Hello. I have a playbook that must be the only running instance of that playbook. I can't seem to find any "lock" functionality to facilitate this. Does anyone know if any sort of lock functionality exists out of the box? Thanks in advance!
The whole playbook does need to be locked. I envisioned a "lock" action at the beginning and an "unlock" action at the end of the playbook. The playbook is deduplicating events. Basically, the playbook checks if the event is a duplicate, and if it is, it updates the event to reflect it is a duplicate. We are using on poll to pull events from Splunk, so it's common for multiple events to be created at the same time. If two events come in at the same time that are duplicates, the "check if duplicate event" action may be run at the same time for both events, prior to either of them updating the event with the result of the check, which causes inaccurate results.
Just in case you ask about deduplicating the data prior to pulling the data into Phantom, I'll note that's not always possible for us.