Sign In

SA1.3 Your First Automation Rule

5 hours · Module 1 · Free
YOUR FIRST AUTOMATION RULE — AiTM TRIAGE ACCELERATIONTRIGGER:When Microsoft Sentinel incident is createdCONDITIONS:Analytics rule name CONTAINS "AiTM" OR "credential phishing" OR "token theft"ACTIONS:① Change severity → High ② Add tag "aitm-triage" ③ Assign owner → SOC Tier 2 QueueSTEP-BY-STEP BUILD — 5 MINUTES TO DEPLOYEDStep 1: Sentinel → Automation → Create automation ruleStep 2: Name: "SA-Rule-AiTM-Triage-Acceleration" | Trigger: When incident is createdStep 3: Condition: Analytics rule name → Contains → "AiTM" (add OR conditions for variants)Step 4: Actions: Change severity → High | Add tag → "aitm-triage" | Assign owner → queueStep 5: Order: 100 | Status: Enabled | Expiration: None | Apply → SaveDone. Every AiTM incident is now instantly High severity, tagged, and routed to Tier 2. Zero code. Zero Logic Apps.

Figure SA1.3 — Your first automation rule: AiTM triage acceleration. 5 minutes from start to deployed.

Operational Objective
Theory is complete. You understand automation rules, their capabilities, their limitations, and the four production patterns. Now you build one. This sub walks through the creation of your first production automation rule — an AiTM triage acceleration rule that changes severity, adds a tag, and assigns the incident to the correct queue. You will deploy it in under 5 minutes.
Deliverable: A deployed, active Sentinel automation rule that accelerates AiTM triage by normalising severity, tagging, and routing. Your first production automation.
⏱ Estimated completion: 20 minutes

Building the rule — step by step

Open your Sentinel workspace in the Azure portal. Navigate to Configuration → Automation. Click “Create” and select “Automation rule.”

Rule name. Use a naming convention from the start. The naming convention for this course is: SA-Rule-{Purpose}-{Target}. For this rule: SA-Rule-AiTM-Triage-Acceleration. The prefix SA-Rule distinguishes automation rules from playbooks (SA-Playbook) in the list view. The purpose and target make the rule’s function clear without opening it.

Trigger. Select “When incident is created.” This fires the rule once when the incident first appears in the queue — not on every update, which would cause the severity change and tag addition to re-execute on every analyst comment or status change.

Conditions. Click “Add condition” and select “Analytics rule name.” Set the operator to “Contains” and enter “AiTM.” If your AiTM detection uses a different name (many organisations name their rules differently), adjust accordingly. Click “Add condition” again with OR logic if you have multiple analytics rules that detect AiTM variants — “Contains ‘credential phishing’” OR “Contains ’token theft’” OR “Contains ‘session hijack.’”

The condition should be specific enough to target the correct alert type but broad enough to catch all variants. Testing after deployment will confirm whether the conditions match the expected incidents.

Actions. Add three actions in sequence:

Action 1: “Change severity” → set to “High.” AiTM incidents at NE are always High severity regardless of the detection’s default classification. This ensures AiTM incidents appear at the top of the queue.

Action 2: “Add tags” → enter “aitm-triage.” Tags serve two purposes: filtering in the incident queue (show me all aitm-triage tagged incidents) and playbook coordination (the enrichment playbook in SA1.4 will check for this tag to apply AiTM-specific enrichment).

Action 3: “Assign owner” → select the SOC Tier 2 analyst or queue. If your SOC uses individual assignment, select the identity analyst. If you use queues, select the identity queue. Avoid assigning to a single person — when that person is unavailable, incidents accumulate.

Order. Set to 100. This leaves room for future rules at lower order numbers (50 — severity overrides for other alert types) and higher order numbers (200 — playbook triggers that depend on the severity change).

Status. Enabled. There is no reason to create a disabled rule — deploy and validate.

Expiration. None. This is a permanent rule. Use expiration only for temporary rules created during active incidents.

Click “Apply” and the rule is live. Every AiTM incident created from this point forward is automatically set to High severity, tagged “aitm-triage,” and assigned to the correct analyst or queue.

Validating the rule

After deployment, validate that the rule works correctly. You need a test incident.

Option 1: Wait for a real alert. If your AiTM detection fires regularly, the next alert will trigger the rule. Check the incident: is the severity High? Is the tag present? Is the owner assigned? If yes, the rule works.

Option 2: Create a test incident manually. In Sentinel, navigate to Incidents → Create incident (preview). Set the title to include “AiTM” (matching your condition), set initial severity to Medium, and create the incident. Check immediately: did the automation rule change it to High and add the tag?

Option 3: Trigger the analytics rule. If you have a test environment, simulate the AiTM indicator (sign-in with MFA-claim-in-token from a new IP) to trigger the analytics rule. The resulting incident should have the automation rule applied.

If the rule did not fire, check: is the rule enabled? Does the analytics rule name match the condition exactly? Is the order number correct (not conflicting with another rule that closes the incident before this rule runs)?

Building three more rules in 10 minutes

Now that you know the process, build three additional rules:

Rule 2: Ransomware severity override (order 110). Trigger: incident created. Condition: analytics rule name contains “ransomware” OR “VSS deletion” OR “shadow copy.” Action: change severity to Critical. Ransomware indicators are always Critical at NE — they require immediate response.

Rule 3: Known FP auto-close (order 500). Trigger: incident created. Condition: analytics rule name = “Impossible Travel” AND incident title contains “ceo@northgateeng.com.” Actions: change status to Closed, classification = BenignPositive, add tag “auto-closed-known-travel,” add comment “Auto-closed: known weekly travel pattern for CEO. Monthly review scheduled.” Order 500 ensures this runs after any severity changes or enrichment triggers — you do not want to close an incident before enrichment runs.

Rule 4: Playbook trigger (order 200). Trigger: incident created. Condition: severity = High OR severity = Critical. Action: run playbook “SA-Playbook-Enrichment-General” (you will build this in SA1.4). This rule triggers the enrichment playbook on all high-priority incidents. Order 200 ensures it runs after Rule 1 (which sets AiTM to High at order 100).

Four rules. Fifteen minutes total. Your Sentinel automation is operational.

⚠ Compliance Myth: "We need formal approval to create automation rules in our production Sentinel workspace"

The myth: Any change to the production Sentinel workspace requires CAB approval.

The reality: Automation rules that change severity, assign owners, or add tags are Tier 1 changes — they modify incident properties, not the environment. They have zero blast radius. They are the equivalent of an analyst manually changing severity on every AiTM incident — the rule just does it automatically and consistently. Review with the SOC lead (a 2-minute conversation: “I’m setting AiTM to always-High severity”) and deploy. The FP auto-close rule (Rule 3) deserves slightly more scrutiny because it closes incidents without analyst review — but with proper safeguards (specific conditions, auto-closed tag, monthly review), this is a standard triage acceleration practice.

Your First Four Automation Rules

RuleOrderTriggerConditionActions
AiTM Triage100CreatedRule name contains “AiTM”Severity → High, tag “aitm-triage”, assign Tier 2
Ransomware Priority110CreatedRule name contains “ransomware”Severity → Critical
Playbook Trigger200CreatedSeverity = High or CriticalRun enrichment playbook
CEO Travel FP500CreatedRule = “Impossible Travel” + title has CEOClose (BenignPositive), tag “auto-closed”

Decision point: You deployed Rule 3 (CEO travel FP auto-close) and it works perfectly for 3 weeks. Then the CEO’s account is actually compromised — the attacker signs in from Lagos while the CEO is in London. The impossible travel alert fires, matches the auto-close rule, and is closed automatically. The compromise goes undetected for 4 hours until the CEO reports suspicious activity. What went wrong? The condition was too broad: it matched ANY impossible travel alert for the CEO, not just the London-to-New-York pattern. The fix: tighten the condition to include the specific city pairs, or change the auto-close to auto-enrich + tag “known-pattern-check-required” instead of closing. FP auto-close rules must be specific enough that they do not mask real attacks in the same pattern.

Try it: Deploy your first automation rule

Build and deploy Rule 1 (AiTM Triage Acceleration) in your Sentinel workspace:

  1. Navigate to Automation → Create → Automation rule
  2. Name: SA-Rule-AiTM-Triage-Acceleration
  3. Trigger: When incident is created
  4. Condition: Analytics rule name contains “AiTM” (adjust to match your detection rule names)
  5. Actions: Change severity to High + Add tag “aitm-triage” + Assign to your team’s queue
  6. Order: 100, Enabled, No expiration
  7. Deploy and validate with a test incident

Time yourself. Target: under 5 minutes from start to deployed.

You deployed an automation rule that changes severity to High for all incidents from the "Suspicious Inbox Rule" analytics rule. After deployment, you notice that inbox rules created by the IT team's automated mailbox provisioning script (which runs daily and creates legitimate inbox rules for new employees) are also being escalated to High severity. What is the best fix?
Remove the automation rule — it creates too many false escalations. This removes the severity escalation for real suspicious inbox rules too. The rule is correct for actual threats; it just needs a more specific condition.
Add a condition to the automation rule that excludes incidents where the entity account matches the provisioning service account, OR create a second rule at a higher order number that changes severity back to Medium for incidents matching the service account pattern. Alternatively, tune the analytics rule to exclude the service account — this prevents the alert from firing at all, which is cleaner.
Change the analytics rule to exclude all inbox rule creations from IT accounts. This might be too broad — IT accounts can be compromised too. A targeted exclusion for the specific provisioning service account is safer than excluding all IT accounts.
Create an FP auto-close rule for the provisioning account. Auto-closing is more aggressive than adjusting severity. The better approach is either excluding the service account from the detection (so no alert fires) or keeping the alert but not escalating severity. Auto-close removes the incident from the queue entirely, which means you lose visibility if the service account is compromised.

Where this goes deeper. SA1.4 builds the enrichment playbook that Rule 4 triggers — the Logic App that transforms raw incidents into investigation-ready packages. SA9 covers advanced automation rule patterns: tag-based chaining (Rule A tags → Rule B triggers on tag), conditional ordering for multi-stage workflows, and rules that adapt based on time-of-day for after-hours escalation.

Operational Artifact — First Four Automation Rules
Deploy the four rules above in your production workspace. They are Tier 1 (severity changes, tagging, assignment) and Tier 2 (FP auto-close with safeguards) — low risk, immediate value. After deployment, validate each rule with a test incident. Monitor for one week to confirm no unintended behavior. These four rules are the foundation that every subsequent playbook trigger builds on.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← SA1.2 Playbooks — The Power Layer SA1.4 Your First Playbook →