Issue

Which attribute can I use in a playbook to pull the email address of the person who acknowledged a threat?

Resolution

The $Detection.marked_acknowledged_by_user.email attribute will return the email address of the person who acknowledged the threat. However, if the attribute name is used in conjunction with a threat that has not been acknowledged, it will return the attribute name because there is no email address available. If you create a Playbook that is triggered when a threat is remediated, but no one has acknowledged that threat, there would not be an email address to populate the attribute.