Forum Discussion
Sentinel incident playbook - get alert entities
What I would do in this case is to create Logic App with a trigger "Microsoft Sentinel incident" (this will grab alerts as well) and then run SystemAlertID (it's a dynamic function) against KQL.
You can use the following KQL to achieve that (we need to move the actual entities from the array into separate columns):
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in ("")
| extend
    HostNames = extract_all(@"\""HostName\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    IpAddresses = extract_all(@"\""Address\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    Accounts = extract_all(@"\""Name\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    UPNS = extract_all(@"\""UPNSuffix\""\s*:\s*\""(.*?)\""", tostring(Entities)),
    Urls = extract_all(@"\""Url\""\s*:\s*\""(.*?)\""", tostring(Entities))
| extend
    HostName = iff(array_length(HostNames) > 0, tostring(HostNames[0]), ""),
    IP = iff(array_length(IpAddresses) > 0, tostring(IpAddresses[0]), ""),
    Account = iff(array_length(Accounts) > 0, tostring(Accounts[0]), ""),
    UPN = iff(array_length(UPNS) > 0, tostring(UPNS[0]), ""),
    URL = iff(array_length(Urls) > 0, tostring(Urls[0]), "")
| project SystemAlertId, TimeGenerated, AlertName, HostName, IP, Account, UPN, URL
and then run it against an automation rule.
Here is how the output will look:
You can then use Parse_JSON in another step and use it for whatever you need.
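As an added illustration (not code from the reply above or from Microsoft), the script below ports the reply's regex extraction to Python and runs it over a constructed SecurityAlert Entities payload, beside a variant that parses the JSON and reads each field only from entities of the matching Type. The entity shape (Type values host/ip/account/url/file, fields HostName, Address, Name, UPNSuffix, Url) follows Sentinel's entity JSON; every value in the sample is invented. It shows the one practical caveat of the regex approach: the `"Name"` pattern is not specific to account entities, so whichever entity carrying a Name field appears first in the array wins.

```python
import json
import re

# Constructed sample of a SecurityAlert.Entities value (shape follows Sentinel's
# entity JSON; all values are invented). A file entity is deliberately placed
# before the account entity, because both carry a "Name" field.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "3", "HostName": "wks-0042", "Type": "host"},
    {"$id": "4", "Address": "10.1.2.3", "Type": "ip"},
    {"$id": "5", "Name": "payload.bin", "Directory": "C:\\Temp", "Type": "file"},
    {"$id": "6", "Name": "jdoe", "UPNSuffix": "example.test", "Type": "account"},
    {"$id": "7", "Url": "https://example.test/login", "Type": "url"},
])

# The reply's KQL patterns, translated from the @"..." verbatim-string form
# (where "" stands for one double quote) to ordinary Python raw strings.
REGEX_FIELDS = {
    "HostName": r'"HostName"\s*:\s*"(.*?)"',
    "IP": r'"Address"\s*:\s*"(.*?)"',
    "Account": r'"Name"\s*:\s*"(.*?)"',
    "UPN": r'"UPNSuffix"\s*:\s*"(.*?)"',
    "URL": r'"Url"\s*:\s*"(.*?)"',
}


def extract_by_regex(entities_json: str) -> dict:
    """Mirror extract_all(...) followed by [0]: first match, else empty string."""
    row = {}
    for column, pattern in REGEX_FIELDS.items():
        matches = re.findall(pattern, entities_json)
        row[column] = matches[0] if matches else ""
    return row


# Type-aware alternative: (entity Type, field) per output column.
TYPED_FIELDS = {
    "HostName": ("host", "HostName"),
    "IP": ("ip", "Address"),
    "Account": ("account", "Name"),
    "UPN": ("account", "UPNSuffix"),
    "URL": ("url", "Url"),
}


def extract_by_type(entities_json: str) -> dict:
    """Parse the array and read each field only from entities of the wanted Type."""
    entities = json.loads(entities_json)
    row = {}
    for column, (wanted_type, field) in TYPED_FIELDS.items():
        values = [e[field] for e in entities
                  if e.get("Type") == wanted_type and field in e]
        row[column] = values[0] if values else ""
    return row


if __name__ == "__main__":
    print("regex :", extract_by_regex(SAMPLE_ENTITIES))
    print("typed :", extract_by_type(SAMPLE_ENTITIES))
```

Both functions return the same HostName, IP, UPN and URL for this sample; they differ only in the Account column, where the regex port picks up the file name and the typed parse returns the account name. If the playbook later runs Parse_JSON on the query output anyway, the typed approach can be applied there instead of in KQL.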