Session Log — 2026-06-06 — Howard — Lighthouse Risky-User Alert Triage
User
- User: Howard Enos (howard)
- Machine: Howard-Home
- Role: tech
Session Summary
Investigated a burst of Microsoft 365 Lighthouse alert emails Howard received at howard@azcomputerguru.com, using the remediation-tool skill (read-only, investigator tier). Acquired a Graph read token for the ACG partner tenant and searched Howard's mailbox: found 35 "Risky user" alerts (severity High) plus one Lighthouse billing/invoice email, all from m365-noreply@microsoft.com, all dated June 5 2026, delivered in a single 2-minute burst (2026-06-05 22:18-22:20 UTC). Pulled the full HTML body of one alert and parsed all of them to extract per-tenant detail.
Every alert was generated by the same rule: "SAMPLE - Alert on risky user" — a Microsoft built-in Lighthouse sample alert rule (the "SAMPLE -" prefix is Microsoft's). The 35 alerts spanned 15 client tenants. Concluded this is a sample-rule backfill / risk-detection wave firing portfolio-wide, not 35 simultaneous live breaches. Flagged the accounts worth real triage: ACG-controlled admin accounts showing risky in client tenants ("Computer Guru" @ MVAN + Valley Wide, "Mike Swanson" @ JR Kennedy), and service/shared accounts (GTIMail + Shoretel @ Glaz-Tech, "remote" @ IMC, On-Prem Dir Sync svc acct @ Russo, Accounting @ Sonoran Green, Orders VWP @ Valley Wide).
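Added illustration (not the remediation-tool skill's code, and not what ran in this session): a parser that strips Lighthouse-style alert HTML, pulls the labelled fields out, groups alerts by tenant, and applies the same wave-vs-incident reasoning used above. The field labels (Rule name, Tenant name, Tenant ID, User, Severity), the placeholder tenant GUIDs and the service-account name hints are assumptions for the example; real alert bodies differ.

```python
# Added example, not code from the session log or the remediation-tool skill.
# Parses constructed Lighthouse-style "Risky user" alert bodies, groups them by
# tenant, and decides whether a burst looks like a sample-rule backfill wave.
import re
import sys
from collections import defaultdict
from datetime import datetime
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML alert body."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        return " ".join(" ".join(self.parts).split())


def strip_html(html):
    parser = _TextExtractor()
    parser.feed(html)
    return parser.text()


# Field labels are an assumption for this example; real Lighthouse bodies differ.
LABELS = ("Rule name", "Tenant name", "Tenant ID", "User", "Severity")
_LABEL_ALT = "|".join(re.escape(label) for label in LABELS)
FIELD_RE = re.compile(rf"({_LABEL_ALT}):\s*(.*?)(?=\s+(?:{_LABEL_ALT}):|$)")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_alert(html, received_utc):
    """Return the labelled fields of one alert plus its delivery time."""
    fields = dict(FIELD_RE.findall(strip_html(html)))
    if not GUID_RE.match(fields.get("Tenant ID", "")):
        raise ValueError("alert body has no usable Tenant ID")
    fields["received"] = datetime.fromisoformat(received_utc.replace("Z", "+00:00"))
    return fields


# Partner-controlled admin display names named in the log; service-account hints are assumed.
MSP_ADMIN_ACCOUNTS = {"computer guru", "mike swanson"}
SERVICE_HINTS = ("mail", "svc", "sync", "orders", "accounting", "remote", "shoretel")


def priority_reason(user):
    name = user.lower()
    if name in MSP_ADMIN_ACCOUNTS:
        return "msp-admin"
    if any(hint in name for hint in SERVICE_HINTS):
        return "service-account"
    return None


def triage(alerts, burst_minutes=5):
    """Summarise parsed alerts: tenant spread, delivery window, whether they look
    like one sample-rule wave, and which accounts deserve a real look."""
    by_tenant = defaultdict(list)
    for a in alerts:
        by_tenant[a["Tenant ID"]].append(a["User"])
    times = sorted(a["received"] for a in alerts)
    window_min = (times[-1] - times[0]).total_seconds() / 60 if times else 0.0
    all_sample = all(a["Rule name"].startswith("SAMPLE -") for a in alerts)
    wave = bool(alerts) and all_sample and len(by_tenant) > 1 and window_min <= burst_minutes
    priority = sorted((a["User"], priority_reason(a["User"]), a["Tenant name"])
                      for a in alerts if priority_reason(a["User"]))
    return {"alerts": len(alerts), "tenants": len(by_tenant),
            "window_minutes": round(window_min, 2), "sample_wave": wave, "priority": priority}


def _body(rule, tenant_name, tenant_id, user):
    return (f"<html><body><h2>Microsoft 365 Lighthouse alert was detected</h2>"
            f"<p>Rule name: {rule}</p><p>Tenant name: {tenant_name}</p>"
            f"<p>Tenant ID: {tenant_id}</p><p>User: {user}</p><p>Severity: High</p></body></html>")


# Constructed sample set: placeholder tenant GUIDs, a 2-minute delivery burst.
SAMPLE_RULE = "SAMPLE - Alert on risky user"
T_A = "00000000-0000-4000-8000-00000000000a"
T_B = "00000000-0000-4000-8000-00000000000b"
T_C = "00000000-0000-4000-8000-00000000000c"
CONSTRUCTED_ALERTS = [
    parse_alert(_body(SAMPLE_RULE, "Tenant A (placeholder)", T_A, "GTIMail"), "2026-06-05T22:18:10Z"),
    parse_alert(_body(SAMPLE_RULE, "Tenant A (placeholder)", T_A, "Dave Hill"), "2026-06-05T22:18:30Z"),
    parse_alert(_body(SAMPLE_RULE, "Tenant B (placeholder)", T_B, "Computer Guru"), "2026-06-05T22:19:05Z"),
    parse_alert(_body(SAMPLE_RULE, "Tenant B (placeholder)", T_B, "Orders VWP"), "2026-06-05T22:19:40Z"),
    parse_alert(_body(SAMPLE_RULE, "Tenant C (placeholder)", T_C, "Jan Traficanti"), "2026-06-05T22:20:05Z"),
]

if __name__ == "__main__":
    # Pipe one alert body in on stdin (sidesteps the Windows /tmp path mismatch noted below).
    print(parse_alert(sys.stdin.read(), "2026-06-05T22:18:00Z") if not sys.stdin.isatty()
          else triage(CONSTRUCTED_ALERTS))
```

Reading the body from stdin rather than a temp file is the same workaround recorded under Problems Encountered; the wave heuristic (all alerts from a "SAMPLE -" rule, several tenants, one short delivery window) is only a first-pass classifier and does not replace the per-tenant riskyUsers check.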
Howard then asked when the rule was applied and by whom. Began a per-tenant riskyUsers pull (Identity Protection) for the priority accounts — extracted all 15 tenant GUIDs straight from the alert email bodies — but Howard interrupted/redirected to the rule-provenance question before that ran. Pivoted to provenance investigation.
Attempted to determine rule provenance through every read-only path the tool can reach, all of which dead-ended: (1) Entra directory audit log for the ACG tenant returned no Lighthouse alert-rule events (Lighthouse does not log there; only SaaSAlerts.Fortify SP grants matched "alert"), and only retains 30 days (back to 5/6). (2) Lighthouse rule config via Graph is unavailable — the investigator app lacks ManagedTenants.Read.All. (3) Unified Audit Log via the Exchange tier (Search-UnifiedAuditLog over a 180-day window) returned HTTP 401; a follow-up Get-OrganizationConfig probe also 401'd, confirming the Security Investigator app has no Exchange/audit RBAC role in our OWN partner tenant (we only grant it Exchange Admin in client tenants for breach checks).
Reported the blocker and presented three unblock options to Howard: check the Lighthouse portal directly (Alerts -> Alert rules -> rule detail shows created/modified-by), run Search-UnifiedAuditLog himself in an interactive admin EXO session, or have Claude grant the investigator SP the "View-Only Audit Logs" role in the ACG tenant (a privilege change, deferred pending explicit go). Session ended awaiting his choice.
Key Decisions
- Classified the 35 alerts as a SAMPLE-rule backfill / risk-detection wave rather than 35 live incidents, based on: the literal "SAMPLE -" Microsoft template name, the single 2-minute portfolio-wide burst, and many flagged accounts being non-interactive service/shared accounts.
- Narrowed recommended triage to ACG admin accounts and service accounts rather than all 35 users — those are the ones where a real risk flag actually matters.
- Extracted tenant GUIDs from the alert email bodies (each contains "Tenant ID:") instead of resolving 15 domains separately — faster and avoids name-to-domain guessing for tenants whose display name is not a domain.
- Did NOT grant the investigator app an Exchange/audit role in the ACG tenant to unblock the UAL search — that is a privilege change in our own tenant and requires explicit user approval.
- Kept the entire session read-only: did not mark any emails read, ran no remediation, made no riskyUser state changes.
Problems Encountered
- Windows /tmp path mismatch broke a Python HTML-stripper that read from a Git-Bash-written /tmp file (Windows Python resolved a different /tmp). Resolved by piping the HTML to Python via stdin instead of a temp file.
- Entra directoryAudits rejected an activityDateTime filter older than 30 days ("Minimum allowed time ... is 5/6/2026"). Resolved by setting the filter start to 2026-05-06.
- Search-UnifiedAuditLog via EXO REST returned an empty body, then HTTP 401. Diagnosed with a trivial Get-OrganizationConfig probe (also 401) -> root cause is the investigator SP having no Exchange RBAC role in the ACG partner tenant (blanket 401, not cmdlet-specific). Reported as a blocker rather than worked around.
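Added example (not the remediation-tool skill's code): two pre-flight checks that would have surfaced the second and third problems above before any call was spent, namely decoding the token's roles claim to confirm a required permission is present, and clamping the directoryAudits filter start to the 30-day retention floor. The unsigned example token and the retention constant are constructed for this illustration; a real token is signed by Entra and its signature is not checked here because the decode is only for inspection.

```python
# Added example, not code from the session log or the remediation-tool skill.
import base64
import json
from datetime import datetime, timedelta, timezone

AUDIT_RETENTION_DAYS = 30   # Graph directoryAudits retention observed in the log


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this is only for inspecting which roles a token carries before spending calls."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required):
    """App-only Graph tokens list granted application permissions in 'roles'."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return sorted(set(required) - granted)


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def directory_audit_filter(wanted_start, now=None):
    """Build the $filter value for /auditLogs/directoryAudits, clamping the start
    to the retention floor so the request is not rejected with
    'Minimum allowed time ...'. Returns (filter_expr, was_clamped)."""
    now_dt = _iso(now) if now else datetime.now(timezone.utc)
    floor = now_dt - timedelta(days=AUDIT_RETENTION_DAYS)
    start = max(_iso(wanted_start), floor)
    expr = "activityDateTime ge " + start.strftime("%Y-%m-%dT%H:%M:%SZ")
    return expr, start > _iso(wanted_start)


def make_unsigned_token(claims):
    """Constructed JWT-shaped string for offline use; a real token is signed by Entra."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), "placeholder-signature"])


# Constructed example: roles mirror those listed for the investigator app in this log.
EXAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["AuditLog.Read.All", "Directory.Read.All", "IdentityRiskyUser.Read.All"],
})

if __name__ == "__main__":
    print(missing_roles(EXAMPLE_TOKEN, ["AuditLog.Read.All", "ManagedTenants.Read.All"]))
    print(directory_audit_filter("2025-12-08T00:00:00Z", now="2026-06-05T23:00:00Z"))
```

The roles check covers Graph application permissions only; it says nothing about Exchange RBAC, which is why the EXO 401 still needed the Get-OrganizationConfig probe.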
Configuration Changes
- session-logs/2026-06-06-howard-lighthouse-risky-user-alerts.md — created (this log).
- No repo code/config changes. No M365 changes (read-only session).
Credentials & Secrets
None discovered or created. Tokens acquired via remediation-tool get-token.sh (investigator = Graph read; investigator-exo = EXO read) for the ACG tenant; cert/secret auth from the SOPS vault entry msp-tools/computerguru-security-investigator.sops.yaml. Tokens cached at /tmp/remediation-tool/{tenant}/{tier}.jwt (TTL 55 min).
Infrastructure & Servers
- ACG partner tenant (azcomputerguru.com): tenant id ce61461e-81a0-4c84-bb4a-7b354a9a356d
- ComputerGuru Security Investigator app id bfbc12a4-f0dd-4e12-b06d-997e7271e10c — Graph roles include AuditLog.Read.All, Directory.Read.All, IdentityRiskyUser.Read.All; does NOT have ManagedTenants.Read.All. Has NO Exchange RBAC role in the ACG tenant (EXO adminapi returns 401).
- Client tenant GUIDs (from alert email bodies):
  - Bill Tedards: 4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6
  - Dataforth Corporation: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
  - Glaz-Tech Industries: 82931e3c-de7a-4f74-87f7-fe714be1f160
  - Instrumental Music Center: 65adab75-f1fd-4ef9-b2b4-c24f595393e3
  - JR Kennedy Company: a92594b9-c8ad-4dba-8b40-14fcd32c723c
  - Jema Enterprises, LLC: 41268042-9a8e-41c2-9a3c-0775398b86cb
  - Kittle Design & Construction: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
  - MVAN Enterprises, Inc: 5affaf1e-de89-416b-a655-1b2cf615d5b1
  - Patient Care Advocates: 463b462d-0995-4e51-9e41-82c208015c7f
  - Ridgetop Group: ef111bfc-9c90-43c9-a581-f9bbfceb6517
  - Russo Law Firm: bef1b190-f78f-4b1c-aa4b-fab186a30702
  - Safe Site Utility Services LLC: 71b4e637-c802-4137-a812-ae50dbc839e3
  - Sonorangreenllc.com: ededa4fb-f6eb-4398-851d-5eb3e11fab27
  - Valley Wide Plastering: 5c53ae9f-7071-4248-b834-8685b646450f
  - cclac.net: e8a0fafc-21ee-41e8-a5ba-f3a250a8a30e
Commands & Outputs
- bash scripts/resolve-tenant.sh azcomputerguru.com -> ce61461e-81a0-4c84-bb4a-7b354a9a356d
- bash scripts/get-token.sh <tenant> investigator / ... investigator-exo -> bearer tokens.
- Graph mailbox search: GET /users/howard@azcomputerguru.com/messages?$search="Microsoft 365 Lighthouse alert was detected" with header ConsistencyLevel: eventual -> 35 risky-user alerts + 1 invoice.
- Token roles decoded from the JWT roles claim — confirmed AuditLog.Read.All present, ManagedTenants.Read.All absent.
- GET /auditLogs/directoryAudits?$filter=activityDateTime ge 2026-05-06T00:00:00Z -> 88 events, services: Core Directory / Self-service Group Mgmt / Self-service Password Mgmt; only "alert" matches were SaaSAlerts.Fortify SP grants (5/7, 5/15). No Lighthouse rule events.
- EXO Search-UnifiedAuditLog via POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand -> HTTP 401; Get-OrganizationConfig probe -> HTTP 401 (blanket no-RBAC).
Pending / Incomplete Tasks
- AWAITING HOWARD'S CHOICE on rule provenance ("when/who applied SAMPLE - Alert on risky user"):
  - (B, fastest) Lighthouse portal -> Alerts -> Alert rules -> open the rule -> created/modified-by metadata.
  - (3) Howard runs Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) -FreeText "Alert on risky user" -ResultSize 500 in an interactive admin EXO session.
  - (1) Claude grants the Security Investigator SP the "View-Only Audit Logs" role in the ACG tenant (tenant-admin tier) then re-runs the UAL search via the tool — deferred, needs explicit go (privilege change in our own tenant).
- NOT DONE (interrupted): per-tenant riskyUsers (Identity Protection) pull for the priority accounts (ACG admin + service accounts) to separate live risk from stale backfill. Tenant GUIDs already gathered above; ready to resume if asked.
- Consideration: ACG admin accounts flagged risky in client tenants (Computer Guru @ MVAN/Valley Wide, Mike Swanson @ JR Kennedy) warrant a genuine check that our own creds are not being sprayed.
- Housekeeping: the noisy "SAMPLE -" rule could be quieted/renamed in the Lighthouse portal so this does not re-spam Howard's inbox (portal action, not this tool).
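Added example (not the remediation-tool skill's code) of the interrupted resume step: page through a tenant's riskyUsers collection via @odata.nextLink, then separate records whose risk was last updated inside the June 5 alert burst from records with a different, still-active signal. The Graph field names (riskState, riskLevel, riskLastUpdatedDateTime, userPrincipalName) are the real resource properties; the pages, UPNs, skiptoken value and the live/wave/cleared heuristic are constructed for this illustration, and the HTTP client is injected so the block runs offline.

```python
# Added example, not code from the session log or the remediation-tool skill.
from datetime import datetime, timedelta, timezone

RISKY_USERS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=200"
ACTIVE_STATES = ("atRisk", "confirmedCompromised")


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def fetch_all(get_json, url):
    """Follow @odata.nextLink until the collection is exhausted. get_json(url) -> dict
    is injected so this runs offline; in the tool it would be an authenticated GET."""
    items = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def classify(users, burst_start, burst_end, tolerance_hours=1):
    """Bucket riskyUsers records (heuristic assumed for this example):
    cleared - riskState is neither atRisk nor confirmedCompromised
    wave    - still atRisk, but risk last updated inside the alert burst window,
              consistent with the portfolio-wide sample-rule detection wave
    live    - confirmedCompromised, or risk updated outside the burst window"""
    pad = timedelta(hours=tolerance_hours)
    lo, hi = _iso(burst_start) - pad, _iso(burst_end) + pad
    buckets = {"live": [], "wave": [], "cleared": []}
    for u in users:
        upn = u.get("userPrincipalName", "?")
        state = u.get("riskState")
        if state not in ACTIVE_STATES:
            buckets["cleared"].append(upn)
            continue
        updated = _iso(u["riskLastUpdatedDateTime"])
        in_burst = lo <= updated <= hi
        buckets["wave" if in_burst and state == "atRisk" else "live"].append(upn)
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed stand-in for two Graph pages; UPNs, tenant and skiptoken are placeholders.
_PAGE_2 = RISKY_USERS_URL + "&$skiptoken=placeholder-page-2"
FAKE_PAGES = {
    RISKY_USERS_URL: {
        "value": [
            {"userPrincipalName": "svc-dirsync@tenant-a.example", "riskState": "atRisk",
             "riskLevel": "high", "riskLastUpdatedDateTime": "2026-06-05T22:19:12Z"},
            {"userPrincipalName": "orders@tenant-a.example", "riskState": "remediated",
             "riskLevel": "none", "riskLastUpdatedDateTime": "2026-05-30T10:00:00Z"},
        ],
        "@odata.nextLink": _PAGE_2,
    },
    _PAGE_2: {
        "value": [
            {"userPrincipalName": "msp-admin@tenant-a.example", "riskState": "atRisk",
             "riskLevel": "high", "riskLastUpdatedDateTime": "2026-06-06T03:40:00Z"},
            {"userPrincipalName": "shared@tenant-a.example", "riskState": "confirmedCompromised",
             "riskLevel": "high", "riskLastUpdatedDateTime": "2026-06-05T22:19:40Z"},
        ],
    },
}

BURST = ("2026-06-05T22:18:00Z", "2026-06-05T22:20:00Z")   # delivery window from the log


def demo():
    users = fetch_all(FAKE_PAGES.__getitem__, RISKY_USERS_URL)
    return classify(users, *BURST)


if __name__ == "__main__":
    print(demo())
```

A "wave" record is not proof of a false positive; it only means the risk timestamp is consistent with the backfill and the account can be reviewed after the "live" ones (the ACG admin and service accounts flagged above).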
Reference Information
- Mailbox investigated: howard@azcomputerguru.com (ACG tenant).
- Alert source: m365-noreply@microsoft.com; rule "SAMPLE - Alert on risky user"; type "Risky user"; severity High; detection date June 5 2026.
- 35 risky-user alerts across 15 tenants. Full per-tenant user list captured in chat (e.g. Glaz-Tech: GTIMail, Shoretel, Dave Hill, Linda Salazar, Roxy Scott; Ridgetop: Jan Traficanti, Nicolas Blanchard, Luis Hernandez, Arsh Nadkarni, Clay Hunt; Safe Site: Lisa Stirzl, Rachel Rupp, George Brandt, Cody Kennedy, Jeff Mortenson; Valley Wide: Computer Guru, Orders VWP, Sammy Montijo, Bart Graffin; etc.).
- Remediation skill: .claude/skills/remediation-tool/ (get-token.sh, resolve-tenant.sh, user-breach-check.sh).
- Graph riskyUsers endpoint for resume: GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=200 (per tenant, investigator tier).
- EXO REST: POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand (needs Exchange RBAC role on the SP — absent in ACG).