azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efb5bdfa77555e57a412b4a9fa381b32b7397e95
claudetools/wiki/clients/safesite.md
Mike Swanson a0e01c3d39 sync: auto-sync from GURU-5070 at 2026-06-08 19:04:33 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-08 19:04:33
2026-06-08 19:05:38 -07:00

71 lines
4.3 KiB
Markdown
Raw Blame History

---
title: Safe Site Utility Services LLC
type: client
slug: safesite
last_verified: 2026-06-08
source_logs:
- session-logs/2026-06/2026-06-08-mike-safesite-investigation.md
---
# Safe Site Utility Services LLC
MSP client. Fragmented endpoint management across **four** systems (Datto RMM, Intune/MDM,
ScreenConnect, Syncro) — a GuruRMM consolidation is in progress.
## M365 tenant
- **Domain:** safesitellc.com · **Tenant ID:** `71b4e637-c802-4137-a812-ae50dbc839e3`
- **Onboarded apps (ComputerGuru MSP suite), verified live 2026-06-08:**
- Security Investigator, User Manager, Tenant Admin — Graph, consented + reading.
- **Intune Manager** (`46986910-aa47-4e5e-b596-f65c6b485abb`) — **consented 2026-06-08** (Mike, GA).
Holds full Intune write scopes (DeviceManagementConfiguration/ManagedDevices/Apps ReadWrite.All
+ ManagedDevices.PrivilegedOperations.All). Use the `intune-manager` get-token tier.
- Exchange Operator/Investigator-EXO: token issues but EXO `InvokeCommand` 401 — the SP lacks the
**Exchange Administrator** role in-tenant (not yet assigned). Defender tier: reachable but **0
devices onboarded** to MDE (no endpoint EDR telemetry).
- **get-token note:** `~/.claude/identity.json` lacks `vault_path` on GURU-5070 → pass
`VAULT_ROOT_ENV=D:/vault` to `remediation-tool/scripts/get-token.sh`.
## Intune posture (45 Windows devices, enrollment-only)
- 45 Windows MDM devices; **no compliance policies, no configuration profiles** (settings catalog
empty). Enrollment configs are all default. **One** deployed app: **ScreenConnect Client**.
- **Security gaps:** 22 of 45 **unencrypted** (no BitLocker, nothing enforcing it); 8 noncompliant.
- Devices enrolled under **IT/admin accounts** (JonathanB@, sysadmin@, subhamb@, mailadmin1@), NOT
end users — so Intune's `userPrincipalName` does NOT identify the real operator. Use **Datto's
Last User** for person→machine attribution instead.
## Endpoint management fragmentation (reconciled 2026-06-08)
Unified inventory by hostname across all four sources = **73 unique machines**.
- **Datto RMM = the near-master list (71/73)** and carries real `Last User` + AV/EDR status.
Only `0325-DELL3550` and `LAPTOP` are absent from Datto (Intune-only).
- Intune 42 · Syncro 24 · GuruRMM 18 (as of 2026-06-08).
- No Datto API creds in vault — Datto data comes from console CSV export.
- ScreenConnect API key only supports `GetSessionsByName` (blank for agents) → **cannot enumerate**
the fleet; see [[reference_screenconnect_api]].
## GuruRMM
- Client **Safesite** `fe17552f-736b-42ec-86a2-0e6f107f2397`. Sites: **Bell** (RED-HAWK-6595),
**Glendale** (SWIFT-OCEAN-8321), **Unknown** (LIGHT-CLOUD-3585, created 2026-06-08 as the
catch-all bucket for un-attributed push installs).
- 18 agents enrolled; **55 of 73 machines still need the agent**. Agents observed **offline /
WS-disconnected** 2026-06-08 (dispatches go to `pending`) while the same machines are **Online in
Datto** — Datto/Intune are the live push channels, not GuruRMM, right now.
## NexSite recalled-email investigation (2026-06-08)
External sender m.paris@nexsitepartners.com sent "Re: NWWells - SafeSite - Vendor Forms" with
attachment **`SSUS 06122026.PDF`** to 9 Safe Site recipients on 2026-06-08 ~18:54 UTC; recalled.
IT contact: Jonathan Byrd (j.byrd@nexsitepartners.com). Goal: determine if the PDF was
accessed/downloaded on managed endpoints.
- **No EDR back-telemetry** (MDE 0 devices) → endpoint history can only come from **on-disk
artifact recovery** (file search + Zone.Identifier MotW + Outlook cache + browser DL history +
RecentDocs), run via a live channel.
- **Recipient → machine (via Datto Last User):** beeanna=`0225-DELL3550`, david=`0622-DAVID-HP`,
jon=`0525-ASUSFX707Z`, justinb=`0525-DELL3550-1`, lennyg=`DESKTOP-3USU20B`,
suzannep=`1122-SUZANNE-DELL`, travisf=`MSI`, jeremiahw=`DESKTOP-LOPKB4G`, thomasc=`0724-DELL3550`.
- Caveat: artifact recovery proves "downloaded=yes"; it cannot prove "never accessed". Only covers
managed machines (not phones/personal). Time-sensitive — artifacts age out.
## Open items
- Choose forensic channel (Datto console job vs Intune proactive remediation) — GuruRMM agents
offline. Push GuruRMM agent to the 55 gap machines. Assign Exchange Admin role to the Sec
Investigator SP if mailbox-audit forensic is wanted. Remediate the 22 unencrypted endpoints.
Reference in New Issue View Git Blame Copy Permalink