azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: remediation skill rewrite (5-app tiered arch) + Cascades breach check John Trozzi

Browse Source 
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-04-20 11:34:59 -07:00
parent b0db273e1e
commit 26df2c47b9
7 changed files with 728 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

236
session-logs/2026-04-20-session.md Normal file
View File

@@ -0,0 +1,236 @@
# Session Log — 2026-04-20
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
## Session Summary
This session continued from a previous context that ran out of window. It covered two bodies of work:
1. **Remediation skill complete rewrite** — Updated all skill files to reflect the new 5-app tiered Entra architecture (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on) replacing the old single over-permissioned app.
2. **Cascades Tucson breach check on John Trozzi** — Ran a full 10-point breach check after John reported spoofed email in his inbox. Mailbox confirmed clean; incident is inbound phishing, not account compromise.
---
## Work 1: Remediation Skill Rewrite
### Context (from prior session — summarized)
Previous session built out the full tiered MSP Entra app architecture:
- Created all 5 apps + management app via ComputerGuru-Management SP
- Granted admin consent in Grabblaw for Security Investigator + User Manager
- Old app `fabb3421` (ComputerGuru - AI Remediation) had 159 permissions including Defender ATP, which broke consent on tenants without MDE license (AADSTS650052)
### Files Rewritten
**`D:/claudetools/.claude/skills/remediation-tool/scripts/get-token.sh`**
- Completely rewritten: accepts `<tenant-id|domain> <tier>` instead of `<tenant-id> <scope>`
- Tiers: `investigator` | `investigator-exo` | `exchange-op` | `user-manager` | `tenant-admin` | `defender`
- Each tier maps to correct CLIENT_ID, vault SOPS path, and resource scope URL
- Cache key is now `{tenant}/{tier}.jwt` (not `{tenant}/{scope}.jwt`)
- Falls back through both `credentials.client_secret` and `credentials.credential` field names
- Falls back to raw sops+python if vault.sh fails
**`D:/claudetools/.claude/skills/remediation-tool/SKILL.md`**
- Added full app tier table with App IDs and vault files
- Updated Exchange REST prerequisites to name correct SP per operation
- Added minimum-privilege guidance ("never use tenant-admin for read-only check")
**`D:/claudetools/.claude/commands/remediation-tool.md`**
- Rewrote token acquisition to use tier flags
- Added per-app consent URLs in correct format (`redirect_uri=https://azcomputerguru.com`)
- Added `disable-smtp-auth` action
- Mapped each remediation action to its correct app tier (Exchange Operator for EXO write, User Manager for user ops)
**`D:/claudetools/.claude/skills/remediation-tool/references/gotchas.md`**
- Full rewrite: 5-app suite table, per-app consent URLs, directory role map updated
- Tenant table updated: Grabblaw now shows Security Investigator + User Manager consented (2026-04-20)
- Migration note for Valleywide/Dataforth/Cascades (still on old app)
- AADSTS650052 note for Defender tier on non-MDE tenants
**`D:/claudetools/.claude/skills/remediation-tool/references/checklist.md`**
- False-positive filter updated to match any "ComputerGuru" app display name
**`D:/claudetools/.claude/skills/remediation-tool/references/graph-endpoints.md`**
- Added token acquisition block at top with tier variable mapping
- Exchange REST section now distinguishes `$EXO_R` (Security Investigator) from `$EXO_W` (Exchange Operator)
### Vault Field Name Note
New SOPS files for the 5 apps were created in previous session. The field name for client secrets may be `credentials.client_secret` or `credentials.credential`. The updated `get-token.sh` tries both. If neither works on first use, check field with:
```bash
bash D:/vault/scripts/vault.sh get msp-tools/computerguru-security-investigator.sops.yaml
```
---
## Work 2: Cascades Tucson — John Trozzi Breach Check
### Trigger
John reported "spoofed email in his inbox." He forwarded the phishing email to howard@azcomputerguru.com and emailed Mike at 12:26 UTC with subject "Spoof emails."
### Approach Note
Cascades Tucson still uses the OLD app (`fabb3421`) — the new Security Investigator hasn't been consented there yet. Used old app credentials from vault (`msp-tools/claude-msp-access-graph-api.sops.yaml`) for this investigation.
### Tenant
- **Domain:** cascadestucson.com
- **Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **App used:** fabb3421 (old app, still active at Cascades)
### User
- **UPN:** john.trozzi@cascadestucson.com
- **User ID:** a638f4b9-6936-4401-a9b7-015b9900e49e
- **Last password change:** 2026-04-16T16:05:11Z (self-service, after April 16 remediation)
### 10-Point Results — All Clean
| Check | Result |
|---|---|
| Graph inbox rules | CLEAN — no custom rules |
| Exchange REST rules (incl. hidden) | CLEAN — Junk E-mail Rule only |
| Mailbox forwarding | CLEAN — null/false on all fields |
| Delegates / FullAccess | CLEAN — no non-SELF |
| SendAs grants | CLEAN — no non-SELF |
| OAuth consents | CLEAN — BlueMail (2022) + EAS, both legitimate |
| Auth methods | NOTE — duplicate Authenticator (SM-F731U null date), low risk |
| Sign-ins 30d | CLEAN — all US/Phoenix, IP 184.191.143.62, no foreign access |
| Risky user | CLEAN — riskLevel: none |
| Directory audits | EXPECTED — April 16 sysadmin reset cycle + John self-service pw change |
### Incident Finding
John received phishing email:
- **Subject:** "ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"
- Classic credential-harvesting lure
- John correctly identified it, forwarded to Howard, reported to Mike
- No evidence of link click or credential entry
- Original email no longer in inbox/deleted — John deleted it
### Google Account Alert
John received a security alert (16:01 UTC today) from no-reply@accounts.google.com for `201cascades@gmail.com`. Possibly a shared facility account. Confirm it has 2FA.
### DMARC Finding
```
_dmarc.cascadestucson.com: v=DMARC1;p=none;pct=100;rua=mailto:info@cascadestucson.com
cascadestucson.com SPF: v=spf1 ip4:72.194.62.5 include:spf.protection.outlook.com -all
```
- SPF is tight (`-all`) — good
- DMARC is `p=none` — monitoring only, no enforcement. Phishing emails can land in inboxes
- **Action needed:** Upgrade to `p=quarantine` after confirming DKIM. Coordinate with Meredith.
### Recommendations
1. Confirm John didn't click anything or enter credentials (if he did: revoke-sessions + password-reset)
2. Howard should delete the forwarded phishing email without clicking
3. Upgrade DMARC to p=quarantine (coordinate with Meredith)
4. Confirm DKIM is configured for cascadestucson.com in Exchange Online
5. Verify 201cascades@gmail.com Google alert
6. Clean up duplicate Authenticator entry (SM-F731U, null date) — low priority
### Report Location
`D:/claudetools/clients/cascades-tucson/reports/2026-04-20-breach-check-john-trozzi.md`
Committed: db157e3
---
## Credentials Reference (from prior session — carried forward)
### ComputerGuru-Management App (ACG home tenant)
- **App ID:** `0df4e185-4cf2-478c-a490-cc4ef36c6118`
- **Tenant ID:** `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
- **Secret:** `C8t8Q~.bN-q5kJ~ARhkK3oMgg~w6pQhRq3-IKc15`
- **Vault:** `D:/vault/msp-tools/computerguru-management.sops.yaml`
- **Permissions:** Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, User.Read.All
### ComputerGuru Security Investigator (multi-tenant, read-only breach checks)
- **App ID:** `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
- **Secret:** `LS28Q~wHInqBB1y1TOWfwamKHBz~D2IFeSyUCcb0`
- **Vault:** `D:/vault/msp-tools/computerguru-security-investigator.sops.yaml`
- **Tenants consented:** Grabblaw (032b383e) — Security Investigator + Exchange Admin role needed
- **Note:** NOT YET CONSENTED at Cascades, Dataforth, Valleywide — still using old app there
### ComputerGuru Exchange Operator (multi-tenant, EXO write)
- **App ID:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
- **Secret:** `Ct28Q~fKYUu.RvkMaGNAV1YeK6h-HBewCTPnwa.Y`
- **Vault:** `D:/vault/msp-tools/computerguru-exchange-operator.sops.yaml`
### ComputerGuru User Manager (multi-tenant, user/group write)
- **App ID:** `64fac46b-8b44-41ad-93ee-7da03927576c`
- **Secret:** `GEQ8Q~Xl0_Lrbq85QjEyUsvK9rMe1m-C.ze.0ahN`
- **Vault:** `D:/vault/msp-tools/computerguru-user-manager.sops.yaml`
- **Tenants consented:** Grabblaw (032b383e)
### ComputerGuru Tenant Admin (multi-tenant, high-privilege)
- **App ID:** `709e6eed-0711-4875-9c44-2d3518c47063`
- **Secret:** `GYe8Q~I-hzqK1hUsh2uUg6RVFwM1TQt8C7h8XaUm`
- **Vault:** `D:/vault/msp-tools/computerguru-tenant-admin.sops.yaml`
### ComputerGuru Defender Add-on (multi-tenant, MDE only)
- **App ID:** `dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b`
- **Secret:** `r1h8Q~L4kPb3STTjazbxNDsYw3JuHm1yIhTy5bqM`
- **Vault:** `D:/vault/msp-tools/computerguru-defender-addon.sops.yaml`
### Old App (DEPRECATED — still active at Cascades/Dataforth/Valleywide)
- **App ID:** `fabb3421-8b34-484b-bc17-e46de9703418`
- **Display name:** ComputerGuru - AI Remediation
- **Vault:** `D:/vault/msp-tools/claude-msp-access-graph-api.sops.yaml` → field: `credentials.credential`
- **Status:** Retire after migrating remaining tenants to new app suite
### Mike's Entra User ID (for app ownership)
- **Object ID:** `f34ebe40-9565-4135-af4c-2e808df57a25`
- **ACG Tenant:** `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
### Grabblaw
- **Tenant ID:** `032b383e-96e4-491b-880d-3fd3295672c3`
- **Svetlana Larionova:** slarionova@grabblaw.com (created 2026-04-20, temp pw: TempGrabb2026!, User ID: affab40c-5535-4c1a-9a78-a2eda1a4a3b7)
- **License:** M365 Business Premium (f245ecc8-75af-4f8e-b61f-27d8114de5f3)
- **Apps consented:** Security Investigator, User Manager
- **Directory roles:** none assigned yet (no Exchange Admin on either SP)
### Cascades Tucson
- **Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **Apps:** Still using old app fabb3421. New app not yet consented.
- **Directory roles (old app):** Exchange Administrator, User Administrator
---
## Pending Items
### MSP App Suite Migration
- [ ] Consent Security Investigator at Cascades, Dataforth, Valleywide
- [ ] Assign Exchange Administrator role to Security Investigator SP in Cascades + Dataforth
- [ ] Publisher verification on Apps 3-5 and Defender Add-on (MPN 6149186 — Arizona Computer Guru LLC)
- [ ] Retire/delete old ComputerGuru - AI Remediation app (`fabb3421`) after migration
### Cascades Tucson
- [ ] Confirm John Trozzi didn't click phishing link / enter credentials
- [ ] Howard: delete the forwarded phishing email
- [ ] DMARC p=none → p=quarantine (after DKIM confirmed) — coordinate with Meredith
- [ ] Confirm DKIM configured for cascadestucson.com in Exchange Online
- [ ] Verify 201cascades@gmail.com Google security alert
- [ ] Clean up duplicate John Authenticator entry (low priority)
### azcomputerguru.com (from prior session)
- [ ] Add ToS + Privacy URLs to new app registrations in portal (Branding & properties)
- [ ] Vault cPanel credentials at `clients/azcomputerguru/cpanel.sops.yaml`
- [ ] Add Windows SSH key to authorized_keys on 172.16.3.10
- [ ] Reset mike WP password to permanent value and vault it
### ClaudeTools
- [ ] Add Windows SSH key to authorized_keys on 172.16.3.30
---
## Key Infrastructure Reference
| Resource | Details |
|---|---|
| IX Web Hosting | 172.16.3.10 (ext: 72.194.62.5) WHM port 2087 |
| cPanel user | azcomputerguru |
| WP DB | azcomputerguru_acg2025, table prefix Lvkai5BQ_, mike/TempWP2026! |
| ClaudeTools API | http://172.16.3.30:8001 |
| GuruRMM server | 172.16.3.30:3001 |
| Gitea | http://172.16.3.20:3000 (internal) |
| ACG Tenant | ce61461e-81a0-4c84-bb4a-7b354a9a356d |