Microsoft Sentinel automation rules reference
This article contains reference information about the configuration of automation rules and the supported conditions and properties.
To learn more about automation rules, see Automate threat response in Microsoft Sentinel with automation rules.
For instructions on creating, managing, and using automation rules, see Create and use Microsoft Sentinel automation rules to manage response.
Supported entity properties
The following table shows the entity properties supported in the automation rules API. These are the entity properties whose values you can set as conditions for triggering an automation rule.
For the full list of supported properties, which includes incident properties, see Automation rule property condition supported properties in the Automation rules API documentation.
Name (in API) | Type | Description |
---|---|---|
AccountAadTenantId | string | The account Microsoft Entra ID tenant ID |
AccountAadUserId | string | The account Microsoft Entra ID user ID |
AccountName | string | The account name |
AccountNTDomain | string | The account NetBIOS domain name |
AccountPUID | string | The account Microsoft Entra ID Passport User ID |
AccountSid | string | The account security identifier |
AccountObjectGuid | string | The account object unique identifier |
AccountUPNSuffix | string | The account user principal name suffix |
AzureResourceResourceId | string | The Azure resource ID |
AzureResourceSubscriptionId | string | The Azure resource subscription ID |
CloudApplicationAppId | string | The cloud application identifier |
CloudApplicationAppName | string | The cloud application name |
DNSDomainName | string | The DNS record domain name |
FileDirectory | string | The file directory full path |
FileName | string | The file name without path |
FileHashValue | string | The file hash value |
HostAzureID | string | The host Azure resource ID |
HostName | string | The host name without domain |
HostNetBiosName | string | The host NetBIOS name |
HostNTDomain | string | The host NT domain |
HostOSVersion | string | The host operating system |
IoTDeviceId | string | The IoT device ID |
IoTDeviceName | string | The IoT device name |
IoTDeviceType | string | The IoT device type |
IoTDeviceVendor | string | The IoT device vendor |
IoTDeviceModel | string | The IoT device model |
IoTDeviceOperatingSystem | string | The IoT device operating system |
IPAddress | string | The IP address |
MailboxDisplayName | string | The mailbox display name |
MailboxPrimaryAddress | string | The mailbox primary address |
MailboxUPN | string | The mailbox user principal name |
MailMessageDeliveryAction | string | The mail message delivery action |
MailMessageDeliveryLocation | string | The mail message delivery location |
MailMessageRecipient | string | The mail message recipient |
MailMessageSenderIP | string | The mail message sender IP address |
MailMessageSubject | string | The mail message subject |
MailMessageP1Sender | string | The mail message P1 sender (delegated sender) |
MailMessageP2Sender | string | The mail message P2 sender (original sender) |
MalwareCategory | string | The malware category |
MalwareName | string | The malware name |
ProcessCommandLine | string | The process execution command line |
ProcessId | string | The process ID |
RegistryKey | string | The registry key path |
RegistryValueData | string | The registry key value in string-formatted representation |
Url | string | The URL |