How to create an alert for scheduled task creation

In this article:

    • Objective

    • Prerequisites

    • Steps to follow

    • Validation and confirmation

    • Tips

    • Related topics and articles

 

Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators whenever a scheduled task is created on monitored Windows servers. This helps in detecting potential signs of persistence mechanisms used in cyberattacks, supports security monitoring, and ensures compliance with operational policies.

Prerequisites   

    • Access to the ADAudit Plus web console is needed.

    • A user account with administrator privileges or a technician account with delegated permissions to configure alerts in ADAudit Plus is needed.

    • Ensure the following audit policies are enabled on the servers where scheduled tasks are to be monitored.

    • The servers where you want to monitor scheduled task creation must be added and configured under Server Audit > Configured Server(s) > Member Servers.

    • To receive alert notifications via email from ADAudit Plus, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.

 

Steps to follow

Step 1: Create a New Alert Profile  

  1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create or modify alerts.

  2. Navigate to Alerts from the top menu.

  3. Click New Alert Profile in the top-right corner.

  4. Enter a relevant Name and Description (e.g., Scheduled Task Creation Detected).

  5. Click the + symbol next to Report Profiles.

  6. Select the report titled Scheduled Task Creation for domain <your domain name>.

  7. You can tailor the Alert Message to suit your specific requirements.

  8. Additionally, you can use the Advanced Configuration options to customize alerts based on thresholds, business hours, and advanced filtering criteria.

 

Step 2: Configure advanced alert settings  

  1. In the Alert Actions section, enable E-mail Notification.

  2. Enter the recipient email addresses where the alert should be delivered.

  3. Provide a clear, relevant subject line for the email notification.

  4. Select the preferred format for the alert email, either HTML or Text.

  5. Select the details you would like to include in the email:

  • Alert Message

  • Alert Profile Name

  • Event Details

  6. Enable the Throttle Notification option to combine multiple alerts into a single notification based on defined criteria.
    Example: If multiple login failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.

  7. If SMS provider settings are already configured in ADAudit Plus (under Admin > General Settings > Server Settings > SMS), enable SMS Notification for real-time updates.

  8. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive login failures from that account.

  9. If a ticketing tool is integrated with ADAudit Plus (under Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use the Throttle Ticket Generation option to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

  10. Click Save to activate the alert profile.

Validation and confirmation

  1. Create a test scheduled task.

  2. Navigate to Alerts and expand the on-premises domain under Profile Based Alerts.

  3. Select the alert profile that was created and view alerts in the ADAudit Plus console.

  4. Verify that the alert appears with the correct event details (the task name, user who created the task, time of creation, and source machine).

  5. Ensure the alert email is received at the specified addresses.
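
One way to carry out the first validation step, shown as an added example that is not part of the ADAudit Plus documentation: it registers a harmless test task, confirms that Windows logged the creation locally, and removes the task again. It assumes an elevated PowerShell session on a monitored member server and relies on standard Windows behaviour (Security event 4698, logged when the "Audit Other Object Access Events" subcategory is enabled); the task name is a hypothetical placeholder.

```powershell
# Added validation example; not part of the ADAudit Plus documentation.
# Run in an elevated PowerShell session on a monitored member server.
$taskName = 'ADAP-Alert-Validation'   # hypothetical name for the test task
$start    = Get-Date

# Show whether the subcategory that produces event 4698 is audited.
auditpol /get /subcategory:"Other Object Access Events"

# Register a harmless task that would run once, an hour from now.
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c exit 0'
$trigger = New-ScheduledTaskTrigger -Once -At $start.AddHours(1)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger | Out-Null

# Give the Security log a moment, then collect 4698 events since $start.
Start-Sleep -Seconds 3
$filter = @{ LogName = 'Security'; Id = 4698; StartTime = $start.AddSeconds(-5) }
$found  = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Read EventData by field name rather than by position.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TaskName'] -eq "\$taskName") {
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Computer    = $evt.MachineName
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            TaskName    = $data['TaskName']
        }
    }
}

if ($found) {
    $found | Format-List
} else {
    Write-Warning "No event 4698 for '$taskName'. Check the audit policy before troubleshooting the alert profile."
}

# Remove the test task (Windows logs this deletion as event 4699).
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

The time, computer, account and task name printed here are the values to compare against the event details shown in the ADAudit Plus alert.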

 

Tips

  • Monitor high-value systems:

    • Domain controllers

    • Database and critical application servers

    • Privileged workstations

 

Related topics and articles

  • How to configure an alert for a service installed in ADAudit Plus
