This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.
Viewing docs for Azure Native v1.103.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

    Represents an automation rule. API Version: 2019-01-01-preview.

    Example Usage

    Creates or updates an automation rule.

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureNative = Pulumi.AzureNative;
    
    return await Deployment.RunAsync(() => 
    {
        var automationRule = new AzureNative.SecurityInsights.AutomationRule("automationRule", new()
        {
            Actions = new[]
            {
                new AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesActionArgs
                {
                    ActionConfiguration = new AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesActionActionConfigurationArgs
                    {
                        Severity = "High",
                    },
                    ActionType = "ModifyProperties",
                    Order = 1,
                },
                new AzureNative.SecurityInsights.Inputs.AutomationRuleRunPlaybookActionArgs
                {
                    ActionConfiguration = new AzureNative.SecurityInsights.Inputs.AutomationRuleRunPlaybookActionActionConfigurationArgs
                    {
                        LogicAppResourceId = "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook",
                        TenantId = "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
                    },
                    ActionType = "RunPlaybook",
                    Order = 2,
                },
            },
            AutomationRuleId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
            DisplayName = "High severity incidents escalation",
            OperationalInsightsResourceProvider = "Microsoft.OperationalInsights",
            Order = 1,
            ResourceGroupName = "myRg",
            TriggeringLogic = new AzureNative.SecurityInsights.Inputs.AutomationRuleTriggeringLogicArgs
            {
                Conditions = new[]
                {
                    // Each condition is a typed AutomationRulePropertyValuesConditionArgs object.
                    new AzureNative.SecurityInsights.Inputs.AutomationRulePropertyValuesConditionArgs
                    {
                        ConditionProperties = new AzureNative.SecurityInsights.Inputs.AutomationRulePropertyValuesConditionConditionPropertiesArgs
                        {
                            Operator = "Contains",
                            PropertyName = "IncidentRelatedAnalyticRuleIds",
                            PropertyValues = new[]
                            {
                                "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                                "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a",
                            },
                        },
                        ConditionType = "Property",
                    },
                },
                IsEnabled = true,
                TriggersOn = "Incidents",
                TriggersWhen = "Created",
            },
            WorkspaceName = "myWorkspace",
        });
    
    });
    
    package main
    
    import (
    	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := securityinsights.NewAutomationRule(ctx, "automationRule", &securityinsights.AutomationRuleArgs{
    			Actions: pulumi.Array{
    				securityinsights.AutomationRuleModifyPropertiesAction{
    					ActionConfiguration: securityinsights.AutomationRuleModifyPropertiesActionActionConfiguration{
    						Severity: "High",
    					},
    					ActionType: "ModifyProperties",
    					Order:      1,
    				},
    				securityinsights.AutomationRuleRunPlaybookAction{
    					ActionConfiguration: securityinsights.AutomationRuleRunPlaybookActionActionConfiguration{
    						LogicAppResourceId: "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook",
    						TenantId:           "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
    					},
    					ActionType: "RunPlaybook",
    					Order:      2,
    				},
    			},
    			AutomationRuleId:                    pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
    			DisplayName:                         pulumi.String("High severity incidents escalation"),
    			OperationalInsightsResourceProvider: pulumi.String("Microsoft.OperationalInsights"),
    			Order:                               pulumi.Int(1),
    			ResourceGroupName:                   pulumi.String("myRg"),
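    			// Inputs use the *Args types, not the *Response output types.
    			TriggeringLogic: &securityinsights.AutomationRuleTriggeringLogicArgs{
    				Conditions: securityinsights.AutomationRulePropertyValuesConditionArray{
    					&securityinsights.AutomationRulePropertyValuesConditionArgs{
    						ConditionProperties: &securityinsights.AutomationRulePropertyValuesConditionConditionPropertiesArgs{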
    							Operator:     pulumi.String("Contains"),
    							PropertyName: pulumi.String("IncidentRelatedAnalyticRuleIds"),
    							PropertyValues: pulumi.StringArray{
    								pulumi.String("/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"),
    								pulumi.String("/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"),
    							},
    						},
    						ConditionType: pulumi.String("Property"),
    					},
    				},
    				IsEnabled:    pulumi.Bool(true),
    				TriggersOn:   pulumi.String("Incidents"),
    				TriggersWhen: pulumi.String("Created"),
    			},
    			WorkspaceName: pulumi.String("myWorkspace"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azurenative.securityinsights.AutomationRule;
    import com.pulumi.azurenative.securityinsights.AutomationRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var automationRule = new AutomationRule("automationRule", AutomationRuleArgs.builder()        
                .actions(            
                    Map.ofEntries(
                        Map.entry("actionConfiguration", Map.of("severity", "High")),
                        Map.entry("actionType", "ModifyProperties"),
                        Map.entry("order", 1)
                    ),
                    Map.ofEntries(
                        Map.entry("actionConfiguration", Map.ofEntries(
                            Map.entry("logicAppResourceId", "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"),
                            Map.entry("tenantId", "ee48efaf-50c6-411b-9345-b2bdc3eb4abc")
                        )),
                        Map.entry("actionType", "RunPlaybook"),
                        Map.entry("order", 2)
                    ))
                .automationRuleId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
                .displayName("High severity incidents escalation")
                .operationalInsightsResourceProvider("Microsoft.OperationalInsights")
                .order(1)
                .resourceGroupName("myRg")
                .triggeringLogic(Map.ofEntries(
                    Map.entry("conditions", Map.ofEntries(
                        Map.entry("conditionProperties", Map.ofEntries(
                            Map.entry("operator", "Contains"),
                            Map.entry("propertyName", "IncidentRelatedAnalyticRuleIds"),
                            // Map.entry takes exactly one key and one value, so the IDs go in a list.
                            Map.entry("propertyValues", List.of(
                                "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                                "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"))
                        )),
                        Map.entry("conditionType", "Property")
                    )),
                    Map.entry("isEnabled", true),
                    Map.entry("triggersOn", "Incidents"),
                    Map.entry("triggersWhen", "Created")
                ))
                .workspaceName("myWorkspace")
                .build());
    
        }
    }
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";
    
    const automationRule = new azure_native.securityinsights.AutomationRule("automationRule", {
        actions: [
            {
                actionConfiguration: {
                    severity: "High",
                },
                actionType: "ModifyProperties",
                order: 1,
            },
            {
                actionConfiguration: {
                    logicAppResourceId: "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook",
                    tenantId: "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
                },
                actionType: "RunPlaybook",
                order: 2,
            },
        ],
        automationRuleId: "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        displayName: "High severity incidents escalation",
        operationalInsightsResourceProvider: "Microsoft.OperationalInsights",
        order: 1,
        resourceGroupName: "myRg",
        triggeringLogic: {
            conditions: [{
                conditionProperties: {
                    operator: "Contains",
                    propertyName: "IncidentRelatedAnalyticRuleIds",
                    propertyValues: [
                        "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                        "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a",
                    ],
                },
                conditionType: "Property",
            }],
            isEnabled: true,
            triggersOn: "Incidents",
            triggersWhen: "Created",
        },
        workspaceName: "myWorkspace",
    });
    
    import pulumi
    import pulumi_azure_native as azure_native
    
    automation_rule = azure_native.securityinsights.AutomationRule("automationRule",
        actions=[
            azure_native.securityinsights.AutomationRuleModifyPropertiesActionArgs(
                action_configuration=azure_native.securityinsights.AutomationRuleModifyPropertiesActionActionConfigurationArgs(
                    severity="High",
                ),
                action_type="ModifyProperties",
                order=1,
            ),
            azure_native.securityinsights.AutomationRuleRunPlaybookActionArgs(
                action_configuration=azure_native.securityinsights.AutomationRuleRunPlaybookActionActionConfigurationArgs(
                    logic_app_resource_id="/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook",
                    tenant_id="ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
                ),
                action_type="RunPlaybook",
                order=2,
            ),
        ],
        automation_rule_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        display_name="High severity incidents escalation",
        operational_insights_resource_provider="Microsoft.OperationalInsights",
        order=1,
        resource_group_name="myRg",
        # Inputs use the *Args classes, not the *ResponseArgs output shapes.
        triggering_logic=azure_native.securityinsights.AutomationRuleTriggeringLogicArgs(
            conditions=[azure_native.securityinsights.AutomationRulePropertyValuesConditionArgs(
                condition_properties=azure_native.securityinsights.AutomationRulePropertyValuesConditionConditionPropertiesArgs(
                    operator="Contains",
                    property_name="IncidentRelatedAnalyticRuleIds",
                    property_values=[
                        "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                        "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a",
                    ],
                ),
                condition_type="Property",
            )],
            is_enabled=True,
            triggers_on="Incidents",
            triggers_when="Created",
        ),
        workspace_name="myWorkspace")
    
    resources:
      automationRule:
        type: azure-native:securityinsights:AutomationRule
        properties:
          actions:
            - actionConfiguration:
                severity: High
              actionType: ModifyProperties
              order: 1
            - actionConfiguration:
                logicAppResourceId: /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook
                tenantId: ee48efaf-50c6-411b-9345-b2bdc3eb4abc
              actionType: RunPlaybook
              order: 2
          automationRuleId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
          displayName: High severity incidents escalation
          operationalInsightsResourceProvider: Microsoft.OperationalInsights
          order: 1
          resourceGroupName: myRg
          triggeringLogic:
            conditions:
              - conditionProperties:
                  operator: Contains
                  propertyName: IncidentRelatedAnalyticRuleIds
                  propertyValues:
                    - /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7
                    - /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a
                conditionType: Property
            isEnabled: true
            triggersOn: Incidents
            triggersWhen: Created
          workspaceName: myWorkspace
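
A pre-deployment check for the rule definition shown above, added here as an example (it is not part of the Pulumi or Azure documentation). The function `lint_automation_rule`, its finding codes and the policies it applies (unique action `order`, a Logic App shaped `logicAppResourceId`, analytic rule IDs inside the rule's own workspace) are assumptions of this example; the input is the page's YAML properties re-typed as a Python dict.

```python
import re
from datetime import datetime, timezone

# Constructed input: the properties of the YAML example above as a dict.
SUB = "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"
WS = SUB + "/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
EXAMPLE_RULE = {
    "actions": [
        {"actionType": "ModifyProperties", "order": 1,
         "actionConfiguration": {"severity": "High"}},
        {"actionType": "RunPlaybook", "order": 2,
         "actionConfiguration": {
             "logicAppResourceId": SUB + "/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook",
             "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc"}},
    ],
    "displayName": "High severity incidents escalation",
    "order": 1,
    "resourceGroupName": "myRg",
    "workspaceName": "myWorkspace",
    "triggeringLogic": {
        "isEnabled": True,
        "triggersOn": "Incidents",
        "triggersWhen": "Created",
        "conditions": [{
            "conditionType": "Property",
            "conditionProperties": {
                "operator": "Contains",
                "propertyName": "IncidentRelatedAnalyticRuleIds",
                "propertyValues": [
                    WS + "/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                    WS + "/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a",
                ],
            },
        }],
    },
}

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
LOGIC_APP = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Logic/workflows/[^/]+$", re.I)
ALERT_RULE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.OperationalInsights"
    r"/workspaces/(?P<ws>[^/]+)/providers/Microsoft\.SecurityInsights/alertRules/[^/]+$", re.I)


def lint_automation_rule(rule, now=None):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    findings = []

    actions = rule.get("actions") or []
    orders = [a.get("order") for a in actions]
    if len(set(orders)) != len(orders):
        # Assumption of this check: two actions sharing an order is a mistake.
        findings.append(("DUPLICATE_ORDER", f"action order values {orders}"))
    for action in actions:
        if action.get("actionType") != "RunPlaybook":
            continue
        cfg = action.get("actionConfiguration") or {}
        if not LOGIC_APP.match(str(cfg.get("logicAppResourceId") or "")):
            findings.append(("BAD_PLAYBOOK_ID", "logicAppResourceId is not a Microsoft.Logic/workflows ID"))
        if not GUID.match(str(cfg.get("tenantId") or "")):
            findings.append(("BAD_TENANT_ID", "tenantId is not a GUID"))

    logic = rule.get("triggeringLogic") or {}
    if not logic.get("isEnabled"):
        findings.append(("RULE_DISABLED", "triggeringLogic.isEnabled is false"))
    expiry = logic.get("expirationTimeUtc")
    if expiry:
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            findings.append(("RULE_EXPIRED", f"expirationTimeUtc {expiry} is in the past"))

    # Resource names are compared case-insensitively, as the page notes for resource groups.
    home = (str(rule.get("resourceGroupName", "")).lower(), str(rule.get("workspaceName", "")).lower())
    for cond in logic.get("conditions") or []:
        props = cond.get("conditionProperties") or {}
        if props.get("propertyName") != "IncidentRelatedAnalyticRuleIds":
            continue
        for value in props.get("propertyValues") or []:
            m = ALERT_RULE.match(value)
            if not m:
                findings.append(("BAD_ANALYTIC_RULE_ID", value))
            elif (m["rg"].lower(), m["ws"].lower()) != home:
                # Assumption: a rule ID from another workspace can never match here.
                findings.append(("FOREIGN_ANALYTIC_RULE", value))
    return findings


if __name__ == "__main__":
    for code, detail in lint_automation_rule(EXAMPLE_RULE) or [("OK", "no findings")]:
        print(code, detail)
```
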
    

    Create AutomationRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    TypeScript:

    new AutomationRule(name: string, args: AutomationRuleArgs, opts?: CustomResourceOptions);

    Python:

    @overload
    def AutomationRule(resource_name: str,
                       args: AutomationRuleArgs,
                       opts: Optional[ResourceOptions] = None)
    
    @overload
    def AutomationRule(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       actions: Optional[Sequence[Union[AutomationRuleModifyPropertiesActionArgs, AutomationRuleRunPlaybookActionArgs]]] = None,
                       display_name: Optional[str] = None,
                       operational_insights_resource_provider: Optional[str] = None,
                       order: Optional[int] = None,
                       resource_group_name: Optional[str] = None,
                       triggering_logic: Optional[AutomationRuleTriggeringLogicArgs] = None,
                       workspace_name: Optional[str] = None,
                       automation_rule_id: Optional[str] = None)

    Go:

    func NewAutomationRule(ctx *Context, name string, args AutomationRuleArgs, opts ...ResourceOption) (*AutomationRule, error)

    C#:

    public AutomationRule(string name, AutomationRuleArgs args, CustomResourceOptions? opts = null)

    Java:

    public AutomationRule(String name, AutomationRuleArgs args)
    public AutomationRule(String name, AutomationRuleArgs args, CustomResourceOptions options)

    YAML:

    type: azure-native:securityinsights:AutomationRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    TypeScript:

    name string
    The unique name of the resource.
    args AutomationRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Python:

    resource_name str
    The unique name of the resource.
    args AutomationRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.

    Go:

    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AutomationRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.

    C#:

    name string
    The unique name of the resource.
    args AutomationRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Java:

    name String
    The unique name of the resource.
    args AutomationRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var automationRuleResource = new AzureNative.SecurityInsights.AutomationRule("automationRuleResource", new()
    {
        Actions = new[]
        {
            new AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesActionArgs
            {
                ActionConfiguration = new AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesActionActionConfigurationArgs
                {
                    Classification = "string",
                    ClassificationComment = "string",
                    ClassificationReason = "string",
                    Labels = new[]
                    {
                        new AzureNative.SecurityInsights.Inputs.IncidentLabelArgs
                        {
                            LabelName = "string",
                        },
                    },
                    Owner = new AzureNative.SecurityInsights.Inputs.IncidentOwnerInfoArgs
                    {
                        AssignedTo = "string",
                        Email = "string",
                        ObjectId = "string",
                        UserPrincipalName = "string",
                    },
                    Severity = "string",
                    Status = "string",
                },
                ActionType = "ModifyProperties",
                Order = 0,
            },
        },
        DisplayName = "string",
        OperationalInsightsResourceProvider = "string",
        Order = 0,
        ResourceGroupName = "string",
        TriggeringLogic = new AzureNative.SecurityInsights.Inputs.AutomationRuleTriggeringLogicArgs
        {
            IsEnabled = false,
            TriggersOn = "string",
            TriggersWhen = "string",
            Conditions = new[]
            {
                new AzureNative.SecurityInsights.Inputs.AutomationRulePropertyValuesConditionArgs
                {
                    ConditionProperties = new AzureNative.SecurityInsights.Inputs.AutomationRulePropertyValuesConditionConditionPropertiesArgs
                    {
                        Operator = "string",
                        PropertyName = "string",
                        PropertyValues = new[]
                        {
                            "string",
                        },
                    },
                    ConditionType = "Property",
                },
            },
            ExpirationTimeUtc = "string",
        },
        WorkspaceName = "string",
        AutomationRuleId = "string",
    });
    
    example, err := securityinsights.NewAutomationRule(ctx, "automationRuleResource", &securityinsights.AutomationRuleArgs{
    	Actions: pulumi.Array{
    		securityinsights.AutomationRuleModifyPropertiesAction{
    			ActionConfiguration: securityinsights.AutomationRuleModifyPropertiesActionActionConfiguration{
    				Classification:        "string",
    				ClassificationComment: "string",
    				ClassificationReason:  "string",
    				Labels: []securityinsights.IncidentLabel{
    					{
    						LabelName: "string",
    					},
    				},
    				Owner: securityinsights.IncidentOwnerInfo{
    					AssignedTo:        "string",
    					Email:             "string",
    					ObjectId:          "string",
    					UserPrincipalName: "string",
    				},
    				Severity: "string",
    				Status:   "string",
    			},
    			ActionType: "ModifyProperties",
    			Order:      0,
    		},
    	},
    	DisplayName:                         pulumi.String("string"),
    	OperationalInsightsResourceProvider: pulumi.String("string"),
    	Order:                               pulumi.Int(0),
    	ResourceGroupName:                   pulumi.String("string"),
    	TriggeringLogic: &securityinsights.AutomationRuleTriggeringLogicArgs{
    		IsEnabled:    pulumi.Bool(false),
    		TriggersOn:   pulumi.String("string"),
    		TriggersWhen: pulumi.String("string"),
    		Conditions: securityinsights.AutomationRulePropertyValuesConditionArray{
    			&securityinsights.AutomationRulePropertyValuesConditionArgs{
    				ConditionProperties: &securityinsights.AutomationRulePropertyValuesConditionConditionPropertiesArgs{
    					Operator:     pulumi.String("string"),
    					PropertyName: pulumi.String("string"),
    					PropertyValues: pulumi.StringArray{
    						pulumi.String("string"),
    					},
    				},
    				ConditionType: pulumi.String("Property"),
    			},
    		},
    		ExpirationTimeUtc: pulumi.String("string"),
    	},
    	WorkspaceName:    pulumi.String("string"),
    	AutomationRuleId: pulumi.String("string"),
    })
    
    var automationRuleResource = new AutomationRule("automationRuleResource", AutomationRuleArgs.builder()
        .actions(AutomationRuleModifyPropertiesActionArgs.builder()
            .actionConfiguration(AutomationRuleModifyPropertiesActionActionConfigurationArgs.builder()
                .classification("string")
                .classificationComment("string")
                .classificationReason("string")
                .labels(IncidentLabelArgs.builder()
                    .labelName("string")
                    .build())
                .owner(IncidentOwnerInfoArgs.builder()
                    .assignedTo("string")
                    .email("string")
                    .objectId("string")
                    .userPrincipalName("string")
                    .build())
                .severity("string")
                .status("string")
                .build())
            .actionType("ModifyProperties")
            .order(0)
            .build())
        .displayName("string")
        .operationalInsightsResourceProvider("string")
        .order(0)
        .resourceGroupName("string")
        .triggeringLogic(AutomationRuleTriggeringLogicArgs.builder()
            .isEnabled(false)
            .triggersOn("string")
            .triggersWhen("string")
            .conditions(Map.ofEntries(
                Map.entry("conditionProperties", AutomationRulePropertyValuesConditionConditionPropertiesArgs.builder()
                    .operator("string")
                    .propertyName("string")
                    .propertyValues("string")
                    .build()),
                Map.entry("conditionType", "Property")
            ))
            .expirationTimeUtc("string")
            .build())
        .workspaceName("string")
        .automationRuleId("string")
        .build());
    
    automation_rule_resource = azure_native.securityinsights.AutomationRule("automationRuleResource",
        actions=[{
            "action_configuration": {
                "classification": "string",
                "classification_comment": "string",
                "classification_reason": "string",
                "labels": [{
                    "label_name": "string",
                }],
                "owner": {
                    "assigned_to": "string",
                    "email": "string",
                    "object_id": "string",
                    "user_principal_name": "string",
                },
                "severity": "string",
                "status": "string",
            },
            "action_type": "ModifyProperties",
            "order": 0,
        }],
        display_name="string",
        operational_insights_resource_provider="string",
        order=0,
        resource_group_name="string",
        triggering_logic={
            "is_enabled": False,
            "triggers_on": "string",
            "triggers_when": "string",
            "conditions": [{
                "condition_properties": {
                    "operator": "string",
                    "property_name": "string",
                    "property_values": ["string"],
                },
                "condition_type": "Property",
            }],
            "expiration_time_utc": "string",
        },
        workspace_name="string",
        automation_rule_id="string")
    
    const automationRuleResource = new azure_native.securityinsights.AutomationRule("automationRuleResource", {
        actions: [{
            actionConfiguration: {
                classification: "string",
                classificationComment: "string",
                classificationReason: "string",
                labels: [{
                    labelName: "string",
                }],
                owner: {
                    assignedTo: "string",
                    email: "string",
                    objectId: "string",
                    userPrincipalName: "string",
                },
                severity: "string",
                status: "string",
            },
            actionType: "ModifyProperties",
            order: 0,
        }],
        displayName: "string",
        operationalInsightsResourceProvider: "string",
        order: 0,
        resourceGroupName: "string",
        triggeringLogic: {
            isEnabled: false,
            triggersOn: "string",
            triggersWhen: "string",
            conditions: [{
                conditionProperties: {
                    operator: "string",
                    propertyName: "string",
                    propertyValues: ["string"],
                },
                conditionType: "Property",
            }],
            expirationTimeUtc: "string",
        },
        workspaceName: "string",
        automationRuleId: "string",
    });
    
    type: azure-native:securityinsights:AutomationRule
    properties:
        actions:
            - actionConfiguration:
                classification: string
                classificationComment: string
                classificationReason: string
                labels:
                    - labelName: string
                owner:
                    assignedTo: string
                    email: string
                    objectId: string
                    userPrincipalName: string
                severity: string
                status: string
              actionType: ModifyProperties
              order: 0
        automationRuleId: string
        displayName: string
        operationalInsightsResourceProvider: string
        order: 0
        resourceGroupName: string
        triggeringLogic:
            conditions:
                - conditionProperties:
                    operator: string
                    propertyName: string
                    propertyValues:
                        - string
                  conditionType: Property
            expirationTimeUtc: string
            isEnabled: false
            triggersOn: string
            triggersWhen: string
        workspaceName: string
    

    AutomationRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AutomationRule resource accepts the following input properties:

    C#:

    Actions List<Union<Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesAction, Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleRunPlaybookActionArgs>>
    The actions to execute when the automation rule is triggered
    DisplayName string
    The display name of the automation rule
    OperationalInsightsResourceProvider string
    The namespace of workspaces resource provider- Microsoft.OperationalInsights.
    Order int
    The order of execution of the automation rule
    ResourceGroupName string
    The name of the resource group within the user's subscription. The name is case insensitive.
    TriggeringLogic Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleTriggeringLogic
    The triggering logic of the automation rule
    WorkspaceName string
    The name of the workspace.
    AutomationRuleId string
    Automation rule ID

    Go:

    Actions []interface{}
    The actions to execute when the automation rule is triggered
    DisplayName string
    The display name of the automation rule
    OperationalInsightsResourceProvider string
    The namespace of workspaces resource provider- Microsoft.OperationalInsights.
    Order int
    The order of execution of the automation rule
    ResourceGroupName string
    The name of the resource group within the user's subscription. The name is case insensitive.
    TriggeringLogic AutomationRuleTriggeringLogicArgs
    The triggering logic of the automation rule
    WorkspaceName string
    The name of the workspace.
    AutomationRuleId string
    Automation rule ID

    Java:

    actions List<Either<AutomationRuleModifyPropertiesAction,AutomationRuleRunPlaybookActionArgs>>
    The actions to execute when the automation rule is triggered
    displayName String
    The display name of the automation rule
    operationalInsightsResourceProvider String
    The namespace of the workspaces resource provider: Microsoft.OperationalInsights.
    order Integer
    The order of execution of the automation rule
    resourceGroupName String
    The name of the resource group within the user's subscription. The name is case insensitive.
    triggeringLogic AutomationRuleTriggeringLogic
    The triggering logic of the automation rule
    workspaceName String
    The name of the workspace.
    automationRuleId String
    Automation rule ID
    actions (AutomationRuleModifyPropertiesAction | AutomationRuleRunPlaybookActionArgs)[]
    The actions to execute when the automation rule is triggered
    displayName string
    The display name of the automation rule
    operationalInsightsResourceProvider string
    The namespace of the workspaces resource provider: Microsoft.OperationalInsights.
    order number
    The order of execution of the automation rule
    resourceGroupName string
    The name of the resource group within the user's subscription. The name is case insensitive.
    triggeringLogic AutomationRuleTriggeringLogic
    The triggering logic of the automation rule
    workspaceName string
    The name of the workspace.
    automationRuleId string
    Automation rule ID
    actions Sequence[Union[AutomationRuleModifyPropertiesActionArgs, AutomationRuleRunPlaybookActionArgs]]
    The actions to execute when the automation rule is triggered
    display_name str
    The display name of the automation rule
    operational_insights_resource_provider str
    The namespace of the workspaces resource provider: Microsoft.OperationalInsights.
    order int
    The order of execution of the automation rule
    resource_group_name str
    The name of the resource group within the user's subscription. The name is case insensitive.
    triggering_logic AutomationRuleTriggeringLogicArgs
    The triggering logic of the automation rule
    workspace_name str
    The name of the workspace.
    automation_rule_id str
    Automation rule ID
    actions List<Property Map | Property Map>
    The actions to execute when the automation rule is triggered
    displayName String
    The display name of the automation rule
    operationalInsightsResourceProvider String
    The namespace of the workspaces resource provider: Microsoft.OperationalInsights.
    order Number
    The order of execution of the automation rule
    resourceGroupName String
    The name of the resource group within the user's subscription. The name is case insensitive.
    triggeringLogic Property Map
    The triggering logic of the automation rule
    workspaceName String
    The name of the workspace.
    automationRuleId String
    Automation rule ID

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AutomationRule resource produces the following output properties:

    CreatedBy Pulumi.AzureNative.SecurityInsights.Outputs.ClientInfoResponse
    Describes the client that created the automation rule
    CreatedTimeUtc string
    The time the automation rule was created
    Id string
    The provider-assigned unique ID for this managed resource.
    LastModifiedBy Pulumi.AzureNative.SecurityInsights.Outputs.ClientInfoResponse
    Describes the client that last updated the automation rule
    LastModifiedTimeUtc string
    The last time the automation rule was updated
    Name string
    Azure resource name
    Type string
    Azure resource type
    Etag string
    ETag of the Azure resource
    CreatedBy ClientInfoResponse
    Describes the client that created the automation rule
    CreatedTimeUtc string
    The time the automation rule was created
    Id string
    The provider-assigned unique ID for this managed resource.
    LastModifiedBy ClientInfoResponse
    Describes the client that last updated the automation rule
    LastModifiedTimeUtc string
    The last time the automation rule was updated
    Name string
    Azure resource name
    Type string
    Azure resource type
    Etag string
    ETag of the Azure resource
    createdBy ClientInfoResponse
    Describes the client that created the automation rule
    createdTimeUtc String
    The time the automation rule was created
    id String
    The provider-assigned unique ID for this managed resource.
    lastModifiedBy ClientInfoResponse
    Describes the client that last updated the automation rule
    lastModifiedTimeUtc String
    The last time the automation rule was updated
    name String
    Azure resource name
    type String
    Azure resource type
    etag String
    ETag of the Azure resource
    createdBy ClientInfoResponse
    Describes the client that created the automation rule
    createdTimeUtc string
    The time the automation rule was created
    id string
    The provider-assigned unique ID for this managed resource.
    lastModifiedBy ClientInfoResponse
    Describes the client that last updated the automation rule
    lastModifiedTimeUtc string
    The last time the automation rule was updated
    name string
    Azure resource name
    type string
    Azure resource type
    etag string
    ETag of the Azure resource
    created_by ClientInfoResponse
    Describes the client that created the automation rule
    created_time_utc str
    The time the automation rule was created
    id str
    The provider-assigned unique ID for this managed resource.
    last_modified_by ClientInfoResponse
    Describes the client that last updated the automation rule
    last_modified_time_utc str
    The last time the automation rule was updated
    name str
    Azure resource name
    type str
    Azure resource type
    etag str
    ETag of the Azure resource
    createdBy Property Map
    Describes the client that created the automation rule
    createdTimeUtc String
    The time the automation rule was created
    id String
    The provider-assigned unique ID for this managed resource.
    lastModifiedBy Property Map
    Describes the client that last updated the automation rule
    lastModifiedTimeUtc String
    The last time the automation rule was updated
    name String
    Azure resource name
    type String
    Azure resource type
    etag String
    ETag of the Azure resource

    Supporting Types

    AutomationRuleModifyPropertiesAction, AutomationRuleModifyPropertiesActionArgs

    Describes an automation rule action to modify an object's properties
    ActionConfiguration Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesActionActionConfiguration
    The configuration of the modify properties automation rule action
    Order int
    The order of execution of the automation rule action
    ActionConfiguration AutomationRuleModifyPropertiesActionActionConfiguration
    The configuration of the modify properties automation rule action
    Order int
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleModifyPropertiesActionActionConfiguration
    The configuration of the modify properties automation rule action
    order Integer
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleModifyPropertiesActionActionConfiguration
    The configuration of the modify properties automation rule action
    order number
    The order of execution of the automation rule action
    action_configuration AutomationRuleModifyPropertiesActionActionConfiguration
    The configuration of the modify properties automation rule action
    order int
    The order of execution of the automation rule action
    actionConfiguration Property Map
    The configuration of the modify properties automation rule action
    order Number
    The order of execution of the automation rule action

    AutomationRuleModifyPropertiesActionActionConfiguration, AutomationRuleModifyPropertiesActionActionConfigurationArgs

    The configuration of the modify properties automation rule action
    Classification string | Pulumi.AzureNative.SecurityInsights.IncidentClassification
    The reason the incident was closed
    ClassificationComment string
    Describes the reason the incident was closed
    ClassificationReason string | Pulumi.AzureNative.SecurityInsights.IncidentClassificationReason
    The classification reason to close the incident with
    Labels List<Pulumi.AzureNative.SecurityInsights.Inputs.IncidentLabel>
    List of labels to add to the incident
    Owner Pulumi.AzureNative.SecurityInsights.Inputs.IncidentOwnerInfo
    Describes a user that the incident is assigned to
    Severity string | Pulumi.AzureNative.SecurityInsights.IncidentSeverity
    The severity of the incident
    Status string | Pulumi.AzureNative.SecurityInsights.IncidentStatus
    The status of the incident
    Classification string | IncidentClassification
    The reason the incident was closed
    ClassificationComment string
    Describes the reason the incident was closed
    ClassificationReason string | IncidentClassificationReason
    The classification reason to close the incident with
    Labels []IncidentLabel
    List of labels to add to the incident
    Owner IncidentOwnerInfo
    Describes a user that the incident is assigned to
    Severity string | IncidentSeverity
    The severity of the incident
    Status string | IncidentStatus
    The status of the incident
    classification String | IncidentClassification
    The reason the incident was closed
    classificationComment String
    Describes the reason the incident was closed
    classificationReason String | IncidentClassificationReason
    The classification reason to close the incident with
    labels List<IncidentLabel>
    List of labels to add to the incident
    owner IncidentOwnerInfo
    Describes a user that the incident is assigned to
    severity String | IncidentSeverity
    The severity of the incident
    status String | IncidentStatus
    The status of the incident
    classification string | IncidentClassification
    The reason the incident was closed
    classificationComment string
    Describes the reason the incident was closed
    classificationReason string | IncidentClassificationReason
    The classification reason to close the incident with
    labels IncidentLabel[]
    List of labels to add to the incident
    owner IncidentOwnerInfo
    Describes a user that the incident is assigned to
    severity string | IncidentSeverity
    The severity of the incident
    status string | IncidentStatus
    The status of the incident
    classification str | IncidentClassification
    The reason the incident was closed
    classification_comment str
    Describes the reason the incident was closed
    classification_reason str | IncidentClassificationReason
    The classification reason to close the incident with
    labels Sequence[IncidentLabel]
    List of labels to add to the incident
    owner IncidentOwnerInfo
    Describes a user that the incident is assigned to
    severity str | IncidentSeverity
    The severity of the incident
    status str | IncidentStatus
    The status of the incident
    classification String | "Undetermined" | "TruePositive" | "BenignPositive" | "FalsePositive"
    The reason the incident was closed
    classificationComment String
    Describes the reason the incident was closed
    classificationReason String | "SuspiciousActivity" | "SuspiciousButExpected" | "IncorrectAlertLogic" | "InaccurateData"
    The classification reason to close the incident with
    labels List<Property Map>
    List of labels to add to the incident
    owner Property Map
    Describes a user that the incident is assigned to
    severity String | "High" | "Medium" | "Low" | "Informational"
    The severity of the incident
    status String | "New" | "Active" | "Closed"
    The status of the incident

    AutomationRuleModifyPropertiesActionResponse, AutomationRuleModifyPropertiesActionResponseArgs

    Describes an automation rule action to modify an object's properties
    ActionConfiguration Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleModifyPropertiesActionResponseActionConfiguration
    The configuration of the modify properties automation rule action
    Order int
    The order of execution of the automation rule action
    ActionConfiguration AutomationRuleModifyPropertiesActionResponseActionConfiguration
    The configuration of the modify properties automation rule action
    Order int
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleModifyPropertiesActionResponseActionConfiguration
    The configuration of the modify properties automation rule action
    order Integer
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleModifyPropertiesActionResponseActionConfiguration
    The configuration of the modify properties automation rule action
    order number
    The order of execution of the automation rule action
    action_configuration AutomationRuleModifyPropertiesActionResponseActionConfiguration
    The configuration of the modify properties automation rule action
    order int
    The order of execution of the automation rule action
    actionConfiguration Property Map
    The configuration of the modify properties automation rule action
    order Number
    The order of execution of the automation rule action

    AutomationRuleModifyPropertiesActionResponseActionConfiguration, AutomationRuleModifyPropertiesActionResponseActionConfigurationArgs

    The configuration of the modify properties automation rule action
    Classification string
    The reason the incident was closed
    ClassificationComment string
    Describes the reason the incident was closed
    ClassificationReason string
    The classification reason to close the incident with
    Labels List<Pulumi.AzureNative.SecurityInsights.Inputs.IncidentLabelResponse>
    List of labels to add to the incident
    Owner Pulumi.AzureNative.SecurityInsights.Inputs.IncidentOwnerInfoResponse
    Describes a user that the incident is assigned to
    Severity string
    The severity of the incident
    Status string
    The status of the incident
    Classification string
    The reason the incident was closed
    ClassificationComment string
    Describes the reason the incident was closed
    ClassificationReason string
    The classification reason to close the incident with
    Labels []IncidentLabelResponse
    List of labels to add to the incident
    Owner IncidentOwnerInfoResponse
    Describes a user that the incident is assigned to
    Severity string
    The severity of the incident
    Status string
    The status of the incident
    classification String
    The reason the incident was closed
    classificationComment String
    Describes the reason the incident was closed
    classificationReason String
    The classification reason to close the incident with
    labels List<IncidentLabelResponse>
    List of labels to add to the incident
    owner IncidentOwnerInfoResponse
    Describes a user that the incident is assigned to
    severity String
    The severity of the incident
    status String
    The status of the incident
    classification string
    The reason the incident was closed
    classificationComment string
    Describes the reason the incident was closed
    classificationReason string
    The classification reason to close the incident with
    labels IncidentLabelResponse[]
    List of labels to add to the incident
    owner IncidentOwnerInfoResponse
    Describes a user that the incident is assigned to
    severity string
    The severity of the incident
    status string
    The status of the incident
    classification str
    The reason the incident was closed
    classification_comment str
    Describes the reason the incident was closed
    classification_reason str
    The classification reason to close the incident with
    labels Sequence[IncidentLabelResponse]
    List of labels to add to the incident
    owner IncidentOwnerInfoResponse
    Describes a user that the incident is assigned to
    severity str
    The severity of the incident
    status str
    The status of the incident
    classification String
    The reason the incident was closed
    classificationComment String
    Describes the reason the incident was closed
    classificationReason String
    The classification reason to close the incident with
    labels List<Property Map>
    List of labels to add to the incident
    owner Property Map
    Describes a user that the incident is assigned to
    severity String
    The severity of the incident
    status String
    The status of the incident

    AutomationRulePropertyConditionSupportedOperator, AutomationRulePropertyConditionSupportedOperatorArgs

    EqualsValue
    Equals Evaluates if the property equals at least one of the condition values
    NotEquals
    NotEquals Evaluates if the property does not equal any of the condition values
    Contains
    Contains Evaluates if the property contains at least one of the condition values
    NotContains
    NotContains Evaluates if the property does not contain any of the condition values
    StartsWith
    StartsWith Evaluates if the property starts with any of the condition values
    NotStartsWith
    NotStartsWith Evaluates if the property does not start with any of the condition values
    EndsWith
    EndsWith Evaluates if the property ends with any of the condition values
    NotEndsWith
    NotEndsWith Evaluates if the property does not end with any of the condition values
    AutomationRulePropertyConditionSupportedOperatorEquals
    Equals Evaluates if the property equals at least one of the condition values
    AutomationRulePropertyConditionSupportedOperatorNotEquals
    NotEquals Evaluates if the property does not equal any of the condition values
    AutomationRulePropertyConditionSupportedOperatorContains
    Contains Evaluates if the property contains at least one of the condition values
    AutomationRulePropertyConditionSupportedOperatorNotContains
    NotContains Evaluates if the property does not contain any of the condition values
    AutomationRulePropertyConditionSupportedOperatorStartsWith
    StartsWith Evaluates if the property starts with any of the condition values
    AutomationRulePropertyConditionSupportedOperatorNotStartsWith
    NotStartsWith Evaluates if the property does not start with any of the condition values
    AutomationRulePropertyConditionSupportedOperatorEndsWith
    EndsWith Evaluates if the property ends with any of the condition values
    AutomationRulePropertyConditionSupportedOperatorNotEndsWith
    NotEndsWith Evaluates if the property does not end with any of the condition values
    Equals
    Equals Evaluates if the property equals at least one of the condition values
    NotEquals
    NotEquals Evaluates if the property does not equal any of the condition values
    Contains
    Contains Evaluates if the property contains at least one of the condition values
    NotContains
    NotContains Evaluates if the property does not contain any of the condition values
    StartsWith
    StartsWith Evaluates if the property starts with any of the condition values
    NotStartsWith
    NotStartsWith Evaluates if the property does not start with any of the condition values
    EndsWith
    EndsWith Evaluates if the property ends with any of the condition values
    NotEndsWith
    NotEndsWith Evaluates if the property does not end with any of the condition values
    Equals
    Equals Evaluates if the property equals at least one of the condition values
    NotEquals
    NotEquals Evaluates if the property does not equal any of the condition values
    Contains
    Contains Evaluates if the property contains at least one of the condition values
    NotContains
    NotContains Evaluates if the property does not contain any of the condition values
    StartsWith
    StartsWith Evaluates if the property starts with any of the condition values
    NotStartsWith
    NotStartsWith Evaluates if the property does not start with any of the condition values
    EndsWith
    EndsWith Evaluates if the property ends with any of the condition values
    NotEndsWith
    NotEndsWith Evaluates if the property does not end with any of the condition values
    EQUALS
    Equals Evaluates if the property equals at least one of the condition values
    NOT_EQUALS
    NotEquals Evaluates if the property does not equal any of the condition values
    CONTAINS
    Contains Evaluates if the property contains at least one of the condition values
    NOT_CONTAINS
    NotContains Evaluates if the property does not contain any of the condition values
    STARTS_WITH
    StartsWith Evaluates if the property starts with any of the condition values
    NOT_STARTS_WITH
    NotStartsWith Evaluates if the property does not start with any of the condition values
    ENDS_WITH
    EndsWith Evaluates if the property ends with any of the condition values
    NOT_ENDS_WITH
    NotEndsWith Evaluates if the property does not end with any of the condition values
    "Equals"
    Equals Evaluates if the property equals at least one of the condition values
    "NotEquals"
    NotEquals Evaluates if the property does not equal any of the condition values
    "Contains"
    Contains Evaluates if the property contains at least one of the condition values
    "NotContains"
    NotContains Evaluates if the property does not contain any of the condition values
    "StartsWith"
    StartsWith Evaluates if the property starts with any of the condition values
    "NotStartsWith"
    NotStartsWith Evaluates if the property does not start with any of the condition values
    "EndsWith"
    EndsWith Evaluates if the property ends with any of the condition values
    "NotEndsWith"
    NotEndsWith Evaluates if the property does not end with any of the condition values
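The operator descriptions above are asymmetric: the positive operators are true when at least one condition value matches, while each Not... operator is true only when no value matches. The following added example (not part of the Pulumi or Azure documentation) evaluates conditions locally against a constructed incident, so a rule that reassigns severity or closes incidents can be checked before it is deployed. The propertyName / operator / propertyValues keys, case-insensitive comparison by default, the handling of list-valued and absent properties, and AND-ing of conditions are assumptions of this sketch.

```python
from typing import Callable, Dict, Iterable, List

# Positive operators, per the descriptions above: true when the property
# matches AT LEAST ONE of the condition values.
_POSITIVE: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda prop, value: prop == value,
    "Contains": lambda prop, value: value in prop,
    "StartsWith": lambda prop, value: prop.startswith(value),
    "EndsWith": lambda prop, value: prop.endswith(value),
}
# Each "Not..." operator is the negation: true only when NO value matches.
OPERATORS = tuple(_POSITIVE) + tuple("Not" + name for name in _POSITIVE)


def _as_list(raw) -> List[str]:
    """Normalise a property to a list (assumption: tactics etc. are lists)."""
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    return [str(item) for item in raw]


def evaluate_condition(condition: dict, incident: dict,
                       case_sensitive: bool = False) -> bool:
    """Evaluate one property condition against an incident dictionary.

    Assumed shape: {"propertyName": ..., "operator": ..., "propertyValues": [...]}.
    """
    operator = condition["operator"]
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    values = list(condition["propertyValues"])
    # An empty string makes Contains/StartsWith/EndsWith match everything,
    # which silently turns a narrow rule into a catch-all. Reject it.
    if not values or any(v == "" for v in values):
        raise ValueError("condition needs at least one non-empty value")

    negated = operator.startswith("Not")
    matches = _POSITIVE[operator[3:] if negated else operator]
    fold = (lambda s: s) if case_sensitive else str.casefold  # assumption

    actual = [fold(a) for a in _as_list(incident.get(condition["propertyName"]))]
    wanted = [fold(v) for v in values]
    hit = any(matches(a, w) for a in actual for w in wanted)
    # Note: with an absent property nothing matches, so a Not... operator
    # evaluates to True in this model.
    return not hit if negated else hit


def rule_triggers(conditions: Iterable[dict], incident: dict,
                  case_sensitive: bool = False) -> bool:
    """Assumption: a rule fires only when every condition holds (logical AND)."""
    return all(evaluate_condition(c, incident, case_sensitive) for c in conditions)


# Constructed sample data, for illustration only.
SAMPLE_INCIDENT = {
    "IncidentTitle": "Suspicious PowerShell on HOST-01",
    "IncidentSeverity": "High",
    "IncidentTactics": ["Execution", "Persistence"],
    "AccountUPNSuffix": "contoso.com",
}
SAMPLE_RULE_CONDITIONS = [
    {"propertyName": "IncidentTitle", "operator": "Contains",
     "propertyValues": ["powershell", "mimikatz"]},
    {"propertyName": "IncidentSeverity", "operator": "NotEquals",
     "propertyValues": ["Low", "Informational"]},
]

if __name__ == "__main__":
    for cond in SAMPLE_RULE_CONDITIONS:
        print(cond["operator"], cond["propertyName"], "->",
              evaluate_condition(cond, SAMPLE_INCIDENT))
    print("rule fires:", rule_triggers(SAMPLE_RULE_CONDITIONS, SAMPLE_INCIDENT))
```

A Not... condition on a property the incident does not carry evaluates to true here, so pair negative conditions with a positive one when the action closes or downgrades incidents.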

    AutomationRulePropertyConditionSupportedProperty, AutomationRulePropertyConditionSupportedPropertyArgs

    IncidentTitle
    IncidentTitle The title of the incident
    IncidentDescription
    IncidentDescription The description of the incident
    IncidentSeverity
    IncidentSeverity The severity of the incident
    IncidentStatus
    IncidentStatus The status of the incident
    IncidentTactics
    IncidentTactics The tactics of the incident
    IncidentRelatedAnalyticRuleIds
    IncidentRelatedAnalyticRuleIds The related Analytic rule ids of the incident
    IncidentProviderName
    IncidentProviderName The provider name of the incident
    AccountAadTenantId
    AccountAadTenantId The account Azure Active Directory tenant id
    AccountAadUserId
    AccountAadUserId The account Azure Active Directory user id.
    AccountName
    AccountName The account name
    AccountNTDomain
    AccountNTDomain The account NetBIOS domain name
    AccountPUID
    AccountPUID The account Azure Active Directory Passport User ID
    AccountSid
    AccountSid The account security identifier
    AccountObjectGuid
    AccountObjectGuid The account unique identifier
    AccountUPNSuffix
    AccountUPNSuffix The account user principal name suffix
    AzureResourceResourceId
    AzureResourceResourceId The Azure resource id
    AzureResourceSubscriptionId
    AzureResourceSubscriptionId The Azure resource subscription id
    CloudApplicationAppId
    CloudApplicationAppId The cloud application identifier
    CloudApplicationAppName
    CloudApplicationAppName The cloud application name
    DNSDomainName
    DNSDomainName The DNS record domain name
    FileDirectory
    FileDirectory The file directory full path
    FileName
    FileName The file name without path
    FileHashValue
    FileHashValue The file hash value
    HostAzureID
    HostAzureID The host Azure resource id
    HostName
    HostName The host name without domain
    HostNetBiosName
    HostNetBiosName The host NetBIOS name
    HostNTDomain
    HostNTDomain The host NT domain
    HostOSVersion
    HostOSVersion The host operating system
    IoTDeviceId
    IoTDeviceId The IoT device id
    IoTDeviceName
    IoTDeviceName The IoT device name
    IoTDeviceType
    IoTDeviceType The IoT device type
    IoTDeviceVendor
    IoTDeviceVendor The IoT device vendor
    IoTDeviceModel
    IoTDeviceModel The IoT device model
    IoTDeviceOperatingSystem
    IoTDeviceOperatingSystem The IoT device operating system
    IPAddress
    IPAddress The IP address
    MailboxDisplayName
    MailboxDisplayName The mailbox display name
    MailboxPrimaryAddress
    MailboxPrimaryAddress The mailbox primary address
    MailboxUPN
    MailboxUPN The mailbox user principal name
    MailMessageDeliveryAction
    MailMessageDeliveryAction The mail message delivery action
    MailMessageDeliveryLocation
    MailMessageDeliveryLocation The mail message delivery location
    MailMessageRecipient
    MailMessageRecipient The mail message recipient
    MailMessageSenderIP
    MailMessageSenderIP The mail message sender IP address
    MailMessageSubject
    MailMessageSubject The mail message subject
    MailMessageP1Sender
    MailMessageP1Sender The mail message P1 sender
    MailMessageP2Sender
    MailMessageP2Sender The mail message P2 sender
    MalwareCategory
    MalwareCategory The malware category
    MalwareName
    MalwareName The malware name
    ProcessCommandLine
    ProcessCommandLine The process execution command line
    ProcessId
    ProcessId The process id
    RegistryKey
    RegistryKey The registry key path
    RegistryValueData
    RegistryValueData The registry key value in string formatted representation
    Url
    Url The URL
    AutomationRulePropertyConditionSupportedPropertyIncidentTitle
    IncidentTitle The title of the incident
    AutomationRulePropertyConditionSupportedPropertyIncidentDescription
    IncidentDescription The description of the incident
    AutomationRulePropertyConditionSupportedPropertyIncidentSeverity
    IncidentSeverity The severity of the incident
    AutomationRulePropertyConditionSupportedPropertyIncidentStatus
    IncidentStatus The status of the incident
    AutomationRulePropertyConditionSupportedPropertyIncidentTactics
    IncidentTactics The tactics of the incident
    AutomationRulePropertyConditionSupportedPropertyIncidentRelatedAnalyticRuleIds
    IncidentRelatedAnalyticRuleIds The related Analytic rule ids of the incident
    AutomationRulePropertyConditionSupportedPropertyIncidentProviderName
    IncidentProviderName The provider name of the incident
    AutomationRulePropertyConditionSupportedPropertyAccountAadTenantId
    AccountAadTenantId The account Azure Active Directory tenant id
    AutomationRulePropertyConditionSupportedPropertyAccountAadUserId
    AccountAadUserId The account Azure Active Directory user id.
    AutomationRulePropertyConditionSupportedPropertyAccountName
    AccountName The account name
    AutomationRulePropertyConditionSupportedPropertyAccountNTDomain
    AccountNTDomain The account NetBIOS domain name
    AutomationRulePropertyConditionSupportedPropertyAccountPUID
    AccountPUID The account Azure Active Directory Passport User ID
    AutomationRulePropertyConditionSupportedPropertyAccountSid
    AccountSid The account security identifier
    AutomationRulePropertyConditionSupportedPropertyAccountObjectGuid
    AccountObjectGuid The account unique identifier
    AutomationRulePropertyConditionSupportedPropertyAccountUPNSuffix
    AccountUPNSuffix The account user principal name suffix
    AutomationRulePropertyConditionSupportedPropertyAzureResourceResourceId
    AzureResourceResourceId The Azure resource id
    AutomationRulePropertyConditionSupportedPropertyAzureResourceSubscriptionId
    AzureResourceSubscriptionId The Azure resource subscription id
    AutomationRulePropertyConditionSupportedPropertyCloudApplicationAppId
    CloudApplicationAppId The cloud application identifier
    AutomationRulePropertyConditionSupportedPropertyCloudApplicationAppName
    CloudApplicationAppName The cloud application name
    AutomationRulePropertyConditionSupportedPropertyDNSDomainName
    DNSDomainName The DNS record domain name
    AutomationRulePropertyConditionSupportedPropertyFileDirectory
    FileDirectory The file directory full path
    AutomationRulePropertyConditionSupportedPropertyFileName
    FileName The file name without path
    AutomationRulePropertyConditionSupportedPropertyFileHashValue
    FileHashValue The file hash value
    AutomationRulePropertyConditionSupportedPropertyHostAzureID
    HostAzureID The host Azure resource id
    AutomationRulePropertyConditionSupportedPropertyHostName
    HostName The host name without domain
    AutomationRulePropertyConditionSupportedPropertyHostNetBiosName
    HostNetBiosName The host NetBIOS name
    AutomationRulePropertyConditionSupportedPropertyHostNTDomain
    HostNTDomain The host NT domain
    AutomationRulePropertyConditionSupportedPropertyHostOSVersion
    HostOSVersion The host operating system
    AutomationRulePropertyConditionSupportedPropertyIoTDeviceId
    IoTDeviceId The IoT device id
    AutomationRulePropertyConditionSupportedPropertyIoTDeviceName
    IoTDeviceName The IoT device name
    AutomationRulePropertyConditionSupportedPropertyIoTDeviceType
    IoTDeviceType The IoT device type
    AutomationRulePropertyConditionSupportedPropertyIoTDeviceVendor
    IoTDeviceVendor The IoT device vendor
    AutomationRulePropertyConditionSupportedPropertyIoTDeviceModel
    IoTDeviceModel The IoT device model
    AutomationRulePropertyConditionSupportedPropertyIoTDeviceOperatingSystem
    IoTDeviceOperatingSystem The IoT device operating system
    AutomationRulePropertyConditionSupportedPropertyIPAddress
    IPAddress The IP address
    AutomationRulePropertyConditionSupportedPropertyMailboxDisplayName
    MailboxDisplayName The mailbox display name
    AutomationRulePropertyConditionSupportedPropertyMailboxPrimaryAddress
    MailboxPrimaryAddress The mailbox primary address
    AutomationRulePropertyConditionSupportedPropertyMailboxUPN
    MailboxUPN The mailbox user principal name
    AutomationRulePropertyConditionSupportedPropertyMailMessageDeliveryAction
    MailMessageDeliveryAction The mail message delivery action
    AutomationRulePropertyConditionSupportedPropertyMailMessageDeliveryLocation
    MailMessageDeliveryLocation The mail message delivery location
    AutomationRulePropertyConditionSupportedPropertyMailMessageRecipient
    MailMessageRecipient The mail message recipient
    AutomationRulePropertyConditionSupportedPropertyMailMessageSenderIP
    MailMessageSenderIP The mail message sender IP address
    AutomationRulePropertyConditionSupportedPropertyMailMessageSubject
    MailMessageSubject The mail message subject
    AutomationRulePropertyConditionSupportedPropertyMailMessageP1Sender
    MailMessageP1Sender The mail message P1 sender
    AutomationRulePropertyConditionSupportedPropertyMailMessageP2Sender
    MailMessageP2Sender The mail message P2 sender
    AutomationRulePropertyConditionSupportedPropertyMalwareCategory
    MalwareCategory The malware category
    AutomationRulePropertyConditionSupportedPropertyMalwareName
    MalwareName The malware name
    AutomationRulePropertyConditionSupportedPropertyProcessCommandLine
    ProcessCommandLine The process execution command line
    AutomationRulePropertyConditionSupportedPropertyProcessId
    ProcessId The process id
    AutomationRulePropertyConditionSupportedPropertyRegistryKey
    RegistryKey The registry key path
    AutomationRulePropertyConditionSupportedPropertyRegistryValueData
    RegistryValueData The registry key value in string formatted representation
    AutomationRulePropertyConditionSupportedPropertyUrl
    Url The URL
    IncidentTitle
    IncidentTitle The title of the incident
    IncidentDescription
    IncidentDescription The description of the incident
    IncidentSeverity
    IncidentSeverity The severity of the incident
    IncidentStatus
    IncidentStatus The status of the incident
    IncidentTactics
    IncidentTactics The tactics of the incident
    IncidentRelatedAnalyticRuleIds
    IncidentRelatedAnalyticRuleIds The related Analytic rule ids of the incident
    IncidentProviderName
    IncidentProviderName The provider name of the incident
    AccountAadTenantId
    AccountAadTenantId The account Azure Active Directory tenant id
    AccountAadUserId
    AccountAadUserId The account Azure Active Directory user id.
    AccountName
    AccountName The account name
    AccountNTDomain
    AccountNTDomain The account NetBIOS domain name
    AccountPUID
    AccountPUID The account Azure Active Directory Passport User ID
    AccountSid
    AccountSid The account security identifier
    AccountObjectGuid
    AccountObjectGuid The account unique identifier
    AccountUPNSuffix
    AccountUPNSuffix The account user principal name suffix
    AzureResourceResourceId
    AzureResourceResourceId The Azure resource id
    AzureResourceSubscriptionId
    AzureResourceSubscriptionId The Azure resource subscription id
    CloudApplicationAppId
    CloudApplicationAppId The cloud application identifier
    CloudApplicationAppName
    CloudApplicationAppName The cloud application name
    DNSDomainName
    DNSDomainName The DNS record domain name
    FileDirectory
    FileDirectory The file directory full path
    FileName
    FileName The file name without path
    FileHashValue
    FileHashValue The file hash value
    HostAzureID
    HostAzureID The host Azure resource id
    HostName
    HostName The host name without domain
    HostNetBiosName
    HostNetBiosName The host NetBIOS name
    HostNTDomain
    HostNTDomain The host NT domain
    HostOSVersion
    HostOSVersion The host operating system
    IoTDeviceId
    IoTDeviceId The IoT device id
    IoTDeviceName
    IoTDeviceName The IoT device name
    IoTDeviceType
    IoTDeviceType The IoT device type
    IoTDeviceVendor
    IoTDeviceVendor The IoT device vendor
    IoTDeviceModel
    IoTDeviceModel The IoT device model
    IoTDeviceOperatingSystem
    IoTDeviceOperatingSystem The IoT device operating system
    IPAddress
    IPAddress The IP address
    MailboxDisplayName
    MailboxDisplayName The mailbox display name
    MailboxPrimaryAddress
    MailboxPrimaryAddress The mailbox primary address
    MailboxUPN
    MailboxUPN The mailbox user principal name
    MailMessageDeliveryAction
    MailMessageDeliveryAction The mail message delivery action
    MailMessageDeliveryLocation
    MailMessageDeliveryLocation The mail message delivery location
    MailMessageRecipient
    MailMessageRecipient The mail message recipient
    MailMessageSenderIP
    MailMessageSenderIP The mail message sender IP address
    MailMessageSubject
    MailMessageSubject The mail message subject
    MailMessageP1Sender
    MailMessageP1Sender The mail message P1 sender
    MailMessageP2Sender
    MailMessageP2Sender The mail message P2 sender
    MalwareCategory
    MalwareCategory The malware category
    MalwareName
    MalwareName The malware name
    ProcessCommandLine
    ProcessCommandLine The process execution command line
    ProcessId
    ProcessId The process id
    RegistryKey
    RegistryKey The registry key path
    RegistryValueData
    RegistryValueData The registry key value in string formatted representation
    Url
    Url The URL
    IncidentTitle
    IncidentTitle The title of the incident
    IncidentDescription
    IncidentDescription The description of the incident
    IncidentSeverity
    IncidentSeverity The severity of the incident
    IncidentStatus
    IncidentStatus The status of the incident
    IncidentTactics
    IncidentTactics The tactics of the incident
    IncidentRelatedAnalyticRuleIds
    IncidentRelatedAnalyticRuleIds The related Analytic rule ids of the incident
    IncidentProviderName
    IncidentProviderName The provider name of the incident
    AccountAadTenantId
    AccountAadTenantId The account Azure Active Directory tenant id
    AccountAadUserId
    AccountAadUserId The account Azure Active Directory user id.
    AccountName
    AccountName The account name
    AccountNTDomain
    AccountNTDomain The account NetBIOS domain name
    AccountPUID
    AccountPUID The account Azure Active Directory Passport User ID
    AccountSid
    AccountSid The account security identifier
    AccountObjectGuid
    AccountObjectGuid The account unique identifier
    AccountUPNSuffix
    AccountUPNSuffix The account user principal name suffix
    AzureResourceResourceId
    AzureResourceResourceId The Azure resource id
    AzureResourceSubscriptionId
    AzureResourceSubscriptionId The Azure resource subscription id
    CloudApplicationAppId
    CloudApplicationAppId The cloud application identifier
    CloudApplicationAppName
    CloudApplicationAppName The cloud application name
    DNSDomainName
    DNSDomainName The DNS record domain name
    FileDirectory
    FileDirectory The file directory full path
    FileName
    FileName The file name without path
    FileHashValue
    FileHashValue The file hash value
    HostAzureID
    HostAzureID The host Azure resource id
    HostName
    HostName The host name without domain
    HostNetBiosName
    HostNetBiosName The host NetBIOS name
    HostNTDomain
    HostNTDomain The host NT domain
    HostOSVersion
    HostOSVersion The host operating system
    IoTDeviceId
    IoTDeviceId The IoT device id
    IoTDeviceName
    IoTDeviceName The IoT device name
    IoTDeviceType
    IoTDeviceType The IoT device type
    IoTDeviceVendor
    IoTDeviceVendor The IoT device vendor
    IoTDeviceModel
    IoTDeviceModel The IoT device model
    IoTDeviceOperatingSystem
    IoTDeviceOperatingSystem The IoT device operating system
    IPAddress
    IPAddress The IP address
    MailboxDisplayName
    MailboxDisplayName The mailbox display name
    MailboxPrimaryAddress
    MailboxPrimaryAddress The mailbox primary address
    MailboxUPN
    MailboxUPN The mailbox user principal name
    MailMessageDeliveryAction
    MailMessageDeliveryAction The mail message delivery action
    MailMessageDeliveryLocation
    MailMessageDeliveryLocation The mail message delivery location
    MailMessageRecipient
    MailMessageRecipient The mail message recipient
    MailMessageSenderIP
    MailMessageSenderIP The mail message sender IP address
    MailMessageSubject
    MailMessageSubject The mail message subject
    MailMessageP1Sender
    MailMessageP1Sender The mail message P1 sender
    MailMessageP2Sender
    MailMessageP2Sender The mail message P2 sender
    MalwareCategory
    MalwareCategory The malware category
    MalwareName
    MalwareName The malware name
    ProcessCommandLine
    ProcessCommandLine The process execution command line
    ProcessId
    ProcessId The process id
    RegistryKey
    RegistryKey The registry key path
    RegistryValueData
    RegistryValueData The registry key value in string formatted representation
    Url
    Url The URL
    INCIDENT_TITLE
    IncidentTitle The title of the incident
    INCIDENT_DESCRIPTION
    IncidentDescription The description of the incident
    INCIDENT_SEVERITY
    IncidentSeverity The severity of the incident
    INCIDENT_STATUS
    IncidentStatus The status of the incident
    INCIDENT_TACTICS
    IncidentTactics The tactics of the incident
    INCIDENT_RELATED_ANALYTIC_RULE_IDS
    IncidentRelatedAnalyticRuleIds The related Analytic rule ids of the incident
    INCIDENT_PROVIDER_NAME
    IncidentProviderName The provider name of the incident
    ACCOUNT_AAD_TENANT_ID
    AccountAadTenantId The account Azure Active Directory tenant id
    ACCOUNT_AAD_USER_ID
    AccountAadUserId The account Azure Active Directory user id.
    ACCOUNT_NAME
    AccountName The account name
    ACCOUNT_NT_DOMAIN
    AccountNTDomain The account NetBIOS domain name
    ACCOUNT_PUID
    AccountPUID The account Azure Active Directory Passport User ID
    ACCOUNT_SID
    AccountSid The account security identifier
    ACCOUNT_OBJECT_GUID
    AccountObjectGuid The account unique identifier
    ACCOUNT_UPN_SUFFIX
    AccountUPNSuffix The account user principal name suffix
    AZURE_RESOURCE_RESOURCE_ID
    AzureResourceResourceId The Azure resource id
    AZURE_RESOURCE_SUBSCRIPTION_ID
    AzureResourceSubscriptionId The Azure resource subscription id
    CLOUD_APPLICATION_APP_ID
    CloudApplicationAppId The cloud application identifier
    CLOUD_APPLICATION_APP_NAME
    CloudApplicationAppName The cloud application name
    DNS_DOMAIN_NAME
    DNSDomainName The DNS record domain name
    FILE_DIRECTORY
    FileDirectory The file directory full path
    FILE_NAME
    FileName The file name without path
    FILE_HASH_VALUE
    FileHashValue The file hash value
    HOST_AZURE_ID
    HostAzureID The host Azure resource id
    HOST_NAME
    HostName The host name without domain
    HOST_NET_BIOS_NAME
    HostNetBiosName The host NetBIOS name
    HOST_NT_DOMAIN
    HostNTDomain The host NT domain
    HOST_OS_VERSION
    HostOSVersion The host operating system
    IO_T_DEVICE_ID
    IoTDeviceId The IoT device id
    IO_T_DEVICE_NAME
    IoTDeviceName The IoT device name
    IO_T_DEVICE_TYPE
    IoTDeviceType The IoT device type
    IO_T_DEVICE_VENDOR
    IoTDeviceVendor The IoT device vendor
    IO_T_DEVICE_MODEL
    IoTDeviceModel The IoT device model
    IO_T_DEVICE_OPERATING_SYSTEM
    IoTDeviceOperatingSystem The IoT device operating system
    IP_ADDRESS
    IPAddress The IP address
    MAILBOX_DISPLAY_NAME
    MailboxDisplayName The mailbox display name
    MAILBOX_PRIMARY_ADDRESS
    MailboxPrimaryAddress The mailbox primary address
    MAILBOX_UPN
    MailboxUPN The mailbox user principal name
    MAIL_MESSAGE_DELIVERY_ACTION
    MailMessageDeliveryAction The mail message delivery action
    MAIL_MESSAGE_DELIVERY_LOCATION
    MailMessageDeliveryLocation The mail message delivery location
    MAIL_MESSAGE_RECIPIENT
    MailMessageRecipient The mail message recipient
    MAIL_MESSAGE_SENDER_IP
    MailMessageSenderIP The mail message sender IP address
    MAIL_MESSAGE_SUBJECT
    MailMessageSubject The mail message subject
    MAIL_MESSAGE_P1_SENDER
    MailMessageP1Sender The mail message P1 sender
    MAIL_MESSAGE_P2_SENDER
    MailMessageP2Sender The mail message P2 sender
    MALWARE_CATEGORY
    MalwareCategory The malware category
    MALWARE_NAME
    MalwareName The malware name
    PROCESS_COMMAND_LINE
    ProcessCommandLine The process execution command line
    PROCESS_ID
    ProcessId The process id
    REGISTRY_KEY
    RegistryKey The registry key path
    REGISTRY_VALUE_DATA
    RegistryValueData The registry key value in string formatted representation
    URL
    Url The URL
    "IncidentTitle"
    IncidentTitle The title of the incident
    "IncidentDescription"
    IncidentDescription The description of the incident
    "IncidentSeverity"
    IncidentSeverity The severity of the incident
    "IncidentStatus"
    IncidentStatus The status of the incident
    "IncidentTactics"
    IncidentTactics The tactics of the incident
    "IncidentRelatedAnalyticRuleIds"
    IncidentRelatedAnalyticRuleIds The related Analytic rule ids of the incident
    "IncidentProviderName"
    IncidentProviderName The provider name of the incident
    "AccountAadTenantId"
    AccountAadTenantId The account Azure Active Directory tenant id
    "AccountAadUserId"
    AccountAadUserId The account Azure Active Directory user id.
    "AccountName"
    AccountName The account name
    "AccountNTDomain"
    AccountNTDomain The account NetBIOS domain name
    "AccountPUID"
    AccountPUID The account Azure Active Directory Passport User ID
    "AccountSid"
    AccountSid The account security identifier
    "AccountObjectGuid"
    AccountObjectGuid The account unique identifier
    "AccountUPNSuffix"
    AccountUPNSuffix The account user principal name suffix
    "AzureResourceResourceId"
    AzureResourceResourceId The Azure resource id
    "AzureResourceSubscriptionId"
    AzureResourceSubscriptionId The Azure resource subscription id
    "CloudApplicationAppId"
    CloudApplicationAppId The cloud application identifier
    "CloudApplicationAppName"
    CloudApplicationAppName The cloud application name
    "DNSDomainName"
    DNSDomainName The DNS record domain name
    "FileDirectory"
    FileDirectory The file directory full path
    "FileName"
    FileName The file name without path
    "FileHashValue"
    FileHashValue The file hash value
    "HostAzureID"
    HostAzureID The host Azure resource id
    "HostName"
    HostName The host name without domain
    "HostNetBiosName"
    HostNetBiosName The host NetBIOS name
    "HostNTDomain"
    HostNTDomain The host NT domain
    "HostOSVersion"
    HostOSVersion The host operating system
    "IoTDeviceId"
    IoTDeviceId The IoT device id
    "IoTDeviceName"
    IoTDeviceName The IoT device name
    "IoTDeviceType"
    IoTDeviceType The IoT device type
    "IoTDeviceVendor"
    IoTDeviceVendor The IoT device vendor
    "IoTDeviceModel"
    IoTDeviceModel The IoT device model
    "IoTDeviceOperatingSystem"
    IoTDeviceOperatingSystem The IoT device operating system
    "IPAddress"
    IPAddress The IP address
    "MailboxDisplayName"
    MailboxDisplayName The mailbox display name
    "MailboxPrimaryAddress"
    MailboxPrimaryAddress The mailbox primary address
    "MailboxUPN"
    MailboxUPN The mailbox user principal name
    "MailMessageDeliveryAction"
    MailMessageDeliveryAction The mail message delivery action
    "MailMessageDeliveryLocation"
    MailMessageDeliveryLocation The mail message delivery location
    "MailMessageRecipient"
    MailMessageRecipient The mail message recipient
    "MailMessageSenderIP"
    MailMessageSenderIP The mail message sender IP address
    "MailMessageSubject"
    MailMessageSubject The mail message subject
    "MailMessageP1Sender"
    MailMessageP1Sender The mail message P1 sender
    "MailMessageP2Sender"
    MailMessageP2Sender The mail message P2 sender
    "MalwareCategory"
    MalwareCategory The malware category
    "MalwareName"
    MalwareName The malware name
    "ProcessCommandLine"
    ProcessCommandLine The process execution command line
    "ProcessId"
    ProcessId The process id
    "RegistryKey"
    RegistryKey The registry key path
    "RegistryValueData"
    RegistryValueData The registry key value in string formatted representation
    "Url"
    Url The URL

    AutomationRulePropertyValuesCondition, AutomationRulePropertyValuesConditionArgs

    Describes an automation rule condition that evaluates a property's value
    ConditionProperties AutomationRulePropertyValuesConditionConditionProperties
    The configuration of the automation rule condition
    conditionProperties AutomationRulePropertyValuesConditionConditionProperties
    The configuration of the automation rule condition
    conditionProperties AutomationRulePropertyValuesConditionConditionProperties
    The configuration of the automation rule condition
    condition_properties AutomationRulePropertyValuesConditionConditionProperties
    The configuration of the automation rule condition
    conditionProperties Property Map
    The configuration of the automation rule condition

    AutomationRulePropertyValuesConditionConditionProperties, AutomationRulePropertyValuesConditionConditionPropertiesArgs

    The configuration of the automation rule condition
    Operator string | Pulumi.AzureNative.SecurityInsights.AutomationRulePropertyConditionSupportedOperator
    The operator to use for evaluating the condition
    PropertyName string | Pulumi.AzureNative.SecurityInsights.AutomationRulePropertyConditionSupportedProperty
    The property to evaluate
    PropertyValues List<string>
    The values to use for evaluating the condition
    Operator string | AutomationRulePropertyConditionSupportedOperator
    The operator to use for evaluating the condition
    PropertyName string | AutomationRulePropertyConditionSupportedProperty
    The property to evaluate
    PropertyValues []string
    The values to use for evaluating the condition
    operator String | AutomationRulePropertyConditionSupportedOperator
    The operator to use for evaluating the condition
    propertyName String | AutomationRulePropertyConditionSupportedProperty
    The property to evaluate
    propertyValues List<String>
    The values to use for evaluating the condition
    operator string | AutomationRulePropertyConditionSupportedOperator
    The operator to use for evaluating the condition
    propertyName string | AutomationRulePropertyConditionSupportedProperty
    The property to evaluate
    propertyValues string[]
    The values to use for evaluating the condition
    operator str | AutomationRulePropertyConditionSupportedOperator
    The operator to use for evaluating the condition
    property_name str | AutomationRulePropertyConditionSupportedProperty
    The property to evaluate
    property_values Sequence[str]
    The values to use for evaluating the condition
    operator String | "Equals" | "NotEquals" | "Contains" | "NotContains" | "StartsWith" | "NotStartsWith" | "EndsWith" | "NotEndsWith"
    The operator to use for evaluating the condition
    propertyName String | "IncidentTitle" | "IncidentDescription" | "IncidentSeverity" | "IncidentStatus" | "IncidentTactics" | "IncidentRelatedAnalyticRuleIds" | "IncidentProviderName" | "AccountAadTenantId" | "AccountAadUserId" | "AccountName" | "AccountNTDomain" | "AccountPUID" | "AccountSid" | "AccountObjectGuid" | "AccountUPNSuffix" | "AzureResourceResourceId" | "AzureResourceSubscriptionId" | "CloudApplicationAppId" | "CloudApplicationAppName" | "DNSDomainName" | "FileDirectory" | "FileName" | "FileHashValue" | "HostAzureID" | "HostName" | "HostNetBiosName" | "HostNTDomain" | "HostOSVersion" | "IoTDeviceId" | "IoTDeviceName" | "IoTDeviceType" | "IoTDeviceVendor" | "IoTDeviceModel" | "IoTDeviceOperatingSystem" | "IPAddress" | "MailboxDisplayName" | "MailboxPrimaryAddress" | "MailboxUPN" | "MailMessageDeliveryAction" | "MailMessageDeliveryLocation" | "MailMessageRecipient" | "MailMessageSenderIP" | "MailMessageSubject" | "MailMessageP1Sender" | "MailMessageP2Sender" | "MalwareCategory" | "MalwareName" | "ProcessCommandLine" | "ProcessId" | "RegistryKey" | "RegistryValueData" | "Url"
    The property to evaluate
    propertyValues List<String>
    The values to use for evaluating the condition

    AutomationRulePropertyValuesConditionResponse, AutomationRulePropertyValuesConditionResponseArgs

    Describes an automation rule condition that evaluates a property's value
    conditionProperties Property Map
    The configuration of the automation rule condition

    AutomationRulePropertyValuesConditionResponseConditionProperties, AutomationRulePropertyValuesConditionResponseConditionPropertiesArgs

    The configuration of the automation rule condition
    Operator string
    The operator to use for evaluating the condition
    PropertyName string
    The property to evaluate
    PropertyValues List<string>
    The values to use for evaluating the condition
    Operator string
    The operator to use for evaluating the condition
    PropertyName string
    The property to evaluate
    PropertyValues []string
    The values to use for evaluating the condition
    operator String
    The operator to use for evaluating the condition
    propertyName String
    The property to evaluate
    propertyValues List<String>
    The values to use for evaluating the condition
    operator string
    The operator to use for evaluating the condition
    propertyName string
    The property to evaluate
    propertyValues string[]
    The values to use for evaluating the condition
    operator str
    The operator to use for evaluating the condition
    property_name str
    The property to evaluate
    property_values Sequence[str]
    The values to use for evaluating the condition
    operator String
    The operator to use for evaluating the condition
    propertyName String
    The property to evaluate
    propertyValues List<String>
    The values to use for evaluating the condition

    AutomationRuleRunPlaybookAction, AutomationRuleRunPlaybookActionArgs

    Describes an automation rule action to run a playbook
    ActionConfiguration Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleRunPlaybookActionActionConfiguration
    The configuration of the run playbook automation rule action
    Order int
    The order of execution of the automation rule action
    ActionConfiguration AutomationRuleRunPlaybookActionActionConfiguration
    The configuration of the run playbook automation rule action
    Order int
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleRunPlaybookActionActionConfiguration
    The configuration of the run playbook automation rule action
    order Integer
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleRunPlaybookActionActionConfiguration
    The configuration of the run playbook automation rule action
    order number
    The order of execution of the automation rule action
    action_configuration AutomationRuleRunPlaybookActionActionConfiguration
    The configuration of the run playbook automation rule action
    order int
    The order of execution of the automation rule action
    actionConfiguration Property Map
    The configuration of the run playbook automation rule action
    order Number
    The order of execution of the automation rule action

    AutomationRuleRunPlaybookActionActionConfiguration, AutomationRuleRunPlaybookActionActionConfigurationArgs

    The configuration of the run playbook automation rule action
    LogicAppResourceId string
    The resource id of the playbook resource
    TenantId string
    The tenant id of the playbook resource
    LogicAppResourceId string
    The resource id of the playbook resource
    TenantId string
    The tenant id of the playbook resource
    logicAppResourceId String
    The resource id of the playbook resource
    tenantId String
    The tenant id of the playbook resource
    logicAppResourceId string
    The resource id of the playbook resource
    tenantId string
    The tenant id of the playbook resource
    logic_app_resource_id str
    The resource id of the playbook resource
    tenant_id str
    The tenant id of the playbook resource
    logicAppResourceId String
    The resource id of the playbook resource
    tenantId String
    The tenant id of the playbook resource

    AutomationRuleRunPlaybookActionResponse, AutomationRuleRunPlaybookActionResponseArgs

    Describes an automation rule action to run a playbook
    ActionConfiguration Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRuleRunPlaybookActionResponseActionConfiguration
    The configuration of the run playbook automation rule action
    Order int
    The order of execution of the automation rule action
    ActionConfiguration AutomationRuleRunPlaybookActionResponseActionConfiguration
    The configuration of the run playbook automation rule action
    Order int
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleRunPlaybookActionResponseActionConfiguration
    The configuration of the run playbook automation rule action
    order Integer
    The order of execution of the automation rule action
    actionConfiguration AutomationRuleRunPlaybookActionResponseActionConfiguration
    The configuration of the run playbook automation rule action
    order number
    The order of execution of the automation rule action
    action_configuration AutomationRuleRunPlaybookActionResponseActionConfiguration
    The configuration of the run playbook automation rule action
    order int
    The order of execution of the automation rule action
    actionConfiguration Property Map
    The configuration of the run playbook automation rule action
    order Number
    The order of execution of the automation rule action

    AutomationRuleRunPlaybookActionResponseActionConfiguration, AutomationRuleRunPlaybookActionResponseActionConfigurationArgs

    The configuration of the run playbook automation rule action
    LogicAppResourceId string
    The resource id of the playbook resource
    TenantId string
    The tenant id of the playbook resource
    LogicAppResourceId string
    The resource id of the playbook resource
    TenantId string
    The tenant id of the playbook resource
    logicAppResourceId String
    The resource id of the playbook resource
    tenantId String
    The tenant id of the playbook resource
    logicAppResourceId string
    The resource id of the playbook resource
    tenantId string
    The tenant id of the playbook resource
    logic_app_resource_id str
    The resource id of the playbook resource
    tenant_id str
    The tenant id of the playbook resource
    logicAppResourceId String
    The resource id of the playbook resource
    tenantId String
    The tenant id of the playbook resource

    AutomationRuleTriggeringLogic, AutomationRuleTriggeringLogicArgs

    Describes automation rule triggering logic
    IsEnabled bool
    Determines whether the automation rule is enabled or disabled.
    TriggersOn string | Pulumi.AzureNative.SecurityInsights.TriggersOn
    The type of object the automation rule triggers on
    TriggersWhen string | Pulumi.AzureNative.SecurityInsights.TriggersWhen
    The type of event the automation rule triggers on
    Conditions List<Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRulePropertyValuesCondition>
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    ExpirationTimeUtc string
    Determines when the automation rule should automatically expire and be disabled.
    IsEnabled bool
    Determines whether the automation rule is enabled or disabled.
    TriggersOn string | TriggersOn
    The type of object the automation rule triggers on
    TriggersWhen string | TriggersWhen
    The type of event the automation rule triggers on
    Conditions []AutomationRulePropertyValuesCondition
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    ExpirationTimeUtc string
    Determines when the automation rule should automatically expire and be disabled.
    isEnabled Boolean
    Determines whether the automation rule is enabled or disabled.
    triggersOn String | TriggersOn
    The type of object the automation rule triggers on
    triggersWhen String | TriggersWhen
    The type of event the automation rule triggers on
    conditions List<AutomationRulePropertyValuesCondition>
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expirationTimeUtc String
    Determines when the automation rule should automatically expire and be disabled.
    isEnabled boolean
    Determines whether the automation rule is enabled or disabled.
    triggersOn string | TriggersOn
    The type of object the automation rule triggers on
    triggersWhen string | TriggersWhen
    The type of event the automation rule triggers on
    conditions AutomationRulePropertyValuesCondition[]
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expirationTimeUtc string
    Determines when the automation rule should automatically expire and be disabled.
    is_enabled bool
    Determines whether the automation rule is enabled or disabled.
    triggers_on str | TriggersOn
    The type of object the automation rule triggers on
    triggers_when str | TriggersWhen
    The type of event the automation rule triggers on
    conditions Sequence[AutomationRulePropertyValuesCondition]
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expiration_time_utc str
    Determines when the automation rule should automatically expire and be disabled.
    isEnabled Boolean
    Determines whether the automation rule is enabled or disabled.
    triggersOn String | "Incidents"
    The type of object the automation rule triggers on
    triggersWhen String | "Created"
    The type of event the automation rule triggers on
    conditions List<Property Map>
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expirationTimeUtc String
    Determines when the automation rule should automatically expire and be disabled.
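
A pre-deployment lint for the condition, run-playbook and triggering-logic types described above, as an added example that is not part of the Pulumi or Azure documentation. It checks a rule definition against the enum values listed on this page and against allowlists of tenants and subscriptions; the dict layout mirrors the camelCase property names on this page, while `lint_rule`, the allowlists and the sample rules are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Enum values copied from the operator and propertyName listings on this page.
SUPPORTED_OPERATORS = {"Equals", "NotEquals", "Contains", "NotContains",
                       "StartsWith", "NotStartsWith", "EndsWith", "NotEndsWith"}
SUPPORTED_PROPERTIES = set("""
IncidentTitle IncidentDescription IncidentSeverity IncidentStatus IncidentTactics
IncidentRelatedAnalyticRuleIds IncidentProviderName AccountAadTenantId AccountAadUserId
AccountName AccountNTDomain AccountPUID AccountSid AccountObjectGuid AccountUPNSuffix
AzureResourceResourceId AzureResourceSubscriptionId CloudApplicationAppId
CloudApplicationAppName DNSDomainName FileDirectory FileName FileHashValue HostAzureID
HostName HostNetBiosName HostNTDomain HostOSVersion IoTDeviceId IoTDeviceName IoTDeviceType
IoTDeviceVendor IoTDeviceModel IoTDeviceOperatingSystem IPAddress MailboxDisplayName
MailboxPrimaryAddress MailboxUPN MailMessageDeliveryAction MailMessageDeliveryLocation
MailMessageRecipient MailMessageSenderIP MailMessageSubject MailMessageP1Sender
MailMessageP2Sender MalwareCategory MalwareName ProcessCommandLine ProcessId RegistryKey
RegistryValueData Url
""".split())
# Resource id layout taken from the page's own RunPlaybook example.
PLAYBOOK_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Logic/workflows/(?P<name>[^/]+)$", re.IGNORECASE)


def lint_rule(logic, actions, allowed_tenants, allowed_subscriptions, now=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    tenants = {t.lower() for t in allowed_tenants}
    subs = {s.lower() for s in allowed_subscriptions}
    findings = []

    # This API version lists a single value for each trigger field.
    if logic.get("triggersOn") != "Incidents":
        findings.append(f"triggersOn: {logic.get('triggersOn')!r} is not listed")
    if logic.get("triggersWhen") != "Created":
        findings.append(f"triggersWhen: {logic.get('triggersWhen')!r} is not listed")

    conditions = logic.get("conditions") or []
    if logic.get("isEnabled") and not conditions:
        findings.append("conditions: enabled rule has no condition narrowing it")
    for i, cond in enumerate(conditions):
        props = cond.get("conditionProperties") or {}
        values = props.get("propertyValues") or []
        if props.get("operator") not in SUPPORTED_OPERATORS:
            findings.append(f"conditions[{i}]: operator {props.get('operator')!r} is not listed")
        if props.get("propertyName") not in SUPPORTED_PROPERTIES:
            findings.append(f"conditions[{i}]: propertyName {props.get('propertyName')!r} is not listed")
        if not values or any(not isinstance(v, str) or not v.strip() for v in values):
            findings.append(f"conditions[{i}]: propertyValues must be non-empty strings")

    expiry = logic.get("expirationTimeUtc")
    if expiry:
        try:
            when = datetime.fromisoformat(str(expiry).replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append("expirationTimeUtc: already in the past")
        except ValueError:
            findings.append("expirationTimeUtc: not an ISO 8601 timestamp")

    orders = [a.get("order") for a in actions]
    if len(orders) != len(set(orders)):
        findings.append("actions: duplicate order values make execution order ambiguous")
    for i, action in enumerate(actions):
        if action.get("actionType") != "RunPlaybook":
            continue
        cfg = action.get("actionConfiguration") or {}
        m = PLAYBOOK_ID.match(cfg.get("logicAppResourceId") or "")
        if not m:
            findings.append(f"actions[{i}]: logicAppResourceId is not a Logic App workflow id")
        elif m["sub"].lower() not in subs:
            findings.append(f"actions[{i}]: playbook subscription {m['sub']} is not allowlisted")
        if (cfg.get("tenantId") or "").lower() not in tenants:
            findings.append(f"actions[{i}]: playbook tenantId is not allowlisted")
    return findings


# Allowlists: assumed policy input. The two ids are the ones in the page's example.
TENANTS = {"ee48efaf-50c6-411b-9345-b2bdc3eb4abc"}
SUBS = {"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"}
PLAYBOOK = ("/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg"
            "/providers/Microsoft.Logic/workflows/IncidentPlaybook")

# Constructed sample rules (not taken from any real deployment).
GOOD_LOGIC = {"isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
              "expirationTimeUtc": "2030-01-01T00:00:00Z",
              "conditions": [{"conditionProperties": {
                  "operator": "Contains", "propertyName": "IncidentTitle",
                  "propertyValues": ["phishing"]}}]}
GOOD_ACTIONS = [{"actionType": "ModifyProperties", "order": 1,
                 "actionConfiguration": {"severity": "High"}},
                {"actionType": "RunPlaybook", "order": 2, "actionConfiguration": {
                    "logicAppResourceId": PLAYBOOK, "tenantId": next(iter(TENANTS))}}]
BAD_LOGIC = {"isEnabled": True, "triggersOn": "Alerts", "triggersWhen": "Created",
             "expirationTimeUtc": "2020-01-01T00:00:00Z",
             "conditions": [{"conditionProperties": {
                 "operator": "Matches", "propertyName": "IncidentTitel",
                 "propertyValues": [""]}}]}
BAD_ACTIONS = [{"actionType": "RunPlaybook", "order": 1, "actionConfiguration": {
                   "logicAppResourceId": PLAYBOOK.replace(next(iter(SUBS)), "0" * 8 + "-0000-0000-0000-" + "0" * 12),
                   "tenantId": "11111111-1111-1111-1111-111111111111"}},
               {"actionType": "ModifyProperties", "order": 1,
                "actionConfiguration": {"severity": "Low"}}]

if __name__ == "__main__":
    for finding in lint_rule(BAD_LOGIC, BAD_ACTIONS, TENANTS, SUBS):
        print(finding)
```

Because the input types on this page accept `string | enum`, a misspelled operator or property name can pass type checking in the Pulumi program; running a check like this in CI catches it before deployment.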

    AutomationRuleTriggeringLogicResponse, AutomationRuleTriggeringLogicResponseArgs

    Describes automation rule triggering logic
    IsEnabled bool
    Determines whether the automation rule is enabled or disabled.
    TriggersOn string
    The type of object the automation rule triggers on
    TriggersWhen string
    The type of event the automation rule triggers on
    Conditions List<Pulumi.AzureNative.SecurityInsights.Inputs.AutomationRulePropertyValuesConditionResponse>
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    ExpirationTimeUtc string
    Determines when the automation rule should automatically expire and be disabled.
    IsEnabled bool
    Determines whether the automation rule is enabled or disabled.
    TriggersOn string
    The type of object the automation rule triggers on
    TriggersWhen string
    The type of event the automation rule triggers on
    Conditions []AutomationRulePropertyValuesConditionResponse
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    ExpirationTimeUtc string
    Determines when the automation rule should automatically expire and be disabled.
    isEnabled Boolean
    Determines whether the automation rule is enabled or disabled.
    triggersOn String
    The type of object the automation rule triggers on
    triggersWhen String
    The type of event the automation rule triggers on
    conditions List<AutomationRulePropertyValuesConditionResponse>
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expirationTimeUtc String
    Determines when the automation rule should automatically expire and be disabled.
    isEnabled boolean
    Determines whether the automation rule is enabled or disabled.
    triggersOn string
    The type of object the automation rule triggers on
    triggersWhen string
    The type of event the automation rule triggers on
    conditions AutomationRulePropertyValuesConditionResponse[]
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expirationTimeUtc string
    Determines when the automation rule should automatically expire and be disabled.
    is_enabled bool
    Determines whether the automation rule is enabled or disabled.
    triggers_on str
    The type of object the automation rule triggers on
    triggers_when str
    The type of event the automation rule triggers on
    conditions Sequence[AutomationRulePropertyValuesConditionResponse]
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expiration_time_utc str
    Determines when the automation rule should automatically expire and be disabled.
    isEnabled Boolean
    Determines whether the automation rule is enabled or disabled.
    triggersOn String
    The type of object the automation rule triggers on
    triggersWhen String
    The type of event the automation rule triggers on
    conditions List<Property Map>
    The conditions to evaluate to determine if the automation rule should be triggered on a given object
    expirationTimeUtc String
    Determines when the automation rule should automatically expire and be disabled.

    ClientInfoResponse, ClientInfoResponseArgs

    Information on the client (user or application) that made some action
    Email string
    The email of the client.
    Name string
    The name of the client.
    ObjectId string
    The object id of the client.
    UserPrincipalName string
    The user principal name of the client.
    Email string
    The email of the client.
    Name string
    The name of the client.
    ObjectId string
    The object id of the client.
    UserPrincipalName string
    The user principal name of the client.
    email String
    The email of the client.
    name String
    The name of the client.
    objectId String
    The object id of the client.
    userPrincipalName String
    The user principal name of the client.
    email string
    The email of the client.
    name string
    The name of the client.
    objectId string
    The object id of the client.
    userPrincipalName string
    The user principal name of the client.
    email str
    The email of the client.
    name str
    The name of the client.
    object_id str
    The object id of the client.
    user_principal_name str
    The user principal name of the client.
    email String
    The email of the client.
    name String
    The name of the client.
    objectId String
    The object id of the client.
    userPrincipalName String
    The user principal name of the client.

    IncidentClassification, IncidentClassificationArgs

    Undetermined
    Undetermined Incident classification was undetermined
    TruePositive
    TruePositive Incident was true positive
    BenignPositive
    BenignPositive Incident was benign positive
    FalsePositive
    FalsePositive Incident was false positive
    IncidentClassificationUndetermined
    Undetermined Incident classification was undetermined
    IncidentClassificationTruePositive
    TruePositive Incident was true positive
    IncidentClassificationBenignPositive
    BenignPositive Incident was benign positive
    IncidentClassificationFalsePositive
    FalsePositive Incident was false positive
    Undetermined
    Undetermined Incident classification was undetermined
    TruePositive
    TruePositive Incident was true positive
    BenignPositive
    BenignPositive Incident was benign positive
    FalsePositive
    FalsePositive Incident was false positive
    Undetermined
    Undetermined Incident classification was undetermined
    TruePositive
    TruePositive Incident was true positive
    BenignPositive
    BenignPositive Incident was benign positive
    FalsePositive
    FalsePositive Incident was false positive
    UNDETERMINED
    Undetermined Incident classification was undetermined
    TRUE_POSITIVE
    TruePositive Incident was true positive
    BENIGN_POSITIVE
    BenignPositive Incident was benign positive
    FALSE_POSITIVE
    FalsePositive Incident was false positive
    "Undetermined"
    Undetermined Incident classification was undetermined
    "TruePositive"
    TruePositive Incident was true positive
    "BenignPositive"
    BenignPositive Incident was benign positive
    "FalsePositive"
    FalsePositive Incident was false positive

    IncidentClassificationReason, IncidentClassificationReasonArgs

    SuspiciousActivity
    SuspiciousActivity Classification reason was suspicious activity
    SuspiciousButExpected
    SuspiciousButExpected Classification reason was suspicious but expected
    IncorrectAlertLogic
    IncorrectAlertLogic Classification reason was incorrect alert logic
    InaccurateData
    InaccurateData Classification reason was inaccurate data
    IncidentClassificationReasonSuspiciousActivity
    SuspiciousActivity Classification reason was suspicious activity
    IncidentClassificationReasonSuspiciousButExpected
    SuspiciousButExpected Classification reason was suspicious but expected
    IncidentClassificationReasonIncorrectAlertLogic
    IncorrectAlertLogic Classification reason was incorrect alert logic
    IncidentClassificationReasonInaccurateData
    InaccurateData Classification reason was inaccurate data
    SuspiciousActivity
    SuspiciousActivity Classification reason was suspicious activity
    SuspiciousButExpected
    SuspiciousButExpected Classification reason was suspicious but expected
    IncorrectAlertLogic
    IncorrectAlertLogic Classification reason was incorrect alert logic
    InaccurateData
    InaccurateData Classification reason was inaccurate data
    SuspiciousActivity
    SuspiciousActivity Classification reason was suspicious activity
    SuspiciousButExpected
    SuspiciousButExpected Classification reason was suspicious but expected
    IncorrectAlertLogic
    IncorrectAlertLogic Classification reason was incorrect alert logic
    InaccurateData
    InaccurateData Classification reason was inaccurate data
    SUSPICIOUS_ACTIVITY
    SuspiciousActivity Classification reason was suspicious activity
    SUSPICIOUS_BUT_EXPECTED
    SuspiciousButExpected Classification reason was suspicious but expected
    INCORRECT_ALERT_LOGIC
    IncorrectAlertLogic Classification reason was incorrect alert logic
    INACCURATE_DATA
    InaccurateData Classification reason was inaccurate data
    "SuspiciousActivity"
    SuspiciousActivity Classification reason was suspicious activity
    "SuspiciousButExpected"
    SuspiciousButExpected Classification reason was suspicious but expected
    "IncorrectAlertLogic"
    IncorrectAlertLogic Classification reason was incorrect alert logic
    "InaccurateData"
    InaccurateData Classification reason was inaccurate data

    IncidentLabel, IncidentLabelArgs

    Represents an incident label
    LabelName string
    The name of the label
    LabelName string
    The name of the label
    labelName String
    The name of the label
    labelName string
    The name of the label
    label_name str
    The name of the label
    labelName String
    The name of the label

    IncidentLabelResponse, IncidentLabelResponseArgs

    Represents an incident label
    LabelName string
    The name of the label
    LabelType string
    The type of the label
    LabelName string
    The name of the label
    LabelType string
    The type of the label
    labelName String
    The name of the label
    labelType String
    The type of the label
    labelName string
    The name of the label
    labelType string
    The type of the label
    label_name str
    The name of the label
    label_type str
    The type of the label
    labelName String
    The name of the label
    labelType String
    The type of the label

    IncidentOwnerInfo, IncidentOwnerInfoArgs

    Information on the user an incident is assigned to
    AssignedTo string
    The name of the user the incident is assigned to.
    Email string
    The email of the user the incident is assigned to.
    ObjectId string
    The object id of the user the incident is assigned to.
    UserPrincipalName string
    The user principal name of the user the incident is assigned to.
    AssignedTo string
    The name of the user the incident is assigned to.
    Email string
    The email of the user the incident is assigned to.
    ObjectId string
    The object id of the user the incident is assigned to.
    UserPrincipalName string
    The user principal name of the user the incident is assigned to.
    assignedTo String
    The name of the user the incident is assigned to.
    email String
    The email of the user the incident is assigned to.
    objectId String
    The object id of the user the incident is assigned to.
    userPrincipalName String
    The user principal name of the user the incident is assigned to.
    assignedTo string
    The name of the user the incident is assigned to.
    email string
    The email of the user the incident is assigned to.
    objectId string
    The object id of the user the incident is assigned to.
    userPrincipalName string
    The user principal name of the user the incident is assigned to.
    assigned_to str
    The name of the user the incident is assigned to.
    email str
    The email of the user the incident is assigned to.
    object_id str
    The object id of the user the incident is assigned to.
    user_principal_name str
    The user principal name of the user the incident is assigned to.
    assignedTo String
    The name of the user the incident is assigned to.
    email String
    The email of the user the incident is assigned to.
    objectId String
    The object id of the user the incident is assigned to.
    userPrincipalName String
    The user principal name of the user the incident is assigned to.

    IncidentOwnerInfoResponse, IncidentOwnerInfoResponseArgs

    Information on the user an incident is assigned to
    AssignedTo string
    The name of the user the incident is assigned to.
    Email string
    The email of the user the incident is assigned to.
    ObjectId string
    The object id of the user the incident is assigned to.
    UserPrincipalName string
    The user principal name of the user the incident is assigned to.
    AssignedTo string
    The name of the user the incident is assigned to.
    Email string
    The email of the user the incident is assigned to.
    ObjectId string
    The object id of the user the incident is assigned to.
    UserPrincipalName string
    The user principal name of the user the incident is assigned to.
    assignedTo String
    The name of the user the incident is assigned to.
    email String
    The email of the user the incident is assigned to.
    objectId String
    The object id of the user the incident is assigned to.
    userPrincipalName String
    The user principal name of the user the incident is assigned to.
    assignedTo string
    The name of the user the incident is assigned to.
    email string
    The email of the user the incident is assigned to.
    objectId string
    The object id of the user the incident is assigned to.
    userPrincipalName string
    The user principal name of the user the incident is assigned to.
    assigned_to str
    The name of the user the incident is assigned to.
    email str
    The email of the user the incident is assigned to.
    object_id str
    The object id of the user the incident is assigned to.
    user_principal_name str
    The user principal name of the user the incident is assigned to.
    assignedTo String
    The name of the user the incident is assigned to.
    email String
    The email of the user the incident is assigned to.
    objectId String
    The object id of the user the incident is assigned to.
    userPrincipalName String
    The user principal name of the user the incident is assigned to.

    IncidentSeverity, IncidentSeverityArgs

    High
    High High severity
    Medium
    Medium Medium severity
    Low
    Low Low severity
    Informational
    Informational Informational severity
    IncidentSeverityHigh
    High High severity
    IncidentSeverityMedium
    Medium Medium severity
    IncidentSeverityLow
    Low Low severity
    IncidentSeverityInformational
    Informational Informational severity
    High
    High High severity
    Medium
    Medium Medium severity
    Low
    Low Low severity
    Informational
    Informational Informational severity
    High
    High High severity
    Medium
    Medium Medium severity
    Low
    Low Low severity
    Informational
    Informational Informational severity
    HIGH
    High High severity
    MEDIUM
    Medium Medium severity
    LOW
    Low Low severity
    INFORMATIONAL
    Informational Informational severity
    "High"
    High High severity
    "Medium"
    Medium Medium severity
    "Low"
    Low Low severity
    "Informational"
    Informational Informational severity

    IncidentStatus, IncidentStatusArgs

    New
    New An active incident which isn't being handled currently
    Active
    Active An active incident which is being handled
    Closed
    Closed A non-active incident
    IncidentStatusNew
    New An active incident which isn't being handled currently
    IncidentStatusActive
    Active An active incident which is being handled
    IncidentStatusClosed
    Closed A non-active incident
    New
    New An active incident which isn't being handled currently
    Active
    Active An active incident which is being handled
    Closed
    Closed A non-active incident
    New
    New An active incident which isn't being handled currently
    Active
    Active An active incident which is being handled
    Closed
    Closed A non-active incident
    NEW
    New An active incident which isn't being handled currently
    ACTIVE
    Active An active incident which is being handled
    CLOSED
    Closed A non-active incident
    "New"
    New An active incident which isn't being handled currently
    "Active"
    Active An active incident which is being handled
    "Closed"
    Closed A non-active incident

    TriggersOn, TriggersOnArgs

    Incidents
    Incidents Trigger on Incidents
    TriggersOnIncidents
    Incidents Trigger on Incidents
    Incidents
    Incidents Trigger on Incidents
    Incidents
    Incidents Trigger on Incidents
    INCIDENTS
    Incidents Trigger on Incidents
    "Incidents"
    Incidents Trigger on Incidents

    TriggersWhen, TriggersWhenArgs

    Created
    Created Trigger on created objects
    TriggersWhenCreated
    Created Trigger on created objects
    Created
    Created Trigger on created objects
    Created
    Created Trigger on created objects
    CREATED
    Created Trigger on created objects
    "Created"
    Created Trigger on created objects

    Import

    An existing resource can be imported using its type token, name, and identifier, e.g.

    $ pulumi import azure-native:securityinsights:AutomationRule 73e01a99-5cd7-4139-a149-9f2736ff2ab5 /subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5 
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Native pulumi/pulumi-azure-native
    License
    Apache-2.0