sync: auto-sync from GURU-BEAST-ROG at 2026-07-14 15:28:42
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-14 15:28:42
This commit is contained in:
committed by
ClaudeTools Bot
parent
088ffb7645
commit
a9a17f426f
@@ -94,3 +94,44 @@ cause, and the awaiting-client questions. Bot alert posted to #bot-alerts.
|
||||
- Discord thread: 1526651647214882956 (#tech-department, Arizona Computer Guru)
|
||||
- Wiki: `wiki/clients/mvan-enterprises.md` (GPS client, Syncro cid 29462761)
|
||||
- Vault: `clients/mvan-inc/m365.sops.yaml`, `msp-tools/syncro-winter`
|
||||
|
||||
## Update: 15:28 AZ — RMM restore, risky sign-in check, MFA remediation (requested by Mike)
|
||||
|
||||
Follow-on work in the same Discord thread, requested by **Mike Swanson** (@azcomputerguru).
|
||||
|
||||
### RMM / ScreenConnect
|
||||
- MVAN RMM footprint: 1 agent — "June" (92f583bc-1095-400c-8cd3-2e15a881ab3d), offline since
|
||||
2026-07-12 05:05 UTC despite the machine being in active use.
|
||||
- ScreenConnect session JUNE (0737c201-61a0-4f07-b7b8-68dcc5796cad) was online (June Bradford
|
||||
logged in, Win 11 Pro). CP1 tag has a typo: "MVAN Enterprised" (fix pending).
|
||||
- Reinstalled GuruRMM agent via SC send-command using site installer one-liner
|
||||
(site Main, code LOWER-FORGE-6736). Agent checked back in at 18:28 UTC (11:28 AZ). Verified online.
|
||||
|
||||
### Risky sign-in check (remediation-tool, tenant 5affaf1e-de89-416b-a655-1b2cf615d5b1)
|
||||
- **No compromise**: 0 active risk detections, 0 successful anomalous sign-ins (14-day window,
|
||||
126 events). Legit sign-ins from Boise ID (June/Mitch), OKC (Jason).
|
||||
- **Active distributed credential attack**: mitch.v@mvaninc.com — 72 fails / 73 unique IPs /
|
||||
6 countries (US CA DE IT RO NL), err 50053/50126, ongoing. m.vandeveer@modernstile.com —
|
||||
14 fails (JP NL NP), account had NO MFA.
|
||||
- MFA gaps found: m.vandeveer@modernstile.com, j.bradford@modernstile.com, kyeri.b@mvaninc.com,
|
||||
invoicing@mvaninc.com.
|
||||
- Full report: `clients/mvan-inc/reports/2026-07-14-risky-signin-check.md`
|
||||
|
||||
### Remediation (approved by Mike in-thread)
|
||||
- Internal comment with findings posted to Syncro #32554 (comment 423730614) + bot alert.
|
||||
- **Disabled** m.vandeveer@modernstile.com and j.bradford@modernstile.com (never a successful
|
||||
sign-in, unlicensed, no MFA) — PATCH accountEnabled=false via user-manager tier, verified
|
||||
after ~20s replication lag (204 + immediate read-back showed stale true; re-read confirmed).
|
||||
- Consent audit was AMBER (tenant-admin missing Policy.Read.All → 403 on CA endpoints).
|
||||
Mike re-consented interactively; refreshed token shows full manifest.
|
||||
- Created CA policy "ACG - Require MFA for all users (report-only)"
|
||||
(f69d7b41-bf13-4631-b1cd-ccf449ef06b9), enabledForReportingButNotEnforced, all users/apps,
|
||||
MFA grant, break-glass sysadmin@mvaninc.com excluded. Security defaults off; only the 2
|
||||
Microsoft-managed policies pre-existed.
|
||||
|
||||
### Pending
|
||||
- MVAN answers for ticket #32554 (affected users, mail client, browser vs desktop view change).
|
||||
- kyeri.b (active) + invoicing (dormant since 2025-09) MFA enrollment or disable decision.
|
||||
- Review report-only CA impact after a few days; explicit go before flipping to enabled.
|
||||
- SC CP1 typo fix ("MVAN Enterprised" -> "MVAN Enterprises").
|
||||
- Exchange Operator consent still AMBER (Mail.ReadWrite) — verify on next EXO task.
|
||||
|
||||
Reference in New Issue
Block a user