Hamish Burke | 2025-06-29

Security Ops Master Document

Task Descriptions

1. Automating Certificate Renewal

More info: Automating Certificate Renewal

Solutions

Use acme.sh for automatic certificate issuance and renewal:
- Bash-only, cross-platform (Linux, macOS, Git Bash on Windows).
- Supports DNS-01 for wildcard/SAN certs.
- Allows --reloadcmd to restart services post-renewal.
- Error handling via log-parsing email scripts (Linux & PowerShell).
Scheduled renewal: (daily)
- Linux: via crontab.
- Windows: via schtasks and PowerShell script.
Install certs with --install-cert to store them in proper locations and auto-reload services.
OpenSSL to generate self-signed certs or act as your own CA.
Use rysync or scp to copy certs to LB, or run script on each individually (for load balancers)
Monitor certs centrally:
- acme.sh --list
- Prometheus, Zabbix/Nagios, or custom audit scripts.

Challenges

Windows automation needs Git Bash and workaround scripts.
Wildcard certs require DNS-01 challenges: HTTP-01 won’t work.
Key reuse happens by default: must disable if rotating keys is desired.
Secure reloads require correct and tested --reloadcmd.
DNS plugin setup needs valid tokens (e.g. Cloudflare, AWS).
Renewal failure before expiry could cause downtime without alerts.

Questions

Where should certs be saved long-term on production?
Will reload commands work reliably on all services, esp. Windows?
Are your DNS providers compatible with acme.sh plugins?
What key rotation strategy do you want? Reuse vs regen?
Should a central tool (e.g. DigiCert) be used org-wide?
Which SMTP service do you trust for email notifications?

Key Concepts to know

TSL basics**:
- Handshake, cert contents, SANs, OCSP, HSTS
OpenSSl tools:
- Generating keys, CSRs, certs, and inspecting with x509
Cert formats:
- .pem vs .pfx, and what services expect
acme.sh usage:
- --issue, --renew, --install-cert, --reloadcmd, plugins
Scheduled automation:
- crontab (Linux), schtasks (Windows)
DNS-01 challenge:
- Why it's needed, how to configure plugins
Reload hooks:
- systemctl reload nginx, Task Scheduler on Windows
Monitoring + error alerting:
- Email scripts, logging, dashboard tools (Prometheus, CertCentral)

2. Auto-Disabling Unused Active Directory Accounts

More Info: Auto-Disabling Unused Active Directory Accounts

Solutions

Identify idle accounts
Exclude service-principal accounts or whitelisted accounts
Notify/Get approval via email
Disable Accounts
Logs and auditing/reversing
Automating It

Challenges

False positives (service accounts, leave-of-absence)
- Requires approval, can be added to a whitelist
lastLogonTimestamp replication lag
Legacy/batch accounts detection
Recovery of mistaken disables

Questions

How to prevent disabling service accounts?
- Can look for OU account tags, filter them from list (also require manager approval for disabling)
Notify user/manager beforehand?
- Get email about disabling (using Power Automate (triggered when new item added to a sharepoint list))
Handle mail-only accounts?
Process to re-enable?Asset Management Dashboard
- Create script, from dashboard have re-enable button

Concepts and tools to know

Powershell AD module
- Search-ADAccount
- Get-ADUser
- Disable-ADAccount
- Enable-ADAccount
Email
- Send-MailMessage
- SMTP Settings
Azure AD Indentiy protection risk-based disablement?
Power Automate (flow) and ShareSheet
Logging
- Export-Csv
- Write-EventLog
- SIEM connectors
- ShareSheet

3. Reporting Desktop Vulnerabilities

More Info: Reporting Desktop Vulnerabilities

Solutions

Kusto Query Language on DeviceTvmSoftwareVulnerabilities
Automate report via Logic Apps / Power Automate → email/Teams
Export to Power BI for visualisation
Tag devices in Intune for auto-remediation

Challenges

Data latency (scan intervals), Dashboard may be delayed in accuracy
Integrating with ticketing/patching workflows
CVE severity vs real exploitability (not every 'high' CVE is actively exploitable)

Questions

Report cadence?
- Weekly or daily?
Trend analysis over time?
- Doable with bin() in Kusto Query Language
Integration with patch management?
- Power Automate or logic apps can trigger API calls to patch tools
Prioritisation criteria?
- Could mix exploitability scores with asset criticality

Key Concepts to Learn

KQL basics: filters, summarise, tables
Defender data model: TVM, CVE scoring
Logic Apps workflow creation
Hands-on: DeviceTvmSoftwareVulnerabilities| where CveSeverityLevel == "High" | summarize count() by DeviceName

4. Power BI Dashboards for Security Operations

More Info: Sec Ops Dashboard

Solutions

Power BI Dataflows → ingest APIs, SQL, flat files
Scheduled dataset refresh → Reports & Dashboards
Visuals: vuln counts, cert expiries, sign-in failures, inactive accounts
- Implement RBAC for viewers
Power Automate Alerts: Email/teams msg on critical stats
Role-based: Different views for managers (KPI) and analysts (drill down into CVE, device etc)

Challenges

API rate limits/permissions
Normalising disparate data sources
Avoiding info overload
Refresh reliability

Questions

How non-tech staff use it?
- Multiple roles, different roles will be able to view different LOD's of visualisations
Refresh frequency?
- Dependant on volatility of data, eg: Certs daily, auth hourly
Alert thresholds?
- Certificate expiring in one week
- Certain number of logins

Key Concepts to Learn

Power BI architecture: Dataflows vs Datasets vs Reports
Power Query transforms: merge, filter, pivot
Dashboard best practices: clarity, prioritisation, freshness

5. Asset Management Dashboard

More Info: Asset Management Dashboard

Solutions

Data collection:
- Windows: WMI/PowerShell (Get-ComputerInfo)
- Linux: SSH → lshw, dmidecode
AD/Azure AD inventories
SCCM/Intune/Lansweeper APIs
Storage: PostgreSQL/MSSQL + REST ingestion API
Visualisation: Power BI
Integrate patch state, warranty info, cert expiries

Challenges

Offline/laptop discovery gaps
Data normalisation (naming, duplicates)
Sync HR system for owner info
Staleness of records

Questions

How ensure data freshness?
- Indicate when data was last updated, so not basing decisions off old data
VMs vs physical asset handling?
- Display if a VM, will change lifecycle, patch remediation
Link to vulnerability scans?
- Could get added to a sharepoint list? Or other DB
MVP scope?
- A collection of computers, daily cron job (or task scheduler) giving stats to sharepoint, updating asset info daily

Key Concepts to Learn

Asset data sources: AD, ConfigMgr, Intune, custom scripts
Schema design: host, owner, OS, last_seen, vuln_count, cert_expiry
Data sync strategies: polling vs event-driven
Hands-on: draft schema in plaintext or ER diagram