From 578261d38b34286258e04d736399271300d9f447 Mon Sep 17 00:00:00 2001 From: Smitha Sundareswaran Date: Wed, 30 Mar 2022 23:12:10 -0700 Subject: [PATCH] Incorporate suggested changes --- .../PaloAltoCustomConnector/azuredeploy.json | 6 +- .../azuredeploy.json | 92 ++++++--- .../PaloAlto-PAN-OS-GetSystemInfo/readme.md | 2 +- .../azuredeploy.json | 192 +++++++++++++----- .../PaloAlto-PAN-OS-GetThreatPCAP/readme.md | 2 +- 5 files changed, 210 insertions(+), 84 deletions(-) diff --git a/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/azuredeploy.json b/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/azuredeploy.json index e6c73363cd..3763d28c51 100644 --- a/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/azuredeploy.json +++ b/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/azuredeploy.json @@ -1,6 +1,10 @@ { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", + "metadata": { + "comments": "This PaloAlto custom connector uses PAN-OS API to perform different actions on the PAN-OS VM", + "author": "Sindhu Talluri,PAN-OS" + }, "parameters": { "PaloAlto_PAN-OS_Rest_API_CustomConnector_Name": { "defaultValue": "PAN-OSRestApiCustomConnector", @@ -17,7 +21,7 @@ } }, "Service_EndPoint": { - "defaultValue": "https://fb.com", + "defaultValue": "https://{yourPaloAltoDomain}", "type": "String", "metadata": { "description": "enter the PaloAlto endpoint (ex: https://{yourPaloAltoDomain})" diff --git a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json index 2efe270465..dfb4efa4e6 100644 --- a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json +++ b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json 
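Review bot: `Service_EndPoint` now defaults to the literal placeholder `https://{yourPaloAltoDomain}`, so a deployment that leaves the parameter untouched still succeeds and creates a connector pointing at a host that cannot resolve. Dropping `defaultValue` would make the parameter mandatory and surface the mistake at deployment time. If a default has to stay, the `description` should say explicitly that the value must be replaced before deploying.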
@@ -5,11 +5,10 @@ "title": "Get System Info - Palo Alto PAN-OS XML API", "description": "This playbook gets a threat PCAP from the Panorama machine for a particular threat. ", "mainSteps": [ - "1.For each alert, check if the alert is a Palo Alto alert.", + "1. For each incident, check if the alert is a Palo Alto incident.", "2. If it is, extract the firewall device name.", "3. Make a call to the device, and get the system info.", - "4. Create a Sentinel Incident for the alert.", - "5. Update the Sentinel Incident with the system info." + "4. Update the Sentinel Incident with the system info." ], "prerequisites": [ "1. Palo Alto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region.", 
@@ -50,23 +49,62 @@ "LogAnalyticsResourceName": { "type": "string", "metadata": { - "description": "Name of the cLog Analytics instance for logging" + "description": "Name of the Log Analytics instance for logging" } } }, "variables": { "subscriptionId": "[subscription().subscriptionId]", "location": "[resourceGroup().location]", - "AzureSentinelConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuresentinel')]", - "AzureMonitorLogsConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuremonitorlogs')]", - "PaloAltoConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', parameters('CustomConnectorName'))]" + "AzureMonitorConnectionName": "[concat('azuremonitor-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "PaloAltoConnectorConnectionName": "[concat('PaloAltoConnector-', parameters('PlaybookName'))]" }, "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('PaloAltoConnectorConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureMonitorConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]" + } + } + }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[parameters('PlaybookName')]", - "location": "westus2", + "location": "[variables('location')]", "identity": { "type": "SystemAssigned" }, @@ -82,7 +120,7 @@ } }, "triggers": { - "Microsoft_Sentinel_alert": { + "Microsoft_Sentinel_incident": { "type": "ApiConnectionWebhook", "inputs": { "body": { @@ -101,18 +139,18 @@ "For_each": { "foreach": "@body('Run_query_and_list_results')?['value']", "actions": { - "If_alert_is_a_Palo_Alto_alert": { + "If_incident_is_a_Palo_Alto_incident": { "actions": { "Add_comment_to_incident_(V3)": { "runAfter": { - "Alert_-_Get_incident": [ + "Query_Palo_Alto_XML_API": [ "Succeeded" ] }, "type": "ApiConnection", "inputs": { "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "incidentArmId": "@triggerBody()?['object']?['id']", "message": "
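Review bot: The `Microsoft.Logic/workflows` resource at the end of this hunk gets no `dependsOn` for the three `Microsoft.Web/connections` resources added above it, and the `resourceId()` calls later used for `connectionId` do not create an implicit dependency. Unless a `dependsOn` sits in the part of the resource outside the hunk, the workflow can be deployed before its connections exist. The GetThreatPCAP template adds a `dependsOn` in this commit but leaves out `AzureMonitorConnectionName`; both templates should list every connection the workflow references. The workflow resource continues past the end of the hunk.

```json
"location": "[variables('location')]",
"dependsOn": [
  "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]"
],
```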
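Review bot: The trigger is renamed to `Microsoft_Sentinel_incident` here, but its `path` is not touched anywhere in this file's diff, while the GetThreatPCAP template changes `"/subscribe"` to `"/incident-creation"` in the same commit. The next hunk reads `triggerBody()?['object']?['id']`, which is only populated by the incident trigger, so if the path is still `"/subscribe"` the comment action will receive a null `incidentArmId`. The `path` line lies outside the hunk, so this needs checking against the full file and aligning with `"path": "/incident-creation"`.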

@{body('Query_Palo_Alto_XML_API')}

" }, "host": { @@ -124,23 +162,6 @@ "path": "/Incidents/Comment" } }, - "Alert_-_Get_incident": { - "runAfter": { - "Query_Palo_Alto_XML_API": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - } - }, "Query_Palo_Alto_XML_API": { "runAfter": {}, "type": "ApiConnection", 
@@ -209,17 +230,22 @@ "$connections": { "value": { "azuremonitorlogs": { - "connectionId": "[variables('AzureMonitorLogsConnector')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]", "connectionName": "azuremonitorlogs", "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuremonitorlogs')]" }, "azuresentinel": { - "connectionId": "[variables('AzureSentinelConnector')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionName": "azuresentinel", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, "paloaltoconnector": { - "connectionId": "[variables('PaloAltoConnector')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]", "connectionName": "paloaltoconnector", "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" } diff --git a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/readme.md b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/readme.md index ca9ad5b529..2d0135e333 100644 --- a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/readme.md +++ b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/readme.md 
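Review bot: Only `azuresentinel` gets `connectionProperties.authentication` in this hunk; `azuremonitorlogs` and `paloaltoconnector` point at connections that the earlier hunk creates with empty `customParameterValues` and no credentials, so they will presumably have to be authorized by hand after deployment. The readme prerequisites mention neither that step nor the role assignment (for example Microsoft Sentinel Responder) that the playbook's system-assigned identity needs before `Add_comment_to_incident_(V3)` can write to the incident; a short post-deployment section would cover both. The `connectionName` values also stay as the literals `azuremonitorlogs`, `azuresentinel` and `paloaltoconnector`, whereas the GetThreatPCAP `$connections` hunk switches to `"[variables('AzureSentinelConnectionName')]"` and its siblings; the two templates should agree.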
@@ -17,7 +17,7 @@ When a new Sentinel incident is created, this playbook gets triggered and perfor ### Prerequisites 1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) -3. Address group should be created for PAN-OS and this should be used while creating playbooks. +3. This playbook only works for Palo Alto incidents. ### Deployment instructions diff --git a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json index 5bbb270f50..40b6093340 100644 --- a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json +++ b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json @@ -5,12 +5,11 @@ "title": "Get Threat PCAP - Palo Alto PAN-OS XML API", "description": "This playbook gets a threat PCAP from the Panorama machine for a particular threat. ", "mainSteps": [ - "1.For each alert, check if the alert is a Palo Alto alert.", + "1. For each incident, check if the alert is a Palo Alto incident.", "2. If it is, extract the session ID, the PCAP ID, the firewall device name, the time at which the PCAP was generated.", "3. Make a call to the Panorama, and get the PCAP.", "4. Upload the PCAP to a blob storage account.", - "5. Create a Sentinel Incident for the alert.", - "6. Update the Sentinel Incident with a link to the blob store file." + "5. Update the Sentinel Incident with a link to the blob store file." ], "prerequisites": [ "1. Palo Alto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region.", 
@@ -57,19 +56,133 @@ } }, "variables": { + "AzureBlobConnectionName": "[concat('azureblob-', parameters('PlaybookName'))]", + "AzureStorageName": "panosthreatpcapssa", "subscriptionId": "[subscription().subscriptionId]", "location": "[resourceGroup().location]", - "AzureSentinelConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuresentinel')]", - "AzureBlobConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azureblob')]", - "AzureMonitorLogsConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuremonitorlogs')]", - "PaloAltoConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', parameters('CustomConnectorName'))]" + "AzureMonitorConnectionName": "[concat('azuremonitor-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "ContainerName": "panosthreatpcaps", + "PaloAltoConnectorConnectionName": "[concat('PaloAltoConnector-', parameters('PlaybookName'))]" }, "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-04-01", + "name": "[variables('AzureStorageName')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "minimumTlsVersion": "TLS1_2", + "supportsHttpsTrafficOnly": "true", + "allowBlobPublicAccess": "false", + "allowSharedKeyAccess": "true", + "networkAcls": { + "bypass": "AzureServices", + "defaultAction": "Allow", + "ipRules": [] + } + } + }, + { + "name": "[concat(variables('AzureStorageName'), '/default')]", + "type": 
"Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2021-02-01", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]" + ], + "properties": { + "deleteRetentionPolicy": { + "enabled": "false" + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('AzureStorageName'), '/default/', variables('ContainerName'))]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AzureStorageName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureBlobConnectionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]" + ], + "properties": { + "displayName": "[variables('AzureBlobConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]" + }, + "parameterValues": { + "accountName": "[variables('AzureStorageName')]", + "accessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName')), '2019-04-01').keys[0].value]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, 
'/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('PaloAltoConnectorConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureMonitorConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]" + } + } + }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[parameters('PlaybookName')]", - "location": "westus2", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], "identity": { "type": "SystemAssigned" }, @@ -85,7 +198,7 @@ } }, "triggers": { - "Microsoft_Sentinel_alert": { + "incident": { "type": "ApiConnectionWebhook", "inputs": { "body": { @@ -96,7 +209,7 @@ "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "path": "/subscribe" + "path": "/incident-creation" } } }, 
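Review bot: The storage account added here will hold captured traffic, yet the hunk sets `allowSharedKeyAccess` to `true`, feeds the azureblob connection from `listKeys(...).keys[0].value`, and leaves `networkAcls.defaultAction` at `Allow`. The `$connections` entry for azureblob that this commit removes authenticated with `ManagedServiceIdentity`; keeping identity-based access and granting the playbook identity a blob data role would avoid storing an account key in the connection. `AzureStorageName` is also a fixed literal, and storage account names are global, so a second deployment will collide; `"AzureStorageName": "[concat('panospcap', uniqueString(resourceGroup().id))]"` avoids that. `supportsHttpsTrafficOnly`, `allowBlobPublicAccess` and `deleteRetentionPolicy.enabled` are written as strings; the JSON literals `true`/`false` are the documented form, and disabling delete retention on an evidence store deserves a second look.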
@@ -104,20 +217,20 @@ "For_each": { "foreach": "@body('Run_query_and_list_results')?['value']", "actions": { - "If_alert_is_a_Palo_Alto_alert": { + "If_incident_is_a_Palo_Alto_incident": { "actions": { "If_PCAP_ID_Exists": { "actions": { "Add_comment_to_incident_(V3)": { "runAfter": { - "Alert_-_Get_incident": [ + "Create_blob_(V2)": [ "Succeeded" ] }, "type": "ApiConnection", "inputs": { "body": { - "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "incidentArmId": "@triggerBody()?['object']?['id']", "message": "

@{body('Create_blob_(V2)')?['Path']}

" }, "host": { @@ -129,23 +242,6 @@ "path": "/Incidents/Comment" } }, - "Alert_-_Get_incident": { - "runAfter": { - "Create_blob_(V2)": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" - } - }, "Create_blob_(V2)": { "runAfter": { "Query_Palo_Alto_XML_API": [ @@ -167,7 +263,7 @@ "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('defendpaloaltopcapsdev'))}/files", "queries": { "folderPath": "pcapblobs-palo-alto", - "name": "@{concat(string('paloalto',items('For_each')['PcapID']), string(triggerBody()?['TimeGenerated']), '.pcap')}", + "name": "@{concat(string('paloalto',items('For_each')['PcapID']), string(items('For_each')['TimeGenerated']), '.pcap')}", "queryParametersSingleEncoded": true } }, @@ -192,7 +288,7 @@ "category": "threat-pcap", "device_name": "@items('For_each')['MonitoringDeviceName']", "pcap-id": "@items('For_each')['PcapID']", - "search-time": "@triggerBody()?['TimeGenerated']", + "search-time": "@{items('For_each')['TimeGenerated']}", "sessionId": "@items('For_each')['SessionID']", "type": "export" } 
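Review bot: The `path` and `folderPath` around the changed `name` line still target the literal dataset `defendpaloaltopcapsdev` and folder `pcapblobs-palo-alto`, while this commit provisions `panosthreatpcapssa` with container `panosthreatpcaps` and keys the azureblob connection to that account, so the upload will likely fail or address an account the deployer does not own. Passing both names into the workflow as parameters sourced from `variables('AzureStorageName')` and `variables('ContainerName')` would keep them in step. The changed line also keeps `string('paloalto', items('For_each')['PcapID'])`; `string()` is documented with a single argument, so `concat('paloalto', string(items('For_each')['PcapID']), string(items('For_each')['TimeGenerated']), '.pcap')` looks like the intent. The `Create_blob_(V2)` action starts and ends outside the hunk.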
@@ -272,28 +368,28 @@ "$connections": { "value": { "azureblob": { - "connectionId": "[variables('AzureBlobConnector')]", - "connectionName": "azureblob", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]", + "connectionName": "[variables('AzureBlobConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azureblob')]" + }, + "azuremonitorlogs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]", + "connectionName": "[variables('AzureMonitorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } - }, - "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azureblob')]" - }, - "azuremonitorlogs": { - "connectionId": "[variables('AzureMonitorLogsConnector')]", - "connectionName": "azuremonitorlogs", - "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuremonitorlogs')]" - }, - "azuresentinel": { - "connectionId": "[variables('AzureSentinelConnector')]", - "connectionName": "azuresentinel", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), 
'/managedApis/azuresentinel')]" + } }, "paloaltoconnector": { - "connectionId": "[variables('PaloAltoConnector')]", - "connectionName": "paloaltoconnector", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]", + "connectionName": "[variables('PaloAltoConnectorConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" } } diff --git a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/readme.md b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/readme.md index 5194ad802e..c8e1dd124f 100644 --- a/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/readme.md +++ b/Playbooks/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/readme.md @@ -19,7 +19,7 @@ When a new Sentinel incident is created, this playbook gets triggered and perfor ### Prerequisites 1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) -3. Address group should be created for PAN-OS and this should be used while creating playbooks. +3. This playbook only works for Palo Alto incidents with a threat PCAP where the PCAP ID is not null or zero. ### Deployment instructions