Two session logs:
- session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure)
- guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift

Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling, settings.json created (bypassPermissions), MCP_SERVERS.md written.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# {{TITLE}}

- Date: {{YYYY-MM-DD}}
- Tenant: {{tenant-display-name}} ({{domain}}, {{tenant-id}})
- Subject: {{user-or-tenant}}
- Tool: Claude-MSP-Access / ComputerGuru - AI Remediation (App ID fabb3421-8b34-484b-bc17-e46de9703418)
- Scope: {{read-only | included remediation}}
## Summary

- {{3-5 bullets: breach indicators found? which categories? priority actions?}}

## Target details

| Field | Value |
|---|---|
| UPN | |
| Object ID | |
| Account Enabled | |
| Created | |
| Last Password Change | |
## Per-check findings

1. Inbox rules (Graph)
   {{count, flagged items verbatim}}
2. Mailbox forwarding / settings
   {{forwarding flags, auto-reply status}}
3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)
   {{hidden rule count, non-SELF permissions, ForwardingAddress/ForwardingSmtpAddress}}
4. OAuth consents + app role assignments
   {{apps consented, when, scopes}}
5. Authentication methods
   {{methods, creation dates — flag any inside attack window}}
6. Sign-ins (30d)
   {{count, unique IPs, countries, failures — flag non-US and legacy client apps}}
7. Directory audits
   {{30d changes targeting user, by-whom analysis}}
8. Risky users / risk detections
   {{risk level, recent detections — or note if blocked by missing permission}}
9. Sent items (recent 25)
   {{sample of recipients/subjects — flag blast patterns or unusual externals}}
10. Deleted items (recent 25)
    {{sample — flag deleted security alerts or MFA notifications}}
## Suspicious items (pulled out of per-check findings)

{{bullets for anything abnormal — external forwards, hidden rules, unfamiliar consents, foreign-geo sign-ins, new auth methods within attack window}}
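The per-check findings above are raw records; the "Suspicious items" section is the part an analyst has to derive from them. The following is an added triage example, not code from the remediation tool or this repository: it takes the kinds of records checks 1, 5 and 6 collect (inbox rules, authentication methods, sign-ins), applies the flagging criteria this template names (external forwards, blank rule names, non-US or legacy-client sign-ins, auth methods registered inside the attack window) and emits the bullets for this section. Field names follow a simplified subset of the Microsoft Graph messageRule / signIn / authenticationMethod shapes; `INTERNAL_DOMAINS`, `LEGACY_CLIENTS` and every sample record are constructed for the example.

```python
"""Triage helper for the per-check findings (added example, not the tool's own code).

Reads inbox rules, sign-ins and authentication methods in a simplified
Graph-like shape and pulls out the abnormal items the "Suspicious items"
section asks for. All sample records below are constructed, not tenant data.
"""
from datetime import datetime

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's own accepted domains
HOME_COUNTRIES = {"US"}                  # the template flags non-US sign-ins
# assumption: client-app strings treated as "legacy" for the sign-in check
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def _parse(ts):
    # Graph timestamps are ISO-8601 UTC with a trailing 'Z'
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_inbox_rules(rules):
    """Check 1: (rule name, reason) for enabled rules that forward or redirect
    externally, delete mail, or carry a blank/one-character name."""
    flagged = []
    for rule in rules:
        actions = rule.get("actions", {})
        reasons = []
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for rcpt in actions.get(key, []):
                addr = rcpt["emailAddress"]["address"]
                if _is_external(addr):
                    reasons.append(f"{key} -> external {addr}")
        if actions.get("delete"):
            reasons.append("deletes matching mail")
        name = rule.get("displayName", "")
        if len(name.strip()) <= 1:
            reasons.append("blank or one-character rule name")
        if reasons and rule.get("isEnabled", True):
            flagged.append((name, "; ".join(reasons)))
    return flagged


def triage_sign_ins(sign_ins):
    """Check 6: summary counts plus sign-ins outside HOME_COUNTRIES or from legacy clients."""
    flagged, ips, countries, failures = [], set(), set(), 0
    for s in sign_ins:
        ips.add(s["ipAddress"])
        country = s.get("location", {}).get("countryOrRegion", "??")
        countries.add(country)
        if s.get("status", {}).get("errorCode", 0) != 0:
            failures += 1
        reasons = []
        if country not in HOME_COUNTRIES:
            reasons.append(f"non-home country {country}")
        if s.get("clientAppUsed") in LEGACY_CLIENTS:
            reasons.append(f"legacy client {s['clientAppUsed']}")
        if reasons:
            flagged.append((s["createdDateTime"], s["ipAddress"], "; ".join(reasons)))
    summary = {"count": len(sign_ins), "unique_ips": len(ips),
               "countries": sorted(countries), "failures": failures}
    return summary, flagged


def triage_auth_methods(methods, window_start, window_end):
    """Check 5: methods registered inside the attack window [start, end].
    Methods without a createdDateTime (some Graph method types omit it) are skipped."""
    start, end = _parse(window_start), _parse(window_end)
    return [(m["@odata.type"].rsplit(".", 1)[-1], m.get("displayName", ""), m["createdDateTime"])
            for m in methods
            if "createdDateTime" in m and start <= _parse(m["createdDateTime"]) <= end]


def suspicious_items(rules, sign_ins, methods, window_start, window_end):
    """Build the markdown bullets for the 'Suspicious items' section."""
    bullets = [f"- Inbox rule '{n}': {why}" for n, why in triage_inbox_rules(rules)]
    _, bad_logins = triage_sign_ins(sign_ins)
    bullets += [f"- Sign-in {ts} from {ip}: {why}" for ts, ip, why in bad_logins]
    bullets += [f"- Auth method {kind} '{name}' registered {ts} (inside attack window)"
                for kind, name, ts in triage_auth_methods(methods, window_start, window_end)]
    return bullets


# Constructed sample records (not real tenant data)
SAMPLE_RULES = [
    {"displayName": "Archive newsletters", "isEnabled": True, "actions": {"markAsRead": True}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "To manager", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "boss@contoso.example"}}]}},
]
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2026-04-10T13:02:11Z", "ipAddress": "203.0.113.7", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-11T02:40:09Z", "ipAddress": "198.51.100.23", "clientAppUsed": "IMAP4",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-11T02:41:50Z", "ipAddress": "198.51.100.23", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50126}},
]
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "displayName": "Pixel 8", "createdDateTime": "2025-09-01T08:00:00Z"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
     "displayName": "Unknown device", "createdDateTime": "2026-04-11T02:45:30Z"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneNumber": "+1 5550100"},
]

if __name__ == "__main__":
    for line in suspicious_items(SAMPLE_RULES, SAMPLE_SIGN_INS, SAMPLE_METHODS,
                                 "2026-04-10T00:00:00Z", "2026-04-12T00:00:00Z"):
        print(line)
```

On the constructed samples the single-character rule that forwards externally and deletes, both Nigerian sign-ins (one over IMAP4) and the Authenticator registration inside the window are the four bullets produced; the internal-only forward and the older Authenticator device are left alone. The attack window is passed explicitly so the same run can be repeated once the window is narrowed from the directory-audit check.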
## Gaps — checks not completed

{{list any 403s or missing permissions with exact remediation link (see gotchas.md)}}

## Next actions

- {{specific action + owner + deadline}}
- {{...}}

## Remediation actions (if any)

{{populated only when /remediation-tool remediate was executed — include cmdlet, parameters, response, timestamp}}

## Data artifacts

Raw JSON saved at /tmp/remediation-tool/{{tenant-id}}/{{check-dir}}/ — files:
- {{list filenames the scripts produced}}