Authentication via PowerShell

Hello all,

We are attempting to send logs from Akamai to our Microsoft Sentinel cluster. As a serverless solution, we are trying to use PowerShell to authenticate. In our request we followed documentation to create the following script. We are getting an error using it for “detail”: “Unsupported authorization algorithm” and have been unable to determine where the error resides.

```powershell
$client_token = ""
$access_token = ""
$client_secret = ""
# Calculate current UTC timestamp in the prescribed format
$time_stamp_local = Get-Date
$time_stamp_utc = [System.TimeZoneInfo]::ConvertTimeBySystemTimeZoneId($time_stamp_local, [System.TimeZoneInfo]::Local.Id, 'GMT Standard Time')
$time_stamp = $time_stamp_utc.ToString("yyyyMMddTHH:mm:sszz00")
$nonce = New-Guid
# Get data for encryption
$SiemURL = "";
$SiemURLParts = $SiemURL -split "(./{2})(.?)(/)(.*)"
$DataToEncrypt = "GET" + "`thttps`t" + $SiemURL[2] + "`t" + $SiemURL[3] + $SiemURL[4] + "`t`t`t" + "EG1-HMAC-SHA256 " + "client_token=" + $client_token + ";" + "access_token=" + $access_token + ";" + "timestamp=" + $time_stamp + ";" + "nonce=" + $nonce + ";"

# Encryption function: Base64-encoded HMAC-SHA256 of the message under the given key
Function EncryptMessage ($key, $plain_message)
{
    [byte[]] $keyByte = [System.Text.Encoding]::ASCII.GetBytes($key)
    [byte[]] $plainMessageBytes = [System.Text.Encoding]::ASCII.GetBytes($plain_message)
    $hmacSha = New-Object System.Security.Cryptography.HMACSHA256((,$keyByte))
    $encryptedMessage = $hmacSha.ComputeHash($plainMessageBytes)
    $base64Message = [System.Convert]::ToBase64String($encryptedMessage)
    return $base64Message
}
# Encrypt timestamp with client secret
$timeStampKey = EncryptMessage -key $client_secret -plain_message $time_stamp
# Encrypt request data with encrypted timestamp
$signature = EncryptMessage -key $timeStampKey -plain_message $DataToEncrypt
# Combine all elements of authorization header
$Header = "EG1-HMAC-SHA256 " + "client_token=" + $client_token + ";" + "access_token=" + $access_token + ";" + "timestamp=" + $time_stamp + ";" + "nonce=" + $nonce + ";" + "signature=" + $signature
$headers = @{
    'Authorization' = "'" + $Header + "'"
}
Invoke-RestMethod -Method 'Get' -Uri $SiemURL -Headers $headers
```


Hi Biers,

Thanks for reaching out regarding the PowerShell module. It is unclear to me how this error is occurring, EG1-HMAC-SHA256 should be supported with Akamai EdgeGrid, including PowerShell. Also the timestamp needs to be within 10 seconds time skew from NTP servers.

I will ask the PowerShell experts internally if they have any ideas on what could be happening here.

/Mike


Hi @biers,

Are you attempting to pull down logs from the Akamai SIEM API? The $SiemURL in your code is empty, though I suspect that is redaction rather than an error. In any case, are you familiar with the Akamai PowerShell module? We have functions for the EdgeGrid auth (Invoke-AkamaiRestMethod) and also abstracted functions for pretty much everything else, including pulling SIEM logs (Get-SIEMData). If you are interested you can install it from the gallery (Install-Module AkamaiPowershell) or pull it from GitHub here: akamai/akamaipowershell (PowerShell module for Akamai {OPEN} APIs).

With regards to your code I have a feeling the split regex isn't quite right. When I split a URL I don’t get the breakdown of scheme, host and uri that I would expect, and also in your $DataToEncrypt line it references $SiemURL rather than $SiemURLParts. Could you try with this regular expression?

"(https?:\/\/)([^\/]+)(.*)"

This will produce the scheme, host and uri as separate items. You don’t need to split the path and query for EdgeGrid auth.

However, I really would recommend using the module. It hugely simplifies all this, and is only 8MB in size if you are doing things in a container.


The empty spaces are indeed redactions.

We were initially looking into the module however due to our use case, we cannot currently run a container unfortunately.

I made the changes to $SIEMUrlParts and we did try with your updated regex, however we are still getting the same “Unsupported authorization algorithm” error.

OK, so you could do it a few ways then. You could simply copy the existing Invoke-AkamaiRestMethod function into your own script then call it. That would likely be easiest. If you would rather find the cause in your code, can you capture the resulting authorization header (either by printing it or through a proxy like Fiddler) and paste it in here? Feel free to redact, of course, but there should be nothing really sensitive in there. I suspect something about the format is off and the server is finding something else in the place it believes it should find the algorithm.
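An added example, not part of the thread and not the Akamai module's code: a minimal builder for an EG1-HMAC-SHA256 Authorization value that follows the signing steps of the original script (timestamp-derived key, tab-separated request data), together with a format check of the kind suggested above for inspecting a captured header. Function names, credentials and the URL are hypothetical; the field order and the `+0000` timestamp form are assumptions about the EdgeGrid scheme. The check returns `$false` for any value that has extra characters, such as a wrapping quote, in front of the scheme name.

```powershell
# Added example: hypothetical helper names, constructed sample values.
function Get-HmacSha256Base64 {
    param([string]$Key, [string]$Message)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Key))
    try { [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Message))) }
    finally { $hmac.Dispose() }
}

function New-EdgeGridAuthHeader {
    param([string]$Method, [uri]$Uri,
          [string]$ClientToken, [string]$AccessToken, [string]$ClientSecret)
    # UTC timestamp with an explicit +0000 offset (assumed form) and a fresh nonce per request
    $timestamp = [DateTime]::UtcNow.ToString("yyyyMMdd'T'HH:mm:ss'+0000'",
                     [Globalization.CultureInfo]::InvariantCulture)
    $nonce = [guid]::NewGuid().ToString()
    $authBase = "EG1-HMAC-SHA256 client_token=$ClientToken;access_token=$AccessToken;" +
                "timestamp=$timestamp;nonce=$nonce;"
    # Signing key: Base64(HMAC-SHA256(client secret, timestamp))
    $signingKey = Get-HmacSha256Base64 -Key $ClientSecret -Message $timestamp
    # Signed data: method, scheme, host, path+query, two empty fields (no signed
    # headers, no body hash for a GET), then the unsigned header, tab-separated
    $dataToSign = ($Method.ToUpper(), $Uri.Scheme, $Uri.Authority, $Uri.PathAndQuery,
                   '', '', $authBase) -join "`t"
    $signature = Get-HmacSha256Base64 -Key $signingKey -Message $dataToSign
    return $authBase + "signature=$signature"
}

function Test-EdgeGridAuthHeader {
    param([string]$Value)
    # The scheme name must be the very first token, followed by the five fields in order.
    # An HMAC-SHA256 digest is 32 bytes, so its Base64 form is 43 characters plus one '='.
    $pattern = '^EG1-HMAC-SHA256 client_token=[^;]+;access_token=[^;]+;' +
               'timestamp=\d{8}T\d{2}:\d{2}:\d{2}\+0000;nonce=[0-9a-fA-F-]{36};' +
               'signature=[A-Za-z0-9+/]{43}=$'
    return $Value -cmatch $pattern
}

# Constructed sample input (not real credentials or a real host)
$sample = New-EdgeGridAuthHeader -Method GET `
    -Uri 'https://example.invalid/siem/v1/configs/12345?from=1674086045' `
    -ClientToken 'akab-client-example' -AccessToken 'akab-access-example' `
    -ClientSecret 'example-secret'

Test-EdgeGridAuthHeader $sample       # header exactly as built
Test-EdgeGridAuthHeader "'$sample'"   # same value wrapped in quote characters
```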

Sorry for the delay, we believe we are able to import the methods into the PowerShell on Sentinel side. During testing we received an unauthorized error though, so it appears our API does not have the correct permissions set. We did have this updated to role Manage SIEM, but are still getting unauthorized errors.

This is the error from a bit ago from testing. Have not received a response from the Akamai support group, who I emailed on January 9th and 10th and today again.

```json
{
  "type": "https://problems.cloudsecurity.akamaiapis.net/siem/v1/unauthorized",
  "title": "Unauthorized",
  "instance": "https://<redacted>.luna.akamaiapis.net/siem/v1/configs/12345?from=1674086045",
  "detail": "The specified user is unauthorized to access the requested data",
  "method": "GET",
  "serverIp": "<redacted>",
  "clientIp": "<redacted>",
  "requestId": "a1a3cd7",
  "requestTime": "2024-01-08T18:05:45Z"
}
```

Hey @biers,

Sorry to hear you’re not having any luck with Akatec. Can you email me at smacleod@akamai.com and I can dive in? I have had a quick look at your setup and it looks right, but obviously something else is amiss.

Thanks

Hi Stuart,

Thank you but we did get the effort elevated and resolved. We are now connecting and pulling logs in Sentinel! Thank you.
