Files
claudetools/clients/kittle/reports/2026-07-02-p2-security-scan.md
Winter Williams ac23f17e23 sync: auto-sync from GURU-BEAST-ROG at 2026-07-02 10:55:41
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-02 10:55:41
2026-07-02 10:57:33 -07:00

49 lines
3.0 KiB
Markdown

# Kittle Design & Construction — P2 Security Scan
**Date:** 2026-07-02 (UTC) | **Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
**Requested by:** Mike (via Discord) | **Executed by:** ClaudeTools Discord Bot
**Scope:** Identity Protection (Entra ID P2) data + 30-day tenant sweep, read-only, investigator tier
## Identity Protection (P2)
- **Risk detections (30d):** NONE
- **Risky users:** 5 accounts with prior risk history, ALL currently `riskLevel=none / riskState=remediated`:
- wrex@ (remediated 2026-06-08), Ken@ (2026-06-09), Marco@ (2026-06-15), alexis@ (2026-04-24), scott@ (2025-07-18)
- No active risky sign-ins.
## Sign-in activity (30d)
- **Ken@kittlearizona.com: 140 failed foreign sign-in attempts** from 140 unique IPs (AU, DE, GB), 2026-06-11 → 2026-06-18. Pattern = distributed password spray. **All failed; zero successful non-US sign-ins tenant-wide.** CA non-US block is holding.
- No other accounts targeted from abroad.
## Conditional Access (all enabled)
- ACG - Require MFA for all users
- ACG - Block legacy authentication
- ACG - Block non-US sign-ins
- ACG - Block known attacker IPs
- Note: no risk-BASED CA policy exists — P2 risk signals are informational only, not enforced.
## MFA registration
- All 15 internal users MFA-registered and capable.
- Weakest methods: admin@ and scott@ are SMS-only (mobilePhone); sysadmin@ includes email as a method. Recommend Authenticator app or passkey for these.
- Several users already on passkeys (Accounting, Hayden, Joshua, Neal). Good posture.
## Items needing human review
1. **Guest invite created TODAY 2026-07-02 17:02 UTC** by Accounting@ for external user `darlenecabrera87@gmail.com` — verify this was intentional.
2. Ken@ remains a spray target (also had prior incident — see vault clients/kittle/m365-ken-schagel-incident). Consider risk-based CA or passkey for Ken.
3. admin@/scott@ SMS-only MFA.
4. Consider a report-only risk-based CA policy to actually use the P2 licensing they pay for.
## Related changes same session
- License moves: wrex@ BP removed (disabled acct); alexis@ + Ken@ moved E3 -> Business Premium. BP now 12/12. Josh.B@ + Tyrele@ still on lapsed E3 (0 purchased / 2 consumed).
Raw JSON: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/sweep/ (BEAST)
## Addendum — CA hardening deployed (report-only), 2026-07-02
Four new policies created via tenant-admin tier, all `enabledForReportingButNotEnforced`,
all excluding break-glass sysadmin@ (6139d1af-eee3-4e0b-b240-21e4827df756):
1. ACG - Block device code flow and auth transfer — 61e11a6b-9005-479b-a402-636e5efc8b28
2. ACG - Admins: 12h sign-in frequency, no persistent sessions — 954bee7c-0440-4f5e-bce0-fefd9752cad1
3. ACG - Block guest access to admin portals — 69a24225-132c-45df-8438-cf36ab862eb6
4. ACG - Require MFA to register security info — 70db3c98-bf29-413b-a8df-c58f538246e7
Next: review report-only impact in sign-in logs after ~5-7 days; flip to enabled only
with explicit confirmation from Mike.