alexverboon
* Regions PoC
Hey. Long time no talk :)
according to MS: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list
"For better performance, you can use server closer to your geo location:"
so lets add support to this in cfg
Changing this prior to the OAUTH token request renders the following error (tested with api-uk)
Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://api-uk.securitycenter.windows.com was not found in the tenant named
{security string redacted} This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have
sent your authentication request to the wrong tenant.\r\nTrace ID: {security string redacted}\r\nCorrelation ID: {security string redacted}\r\nTimestamp: 2021-03-04
19:36:53Z","error_codes":[500011],"timestamp":"2021-03-04
19:36:53Z","trace_id":"{security string redacted}","correlation_id":"836152ab-6485-4e49-96ac-7ace2013f268","error_uri":"https://login.windows.net/error?code=500011"}
At line:14 char:13
+ $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
It may therefore be more beneficial to provide the localisation as an addition option parameter on calls like Get-MDATPDevice -DeviceName "SomeComputer" -Region "UK" and then in the script do the below after building DeviceUri
$DeviceUri = "https://api.securitycenter.windows.com/api/machines"
if ($Region){
$DeviceUri = $DeviceUri -replace "/api.sec", "/api-$Region.sec"
}
$DeviceUri
Note: Had to put "/api.sec" otherwise just "/api." would replace "/api/" for some unknown reason to me.
You'll also need somewhere to globally manage the accepted Regions to simplify the addition or removal later on.
@bozhinov You could leave the $DeviceUri to look at the config file but the OAUTH needs to stay as /api.
But it was not the point to just auth to the regional server but to do the "heavy" op on it. This needs more investigation.
I just wanted to say Hi to @alexverboon. Thought this FR was a no brainer. I was mistaken :)
@bozhinov
You need to auth to the non regional server and then you can do the workload on the regional one
Like this:
Write-Verbose "Checking for $PoshMTPconfigFilePath"
If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
$ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
**$Uri = $ConfigSettings.API_MDATP.Uri**
$OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
$ClientID = $ConfigSettings.API_MDATP.ClientID
$ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
}
Else{
Write-Error "$PoshMTPconfigFilePath not found"
Break
}
# End Get API Information
# Connect with MDATP API
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Body = @{
**resource = "https://api.securitycenter.windows.com"**
client_id = $ClientID
client_secret = $ClientSecret
grant_type = 'client_credentials'
redirectUri = "https://localhost:8000"
}
$Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
#$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
#$access_token = $Authorization.access_token
$headers = @{
'Content-Type' = 'application/json'
Accept = 'application/json'
Authorization = "Bearer $($Response.access_token)"
}
}
Process{
**$MDATP_API_URI = "${Uri}/api"**
See how the API connection remains on the original URL however the workload request URL (in this case MDATP_API_URI) use the config file URL
Come to think about it this may be worth highlighting to MS as they should have probably allowed these new regional URL's to do the authentication as well and not just the workload.