Permissions, audit logs, and triggers—Your key to securely using remote connection tools

| By:
Dee Cater

Every end user has at least one thing in common—they must log in to their devices. The high number of logins in any organization inherently makes the process vulnerable to cyberthreats. On top of that, you have to trust that every end user is being a responsible user. That’s a lot of moving parts and fine details to track.   

MFA and role-based security (if set up correctly) are extremely valuable to protect credentials and decrease vulnerability, but outside of those protections, how can you identify potentially malicious behavior?   

As a security-first company, we dedicate engineering resources to ensure top-notch security in our products, so you can deliver top-notch security to your customers’ systems. ConnectWise Control, the industry’s most powerful and top-rated remote support toolset, has two critical tools for next-level protection—audit logs and triggers.  

Audit logs with ConnectWise Control 

Part of cyberthreat protection is seeing what’s happening during sessions, who is logging in from where, and attempted logins with incorrect passwords. That’s where audit logs come in, and they help in at least two ways: First, they can alert you to potential problems so you can proactively fix issues; and second, they are useful in finding the root cause and faster action when a threat actor inevitably sneaks into a system with compromised credentials. (Remember, with the increased activity in threat group activity, we are all in a “not if but when” situation.) 

Audit log types 

Control includes two basic categories of audit logs that you can easily access: 

1. Basic auditing 

  • Includes a readout of everything that happens, in text format, aka “query audit log” 
  • Session event logs track session details, including geolocation 
  • Security event logs track user logins and password management logs 

2. Extended auditing  

  • Records each session automatically when a technician joins the session 
  • Tracks what happened in a session 

Accessing these details in a user-friendly, searchable way gives you high-level visibility that helps you spot out-of-the ordinary and potentially malicious activity and act faster when a breach occurs.  

Audit log best practices 

Audit logs can only track the processes and tools you already have in place, so it’s important to follow a few guidelines.  

1. Be diligent with your security permission discipline. Giving access to areas to just those that need it will decrease the chance of compromise. 

2. Monitor your audit logs regularly so you are familiar with your regular “volume” (especially commands run outside of a session). This way it’ll be easier to detect if additional actions are being taken in addition to your regular remote access activities.

3. Regularly review audit logs and watch for specific event details, which is key for securely using remote access tools. Watch for events such as: 

  • Connections—Did someone connect to a machine? Who connected to the machine? What time? IP address? 
  • Running commands, especially bulk commands that run outside of a session 
  • Tools that are run outside of a session 
  • File transfers 

Triggers in ConnectWise Control 

As you know, triggers generate responses to corresponding events. For example, if a user changes their password, a trigger could automatically send an email, publish a web post to the internet, or add a session event. Dynamic triggers are built inside of extensions and can be used to create a special trigger for use with an extension. 

Control provides a series of out-of-the-box triggers in two varieties: session triggers and security triggers.

Session triggers include: 

  • When a guest connects to an unconnected support or meeting session
  • When a guest sends a message to an unconnected session 

Security triggers include: 

  • When a user’s account is locked 
  • When a user enters an invalid one-time password 
  • When a user enters an invalid password 
  • When a user successfully changes their password 
  • When a user successfully logs into an instance 

These triggers will cover the basics, but we know they can’t cover everything. Your business likely caters to specific industries with specific compliance needs, so Control includes the ability to create custom triggers as well.

More power in the ConnectWise ecosystem 

ConnectWise Control is a powerful tool in and of itself, but there are two parts of the ConnectWise ecosystem that can add even more power and, well, control. Two Control-compatible solutions are outlined below. To learn more about how they work together, watch our webinar “Secure, Connected, In Control Identify Potential Threats.” 

Perch, a ConnectWise solution 

Perch, a ConnectWise solution, is a co-managed network threat and detection response platform.  When used with Control, Perch monitors the frequency and location of the triggers, which adds even more visibility into security issues and vulnerabilities across all your clients. The solution is supported by the ConnectWise SOC. 

Learn more >> 

ConnectWise SOC 

Working as an extension of your team, our certified security analysts, cutting-edge threat intelligence, and latest solutions will manage all your security monitoring, 24/7. Your clients will be more secure and you’ll have more resources to scale and grow your business. 

Learn more >>