Alerts for Atera logins?

preid

I don't know if this has been considered - but with the focus on attackers going after RMM logins (makes sense - getting into an RMM is the holy grail), and the constant exploits for MFA bypasses, it would make sense to have the ability to have Atera send alerts whenever someone logs into the RMM to a specific monitored email address.

I can't tell you how many attacks I've thwarted over the years just because I had login alerts set up (RDP, for example, via a Schedule Task setup). An alert after hours is a sure sign something evil is afoot, and could save the day. Intercepting the attack right away is a sure way to stop things before they become a huge mess for the IT provider and their clients.

An attack like this could easily lead to going out of business. I'd say that this could even be a critical addition, and could be one feature that is a decision point for anyone considering an RMM. It'd be a simple thing to add.

Thoughts?

DP

Yes agree, an email when a user logs into Atera would be great. I've had various solutions over the years with login alerts and hashing out a new solution now. Any tips? An old event manager system used event ID for administrator + interactive to alert - false positives can be challenging.

preid

I set up a scheduled task to watch for the RDP login/reconnect and send me an email when it sees one, along with the currently logged in users and their connection status, so I can see what account is currently active. I was working on a script to add it - got it mostly done, then got distracted and didn't finish it, but I want to get back to it, since it's a lot faster than having to set it up by hand every time.

For Atera, I don't have a solution. That would have to happen on their end, as far as I can see.

mjones

I would like to see either a notification of login, or a notification of multiple failures.

Seems like it wouldn't be too hard to implement and would add a lot of security value.

preid

Totally agree. It should be a pretty simple addition, and the value-add would be immense, from a security perspective. I like the addition of a failed login attempt email, too. Then we'd know if someone was trying to get in, and respond appropriately.

DP

I had a bit of a play - I created a solution that emails on events 22,24 or RDP logins which then grabs the 4265 security info and emails the details.

preid

Similar to what we did for RDP, since RDP is such a common way attackers try to move laterally inside a network. It's saved us a few times from much more serious attacks. We've been able to interrupt their recon and kick them out before they can even start their assault.

Similar alerts for Atera logins would do the same on an even more critical part of our infrastructure.

DP

Yes it's nice having the visibility. Using Atera to capture the events, and then my own script to send the email is the best of both worlds and no local setups to deal with.

Login to Atera - send email alert @nina can they do this?

preid

That is a great way to do it, for sure!

I'm surprised we haven't see any response at all from Atera on this thread. It's almost like they're not using their own community for anything other than just announcements. The Facebook group seemed to be a lot more active.

nina

Hi @DP, @preid and @mjones - It's a good idea! I have reached out to our Security Team and Product Team to see what we can do here. Thank you for raising this.

preid

@nina Great! Thanks! I did notice there's a captcha on the login now, which helps a bit, too. :)