diff --git a/.claude/skills/remediation-tool/references/gotchas.md b/.claude/skills/remediation-tool/references/gotchas.md index ccbf5d6..78f693d 100644 --- a/.claude/skills/remediation-tool/references/gotchas.md +++ b/.claude/skills/remediation-tool/references/gotchas.md @@ -120,6 +120,7 @@ If token request or API call returns AADSTS650052 referencing `WindowsDefenderAT | Cascades Tucson | 207fa277-e9d8-4eb7-ada1-1064d2221498 | old app only | — | — | — | — | old app only | old app only | — | IdentityRiskyUser scope still not consented as of 2026-04-16 | | Grabblaw | 032b383e-96e4-491b-880d-3fd3295672c3 | YES (2026-04-20) | — | YES (2026-04-20) | YES (2026-04-20) | — | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | Fully onboarded | | martylryan.com | (resolve via script) | YES (2026-04-20) | — | YES (old app) | YES (2026-04-20) | — | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | ASSIGNED (2026-04-20) | Fully onboarded | +| mvaninc.com | 5affaf1e-de89-416b-a655-1b2cf615d5b1 | YES (2026-04-21) | — | YES (2026-04-21) | YES (2026-04-21) | — | — | — | — | Fully onboarded. Incident 2026-04-21: sysadmin GA account unauthorized sign-in from OKC via device PRT (MITCH-LAPTOP/JUNE). Remediated: pw reset, sessions revoked. CA policy (MFA all users) still pending — Mike to create. | **Migration note:** Valleywide, Dataforth, and Cascades still use the old deprecated app. Next visit: consent Security Investigator + assign Exchange Administrator role to new SP, then retire old app consent. diff --git a/clients/birth-biologic/session-logs/2026-04-21-session.md b/clients/birth-biologic/session-logs/2026-04-21-session.md new file mode 100644 index 0000000..e5d7c35 --- /dev/null +++ b/clients/birth-biologic/session-logs/2026-04-21-session.md 
@@ -0,0 +1,50 @@ +# Session Log — BirthBiologic — 2026-04-21 + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin + +--- + +## Summary + +New client onboarded into GuruRMM. Client and site created. Vault entry saved. MSI installer ready for deployment on their server. + +--- + +## Client Details + +- **Client name:** BirthBiologic +- **GuruRMM client ID:** `da526b38-e832-4159-ab13-a3d94e9897a2` +- **Site:** Main Office +- **Site ID:** `3b20ef97-c764-4ef8-9154-79c3d5b486f8` +- **Site code:** `BRIGHT-PEAK-5980` +- **API key:** `grmm_1ZB1qV9Q61b9Noq8BIaZGwLNjZMfF49i` +- **Vault:** `D:/vault/clients/birthbiologic/gururmm-site-main.sops.yaml` + +--- + +## Install URLs + +- **Landing page (for manual install):** `https://rmm.azcomputerguru.com/install/BRIGHT-PEAK-5980` +- **MSI download (dashboard):** `https://rmm.azcomputerguru.com/sites/3b20ef97-c764-4ef8-9154-79c3d5b486f8/installer` + +--- + +## M365 Status + +- **Tenant:** birthbiologic.com (tenant ID unknown — not yet looked up) +- **Security Investigator app:** consented (2026-04-21) +- **Exchange Operator, User Manager, Tenant Admin, Defender:** NOT yet consented +- **Note:** sysadmin@birthbiologic.com does not have a SharePoint/M365 license — app-only auth via tenant-admin with `Sites.ReadWrite.All` is the approach for SharePoint access (no user license needed for app-only) + +--- + +## Pending + +- [ ] Install GuruRMM agent on BirthBiologic server via MSI or landing page +- [ ] Consent remaining apps in BirthBiologic tenant (user-manager, tenant-admin minimum) +- [ ] Datto Workplace → SharePoint migration: PowerShell script using tenant-admin app-only credentials, reads local Datto file server, uploads to SharePoint via Graph API `Sites.ReadWrite.All` + - BirthBiologic has 14 SharePoint sites (5 new dept sites created 2026-04-20 for Datto migration) + - Datto Workplace server is on-premise at their office (local file system access available once agent is installed) 
diff --git a/clients/mvan-inc/reports/2026-04-21-risky-signins.md b/clients/mvan-inc/reports/2026-04-21-risky-signins.md new file mode 100644 index 0000000..338674b --- /dev/null +++ b/clients/mvan-inc/reports/2026-04-21-risky-signins.md 
@@ -0,0 +1,87 @@ +# Risky Sign-In Investigation — MVAN Inc +**Date:** 2026-04-21 UTC +**Tenant:** mvaninc.com (`5affaf1e-de89-416b-a655-1b2cf615d5b1`) +**Requested by:** Mike Swanson +**Scope:** Identity Protection risky users review + +--- + +## Summary + +Three accounts with active or recent risk events. Two are already remediated. One (`alisha.p@mvaninc.com`) remains atRisk with no action taken. The most concerning event is our own `sysadmin@mvaninc.com` (Global Admin) being flagged and remediated by password reset just 4 days ago (2026-04-17). + +--- + +## Active Risks + +### alisha.p@mvaninc.com — LOW / atRisk (OPEN) +- **Display name:** Alisha Park +- **Risk level:** Low +- **Risk state:** atRisk (no remediation performed) +- **Risk first detected:** 2025-12-01 +- **Last password change:** 2025-11-13 (before risk event — password reset has NOT occurred) +- **Admin roles:** None +- **Recommendation:** Force password reset or dismiss if confirmed false positive + +--- + +## Recently Remediated (past 90 days) + +### sysadmin@mvaninc.com — REMEDIATED 2026-04-17 [PRIORITY] +- **Display name:** Computer Guru (our managed service account) +- **Risk state:** Remediated via `userPerformedSecuredPasswordReset` +- **Remediation date:** 2026-04-17T17:33:21Z (4 days ago) +- **Admin roles:** Global Administrator, Intune Administrator, Cloud Device Administrator +- **Last password change:** 2026-04-17T17:33:21Z (matches remediation) +- **Notes:** This is a high-privilege account. Cannot determine what triggered the risk detection without AuditLog.Read.All. The password reset was performed — determine who initiated it and whether any suspicious activity occurred before remediation. 
+ +### mitch.v@mvaninc.com — REMEDIATED 2026-04-07 +- **Display name:** Mitch VanDeveer (client's primary admin) +- **Risk state:** Remediated via `userPerformedSecuredPasswordReset` +- **Remediation date:** 2026-04-07T13:12:55Z (~2 weeks ago) +- **Admin roles:** Global Administrator, Windows 365 Administrator +- **Last password change:** 2026-04-07T13:12:55Z (matches remediation) + +--- + +## Historical / Other + +| Account | Risk State | Level | Detail | Last Updated | +|---|---|---|---|---| +| mitch@mvan.onmicrosoft.com | remediated | none | passwordReset | 2025-10-24 | +| june.b@mvaninc.com | remediated | none | passwordReset | 2026-01-27 | +| j.bradford@modernstile.com | atRisk | medium | none | 2020-12-25 (stale — different domain) | +| june@jemaenterprises.com | dismissed | none | — | 2022-04-26 | + +--- + +## Global Admin Inventory (6 accounts — excessive) + +| Account | Notes | +|---|---| +| mitch.v@mvaninc.com | Client owner | +| admin@mvan.onmicrosoft.com | Break-glass / legacy | +| mitch@mvan.onmicrosoft.com | Alternate admin account | +| june.b@mvaninc.com | Non-admin user with GA role | +| sysadmin@mvaninc.com | Our managed service account | +| ryan@mvan.onmicrosoft.com | Unknown | + +6 Global Admins is excessive for a tenant this size. Recommend reducing to 2-3 and using dedicated roles where possible. + +--- + +## Recommended Actions + +1. **[URGENT]** Investigate what triggered the risk on `sysadmin@mvaninc.com` — review in Entra ID > Identity Protection > Risk detections portal. Confirm no unauthorized access occurred before the 2026-04-17 reset. +2. **[ACTION REQUIRED]** Remediate `alisha.p@mvaninc.com` — force password reset or dismiss with documented justification. +3. **[ADVISORY]** Review MFA registration status for all 6 Global Admins — confirm MFA is enforced. +4. **[ADVISORY]** Reduce Global Admin count. `june.b@mvaninc.com` and `ryan@mvan.onmicrosoft.com` should be reviewed for necessity. +5. 
**[MISSING VISIBILITY]** Add `AuditLog.Read.All` to the Security Investigator app manifest to enable sign-in log and risk detection queries in future investigations. + +--- + +## Tool Limitations This Run + +- `AuditLog.Read.All` not in investigator app manifest: could not pull sign-in logs or risk detection details (IP addresses, geolocations, detection types) +- `IdentityRiskEvent.Read.All` not in investigator app manifest: could not pull riskDetections endpoint +- Used `identityProtection/riskyUsers` (requires `IdentityRiskyUser.Read.All`) — available diff --git a/projects/msp-tools/guru-rmm b/projects/msp-tools/guru-rmm index 568ad61..1c2e03e 160000 --- a/projects/msp-tools/guru-rmm +++ b/projects/msp-tools/guru-rmm @@ -1 +1 @@ -Subproject commit 568ad615ce43638c60c0d7c5eac1ecc1c3ce36a1 +Subproject commit 1c2e03ecbe7ca9d81704ea04d5e2f4dec7dcd974
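Review bot: in the gotchas.md hunk, the new `mvaninc.com` row leaves `—` in the three columns that read `ASSIGNED (2026-04-20)` on the Grabblaw and martylryan.com rows, yet its Notes cell says "Fully onboarded"; either record the role assignments or mark the row as consented with roles pending, otherwise the table and the "Migration note" directly below it disagree about what is left to do. The incident text in that same cell ("sysadmin GA account unauthorized sign-in from OKC via device PRT (MITCH-LAPTOP/JUNE). Remediated: pw reset, sessions revoked.") also asserts a cause and a remediation that the risky-sign-in report added in this commit says could not yet be determined; keep the incident detail in the client report and leave a one-line pointer here so the two do not drift apart. "CA policy (MFA all users) still pending — Mike to create" is an open action item and belongs in a tracked pending list rather than a reference-table cell where it will not be revisited.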
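Review bot: the new BirthBiologic session log commits a live credential in plaintext, `- **API key:** \`grmm_1ZB1qV9Q61b9Noq8BIaZGwLNjZMfF49i\``, on the line directly above the one that already records where it is kept (`D:/vault/clients/birthbiologic/gururmm-site-main.sops.yaml`). Remove the key from the markdown and keep only the vault reference, and since the value is now in git history, rotate the site API key in GuruRMM and update the sops entry rather than just amending the file. Separately, the M365 Status note and the Datto migration pending item both plan app-only access with tenant-wide `Sites.ReadWrite.All`; with the 14 target sites already enumerated, check whether a site-scoped grant (`Sites.Selected`) would cover the migration so the tenant-admin app does not hold write access to every site in the tenant.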
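Review bot: in the risky-sign-ins report hunk, the `sysadmin@mvaninc.com` section states "Cannot determine what triggered the risk detection without AuditLog.Read.All ... determine who initiated it and whether any suspicious activity occurred before remediation", while the gotchas.md row added in the same commit records an unauthorized sign-in and a session revocation for that account; reconcile the two so Recommended Action 1 reflects what is already known and the remediation bullets list the session revocation if it was performed. The Global Admin Inventory entry "june.b@mvaninc.com | Non-admin user with GA role" is self-contradictory; describe it as a standard user account that holds the GA role, which is the point Action 4 relies on. The Historical table row for `j.bradford@modernstile.com` is still `atRisk` / `medium` with a last update of 2020-12-25 and is only flagged as "stale"; add a dismiss-or-remediate item for it under Recommended Actions so an open risk state is not left in a history table.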
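Review bot: the `projects/msp-tools/guru-rmm` submodule pointer moves from `568ad615ce43638c60c0d7c5eac1ecc1c3ce36a1` to `1c2e03ecbe7ca9d81704ea04d5e2f4dec7dcd974` with nothing in the rest of the change saying what that bump brings in; add the submodule commit's summary to the commit message (or note that it is an unrelated pointer refresh), since the same commit onboards a client against GuruRMM installer URLs and a reviewer cannot tell whether the two are connected.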