Proactive, Not Paranoid: Tracking Login Attempts the Smart Way in ConnectWise

Is your MSP business truly in control of who’s logging into ConnectWise platforms? Or are you crossing your fingers and hoping for the best? With remote access, privileged IT support, and more credentials in circulation than a Vegas poker table, tracking login attempts is about more than just compliance. It’s about being the grown-up in the server room.

This guide tackles why and how to monitor login attempts in ConnectWise (including Automate and Control), explains the difference between vigilance and paranoia, and gives you a blueprint for proactive, auditable security built for MSPs who value uptime and sanity. Because neither fortune nor fate favors the careless.

Why Tracking Login Attempts Is Non-Negotiable for Modern MSPs

You might trust your team, but can you trust every endpoint, every remote session, and every outside contractor who lands in your environment? Doubtful.

Here’s what’s at risk if you ignore authentication monitoring:

  • Buffalo jumping isn’t just a term thrown around on threat reports. It’s what happens when your RMM is compromised and every downstream client is suddenly in the blast radius.
  • Credential stuffing, brute force, and lateral movement can start with something as mundane as a failed login from a strange IP.
  • Supply chain attacks love unmanaged logs. If you’re not watching, neither are your clients.

The honest truth? Cybersecurity isn’t optional, and neither is logging. But there’s no need for alarm bells to ring every time Gary in accounting fat-fingers his password. Treat login attempt tracking as the seatbelt in your IT operations vehicle. It’s standard. It’s sensible. And it keeps everyone safe without fuss.

Rolling Up Your Sleeves: Set Up Login Attempt Monitoring the Right Way

Wondering where to start? It seems overwhelming, and you need more than just a vague “security posture”, but it can be tough to just…start. Here’s a step-by-step approach you can implement today:

1. Identify Where Authentication Leaves Tracks

ConnectWise is wide-reaching. The main login surfaces you want to monitor include:

  • ConnectWise Control (ScreenConnect)
  • ConnectWise Automate
  • ConnectWise Manage and other web panels
  • Remote session connections for users and agents

Each of these platforms maintains logs, but some are more verbose than others. Ensure your current deployment (especially on-prem builds) is running the latest version (no excuses, see CVE-2024-1709 for what happens when you snooze on patches).

2. Leverage Audit Logs for Maximum Visibility

ConnectWise provides audit logs for all practical activities:

  • Basic Audit Logs: Track session events, login geolocation, password changes, and more. These tell you the who, where, when, and how.
  • Extended Audit Logs: Record technician activity, commands executed, remote file transfers, and more, automatically and per session.
  • Audit Log Search: Use text search to quickly hunt down suspicious activity. Filter for failed logins, new successful logins from unexpected regions, or bulk password changes.
  • Custom Integrations: For orchestrated monitoring, integrate your logs with a Security Information and Event Management (SIEM) platform like ConnectWise SIEM or Perch. This lets you automate analysis, cross-reference events, and detect patterns across multiple clients.

3. Set Triggers and Alerts for Real Security Events

Don’t try to watch every log line manually. ConnectWise Control and Automate allow you to create triggers:

  • Session Triggers: Alert when unknown users connect or a guest initiates or sends a message during a session.
  • Security Triggers: Notify you of account lockouts, invalid one-time passwords, failed logins, and new successful logins. You can also trigger on changes such as password resets and suspicious session activity.

Bonus: Customize these triggers for your business’s risk profile. Are you working with financial or healthcare clients? You may need extra notifications for file transfers, script executions, or admin role changes.

4. Automate and Normalize Logs for Speedy Analysis

Centralized, normalized logging is a must. SIEM integrations aren’t just for Fortune 500s. With ConnectWise SIEM or Perch, you can:

  • Aggregate and normalize authentication logs.
  • Correlate events across multiple servers and platforms (think “failed logins from the same IP across two clients”).
  • Create reports for both audits and compliance.

Pro Tip: Normalize your logs to a standard format. This makes trend spotting and forensics drastically easier and reduces the chance your next compliance audit will run four days late.
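To make step 4 concrete, here is an added example (not ConnectWise or SIEM vendor code) that maps two differently shaped authentication exports onto one schema and then runs the "failed logins from the same IP across two clients" correlation. The export layouts, field names, client names and addresses are constructed for illustration and are assumptions, not the real export schema of any product.

```python
import csv, io, json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data. Layouts and field names are hypothetical,
# not the real export schema of any ConnectWise product.
CSV_EXPORT = """time,client,user,source_ip,event
2024-05-01 02:14:07,acme,jsmith,203.0.113.7,LoginFailed
2024-05-01 02:14:31,acme,admin,203.0.113.7,LoginFailed
2024-05-01 08:59:12,acme,jsmith,198.51.100.20,LoginSucceeded
"""
JSON_EXPORT = """
{"ts": 1714529700, "tenant": "globex", "account": "svc-backup", "ip": "203.0.113.7", "result": "failure"}
{"ts": 1714554000, "tenant": "globex", "account": "mlee", "ip": "192.0.2.44", "result": "success"}
"""

def normalize_csv(text):
    """Map the CSV-style export onto the common schema (timestamps assumed UTC)."""
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        yield {"time": when.replace(tzinfo=timezone.utc), "client": row["client"],
               "user": row["user"], "ip": row["source_ip"],
               "outcome": "failure" if row["event"] == "LoginFailed" else "success"}

def normalize_json(text):
    """Map the JSON-lines export (epoch seconds) onto the same schema."""
    for line in filter(None, map(str.strip, text.splitlines())):
        rec = json.loads(line)
        yield {"time": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
               "client": rec["tenant"], "user": rec["account"],
               "ip": rec["ip"], "outcome": rec["result"]}

def cross_client_failures(events, min_clients=2):
    """Return {ip: [clients]} for source IPs with failed logins at several clients."""
    seen = defaultdict(set)
    for e in events:
        if e["outcome"] == "failure":
            seen[e["ip"]].add(e["client"])
    return {ip: sorted(c) for ip, c in seen.items() if len(c) >= min_clients}

# One time-ordered stream, regardless of which platform produced the record.
EVENTS = sorted([*normalize_csv(CSV_EXPORT), *normalize_json(JSON_EXPORT)],
                key=lambda e: e["time"])

if __name__ == "__main__":
    print(cross_client_failures(EVENTS))
```

Neither source on its own shows the cross-client pattern; it only appears once both are in the same schema with comparable timestamps.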

5. Regularly Review and Audit

Set a recurring date to review authentication logs and trigger activity. It’s not about micromanagement; it’s about knowing what’s “normal.”

  • Note baseline login activity (users, times, IPs).
  • Watch for anomalies (sudden bursts of failed logins, logins from new countries, or new devices).
  • Document remediation steps for attacks or near misses.

Consistent quarterly reviews help you catch the spark before it becomes a wildfire.

What Login Attempts Are Trying to Tell You—and How to Respond Smartly

Not every failed login deserves IT’s nuclear option. But the right monitoring can reveal:

  • Brute-force attacks: Multiple rapid-fire failed attempts from the same source.
  • Account lockouts: Often legitimate, but when paired with country-hopping IPs, someone’s testing your defenses.
  • New device or location logins: Red flags, especially outside known business geographies or hours.
  • Failed logins for non-existent users: Script kiddie behavior or a credential stuffing attack.
  • Mass file downloads and script execution after login: If these pop up, you could be facing a threat actor exploiting a breached credential.
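Two of the signals above, rapid-fire failures from one source and failed logins for non-existent users, expressed as detection logic over already-normalized events. This is an added example, not part of the original article or any ConnectWise feature; the events, user list, threshold and window are constructed assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized events: (time, source IP, user, outcome).
def _e(hms, ip, user, outcome):
    return (datetime.fromisoformat(f"2024-05-01T{hms}"), ip, user, outcome)

EVENTS = [
    _e("02:14:00", "203.0.113.7", "admin", "failure"),
    _e("02:14:05", "203.0.113.7", "administrator", "failure"),
    _e("02:14:09", "203.0.113.7", "jsmith", "failure"),
    _e("02:14:12", "203.0.113.7", "test", "failure"),
    _e("02:14:20", "203.0.113.7", "jsmith", "failure"),
    _e("08:58:00", "198.51.100.20", "gary", "failure"),   # mistyped password
    _e("08:58:40", "198.51.100.20", "gary", "failure"),
    _e("08:59:30", "198.51.100.20", "gary", "success"),
]
KNOWN_USERS = {"jsmith", "gary", "admin"}  # hypothetical directory contents

def failure_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs with >= threshold failures in any window."""
    recent, flagged = defaultdict(deque), {}
    for when, ip, _user, outcome in sorted(events):
        if outcome != "failure":
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def unknown_user_failures(events, known_users):
    """Return {ip: [usernames]} for failed logins naming accounts that do not exist."""
    out = defaultdict(set)
    for _when, ip, user, outcome in events:
        if outcome == "failure" and user not in known_users:
            out[ip].add(user)
    return {ip: sorted(users) for ip, users in out.items()}

if __name__ == "__main__":
    print(failure_bursts(EVENTS))
    print(unknown_user_failures(EVENTS, KNOWN_USERS))
```

With the default threshold, the two mistyped passwords followed by a success stay quiet while the five-failure burst is flagged; lowering the threshold to 2 would alert on both, which is the noise-versus-signal trade-off to settle during baseline review.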

Respond with tiered playbooks:

  • Step 1: Isolate and investigate (don’t just reset passwords blindly).
  • Step 2: Check audit and session logs for lateral movement.
  • Step 3: Increase monitoring on affected accounts.
  • Step 4: If you find a pattern, escalate to your incident response team.

Real-World Breach: When One Login Becomes a Widespread Disaster

Need proof that login tracking matters? Consider one of the most damaging tactics used in recent MSP attacks: credential hopping.

In several real-world cases, attackers gained access to an MSP’s remote monitoring and management (RMM) platform using weak or reused credentials. From there, they pivoted across clients—installing ransomware, stealing data, and disabling backups from inside the trusted system.

The result? Dozens of businesses compromised. Hours of recovery. And months of trust lost.

The takeaway: monitoring logins isn’t optional.
Authenticate. Monitor. Review. Repeat.

If you’re new to ConnectWise or still building your security posture, don’t guess your way through the setup.
Check out our blog on Your First 100 Days with ConnectWise: A Complete Setup Roadmap—it walks through the critical (and often overlooked) security configurations every MSP should lock down from day one.

Secure Smarter: MSP-Friendly Tips for Staying Ahead of Threats

  • Patch, patch, patch. Vulnerabilities like CVE-2024-1709 make headlines because people ignore reminders.
  • Document triggers and notifications. Make sure your team knows what each alert means.
  • Don’t ignore the “quiet” periods. Attackers often brute-force or poke at accounts at night and on weekends.
  • Run test scenarios. Simulate a brute force event and track your detection and response speed.

Try these pre-meeting conversation starters:

  • “Can we account for every successful and failed login?”
  • “Who’s responsible for reviewing login attempt logs each month?”
  • “When did we last update our triggers and thresholds?”

Add a little splash of irony, and you’re just a compliance audit away from security enlightenment.

Securing the Human Element Without the Paranoia

Some call this line of work herding cats. The reality? With proper login attempt tracking in ConnectWise, you’re more like a conductor ensuring harmony than a zookeeper putting out digital fires. Security is necessary, but it doesn’t have to mean panic.

Make authentication and log review a core MSP discipline. Your clients may never thank you for attacks that didn’t happen, but you’ll thank yourself (and Bering McKinley) for building a reliable, trustworthy, and resilient practice.

Want help bringing your ConnectWise deployment from “just working” to “rock-solid secure”? Reach out to Bering McKinley for expert support and strategies that grow with you.

Take your MSP’s security from guessing to knowing. Because the only thing worse than not knowing who logged in is pretending it doesn’t matter.
