"Acknowledged by" email address Playbook attribute

Issue

What attribute can I use in a Playbook to pull the email address of the person who acknowledged the detection?

Resolution

The $Detection.marked_acknowledged_by_user.email attribute will return the email address of the person who acknowledged the detection. However, if it is used in conjunction with a detection that has not been acknowledged, it will return the the attribute name because there is no email address available; e.g., if you create a Playbook that is triggered when a detection is remediated, but no one has acknowledged that detection, there would not be an email address to populate the attribute.