azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ead5d4deec15022dbabb6917b12f89e6aad3a13
claudetools/.claude/skills/remediation-tool/SKILL.md
Mike Swanson 26df2c47b9 Session log: remediation skill rewrite (5-app tiered arch) + Cascades breach check John Trozzi 
- Rewrote get-token.sh: tiered app system (investigator/exchange-op/user-manager/tenant-admin/defender)
- Updated SKILL.md, command, gotchas, checklist, graph-endpoints for new app suite
- Cascades breach check: mailbox clean, inbound phishing received by John, DMARC gap noted

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 11:35:18 -07:00

5.2 KiB
Raw Blame History

name, description
name description
remediation-tool M365 tenant investigation and remediation using the ComputerGuru tiered MSP app suite (5 apps: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on). Auto-invoke when the user says "remediation tool", "365 remediation", "check <user>'s mailbox/box", "credential stuffing" against an M365 user, "breach check" on an M365 tenant, or needs M365 admin API work that client-credentials Graph + Exchange REST can perform. NOT for CIPP — this is the direct Graph API app suite. Also invoke when the user needs any of: inbox rule enumeration, mailbox forwarding check, delegate/SendAs audit, OAuth consent audit, sign-in log queries, risky user lookup, directory audit queries, B2B guest invite audit against M365. Triggers: "365 remediation", "remediation tool", "check <user> box/mailbox/account for breach", "credential stuff*", "who's getting attacked", "foreign sign-in", "inbox rule", "mailbox forward*", "oauth consent" (in MSP context), "tenant sweep", "risky user", "hidden rule", Exchange Online admin API, "adminapi/beta/{tenant}/InvokeCommand".

365 Remediation Tool

Read-only by default. All remediation actions require explicit YES confirmation in chat (not a permission prompt).

App Architecture (Tiered)

Five multi-tenant apps cover distinct privilege tiers. Use only what the task requires.

Tier App display name App ID Vault file Scope
investigator ComputerGuru Security Investigator bfbc12a4-f0dd-4e12-b06d-997e7271e10c computerguru-security-investigator.sops.yaml Graph read-only
investigator-exo ComputerGuru Security Investigator bfbc12a4-f0dd-4e12-b06d-997e7271e10c computerguru-security-investigator.sops.yaml Exchange Online read
exchange-op ComputerGuru Exchange Operator b43e7342-5b4b-492f-890f-bb5a4f7f40e9 computerguru-exchange-operator.sops.yaml Exchange Online write
user-manager ComputerGuru User Manager 64fac46b-8b44-41ad-93ee-7da03927576c computerguru-user-manager.sops.yaml Graph user/group write
tenant-admin ComputerGuru Tenant Admin 709e6eed-0711-4875-9c44-2d3518c47063 computerguru-tenant-admin.sops.yaml Graph high-privilege
defender ComputerGuru Defender Add-on dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b computerguru-defender-addon.sops.yaml Defender ATP (MDE only)

Default for breach checks: use investigator (Graph) + investigator-exo (Exchange read). Escalate to write tiers only when remediating.

Auto-Invocation Behavior

When triggered automatically (vs. via /remediation-tool), follow the same workflow in .claude/commands/remediation-tool.md:

  1. Parse the user's intent into a subcommand (check/sweep/signins/consent-url/remediate).
  2. Resolve tenant ID from domain.
  3. Acquire tokens via get-token.sh <tenant> <tier> — use lowest-privilege tier needed.
  4. Run checks via scripts in scripts/.
  5. Interpret findings using references/checklist.md.
  6. Write report to clients/{slug}/reports/YYYY-MM-DD-{action}.md using templates/breach-report.md.
  7. Chat summary + delegate commit to Gitea agent.

Before calling any script, verify

  • The SOPS vault is accessible: test -f D:/vault/scripts/vault.sh (Windows) or test -f ~/vault/scripts/vault.sh (other).
  • jq, curl, bash are available.
  • For Exchange REST checks: confirm the target tenant has Exchange Administrator role assigned to the Security Investigator SP (for reads) or Exchange Operator SP (for writes). If any Exchange REST call returns 403, emit the tenant-scoped Entra Roles link from references/gotchas.md.
  • For Identity Protection checks: IdentityRiskyUser.Read.All is in the Security Investigator manifest AND the tenant has consented to that app. If 403, emit the per-app consent URL from references/gotchas.md.
  • For Defender checks: confirm tenant has Microsoft Defender for Endpoint (MDE) license before using defender tier — it returns AADSTS650052 otherwise.

Conventions

  • Target identifiers: accept UPN, domain, or tenant GUID. Normalize to tenant GUID internally.
  • Token tiers: minimum necessary privilege. Never use tenant-admin for a read-only check.
  • Token cache: /tmp/remediation-tool/{tenant-id}/{tier}.jwt. TTL 55 minutes. Check -mmin -55 before reuse.
  • Raw JSON artifacts: /tmp/remediation-tool/{tenant-id}/{check}/ — keep so the user can re-analyze.
  • Reports: clients/{slug}/reports/YYYY-MM-DD-{action}.md. Derive slug from domain (strip TLD, hyphenate).
  • UTC dates everywhere.

Scope boundaries

  • Not a replacement for CIPP. Use CIPP for bulk baseline configuration, templates, standards alerting. Use this tool for focused investigation and point-in-time remediation.
  • Not for creating/modifying Entra apps or Conditional Access policies. Those are sensitive enough to stay manual in the portal.
  • Not for Graph permissions the apps don't have. If a call 403s and the scope isn't in the relevant app's manifest, stop and tell the user — don't try to work around it.
  • Defender tier requires MDE license. If the tenant doesn't have MDE, the token request succeeds but API calls return AADSTS650052. Check before using.
Reference in New Issue View Git Blame Copy Permalink