How to create a Playbook that sends an email to a user involved in an incident?

Hello everybody,

I need to configure a Sentinel playbook to send emails to users when an incident is created regarding their account.

I have created a playbook that uses Identity Protection incident creation as the trigger, but I'm not currently able to set the right parameter to automatically address the alert to the user the incident refers to.

I don't need to set an address statically, but the playbook has to fetch the user email address from the incident automatically and use it as the recipient.

Which parameter or expression should I use?

Francesco_Di_Fabio_0-1656504294561.png

I hope you can kindly help me with this.

Best regards.

1 Reply

@frank_df You definitely need to get both the user name and the UPN from the Incident Entities. Something like the following...

upn.png
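The entity-to-recipient step described in the reply, as an added example that is not part of the original thread or the screenshot: it builds the recipient list from the incident's Account entities and refuses anything outside an allow-listed tenant domain, since entity values originate from alert data. The payload shape (`relatedEntities`, `accountName`, `upnSuffix`), the function name and the sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample of an incident trigger payload. Field names are assumed:
# Account entities carrying accountName / upnSuffix under relatedEntities.
SAMPLE_INCIDENT = {
    "object": {"properties": {"title": "Unfamiliar sign-in properties", "relatedEntities": [
        {"kind": "Account", "properties": {"accountName": "j.doe", "upnSuffix": "contoso.example"}},
        {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        {"kind": "Account", "properties": {"accountName": "J.Doe", "upnSuffix": "Contoso.example"}},
        {"kind": "Account", "properties": {"accountName": "svc-backup"}},  # no UPN suffix
        {"kind": "Account", "properties": {"accountName": "x", "upnSuffix": "external.example"}},
    ]}}
}

# Conservative shape check for the assembled name@suffix value.
UPN_RE = re.compile(r"^[A-Za-z0-9._'-]+@[A-Za-z0-9.-]+$")


def incident_recipients(incident, allowed_domains):
    """Return (recipients, skipped): UPNs safe to mail, and entities left out with a reason."""
    entities = incident.get("object", {}).get("properties", {}).get("relatedEntities") or []
    allowed = {d.lower() for d in allowed_domains}
    recipients, skipped = [], []
    for entity in entities:
        if str(entity.get("kind", "")).lower() != "account":
            continue  # IPs, hosts, URLs etc. are not mail recipients
        props = entity.get("properties") or {}
        name, suffix = props.get("accountName"), props.get("upnSuffix")
        if not name or not suffix:
            skipped.append((name, "no UPN suffix"))
            continue
        upn = f"{name}@{suffix}".lower()
        if not UPN_RE.match(upn):
            skipped.append((upn, "malformed"))
        elif suffix.lower() not in allowed:
            skipped.append((upn, "domain not allowed"))
        elif upn not in recipients:  # same account often appears in several alerts
            recipients.append(upn)
    return recipients, skipped


if __name__ == "__main__":
    to, skipped = incident_recipients(SAMPLE_INCIDENT, ["contoso.example"])
    print("To:", ";".join(to))
    print("Skipped:", skipped)
```

A UPN is not always the user's mailbox address, so where the two differ the playbook needs a directory lookup of the mail attribute before sending.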