This guide walks through creating an alert in ADAudit Plus that notifies you whenever specific files or folders are modified, accessed, created, deleted, moved, or renamed, ensuring proactive monitoring and a quick response to critical file system changes.
You must have access to the ADAudit Plus web console with an administrator account or a technician account that has permissions to create alert profiles.
Your file server must be configured in ADAudit Plus and successfully collecting security logs.
The required audit policy and SACLs (object-level auditing) must be configured.
If you wish to receive notifications, the relevant services must be configured:
Email: SMTP server settings must be configured under Admin > General Settings > Server Settings.
SMS: Your SMS provider must be configured under Admin > General Settings > Server Settings > SMS.
Tickets: Your ticketing tool must be integrated under Admin > Configuration > Ticketing System Integration.
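The audit policy and SACL prerequisite can be checked from PowerShell before the alert is built. This is an added example, not part of the ADAudit Plus product or its documentation; the folder path is a placeholder, the subcategory name assumes an English-language Windows installation, and the script must run elevated on the file server.

```powershell
# Added example (not vendor code): verify audit policy and SACL coverage for one folder.
param([string]$Path = 'D:\Shares\Finance')  # placeholder path, replace with your folder

$ErrorActionPreference = 'Stop'
$Rights = [System.Security.AccessControl.FileSystemRights]

# 1. Audit policy. Without Success auditing on "File System", SACLs produce no events.
$csv      = auditpol /get /subcategory:"File System" /r | Where-Object { $_.Trim() }
$setting  = ($csv | ConvertFrom-Csv).'Inclusion Setting'
$policyOk = $setting -match 'Success'

# 2. SACL. Build the union of rights audited for Success across all audit rules.
$acl = Get-Acl -Path $Path -Audit
[int]$audited = 0
foreach ($rule in $acl.Audit) {
    if ($rule.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) {
        $audited = $audited -bor [int]$rule.FileSystemRights
    }
}

# Rights that map to the actions the alert is meant to catch.
$needed = [ordered]@{
    'Create / modify'   = $Rights::WriteData
    'Delete'            = $Rights::Delete
    'Permission change' = $Rights::ChangePermissions
    'Ownership change'  = $Rights::TakeOwnership
}

$report = foreach ($action in $needed.Keys) {
    $bit = [int]$needed[$action]
    [pscustomobject]@{
        Action  = $action
        Audited = (($audited -band $bit) -eq $bit)
    }
}

"File System audit policy: $setting"
$report | Format-Table -AutoSize
if (-not $policyOk -or ($report.Audited -contains $false)) {
    Write-Warning "Audit gaps found: the unaudited action types on $Path will not be logged."
}
```

The check looks only at which rights are audited, not for whom: a rule scoped to a narrow group audits only that group, so review the `IdentityReference` of each entry in `$acl.Audit` as well.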
Enter a relevant Name and Description for the alert (e.g., Critical File/Folder Changes Alert).
In the Report Profiles field, click the + symbol.
In the Select Report Profile window, configure the following:
Domain: Select the domain where the file server resides.
Category: Choose File Audit.
Report Profile: Select the required report profile and click OK.
Note: You may select specific actions such as create, modify, or delete, or choose all actions if you want to monitor every type of change.
Under Advanced Configuration, check the Filter box.
Configure the filter to target a specific file or folder. Set the filter to:
UNC Name | Equals | [Click +Add to choose the File/Folder from the list].
In the Alert Actions section, check the Email Notification box.
Enter recipient email addresses.
Provide a clear and relevant subject line for the email notification.
Select the preferred format for the alert email, either HTML or Plain Text.
Use the check boxes to select the details you would like to include in the email:
Alert Message
Alert Profile Name
Event Details
Check the Throttle Notification box to consolidate multiple alerts into a single notification based on defined criteria.
Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.
If SMS provider settings are configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), check the SMS Notification box for real-time updates.
Check the Execute Script box to trigger a script automatically when a specific alert is generated.
Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.
If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing System Integration), check the Configure Auto Ticketing box to automatically generate tickets for alerts.
Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.
Click Save to activate the alert profile.
Confirm that you have received the alert via email or any other notification channel you configured.
Enable alerts only for business-critical folders (finance, HR, legal, application config paths) to avoid unnecessary noise and ensure high-priority changes are captured.
Include alerts for privilege escalation actions, such as ownership changes or permission modifications on the selected folders—these are strong indicators of insider threats or ransomware activity.
Enable real-time alerts for file deletions and unexpected modifications, as these are the most common actions during data theft or malware-based attacks.
Restrict alert recipients to security, compliance, or system owners to ensure an immediate and actionable response without overwhelming teams that are not involved.