Automation Rules - Get
Gets the automation rule.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}?api-version=2025-09-01
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| automationRuleId | path | True | string | Automation rule ID |
| resourceGroupName | path | True | string minLength: 1 maxLength: 90 | The name of the resource group. The name is case insensitive. |
| subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
| workspaceName | path | True | string minLength: 1 maxLength: 90 pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$ | The name of the workspace. |
| api-version | query | True | string minLength: 1 | The API version to use for this operation. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | Ok |
| Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
AutomationRules_Get
Sample request
```http
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2025-09-01
```
Sample response
```json
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "type": "Microsoft.SecurityInsights/automationRules",
  "properties": {
    "displayName": "Suspicious user sign-in events",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds",
            "operator": "Contains",
            "propertyValues": [
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
              "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
            ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "AddIncidentTask",
        "actionConfiguration": {
          "title": "Reset user passwords",
          "description": "Reset passwords for compromised users."
        }
      }
    ],
    "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
    "createdTimeUtc": "2019-01-01T13:00:00Z",
    "lastModifiedBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    },
    "createdBy": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "name": "john doe",
      "userPrincipalName": "john@contoso.com"
    }
  }
}
```
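An added example (not part of the original reference, and not Microsoft's code): a Python review helper that walks a rule returned by this operation and flags settings an analyst would want to look at, such as actions that close incidents or playbooks outside the rule's subscription or tenant. It assumes `ModifyProperties` actions carry `IncidentPropertiesAction` fields and `RunPlaybook` actions carry `PlaybookActionProperties` fields in `actionConfiguration`; `audit_rule`, the finding codes and the constructed sample values are hypothetical.

```python
import json

# Constructed rule: same envelope as the page's sample response, with a
# ModifyProperties and a RunPlaybook action added for illustration.
SAMPLE_RULE = json.loads("""
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "properties": {
    "triggeringLogic": {
      "isEnabled": true, "triggersOn": "Incidents", "triggersWhen": "Created",
      "conditions": [{"conditionType": "Boolean", "conditionProperties": {
        "operator": "Or", "innerConditions": [{"conditionType": "Property",
          "conditionProperties": {"propertyName": "IncidentTitle",
            "operator": "Contains", "propertyValues": ["sign-in"]}}]}}]
    },
    "actions": [
      {"order": 2, "actionType": "RunPlaybook", "actionConfiguration": {
        "logicAppResourceId": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/otherRg/providers/Microsoft.Logic/workflows/examplePlaybook",
        "tenantId": "00000000-0000-0000-0000-0000000000aa"}},
      {"order": 1, "actionType": "ModifyProperties", "actionConfiguration": {
        "status": "Closed", "classification": "BenignPositive"}}
    ],
    "createdBy": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"},
    "lastModifiedBy": {"objectId": "00000000-0000-0000-0000-0000000000bb"}
  }
}
""")

def subscription_of(arm_id):
    """Return the lower-cased subscription GUID of an ARM resource id."""
    parts = (arm_id or "").strip("/").split("/")
    ok = len(parts) > 1 and parts[0].lower() == "subscriptions"
    return parts[1].lower() if ok else None

def leaf_conditions(conditions):
    """Yield non-Boolean conditions, descending through innerConditions."""
    for cond in conditions or []:
        props = cond.get("conditionProperties") or {}
        if cond.get("conditionType") == "Boolean":
            yield from leaf_conditions(props.get("innerConditions"))
        else:
            yield cond

def audit_rule(rule, expected_tenant_id):
    """Return review findings (short codes) for one automation rule."""
    props = rule.get("properties") or {}
    logic = props.get("triggeringLogic") or {}
    findings = []
    if not logic.get("isEnabled"):
        findings.append("disabled")
    if not list(leaf_conditions(logic.get("conditions"))):
        findings.append("unconditional")  # fires on every triggering object
    creator = (props.get("createdBy") or {}).get("objectId")
    editor = (props.get("lastModifiedBy") or {}).get("objectId")
    if creator and editor and creator != editor:
        findings.append("modified-by-other-identity")
    for action in sorted(props.get("actions") or [], key=lambda a: a.get("order", 0)):
        cfg = action.get("actionConfiguration") or {}
        kind = action.get("actionType")
        # Assumption: cfg holds IncidentPropertiesAction / PlaybookActionProperties.
        if kind == "ModifyProperties" and cfg.get("status") == "Closed":
            findings.append("auto-close:" + cfg.get("classification", "unset"))
        elif kind == "RunPlaybook":
            if subscription_of(cfg.get("logicAppResourceId")) != subscription_of(rule.get("id")):
                findings.append("playbook-other-subscription")
            if (cfg.get("tenantId") or "").lower() != expected_tenant_id.lower():
                findings.append("playbook-other-tenant")
    return findings
```

Pass the parsed JSON body of the GET response as `rule` and your own tenant ID as `expected_tenant_id`; an empty list means none of these checks fired.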
Definitions
| Name | Description |
|---|---|
| ActionType | The type of the automation rule action. |
| AddIncidentTaskActionProperties | Describes an automation rule action to add a task to an incident. |
| AutomationRule | |
| AutomationRuleAddIncidentTaskAction | Describes an automation rule action to add a task to an incident |
| AutomationRuleBooleanCondition | Describes an automation rule condition with boolean operators. |
| AutomationRuleBooleanConditionSupportedOperator | Describes a boolean condition operator. |
| AutomationRuleModifyPropertiesAction | Describes an automation rule action to modify an object's properties |
| AutomationRulePropertyArrayChangedConditionSupportedArrayType | |
| AutomationRulePropertyArrayChangedConditionSupportedChangeType | |
| AutomationRulePropertyArrayChangedValuesCondition | |
| AutomationRulePropertyArrayConditionSupportedArrayConditionType | Describes an array condition evaluation type. |
| AutomationRulePropertyArrayConditionSupportedArrayType | Describes an array condition evaluated array type. |
| AutomationRulePropertyArrayValuesCondition | Describes an automation rule condition on array properties. |
| AutomationRulePropertyChangedConditionSupportedChangedType | |
| AutomationRulePropertyChangedConditionSupportedPropertyType | |
| AutomationRulePropertyConditionSupportedOperator | |
| AutomationRulePropertyConditionSupportedProperty | The property to evaluate in an automation rule property condition. |
| AutomationRulePropertyValuesChangedCondition | |
| AutomationRulePropertyValuesCondition | |
| AutomationRuleRunPlaybookAction | Describes an automation rule action to run a playbook |
| AutomationRuleTriggeringLogic | Describes automation rule triggering logic. |
| BooleanConditionProperties | Describes an automation rule condition that applies a boolean operator (e.g. AND, OR) to conditions |
| ClientInfo | Information on the client (user or application) that made some action |
| CloudError | Error response structure. |
| CloudErrorBody | Error details. |
| ConditionType | |
| createdByType | The type of identity that created the resource. |
| IncidentClassification | The reason the incident was closed |
| IncidentClassificationReason | The classification reason the incident was closed with |
| IncidentLabel | Represents an incident label |
| IncidentLabelType | The type of the label |
| IncidentOwnerInfo | Information on the user an incident is assigned to |
| IncidentPropertiesAction | |
| IncidentSeverity | The severity of the incident |
| IncidentStatus | The status of the incident |
| OwnerType | The type of the owner the incident is assigned to. |
| PlaybookActionProperties | |
| PropertyArrayChangedConditionProperties | Describes an automation rule condition that evaluates an array property's value change |
| PropertyArrayConditionProperties | Describes an automation rule condition that evaluates an array property's value |
| PropertyChangedConditionProperties | Describes an automation rule condition that evaluates a property's value change |
| PropertyConditionProperties | Describes an automation rule condition that evaluates a property's value |
| systemData | Metadata pertaining to creation and last modification of the resource. |
| triggersOn | |
| triggersWhen | |
ActionType
The type of the automation rule action.
| Value | Description |
|---|---|
| ModifyProperties | Modify an object's properties |
| RunPlaybook | Run a playbook on an object |
| AddIncidentTask | Add a task to an incident object |
AddIncidentTaskActionProperties
Describes an automation rule action to add a task to an incident.
| Name | Type | Description |
|---|---|---|
| description | string | The description of the task. |
| title | string | The title of the task. |
AutomationRule
| Name | Type | Description |
|---|---|---|
| etag | string | Etag of the azure resource |
| id | string (arm-id) | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| name | string | The name of the resource |
| properties.actions | AutomationRuleAction[] | The actions to execute when the automation rule is triggered. |
| properties.createdBy | | Information on the client (user or application) that made some action |
| properties.createdTimeUtc | string (date-time) | The time the automation rule was created. |
| properties.displayName | string maxLength: 500 | The display name of the automation rule. |
| properties.lastModifiedBy | | Information on the client (user or application) that made some action |
| properties.lastModifiedTimeUtc | string (date-time) | The last time the automation rule was updated. |
| properties.order | integer (int32) minimum: 1 maximum: 1000 | The order of execution of the automation rule. |
| properties.triggeringLogic | | Describes automation rule triggering logic. |
| systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
| type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AutomationRuleAddIncidentTaskAction
Describes an automation rule action to add a task to an incident
| Name | Type | Description |
|---|---|---|
| actionConfiguration | | Describes an automation rule action to add a task to an incident. |
| actionType | string: AddIncidentTask | The type of the automation rule action. |
| order | integer (int32) | |
AutomationRuleBooleanCondition
Describes an automation rule condition with boolean operators.
| Name | Type | Description |
|---|---|---|
| innerConditions | AutomationRuleCondition[] | Describes an automation rule condition. |
| operator | | Describes a boolean condition operator. |
AutomationRuleBooleanConditionSupportedOperator
Describes a boolean condition operator.
| Value | Description |
|---|---|
| And | Evaluates as true if all the item conditions are evaluated as true |
| Or | Evaluates as true if at least one of the item conditions is evaluated as true |
AutomationRuleModifyPropertiesAction
Describes an automation rule action to modify an object's properties
| Name | Type | Description |
|---|---|---|
| actionConfiguration | | |
| actionType | string: ModifyProperties | The type of the automation rule action. |
| order | integer (int32) | |
AutomationRulePropertyArrayChangedConditionSupportedArrayType
| Value | Description |
|---|---|
| Alerts | Evaluate the condition on the alerts |
| Labels | Evaluate the condition on the labels |
| Tactics | Evaluate the condition on the tactics |
| Comments | Evaluate the condition on the comments |

AutomationRulePropertyArrayChangedConditionSupportedChangeType
| Value | Description |
|---|---|
| Added | Evaluate the condition on items added to the array |

AutomationRulePropertyArrayChangedValuesCondition
| Name | Type | Description |
|---|---|---|
| arrayType | AutomationRulePropertyArrayChangedConditionSupportedArrayType | |
| changeType | AutomationRulePropertyArrayChangedConditionSupportedChangeType | |
AutomationRulePropertyArrayConditionSupportedArrayConditionType
Describes an array condition evaluation type.
| Value | Description |
|---|---|
| AnyItem | Evaluate the condition as true if any item fulfills it |
| AllItems | Evaluate the condition as true if all the items fulfill it |
AutomationRulePropertyArrayConditionSupportedArrayType
Describes an array condition evaluated array type.
| Value | Description |
|---|---|
| CustomDetails | Evaluate the condition on the custom detail keys |
| CustomDetailValues | Evaluate the condition on a custom detail's values |
AutomationRulePropertyArrayValuesCondition
Describes an automation rule condition on array properties.
| Name | Type | Description |
|---|---|---|
| arrayConditionType | AutomationRulePropertyArrayConditionSupportedArrayConditionType | Describes an array condition evaluation type. |
| arrayType | | Describes an array condition evaluated array type. |
| itemConditions | AutomationRuleCondition[] | Describes an automation rule condition. |
AutomationRulePropertyChangedConditionSupportedChangedType
| Value | Description |
|---|---|
| ChangedFrom | Evaluate the condition on the previous value of the property |
| ChangedTo | Evaluate the condition on the updated value of the property |

AutomationRulePropertyChangedConditionSupportedPropertyType
| Value | Description |
|---|---|
| IncidentSeverity | Evaluate the condition on the incident severity |
| IncidentStatus | Evaluate the condition on the incident status |
| IncidentOwner | Evaluate the condition on the incident owner |

AutomationRulePropertyConditionSupportedOperator
| Value | Description |
|---|---|
| Equals | Evaluates if the property equals at least one of the condition values |
| NotEquals | Evaluates if the property does not equal any of the condition values |
| Contains | Evaluates if the property contains at least one of the condition values |
| NotContains | Evaluates if the property does not contain any of the condition values |
| StartsWith | Evaluates if the property starts with any of the condition values |
| NotStartsWith | Evaluates if the property does not start with any of the condition values |
| EndsWith | Evaluates if the property ends with any of the condition values |
| NotEndsWith | Evaluates if the property does not end with any of the condition values |
AutomationRulePropertyConditionSupportedProperty
The property to evaluate in an automation rule property condition.
| Value | Description |
|---|---|
| IncidentTitle | The title of the incident |
| IncidentDescription | The description of the incident |
| IncidentSeverity | The severity of the incident |
| IncidentStatus | The status of the incident |
| IncidentRelatedAnalyticRuleIds | The related Analytic rule ids of the incident |
| IncidentTactics | The tactics of the incident |
| IncidentLabel | The labels of the incident |
| IncidentProviderName | The provider name of the incident |
| IncidentUpdatedBySource | The update source of the incident |
| IncidentCustomDetailsKey | The incident custom detail key |
| IncidentCustomDetailsValue | The incident custom detail value |
| AccountAadTenantId | The account Azure Active Directory tenant id |
| AccountAadUserId | The account Azure Active Directory user id |
| AccountName | The account name |
| AccountNTDomain | The account NetBIOS domain name |
| AccountPUID | The account Azure Active Directory Passport User ID |
| AccountSid | The account security identifier |
| AccountObjectGuid | The account unique identifier |
| AccountUPNSuffix | The account user principal name suffix |
| AlertProductNames | The name of the product of the alert |
| AlertAnalyticRuleIds | The analytic rule ids of the alert |
| AzureResourceResourceId | The Azure resource id |
| AzureResourceSubscriptionId | The Azure resource subscription id |
| CloudApplicationAppId | The cloud application identifier |
| CloudApplicationAppName | The cloud application name |
| DNSDomainName | The dns record domain name |
| FileDirectory | The file directory full path |
| FileName | The file name without path |
| FileHashValue | The file hash value |
| HostAzureID | The host Azure resource id |
| HostName | The host name without domain |
| HostNetBiosName | The host NetBIOS name |
| HostNTDomain | The host NT domain |
| HostOSVersion | The host operating system |
| IoTDeviceId | The IoT device id |
| IoTDeviceName | The IoT device name |
| IoTDeviceType | The IoT device type |
| IoTDeviceVendor | The IoT device vendor |
| IoTDeviceModel | The IoT device model |
| IoTDeviceOperatingSystem | The IoT device operating system |
| IPAddress | The IP address |
| MailboxDisplayName | The mailbox display name |
| MailboxPrimaryAddress | The mailbox primary address |
| MailboxUPN | The mailbox user principal name |
| MailMessageDeliveryAction | The mail message delivery action |
| MailMessageDeliveryLocation | The mail message delivery location |
| MailMessageRecipient | The mail message recipient |
| MailMessageSenderIP | The mail message sender IP address |
| MailMessageSubject | The mail message subject |
| MailMessageP1Sender | The mail message P1 sender |
| MailMessageP2Sender | The mail message P2 sender |
| MalwareCategory | The malware category |
| MalwareName | The malware name |
| ProcessCommandLine | The process execution command line |
| ProcessId | The process id |
| RegistryKey | The registry key path |
| RegistryValueData | The registry key value in string formatted representation |
| Url | The url |
AutomationRulePropertyValuesChangedCondition
| Name | Type | Description |
|---|---|---|
| changeType | | |
| operator | | |
| propertyName | | |
| propertyValues | string[] | |

AutomationRulePropertyValuesCondition
| Name | Type | Description |
|---|---|---|
| operator | | |
| propertyName | | The property to evaluate in an automation rule property condition. |
| propertyValues | string[] | |
AutomationRuleRunPlaybookAction
Describes an automation rule action to run a playbook
| Name | Type | Description |
|---|---|---|
| actionConfiguration | | |
| actionType | string: RunPlaybook | The type of the automation rule action. |
| order | integer (int32) | |
AutomationRuleTriggeringLogic
Describes automation rule triggering logic.
| Name | Type | Description |
|---|---|---|
| conditions | AutomationRuleCondition[] | The conditions to evaluate to determine if the automation rule should be triggered on a given object. |
| expirationTimeUtc | string (date-time) | Determines when the automation rule should automatically expire and be disabled. |
| isEnabled | boolean | Determines whether the automation rule is enabled or disabled. |
| triggersOn | | |
| triggersWhen | | |
BooleanConditionProperties
Describes an automation rule condition that applies a boolean operator (e.g. AND, OR) to conditions
| Name | Type | Description |
|---|---|---|
| conditionProperties | | Describes an automation rule condition with boolean operators. |
| conditionType | string: Boolean | |
ClientInfo
Information on the client (user or application) that made some action
| Name | Type | Description |
|---|---|---|
| email | string | The email of the client. |
| name | string | The name of the client. |
| objectId | string (uuid) | The object id of the client. |
| userPrincipalName | string | The user principal name of the client. |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error | | Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message | string | A message describing the error, intended to be suitable for display in a user interface. |
ConditionType
| Value | Description |
|---|---|
| Property | Evaluate an object property value |
| PropertyArray | Evaluate an object array property value |
| PropertyChanged | Evaluate an object property changed value |
| PropertyArrayChanged | Evaluate an object array property changed value |
| Boolean | Apply a boolean operator (e.g. AND, OR) to conditions |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key | |
IncidentClassification
The reason the incident was closed
| Value | Description |
|---|---|
| Undetermined | Incident classification was undetermined |
| TruePositive | Incident was true positive |
| BenignPositive | Incident was benign positive |
| FalsePositive | Incident was false positive |
IncidentClassificationReason
The classification reason the incident was closed with
| Value | Description |
|---|---|
| SuspiciousActivity | Classification reason was suspicious activity |
| SuspiciousButExpected | Classification reason was suspicious but expected |
| IncorrectAlertLogic | Classification reason was incorrect alert logic |
| InaccurateData | Classification reason was inaccurate data |
IncidentLabel
Represents an incident label
| Name | Type | Description |
|---|---|---|
| labelName | string | The name of the label |
| labelType | | The type of the label |
IncidentLabelType
The type of the label
| Value | Description |
|---|---|
| User | Label manually created by a user |
| AutoAssigned | Label automatically created by the system |
IncidentOwnerInfo
Information on the user an incident is assigned to
| Name | Type | Description |
|---|---|---|
| assignedTo | string | The name of the user the incident is assigned to. |
| email | string | The email of the user the incident is assigned to. |
| objectId | string (uuid) | The object id of the user the incident is assigned to. |
| ownerType | | The type of the owner the incident is assigned to. |
| userPrincipalName | string | The user principal name of the user the incident is assigned to. |
IncidentPropertiesAction
| Name | Type | Description |
|---|---|---|
| classification | | The reason the incident was closed |
| classificationComment | string | Describes the reason the incident was closed. |
| classificationReason | | The classification reason the incident was closed with |
| labels | | List of labels to add to the incident. |
| owner | | Information on the user an incident is assigned to |
| severity | | The severity of the incident |
| status | | The status of the incident |
IncidentSeverity
The severity of the incident
| Value | Description |
|---|---|
| High | High severity |
| Medium | Medium severity |
| Low | Low severity |
| Informational | Informational severity |
IncidentStatus
The status of the incident
| Value | Description |
|---|---|
| New | An active incident which isn't being handled currently |
| Active | An active incident which is being handled |
| Closed | A non-active incident |
OwnerType
The type of the owner the incident is assigned to.
| Value | Description |
|---|---|
| Unknown | The incident owner type is unknown |
| User | The incident owner type is an AAD user |
| Group | The incident owner type is an AAD group |
PlaybookActionProperties
| Name | Type | Description |
|---|---|---|
| logicAppResourceId | string (arm-id) | The resource id of the playbook resource. |
| tenantId | string (uuid) | The tenant id of the playbook resource. |
PropertyArrayChangedConditionProperties
Describes an automation rule condition that evaluates an array property's value change
| Name | Type | Description |
|---|---|---|
| conditionProperties | | |
| conditionType | string: PropertyArrayChanged | |

PropertyArrayConditionProperties
Describes an automation rule condition that evaluates an array property's value
| Name | Type | Description |
|---|---|---|
| conditionProperties | | Describes an automation rule condition on array properties. |
| conditionType | string: PropertyArray | |

PropertyChangedConditionProperties
Describes an automation rule condition that evaluates a property's value change
| Name | Type | Description |
|---|---|---|
| conditionProperties | | |
| conditionType | string: PropertyChanged | |

PropertyConditionProperties
Describes an automation rule condition that evaluates a property's value
| Name | Type | Description |
|---|---|---|
| conditionProperties | | |
| conditionType | string: Property | |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt | string (date-time) | The timestamp of resource creation (UTC). |
| createdBy | string | The identity that created the resource. |
| createdByType | | The type of identity that created the resource. |
| lastModifiedAt | string (date-time) | The timestamp of resource last modification (UTC) |
| lastModifiedBy | string | The identity that last modified the resource. |
| lastModifiedByType | | The type of identity that last modified the resource. |
triggersOn
| Value | Description |
|---|---|
| Incidents | Trigger on Incidents |
| Alerts | Trigger on Alerts |

triggersWhen
| Value | Description |
|---|---|
| Created | Trigger on created objects |
| Updated | Trigger on updated objects |