Hello everyone,
I'm currently using the Jira integration to manage vulnerabilities. Is there a way to automatically attach a playbook to all cases with a specific tag? For example, I'd like to attach a playbook to all cases labeled with the "vulnerability" tag, and ensure that any new cases with this tag also have the playbook attached.
Hello,
Not sure if this fits your use case, but you can create a tag-based playbook so it triggers based on a specific case tag to attach a playbook based on alerts.
Thank you for your response, Tony.
To clarify my goal, every new or existing case with the "vulnerability" tag will have alerts created like Jira tickets using a playbook. Regarding your suggested solution, would I need to attach a tag-based playbook for it to work correctly, or can I simply create it in the playbook editor? I'm not sure how to activate this tag-based playbook without attaching it to a case first.
It depends on how you have your playbooks structured and what you want the playbook to do. Every playbook requires a trigger and this trigger can allow it to automatically attach the playbook to a case:
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-triggers-in-playbo...
If you have 1 master playbook that attaches to every case and then runs through a workflow of blocks depending on the case, you could add a conditional step checking the case tags, and if it contains vulnerability then it creates a Jira ticket:
If it is a playbook specifically for the cases that have "vulnerability" tag, you would set the trigger to tag = vulnerability, then add the step for jira ticket creation and whatever else you are wanting it to do.
In order to do this, you will need to add a tag condition (SOAR Settings > Case Data > Tags) for the vulnerability tag to attach where applicable:
Also it is good to double check your playbook priorities too, since only 1 playbook gets attached automatically:
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/whats-on-the-playbooks-s...
Hi ajohnson,
Thank you for your response!
I tried to replicate the solution, but the results were not as expected:
I found that I needed to attach a playbook to a case to initiate the process. I'm actually looking for a solution that works like a scheduled job, which would check the case list daily for new cases with the "vulnerability" tag and then attach the appropriate playbook to each case alert.
When the "attach playbook" action was triggered, only the alerts from the "main" case received the playbooks. My intention is to apply the "Create Jira Ticket" playbook to all alerts in the system, including those outside of this specific case.
I believe one potential solution could be to create a job to handle this, but I'm unsure if that's feasible.
Hello everyone,
Last week, I decided to develop a custom solution for a problem I was facing. I created a simple Python script utilizing the Chronicle IDE functionality to iterate through all alerts with a specific tag and attach a playbook to them. This works well for new manual cases created by me, but I encountered an issue when trying to apply it to existing cases.
When I attempt to use the siemplify.attach_workflow_to_case function, I receive a "bad request" status code. The error message states:
"errorMessage": "You cannot perform this action on a closed alert."
I'm trying to understand why this error is occurring, as all the cases and alerts I'm working with are open.
Has anyone encountered a similar issue or have any insights on what might be happening?
Note: I'm currently only adding alerts with a status of 1.
How are you searching through the cases? You most likely need to add the (status="OPEN") to your case search method.
I'm using siemplify.get_cases_by_filter(tags=["tag name"]) to search for cases. According to the documentation, the status flag for get_cases_by_filter is statuses. I previously tried setting this option to 0, but it didn't work as expected.
Reference: Siemplify module | Google Security Operations | Google Cloud
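As an added example for the scripted approach discussed above (not code from the thread, from Google SOAR, or from the Siemplify SDK): a daily-sweep function that filters tagged cases by status server-side, skips alerts that are not open, and treats the "closed alert" error as a skip rather than a crash, so one stale alert does not abort the whole run. The two client methods, get_cases_by_filter and attach_workflow_to_case, are the names used in the thread, but the signatures, the accepted statuses values and the shape of the returned case objects used here are assumptions; the FakeSoar class and all case data are constructed so the script runs offline.

```python
"""Daily sweep: attach a playbook to every open alert on open cases carrying a tag.

Added example for this thread; not code from Google SOAR or the Siemplify SDK.
The client is assumed to expose get_cases_by_filter(tags=..., statuses=...) and
attach_workflow_to_case(workflow_name, case_id, alert_identifier), the two calls
named in the thread. Their exact signatures and the returned case shape are
assumptions; adapt the accessors to the real SDK before use.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    identifier: str
    status: int  # constructed numeric alert status, as the thread's script filters on


@dataclass
class Case:
    identifier: int
    tags: list
    alerts: list = field(default_factory=list)


class FakeSoar:
    """In-memory stand-in for the SOAR client so the sweep runs offline (constructed)."""

    def __init__(self, cases, closed_on_server=()):
        self.cases = cases
        # Alerts the server considers closed even if the local status says open;
        # models the symptom in the thread (status 1 locally, "closed alert" from the API).
        self.closed_on_server = set(closed_on_server)
        self.attached = []  # (playbook, case_id, alert_id), for auditing

    def get_cases_by_filter(self, tags=None, statuses=None):
        wanted = set(tags or [])
        return [c for c in self.cases if wanted & set(c.tags)]

    def attach_workflow_to_case(self, workflow_name, cyber_case_id, indicator_identifier):
        if indicator_identifier in self.closed_on_server:
            # Mirrors the error message quoted in the thread.
            raise RuntimeError('{"errorMessage": "You cannot perform this action on a closed alert."}')
        self.attached.append((workflow_name, cyber_case_id, indicator_identifier))


def sweep_tagged_cases(soar, playbook_name, tag, open_alert_status=1,
                       open_case_statuses=("OPEN",)):
    """Attach playbook_name to each open alert on each case tagged with `tag`.

    Returns a summary dict so each job run can be audited: alerts attached,
    alerts skipped because they are closed, and alerts that failed for another
    reason. A closed alert never aborts the sweep.
    """
    summary = {"attached": [], "skipped_closed": [], "failed": []}
    # Filter on tag and case status server-side so closed cases are never fetched.
    cases = soar.get_cases_by_filter(tags=[tag], statuses=list(open_case_statuses))
    for case in cases:
        for alert in case.alerts:
            key = (case.identifier, alert.identifier)
            if alert.status != open_alert_status:
                summary["skipped_closed"].append(key)  # cheap local pre-check
                continue
            try:
                soar.attach_workflow_to_case(playbook_name, case.identifier, alert.identifier)
            except Exception as exc:  # the client raises on a non-2xx response
                bucket = "skipped_closed" if "closed alert" in str(exc).lower() else "failed"
                summary[bucket].append(key)
            else:
                summary["attached"].append(key)
    return summary


def build_sample_soar():
    """Constructed sample: two tagged cases, one with a stale-open and one closed alert."""
    cases = [
        Case(101, ["vulnerability"], [Alert("a-1", 1), Alert("a-2", 1)]),
        Case(102, ["vulnerability", "jira"], [Alert("a-3", 1), Alert("a-4", 2)]),
        Case(103, ["phishing"], [Alert("a-5", 1)]),
    ]
    return FakeSoar(cases, closed_on_server={"a-3"})


if __name__ == "__main__":
    soar = build_sample_soar()
    print(sweep_tagged_cases(soar, "Create Jira Ticket", "vulnerability"))
```

Run as a scheduled job, the summary dict is what you would log: a growing skipped_closed list points at a stale local status filter, while anything in failed deserves a look before the next run.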