Mike Swanson a0e01c3d39 sync: auto-sync from GURU-5070 at 2026-06-08 19:04:33

---
title: Safe Site Utility Services LLC
type: client
slug: safesite
last_verified: 2026-06-08
source_logs: session-logs/2026-06/2026-06-08-mike-safesite-investigation.md
---

Safe Site Utility Services LLC

MSP client. Fragmented endpoint management across four systems (Datto RMM, Intune/MDM, ScreenConnect, Syncro) — a GuruRMM consolidation is in progress.

M365 tenant

  • Domain: safesitellc.com · Tenant ID: 71b4e637-c802-4137-a812-ae50dbc839e3
  • Onboarded apps (ComputerGuru MSP suite), verified live 2026-06-08:
    • Security Investigator, User Manager, Tenant Admin — Graph, consented + reading.
    • Intune Manager (46986910-aa47-4e5e-b596-f65c6b485abb) — consented 2026-06-08 (Mike, GA). Holds full Intune write scopes (DeviceManagementConfiguration/ManagedDevices/Apps ReadWrite.All + ManagedDevices.PrivilegedOperations.All). Use the intune-manager get-token tier.
    • Exchange Operator/Investigator-EXO: a token is issued, but EXO InvokeCommand returns 401 because the SP lacks the Exchange Administrator role in-tenant (not yet assigned). Defender tier: reachable, but 0 devices are onboarded to MDE, so there is no endpoint EDR telemetry.
  • get-token note: ~/.claude/identity.json lacks vault_path on GURU-5070, so pass VAULT_ROOT_ENV=D:/vault to remediation-tool/scripts/get-token.sh.

Intune posture (45 Windows devices, enrollment-only)

  • 45 Windows MDM devices; no compliance policies, no configuration profiles (settings catalog empty). Enrollment configs are all default. One deployed app: ScreenConnect Client.
  • Security gaps: 22 of 45 unencrypted (no BitLocker, nothing enforcing it); 8 noncompliant.
  • Devices enrolled under IT/admin accounts (JonathanB@, sysadmin@, subhamb@, mailadmin1@), NOT end users — so Intune's userPrincipalName does NOT identify the real operator. Use Datto's Last User for person→machine attribution instead.

Endpoint management fragmentation (reconciled 2026-06-08)

Unified inventory by hostname across all four sources = 73 unique machines.

  • Datto RMM = the near-master list (71/73) and carries real Last User + AV/EDR status. Only 0325-DELL3550 and LAPTOP are absent from Datto (Intune-only).
  • Intune 42 · Syncro 24 · GuruRMM 18 (as of 2026-06-08).
  • No Datto API creds in vault — Datto data comes from console CSV export.
  • The ScreenConnect API key only supports GetSessionsByName (which returns blank for agents), so the fleet cannot be enumerated through it; see reference_screenconnect_api.

GuruRMM

  • Client Safesite fe17552f-736b-42ec-86a2-0e6f107f2397. Sites: Bell (RED-HAWK-6595), Glendale (SWIFT-OCEAN-8321), Unknown (LIGHT-CLOUD-3585, created 2026-06-08 as the catch-all bucket for un-attributed push installs).
  • 18 agents enrolled; 55 of 73 machines still need the agent. Agents were observed offline / WS-disconnected on 2026-06-08 (dispatches go to pending) while the same machines show Online in Datto, so Datto/Intune are the live push channels right now, not GuruRMM.

NexSite recalled-email investigation (2026-06-08)

External sender m.paris@nexsitepartners.com sent "Re: NWWells - SafeSite - Vendor Forms" with attachment SSUS 06122026.PDF to 9 Safe Site recipients on 2026-06-08 at ~18:54 UTC; the message was then recalled. IT contact: Jonathan Byrd (j.byrd@nexsitepartners.com). Goal: determine whether the PDF was accessed or downloaded on managed endpoints.

  • No EDR back-telemetry (MDE has 0 devices), so endpoint history can only come from on-disk artifact recovery (file search + Zone.Identifier MotW + Outlook cache + browser download history + RecentDocs), run via a live channel.
  • Recipient → machine (via Datto Last User): beeanna=0225-DELL3550, david=0622-DAVID-HP, jon=0525-ASUSFX707Z, justinb=0525-DELL3550-1, lennyg=DESKTOP-3USU20B, suzannep=1122-SUZANNE-DELL, travisf=MSI, jeremiahw=DESKTOP-LOPKB4G, thomasc=0724-DELL3550.
  • Caveat: artifact recovery can prove "downloaded = yes"; it cannot prove "never accessed". It only covers managed machines (not phones or personal devices). Time-sensitive: artifacts age out.
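
Added example of the artifact sweep described above (not from this wiki or from GuruRMM): a PowerShell script meant to run as SYSTEM through whichever live channel is chosen (Datto console job or Intune proactive remediation), sweeping every user profile for the attachment, reading its Zone.Identifier (MotW) stream, and checking shell RecentDocs for the name. It assumes the attachment file name from the investigation and that the profiles of interest are under C:\Users; RecentDocs is only visible for hives that are currently loaded (logged-on users).

```powershell
# Added example, not project code. Assumption: $Target is the attachment named in the investigation.
$Target = 'SSUS 06122026.PDF'
$Hits = @()

# 1. On-disk search across every user profile (Downloads, Outlook secure temp, browser caches).
#    -Force includes hidden folders such as INetCache; hits are recorded with UTC timestamps.
foreach ($Root in (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue)) {
    Get-ChildItem -Path $Root.FullName -Recurse -Force -Filter $Target -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Mark = $null
        try {
            # Zone.Identifier ADS = Mark-of-the-Web: ZoneId, and for browser downloads the source URL.
            $Mark = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction Stop
        } catch { }
        $Hits += [pscustomobject]@{
            Kind      = 'file'
            Path      = $_.FullName
            Created   = $_.CreationTimeUtc
            LastWrite = $_.LastWriteTimeUtc
            MotW      = ($Mark -join ';')
        }
    }
}

# 2. RecentDocs (per-user NTUSER.DAT) lists documents opened via the shell, even if later deleted.
#    Only loaded hives under HKEY_USERS are visible, so this covers logged-on users.
if (-not (Test-Path 'HKU:')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
$UserHives = Get-ChildItem 'HKU:' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($Hive in $UserHives) {
    $Key = "HKU:\$($Hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf"
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in ($Props.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' }).Name) {
        # Each numbered value is a binary blob whose leading NUL-terminated UTF-16LE string is the document name.
        $Doc = [System.Text.Encoding]::Unicode.GetString($Props.$Name).Split([char]0)[0]
        if ($Doc -ieq $Target) {
            $Hits += [pscustomobject]@{ Kind = 'recentdocs'; Path = $Doc; Created = $null; LastWrite = $null; MotW = "SID=$($Hive.PSChildName)" }
        }
    }
}

# One JSON document per host, so results from many endpoints can be collected and joined on Host.
[pscustomobject]@{ Host = $env:COMPUTERNAME; Target = $Target; SweptUtc = (Get-Date).ToUniversalTime(); Hits = $Hits } |
    ConvertTo-Json -Depth 4
```

An empty Hits array means no artifact was found on that host, which, per the caveat above, is not proof the file was never accessed.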

Open items

  • Choose the forensic channel (Datto console job vs Intune proactive remediation); GuruRMM agents are offline.
  • Push the GuruRMM agent to the 55 gap machines.
  • Assign the Exchange Admin role to the Sec Investigator SP if mailbox-audit forensics are wanted.
  • Remediate the 22 unencrypted endpoints.