Forum Discussion

andrew_bryant
Brass Contributor
Mar 25, 2019

Sign in risk alert and playbook

I am running into some issues with an alert I am trying to build and I wonder if anyone else has come across this.  I have an alert rule with the following query:


SecurityAlert
| where TimeGenerated > ago(30m)
| where AlertName == "Unfamiliar sign-in properties"
| extend Extprop = parsejson(ExtendedProperties)
| extend UserPrincipalName = Extprop["User Account"]
| extend IPAddress = Extprop["Client IP Address"]
| extend Location = Extprop["Client Location"]
| project AlertName,AlertType,TimeGenerated,UserPrincipalName,IPAddress,Location
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress


Here are the problems:

1. When a case is created, it does not map the user principal name or the IP address to the case. When building that alert, the drop-down menu for these values did not show the selected fields as options.

2. The second problem is, I think, related to the first. Once a case is created, I tried creating a logic app/playbook that would email the details of the case to me and create a PowerShell command using output from the alert. Because the entities like username and IP address didn’t map to the case, I can’t pull that in from the Sentinel Case that is defined in the trigger. I was able to add a step to run a log query and then use the output in future steps. This worked okay for testing, but the problem I see is that the query has a time limit. Right now it is for all events generated within 30 minutes. If the playbook is run more than 30 minutes after the alert, it won’t see it.

3. I was able to use a data gateway to create a PowerShell script on a local server through the playbook. The problem was that the last few lines of the script add an A after each value. I attached a screenshot. If I change the file extension to .txt then it displays correctly, but when I switch it back to .ps1 the “A”s are back. This happens whether I create the file with dynamic values or not.

    • Liza Mash Levin (Microsoft)

      andrew_bryant - can you please remove the extend fields and define them using the 'Entity mapping' capability?

      Furthermore, can you please send me the alert ID (it will be available once you try to edit the alert) and the workspace ID?

      • Liza Mash Levin (Microsoft)

        andrew_bryant, the entity extraction supports only string values; simply add tostring on the column you want to map and this will work.

        We will add a warning in the UI to surface this issue to make sure customers understand the root cause of this.

        Thanks,

        Liza
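
The opening post's query with the cast the reply describes, as an added example rather than code posted by either participant. It keeps the original 30-minute window and column names; parse_json is the same function as parsejson, and tostring() turns the dynamic values it returns into the string columns that entity mapping accepts.

```kql
SecurityAlert
| where TimeGenerated > ago(30m)
| where AlertName == "Unfamiliar sign-in properties"
// ExtendedProperties is a JSON string; parse_json yields a dynamic object
| extend Extprop = parse_json(ExtendedProperties)
// Entity mapping only accepts string columns, so each extracted
// property is cast with tostring() instead of left as dynamic
| extend UserPrincipalName = tostring(Extprop["User Account"])
| extend IPAddress = tostring(Extprop["Client IP Address"])
| extend Location = tostring(Extprop["Client Location"])
// Drop rows where neither entity could be extracted, so the case
// never gets created without an account or IP to map
| where isnotempty(UserPrincipalName) or isnotempty(IPAddress)
| project AlertName, AlertType, TimeGenerated, UserPrincipalName, IPAddress, Location
// These string columns can now be selected in the rule's entity mapping
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress
```

Once the account and IP entities are mapped on the rule itself, the playbook can read them from the triggering case instead of re-running a time-boxed query, which removes the 30-minute dependency described in the second problem.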
