Lateral Movement Path and API

  • Question

  • Hello,

    I would like to use some simple script to query ATA using APIs.

    I already know that there is such possibility for suspicious activities, by sending a request as follows:

    https://$ATACenter/api/management/suspiciousActivities/

    or, for a specific activity id:

    https://$ATACenter/api/management/suspiciousActivities/$id

    Is there a similar possibility to use for Lateral Movement Paths?

    This functionality is there for report generations, I'm wondering if there is a public accessible API.

    Tuesday, October 30, 2018 12:51 PM

All replies

  • Hello,

    As far as I know, there is no public API for ATA currently.

    A similar request has already been submitted on the ATA UserVoice site below, and you can vote for it.

    https://microsoftsecurity.uservoice.com/forums/905158-advanced-threat-analytics/suggestions/34849822-public-api-documentation-for-ata-center-console

    Best regards,
    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 31, 2018 7:20 AM
  • Hello Andy,

    Even without a public and documented API, there is such functionality. The link for voting you provided also mentions a PowerShell script (https://www.powershellgallery.com/packages/Advanced-Threat-Analytics/0.0.12) that could be used for that.

    What I'm looking for is similar functionality to retrieve information about Lateral Movement Paths. Or just the REST structure to be used with "Invoke-RestMethod", then I can maybe figure it out.

    Christian

    Wednesday, October 31, 2018 9:17 AM
  • In theory you might be able to reverse engineer how to use any API on the center if you have the privileges..

    We don't document those for a reason, we don't want people to use them, as improper  usage can bring a system down. Also, we want to be "free" to change those APIs without breaking any 3rd party...

    Wednesday, October 31, 2018 2:08 PM
  • Without knowing exactly what you are trying to do it would be tough to figure this one out. Do you want the same data that is in the lateral movement path report? Or do you want to check an account to see if it has known lateral movement paths and what they are?

    I don’t have this use case, but working through some others in ATA. My suggestion here would be to use the developer tools with network tab or view enabled and mimic in the GUI what you are trying to get programmatically. If it’s the lateral movement path report, you can see how the console accessed the excel doc, make the same call with invoke-restmethod, download the report, and use powershell to open and parse the data. Should be examples out there for importing excel document data with powershell.

    To check a user account for lateral movement paths, you can browse to the page that shows the paths per user. Be aware there are multiple API calls needed, like getting the unique ATA account id from the user's actual account name, then a second request for data on that account.

    From what I can see with ATA, the entire GUI was built over an api, for the most part. Not all documented, but if you can do it in the GUI, you can likely get the same data by making api call(s). Another option to browser dev tools is to use fiddler, as you might get a cleaner view and can use it to help debug your power shell script api calls as well.

    Wednesday, October 31, 2018 6:47 PM
  • This powershell command can be used to pull down the Lateral Movement path report:

    Invoke-WebRequest -Uri "https://YourMSATAURLHERE/api/management/reports/EscalationPaths?startDate=2018-10-25T00:00:00.000Z&endDate=2018-11-01T00:00:00.000Z&localeId=en-us" -UseDefaultCredentials -ContentType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet -OutFile "Drive:\path\to\file.xlsx"

    Requires that you are running PowerShell with an account that has permissions within ATA. You can then import that xlsx to work with the data in it; it looks like there is a module for this called PSExcel.

    Thursday, November 1, 2018 12:49 PM
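A small PowerShell wrapper around the two endpoints quoted in this thread (the EscalationPaths report and suspiciousActivities), added here as an example and not code from the thread's participants or from Microsoft. The function names, the -Days window, the output path, the .xlsx sanity check and the hostname are my own assumptions; as the Microsoft replies note, these endpoints are undocumented and may change.

```powershell
# Added example: wraps the undocumented ATA Center endpoints quoted in the thread.
# Function names, parameters and output path are the example's own choices.

function Get-AtaLateralMovementReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AtaCenter,   # ATA Center host, e.g. ata.contoso.local (hypothetical)
        [int]    $Days    = 7,
        [string] $OutFile = (Join-Path $env:TEMP 'ata-escalation-paths.xlsx')
    )
    # The report endpoint takes an ISO 8601 UTC window; build it from "now" backwards.
    $fmt   = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddDays(-$Days)
    $uri   = "https://$AtaCenter/api/management/reports/EscalationPaths" +
             "?startDate=$($start.ToString($fmt))&endDate=$($end.ToString($fmt))&localeId=en-us"

    # Integrated Windows auth from the caller's logon, as in the thread; the account needs ATA permissions.
    $resp = Invoke-WebRequest -Uri $uri -UseDefaultCredentials `
        -ContentType 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' `
        -OutFile $OutFile -PassThru

    if ($resp.StatusCode -ne 200 -or -not (Test-Path $OutFile)) {
        throw "Report download failed (HTTP $($resp.StatusCode))"
    }
    # Sanity check: an .xlsx is a ZIP container and starts with the bytes 'PK'.
    # A redirect to a sign-in page would otherwise leave you with HTML named .xlsx.
    $magic = [System.IO.File]::ReadAllBytes($OutFile)[0..1]
    if (-not ($magic[0] -eq 0x50 -and $magic[1] -eq 0x4B)) {
        throw "Downloaded file is not an .xlsx (received an HTML page instead?)"
    }
    return Get-Item $OutFile
}

function Get-AtaSuspiciousActivity {
    param(
        [Parameter(Mandatory)] [string] $AtaCenter,
        [string] $Id    # omit to list all suspicious activities
    )
    $uri = "https://$AtaCenter/api/management/suspiciousActivities/"
    if ($Id) { $uri += $Id }
    # Invoke-RestMethod parses the JSON body into objects for you.
    Invoke-RestMethod -Uri $uri -UseDefaultCredentials
}

# Usage (hostname is a placeholder; replace with your ATA Center):
# Get-AtaLateralMovementReport -AtaCenter 'ata.contoso.local' -Days 7
# Get-AtaSuspiciousActivity   -AtaCenter 'ata.contoso.local' | Select-Object -First 5
```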
  • How to programmatically retrieve the reports, and data about single user lateral movement path is clear.

    With the latter I get the data I want, but it is not feasible to iterate through all the users and check for a path.

    What I would like to achieve is to get data for lateral movement paths which are active now. This is similar to the suspicious activity approach, where it is possible to get all open suspicious activities. A similar approach for lateral movement paths would be "give me all the open paths". I suppose that the generation of the report follows this approach. Following the debugger in the developer tools could be a way, but it takes quite some time as I can see.

    @Eli Ofek, proper documentation, which shows how to do that safely, would address precisely the use of the technology without taking down systems. I think this would bring a little less freedom to the vendor, but more flexibility for customers, which in the end translates to additional value for ATA.

    Thursday, November 8, 2018 2:14 PM
  • I agree that an official/supported Web API would be good for some customers, but it's not as easy as it sounds.
    And sadly, although it's been on the list for a long time, I don't think it will get priority anytime soon.

    Please be careful with playing with unsupported APIs; it can really cause issues.

    Thursday, November 8, 2018 2:22 PM