Regions PoC by bozhinov · Pull Request #2 · alexverboon/PSMDATP · GitHub
Regions PoC #2

Open: bozhinov wants to merge 2 commits into master

Conversation

bozhinov
@bozhinov bozhinov commented Mar 4, 2021

Hey. Long time no talk :)

According to MS:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list

"For better performance, you can use server closer to your geo location:"

So let's add support for this in cfg.

@LinkOps
LinkOps commented Mar 4, 2021
Changing this prior to the OAUTH token request renders the following error (tested with api-uk):

Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://api-uk.securitycenter.windows.com was not found in the tenant named {security string redacted} This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: {security string redacted}\r\nCorrelation ID: {security string redacted}\r\nTimestamp: 2021-03-04 19:36:53Z","error_codes":[500011],"timestamp":"2021-03-04 19:36:53Z","trace_id":"{security string redacted}","correlation_id":"836152ab-6485-4e49-96ac-7ace2013f268","error_uri":"https://login.windows.net/error?code=500011"}
At line:14 char:13
+ $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

It may therefore be more beneficial to provide the localisation as an additional optional parameter on calls like Get-MDATPDevice -DeviceName "SomeComputer" -Region "UK" and then, in the script, do the below after building DeviceUri:

$DeviceUri = "https://api.securitycenter.windows.com/api/machines"
if ($Region) {
    # -replace is regex-based, so in the pattern "." matches any character:
    # a bare "/api." would also match the "/api/" path segment. Including the
    # "sec" that follows the host's dot limits the match to the hostname.
    $DeviceUri = $DeviceUri -replace "/api.sec", "/api-$Region.sec"
}
$DeviceUri

Note: Had to put "/api.sec" otherwise just "/api." would replace "/api/" for some unknown reason to me.

You'll also need somewhere to globally manage the accepted Regions to simplify the addition or removal later on.

This reverts commit c82ba7e.
Comment on lines 123 to 124
resource = "https://api.securitycenter.windows.com"
resource = $Uri

Changing this to regional affects the OAUTH process, resulting in a failure message, although the script does continue:

Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named
https://api-uk.securitycenter.windows.com was not found in the tenant

@LinkOps
LinkOps commented Mar 4, 2021

@bozhinov You could leave the $DeviceUri to look at the config file but the OAUTH needs to stay as /api.

@bozhinov
Author
bozhinov commented Mar 4, 2021

But it was not the point to just auth to the regional server but to do the "heavy" op on it.
This needs more investigation.

I just wanted to say Hi to @alexverboon. Thought this FR was a no brainer. I was mistaken :)

@LinkOps
LinkOps commented Mar 4, 2021

@bozhinov

You need to auth to the non-regional server, and then you can do the workload on the regional one.

Like this:

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings  = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $Uri             = $ConfigSettings.API_MDATP.Uri        # highlighted: (regional) URL read from the config file
            $OAuthUri        = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID        = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret    = $ConfigSettings.API_MDATP.ClientSecret
        }
        Else{
            Write-Error "$PoshMTPconfigFilePath not found"
            Break
        }
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = "https://api.securitycenter.windows.com"   # highlighted: OAuth resource stays on the global host
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        }
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        }
    }
    Process{
        $MDATP_API_URI = "${Uri}/api"   # highlighted: workload calls use the config file (regional) URL

See how the API connection remains on the original URL; however, the workload request URL (in this case MDATP_API_URI) uses the config file URL.
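Putting the two suggestions from this thread together (an optional -Region parameter backed by one centrally managed allow-list, and a token request that always names the global resource while workload calls go to the regional host), here is an added example. It is not code from PSMDATP or from this PR: the function names Get-MDATPApiBaseUri, Get-MDATPAccessToken and Get-MDATPMachines are hypothetical, and only the "uk" region is confirmed by this thread; "us" and "eu" are assumptions to be checked against the MS docs page linked in the PR. It also reproduces the -replace behaviour noted above, where a bare "/api." pattern rewrites more than the hostname.

```powershell
# Added example, not part of PSMDATP or this PR. Function names are hypothetical.

# Single place to manage accepted regions (only "uk" is confirmed in this thread;
# "us" and "eu" are assumptions to verify against the Microsoft docs).
$script:MDATPRegions = @('uk', 'us', 'eu')

# The OAuth token request must name the global resource principal. Using a
# regional host here produced AADSTS500011 (invalid_resource) in the thread.
$script:MDATPOAuthResource = 'https://api.securitycenter.windows.com'

function Get-MDATPApiBaseUri {
    # Returns the base URI for workload calls; empty -Region means the global host.
    [CmdletBinding()]
    param(
        [Parameter()]
        [string]$Region
    )
    if ([string]::IsNullOrWhiteSpace($Region)) {
        return 'https://api.securitycenter.windows.com/api'
    }
    $r = $Region.ToLowerInvariant()
    if ($script:MDATPRegions -notcontains $r) {
        throw "Unsupported region '$Region'. Accepted: $($script:MDATPRegions -join ', ')"
    }
    # Build the host explicitly rather than patching a URL with -replace,
    # so the region value can never touch the path portion of the URI.
    return "https://api-$r.securitycenter.windows.com/api"
}

function Get-MDATPAccessToken {
    # Client-credentials flow against the tenant's OAuth endpoint; the
    # resource is always the global host regardless of the chosen region.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OAuthUri,
        [Parameter(Mandatory)][string]$ClientID,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $body = @{
        resource      = $script:MDATPOAuthResource   # global, never regional
        client_id     = $ClientID
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
    }
    $response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
    return $response.access_token
}

function Get-MDATPMachines {
    # Workload call: the bearer token obtained from the global resource is
    # sent to the regional API host selected by -Region.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter()][string]$Region
    )
    $uri = "$(Get-MDATPApiBaseUri -Region $Region)/machines"
    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $AccessToken"
    }
    Write-Verbose "Querying $uri"
    Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
}

# Offline checks of the URI builder (no network or credentials needed).
Get-MDATPApiBaseUri
Get-MDATPApiBaseUri -Region 'UK'
try { Get-MDATPApiBaseUri -Region 'xx' } catch { Write-Warning $_ }

# The -replace pitfall from the thread: "." in a regex matches any character,
# so the unescaped pattern matches both the host's "api." and the "/api/" path.
$sample = 'https://api.securitycenter.windows.com/api/machines'
$sample -replace '/api.', '/api-uk.'                   # rewrites host AND path segment
$sample -replace [regex]::Escape('/api.'), '/api-uk.'  # escaped: rewrites only the host
```

Usage: call Get-MDATPAccessToken once with the OAuthUri, ClientID and ClientSecret from the config file, then pass the token and the desired -Region to Get-MDATPMachines. Validating the region against $script:MDATPRegions before any string is built into a URI is what keeps an unexpected config or parameter value from changing which host the token is sent to; the last two lines show why [regex]::Escape (or a hostname built from parts) is preferable to a bare -replace pattern.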

@LinkOps
LinkOps commented Mar 4, 2021

Come to think about it, this may be worth highlighting to MS, as they should probably have allowed these new regional URLs to do the authentication as well and not just the workload.

@LinkOps
LinkOps commented Mar 4, 2021

I've raised this with Microsoft support ;)

@bozhinov
Author
bozhinov commented Mar 4, 2021

10 years ago I would have told you you were a mad person (giggle)
