Domus Captures

ISE 3.2 Patch 10 upgrade — CVE-2026-20147 CVSS 9.9 / CVE-2026-20148. Propose maintenance window once patch confirmed on software.cisco.com.

ISE Advisory sa-ise-rce-traversal-8bYndVrZ — check Patch 10 availability

Mandiant Remediation — findings status tracked. Working session prep + defensive posture documented (comms-2026-04-24). Copy 4/16 updates into Excel at work. Guest ACL lockdown (WIR-M-01) pending lab validation. appendix-todos updated with MSCHAPv2 milestones.

Guest ACL update — guest redirect ACL work needed. Lab validate GUEST_CWA_REDIRECT_MAX_SECURITY in d000, then joint CR with NE. On today’s task list.

Disaster Recovery & Downtime Procedures — ISE top priority (dot1x closed mode = SPOF for network access)

SIEM QRadar → Sentinel Migration — LEAD ROLE. 4 collection iterations (Apr 16, 17, 17-streamlined, 20-streamlined). Python chart pipeline built (qradar-charts.py). Migration XLSX generated. Verification pending. Comms sent Apr 23.

Monad Pipeline Evaluation (origin: 2026-03-11) — lead role. Console error RESOLVED 05-12 — secrets configured in CHLA production tenant. Blocked on DCR creation (Rule ID + Stream Name). Azure private network policy unresolved. 10am call today 05-12.

Sentinel KQL — build proficiency, distinguish from team. Azure portal access acquired.

QRadar log source report — run AQL queries, fetch JSON, generate Python Excel

MSCHAPv2 Migration — Report due. 6-sheet Standard Report ready (Sheet 6: policy match by protocol added 05-14 for removal planning + anonymous identity validation on cert profiles). Migration window 5/4 – 5/30. 6,227 MSCHAPv2 devices, 14,249 EAP-TLS/TEAP (70% migrated). Focus: run Standard Report, turn in spreadsheet.

MSCHAPv2 weekly cadence — recurring Wednesday call established (first 04-22). Completed 2026-04-22.

MSCHAPv2 ownership matrix — sent in scoping email 4/24 with manager callouts (@Albert, @John). Completed 2026-04-24.

TCP Clocks deployment — new device added via ERS POST and confirmed (04-24). 7+ clocks validated. v2 query file with partials architecture. Revalidate full set — confirm no flapping.

SRT Research VLAN — confirm roles with Tony Sun: Tony implementor, Evan tester. CAB approved 04-21.

Downtime Computers enforcement — draft ISE AuthZ rule: medigate_724 + Wireless = DenyAccess. Separate CR. d001: DC queries, audit CSVs (v1-v3), wireless violations report delivered 04-21.

Enterprise Linux 802.1X — standardize Shahab/Ding deployment (CISO priority). Overdue since 02-24. Blocked by nmcli cert fix.

Abnormal Security — CR-2026-05-07-abnormal-read-write. CAB 05-12 approved, implementation 05-14. Jason Landeros implements, Evan presents. 06-01 update: Review Jihad’s policy mapping XLSX + Tyler’s Policy and Rules Migration doc before next call. Plan email migration expansion beyond security group to full environment — priority to move off ESA. Exchange rule considerations: external sender disclaimer (sender not company, outside org, not internal IP → prepend disclaimer).

Tube System Upgrade — iTrack 3528165. 15x 10" TS stations need MAC addresses added to ISE identity group IoT_Onboard. MACs received from vendor (C8:1A:FE:20:xx:xx series). Station list spans ICU (CTICU, PICU, BMT, NICU, NICCU), ED, Surgery, Trauma, Pharmacy. Vendor contact: John Genest. Rationale: manufacturer no longer supports current system; failure risks delayed/missed patient care.

BMS Device Inventory — 72 devices discovered across 37 switches (04-24). Profile-driven architecture (Claroty/Medigate). 16 queries built. Phase 0 complete. Next: cross-reference with Visio diagrams, classify by function, begin D2 diagrams. Cleanup: delete 4 orphaned test groups, migrate 4 retire-dACL devices, investigate 3 null-profile devices.

VNC Blocking — block and eliminate VNC enterprise-wide. Due mid-June 2026. Phase 0: discovery. January AQL query baseline to incorporate. Cross-reference BMS inventory for VNC-capable devices.

Murus Portae (WAF) — Phase 0 discovery in progress. FMC cert expired. d001: DMZ NetScaler WAF investigation, zone map, architecture D2 diagrams (v1+v2 SVGs), FMC REST API reference guide, ops script. FMC API returning zero ACP rules — under investigation.

Firewall audit — FMC discovery inventory done (d001: fmc-discovery-2026-04-16). EtherChannel query, prefilter, policy assignments pending.

IoT Dr. Kim devices — RECURRING. All 4 MACs validated in IoT_iPSK_VLAN1620_Misc (04-24). v2 validation queries built with 7 deep analysis queries (group flapping, credential leakage, profile drift, NAS tracking, remediation timeline, deny audit, OUI scan). Revalidate — confirm no flapping since 04-24.

IoT device validation queries — v2 created with partials architecture, 16 queries across ERS/MnT/DataConnect/FMC. Completed 2026-04-24.

k3s NAT verification — rule 170, 10.42.0.0/16 pod network (origin: 2026-03-09). 59 days. Blocks Wazuh indexer recovery → blocks SIEM visibility. Weekend task?

Strongline Gateway VLAN fix — 8 devices wrong identity group (origin: 2026-03-16). 52 days. David Rukiza assigned — follow up on status.

PeopleSoft — track time for current week

iTrack tickets — close open tickets

KQL library — build initial queries in codex + d001

Linux Research project — finalize and review

Tax filing 2025 (MFJ) — see encrypted case file in data/d000/personal/ for details and action items