sync: auto-sync from GURU-BEAST-ROG at 2026-07-14 15:28:42

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-14 15:28:42
This commit is contained in:
Winter Williams
2026-07-14 15:29:34 -07:00
committed by ClaudeTools Bot
parent 088ffb7645
commit a9a17f426f
2 changed files with 124 additions and 0 deletions

View File

@@ -94,3 +94,44 @@ cause, and the awaiting-client questions. Bot alert posted to #bot-alerts.
- Discord thread: 1526651647214882956 (#tech-department, Arizona Computer Guru)
- Wiki: `wiki/clients/mvan-enterprises.md` (GPS client, Syncro cid 29462761)
- Vault: `clients/mvan-inc/m365.sops.yaml`, `msp-tools/syncro-winter`
## Update: 15:28 AZ — RMM restore, risky sign-in check, MFA remediation (requested by Mike)
Follow-on work in the same Discord thread, requested by **Mike Swanson** (@azcomputerguru).
### RMM / ScreenConnect
- MVAN RMM footprint: 1 agent — "June" (92f583bc-1095-400c-8cd3-2e15a881ab3d), offline since
2026-07-12 05:05 UTC despite the machine being in active use.
- ScreenConnect session JUNE (0737c201-61a0-4f07-b7b8-68dcc5796cad) was online (June Bradford
logged in, Win 11 Pro). CP1 tag has a typo: "MVAN Enterprised" (fix pending).
- Reinstalled GuruRMM agent via SC send-command using site installer one-liner
(site Main, code LOWER-FORGE-6736). Agent checked back in at 18:28 UTC (11:28 AZ). Verified online.
### Risky sign-in check (remediation-tool, tenant 5affaf1e-de89-416b-a655-1b2cf615d5b1)
- **No compromise**: 0 active risk detections, 0 successful anomalous sign-ins (14-day window,
126 events). Legit sign-ins from Boise ID (June/Mitch), OKC (Jason).
- **Active distributed credential attack**: mitch.v@mvaninc.com — 72 fails / 73 unique IPs /
6 countries (US CA DE IT RO NL), err 50053/50126, ongoing. m.vandeveer@modernstile.com —
14 fails (JP NL NP), account had NO MFA.
- MFA gaps found: m.vandeveer@modernstile.com, j.bradford@modernstile.com, kyeri.b@mvaninc.com,
invoicing@mvaninc.com.
- Full report: `clients/mvan-inc/reports/2026-07-14-risky-signin-check.md`
### Remediation (approved by Mike in-thread)
- Internal comment with findings posted to Syncro #32554 (comment 423730614) + bot alert.
- **Disabled** m.vandeveer@modernstile.com and j.bradford@modernstile.com (never a successful
sign-in, unlicensed, no MFA) — PATCH accountEnabled=false via user-manager tier, verified
after ~20s replication lag (204 + immediate read-back showed stale true; re-read confirmed).
- Consent audit was AMBER (tenant-admin missing Policy.Read.All → 403 on CA endpoints).
Mike re-consented interactively; refreshed token shows full manifest.
- Created CA policy "ACG - Require MFA for all users (report-only)"
(f69d7b41-bf13-4631-b1cd-ccf449ef06b9), enabledForReportingButNotEnforced, all users/apps,
MFA grant, break-glass sysadmin@mvaninc.com excluded. Security defaults off; only the 2
Microsoft-managed policies pre-existed.
### Pending
- MVAN answers for ticket #32554 (affected users, mail client, browser vs desktop view change).
- kyeri.b (active) + invoicing (dormant since 2025-09) MFA enrollment or disable decision.
- Review report-only CA impact after a few days; explicit go before flipping to enabled.
- SC CP1 typo fix ("MVAN Enterprised" -> "MVAN Enterprises").
- Exchange Operator consent still AMBER (Mail.ReadWrite) — verify on next EXO task.