Objective   

This article explains how to configure a real-time alert in ADAudit Plus to notify you of both successful and failed interactive logon attempts to your domain controllers (DCs). An interactive logon occurs when a user logs in directly at the physical console of a server. 

Prerequisites   

• You must have access to the ADAudit Plus web console with an administrator account or a technician account that has permissions to create alert profiles.

• Your on-premises DCs must be configured in ADAudit Plus and successfully collecting security logs.

• If you wish to receive notifications, the relevant services must be configured:

• Email: SMTP server settings must be configured under Admin > General Settings > Server Settings.

• SMS: Your SMS provider must be configured under Admin > General Settings > Server Settings > SMS.

• Tickets: Your ticketing tool must be integrated under Admin > Configuration > Ticketing system Integration.

 Steps to follow   

1. Log in to the ADAudit Plus web console.
   
2. Navigate to the Alerts tab, then click New Alert Profile.

3. Enter a relevant Name and Description for the alert (e.g., "Interactive Logon Attempts to DCs").

4. In the Report Profiles field, click the + symbol.

5. In the Select Report Profile window, configure the following:
   

• Domain: Select your on-premises domain.

• Category: Choose Local Logon-Logoff.

• Report Profile: Select both the Local Logon Failures for Computers and Local Logon Success for Computers report profiles, then click OK.

6. Under Advanced Configuration, check the Filter box.

7. Configure the filters to define the specific conditions for the alert:

• Filter 1 (Specify DCs): Set the first filter to: Where | equals | [Click Add and select all your Domain Controllers].

• Filter 2 (Specify interactive Logon): Click the plus icon (+) to add another filter with the AND operator. Set it to: Logon Type | contains | Interactive
  
  

8. In the Alert Actions section, enable your desired notification methods, such as E-mail Notification, SMS Notification, or Configure Auto Ticketing.

9. Click Save to activate the alert profile.

 Validation and confirmation   

• Simulate the event: Log in to one of your domain controllers interactively at its physical console or through a virtual machine console. First, attempt to log in with an incorrect password, then with a correct one.
  
• Check the console: In the ADAudit Plus Alerts tab, verify that new alerts from this profile have been triggered for both the failed and successful interactive logon attempts.

• Verify notifications: Confirm that you have received the alerts via email or any other notification channel you configured. 

 Tips   

• Interactive logons to DCs should be extremely rare and are typically only performed for hardware maintenance or in recovery scenarios. All such alerts should be treated as high-priority security events.

• This alert provides a critical control for monitoring physical access to your most sensitive servers, helping to detect unauthorized local access.
  

 Related topics and articles   

• Alert Profiles