cbshearer / Add-TAPMalwareToAMP

Add Proofpoint TAP Malware findings to Cisco AMP Simple Custom Detections list using PowerShell


Add-TAPMalwareToAMP

Use PowerShell to add Proofpoint TAP Malware findings to Cisco AMP Simple Custom Detections list.

This works well as a scheduled task; for example, run it every 15 minutes with $seconds set to 901 so consecutive runs overlap slightly and no detection is missed.

Input

  • Enter your TAP API and Cisco AMP API credentials in the $credfile (c:\scripts\credentials.csv)
  • Uses the location c:\scripts\ for the log and credential file.
  • The variable $seconds sets how far back in the past to look for TAP data; the default is 3600, which is also the maximum the TAP API allows.
  • The script looks up the GUID of your AMP 'Simple Custom Detections' list on each run. Once you know it, you can set it permanently in the variable $GUID (Line 77).

Processing

  • If there are results with the classification 'MALWARE' then get the threat hashes and save them in an array.
  • Loop through the unique hashes in the array and add them to Cisco AMP 'Simple Custom Detections'.

Output

  • The hash of any file added is displayed on the screen.
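The Input, Processing and Output steps above, written out as an added PowerShell example (not the repository's own script). The TAP SIEM endpoint, the AMP file_lists endpoints, the credential CSV columns (name, user, secret) and the list name used for the GUID lookup are assumptions; check them against your API documentation and console.

```powershell
# Added example, not the repository's script. Assumed: TAP SIEM endpoint,
# AMP file_lists endpoints, and a CSV with columns name,user,secret.
$credfile = 'c:\scripts\credentials.csv'
$seconds  = 901      # look-back window; the TAP API caps this at 3600

$creds = Import-Csv $credfile                     # assumed columns: name,user,secret
$tap   = $creds | Where-Object name -eq 'TAP'
$amp   = $creds | Where-Object name -eq 'AMP'

function Get-BasicAuthHeader([string]$User, [string]$Secret) {
    $pair = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$User`:$Secret"))
    return @{ Authorization = "Basic $pair" }
}

# 1. Pull TAP SIEM events for the look-back window (endpoint assumed)
$tapUri = "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=$seconds"
$events = Invoke-RestMethod -Uri $tapUri -Headers (Get-BasicAuthHeader $tap.user $tap.secret)

# 2. Collect SHA-256 attachment hashes from threats classified as MALWARE.
#    -eq is case-insensitive in PowerShell, so 'malware' also matches;
#    the regex drops URL threats, which are not file hashes.
$hashes = @()
foreach ($msg in @($events.messagesDelivered) + @($events.messagesBlocked)) {
    foreach ($t in @($msg.threatsInfoMap)) {
        if ($t.classification -eq 'MALWARE' -and $t.threat -match '^[0-9a-fA-F]{64}$') {
            $hashes += $t.threat.ToLower()
        }
    }
}
$hashes = $hashes | Sort-Object -Unique           # one submission per hash

# 3. Resolve the Simple Custom Detections list GUID (or hard-code $GUID instead)
$ampHeaders = Get-BasicAuthHeader $amp.user $amp.secret
$lists = Invoke-RestMethod -Uri 'https://api.amp.cisco.com/v1/file_lists/simple_custom_detections' -Headers $ampHeaders
$GUID  = ($lists.data | Where-Object name -like '*Simple Custom Detection*' | Select-Object -First 1).guid

# 4. Add each unique hash to the list and echo it; a failure for one hash
#    (for example, already present) does not stop the remaining hashes.
foreach ($h in $hashes) {
    try {
        Invoke-RestMethod -Method Post -Uri "https://api.amp.cisco.com/v1/file_lists/$GUID/files/$h" -Headers $ampHeaders | Out-Null
        Write-Output "Added $h"
    } catch {
        Write-Warning "Failed to add $h : $($_.Exception.Message)"
    }
}
```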
