Forum Discussion

Thijs Lecomte's avatar
Thijs Lecomte
Bronze Contributor
Feb 25, 2020

Get full data into Playbook

Hi   We are currently trying to automate some alerts through Playbooks. We created a custom alert that checks for Impossible Travel Alerts from MCAS. This works well. But the issue is that some d...
GaryBushey's avatar
GaryBushey
Bronze Contributor
Feb 25, 2020

Thijs Lecomte  Not sure what you mean when you say that Entities do not support arrays.  If the alert that creates the Incident finds multiple events and each of those events has matching entities, then the incident will have  multiple entities.

 

I currently have one incident that is made up of 13 events and has 5 IP and 6 Account Entities in it.  Using a Playbook to write the Entities to a Teams message I see that it writes out the Entities in a JSON array.

 

Looking at your image it shows the same thing just that, in your case, you only have 1 Entity listed

Thijs Lecomte's avatar
Thijs Lecomte
Bronze Contributor
Feb 25, 2020
Thanks for the response.
The alert is have only has one event.

The event that comes from MCAS.
I can understand that multiple events in one alert can lead to multiple entities.

But can one event in an alert lead into multiple entities?

Or is there another way to get the full event details into Playbooks?
  • GaryBushey's avatar
    GaryBushey
    Bronze Contributor
    Feb 25, 2020

    Thijs Lecomte One event will only have up to a single value for each of the entities. 

     

    • Thijs Lecomte's avatar
      Thijs Lecomte
      Bronze Contributor
      Feb 25, 2020
      Any chance that will be changed in the future?

      Or any way to get the full details through the playbook?
      • GaryBushey's avatar
        GaryBushey
        Bronze Contributor
        Feb 25, 2020

        Thijs Lecomte I would not expect this to change.    What do you mean when you say full details?  What is missing?

Resources