Best practices for working with dynamic content and expressions
In the examples discussed in previous chapters, we used dynamic content over static content wherever we could, because dynamic content gives us the latest data on which to base our decisions.
We learned that all actions in the playbooks that talk to external services, such as Microsoft Sentinel, Azure AD, MDE, and VirusTotal, use API calls. All APIs return their responses in JSON format, as we saw in our MDE example in Chapter 8 when we searched for MdatpDeviceId. While most actions map API responses to dynamic content, not every response field from the API is exposed as dynamic content, and we saw that with MdatpDeviceId.
In such cases, when dynamic content is not available for the specific field we need, we can use an expression instead of dynamic content to read the value from the JSON response inside the playbook. But how do we write such an expression?
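As an added illustration of the technique (this is not the book's playbook nor Microsoft's code), the workflow-definition fragment below reads MdatpDeviceId with an expression in a Compose action and only proceeds to the isolation step when the value is actually present. The action names, the shape of the Hosts response and the additionalData path are assumptions made for this example.

```json
{
  "actions": {
    "Get_MdatpDeviceId": {
      "type": "Compose",
      "inputs": "@coalesce(body('Entities_-_Get_Hosts')?['Hosts']?[0]?['additionalData']?['MdatpDeviceId'], '')",
      "runAfter": { "Entities_-_Get_Hosts": [ "Succeeded" ] }
    },
    "Device_ID_present": {
      "type": "If",
      "expression": {
        "and": [
          { "not": { "equals": [ "@outputs('Get_MdatpDeviceId')", "" ] } }
        ]
      },
      "actions": {
        "Pass_device_id_to_isolation": {
          "type": "Compose",
          "inputs": "@outputs('Get_MdatpDeviceId')",
          "runAfter": {}
        }
      },
      "else": {
        "actions": {
          "No_MDE_device_ID_on_host": {
            "type": "Terminate",
            "inputs": {
              "runStatus": "Cancelled",
              "runError": { "code": "MissingMdatpDeviceId", "message": "Host entity carries no MdatpDeviceId; nothing to isolate." }
            },
            "runAfter": {}
          }
        }
      },
      "runAfter": { "Get_MdatpDeviceId": [ "Succeeded" ] }
    }
  }
}
```

The `?` operator makes each step of the path null-safe, so a host without the field yields an empty string instead of failing the run; the real MDE isolation action replaces the Compose inside the true branch.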
Let’s open the Isolate-MDE-Machine playbook...