In a SOAR playbook, after a UDM query finds users who connected to a malicious domain, how should you add those users as entities in an alert to reset passwords with minimal analyst effort?


Multiple Choice


Explanation:
The key idea is a data-driven creation step that turns the query results into alert entities without analyst input. Add the Siemplify integration's Create Entity action after the UDM query step and, in the Expression Builder, map the usernames from the query step's JSON result into the action's Entities Identifier field, with the entity type set to the user type. Each username then becomes an entity on the alert automatically, so a downstream password-reset action that runs over the alert's entities applies to every affected user in one pass. This avoids opening a separate case per user, asking the analyst to add entities through the UI, or typing identifiers by hand, and it gives consistent, repeatable results at scale. Two practical checks belong in the playbook: deduplicate the usernames the query returns (the query matches one connection per event, so the same user will usually appear several times) before they reach Create Entity, and, because a password reset is disruptive, either gate the reset behind an approval step or scope it to the entities this step created rather than to every entity already on the alert.
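The mapping step above is done declaratively in the Expression Builder, but it helps to see what that mapping has to do with real query output. The following is an added example, not code from the quiz page or from Google SecOps: it takes a constructed UDM query result, pulls out the user identifiers, drops events that have no user, normalises and deduplicates them, and joins them into the comma-separated string a Create Entity step would receive. The result shape (an "events" list with the user under principal.user.userid), the sample users and the domain are assumptions made for this example, as is the comma-separated form of the identifier field.

```python
import json
from typing import Iterable

# Constructed sample of a UDM query result, shaped like the JSON a
# "run UDM query" step might hand to the next playbook step. The key names
# ("events", principal.user.userid) are an assumption for this example, not a
# schema excerpt; the users and the domain are made up.
SAMPLE_UDM_RESULT = json.dumps({
    "events": [
        {"principal": {"user": {"userid": "alice"}}, "target": {"hostname": "bad.example"}},
        {"principal": {"user": {"userid": "Bob"}}, "target": {"hostname": "bad.example"}},
        {"principal": {"user": {"userid": "alice"}}, "target": {"hostname": "bad.example"}},
        {"principal": {"ip": "10.0.0.7"}, "target": {"hostname": "bad.example"}},
        {"principal": {"user": {"userid": "   "}}, "target": {"hostname": "bad.example"}},
    ]
})


def _dig(obj, path):
    """Walk a nested dict along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_users(json_result: str,
                  path=("principal", "user", "userid"),
                  exclude: Iterable[str] = ()) -> list[str]:
    """Return unique, normalised user identifiers in first-seen order.

    Events with no user (e.g. only a principal IP) and blank identifiers are
    skipped; `exclude` lets the playbook keep service accounts out of a
    password-reset run.
    """
    data = json.loads(json_result)
    skip = {u.strip().lower() for u in exclude}
    users: list[str] = []
    for event in data.get("events", []):
        user = _dig(event, path)
        if not isinstance(user, str):
            continue
        user = user.strip().lower()
        if not user or user in skip or user in users:
            continue
        users.append(user)
    return users


def entities_identifier(users: list[str]) -> str:
    """Join the users into one comma-separated value for the Create Entity
    identifier field (assumption: that field accepts a comma-separated list)."""
    return ",".join(users)


if __name__ == "__main__":
    found = extract_users(SAMPLE_UDM_RESULT)
    print("users to add as entities:", found)
    print("identifier field value:", entities_identifier(found))
```

Run stand-alone, the five sample events collapse to two entities, alice and bob. The same normalisation is what you want from the Expression Builder mapping in the playbook: if it is omitted, the duplicate events produce duplicate entities and the reset action runs more than once per user.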

