* Regions PoC

[bozhinov]

Hey. Long time no talk :)

according to MS:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list

"For better performance, you can use server closer to your geo location:"

so lets add support to this in cfg

[LinkOps]

Changing this prior to the OAUTH token request renders the following error (tested with api-uk)
Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://api-uk.securitycenter.windows.com was not found in the tenant named 
{security string redacted} This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have 
sent your authentication request to the wrong tenant.\r\nTrace ID: {security string redacted}\r\nCorrelation ID: {security string redacted}\r\nTimestamp: 2021-03-04 
19:36:53Z","error_codes":[500011],"timestamp":"2021-03-04 
19:36:53Z","trace_id":"{security string redacted}","correlation_id":"836152ab-6485-4e49-96ac-7ace2013f268","error_uri":"https://login.windows.net/error?code=500011"}
At line:14 char:13
+ $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

It may therefore be more beneficial to provide the localisation as an addition option parameter on calls like Get-MDATPDevice -DeviceName "SomeComputer" -Region "UK" and then in the script do the below after building DeviceUri

$DeviceUri = "https://api.securitycenter.windows.com/api/machines"
		if ($Region){
			$DeviceUri = $DeviceUri -replace "/api.sec", "/api-$Region.sec"
		}
		$DeviceUri

Note: Had to put "/api.sec" otherwise just "/api." would replace "/api/" for some unknown reason to me.

You'll also need somewhere to globally manage the accepted Regions to simplify the addition or removal later on.

[LinkOps]

Changing this to regional affects the OAUTH process resulting in a failure message although the script does continue

Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named
https://api-uk.securitycenter.windows.com was not found in the tenant

[LinkOps]

@bozhinov You could leave the $DeviceUri to look at the config file but the OAUTH needs to stay as /api.

[bozhinov]

But it was not the point to just auth to the regional server but to do the "heavy" op on it.
This needs more investigation.

I just wanted to say Hi to @alexverboon. Thought this FR was a no brainer. I was mistaken :)

[LinkOps]

@bozhinov

You need to auth to the non regional server and then you can do the workload on the regional one

Like this:

Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings  = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            **$Uri             = $ConfigSettings.API_MDATP.Uri**
            $OAuthUri        = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID        = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret    = $ConfigSettings.API_MDATP.ClientSecret
        }
        Else{
            Write-Error "$PoshMTPconfigFilePath not found"
            Break
        }
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            **resource      = "https://api.securitycenter.windows.com"**
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        }
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        }
    }
    Process{
        **$MDATP_API_URI = "${Uri}/api"**

See how the API connection remains on the original URL however the workload request URL (in this case MDATP_API_URI) use the config file URL

[LinkOps]

Come to think about it this may be worth highlighting to MS as they should have probably allowed these new regional URL's to do the authentication as well and not just the workload.

[LinkOps]

I've raised this with Microsoft support ;)

[bozhinov]

10 years ago I would have told you you were a mad person (gigle)