How to create an alert for a service installed in ADAudit Plus

In this article:

    • Objective

    • Prerequisites

    • Steps to follow

    • Validation and confirmation

    • Best practices

    • Related topics and articles

Objective

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators whenever a new service is installed on a monitored Windows system. This helps administrators detect potential unauthorized or suspicious software installations, supports early threat detection, and ensures compliance with security policies and change control procedures.

Prerequisites

    • Access to the ADAudit Plus web console.

    • A user account with administrator privileges or a technician account with delegated permissions to configure alerts in ADAudit Plus.

    • Ensure that all relevant servers or workstations are properly added to ADAudit Plus under Server Audit > Configured Servers > Member Servers.

    • Ensure that the audit policy is enabled on the server where service installation attempts are tracked: under Advanced Audit Policy Configuration > Audit Policies > System, open Audit Security System Extension and select the Success check box.

    • To receive alert notifications via email, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.

Steps to follow

Step 1: Create a new alert profile

  1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create or modify alerts.

  2. Navigate to the Alerts tab.

  3. In the top-right corner, click New Alert Profile.

  4. Enter a relevant Name and Description (e.g., Service Installation Attempt Detected).

  5. Click the + button next to Report Profiles.

  6. In the Select Report Profile window, select Attempt to install service from domain <your domain name> as the report profile.

  7. Tailor the Alert Message to suit your specific requirements.

Step 2: Configure advanced alert settings

  1. Under Advanced Configuration, customize the alerts based on thresholds, business hours, and advanced filtering criteria.

  2. Select the Filter check box.

  3. Use the drop-down menus to set the first filter as follows:

     • Attribute: REMARKS

     • Operator: CONTAINS

     • Value: A service was installed in the system

Step 3: Configure alert notification

  1. In the Alert Actions section, select the E-mail Notification check box.

  2. Enter the recipient email addresses.

  3. Provide a clear and relevant subject line for the email notification.

  4. Select the preferred format for the alert email, either HTML or Plain Text.

  5. Use the check boxes to select the details you would like to include in the email:

     • Alert Message

     • Alert Profile Name

     • Event Details

  6. Select the Throttle Notification check box to consolidate multiple alerts into a single notification based on defined criteria.
     Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

  7. If SMS provider settings are configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), select the SMS Notification check box for real-time updates.

  8. Select the Execute Script check box to trigger a script automatically when a specific alert is generated.
     Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

  9. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), select the Configure Auto Ticketing check box to automatically generate tickets for alerts.
     Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

  10. Click Save to activate the alert profile.

Validation and confirmation

  • On a monitored system, manually install a test service.

  • Go to Alerts and under Profile-Based Alerts, expand Domain.

  • Choose the Alert profile that was created and view the alerts in the ADAudit Plus console.

  • Verify that the alert appears with the correct event details (i.e., service name, installed by, host system, and timestamp).

  • Ensure the alert email is received at the specified address.
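As an added example that is not part of this ADAudit Plus article, the following PowerShell script covers both the audit-policy prerequisite above and the "manually install a test service" validation step: it checks that the Security System Extension subcategory audits Success events, installs a test service, and confirms that Windows logged the corresponding Security event 4697 ("A service was installed in the system"), which is the event whose remark the alert filter matches. It assumes it is run as Administrator on a monitored member server; the service name and binary path are constructed placeholders.

```powershell
# Added example (not from the ADAudit Plus article). Run elevated on a monitored server.
$ServiceName = 'ADAP-TestService'                 # constructed test name, removed at the end
$BinaryPath  = 'C:\Temp\adap-test-service.exe'    # placeholder path; the service is never started

# 1. Confirm that "Security System Extension" audits Success events. Without this
#    setting Windows never writes event 4697, so ADAudit Plus has nothing to alert on.
$policy = auditpol /get /subcategory:"Security System Extension" /r |
          Where-Object { $_ -ne '' } | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Success auditing is not enabled for Security System Extension.'
    # Enable it locally with the line below, or via the Advanced Audit Policy GPO setting:
    # auditpol /set /subcategory:"Security System Extension" /success:enable
    return
}

# 2. Install (but do not start) a test service; installation is what generates event 4697.
$start = Get-Date
New-Service -Name $ServiceName -BinaryPathName $BinaryPath -StartupType Manual | Out-Null

# 3. Look for the 4697 event that references the test service. The event message begins
#    with "A service was installed in the system", the text used in the alert filter.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697; StartTime = $start } `
                       -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match [regex]::Escape($ServiceName) }
if ($events) {
    foreach ($e in $events) {
        Write-Host ('Event 4697 logged at {0}: {1}' -f $e.TimeCreated, ($e.Message -split "`n")[0])
    }
} else {
    Write-Warning 'No 4697 event found for the test service; recheck the audit policy and the Security log.'
}

# 4. Remove the test service so it is not left on the server.
sc.exe delete $ServiceName | Out-Null
```

Once the event is present in the Security log, allow time for ADAudit Plus to collect it and then check Profile-Based Alerts as described in the validation steps.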

Best practices

  • Prioritize high-value systems:

    • Domain controllers

    • Database and critical application servers

    • Systems hosting sensitive services

  • Periodically review:

    • Triggered alerts

    • Frequency of service installation attempts

Related topics and articles

How to configure an alert to notify for Schedule Task Creation