From 5a9fe1bc6cbe77ea751d479ab411200c294b1877 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Sat, 6 Jun 2026 16:15:25 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-06 16:15:15 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-06 16:15:15 --- ...-06-howard-lighthouse-risky-user-alerts.md | 90 +++++++++ session-logs/show-notes-2026-06-06.html | 177 ++++++++++++++++++ 2 files changed, 267 insertions(+) create mode 100644 session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md create mode 100644 session-logs/show-notes-2026-06-06.html diff --git a/session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md b/session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md new file mode 100644 index 0000000..3b5ed65 --- /dev/null +++ b/session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md 
@@ -0,0 +1,90 @@ +# Session Log — 2026-06-06 — Howard — Lighthouse Risky-User Alert Triage + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Investigated a burst of Microsoft 365 Lighthouse alert emails Howard received at howard@azcomputerguru.com, using the remediation-tool skill (read-only, investigator tier). Acquired a Graph read token for the ACG partner tenant and searched Howard's mailbox: found 35 "Risky user" alerts (severity High) plus one Lighthouse billing/invoice email, all from m365-noreply@microsoft.com, all dated June 5 2026, delivered in a single 2-minute burst (2026-06-05 22:18-22:20 UTC). Pulled the full HTML body of one alert and parsed all of them to extract per-tenant detail. + +Every alert was generated by the same rule: "SAMPLE - Alert on risky user" — a Microsoft built-in Lighthouse sample alert rule (the "SAMPLE -" prefix is Microsoft's). The 35 alerts spanned 15 client tenants. Concluded this is a sample-rule backfill / risk-detection wave firing portfolio-wide, not 35 simultaneous live breaches. Flagged the accounts worth real triage: ACG-controlled admin accounts showing risky in client tenants ("Computer Guru" @ MVAN + Valley Wide, "Mike Swanson" @ JR Kennedy), and service/shared accounts (GTIMail + Shoretel @ Glaz-Tech, "remote" @ IMC, On-Prem Dir Sync svc acct @ Russo, Accounting @ Sonoran Green, Orders VWP @ Valley Wide). + +Howard then asked when the rule was applied and by whom. Began a per-tenant riskyUsers pull (Identity Protection) for the priority accounts — extracted all 15 tenant GUIDs straight from the alert email bodies — but Howard interrupted/redirected to the rule-provenance question before that ran. Pivoted to provenance investigation. 
+ +Attempted to determine rule provenance through every read-only path the tool can reach, all of which dead-ended: (1) Entra directory audit log for the ACG tenant returned no Lighthouse alert-rule events (Lighthouse does not log there; only SaaSAlerts.Fortify SP grants matched "alert"), and only retains 30 days (back to 5/6). (2) Lighthouse rule config via Graph is unavailable — the investigator app lacks ManagedTenants.Read.All. (3) Unified Audit Log via the Exchange tier (Search-UnifiedAuditLog over a 180-day window) returned HTTP 401; a follow-up Get-OrganizationConfig probe also 401'd, confirming the Security Investigator app has no Exchange/audit RBAC role in our OWN partner tenant (we only grant it Exchange Admin in client tenants for breach checks). + +Reported the blocker and presented three unblock options to Howard: check the Lighthouse portal directly (Alerts -> Alert rules -> rule detail shows created/modified-by), run Search-UnifiedAuditLog himself in an interactive admin EXO session, or have Claude grant the investigator SP the "View-Only Audit Logs" role in the ACG tenant (a privilege change, deferred pending explicit go). Session ended awaiting his choice. + +## Key Decisions + +- Classified the 35 alerts as a SAMPLE-rule backfill / risk-detection wave rather than 35 live incidents, based on: the literal "SAMPLE -" Microsoft template name, the single 2-minute portfolio-wide burst, and many flagged accounts being non-interactive service/shared accounts. +- Narrowed recommended triage to ACG admin accounts and service accounts rather than all 35 users — those are the ones where a real risk flag actually matters. +- Extracted tenant GUIDs from the alert email bodies (each contains "Tenant ID:") instead of resolving 15 domains separately — faster and avoids name-to-domain guessing for tenants whose display name is not a domain. 
+- Did NOT grant the investigator app an Exchange/audit role in the ACG tenant to unblock the UAL search — that is a privilege change in our own tenant and requires explicit user approval. +- Kept the entire session read-only: did not mark any emails read, ran no remediation, made no riskyUser state changes. + +## Problems Encountered + +- Windows /tmp path mismatch broke a Python HTML-stripper that read from a Git-Bash-written /tmp file (Windows Python resolved a different /tmp). Resolved by piping the HTML to Python via stdin instead of a temp file. +- Entra directoryAudits rejected an activityDateTime filter older than 30 days ("Minimum allowed time ... is 5/6/2026"). Resolved by setting the filter start to 2026-05-06. +- Search-UnifiedAuditLog via EXO REST returned an empty body, then HTTP 401. Diagnosed with a trivial Get-OrganizationConfig probe (also 401) -> root cause is the investigator SP having no Exchange RBAC role in the ACG partner tenant (blanket 401, not cmdlet-specific). Reported as a blocker rather than worked around. + +## Configuration Changes + +- `session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md` — created (this log). +- No repo code/config changes. No M365 changes (read-only session). + +## Credentials & Secrets + +None discovered or created. Tokens acquired via remediation-tool `get-token.sh` (investigator = Graph read; investigator-exo = EXO read) for the ACG tenant; cert/secret auth from the SOPS vault entry `msp-tools/computerguru-security-investigator.sops.yaml`. Tokens cached at `/tmp/remediation-tool/{tenant}/{tier}.jwt` (TTL 55 min). + +## Infrastructure & Servers + +- ACG partner tenant (azcomputerguru.com): tenant id `ce61461e-81a0-4c84-bb4a-7b354a9a356d` +- ComputerGuru Security Investigator app id `bfbc12a4-f0dd-4e12-b06d-997e7271e10c` — Graph roles include AuditLog.Read.All, Directory.Read.All, IdentityRiskyUser.Read.All; does NOT have ManagedTenants.Read.All. 
Has NO Exchange RBAC role in the ACG tenant (EXO adminapi returns 401). +- Client tenant GUIDs (from alert email bodies): + - Bill Tedards `4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6` + - Dataforth Corporation `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584` + - Glaz-Tech Industries `82931e3c-de7a-4f74-87f7-fe714be1f160` + - Instrumental Music Center `65adab75-f1fd-4ef9-b2b4-c24f595393e3` + - JR Kennedy Company `a92594b9-c8ad-4dba-8b40-14fcd32c723c` + - Jema Enterprises, LLC `41268042-9a8e-41c2-9a3c-0775398b86cb` + - Kittle Design & Construction `3d073ebe-806a-4a5e-9035-3c7c4a264fc0` + - MVAN Enterprises, Inc `5affaf1e-de89-416b-a655-1b2cf615d5b1` + - Patient Care Advocates `463b462d-0995-4e51-9e41-82c208015c7f` + - Ridgetop Group `ef111bfc-9c90-43c9-a581-f9bbfceb6517` + - Russo Law Firm `bef1b190-f78f-4b1c-aa4b-fab186a30702` + - Safe Site Utility Services LLC `71b4e637-c802-4137-a812-ae50dbc839e3` + - Sonorangreenllc.com `ededa4fb-f6eb-4398-851d-5eb3e11fab27` + - Valley Wide Plastering `5c53ae9f-7071-4248-b834-8685b646450f` + - cclac.net `e8a0fafc-21ee-41e8-a5ba-f3a250a8a30e` + +## Commands & Outputs + +- `bash scripts/resolve-tenant.sh azcomputerguru.com` -> `ce61461e-81a0-4c84-bb4a-7b354a9a356d` +- `bash scripts/get-token.sh investigator` / `... investigator-exo` -> bearer tokens. +- Graph mailbox search: `GET /users/howard@azcomputerguru.com/messages?$search="Microsoft 365 Lighthouse alert was detected"` with header `ConsistencyLevel: eventual` -> 35 risky-user alerts + 1 invoice. +- Token roles decoded from JWT `roles` claim — confirmed AuditLog.Read.All present, ManagedTenants.Read.All absent. +- `GET /auditLogs/directoryAudits?$filter=activityDateTime ge 2026-05-06T00:00:00Z` -> 88 events, services: Core Directory / Self-service Group Mgmt / Self-service Password Mgmt; only "alert" matches were SaaSAlerts.Fortify SP grants (5/7, 5/15). No Lighthouse rule events. 
+- EXO `Search-UnifiedAuditLog` via `POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand` -> HTTP 401; `Get-OrganizationConfig` probe -> HTTP 401 (blanket no-RBAC). + +## Pending / Incomplete Tasks + +- AWAITING HOWARD'S CHOICE on rule provenance ("when/who applied SAMPLE - Alert on risky user"): + - (B, fastest) Lighthouse portal -> Alerts -> Alert rules -> open the rule -> created/modified-by metadata. + - (3) Howard runs `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) -FreeText "Alert on risky user" -ResultSize 500` in an interactive admin EXO session. + - (1) Claude grants the Security Investigator SP the "View-Only Audit Logs" role in the ACG tenant (tenant-admin tier) then re-runs the UAL search via the tool — deferred, needs explicit go (privilege change in our own tenant). +- NOT DONE (interrupted): per-tenant riskyUsers (Identity Protection) pull for the priority accounts (ACG admin + service accounts) to separate live risk from stale backfill. Tenant GUIDs already gathered above; ready to resume if asked. +- Consideration: ACG admin accounts flagged risky in client tenants (Computer Guru @ MVAN/Valley Wide, Mike Swanson @ JR Kennedy) warrant a genuine check that our own creds are not being sprayed. +- Housekeeping: the noisy "SAMPLE -" rule could be quieted/renamed in the Lighthouse portal so this does not re-spam Howard's inbox (portal action, not this tool). + +## Reference Information + +- Mailbox investigated: howard@azcomputerguru.com (ACG tenant). +- Alert source: m365-noreply@microsoft.com; rule "SAMPLE - Alert on risky user"; type "Risky user"; severity High; detection date June 5 2026. +- 35 risky-user alerts across 15 tenants. Full per-tenant user list captured in chat (e.g. 
Glaz-Tech: GTIMail, Shoretel, Dave Hill, Linda Salazar, Roxy Scott; Ridgetop: Jan Traficanti, Nicolas Blanchard, Luis Hernandez, Arsh Nadkarni, Clay Hunt; Safe Site: Lisa Stirzl, Rachel Rupp, George Brandt, Cody Kennedy, Jeff Mortenson; Valley Wide: Computer Guru, Orders VWP, Sammy Montijo, Bart Graffin; etc.). +- Remediation skill: `.claude/skills/remediation-tool/` (get-token.sh, resolve-tenant.sh, user-breach-check.sh). +- Graph riskyUsers endpoint for resume: `GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=200` (per tenant, investigator tier). +- EXO REST: `POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand` (needs Exchange RBAC role on the SP — absent in ACG). diff --git a/session-logs/show-notes-2026-06-06.html b/session-logs/show-notes-2026-06-06.html new file mode 100644 index 0000000..834b975 --- /dev/null +++ b/session-logs/show-notes-2026-06-06.html @@ -0,0 +1,177 @@ + + + + + +Show Notes — June 6, 2026 + + + +
+ +
+
ClaudeTools — Daily Show Notes
+

Gemini CLI on the Mac, Wolkin’s FRONT Gets a Checkup, and a Plan to Print From Anywhere

+
+ 📅 June 6, 2026 + 👤 Mike Swanson + 🖥 Mikes-MacBook-Air + ⏱ ~2 hours +
+
+ Gemini CLI + GuruRMM + Wolkin + Tailscale + macOS fix +
+
+ +

In This Episode

+
+

Stood up the Mac as a second Gemini CLI fleet host for the AGY skill, fixed a macOS base64 bug in the GuruRMM onboarding diagnostic, ran a full security/health baseline on Wolkin’s FRONT PC (graded AMBER — 5 warnings), dispatched a reboot to clear a pending-update flag, and wrote up a Tailscale mesh-VPN plan for remote laptop-to-office printing.

+
+ +

Chapters

+
+
00:00
+
+

Gemini CLI joins the fleet

+

Installed @google/gemini-cli v0.45.1 via Homebrew npm, added a gemini block to identity.json with full AGY capabilities, and flagged the Mac as a fleet host. One step left: run gemini once to finish Google OAuth.

+
+
+
+
00:20
+
+

Two sync cycles

+

Pulled 15 then 17 commits — new AGY + Mailprotector skills, sync-lock.sh per-machine locking, human-flow scanner v2, Cascades Tucson GPO scripts, and a new IX server wiki article.

+
+
+
+
00:45
+
+

Wolkin FRONT diagnostic AMBER

+

First onboarding baseline for FRONT (Win 11 Home 25H2, ASUS P500MV). 0 critical, 5 warning, 14 info. Probe chunked into 4×24KB uploads, ran as SYSTEM, exit 0. Immutable JSON + Markdown baselines written.

+
+
+
+
01:20
+
+

Remote printing — Tailscale plan

+

Office is on Verizon residential (CGNAT, dynamic IP), so traditional VPN and port-forwarding are out. Picked Tailscale mesh VPN (WireGuard, free ≤100 devices) over GuruConnect, ScreenConnect redirect, cloud print, and DIY VPN. Deployment plan documented.

+
+
+ +

FRONT — Warning Findings

+
    +
  • Defender Tamper Protection OFF — RTP on and signatures current, but tamper protection disabled. Enable via Intune/Security Center.
  • +
  • 4 pending Windows updates — may include security patches; install next maintenance window.
  • +
  • 2 disk errors in last 14 days (Event IDs 7/51/153) — run Check Disk / SMART. No BSODs or unexpected shutdowns.
  • +
  • Reboot pending (PendingFileRenameOperations) — reboot dispatched this session to clear it.
  • +
  • Group Policy Client (gpsvc) stopped — should auto-start even on workgroup machines; investigate. (Other stopped services — Dropbox/Google/Intel updaters — are benign.)
  • +
+ +

FRONT — The Good News

+
    +
  • BitLocker enabled on OS volume (TPM + recovery password, 100% encrypted)
  • +
  • Defender active and only registered AV — no conflicts
  • +
  • All firewall profiles enabled; SMBv1 disabled; LAPS detected
  • +
  • No competitor/leftover RMM agents; ScreenConnect present as expected
  • +
  • OS supported until 2027-10-12; last hotfix KB5089573 (2026-05-27)
  • +
+ +

Tech Note — macOS base64 fix

+
    +
  • BSD base64 (macOS) uses -i input with no wrap flag; GNU (Linux) uses -w0. The diagnostic script now tries BSD first, falls back to GNU, then a portable base64 < file | tr -d '\n' stdin path.
  • +
+ +

Follow-ups

+
    +
  • Complete Gemini OAuth on the Mac (gemini interactively)
  • +
  • Fix identity.json machine name (“Mikes-MacBook-Air” vs hostname “Mac”)
  • +
  • Verify FRONT came back online after reboot
  • +
  • Remediate FRONT AMBER findings, then re-run diagnostic for a second baseline
  • +
  • Deploy Tailscale: enroll laptop in RMM, install on both, share printer, test print, vault creds
  • +
+ +

Show Links

+ + + + +
+ +
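Review bot: In session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md, the "Key Decisions" entry that classifies all 35 alerts as a SAMPLE-rule backfill rests on the rule's template name and the 2-minute burst, but the "SAMPLE -" prefix only tells you who created the Lighthouse alert rule, not whether the Identity Protection risk detections it forwards are stale; the per-tenant riskyUsers pull that would show when each user's risk was last raised is listed under "Pending / Incomplete Tasks" as NOT DONE. Suggest marking the classification as provisional until that pull runs, especially for the ACG admin accounts the log itself flags for a credential-spray check. Two smaller points: the unblock options are labelled "(B, fastest)", "(3)" and "(1)" in the Pending section, which does not match the order of the three options in the summary, so number them consistently; and the "Reference Information" section commits named client employees alongside client tenant GUIDs and the investigator app id into an auto-synced repo, so consider whether the per-user list belongs in the log at all or should be reduced to the account categories (admin, service/shared) that the triage decision actually used.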
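Review bot: In session-logs/show-notes-2026-06-06.html, the "Show Links" section at the end has a heading but no entries; either add the links the episode refers to (the IX server wiki article, the FRONT baseline files, the Tailscale plan write-up) or drop the section. In the "Tech Note — macOS base64 fix" item, the three-way probe (BSD -i, then GNU -w0, then base64 < file | tr -d '\n') can be collapsed to the third form alone, since reading from stdin and stripping newlines works on both BSD and GNU base64 and removes two failure branches from the onboarding diagnostic. Also, the Tamper Protection finding says "Enable via Intune/Security Center" while the same list describes FRONT as a workgroup machine; state which of the two paths applies so the follow-up is actionable.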