Forum Discussion
pknino
Aug 22, 2025
Copper Contributor
Sentinel Playbook help required
Hi there, I am trying to create a logic app for when a new Sentinel incident is triggered, it will check for the entities in the incident, compare it with a defined Entra ID group members, and if...
AndrewBlumhardt
Microsoft
Aug 24, 2025
If this is an incident based on a Sentinel rule, you are better off using automation rules for a small number of user exemptions. For a larger list I would add a list to the incident rule's KQL. This will achieve the auto-close requirement and prevent response delays. There are email generating playbook samples provided, also look at the essentials solutions in the content hub. If you do decide to go with a custom playbook I would use an LLM to guide the creation. Build from a template or start fresh. I would use a watchlist to store your exclusion list for easier management.
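The watchlist-backed exclusion Andrew describes, written out as an added KQL example (not code from either poster). It assumes a Sentinel watchlist named `ExemptUsers` with a column `UserPrincipalName` (both names are assumptions; `_GetWatchlist` and `SigninLogs` are real Sentinel objects). The base query is a generic sign-in query standing in for whatever the actual analytics rule detects; the exclusion is the `leftanti` join, which drops any row whose user appears in the watchlist before an incident is ever created, so no auto-close step is needed.

```kql
// Added example, not from the thread.
// Watchlist "ExemptUsers" with column "UserPrincipalName" is an assumed name/schema.
// Normalise case once so "Alice@Contoso.com" and "alice@contoso.com" match.
let exempt = _GetWatchlist('ExemptUsers')
    | project UPN = tolower(UserPrincipalName);
// Placeholder detection logic: successful sign-ins. Replace with the rule's real query.
SigninLogs
| where ResultType == "0"
| extend UPN = tolower(UserPrincipalName)
// leftanti keeps only rows with NO match in the watchlist, i.e. non-exempt users.
| join kind=leftanti exempt on UPN
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
```

Because the exclusion is evaluated inside the analytics rule, exempt users produce no alert and no incident, and the list can be edited in the watchlist UI without touching the rule. For a handful of accounts, an automation rule with an account-entity condition that auto-closes the incident is the lighter option, as the reply notes; the KQL approach scales to larger lists and avoids the response delay of creating and then closing incidents.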