Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1155619%22%20slang%3D%22en-US%22%3EUsing%20Azure%20Security%20Center%20API%20for%20Workflow%20Automation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1155619%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWorkflow%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%26nbsp%3BAutomation%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eis%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Enew%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Security%20Center%20feature%20(preview)%20that%20can%20trigger%20Logic%20Apps%20on%20security%20alerts%20and%20recommendations.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EI%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3En%20this%20blog%20post%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bwe%20will%20demonstrate%20how%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bwe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bcan%20use%20API%20to%20build%20and%20answer%20more%20unique%20triggering%20scenario%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3EScenario%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EContoso%20organization%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bleverage%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3BAzure%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ES%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eecurity%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EC%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eenter%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Ein%20a%20large%20scale.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EOne%20of%20the%20security%20department%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Buse%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3BAzure%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ES%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eecurity%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EC%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eenter%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eto%20manage%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EProtection%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Especifically%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eresponsible%20for%20Defender%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eantimalware%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Balerts%20and%20findings.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EThis%20department%20wants%20to%20receive%20email%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%99s%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eonly%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eon%20alerts%20that%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eare%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brelated%20to%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ED%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eefender%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eantimalware%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EBefore%20implementing%20this%20scenario%20via%20API%2C%20let%E2%80%99s%20review%20the%20experience%20in%20the%20Azure%20Security%20Center%20dashboard.%20Follow%20the%20steps%20below%20to%20get%20started%3A%26nbsp%3B%26nbsp%3B%3C%2FU%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOpen%20Azure%20Security%20Center%2C%20and%20on%20the%20left%20navigation%20pane%2C%20click%20on%20Workflow%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bautomation%20(Preview)%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOn%20the%20Workflow%20automation%20blade%2C%20click%20the%20%2B%20Add%20workflow%20automation%20button.%20The%20blade%20below%20appears%3A%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22add_new1.GIF%22%20style%3D%22width%3A%20608px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F169406iE2E5B869032A882A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22add_new1.GIF%22%20alt%3D%22add_new1.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW42701898%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW42701898%20BCX0%22%3E3.%20Under%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW42701898%20BCX0%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW42701898%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW42701898%20BCX0%22%3ETriggers%20conditions%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW42701898%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW42701898%20BCX0%22%3E%2C%20you%20can%20see%20that%20the%20automation%20can%20be%20triggered%20by%20alerts%20or%20recommendations.%20Under%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW42701898%20BCX0%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW42701898%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW42701898%20BCX0%22%3EAlert%20severity%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW42701898%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW42701898%20BCX0%22%3E%2C%20you%20can%20also%20select%20the%20severity%20level%20that%20you%20want%20to%20target.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW42701898%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22select_thread.GIF%22%20style%3D%22width%3A%20789px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F169401i77364E30DBF23355%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22select_thread.GIF%22%20alt%3D%22select_thread.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20you%20could%20see%2C%20the%20options%20available%20via%20Azure%20Security%20Center%20dashboard%20are%20very%20straight%20forward.%20Now%20let%E2%80%99s%20see%20how%20to%20create%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ea%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bworkflow%20automation%20via%20API.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3EWorkflow%20Automation%20via%20API%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWorkflow%20Automation%20feature%20is%20currently%20in%20public%20preview%20stages%2C%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eit%20will%20be%20become%20GA%20in%20the%20coming%20months%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20and%20part%20of%20it%20we'll%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Brelease%20a%20full%20API%20interface%20that%20will%20include%20PowerShell%2C%20Azure%20CLI.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ementioned%20earlier%2C%20for%20this%20scenario%20we%20need%20to%20build%20a%20workflow%20automation%20that%20will%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etrigger%20only%20when%20Antimalware%20detection%20arrives%20in%20ASC%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20To%20accomplish%20this%20task%20via%20API%2C%20we%20will%20leverage%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fsecuritycenter%2Fautomations%2Fcreateorupdate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eworkflow%20automation%20API%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20advantage%20of%20using%20this%20API%20is%20that%20we%20have%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emore%20granular%20filtering%20options.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20filtering%20options%20that%20will%20be%20used%20for%20this%20scenario%20are%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFilter%20on%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EASC%20alert%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%20only%3C%2FSPAN%3E%26nbsp%3B%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFilter%20on%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EA%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ElertVendor%26nbsp%3B%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20Antimalware%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlthough%20we%20will%20leverage%20only%20those%20two%20filtering%20options%2C%20there%20are%20much%20more%20available%2C%20as%20shown%20in%20the%20list%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebelow%20(list%20reference%20can%20be%20found%20in%20our%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FPowershell%2520scripts%2FWorkflow%2520automation%2520and%2520export%2520data%2520types%2520schemas%23security-alerts-objects-schema%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EGitHub%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FPowershell%2520scripts%2FWorkflow%2520automation%2520and%2520export%2520data%2520types%2520schemas%23security-alerts-objects-schema%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%26nbsp%3BRepo%3C%2FA%3E)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3E-%20%3CSTRONG%3EAlertName%3C%2FSTRONG%3E%20-%20Alert%20display%20name%0A-%20%3CSTRONG%3ESeverity%3C%2FSTRONG%3E%20-%20The%20alert%20severity%20(High%2FMedium%2FLow%2FInformational)%0A-%20%3CSTRONG%3EAlertType%3C%2FSTRONG%3E%20-%20unique%20alert%20identifier%0A-%20%3CSTRONG%3EConfidenceLevel%3C%2FSTRONG%3E%20-%20(Optional)%20The%20confidence%20level%20of%20this%20alert%20(High%2FLow)%0A-%20%3CSTRONG%3EConfidenceScore%3C%2FSTRONG%3E%20-%20(Optional)%20Numeric%20confidence%20indicator%20of%20the%20security%20alert%0A-%20%3CSTRONG%3EDescription%3C%2FSTRONG%3E%20-%20Description%20text%20for%20the%20alert%0A-%20%3CSTRONG%3EDisplayName%3C%2FSTRONG%3E%20-%20The%20alert's%20display%20name%0A-%20%3CSTRONG%3EEndTime%3C%2FSTRONG%3E%20-%20The%20impact%20end%20time%20of%20the%20alert%20(the%20time%20of%20the%20last%20event%20contributing%20to%20the%20alert)%0A-%20%3CSTRONG%3EEntities%3C%2FSTRONG%3E%20-%20A%20list%20of%20entities%20related%20to%20the%20alert.%20This%20list%20can%20hold%20a%20mixture%20of%20entities%20of%20diverse%20types%0A-%20%3CSTRONG%3EExtendedLinks%3C%2FSTRONG%3E%20-%20(Optional)%20A%20bag%20for%20all%20links%20related%20to%20the%20alert.%20This%20bag%20can%20hold%20a%20mixture%20of%20links%20for%20diverse%20types%0A-%20%3CSTRONG%3EExtendedProperties%3C%2FSTRONG%3E%20-%20A%20bag%20of%20additional%20fields%20which%20are%20relevant%20to%20the%20alert%0A-%20%3CSTRONG%3EIsIncident%3C%2FSTRONG%3E%20-%20Determines%20if%20the%20alert%20is%20an%20incident%20or%20a%20regular%20alert.%20An%20incident%20is%20a%20security%20alert%20that%20aggregates%20multiple%20alerts%20into%20one%20security%20incident%0A-%20%3CSTRONG%3EProcessingEndTime%3C%2FSTRONG%3E%20-%20UTC%20timestamp%20in%20which%20the%20alert%20was%20created%0A-%20%3CSTRONG%3EProductComponentName%3C%2FSTRONG%3E%20-%20(Optional)%20The%20name%20of%20a%20component%20inside%20the%20product%20which%20generated%20the%20alert.%0A-%20%3CSTRONG%3EProductName%3C%2FSTRONG%3E%20-%20constant%20('Azure%20Security%20Center')%0A-%20%3CSTRONG%3EProviderName%3C%2FSTRONG%3E%20-%20unused%0A-%20%3CSTRONG%3ERemediationSteps%3C%2FSTRONG%3E%20-%20Manual%20action%20items%20to%20take%20to%20remediate%20the%20security%20threat%0A-%20%3CSTRONG%3EResourceId%3C%2FSTRONG%3E%20-%20Full%20identifier%20of%20the%20affected%20resource%0A-%20%3CSTRONG%3ESourceComputerId%3C%2FSTRONG%3E%20-%20a%20unique%20GUID%20for%20the%20affected%20server%20(if%20the%20alert%20is%20generated%20on%20the%20server)%0A-%20%3CSTRONG%3ESourceSystem%3C%2FSTRONG%3E%20-%20unused%0A-%20%3CSTRONG%3EStartTime%3C%2FSTRONG%3E%20-%20The%20impact%20start%20time%20of%20the%20alert%20(the%20time%20of%20the%20first%20event%20contributing%20to%20the%20alert)%0A-%20%3CSTRONG%3ESystemAlertId%3C%2FSTRONG%3E%20-%20Unique%20identifier%20of%20this%20security%20alert%20instance%0A-%20%3CSTRONG%3ETenantId%3C%2FSTRONG%3E%20-%20the%20identifier%20of%20the%20parent%20Azure%20Active%20directory%20tenant%20of%20the%20subscription%20under%20which%20the%20scanned%20resource%20resides%0A-%20%3CSTRONG%3ETimeGenerated%3C%2FSTRONG%3E%20-%20UTC%20timestamp%20on%20which%20the%20assessment%20took%20place%20(Security%20Center's%20scan%20time)%20(identical%20to%20DiscoveredTimeUTC)%0A-%20%3CSTRONG%3EType%3C%2FSTRONG%3E%20-%20constant%20('SecurityAlert')%0A-%20%3CSTRONG%3EVendorName%3C%2FSTRONG%3E%20-%20The%20name%20of%20the%20vendor%20that%20provided%20the%20alert%20(e.g.%20'Microsoft')%0A-%20%3CSTRONG%3EVendorOriginalId%3C%2FSTRONG%3E%20-%20unused%0A-%20%3CSTRONG%3EWorkspaceResourceGroup%3C%2FSTRONG%3E%20-%20in%20case%20the%20alert%20is%20generated%20on%20a%20VM%2C%20Server%2C%20VMSS%20or%20App%20Service%20instance%20that%20reports%20to%20a%20workspace%2C%20contains%20that%20workspace%20resource%20group%20name%0A-%20%3CSTRONG%3EWorkspaceSubscriptionId%3C%2FSTRONG%3E%20-%20in%20case%20the%20alert%20is%20generated%20on%20a%20VM%2C%20Server%2C%20VMSS%20or%20App%20Service%20instance%20that%20reports%20to%20a%20workspace%2C%20contains%20that%20workspace%20subscriptionId%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW203304577%20BCX0%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW203304577%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%3EThe%20f%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW203304577%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%3Eirst%20step%20to%20configure%20this%20workflow%20automation%20via%20API%20is%20to%20build%20the%20Rest%20API%20payload.%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW203304577%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%3EFollow%20this%20documentation%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW203304577%20BCX0%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fsecuritycenter%2Fautomations%2Fcreateorupdate%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW203304577%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%20data-ccp-charstyle%3D%22Hyperlink%22%3ECreate%20or%20update%20API%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW203304577%20BCX0%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%20data-ccp-charstyle%3D%22Hyperlink%22%3E.%20In%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW203304577%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%3Erequest%20body%20enter%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSTRONG%3Ethis%20relevant%20information%3C%2FSTRONG%3E%3C%2FFONT%3E%3CSPAN%20class%3D%22TextRun%20SCXW203304577%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20border%3D%221%22%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22100%25%22%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22properties%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22description%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESend%20Email%20only%20on%20Antimalware%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22isEnabled%22%3A%20true%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22metadata%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22scopes%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22description%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESend%20email%20on%20Alerts%20from%20the%20Anti%20malware%20detection%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22scopePath%22%3A%20%22%2Fsubscriptions%2F6b1ceacd-5731-xxxx-8f96-2078dd96fd96%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22sources%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22eventSource%22%3A%20%22%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CFONT%20color%3D%22%23FF0000%22%3EAlerts%3C%2FFONT%3E%22%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22ruleSets%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22rules%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22propertyJPath%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EVendorName%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22propertyType%22%3A%20%22String%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22expectedValue%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20Antimalware%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22operator%22%3A%20%22Equals%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22actions%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22logicAppResourceId%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2Fsubscriptions%2F6b1ceacd-xxx-xxxx96-2078dd96fd96%2FresourceGroups%2FASC-Playbook%2Fproviders%2FMicrosoft.Logic%2Fworkflows%2FASC-Alert-To-ServiceNow%2FlogicApp%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22uri%22%3A%20%22%3CA%20href%3D%22https%3A%2F%2FexampleTriggerUri1.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2FexampleTriggerUri1.com%3C%2FA%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22actionType%22%3A%20%22LogicApp%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%7D%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22id%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2Fsubscriptions%2F6b1ceacd-5731-xxxx-xxxx-2078dd96fd96%2Fresourcegroups%2Fcxe-yanivsh%2Fproviders%2FMicrosoft.Security%2Fautomations%2FAntiMalwareAlerts%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%20%3CSPAN%20data-contrast%3D%22auto%22%3E%22name%22%3A%20%22%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAntiMalwareAlerts%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22type%22%3A%20%22Microsoft.Security%2Fautomations%22%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22location%22%3A%20%22West%20Europe%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW203304577%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW203304577%20BCX0%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3EAfter%20the%20successful%20put%20request%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eopen%20ASC%20portal%20and%20navigate%20to%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3EWorkflow%20automation%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eblade%20and%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3Enotice%20to%20the%20newly%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3Eautomation%20item%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115507472%20BCX0%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115507472%20BCX0%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW115507472%20BCX0%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22blade1.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F169479iE5638BC1BBC4D565%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22blade1.jpg%22%20alt%3D%22blade1.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIt%20is%20important%20to%20mention%20that%20once%20a%20specific%20automation%20item%20created%20through%20an%20API%20request%2C%20you%20will%20have%20some%20editing%20limitation%20in%20the%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BUI%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20so%20our%20recommendation%20is%20that%20if%20we%20need%20to%20edit%20this%20specific%20item%2C%20it%20should%20be%20done%20via%20the%20API.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHappy%20automation%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EReviewers%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F124214%22%20target%3D%22_blank%22%3E%40Yuri%20Diogenes%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%40Yoav%20Francis%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1155619%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWorkflow%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%26nbsp%3BAutomation%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eis%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Enew%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Security%20Center%20feature%20(preview)%20that%20can%20trigger%20Logic%20Apps%20on%20security%20alerts%20and%20recommendations.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Open_Pic.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F169405i5A56F17E777514E0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Open_Pic.GIF%22%20alt%3D%22Open_Pic.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EI%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3En%20this%20blog%20post%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bwe%20will%20demonstrate%20how%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bwe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bcan%20use%20API%20to%20build%20and%20answer%20more%20unique%20triggering%20scenario%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1155619%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAutomation%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Security%20Center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELogic%20Apps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

 

Workflow Automation is a new Azure Security Center feature (preview) that can trigger Logic Apps on security alerts and recommendations.   

In this blog post, we will demonstrate how we can use API to build and answer more unique triggering scenarios. 

 

Scenario 

Contoso organizations leverages Azure Security Center in a large scale. One of the security departments uses Azure Security Center to manage the Protection and specifically responsible for Defender antimalware alerts and findings. This department wants to receive email’s only on alerts that are related to Defender antimalware. 

 

Before implementing this scenario via API, let’s review the experience in the Azure Security Center dashboard. Follow the steps below to get started:  

  1. Open Azure Security Center, and on the left navigation pane, click on Workflow automation (Preview) 
  2. On the Workflow automation blade, click the + Add workflow automation button. The blade below appears:

add_new1.GIF

 

3. Under Triggers conditions, you can see that the automation can be triggered by alerts or recommendations. Under Alert severity, you can also select the severity level that you want to target.  

select_thread.GIF

 

As you could see, the options available via Azure Security Center dashboard are very straight forward. Now let’s see how to create a workflow automation via API. 

 

Workflow Automation via API 

 

Workflow Automation feature is currently in public preview stages, it will be become GA in the coming months, and part of it we'll release a full API interface that will include PowerShell, Azure CLI. 

As mentioned earlier, for this scenario we need to build a workflow automation that will trigger only when Antimalware detection arrives in ASC. To accomplish this task via API, we will leverage the workflow automation API.

The advantage of using this API is that we have more granular filtering options. 

The filtering options that will be used for this scenario are:  

  1. Filter on ASC alerts only  
  2. Filter on AlertVendor = Microsoft Antimalware  

Although we will leverage only those two filtering options, there are much more available, as shown in the list below (list reference can be found in our GitHub Repo) 

 

- AlertName - Alert display name
- Severity - The alert severity (High/Medium/Low/Informational)
- AlertType - unique alert identifier
- ConfidenceLevel - (Optional) The confidence level of this alert (High/Low)
- ConfidenceScore - (Optional) Numeric confidence indicator of the security alert
- Description - Description text for the alert
- DisplayName - The alert's display name
- EndTime - The impact end time of the alert (the time of the last event contributing to the alert)
- Entities - A list of entities related to the alert. This list can hold a mixture of entities of diverse types
- ExtendedLinks - (Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types
- ExtendedProperties - A bag of additional fields which are relevant to the alert
- IsIncident - Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident
- ProcessingEndTime - UTC timestamp in which the alert was created
- ProductComponentName - (Optional) The name of a component inside the product which generated the alert.
- ProductName - constant ('Azure Security Center')
- ProviderName - unused
- RemediationSteps - Manual action items to take to remediate the security threat
- ResourceId - Full identifier of the affected resource
- SourceComputerId - a unique GUID for the affected server (if the alert is generated on the server)
- SourceSystem - unused
- StartTime - The impact start time of the alert (the time of the first event contributing to the alert)
- SystemAlertId - Unique identifier of this security alert instance
- TenantId - the identifier of the parent Azure Active directory tenant of the subscription under which the scanned resource resides
- TimeGenerated - UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC)
- Type - constant ('SecurityAlert')
- VendorName - The name of the vendor that provided the alert (e.g. 'Microsoft')
- VendorOriginalId - unused
- WorkspaceResourceGroup - in case the alert is generated on a VM, Server, VMSS or App Service instance that reports to a workspace, contains that workspace resource group name
- WorkspaceSubscriptionId - in case the alert is generated on a VM, Server, VMSS or App Service instance that reports to a workspace, contains that workspace subscriptionId

The first step to configure this workflow automation via API is to build the Rest API payload.  Follow this documentation Create or update API. In the request body enter this relevant information 

 

 

{ 

  "properties": { 

    "description": "Send Email only on Antimalware", 

    "isEnabled": true, 

    "metadata": { 

    }, 

    "scopes": [ 

      { 

        "description": "Send email on Alerts from the Anti malware detection", 

        "scopePath": "/subscriptions/6b1ceacd-5731-xxxx-8f96-2078dd96fd96" 

      } 

    ], 

    "sources": [ 

      { 

        "eventSource": "Alerts", 

        "ruleSets": [ 

          { 

            "rules": [ 

              { 

                "propertyJPath": "VendorName", 

                "propertyType": "String", 

                "expectedValue": "Microsoft Antimalware", 

                "operator": "Equals" 

              } 

            ] 

          } 

        ] 

      } 

    ], 

    "actions": [ 

      { 

        "logicAppResourceId": "/subscriptions/6b1ceacd-xxx-xxxx96-2078dd96fd96/resourceGroups/ASC-Playbook/providers/Microsoft.Logic/workflows/ASC-Alert-To-ServiceNow/logicApp", 

"uri": "https://exampleTriggerUri1.com", 

        "actionType": "LogicApp" 

          

      } 

    ] 

  }, 

  "id": "/subscriptions/6b1ceacd-5731-xxxx-xxxx-2078dd96fd96/resourcegroups/cxe-yanivsh/providers/Microsoft.Security/automations/AntiMalwareAlerts", 

  "name": "AntiMalwareAlerts", 

  "type": "Microsoft.Security/automations", 

  "location": "West Europe" 

} 

 

 

After the successful put request, open ASC portal and navigate to the Workflow automation blade and notice to the newly automation item. 

 

blade1.jpg

 

It is important to mention that once a specific automation item created through an API request, you will have some editing limitation in the UI, so our recommendation is that if we need to edit this specific item, it should be done via the API.

 

Happy automation :smile:

 

Reviewers:

@Yuri Diogenes 

@Yoav Francis