How to create an alert for non-administrator logons to a domain controller

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

Get step-by-step instructions for configuring an alert in ADAudit Plus that will notify you in real time when a user who is not a member of a privileged administrative group successfully logs on to a domain controller.

Prerequisites  

  • Access to the ADAudit Plus web console with an administrator account or a technician account that has permissions to create alert profiles.

  • A list of all privileged administrative groups (e.g., Domain Admins, Enterprise Admins, Administrators) to exclude from the alert.

  • On-premises domain controllers must be configured in ADAudit Plus and successfully collecting security logs.

  • If you wish to receive notifications, the relevant services must be configured:

    • Email: SMTP server settings must be configured under Admin > General Settings > Server Settings.

    • SMS: Your SMS provider must be configured under Admin > General Settings > Server Settings > SMS.

    • Tickets: Your ticketing tool must be integrated under Admin > Configuration > Ticketing system Integration.

Steps to follow  

  1. Log in to the ADAudit Plus web console.

  2. Navigate to the Alerts tab and click New Alert Profile.

  3. Enter a relevant Name and Description for the alert (e.g., "Non-Admin Logon to a Domain Controller").

  4. In the Report Profiles field, click the plus icon +.

  5. In the Select Report Profile window, configure the following:

    • Domain: Select your on-premises domain.

    • Category: Choose Account Logon.

    • Report Profile: Select the All Users Logon report profile and click OK.

  6. Under Advanced Configuration, check the Filter box.

  7. Configure the filters to define the specific conditions for the alert:

    • Filter 1 (Exclude Admins): Set the first filter to User Name | not equals | [Click Add and select all your privileged groups, such as Domain Admins and Enterprise Admins].

    • Filter 2 (Specify Domain Controllers): Click the plus icon + to add another filter with the AND operator. Set it to Client Host Name | equals | [Enter the names of your domain controllers].

    • Filter 3 (Specify Success): Click the plus icon + again, ensure the operator is AND, and set the filter to Event Type | equals | Success.

  8. In the Alert Actions section, enable your desired notification methods, such as E-mail Notification, SMS Notification, or Configure Auto Ticketing.

  9. Click Save to activate the alert profile.
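The three filters in step 7, applied to constructed sample logon records as an added example (not ADAudit Plus code or its filter engine): the group names, domain controller names, membership map and events are all assumptions, and the example resolves nested group membership with its own helper so that an account that is an admin only through a nested group is still excluded.

```python
from dataclasses import dataclass

# Constructed sample data (not exported from ADAudit Plus). GROUP_MEMBERS maps a
# group to its direct members; a member may itself be a group (nesting).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
GROUP_MEMBERS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Enterprise Admins": {"alice"},
    "Administrators": {"Domain Admins"},
    "Tier0-Ops": {"bob"},
}

@dataclass(frozen=True)
class LogonEvent:
    user: str
    client_host: str
    event_type: str  # "Success" or "Failure"

SAMPLE_EVENTS = [
    LogonEvent("alice", "DC01", "Success"),  # direct Domain Admin: excluded
    LogonEvent("bob", "dc02", "Success"),    # admin only via nested Tier0-Ops: excluded
    LogonEvent("carol", "DC01", "Success"),  # non-admin on a DC: alert
    LogonEvent("carol", "DC01", "Failure"),  # failed logon: Filter 3 drops it
    LogonEvent("dave", "FS01", "Success"),   # member server, not a DC: Filter 2 drops it
]

def expand_members(group, members, seen=()):
    """Every user in `group`, following nested groups (cycle-safe)."""
    users = set()
    for m in members.get(group, ()):
        if m not in members:            # a user account, not a group
            users.add(m.casefold())
        elif m not in seen:             # a nested group not yet visited
            users |= expand_members(m, members, (*seen, m))
    return users

def privileged_users(groups=PRIVILEGED_GROUPS, members=GROUP_MEMBERS):
    """Flatten every excluded group into one set of user names (Filter 1)."""
    return set().union(*(expand_members(g, members) for g in groups))

def non_admin_dc_logons(events, groups=PRIVILEGED_GROUPS,
                        members=GROUP_MEMBERS, dcs=DOMAIN_CONTROLLERS):
    """Apply the alert profile's three filters; names compare case-insensitively."""
    admins = privileged_users(groups, members)
    dc_names = {d.casefold() for d in dcs}
    return [e for e in events
            if e.user.casefold() not in admins         # Filter 1: not an admin
            and e.client_host.casefold() in dc_names   # Filter 2: logon on a DC
            and e.event_type == "Success"]             # Filter 3: successful logon
```

Only carol's successful logon on DC01 survives the three filters; bob is dropped even though he is not a direct member of any listed group, which is the case the Tips section's "up-to-date exclusion list" advice is guarding against.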

Validation and confirmation  

  • Simulate the event: Log in to one of the specified domain controllers using a standard user account that is not a member of any privileged group.

  • Check the console: In the Alerts tab, verify that a new alert from this profile has been triggered.

  • Verify notifications: Confirm that you have received the alert via email or any other notification channel you configured.

Tips  

  • For effective alerting, it is crucial to maintain an up-to-date list of all administrative groups in the exclusion filter.

  • Treat alerts from this profile as high-priority security events, as they can indicate unauthorized access attempts or an insider threat.

Related topics and articles  
