"name": "john doe",
"userPrincipalName": "john@contoso.com"
}
}
}
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"type": "Microsoft.SecurityInsights/automationRules",
"properties": {
"displayName": "Suspicious user sign-in events",
"order": 1,
"triggeringLogic": {
"isEnabled": true,
"triggersOn": "Incidents",
"triggersWhen": "Created",
"conditions": [
{
"conditionType": "Property",
"conditionProperties": {
"propertyName": "IncidentRelatedAnalyticRuleIds",
"operator": "Contains",
"propertyValues": [
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
]
}
}
]
},
"actions": [
{
"order": 1,
"actionType": "AddIncidentTask",
"actionConfiguration": {
"title": "Reset user passwords",
"description": "Reset passwords for compromised users."
}
}
],
"lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
"createdTimeUtc": "2019-01-01T13:00:00Z",
"lastModifiedBy": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"name": "john doe",
"userPrincipalName": "john@contoso.com"
},
"createdBy": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"name": "john doe",
"userPrincipalName": "john@contoso.com"
}
}
}
Definitions
Name | Description |
---|---|
Action |
The type of the automation rule action. |
Add |
Describes an automation rule action to add a task to an incident. |
Automation |
|
Automation |
Describes an automation rule action to add a task to an incident |
Automation |
Describes an automation rule condition with boolean operators. |
Automation |
Describes a boolean condition operator. |
Automation |
Describes an automation rule action to modify an object's properties |
Automation |
|
Automation |
|
Automation |
|
Automation |
Describes an array condition evaluation type. |
Automation |
Describes an array condition evaluated array type. |
Automation |
Describes an automation rule condition on array properties. |
Automation |
|
Automation |
|
Automation |
|
Automation |
The property to evaluate in an automation rule property condition. |
Automation |
|
Automation |
|
Automation |
Describes an automation rule action to run a playbook |
Automation |
Describes automation rule triggering logic. |
Boolean |
Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions |
Client |
Information on the client (user or application) that made some action |
Cloud |
Error response structure. |
Cloud |
Error details. |
Condition |
|
created |
The type of identity that created the resource. |
Incident |
The reason the incident was closed |
Incident |
The classification reason the incident was closed with |
Incident |
Represents an incident label |
Incident |
The type of the label |
Incident |
Information on the user an incident is assigned to |
Incident |
|
Incident |
The severity of the incident |
Incident |
The status of the incident |
Owner |
The type of the owner the incident is assigned to. |
Playbook |
|
Property |
Describes an automation rule condition that evaluates an array property's value change |
Property |
Describes an automation rule condition that evaluates an array property's value |
Property |
Describes an automation rule condition that evaluates a property's value change |
Property |
Describes an automation rule condition that evaluates a property's value |
system |
Metadata pertaining to creation and last modification of the resource. |
triggers |
|
triggers |
ActionType
The type of the automation rule action.
Name | Type | Description |
---|---|---|
AddIncidentTask |
string |
Add a task to an incident object |
ModifyProperties |
string |
Modify an object's properties |
RunPlaybook |
string |
Run a playbook on an object |
AddIncidentTaskActionProperties
Describes an automation rule action to add a task to an incident.
Name | Type | Description |
---|---|---|
description |
string |
The description of the task. |
title |
string |
The title of the task. |
AutomationRule
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
name |
string |
The name of the resource |
properties.actions | AutomationRuleAction[]: |
The actions to execute when the automation rule is triggered. |
properties.createdBy |
Information on the client (user or application) that made some action |
|
properties.createdTimeUtc |
string |
The time the automation rule was created. |
properties.displayName |
string |
The display name of the automation rule. |
properties.lastModifiedBy |
Information on the client (user or application) that made some action |
|
properties.lastModifiedTimeUtc |
string |
The last time the automation rule was updated. |
properties.order |
integer |
The order of execution of the automation rule. |
properties.triggeringLogic |
Describes automation rule triggering logic. |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AutomationRuleAddIncidentTaskAction
Describes an automation rule action to add a task to an incident
Name | Type | Description |
---|---|---|
actionConfiguration |
Describes an automation rule action to add a task to an incident. |
|
actionType |
string:
Add |
The type of the automation rule action. |
order |
integer |
AutomationRuleBooleanCondition
Describes an automation rule condition with boolean operators.
Name | Type | Description |
---|---|---|
innerConditions | AutomationRuleCondition[]: |
Describes an automation rule condition. |
operator |
Describes a boolean condition operator. |
AutomationRuleBooleanConditionSupportedOperator
Describes a boolean condition operator.
Name | Type | Description |
---|---|---|
And |
string |
Evaluates as true if all the item conditions are evaluated as true |
Or |
string |
Evaluates as true if at least one of the item conditions are evaluated as true |
AutomationRuleModifyPropertiesAction
Describes an automation rule action to modify an object's properties
Name | Type | Description |
---|---|---|
actionConfiguration | ||
actionType |
string:
Modify |
The type of the automation rule action. |
order |
integer |
AutomationRulePropertyArrayChangedConditionSupportedArrayType
Name | Type | Description |
---|---|---|
Alerts |
string |
Evaluate the condition on the alerts |
Comments |
string |
Evaluate the condition on the comments |
Labels |
string |
Evaluate the condition on the labels |
Tactics |
string |
Evaluate the condition on the tactics |
AutomationRulePropertyArrayChangedConditionSupportedChangeType
Name | Type | Description |
---|---|---|
Added |
string |
Evaluate the condition on items added to the array |
AutomationRulePropertyArrayChangedValuesCondition
Name | Type | Description |
---|---|---|
arrayType |
Automation |
|
changeType |
Automation |
AutomationRulePropertyArrayConditionSupportedArrayConditionType
Describes an array condition evaluation type.
Name | Type | Description |
---|---|---|
AnyItem |
string |
Evaluate the condition as true if any item fulfills it |
AutomationRulePropertyArrayConditionSupportedArrayType
Describes an array condition evaluated array type.
Name | Type | Description |
---|---|---|
CustomDetailValues |
string |
Evaluate the condition on a custom detail's values |
CustomDetails |
string |
Evaluate the condition on the custom detail keys |
AutomationRulePropertyArrayValuesCondition
Describes an automation rule condition on array properties.
Name | Type | Description |
---|---|---|
arrayConditionType |
Automation |
Describes an array condition evaluation type. |
arrayType |
Describes an array condition evaluated array type. |
|
itemConditions | AutomationRuleCondition[]: |
Describes an automation rule condition. |
AutomationRulePropertyChangedConditionSupportedChangedType
Name | Type | Description |
---|---|---|
ChangedFrom |
string |
Evaluate the condition on the previous value of the property |
ChangedTo |
string |
Evaluate the condition on the updated value of the property |
AutomationRulePropertyChangedConditionSupportedPropertyType
Name | Type | Description |
---|---|---|
IncidentOwner |
string |
Evaluate the condition on the incident owner |
IncidentSeverity |
string |
Evaluate the condition on the incident severity |
IncidentStatus |
string |
Evaluate the condition on the incident status |
AutomationRulePropertyConditionSupportedOperator
Name | Type | Description |
---|---|---|
Contains |
string |
Evaluates if the property contains at least one of the condition values |
EndsWith |
string |
Evaluates if the property ends with any of the condition values |
Equals |
string |
Evaluates if the property equals at least one of the condition values |
NotContains |
string |
Evaluates if the property does not contain any of the condition values |
NotEndsWith |
string |
Evaluates if the property does not end with any of the condition values |
NotEquals |
string |
Evaluates if the property does not equal any of the condition values |
NotStartsWith |
string |
Evaluates if the property does not start with any of the condition values |
StartsWith |
string |
Evaluates if the property starts with any of the condition values |
AutomationRulePropertyConditionSupportedProperty
The property to evaluate in an automation rule property condition.
Name | Type | Description |
---|---|---|
AccountAadTenantId |
string |
The account Azure Active Directory tenant id |
AccountAadUserId |
string |
The account Azure Active Directory user id |
AccountNTDomain |
string |
The account NetBIOS domain name |
AccountName |
string |
The account name |
AccountObjectGuid |
string |
The account unique identifier |
AccountPUID |
string |
The account Azure Active Directory Passport User ID |
AccountSid |
string |
The account security identifier |
AccountUPNSuffix |
string |
The account user principal name suffix |
AlertAnalyticRuleIds |
string |
The analytic rule ids of the alert |
AlertProductNames |
string |
The name of the product of the alert |
AzureResourceResourceId |
string |
The Azure resource id |
AzureResourceSubscriptionId |
string |
The Azure resource subscription id |
CloudApplicationAppId |
string |
The cloud application identifier |
CloudApplicationAppName |
string |
The cloud application name |
DNSDomainName |
string |
The dns record domain name |
FileDirectory |
string |
The file directory full path |
FileHashValue |
string |
The file hash value |
FileName |
string |
The file name without path |
HostAzureID |
string |
The host Azure resource id |
HostNTDomain |
string |
The host NT domain |
HostName |
string |
The host name without domain |
HostNetBiosName |
string |
The host NetBIOS name |
HostOSVersion |
string |
The host operating system |
IPAddress |
string |
The IP address |
IncidentCustomDetailsKey |
string |
The incident custom detail key |
IncidentCustomDetailsValue |
string |
The incident custom detail value |
IncidentDescription |
string |
The description of the incident |
IncidentLabel |
string |
The labels of the incident |
IncidentProviderName |
string |
The provider name of the incident |
IncidentRelatedAnalyticRuleIds |
string |
The related Analytic rule ids of the incident |
IncidentSeverity |
string |
The severity of the incident |
IncidentStatus |
string |
The status of the incident |
IncidentTactics |
string |
The tactics of the incident |
IncidentTitle |
string |
The title of the incident |
IncidentUpdatedBySource |
string |
The update source of the incident |
IoTDeviceId |
string |
"The IoT device id |
IoTDeviceModel |
string |
The IoT device model |
IoTDeviceName |
string |
The IoT device name |
IoTDeviceOperatingSystem |
string |
The IoT device operating system |
IoTDeviceType |
string |
The IoT device type |
IoTDeviceVendor |
string |
The IoT device vendor |
MailMessageDeliveryAction |
string |
The mail message delivery action |
MailMessageDeliveryLocation |
string |
The mail message delivery location |
MailMessageP1Sender |
string |
The mail message P1 sender |
MailMessageP2Sender |
string |
The mail message P2 sender |
MailMessageRecipient |
string |
The mail message recipient |
MailMessageSenderIP |
string |
The mail message sender IP address |
MailMessageSubject |
string |
The mail message subject |
MailboxDisplayName |
string |
The mailbox display name |
MailboxPrimaryAddress |
string |
The mailbox primary address |
MailboxUPN |
string |
The mailbox user principal name |
MalwareCategory |
string |
The malware category |
MalwareName |
string |
The malware name |
ProcessCommandLine |
string |
The process execution command line |
ProcessId |
string |
The process id |
RegistryKey |
string |
The registry key path |
RegistryValueData |
string |
The registry key value in string formatted representation |
Url |
string |
The url |
AutomationRulePropertyValuesChangedCondition
Name | Type | Description |
---|---|---|
changeType | ||
operator | ||
propertyName | ||
propertyValues |
string[] |
AutomationRulePropertyValuesCondition
Name | Type | Description |
---|---|---|
operator | ||
propertyName |
The property to evaluate in an automation rule property condition. |
|
propertyValues |
string[] |
AutomationRuleRunPlaybookAction
Describes an automation rule action to run a playbook
Name | Type | Description |
---|---|---|
actionConfiguration | ||
actionType |
string:
Run |
The type of the automation rule action. |
order |
integer |
AutomationRuleTriggeringLogic
Describes automation rule triggering logic.
Name | Type | Description |
---|---|---|
conditions | AutomationRuleCondition[]: |
The conditions to evaluate to determine if the automation rule should be triggered on a given object. |
expirationTimeUtc |
string |
Determines when the automation rule should automatically expire and be disabled. |
isEnabled |
boolean |
Determines whether the automation rule is enabled or disabled. |
triggersOn | ||
triggersWhen |
BooleanConditionProperties
Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions
Name | Type | Description |
---|---|---|
conditionProperties |
Describes an automation rule condition with boolean operators. |
|
conditionType |
string:
Boolean |
ClientInfo
Information on the client (user or application) that made some action
Name | Type | Description |
---|---|---|
string |
The email of the client. |
|
name |
string |
The name of the client. |
objectId |
string |
The object id of the client. |
userPrincipalName |
string |
The user principal name of the client. |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error |
Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
ConditionType
Name | Type | Description |
---|---|---|
Boolean |
string |
Apply a boolean operator (e.g AND, OR) to conditions |
Property |
string |
Evaluate an object property value |
PropertyArray |
string |
Evaluate an object array property value |
PropertyArrayChanged |
string |
Evaluate an object array property changed value |
PropertyChanged |
string |
Evaluate an object property changed value |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application |
string |
|
Key |
string |
|
ManagedIdentity |
string |
|
User |
string |
IncidentClassification
The reason the incident was closed
Name | Type | Description |
---|---|---|
BenignPositive |
string |
Incident was benign positive |
FalsePositive |
string |
Incident was false positive |
TruePositive |
string |
Incident was true positive |
Undetermined |
string |
Incident classification was undetermined |
IncidentClassificationReason
The classification reason the incident was closed with
Name | Type | Description |
---|---|---|
InaccurateData |
string |
Classification reason was inaccurate data |
IncorrectAlertLogic |
string |
Classification reason was incorrect alert logic |
SuspiciousActivity |
string |
Classification reason was suspicious activity |
SuspiciousButExpected |
string |
Classification reason was suspicious but expected |
IncidentLabel
Represents an incident label
Name | Type | Description |
---|---|---|
labelName |
string |
The name of the label |
labelType |
The type of the label |
IncidentLabelType
The type of the label
Name | Type | Description |
---|---|---|
AutoAssigned |
string |
Label automatically created by the system |
User |
string |
Label manually created by a user |
IncidentOwnerInfo
Information on the user an incident is assigned to
Name | Type | Description |
---|---|---|
assignedTo |
string |
The name of the user the incident is assigned to. |
string |
The email of the user the incident is assigned to. |
|
objectId |
string |
The object id of the user the incident is assigned to. |
ownerType |
The type of the owner the incident is assigned to. |
|
userPrincipalName |
string |
The user principal name of the user the incident is assigned to. |
IncidentPropertiesAction
Name | Type | Description |
---|---|---|
classification |
The reason the incident was closed |
|
classificationComment |
string |
Describes the reason the incident was closed. |
classificationReason |
The classification reason the incident was closed with |
|
labels |
List of labels to add to the incident. |
|
owner |
Information on the user an incident is assigned to |
|
severity |
The severity of the incident |
|
status |
The status of the incident |
IncidentSeverity
The severity of the incident
Name | Type | Description |
---|---|---|
High |
string |
High severity |
Informational |
string |
Informational severity |
Low |
string |
Low severity |
Medium |
string |
Medium severity |
IncidentStatus
The status of the incident
Name | Type | Description |
---|---|---|
Active |
string |
An active incident which is being handled |
Closed |
string |
A non-active incident |
New |
string |
An active incident which isn't being handled currently |
OwnerType
The type of the owner the incident is assigned to.
Name | Type | Description |
---|---|---|
Group |
string |
The incident owner type is an AAD group |
Unknown |
string |
The incident owner type is unknown |
User |
string |
The incident owner type is an AAD user |
PlaybookActionProperties
Name | Type | Description |
---|---|---|
logicAppResourceId |
string |
The resource id of the playbook resource. |
tenantId |
string |
The tenant id of the playbook resource. |
PropertyArrayChangedConditionProperties
Describes an automation rule condition that evaluates an array property's value change
Name | Type | Description |
---|---|---|
conditionProperties | ||
conditionType |
string:
Property |
PropertyArrayConditionProperties
Describes an automation rule condition that evaluates an array property's value
Name | Type | Description |
---|---|---|
conditionProperties |
Describes an automation rule condition on array properties. |
|
conditionType |
string:
Property |
PropertyChangedConditionProperties
Describes an automation rule condition that evaluates a property's value change
Name | Type | Description |
---|---|---|
conditionProperties | ||
conditionType |
string:
Property |
PropertyConditionProperties
Describes an automation rule condition that evaluates a property's value
Name | Type | Description |
---|---|---|
conditionProperties | ||
conditionType |
string:
Property |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt |
string |
The timestamp of resource creation (UTC). |
createdBy |
string |
The identity that created the resource. |
createdByType |
The type of identity that created the resource. |
|
lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
lastModifiedBy |
string |
The identity that last modified the resource. |
lastModifiedByType |
The type of identity that last modified the resource. |
triggersOn
Name | Type | Description |
---|---|---|
Alerts |
string |
Trigger on Alerts |
Incidents |
string |
Trigger on Incidents |
triggersWhen
Name | Type | Description |
---|---|---|
Created |
string |
Trigger on created objects |
Updated |
string |
Trigger on updated objects |