Can't connect to remote Center about advanced-threat-analytics HOT 6 OPEN

Hi @hkelley

Are you running the command on the ATACenter itself or are you running on a remote machine?

If your ATACenter is hosted on a different machine, you need to first run Set-ATACenterURL to specify the remote URL. For example, if your ATA portal is accessible by atacenter.contoso.com you need to run:

Set-ATACenterURL -URL "atacenter.contoso.com"

from advanced-threat-analytics.

Yes, those are the steps I have taken.

PS C:\temp> Set-ATACenterURL -URL abc.xyz.net
PS C:\temp> $ATACenter
abc.xyz.net
PS C:\temp> Get-ATASuspiciousActivity
Get-ATASuspiciousActivity : Unable to connect to remote server. Your ATACenter url is set to localhost. Run
Set-ATACenterURL '<url>' if this is incorrect.
At line:1 char:1
+ Get-ATASuspiciousActivity

from advanced-threat-analytics.

It looks like you are following the correct steps, but the Get-ATASuspiciousActivity command is not recognizing your $ATACenter variable. Could you answer the following questions to help narrow down the cause?

1. Could you confirm for me where you are using the module? Are you on the ATA Center or on a different machine? What OS are you on?

2. Could you please run Get-ATASuspiciousActivity -verbose and share with me the output.

3. Could you please run Get-ExecutionPolicy and share with me the output.

4. Could you please run Get-Module -Name Advanced-Threat-Analytics and share with me the output.

I did a test on my end using a remote machine and didn't have any issues. I started with localhost, got the same error you did, ran Set-ATACenterURL and pointed to my atacenter, then ran Get-ATASuspiciousActivity with the verbose flag to make sure it's using the correct URL. I put the output below. I'm testing from a 2016 machine, and ATA Center is on a 2012R2 machine.

PS C:\Users\rush.K45515> Get-ATASuspiciousActivity
Get-ATASuspiciousActivity : Unable to connect to remote server. Your ATACenter url is set to localhost. Run Set-ATACenterURL '<url>' if this is incorrect.
At line:1 char:1
+ Get-ATASuspiciousActivity
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-ATASuspiciousActivity
 

PS C:\Users\rush.K45515> Set-ATACenterURL atacenter.k45515.com

PS C:\Users\rush.K45515> Get-ATASuspiciousActivity -Verbose
VERBOSE: GET https://atacenter.k45515.com/api/management/suspiciousActivities with 0-byte payload
VERBOSE: received 4477-byte response of content type application/json; charset=utf-8


WindowsEventId                              : 2021
ExclusionUniqueEntityId                     : c52a7c75-21a9-409b-a4bc-26bb104ffeb9
SourceComputerId                            : c52a7c75-21a9-409b-a4bc-26bb104ffeb9
SourceAccountIds                            : {66c3c708-7c49-4095-833c-7c6429fa7c66}
DestinationComputerIds                      : {ff336d33-81f4-458c-b70b-33f0070ffb20}

from advanced-threat-analytics.

1. Windows 10, connecting remotely to the Center (it works fine from the server locally)

2. Get-ATASuspiciousActivity -Verbose
   VERBOSE: GET https://localhost/api/management/suspiciousActivities with 0-byte payload
   Get-ATASuspiciousActivity : Unable to connect to remote server. Your ATACenter url is set to localhost.

3. RemoteSigned

4. ModuleType Version Name ExportedCommands

Script 0.0.12 Advanced-Threat-Analytics {Get-ATAMonitoringAlert, Get-ATAStatus, Get-ATASuspiciousA...

from advanced-threat-analytics.

I needed the PS module today so I decided to dig into this myself by copying the PSM1 file to a PS1 and dotsourced it into my session (thinking I could debug the script interactively).

However, as soon as I loaded the functions that way, they started working.

Any thoughts on that?

from advanced-threat-analytics.

Based on your Feb 27 post (very sorry I missed it), it seems like you hadn't run Set-ATACenterURL. The error message says that the cmdlet is looking for localhost (which is default), but you say you are doing a remote connection. If you are running these cmdlets from a machine other than the ATACenter, you have to run Set-ATACenterURL first and provide the URL of the ATACenter.

from advanced-threat-analytics.