Skip to content
This repository was archived by the owner on Jun 27, 2026. It is now read-only.

* Regions PoC#2

Open
bozhinov wants to merge 2 commits into
alexverboon:masterfrom
bozhinov:master
Open

* Regions PoC#2
bozhinov wants to merge 2 commits into
alexverboon:masterfrom
bozhinov:master

Conversation

@bozhinov

@bozhinov bozhinov commented Mar 4, 2021

Copy link
Copy Markdown

Hey. Long time no talk :)

according to MS:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list

"For better performance, you can use server closer to your geo location:"

so lets add support to this in cfg

@LinkOps

LinkOps commented Mar 4, 2021

Copy link
Copy Markdown
Changing this prior to the OAUTH token request renders the following error (tested with api-uk)
Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://api-uk.securitycenter.windows.com was not found in the tenant named 
{security string redacted} This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have 
sent your authentication request to the wrong tenant.\r\nTrace ID: {security string redacted}\r\nCorrelation ID: {security string redacted}\r\nTimestamp: 2021-03-04 
19:36:53Z","error_codes":[500011],"timestamp":"2021-03-04 
19:36:53Z","trace_id":"{security string redacted}","correlation_id":"836152ab-6485-4e49-96ac-7ace2013f268","error_uri":"https://login.windows.net/error?code=500011"}
At line:14 char:13
+ $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

It may therefore be more beneficial to provide the localisation as an addition option parameter on calls like Get-MDATPDevice -DeviceName "SomeComputer" -Region "UK" and then in the script do the below after building DeviceUri

$DeviceUri = "https://api.securitycenter.windows.com/api/machines"
		if ($Region){
			$DeviceUri = $DeviceUri -replace "/api.sec", "/api-$Region.sec"
		}
		$DeviceUri

Note: Had to put "/api.sec" otherwise just "/api." would replace "/api/" for some unknown reason to me.

You'll also need somewhere to globally manage the accepted Regions to simplify the addition or removal later on.

This reverts commit c82ba7e.
Comment thread src/PSMDATP/Public/Get-MDATPDevice.ps1 Outdated
Comment on lines +123 to +124
resource = "https://api.securitycenter.windows.com"
resource = $Uri

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing this to regional affects the OAUTH process resulting in a failure message although the script does continue

Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named
https://api-uk.securitycenter.windows.com was not found in the tenant

@LinkOps

LinkOps commented Mar 4, 2021

Copy link
Copy Markdown

@bozhinov You could leave the $DeviceUri to look at the config file but the OAUTH needs to stay as /api.

@bozhinov

bozhinov commented Mar 4, 2021

Copy link
Copy Markdown
Author

But it was not the point to just auth to the regional server but to do the "heavy" op on it.
This needs more investigation.

I just wanted to say Hi to @alexverboon. Thought this FR was a no brainer. I was mistaken :)

@LinkOps

LinkOps commented Mar 4, 2021

Copy link
Copy Markdown

@bozhinov

You need to auth to the non regional server and then you can do the workload on the regional one

Like this:

Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings  = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            **$Uri             = $ConfigSettings.API_MDATP.Uri**
            $OAuthUri        = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID        = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret    = $ConfigSettings.API_MDATP.ClientSecret
        }
        Else{
            Write-Error "$PoshMTPconfigFilePath not found"
            Break
        }
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            **resource      = "https://api.securitycenter.windows.com"**
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        }
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        }
    }
    Process{
        **$MDATP_API_URI = "${Uri}/api"**

See how the API connection remains on the original URL however the workload request URL (in this case MDATP_API_URI) use the config file URL

@LinkOps

LinkOps commented Mar 4, 2021

Copy link
Copy Markdown

Come to think about it this may be worth highlighting to MS as they should have probably allowed these new regional URL's to do the authentication as well and not just the workload.

@LinkOps

LinkOps commented Mar 4, 2021

Copy link
Copy Markdown

I've raised this with Microsoft support ;)

@bozhinov

bozhinov commented Mar 4, 2021

Copy link
Copy Markdown
Author

10 years ago I would have told you you were a mad person (gigle)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants