Create an alert response instead of an incident response - the incident response is expecting an incident to be passed to the "for each incident update" (as in each thing that updates the incident that you're alerting on). An alert response will simply alert on the KQL query and run the playbook, without bothering with passing the non-existent incident info through the flow.
Recreated my playbooks to send emails on alerts instead of incidents, and they run just fine when "user added" and "device added" are found. No need to create incidents for those, just email records that new users or devices were added.