Configure Azure Security Automations

The azure-native:security:Automation resource, part of the Pulumi Azure Native provider, defines security automations that react to Microsoft Defender for Cloud events by triggering Logic Apps or other actions. This guide focuses on three capabilities: Logic App integration for security events, rule-based filtering by assessment properties, and automation activation control.

Security automations reference Logic App workflows that must exist separately and apply to specific subscription or resource group scopes. The examples are intentionally small. Combine them with your own Logic Apps, event filtering logic, and organizational scopes.

Trigger Logic Apps on any security assessment

Security teams often respond to all findings as they occur by invoking Logic Apps to create tickets, send notifications, or trigger remediation workflows.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const automation = new azure_native.security.Automation("automation", {
    actions: [{
        actionType: "LogicApp",
        logicAppResourceId: "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        uri: "https://exampleTriggerUri1.com",
    }],
    automationName: "exampleAutomation",
    description: "An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment",
    isEnabled: true,
    location: "Central US",
    resourceGroupName: "exampleResourceGroup",
    scopes: [{
        description: "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        scopePath: "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
    }],
    sources: [{
        eventSource: azure_native.security.EventSource.Assessments,
    }],
    tags: {},
});

Python:

import pulumi
import pulumi_azure_native as azure_native

automation = azure_native.security.Automation("automation",
    actions=[{
        "action_type": "LogicApp",
        "logic_app_resource_id": "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        "uri": "https://exampleTriggerUri1.com",
    }],
    automation_name="exampleAutomation",
    description="An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment",
    is_enabled=True,
    location="Central US",
    resource_group_name="exampleResourceGroup",
    scopes=[{
        "description": "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        "scope_path": "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
    }],
    sources=[{
        "event_source": azure_native.security.EventSource.ASSESSMENTS,
    }],
    tags={})

Go:

package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewAutomation(ctx, "automation", &security.AutomationArgs{
			Actions: pulumi.Array{
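				// Use the Args type with pulumi.String inputs so the element satisfies pulumi.Input.
				security.AutomationActionLogicAppArgs{
					ActionType:         pulumi.String("LogicApp"),
					LogicAppResourceId: pulumi.String("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1"),
					Uri:                pulumi.String("https://exampleTriggerUri1.com"),
				},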
			},
			AutomationName:    pulumi.String("exampleAutomation"),
			Description:       pulumi.String("An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment"),
			IsEnabled:         pulumi.Bool(true),
			Location:          pulumi.String("Central US"),
			ResourceGroupName: pulumi.String("exampleResourceGroup"),
			Scopes: security.AutomationScopeArray{
				&security.AutomationScopeArgs{
					Description: pulumi.String("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5"),
					ScopePath:   pulumi.String("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup"),
				},
			},
			Sources: security.AutomationSourceArray{
				&security.AutomationSourceArgs{
					EventSource: pulumi.String(security.EventSourceAssessments),
				},
			},
			Tags: pulumi.StringMap{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var automation = new AzureNative.Security.Automation("automation", new()
    {
        Actions = new[]
        {
            new AzureNative.Security.Inputs.AutomationActionLogicAppArgs
            {
                ActionType = "LogicApp",
                LogicAppResourceId = "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
                Uri = "https://exampleTriggerUri1.com",
            },
        },
        AutomationName = "exampleAutomation",
        Description = "An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment",
        IsEnabled = true,
        Location = "Central US",
        ResourceGroupName = "exampleResourceGroup",
        Scopes = new[]
        {
            new AzureNative.Security.Inputs.AutomationScopeArgs
            {
                Description = "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
                ScopePath = "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
            },
        },
        Sources = new[]
        {
            new AzureNative.Security.Inputs.AutomationSourceArgs
            {
                EventSource = AzureNative.Security.EventSource.Assessments,
            },
        },
        Tags = null,
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Automation;
import com.pulumi.azurenative.security.AutomationArgs;
import com.pulumi.azurenative.security.inputs.AutomationActionLogicAppArgs;
import com.pulumi.azurenative.security.inputs.AutomationScopeArgs;
import com.pulumi.azurenative.security.inputs.AutomationSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var automation = new Automation("automation", AutomationArgs.builder()
            .actions(AutomationActionLogicAppArgs.builder()
                .actionType("LogicApp")
                .logicAppResourceId("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1")
                .uri("https://exampleTriggerUri1.com")
                .build())
            .automationName("exampleAutomation")
            .description("An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment")
            .isEnabled(true)
            .location("Central US")
            .resourceGroupName("exampleResourceGroup")
            .scopes(AutomationScopeArgs.builder()
                .description("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5")
                .scopePath("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup")
                .build())
            .sources(AutomationSourceArgs.builder()
                .eventSource("Assessments")
                .build())
            .tags(Map.ofEntries(
            ))
            .build());

    }
}

YAML:

resources:
  automation:
    type: azure-native:security:Automation
    properties:
      actions:
        - actionType: LogicApp
          logicAppResourceId: /subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1
          uri: https://exampleTriggerUri1.com
      automationName: exampleAutomation
      description: An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment
      isEnabled: true
      location: Central US
      resourceGroupName: exampleResourceGroup
      scopes:
        - description: 'A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5'
          scopePath: /subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup
      sources:
        - eventSource: Assessments
      tags: {}

When Defender for Cloud generates a security assessment within the specified scope, the automation invokes the Logic App at the provided URI. The sources property defines which event types trigger the automation; here, eventSource is set to “Assessments” to capture all security findings. The scopes property limits where the automation applies, using scopePath to target a specific subscription and resource group. The actions property lists what happens when rules match; logicAppResourceId points to your workflow.

Filter assessments by severity using rule sets

High-severity findings often require immediate attention, while lower-severity issues follow different workflows. Rule sets filter events based on assessment properties before triggering actions.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const automation = new azure_native.security.Automation("automation", {
    actions: [{
        actionType: "LogicApp",
        logicAppResourceId: "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        uri: "https://exampleTriggerUri1.com",
    }],
    automationName: "exampleAutomation",
    description: "An example of a security automation that triggers one LogicApp resource (myTest1) on any high severity security assessment",
    isEnabled: true,
    location: "Central US",
    resourceGroupName: "exampleResourceGroup",
    scopes: [{
        description: "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        scopePath: "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
    }],
    sources: [{
        eventSource: azure_native.security.EventSource.Assessments,
        ruleSets: [{
            rules: [{
                expectedValue: "High",
                operator: azure_native.security.Operator.Equals,
                propertyJPath: "properties.metadata.severity",
                propertyType: azure_native.security.PropertyType.String,
            }],
        }],
    }],
    tags: {},
});

Python:

import pulumi
import pulumi_azure_native as azure_native

automation = azure_native.security.Automation("automation",
    actions=[{
        "action_type": "LogicApp",
        "logic_app_resource_id": "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        "uri": "https://exampleTriggerUri1.com",
    }],
    automation_name="exampleAutomation",
    description="An example of a security automation that triggers one LogicApp resource (myTest1) on any high severity security assessment",
    is_enabled=True,
    location="Central US",
    resource_group_name="exampleResourceGroup",
    scopes=[{
        "description": "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        "scope_path": "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
    }],
    sources=[{
        "event_source": azure_native.security.EventSource.ASSESSMENTS,
        "rule_sets": [{
            "rules": [{
                "expected_value": "High",
                "operator": azure_native.security.Operator.EQUALS,
                "property_j_path": "properties.metadata.severity",
                "property_type": azure_native.security.PropertyType.STRING,
            }],
        }],
    }],
    tags={})

Go:

package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewAutomation(ctx, "automation", &security.AutomationArgs{
			Actions: pulumi.Array{
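				// Use the Args type with pulumi.String inputs so the element satisfies pulumi.Input.
				security.AutomationActionLogicAppArgs{
					ActionType:         pulumi.String("LogicApp"),
					LogicAppResourceId: pulumi.String("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1"),
					Uri:                pulumi.String("https://exampleTriggerUri1.com"),
				},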
			},
			AutomationName:    pulumi.String("exampleAutomation"),
			Description:       pulumi.String("An example of a security automation that triggers one LogicApp resource (myTest1) on any high severity security assessment"),
			IsEnabled:         pulumi.Bool(true),
			Location:          pulumi.String("Central US"),
			ResourceGroupName: pulumi.String("exampleResourceGroup"),
			Scopes: security.AutomationScopeArray{
				&security.AutomationScopeArgs{
					Description: pulumi.String("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5"),
					ScopePath:   pulumi.String("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup"),
				},
			},
			Sources: security.AutomationSourceArray{
				&security.AutomationSourceArgs{
					EventSource: pulumi.String(security.EventSourceAssessments),
					RuleSets: security.AutomationRuleSetArray{
						&security.AutomationRuleSetArgs{
							Rules: security.AutomationTriggeringRuleArray{
								&security.AutomationTriggeringRuleArgs{
									ExpectedValue: pulumi.String("High"),
									Operator:      pulumi.String(security.OperatorEquals),
									PropertyJPath: pulumi.String("properties.metadata.severity"),
									PropertyType:  pulumi.String(security.PropertyTypeString),
								},
							},
						},
					},
				},
			},
			Tags: pulumi.StringMap{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var automation = new AzureNative.Security.Automation("automation", new()
    {
        Actions = new[]
        {
            new AzureNative.Security.Inputs.AutomationActionLogicAppArgs
            {
                ActionType = "LogicApp",
                LogicAppResourceId = "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
                Uri = "https://exampleTriggerUri1.com",
            },
        },
        AutomationName = "exampleAutomation",
        Description = "An example of a security automation that triggers one LogicApp resource (myTest1) on any high severity security assessment",
        IsEnabled = true,
        Location = "Central US",
        ResourceGroupName = "exampleResourceGroup",
        Scopes = new[]
        {
            new AzureNative.Security.Inputs.AutomationScopeArgs
            {
                Description = "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
                ScopePath = "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
            },
        },
        Sources = new[]
        {
            new AzureNative.Security.Inputs.AutomationSourceArgs
            {
                EventSource = AzureNative.Security.EventSource.Assessments,
                RuleSets = new[]
                {
                    new AzureNative.Security.Inputs.AutomationRuleSetArgs
                    {
                        Rules = new[]
                        {
                            new AzureNative.Security.Inputs.AutomationTriggeringRuleArgs
                            {
                                ExpectedValue = "High",
                                Operator = AzureNative.Security.Operator.EqualsValue,
                                PropertyJPath = "properties.metadata.severity",
                                PropertyType = AzureNative.Security.PropertyType.String,
                            },
                        },
                    },
                },
            },
        },
        Tags = null,
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Automation;
import com.pulumi.azurenative.security.AutomationArgs;
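import com.pulumi.azurenative.security.inputs.AutomationActionLogicAppArgs;
import com.pulumi.azurenative.security.inputs.AutomationRuleSetArgs;
import com.pulumi.azurenative.security.inputs.AutomationScopeArgs;
import com.pulumi.azurenative.security.inputs.AutomationSourceArgs;
import com.pulumi.azurenative.security.inputs.AutomationTriggeringRuleArgs;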
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var automation = new Automation("automation", AutomationArgs.builder()
            .actions(AutomationActionLogicAppArgs.builder()
                .actionType("LogicApp")
                .logicAppResourceId("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1")
                .uri("https://exampleTriggerUri1.com")
                .build())
            .automationName("exampleAutomation")
            .description("An example of a security automation that triggers one LogicApp resource (myTest1) on any high severity security assessment")
            .isEnabled(true)
            .location("Central US")
            .resourceGroupName("exampleResourceGroup")
            .scopes(AutomationScopeArgs.builder()
                .description("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5")
                .scopePath("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup")
                .build())
            .sources(AutomationSourceArgs.builder()
                .eventSource("Assessments")
                .ruleSets(AutomationRuleSetArgs.builder()
                    .rules(AutomationTriggeringRuleArgs.builder()
                        .expectedValue("High")
                        .operator("Equals")
                        .propertyJPath("properties.metadata.severity")
                        .propertyType("String")
                        .build())
                    .build())
                .build())
            .tags(Map.ofEntries(
            ))
            .build());

    }
}

YAML:

resources:
  automation:
    type: azure-native:security:Automation
    properties:
      actions:
        - actionType: LogicApp
          logicAppResourceId: /subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1
          uri: https://exampleTriggerUri1.com
      automationName: exampleAutomation
      description: An example of a security automation that triggers one LogicApp resource (myTest1) on any high severity security assessment
      isEnabled: true
      location: Central US
      resourceGroupName: exampleResourceGroup
      scopes:
        - description: 'A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5'
          scopePath: /subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup
      sources:
        - eventSource: Assessments
          ruleSets:
            - rules:
                - expectedValue: High
                  operator: Equals
                  propertyJPath: properties.metadata.severity
                  propertyType: String
      tags: {}

The ruleSets property adds filtering logic to the event source. Each rule uses propertyJPath to specify which assessment field to evaluate (here, “properties.metadata.severity”), operator to define the comparison (Equals), and expectedValue to set the threshold (“High”). Only assessments matching all rules in at least one rule set trigger the Logic App. This extends the basic automation by adding conditional logic.
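The matching semantics described above (no ruleSets means every event fires; otherwise all rules in at least one rule set must match) can be checked offline before deploying a filter. This is an added example, not code from Pulumi or Azure: the evaluator, the sample events, and the treatment of missing properties and case-sensitive comparison are assumptions, and it covers only the String property type with the Equals, NotEquals and Contains operators named on this page.

```python
from typing import Any

_MISSING = object()


def resolve(event: dict, property_jpath: str) -> Any:
    """Follow a dotted path such as 'properties.metadata.severity'.

    A leading '$.' (as in '$.Entity.AssessmentType') is accepted and ignored.
    """
    path = property_jpath[2:] if property_jpath.startswith("$.") else property_jpath
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def rule_matches(event: dict, rule: dict) -> bool:
    """Evaluate one rule. Assumption: a missing or non-string property never matches."""
    if rule["propertyType"] != "String":
        raise ValueError(f"property type not modelled here: {rule['propertyType']}")
    actual = resolve(event, rule["propertyJPath"])
    if not isinstance(actual, str):
        return False
    expected = rule["expectedValue"]
    operator = rule["operator"]
    if operator == "Equals":
        return actual == expected  # assumption: exact, case-sensitive comparison
    if operator == "NotEquals":
        return actual != expected
    if operator == "Contains":
        return expected in actual
    raise ValueError(f"operator not modelled here: {operator}")


def source_matches(event: dict, source: dict) -> bool:
    """AND across the rules of a rule set, OR across rule sets."""
    rule_sets = source.get("ruleSets") or []
    if not rule_sets:
        return True  # no filter: any event from this source triggers the actions
    return any(
        all(rule_matches(event, rule) for rule in rule_set.get("rules", []))
        for rule_set in rule_sets
    )


def triggered(events: list, source: dict) -> list:
    """Names of the events that would invoke the automation's actions."""
    return [e["name"] for e in events if source_matches(e, source)]


def _rule(path: str, operator: str, expected: str) -> dict:
    return {"propertyJPath": path, "propertyType": "String",
            "operator": operator, "expectedValue": expected}


# Source definitions in the shape used by the YAML on this page.
UNFILTERED = {"eventSource": "Assessments"}
HIGH_ONLY = {"eventSource": "Assessments", "ruleSets": [
    {"rules": [_rule("properties.metadata.severity", "Equals", "High")]},
]}
# Two rule sets: High severity, OR (Medium severity AND an MFA-related name).
HIGH_OR_MEDIUM_MFA = {"eventSource": "Assessments", "ruleSets": [
    {"rules": [_rule("properties.metadata.severity", "Equals", "High")]},
    {"rules": [_rule("properties.metadata.severity", "Equals", "Medium"),
               _rule("properties.displayName", "Contains", "MFA")]},
]}

# Constructed sample events, not real Defender for Cloud output.
SAMPLE_EVENTS = [
    {"name": "a1", "properties": {"displayName": "Storage accounts should restrict network access",
                                  "metadata": {"severity": "High"}}},
    {"name": "a2", "properties": {"displayName": "MFA should be enabled on owner accounts",
                                  "metadata": {"severity": "Medium"}}},
    {"name": "a3", "properties": {"displayName": "Diagnostic logs should be enabled",
                                  "metadata": {"severity": "Medium"}}},
    {"name": "a4", "properties": {"displayName": "Custom check without metadata"}},
]

if __name__ == "__main__":
    for label, source in [("unfiltered", UNFILTERED), ("high only", HIGH_ONLY),
                          ("high or medium+MFA", HIGH_OR_MEDIUM_MFA)]:
        print(f"{label}: {triggered(SAMPLE_EVENTS, source)}")
```

Event a4 has no severity field, so under the stated assumption it is silently excluded by any severity rule; confirm how the service treats missing properties before relying on a filter for coverage.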

Control automation activation with isEnabled

Teams may need to temporarily pause automations during maintenance windows or testing without deleting the configuration.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const automation = new azure_native.security.Automation("automation", {
    actions: [{
        actionType: "LogicApp",
        logicAppResourceId: "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        uri: "https://exampleTriggerUri1.com",
    }],
    automationName: "exampleAutomation",
    description: "An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment",
    isEnabled: false,
    location: "Central US",
    resourceGroupName: "exampleResourceGroup",
    scopes: [{
        description: "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        scopePath: "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
    }],
    sources: [{
        eventSource: azure_native.security.EventSource.Assessments,
        ruleSets: [{
            rules: [{
                expectedValue: "customAssessment",
                operator: azure_native.security.Operator.Equals,
                propertyJPath: "$.Entity.AssessmentType",
                propertyType: azure_native.security.PropertyType.String,
            }],
        }],
    }],
    tags: {},
});

Python:

import pulumi
import pulumi_azure_native as azure_native

automation = azure_native.security.Automation("automation",
    actions=[{
        "action_type": "LogicApp",
        "logic_app_resource_id": "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
        "uri": "https://exampleTriggerUri1.com",
    }],
    automation_name="exampleAutomation",
    description="An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment",
    is_enabled=False,
    location="Central US",
    resource_group_name="exampleResourceGroup",
    scopes=[{
        "description": "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
        "scope_path": "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
    }],
    sources=[{
        "event_source": azure_native.security.EventSource.ASSESSMENTS,
        "rule_sets": [{
            "rules": [{
                "expected_value": "customAssessment",
                "operator": azure_native.security.Operator.EQUALS,
                "property_j_path": "$.Entity.AssessmentType",
                "property_type": azure_native.security.PropertyType.STRING,
            }],
        }],
    }],
    tags={})

Go:

package main

import (
	security "github.com/pulumi/pulumi-azure-native-sdk/security/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := security.NewAutomation(ctx, "automation", &security.AutomationArgs{
			Actions: pulumi.Array{
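				// Use the Args type with pulumi.String inputs so the element satisfies pulumi.Input.
				security.AutomationActionLogicAppArgs{
					ActionType:         pulumi.String("LogicApp"),
					LogicAppResourceId: pulumi.String("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1"),
					Uri:                pulumi.String("https://exampleTriggerUri1.com"),
				},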
			},
			AutomationName:    pulumi.String("exampleAutomation"),
			Description:       pulumi.String("An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment"),
			IsEnabled:         pulumi.Bool(false),
			Location:          pulumi.String("Central US"),
			ResourceGroupName: pulumi.String("exampleResourceGroup"),
			Scopes: security.AutomationScopeArray{
				&security.AutomationScopeArgs{
					Description: pulumi.String("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5"),
					ScopePath:   pulumi.String("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup"),
				},
			},
			Sources: security.AutomationSourceArray{
				&security.AutomationSourceArgs{
					EventSource: pulumi.String(security.EventSourceAssessments),
					RuleSets: security.AutomationRuleSetArray{
						&security.AutomationRuleSetArgs{
							Rules: security.AutomationTriggeringRuleArray{
								&security.AutomationTriggeringRuleArgs{
									ExpectedValue: pulumi.String("customAssessment"),
									Operator:      pulumi.String(security.OperatorEquals),
									PropertyJPath: pulumi.String("$.Entity.AssessmentType"),
									PropertyType:  pulumi.String(security.PropertyTypeString),
								},
							},
						},
					},
				},
			},
			Tags: pulumi.StringMap{},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var automation = new AzureNative.Security.Automation("automation", new()
    {
        Actions = new[]
        {
            new AzureNative.Security.Inputs.AutomationActionLogicAppArgs
            {
                ActionType = "LogicApp",
                LogicAppResourceId = "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1",
                Uri = "https://exampleTriggerUri1.com",
            },
        },
        AutomationName = "exampleAutomation",
        Description = "An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment",
        IsEnabled = false,
        Location = "Central US",
        ResourceGroupName = "exampleResourceGroup",
        Scopes = new[]
        {
            new AzureNative.Security.Inputs.AutomationScopeArgs
            {
                Description = "A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5",
                ScopePath = "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup",
            },
        },
        Sources = new[]
        {
            new AzureNative.Security.Inputs.AutomationSourceArgs
            {
                EventSource = AzureNative.Security.EventSource.Assessments,
                RuleSets = new[]
                {
                    new AzureNative.Security.Inputs.AutomationRuleSetArgs
                    {
                        Rules = new[]
                        {
                            new AzureNative.Security.Inputs.AutomationTriggeringRuleArgs
                            {
                                ExpectedValue = "customAssessment",
                                Operator = AzureNative.Security.Operator.EqualsValue,
                                PropertyJPath = "$.Entity.AssessmentType",
                                PropertyType = AzureNative.Security.PropertyType.String,
                            },
                        },
                    },
                },
            },
        },
        Tags = null,
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.security.Automation;
import com.pulumi.azurenative.security.AutomationArgs;
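import com.pulumi.azurenative.security.inputs.AutomationActionLogicAppArgs;
import com.pulumi.azurenative.security.inputs.AutomationRuleSetArgs;
import com.pulumi.azurenative.security.inputs.AutomationScopeArgs;
import com.pulumi.azurenative.security.inputs.AutomationSourceArgs;
import com.pulumi.azurenative.security.inputs.AutomationTriggeringRuleArgs;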
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var automation = new Automation("automation", AutomationArgs.builder()
            .actions(AutomationActionLogicAppArgs.builder()
                .actionType("LogicApp")
                .logicAppResourceId("/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1")
                .uri("https://exampleTriggerUri1.com")
                .build())
            .automationName("exampleAutomation")
            .description("An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment")
            .isEnabled(false)
            .location("Central US")
            .resourceGroupName("exampleResourceGroup")
            .scopes(AutomationScopeArgs.builder()
                .description("A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5")
                .scopePath("/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup")
                .build())
            .sources(AutomationSourceArgs.builder()
                .eventSource("Assessments")
                .ruleSets(AutomationRuleSetArgs.builder()
                    .rules(AutomationTriggeringRuleArgs.builder()
                        .expectedValue("customAssessment")
                        .operator("Equals")
                        .propertyJPath("$.Entity.AssessmentType")
                        .propertyType("String")
                        .build())
                    .build())
                .build())
            .tags(Map.ofEntries(
            ))
            .build());

    }
}

YAML:

resources:
  automation:
    type: azure-native:security:Automation
    properties:
      actions:
        - actionType: LogicApp
          logicAppResourceId: /subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1
          uri: https://exampleTriggerUri1.com
      automationName: exampleAutomation
      description: An example of a security automation that triggers one LogicApp resource (myTest1) on any security assessment of type customAssessment
      isEnabled: false
      location: Central US
      resourceGroupName: exampleResourceGroup
      scopes:
        - description: 'A description that helps to identify this scope - for example: security assessments that relate to the resource group myResourceGroup within the subscription a5caac9c-5c04-49af-b3d0-e204f40345d5'
          scopePath: /subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup
      sources:
        - eventSource: Assessments
          ruleSets:
            - rules:
                - expectedValue: customAssessment
                  operator: Equals
                  propertyJPath: $.Entity.AssessmentType
                  propertyType: String
      tags: {}

The isEnabled property controls whether the automation processes events. Set it to false to pause the automation while preserving its configuration. The automation retains its sources, scopes, and actions; it simply stops evaluating events until you re-enable it.
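A paused automation deploys as cleanly as an active one, so a disabled automation or a malformed scope is easy to ship unnoticed. The lint below is an added example, not code from Pulumi or the provider: it checks a plain object shaped like this guide's automation arguments before deployment. `lintAutomation`, the interfaces and the sample objects are hypothetical names, and the checks are assumptions about what a team would want to catch.

```typescript
// Added example: hypothetical pre-deployment lint, not part of @pulumi/azure-native.
interface Rule { expectedValue?: string; operator?: string; propertyJPath?: string; propertyType?: string }
interface AutomationConfig {
    isEnabled?: boolean; scopes?: { scopePath?: string }[];
    actions?: { actionType: string; logicAppResourceId?: string; uri?: string }[];
    sources?: { eventSource?: string; ruleSets?: { rules?: Rule[] }[] }[];
}
const GUID = "[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}";
// Scope shapes used in this guide: a whole subscription or one resource group.
const SCOPE_RE = new RegExp(`^/subscriptions/${GUID}(?:/resourceGroups/[^/]+)?$`, "i");
const WORKFLOW_RE = new RegExp(
    `^/subscriptions/${GUID}/resourceGroups/[^/]+/providers/Microsoft\\.Logic/workflows/[^/]+$`, "i");

function lintAutomation(cfg: AutomationConfig): string[] {
    const findings: string[] = [];
    if (cfg.isEnabled === false) findings.push("isEnabled=false: automation is paused and evaluates no events");
    if (!cfg.scopes?.length) findings.push("no scopes defined");
    for (const s of cfg.scopes ?? [])
        if (!SCOPE_RE.test(s.scopePath ?? "")) findings.push(`unexpected scopePath: ${s.scopePath}`);
    for (const a of cfg.actions ?? []) {
        if (a.actionType !== "LogicApp") continue; // other action types are not covered by this guide
        if (!WORKFLOW_RE.test(a.logicAppResourceId ?? "")) findings.push(`not a Logic App workflow ID: ${a.logicAppResourceId}`);
        if (!/^https:\/\/[^\s/]+/i.test(a.uri ?? "")) findings.push(`trigger uri is not https: ${a.uri}`);
    }
    for (const src of cfg.sources ?? [])
        for (const rs of src.ruleSets ?? [])
            for (const r of rs.rules ?? [])
                if (!r.propertyJPath || !r.operator || !r.propertyType || r.expectedValue === undefined)
                    findings.push(`incomplete rule for ${src.eventSource}: ${JSON.stringify(r)}`);
    return findings;
}

const WORKFLOW_ID = "/subscriptions/e54a4a18-5b94-4f90-9471-bd3decad8a2e/resourceGroups/sample/providers/Microsoft.Logic/workflows/MyTest1";
// The paused configuration from the example above, written as a plain object.
const pausedExample: AutomationConfig = {
    isEnabled: false, scopes: [{ scopePath: "/subscriptions/a5caac9c-5c04-49af-b3d0-e204f40345d5/resourceGroups/myResourceGroup" }],
    actions: [{ actionType: "LogicApp", logicAppResourceId: WORKFLOW_ID, uri: "https://exampleTriggerUri1.com" }],
    sources: [{ eventSource: "Assessments", ruleSets: [{ rules: [
        { expectedValue: "customAssessment", operator: "Equals", propertyJPath: "$.Entity.AssessmentType", propertyType: "String" }] }] }],
};
// Constructed bad input: unfilled scope placeholder, plain-http trigger, rule without an operator.
const brokenExample: AutomationConfig = {
    isEnabled: true, scopes: [{ scopePath: "/subscriptions/{id}" }],
    actions: [{ actionType: "LogicApp", logicAppResourceId: WORKFLOW_ID, uri: "http://example.invalid/trigger" }],
    sources: [{ eventSource: "Assessments", ruleSets: [{ rules: [
        { expectedValue: "High", propertyJPath: "properties.metadata.severity", propertyType: "String" }] }] }],
};
console.log(lintAutomation(pausedExample), lintAutomation(brokenExample));
```

Run it in CI against the same object you pass to the Automation resource, and fail the build on any finding you do not expect.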

Beyond these examples

These snippets focus on specific automation features: Logic App integration and event filtering, rule-based assessment filtering, and automation lifecycle control. They’re intentionally minimal rather than full security response workflows.

The examples reference pre-existing infrastructure such as Logic App workflows with HTTP trigger endpoints, and Azure subscriptions and resource groups. They focus on configuring the automation rather than provisioning the Logic Apps or defining organizational structure.

To keep things focused, common automation patterns are omitted, including:

  • Multiple action types (EventHub, Workspace)
  • Complex rule combinations (multiple rule sets, Contains/NotEquals operators)
  • Alternative event sources (Alerts, RegulatoryComplianceAssessment, SubAssessments)
  • Tags and metadata for organization

These omissions are intentional: the goal is to illustrate how each automation feature is wired, not to provide drop-in security orchestration modules. See the Security Automation resource reference for all available configuration options.


Frequently Asked Questions

Event Sources & Triggers

What events can trigger a security automation?
The examples in this guide trigger on security assessments. Configure this by setting the eventSource property to Assessments within the sources array. Other event sources (Alerts, RegulatoryComplianceAssessment, SubAssessments) are among the patterns this guide omits.

How do I filter which events trigger my automation?
Use ruleSets within your sources configuration to filter events. Each rule specifies a propertyJPath, operator, expectedValue, and propertyType to match against event properties.

How do I trigger an automation only for high-severity assessments?
Configure a rule with propertyJPath set to properties.metadata.severity, operator set to Equals, and expectedValue set to High.

Why are there different propertyJPath formats in the examples?
The examples show two formats: properties.metadata.severity (without prefix) and $.Entity.AssessmentType (with JSONPath prefix). Both are valid for filtering different event properties.

Actions & Responses

What actions can a security automation perform?
The examples demonstrate LogicApp actions, which require a logicAppResourceId and uri. Configure these in the actions array with actionType set to LogicApp.

What information do I need to configure a LogicApp action?
You need the LogicApp’s resource ID (full Azure resource path) and the trigger URI. Set these as logicAppResourceId and uri properties in your action configuration.

Scopes & Targeting

What's the scope of a security automation?
Automations apply to scopes defined in the scopes array. You can scope to an entire subscription (/subscriptions/{id}) or a specific resource group (/subscriptions/{id}/resourceGroups/{name}).

Can I apply an automation to multiple scopes?
Yes, the scopes property is an array that accepts multiple scope definitions. Each scope can target different subscriptions or resource groups.

Configuration & Lifecycle

How do I temporarily disable an automation without deleting it?
Set the isEnabled property to false. This disables the automation while preserving its configuration for future use.

What properties can't be changed after creating an automation?
The automationName and resourceGroupName properties are immutable. Changing these requires recreating the automation resource.

Which API version should I use for security automations?
The default API version is 2023-12-01-preview. Version 2019-01-01-preview is also available and can be accessed using the pulumi package add CLI command with the desired API version.
