Automation Rules - Create Or Update

Creates or updates the automation rule.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}?api-version=2024-03-01

URI Parameters

Name In Required Type Description
automationRuleId
path True

string

Automation rule ID

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Request Body

Name Required Type Description
properties.actions True AutomationRuleAction[]:

The actions to execute when the automation rule is triggered.

properties.displayName True

string

The display name of the automation rule.

properties.order True

integer

The order of execution of the automation rule.

properties.triggeringLogic True

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

etag

string

Etag of the azure resource

Responses

Name Type Description
200 OK

AutomationRule

Ok

201 Created

AutomationRule

Created

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

AutomationRules_CreateOrUpdate

Sample request

PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2024-03-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "type": "Microsoft.SecurityInsights/automationRules",
  "properties": {
    "displayName": "Suspicious user sign-in events",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds",
            "operator": "Contains",
            "propertyValues": [
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
            ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "AddIncidentTask",
        "actionConfiguration": {
          "title": "Reset user passwords",
          "description": "Reset passwords for compromised users."
        }
      }
    ],
    "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
    "createdTimeUtc": "2019-01-01T13:00:00Z",
    "lastModifiedBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    },
    "createdBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    }
  }
}
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "type": "Microsoft.SecurityInsights/automationRules",
  "properties": {
    "displayName": "Suspicious user sign-in events",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds",
            "operator": "Contains",
            "propertyValues": [
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
            ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "AddIncidentTask",
        "actionConfiguration": {
          "title": "Reset user passwords",
          "description": "Reset passwords for compromised users."
        }
      }
    ],
    "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
    "createdTimeUtc": "2019-01-01T13:00:00Z",
    "lastModifiedBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    },
    "createdBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    }
  }
}

Definitions

Name Description
ActionType

The type of the automation rule action.

AddIncidentTaskActionProperties

Describes an automation rule action to add a task to an incident.

AutomationRule
AutomationRuleAddIncidentTaskAction

Describes an automation rule action to add a task to an incident

AutomationRuleBooleanCondition

Describes an automation rule condition with boolean operators.

AutomationRuleBooleanConditionSupportedOperator

Describes a boolean condition operator.

AutomationRuleModifyPropertiesAction

Describes an automation rule action to modify an object's properties

AutomationRulePropertyArrayChangedConditionSupportedArrayType
AutomationRulePropertyArrayChangedConditionSupportedChangeType
AutomationRulePropertyArrayChangedValuesCondition
AutomationRulePropertyArrayConditionSupportedArrayConditionType

Describes an array condition evaluation type.

AutomationRulePropertyArrayConditionSupportedArrayType

Describes an array condition evaluated array type.

AutomationRulePropertyArrayValuesCondition

Describes an automation rule condition on array properties.

AutomationRulePropertyChangedConditionSupportedChangedType
AutomationRulePropertyChangedConditionSupportedPropertyType
AutomationRulePropertyConditionSupportedOperator
AutomationRulePropertyConditionSupportedProperty

The property to evaluate in an automation rule property condition.

AutomationRulePropertyValuesChangedCondition
AutomationRulePropertyValuesCondition
AutomationRuleRunPlaybookAction

Describes an automation rule action to run a playbook

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

BooleanConditionProperties

Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions

ClientInfo

Information on the client (user or application) that made some action

CloudError

Error response structure.

CloudErrorBody

Error details.

ConditionType
createdByType

The type of identity that created the resource.

IncidentClassification

The reason the incident was closed

IncidentClassificationReason

The classification reason the incident was closed with

IncidentLabel

Represents an incident label

IncidentLabelType

The type of the label

IncidentOwnerInfo

Information on the user an incident is assigned to

IncidentPropertiesAction
IncidentSeverity

The severity of the incident

IncidentStatus

The status of the incident

OwnerType

The type of the owner the incident is assigned to.

PlaybookActionProperties
PropertyArrayChangedConditionProperties

Describes an automation rule condition that evaluates an array property's value change

PropertyArrayConditionProperties

Describes an automation rule condition that evaluates an array property's value

PropertyChangedConditionProperties

Describes an automation rule condition that evaluates a property's value change

PropertyConditionProperties

Describes an automation rule condition that evaluates a property's value

systemData

Metadata pertaining to creation and last modification of the resource.

triggersOn
triggersWhen

ActionType

The type of the automation rule action.

Name Type Description
AddIncidentTask

string

Add a task to an incident object

ModifyProperties

string

Modify an object's properties

RunPlaybook

string

Run a playbook on an object

AddIncidentTaskActionProperties

Describes an automation rule action to add a task to an incident.

Name Type Description
description

string

The description of the task.

title

string

The title of the task.

AutomationRule

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

name

string

The name of the resource

properties.actions AutomationRuleAction[]:

The actions to execute when the automation rule is triggered.

properties.createdBy

ClientInfo

Information on the client (user or application) that made some action

properties.createdTimeUtc

string

The time the automation rule was created.

properties.displayName

string

The display name of the automation rule.

properties.lastModifiedBy

ClientInfo

Information on the client (user or application) that made some action

properties.lastModifiedTimeUtc

string

The last time the automation rule was updated.

properties.order

integer

The order of execution of the automation rule.

properties.triggeringLogic

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AutomationRuleAddIncidentTaskAction

Describes an automation rule action to add a task to an incident

Name Type Description
actionConfiguration

AddIncidentTaskActionProperties

Describes an automation rule action to add a task to an incident.

actionType string:

AddIncidentTask

The type of the automation rule action.

order

integer

AutomationRuleBooleanCondition

Describes an automation rule condition with boolean operators.

Name Type Description
innerConditions AutomationRuleCondition[]:

Describes an automation rule condition.

operator

AutomationRuleBooleanConditionSupportedOperator

Describes a boolean condition operator.

AutomationRuleBooleanConditionSupportedOperator

Describes a boolean condition operator.

Name Type Description
And

string

Evaluates as true if all the item conditions are evaluated as true

Or

string

Evaluates as true if at least one of the item conditions are evaluated as true

AutomationRuleModifyPropertiesAction

Describes an automation rule action to modify an object's properties

Name Type Description
actionConfiguration

IncidentPropertiesAction

actionType string:

ModifyProperties

The type of the automation rule action.

order

integer

AutomationRulePropertyArrayChangedConditionSupportedArrayType

Name Type Description
Alerts

string

Evaluate the condition on the alerts

Comments

string

Evaluate the condition on the comments

Labels

string

Evaluate the condition on the labels

Tactics

string

Evaluate the condition on the tactics

AutomationRulePropertyArrayChangedConditionSupportedChangeType

Name Type Description
Added

string

Evaluate the condition on items added to the array

AutomationRulePropertyArrayChangedValuesCondition

Name Type Description
arrayType

AutomationRulePropertyArrayChangedConditionSupportedArrayType

changeType

AutomationRulePropertyArrayChangedConditionSupportedChangeType

AutomationRulePropertyArrayConditionSupportedArrayConditionType

Describes an array condition evaluation type.

Name Type Description
AnyItem

string

Evaluate the condition as true if any item fulfills it

AutomationRulePropertyArrayConditionSupportedArrayType

Describes an array condition evaluated array type.

Name Type Description
CustomDetailValues

string

Evaluate the condition on a custom detail's values

CustomDetails

string

Evaluate the condition on the custom detail keys

AutomationRulePropertyArrayValuesCondition

Describes an automation rule condition on array properties.

Name Type Description
arrayConditionType

AutomationRulePropertyArrayConditionSupportedArrayConditionType

Describes an array condition evaluation type.

arrayType

AutomationRulePropertyArrayConditionSupportedArrayType

Describes an array condition evaluated array type.

itemConditions AutomationRuleCondition[]:

Describes an automation rule condition.

AutomationRulePropertyChangedConditionSupportedChangedType

Name Type Description
ChangedFrom

string

Evaluate the condition on the previous value of the property

ChangedTo

string

Evaluate the condition on the updated value of the property

AutomationRulePropertyChangedConditionSupportedPropertyType

Name Type Description
IncidentOwner

string

Evaluate the condition on the incident owner

IncidentSeverity

string

Evaluate the condition on the incident severity

IncidentStatus

string

Evaluate the condition on the incident status

AutomationRulePropertyConditionSupportedOperator

Name Type Description
Contains

string

Evaluates if the property contains at least one of the condition values

EndsWith

string

Evaluates if the property ends with any of the condition values

Equals

string

Evaluates if the property equals at least one of the condition values

NotContains

string

Evaluates if the property does not contain any of the condition values

NotEndsWith

string

Evaluates if the property does not end with any of the condition values

NotEquals

string

Evaluates if the property does not equal any of the condition values

NotStartsWith

string

Evaluates if the property does not start with any of the condition values

StartsWith

string

Evaluates if the property starts with any of the condition values

AutomationRulePropertyConditionSupportedProperty

The property to evaluate in an automation rule property condition.

Name Type Description
AccountAadTenantId

string

The account Azure Active Directory tenant id

AccountAadUserId

string

The account Azure Active Directory user id

AccountNTDomain

string

The account NetBIOS domain name

AccountName

string

The account name

AccountObjectGuid

string

The account unique identifier

AccountPUID

string

The account Azure Active Directory Passport User ID

AccountSid

string

The account security identifier

AccountUPNSuffix

string

The account user principal name suffix

AlertAnalyticRuleIds

string

The analytic rule ids of the alert

AlertProductNames

string

The name of the product of the alert

AzureResourceResourceId

string

The Azure resource id

AzureResourceSubscriptionId

string

The Azure resource subscription id

CloudApplicationAppId

string

The cloud application identifier

CloudApplicationAppName

string

The cloud application name

DNSDomainName

string

The dns record domain name

FileDirectory

string

The file directory full path

FileHashValue

string

The file hash value

FileName

string

The file name without path

HostAzureID

string

The host Azure resource id

HostNTDomain

string

The host NT domain

HostName

string

The host name without domain

HostNetBiosName

string

The host NetBIOS name

HostOSVersion

string

The host operating system

IPAddress

string

The IP address

IncidentCustomDetailsKey

string

The incident custom detail key

IncidentCustomDetailsValue

string

The incident custom detail value

IncidentDescription

string

The description of the incident

IncidentLabel

string

The labels of the incident

IncidentProviderName

string

The provider name of the incident

IncidentRelatedAnalyticRuleIds

string

The related Analytic rule ids of the incident

IncidentSeverity

string

The severity of the incident

IncidentStatus

string

The status of the incident

IncidentTactics

string

The tactics of the incident

IncidentTitle

string

The title of the incident

IncidentUpdatedBySource

string

The update source of the incident

IoTDeviceId

string

"The IoT device id

IoTDeviceModel

string

The IoT device model

IoTDeviceName

string

The IoT device name

IoTDeviceOperatingSystem

string

The IoT device operating system

IoTDeviceType

string

The IoT device type

IoTDeviceVendor

string

The IoT device vendor

MailMessageDeliveryAction

string

The mail message delivery action

MailMessageDeliveryLocation

string

The mail message delivery location

MailMessageP1Sender

string

The mail message P1 sender

MailMessageP2Sender

string

The mail message P2 sender

MailMessageRecipient

string

The mail message recipient

MailMessageSenderIP

string

The mail message sender IP address

MailMessageSubject

string

The mail message subject

MailboxDisplayName

string

The mailbox display name

MailboxPrimaryAddress

string

The mailbox primary address

MailboxUPN

string

The mailbox user principal name

MalwareCategory

string

The malware category

MalwareName

string

The malware name

ProcessCommandLine

string

The process execution command line

ProcessId

string

The process id

RegistryKey

string

The registry key path

RegistryValueData

string

The registry key value in string formatted representation

Url

string

The url

AutomationRulePropertyValuesChangedCondition

Name Type Description
changeType

AutomationRulePropertyChangedConditionSupportedChangedType

operator

AutomationRulePropertyConditionSupportedOperator

propertyName

AutomationRulePropertyChangedConditionSupportedPropertyType

propertyValues

string[]

AutomationRulePropertyValuesCondition

Name Type Description
operator

AutomationRulePropertyConditionSupportedOperator

propertyName

AutomationRulePropertyConditionSupportedProperty

The property to evaluate in an automation rule property condition.

propertyValues

string[]

AutomationRuleRunPlaybookAction

Describes an automation rule action to run a playbook

Name Type Description
actionConfiguration

PlaybookActionProperties

actionType string:

RunPlaybook

The type of the automation rule action.

order

integer

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

Name Type Description
conditions AutomationRuleCondition[]:

The conditions to evaluate to determine if the automation rule should be triggered on a given object.

expirationTimeUtc

string

Determines when the automation rule should automatically expire and be disabled.

isEnabled

boolean

Determines whether the automation rule is enabled or disabled.

triggersOn

triggersOn

triggersWhen

triggersWhen

BooleanConditionProperties

Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions

Name Type Description
conditionProperties

AutomationRuleBooleanCondition

Describes an automation rule condition with boolean operators.

conditionType string:

Boolean

ClientInfo

Information on the client (user or application) that made some action

Name Type Description
email

string

The email of the client.

name

string

The name of the client.

objectId

string

The object id of the client.

userPrincipalName

string

The user principal name of the client.

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

ConditionType

Name Type Description
Boolean

string

Apply a boolean operator (e.g AND, OR) to conditions

Property

string

Evaluate an object property value

PropertyArray

string

Evaluate an object array property value

PropertyArrayChanged

string

Evaluate an object array property changed value

PropertyChanged

string

Evaluate an object property changed value

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

IncidentClassification

The reason the incident was closed

Name Type Description
BenignPositive

string

Incident was benign positive

FalsePositive

string

Incident was false positive

TruePositive

string

Incident was true positive

Undetermined

string

Incident classification was undetermined

IncidentClassificationReason

The classification reason the incident was closed with

Name Type Description
InaccurateData

string

Classification reason was inaccurate data

IncorrectAlertLogic

string

Classification reason was incorrect alert logic

SuspiciousActivity

string

Classification reason was suspicious activity

SuspiciousButExpected

string

Classification reason was suspicious but expected

IncidentLabel

Represents an incident label

Name Type Description
labelName

string

The name of the label

labelType

IncidentLabelType

The type of the label

IncidentLabelType

The type of the label

Name Type Description
AutoAssigned

string

Label automatically created by the system

User

string

Label manually created by a user

IncidentOwnerInfo

Information on the user an incident is assigned to

Name Type Description
assignedTo

string

The name of the user the incident is assigned to.

email

string

The email of the user the incident is assigned to.

objectId

string

The object id of the user the incident is assigned to.

ownerType

OwnerType

The type of the owner the incident is assigned to.

userPrincipalName

string

The user principal name of the user the incident is assigned to.

IncidentPropertiesAction

Name Type Description
classification

IncidentClassification

The reason the incident was closed

classificationComment

string

Describes the reason the incident was closed.

classificationReason

IncidentClassificationReason

The classification reason the incident was closed with

labels

IncidentLabel[]

List of labels to add to the incident.

owner

IncidentOwnerInfo

Information on the user an incident is assigned to

severity

IncidentSeverity

The severity of the incident

status

IncidentStatus

The status of the incident

IncidentSeverity

The severity of the incident

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

IncidentStatus

The status of the incident

Name Type Description
Active

string

An active incident which is being handled

Closed

string

A non-active incident

New

string

An active incident which isn't being handled currently

OwnerType

The type of the owner the incident is assigned to.

Name Type Description
Group

string

The incident owner type is an AAD group

Unknown

string

The incident owner type is unknown

User

string

The incident owner type is an AAD user

PlaybookActionProperties

Name Type Description
logicAppResourceId

string

The resource id of the playbook resource.

tenantId

string

The tenant id of the playbook resource.

PropertyArrayChangedConditionProperties

Describes an automation rule condition that evaluates an array property's value change

Name Type Description
conditionProperties

AutomationRulePropertyArrayChangedValuesCondition

conditionType string:

PropertyArrayChanged

PropertyArrayConditionProperties

Describes an automation rule condition that evaluates an array property's value

Name Type Description
conditionProperties

AutomationRulePropertyArrayValuesCondition

Describes an automation rule condition on array properties.

conditionType string:

PropertyArray

PropertyChangedConditionProperties

Describes an automation rule condition that evaluates a property's value change

Name Type Description
conditionProperties

AutomationRulePropertyValuesChangedCondition

conditionType string:

PropertyChanged

PropertyConditionProperties

Describes an automation rule condition that evaluates a property's value

Name Type Description
conditionProperties

AutomationRulePropertyValuesCondition

conditionType string:

Property

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

triggersOn

Name Type Description
Alerts

string

Trigger on Alerts

Incidents

string

Trigger on Incidents

triggersWhen

Name Type Description
Created

string

Trigger on created objects

Updated

string

Trigger on updated objects