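## Delivered threats
## TAP API Docs: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
##
## Pulls the last $Seconds of delivered-message threats from Proofpoint TAP, logs every
## threat to a daily CSV, collects the unique MALWARE hashes, and POSTs each one to a
## Cisco AMP Simple Custom Detection list.
## Requires C:\scripts\credentials.csv with columns Type,data and one row each for
## TAPprincipal, TAPsecret, AMPClientID and AMPKey.
$Outfile = "C:\scripts\TAP_Threats-$(Get-Date -f yyyy-MM-dd).csv" ## Log location.
$CredFile = Import-Csv 'C:\scripts\credentials.csv' ## Location of your credential file. It holds API secrets in clear text, so keep its ACL limited to the account that runs this script.
$TAPURI = "https://tap-api-v2.proofpoint.com/v2/siem/messages/delivered" ## TAP Base URI.

## Look up one credential value by its Type column.
## Throws when the row is missing or empty, so an empty "principal:" pair is never sent to an API.
function Get-CredValue {
    param(
        [Parameter(Mandatory = $true)] $Rows,   ## the imported credential CSV
        [Parameter(Mandatory = $true)] [string]$Type
    )
    $row = $Rows | Where-Object -Property Type -eq $Type | Select-Object -First 1
    if (-not $row -or [string]::IsNullOrEmpty($row.data)) {
        throw "credentials.csv has no '$Type' row with a data value."
    }
    return [string]$row.data
}

## Pull credential data from CSV file
$TAPprincipal = Get-CredValue -Rows $CredFile -Type 'TAPprincipal'
$TAPsecret = Get-CredValue -Rows $CredFile -Type 'TAPsecret'
## Set TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Seconds = 3600 ## API limits to maximum of 3600 seconds (60 min). If you run script every x number of minutes, maybe set this to x + 1 second to add a small overlap.
$Credpair = "$($TAPprincipal):$($TAPsecret)" ## Create the credential pair, then encode it
$TAPencodedcredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($Credpair))
$TAPquery = "?sinceSeconds=$Seconds&format=json" ## The query: 3600 seconds = 60 mins; format JSON
$TAPURI = $TAPURI + $TAPquery ## Building the URI from the base URI and the Query
$TAPFiles = @() ## This is the array we will put unique hashes into
#$TAPFiles += "THISISAFAKEHASH" ## Any hashes you want to add manually can be added to the array here.
#$TAPFiles += "ANOTHERFAKEHASH"
$Parameters = @{ ## Parameters for our TAP Request that were built from the above variables
    URI     = $TAPURI
    Headers = @{ 'Authorization' = "Basic $TAPencodedcredentials" }
    Method  = 'GET'
}
## -ErrorAction Stop: a failed TAP call must stop the script rather than fall through to
## "No deliveries to report.", which would make an outage look like a quiet hour.
$deliveries = Invoke-RestMethod @Parameters -ErrorAction Stop ## This runs the query against TAP and puts it into $deliveries
if (!($deliveries.messagesDelivered)) { Write-Host "No deliveries to report." }
else {
    ## Each delivered message can carry several threats; member enumeration flattens them all.
    foreach ($threat in $deliveries.messagesDelivered.threatsInfoMap) {
        ## Log all threats for this period into a CSV file for the day.
        $threat | Select-Object threattime, classification, threattype, threaturl, threat | Export-Csv -NoTypeInformation -Append $Outfile
        if ($threat.classification -eq "MALWARE") { ## We only want to look at malware threats, not phish or spam
            Write-Host "Malware threat found."
            if ($TAPFiles -notcontains $threat.threat) { ## If this threat's hash isn't already in the array, add it
                $TAPFiles += $threat.threat ## Add the threat's hash to the array and say so
                Write-Host "Adding: " $threat.threat " to array."
            }
            else { Write-Host "Not unique hash." } ## Output if the hash is already in the array
        }
        else { ## Display some info about the threats that were found.
            Write-Host "Threat ID :" $threat.threatID
            Write-Host "Threat classification :" $threat.classification
            Write-Host "Threat type :" $threat.threattype
            Write-Host "Threat :" $threat.threat
            Write-Host "--------------"
        }
    }
}

### AMP ###
## AMP API Docs: https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1
## Pull credential data from CSV file
$AMPClientID = Get-CredValue -Rows $CredFile -Type 'AMPClientID'
$AMPKey = Get-CredValue -Rows $CredFile -Type 'AMPKey'
## Other AMP specific variables
$day = Get-Date -f yyyy-MM-dd ## Date as 4 digit year, 2 digit month, 2 digit day (for AMP description)
$AMPDescription = "TAP via PowerShell" ## Note on AMP list entry
$AMPcredpair = "$($AMPClientID):$($AMPKey)" ## Creating the credential
$AMPencodedcredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($AMPcredpair))
$AMPHeaders = @{ 'Authorization' = "Basic $AMPencodedcredentials" } ## Shared by every AMP call below
$AMPBody = @{ description = "$AMPDescription $day" } ## Adding the description to the body
## $GUID = "this-is-my-GUID" ## This can be set to your GUID (inside the quotes) once you know it so it doesn't need to run the query every time and waste an api call.
## API Query to find AMP Simple Custom Detection GUID and define it as $GUID if it is unknown.
if ([string]::IsNullOrEmpty($GUID)) {
    $AMPURIEndpointFolder = "https://api.amp.cisco.com/v1/file_lists/simple_custom_detections"
    $AMPFolderParameters = @{
        URI     = $AMPURIEndpointFolder
        Headers = $AMPHeaders
        Method  = 'GET'
    }
    $AMPFolderGUID = Invoke-RestMethod @AMPFolderParameters -ErrorAction Stop
    $AMPLists = @($AMPFolderGUID.data.GUID)
    ## With zero or several lists the request path below would be built from an empty or
    ## space-joined value; insist on exactly one, or ask the operator to pin $GUID.
    if ($AMPLists.Count -ne 1) {
        throw "Expected exactly one Simple Custom Detection list, found $($AMPLists.Count). Set `$GUID explicitly near the top of the AMP section."
    }
    $GUID = [string]$AMPLists[0]
    Write-Host "GUID is:" $GUID ## Enter this into the commented-out $GUID line above, and uncomment it to save yourself some API calls.
}
if ($TAPFiles.Count -eq 0) { Write-Host "I'm null." } ## Say so if no result
else {
    foreach ($AMPFile in $TAPFiles) { ## Loop through all $TAPFiles and add them each
        ## AMP file lists are keyed by SHA-256. TAP's threat field can also hold a URL for
        ## url-type threats, so only a 64-hex-character value may go into the request path.
        if ($AMPFile -notmatch '^[0-9a-fA-F]{64}$') {
            Write-Warning "Skipping '$AMPFile': not a SHA-256 hash, not sent to AMP."
            continue
        }
        ## Building the URI Endpoint based on the documentation
        $AMPURIEndpoint = "https://api.amp.cisco.com/v1/file_lists/$GUID/files/$AMPFile"
        ## Display each hash and endpoint
        Write-Host "Hash:" $AMPFile
        Write-Host "URI :" $AMPURIEndpoint
        Write-Host "--------------"
        $AMPParameters = @{
            URI     = $AMPURIEndpoint
            Headers = $AMPHeaders
            Method  = 'POST'
            Body    = $AMPBody
        }
        ## Add this hash to AMP. A failed add is reported (not silently dropped) and the
        ## loop carries on with the remaining hashes.
        try {
            $AMPadd = Invoke-RestMethod @AMPParameters -ErrorAction Stop
            $AMPadd
        }
        catch {
            Write-Warning "Failed to add $AMPFile to AMP list ${GUID}: $($_.Exception.Message)"
        }
    }
}
if (Get-Content $Outfile -ErrorAction SilentlyContinue) { Write-Host -f cyan $Outfile } ## Only display the output file if it exists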