Automation Rules - Get

Gets the automation rule.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}?api-version=2024-09-01

URI Parameters

Name In Required Type Description
automationRuleId path True string Automation rule ID
resourceGroupName path True string The name of the resource group. The name is case insensitive.
subscriptionId path True string (uuid) The ID of the target subscription. The value must be a UUID.
workspaceName path True string The name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
api-version query True string The API version to use for this operation.

Responses

Name Type Description
200 OK AutomationRule Ok
Other Status Codes CloudError Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

AutomationRules_Get

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "type": "Microsoft.SecurityInsights/automationRules",
  "properties": {
    "displayName": "Suspicious user sign-in events",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds",
            "operator": "Contains",
            "propertyValues": [
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
            ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "AddIncidentTask",
        "actionConfiguration": {
          "title": "Reset user passwords",
          "description": "Reset passwords for compromised users."
        }
      }
    ],
    "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
    "createdTimeUtc": "2019-01-01T13:00:00Z",
    "lastModifiedBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    },
    "createdBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    }
  }
}

Definitions

Name Description
ActionType

The type of the automation rule action.

AddIncidentTaskActionProperties

Describes an automation rule action to add a task to an incident.

AutomationRule
AutomationRuleAddIncidentTaskAction

Describes an automation rule action to add a task to an incident

AutomationRuleBooleanCondition

Describes an automation rule condition with boolean operators.

AutomationRuleBooleanConditionSupportedOperator

Describes a boolean condition operator.

AutomationRuleModifyPropertiesAction

Describes an automation rule action to modify an object's properties

AutomationRulePropertyArrayChangedConditionSupportedArrayType
AutomationRulePropertyArrayChangedConditionSupportedChangeType
AutomationRulePropertyArrayChangedValuesCondition
AutomationRulePropertyArrayConditionSupportedArrayConditionType

Describes an array condition evaluation type.

AutomationRulePropertyArrayConditionSupportedArrayType

Describes an array condition evaluated array type.

AutomationRulePropertyArrayValuesCondition

Describes an automation rule condition on array properties.

AutomationRulePropertyChangedConditionSupportedChangedType
AutomationRulePropertyChangedConditionSupportedPropertyType
AutomationRulePropertyConditionSupportedOperator
AutomationRulePropertyConditionSupportedProperty

The property to evaluate in an automation rule property condition.

AutomationRulePropertyValuesChangedCondition
AutomationRulePropertyValuesCondition
AutomationRuleRunPlaybookAction

Describes an automation rule action to run a playbook

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

BooleanConditionProperties

Describes an automation rule condition that applies a boolean operator (e.g. AND, OR) to conditions

ClientInfo

Information on the client (user or application) that made some action

CloudError

Error response structure.

CloudErrorBody

Error details.

ConditionType
createdByType

The type of identity that created the resource.

IncidentClassification

The reason the incident was closed

IncidentClassificationReason

The classification reason the incident was closed with

IncidentLabel

Represents an incident label

IncidentLabelType

The type of the label

IncidentOwnerInfo

Information on the user an incident is assigned to

IncidentPropertiesAction
IncidentSeverity

The severity of the incident

IncidentStatus

The status of the incident

OwnerType

The type of the owner the incident is assigned to.

PlaybookActionProperties
PropertyArrayChangedConditionProperties

Describes an automation rule condition that evaluates an array property's value change

PropertyArrayConditionProperties

Describes an automation rule condition that evaluates an array property's value

PropertyChangedConditionProperties

Describes an automation rule condition that evaluates a property's value change

PropertyConditionProperties

Describes an automation rule condition that evaluates a property's value

systemData

Metadata pertaining to creation and last modification of the resource.

triggersOn
triggersWhen

ActionType

The type of the automation rule action.

Value Description
AddIncidentTask

Add a task to an incident object

ModifyProperties

Modify an object's properties

RunPlaybook

Run a playbook on an object

AddIncidentTaskActionProperties

Describes an automation rule action to add a task to an incident.

Name Type Description
description

string

The description of the task.

title

string

The title of the task.

AutomationRule

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

name

string

The name of the resource

properties.actions AutomationRuleAction[]:

The actions to execute when the automation rule is triggered.

properties.createdBy

ClientInfo

Information on the client (user or application) that made some action

properties.createdTimeUtc

string

The time the automation rule was created.

properties.displayName

string

The display name of the automation rule.

properties.lastModifiedBy

ClientInfo

Information on the client (user or application) that made some action

properties.lastModifiedTimeUtc

string

The last time the automation rule was updated.

properties.order

integer

The order of execution of the automation rule.

properties.triggeringLogic

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AutomationRuleAddIncidentTaskAction

Describes an automation rule action to add a task to an incident

Name Type Description
actionConfiguration

AddIncidentTaskActionProperties

Describes an automation rule action to add a task to an incident.

actionType string:

AddIncidentTask

The type of the automation rule action.

order

integer

AutomationRuleBooleanCondition

Describes an automation rule condition with boolean operators.

Name Type Description
innerConditions AutomationRuleCondition[]:

Describes an automation rule condition.

operator

AutomationRuleBooleanConditionSupportedOperator

Describes a boolean condition operator.

AutomationRuleBooleanConditionSupportedOperator

Describes a boolean condition operator.

Value Description
And

Evaluates as true if all the item conditions are evaluated as true

Or

Evaluates as true if at least one of the item conditions is evaluated as true

AutomationRuleModifyPropertiesAction

Describes an automation rule action to modify an object's properties

Name Type Description
actionConfiguration

IncidentPropertiesAction

actionType string:

ModifyProperties

The type of the automation rule action.

order

integer

AutomationRulePropertyArrayChangedConditionSupportedArrayType

Value Description
Alerts

Evaluate the condition on the alerts

Comments

Evaluate the condition on the comments

Labels

Evaluate the condition on the labels

Tactics

Evaluate the condition on the tactics

AutomationRulePropertyArrayChangedConditionSupportedChangeType

Value Description
Added

Evaluate the condition on items added to the array

AutomationRulePropertyArrayChangedValuesCondition

Name Type Description
arrayType

AutomationRulePropertyArrayChangedConditionSupportedArrayType

changeType

AutomationRulePropertyArrayChangedConditionSupportedChangeType

AutomationRulePropertyArrayConditionSupportedArrayConditionType

Describes an array condition evaluation type.

Value Description
AnyItem

Evaluate the condition as true if any item fulfills it

AutomationRulePropertyArrayConditionSupportedArrayType

Describes an array condition evaluated array type.

Value Description
CustomDetailValues

Evaluate the condition on a custom detail's values

CustomDetails

Evaluate the condition on the custom detail keys

AutomationRulePropertyArrayValuesCondition

Describes an automation rule condition on array properties.

Name Type Description
arrayConditionType

AutomationRulePropertyArrayConditionSupportedArrayConditionType

Describes an array condition evaluation type.

arrayType

AutomationRulePropertyArrayConditionSupportedArrayType

Describes an array condition evaluated array type.

itemConditions AutomationRuleCondition[]:

Describes an automation rule condition.

AutomationRulePropertyChangedConditionSupportedChangedType

Value Description
ChangedFrom

Evaluate the condition on the previous value of the property

ChangedTo

Evaluate the condition on the updated value of the property

AutomationRulePropertyChangedConditionSupportedPropertyType

Value Description
IncidentOwner

Evaluate the condition on the incident owner

IncidentSeverity

Evaluate the condition on the incident severity

IncidentStatus

Evaluate the condition on the incident status

AutomationRulePropertyConditionSupportedOperator

Value Description
Contains

Evaluates if the property contains at least one of the condition values

EndsWith

Evaluates if the property ends with any of the condition values

Equals

Evaluates if the property equals at least one of the condition values

NotContains

Evaluates if the property does not contain any of the condition values

NotEndsWith

Evaluates if the property does not end with any of the condition values

NotEquals

Evaluates if the property does not equal any of the condition values

NotStartsWith

Evaluates if the property does not start with any of the condition values

StartsWith

Evaluates if the property starts with any of the condition values
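The operator table above, the Boolean And/Or operators and the triggeringLogic of the sample response together define what a rule will match. As an added example (not Microsoft's code), the following offline evaluator applies those semantics to a constructed incident so a reviewer can predict a rule's behaviour without touching the workspace; match_operator, evaluate_condition, rule_triggers, the incident dictionaries, case-insensitive comparison, any-element matching for array properties and And-combination of top-level conditions are all this example's own assumptions.

```python
# Added example, not Microsoft code. Names below are this example's own.
ALERT_RULE_PREFIX = ("/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/"
                     "providers/Microsoft.OperationalInsights/workspaces/myWorkspace/"
                     "providers/Microsoft.SecurityInsights/alertRules/")

# triggeringLogic from this page's sample response, rebuilt as a dict.
RULE = {"properties": {"displayName": "Suspicious user sign-in events", "triggeringLogic": {
    "isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
    "conditions": [{"conditionType": "Property", "conditionProperties": {
        "propertyName": "IncidentRelatedAnalyticRuleIds", "operator": "Contains",
        "propertyValues": [ALERT_RULE_PREFIX + "fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                           ALERT_RULE_PREFIX + "8deb8303-e94d-46ff-96e0-5fd94b33df1a"]}}]}}}

# Constructed incidents keyed by AutomationRulePropertyConditionSupportedProperty values.
INCIDENT_HIT = {"IncidentRelatedAnalyticRuleIds": [ALERT_RULE_PREFIX + "8deb8303-e94d-46ff-96e0-5fd94b33df1a"],
                "IncidentSeverity": "High", "IncidentTitle": "Sign-in from anonymous IP"}
INCIDENT_MISS = {"IncidentRelatedAnalyticRuleIds": [ALERT_RULE_PREFIX + "00000000-0000-0000-0000-000000000000"],
                 "IncidentSeverity": "Low", "IncidentTitle": "Test sign-in"}

# Constructed: the sample condition wrapped in a Boolean And with two more property
# conditions, to exercise And/Or and a Not* operator.
STRICT_CONDITIONS = [{"conditionType": "Boolean", "conditionProperties": {"operator": "And",
    "innerConditions": RULE["properties"]["triggeringLogic"]["conditions"] + [
        {"conditionType": "Property", "conditionProperties": {"propertyName": "IncidentSeverity",
            "operator": "Equals", "propertyValues": ["High", "Medium"]}},
        {"conditionType": "Property", "conditionProperties": {"propertyName": "IncidentTitle",
            "operator": "NotStartsWith", "propertyValues": ["Test"]}}]}}]

def match_operator(operator, values, candidates):
    """Apply one AutomationRulePropertyConditionSupportedOperator value to a property.
    values is the incident property as a list. Assumptions of this example: an array
    property matches when any element matches, and comparison is case-insensitive."""
    negate = operator.startswith("Not")
    base = operator[3:] if negate else operator
    tests = {"Equals": lambda v, c: v == c,
             "Contains": lambda v, c: c in v,
             "StartsWith": lambda v, c: v.startswith(c),
             "EndsWith": lambda v, c: v.endswith(c)}
    if base not in tests:
        raise ValueError(f"unsupported operator: {operator}")
    folded = [c.casefold() for c in candidates]
    hit = any(tests[base](v.casefold(), c) for v in values for c in folded)
    return not hit if negate else hit

def evaluate_condition(cond, incident):
    """Recursively evaluate one entry of triggeringLogic.conditions."""
    ctype, props = cond["conditionType"], cond["conditionProperties"]
    if ctype == "Boolean":  # And: every inner condition; Or: at least one
        inner = [evaluate_condition(c, incident) for c in props["innerConditions"]]
        return all(inner) if props["operator"] == "And" else any(inner)
    if ctype == "Property":
        raw = incident.get(props["propertyName"])
        values = raw if isinstance(raw, list) else ([] if raw is None else [raw])
        return match_operator(props["operator"], values, props["propertyValues"])
    # PropertyChanged and PropertyArrayChanged need the object's previous state and
    # PropertyArray needs custom-detail arrays; neither is modelled by this example.
    raise ValueError(f"condition type not handled by this example: {ctype}")

def rule_triggers(rule, event, incident):
    """event is (triggersOn, triggersWhen), e.g. ("Incidents", "Created").
    Top-level conditions are combined with And (an assumption of this example)."""
    logic = rule["properties"]["triggeringLogic"]
    if not logic["isEnabled"] or (logic["triggersOn"], logic["triggersWhen"]) != event:
        return False
    return all(evaluate_condition(c, incident) for c in logic["conditions"])
```

Feed it the JSON returned by this operation (properties.triggeringLogic) and a dictionary of the incident's property values to see which rules would fire for a given incident.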

AutomationRulePropertyConditionSupportedProperty

The property to evaluate in an automation rule property condition.

Value Description
AccountAadTenantId

The account Azure Active Directory tenant id

AccountAadUserId

The account Azure Active Directory user id

AccountNTDomain

The account NetBIOS domain name

AccountName

The account name

AccountObjectGuid

The account unique identifier

AccountPUID

The account Azure Active Directory Passport User ID

AccountSid

The account security identifier

AccountUPNSuffix

The account user principal name suffix

AlertAnalyticRuleIds

The analytic rule ids of the alert

AlertProductNames

The name of the product of the alert

AzureResourceResourceId

The Azure resource id

AzureResourceSubscriptionId

The Azure resource subscription id

CloudApplicationAppId

The cloud application identifier

CloudApplicationAppName

The cloud application name

DNSDomainName

The dns record domain name

FileDirectory

The file directory full path

FileHashValue

The file hash value

FileName

The file name without path

HostAzureID

The host Azure resource id

HostNTDomain

The host NT domain

HostName

The host name without domain

HostNetBiosName

The host NetBIOS name

HostOSVersion

The host operating system

IPAddress

The IP address

IncidentCustomDetailsKey

The incident custom detail key

IncidentCustomDetailsValue

The incident custom detail value

IncidentDescription

The description of the incident

IncidentLabel

The labels of the incident

IncidentProviderName

The provider name of the incident

IncidentRelatedAnalyticRuleIds

The related Analytic rule ids of the incident

IncidentSeverity

The severity of the incident

IncidentStatus

The status of the incident

IncidentTactics

The tactics of the incident

IncidentTitle

The title of the incident

IncidentUpdatedBySource

The update source of the incident

IoTDeviceId

The IoT device id

IoTDeviceModel

The IoT device model

IoTDeviceName

The IoT device name

IoTDeviceOperatingSystem

The IoT device operating system

IoTDeviceType

The IoT device type

IoTDeviceVendor

The IoT device vendor

MailMessageDeliveryAction

The mail message delivery action

MailMessageDeliveryLocation

The mail message delivery location

MailMessageP1Sender

The mail message P1 sender

MailMessageP2Sender

The mail message P2 sender

MailMessageRecipient

The mail message recipient

MailMessageSenderIP

The mail message sender IP address

MailMessageSubject

The mail message subject

MailboxDisplayName

The mailbox display name

MailboxPrimaryAddress

The mailbox primary address

MailboxUPN

The mailbox user principal name

MalwareCategory

The malware category

MalwareName

The malware name

ProcessCommandLine

The process execution command line

ProcessId

The process id

RegistryKey

The registry key path

RegistryValueData

The registry key value in string formatted representation

Url

The url

AutomationRulePropertyValuesChangedCondition

Name Type Description
changeType

AutomationRulePropertyChangedConditionSupportedChangedType

operator

AutomationRulePropertyConditionSupportedOperator

propertyName

AutomationRulePropertyChangedConditionSupportedPropertyType

propertyValues

string[]

AutomationRulePropertyValuesCondition

Name Type Description
operator

AutomationRulePropertyConditionSupportedOperator

propertyName

AutomationRulePropertyConditionSupportedProperty

The property to evaluate in an automation rule property condition.

propertyValues

string[]

AutomationRuleRunPlaybookAction

Describes an automation rule action to run a playbook

Name Type Description
actionConfiguration

PlaybookActionProperties

actionType string:

RunPlaybook

The type of the automation rule action.

order

integer

AutomationRuleTriggeringLogic

Describes automation rule triggering logic.

Name Type Description
conditions AutomationRuleCondition[]:

The conditions to evaluate to determine if the automation rule should be triggered on a given object.

expirationTimeUtc

string

Determines when the automation rule should automatically expire and be disabled.

isEnabled

boolean

Determines whether the automation rule is enabled or disabled.

triggersOn

triggersOn

triggersWhen

triggersWhen

BooleanConditionProperties

Describes an automation rule condition that applies a boolean operator (e.g. AND, OR) to conditions

Name Type Description
conditionProperties

AutomationRuleBooleanCondition

Describes an automation rule condition with boolean operators.

conditionType string:

Boolean

ClientInfo

Information on the client (user or application) that made some action

Name Type Description
email

string

The email of the client.

name

string

The name of the client.

objectId

string

The object id of the client.

userPrincipalName

string

The user principal name of the client.

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

ConditionType

Value Description
Boolean

Apply a boolean operator (e.g. AND, OR) to conditions

Property

Evaluate an object property value

PropertyArray

Evaluate an object array property value

PropertyArrayChanged

Evaluate an object array property changed value

PropertyChanged

Evaluate an object property changed value

createdByType

The type of identity that created the resource.

Value Description
Application
Key
ManagedIdentity
User

IncidentClassification

The reason the incident was closed

Value Description
BenignPositive

Incident was benign positive

FalsePositive

Incident was false positive

TruePositive

Incident was true positive

Undetermined

Incident classification was undetermined

IncidentClassificationReason

The classification reason the incident was closed with

Value Description
InaccurateData

Classification reason was inaccurate data

IncorrectAlertLogic

Classification reason was incorrect alert logic

SuspiciousActivity

Classification reason was suspicious activity

SuspiciousButExpected

Classification reason was suspicious but expected

IncidentLabel

Represents an incident label

Name Type Description
labelName

string

The name of the label

labelType

IncidentLabelType

The type of the label

IncidentLabelType

The type of the label

Value Description
AutoAssigned

Label automatically created by the system

User

Label manually created by a user

IncidentOwnerInfo

Information on the user an incident is assigned to

Name Type Description
assignedTo

string

The name of the user the incident is assigned to.

email

string

The email of the user the incident is assigned to.

objectId

string

The object id of the user the incident is assigned to.

ownerType

OwnerType

The type of the owner the incident is assigned to.

userPrincipalName

string

The user principal name of the user the incident is assigned to.

IncidentPropertiesAction

Name Type Description
classification

IncidentClassification

The reason the incident was closed

classificationComment

string

Describes the reason the incident was closed.

classificationReason

IncidentClassificationReason

The classification reason the incident was closed with

labels

IncidentLabel[]

List of labels to add to the incident.

owner

IncidentOwnerInfo

Information on the user an incident is assigned to

severity

IncidentSeverity

The severity of the incident

status

IncidentStatus

The status of the incident

IncidentSeverity

The severity of the incident

Value Description
High

High severity

Informational

Informational severity

Low

Low severity

Medium

Medium severity

IncidentStatus

The status of the incident

Value Description
Active

An active incident which is being handled

Closed

A non-active incident

New

An active incident which isn't being handled currently

OwnerType

The type of the owner the incident is assigned to.

Value Description
Group

The incident owner type is an AAD group

Unknown

The incident owner type is unknown

User

The incident owner type is an AAD user

PlaybookActionProperties

Name Type Description
logicAppResourceId

string

The resource id of the playbook resource.

tenantId

string

The tenant id of the playbook resource.
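The AutomationRuleTriggeringLogic, IncidentPropertiesAction and PlaybookActionProperties tables above describe everything a rule can do once it fires. As an added example (not Microsoft's code), the reviewer below walks properties.actions of a document returned by this operation and reports the settings a SOC would want a second look at: rules with no conditions, actions that close or down-grade incidents, and playbooks owned by a different tenant. review_rule, highest_level, the finding levels, HOME_TENANT and NOISY_RULE are this example's own constructions; the page's sample rule is reproduced only as far as the reviewer reads it.

```python
from datetime import datetime, timezone

# Constructed home tenant id for the example; not from the page.
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"

# The page's sample response, trimmed to the fields this review reads.
SAMPLE_RULE = {"properties": {"displayName": "Suspicious user sign-in events", "order": 1,
    "triggeringLogic": {"isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
                        "conditions": [{"conditionType": "Property"}]},  # condition body omitted
    "actions": [{"order": 1, "actionType": "AddIncidentTask", "actionConfiguration": {
        "title": "Reset user passwords", "description": "Reset passwords for compromised users."}}]}}

# Constructed rule a reviewer would want flagged: no conditions, closes every new
# incident as benign and then calls a playbook that lives in a different tenant.
NOISY_RULE = {"properties": {"displayName": "Auto-close (constructed)", "order": 2,
    "triggeringLogic": {"isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
                        "expirationTimeUtc": "2030-01-01T00:00:00Z", "conditions": []},
    "actions": [
        {"order": 1, "actionType": "ModifyProperties", "actionConfiguration": {
            "status": "Closed", "classification": "BenignPositive",
            "classificationReason": "SuspiciousButExpected", "severity": "Informational"}},
        {"order": 2, "actionType": "RunPlaybook", "actionConfiguration": {
            "logicAppResourceId": "/subscriptions/<other-sub>/resourceGroups/rg/providers/Microsoft.Logic/workflows/pb",
            "tenantId": "11111111-1111-1111-1111-111111111111"}}]}}

def review_rule(rule, home_tenant_id, now=None):
    """Return (level, message) findings for one AutomationRule document.
    Which settings are flagged, and at which level, is this example's own judgement."""
    props, logic = rule["properties"], rule["properties"]["triggeringLogic"]
    now = now or datetime.now(timezone.utc)
    out = []
    if not logic.get("isEnabled", False):
        out.append(("info", "rule is disabled and will not fire"))
    exp = logic.get("expirationTimeUtc")
    if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        out.append(("info", f"rule expired at {exp}"))
    if not logic.get("conditions"):
        out.append(("warn", f"no conditions: fires on every {logic['triggersOn']}/{logic['triggersWhen']} event"))
    for act in sorted(props.get("actions", []), key=lambda a: a["order"]):
        kind, cfg, n = act["actionType"], act.get("actionConfiguration", {}), act["order"]
        if kind == "ModifyProperties":
            if cfg.get("status") == "Closed":
                out.append(("high", f"action {n} closes incidents (classification={cfg.get('classification')},"
                                    f" reason={cfg.get('classificationReason')})"))
            if cfg.get("severity") in ("Low", "Informational"):
                out.append(("warn", f"action {n} lowers severity to {cfg['severity']}"))
            if "owner" in cfg:
                out.append(("info", f"action {n} reassigns incidents to {cfg['owner'].get('assignedTo')}"))
        elif kind == "RunPlaybook":
            tenant = cfg.get("tenantId", "")
            if tenant and tenant.lower() != home_tenant_id.lower():
                out.append(("high", f"action {n} runs a playbook owned by tenant {tenant}"))
            out.append(("info", f"action {n} runs playbook {cfg.get('logicAppResourceId')}"))
        elif kind == "AddIncidentTask":
            out.append(("info", f"action {n} adds task '{cfg.get('title')}'"))
        else:
            out.append(("warn", f"action {n} has unrecognised actionType {kind}"))
    return out

def highest_level(findings):
    """Collapse findings to the most severe level present, or 'ok' when there are none."""
    order = {"info": 0, "warn": 1, "high": 2}
    return max((f[0] for f in findings), key=order.__getitem__, default="ok")
```

Run it over every rule in a workspace and sort by highest_level to find the rules that silently change incident status or hand control to resources outside the tenant.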

PropertyArrayChangedConditionProperties

Describes an automation rule condition that evaluates an array property's value change

Name Type Description
conditionProperties

AutomationRulePropertyArrayChangedValuesCondition

conditionType string:

PropertyArrayChanged

PropertyArrayConditionProperties

Describes an automation rule condition that evaluates an array property's value

Name Type Description
conditionProperties

AutomationRulePropertyArrayValuesCondition

Describes an automation rule condition on array properties.

conditionType string:

PropertyArray

PropertyChangedConditionProperties

Describes an automation rule condition that evaluates a property's value change

Name Type Description
conditionProperties

AutomationRulePropertyValuesChangedCondition

conditionType string:

PropertyChanged

PropertyConditionProperties

Describes an automation rule condition that evaluates a property's value

Name Type Description
conditionProperties

AutomationRulePropertyValuesCondition

conditionType string:

Property

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

triggersOn

Value Description
Alerts

Trigger on Alerts

Incidents

Trigger on Incidents

triggersWhen

Value Description
Created

Trigger on created objects

Updated

Trigger on updated objects