
Explanation:

In Azure Security Center (now Microsoft Defender for Cloud), Workflow automation is provisioned as an ARM resource of type Microsoft.Security/automations. The automation resource defines one or more actions, and when the action is a Logic App, the actionType is set to LogicApp and the action must reference the Logic App by its resource ID. In ARM, the correct provider namespace for Logic Apps is Microsoft.Logic, so the template uses resourceId('Microsoft.Logic/workflows', <logicAppName>) to populate logicAppResourceId.
To enable the security alert to trigger the Logic App, the automation action includes a callback URL to the Logic App's manual trigger. In ARM, this is retrieved with listCallbackURL() against the trigger resource ID, which must also use the Microsoft.Logic provider, i.e., resourceId(<subscriptionId>,
<resourceGroupName>, 'Microsoft.Logic/workflows/triggers', <logicAppName>, 'manual'), with the Logic Apps API version such as 2019-05-01. This is the documented pattern for Security Center workflow automations: define an automation under Microsoft.Security/automations, specify an action of type LogicApp, reference the workflow by Microsoft.Logic, and obtain the manual trigger callback via listCallbackURL on Microsoft.Logic/workflows/triggers. This wiring ensures that when the specified security alerts are received, the automation invokes the Logic App for automatic remediation on each match.