In this article:  

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

 Objective   

This article explains how to create an alert in ADAudit Plus to monitor and notify users when a user attribute is modified.

 Prerequisites   

• Access to the ADAudit Plus web console.

• A user account with administrator privileges or a technician account with delegated permissions to configure alert profiles.

• All relevant Domain Controllers must be added and configured in ADAudit Plus for auditing.

• Event log collection must be active and healthy for each configured Domain Controller.

• For immediate alerting, ensure real-time event fetching is enabled for the monitored domain controllers.

• Enable the following audit policy via Group Policy on all Domain Controllers:

• Audit Policy: Audit Directory Service Changes

• Path: Advanced Audit Policy Configuration > DS Access > Audit Directory Service Changes

• Setting: Enable Success

• To receive alert notifications via email from ADAudit Plus, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.

 Steps to follow 

 Step 1: Create a new Alert Profile   

1. Use an account with either the administrator role, or a technician account with delegated permissions to create and manage alert profiles.

2. Navigate to the Alerts tab.

3. Click New Alert Profile in the top-right corner.

4. Enter a relevant Name and Description (e.g., "Alert – User Email Address Modified").

5. Click the + symbol next to Report Profiles.

6. Under Domain, select the On-Prem Domain.

7. Choose User Attributes Changed as the report profile.

 Step 2: Configure advanced alert settings   

1. The Advanced Configuration options allow you to customize alerts based on thresholds, business hours, and advanced filtering criteria.

2. Under Advanced Configuration, enable Filter.

3. Click Add Filter, then configure the filter as follows:

1. Attribute: Modified Attributes

2. Operator: CONTAINS

3. Value: Enter the name of the attribute you want to monitor (e.g., Email Addresses, Department, Title, etc.)

 Step 3: Configure an alert notification   

1. In the Alert Actions section, enable E-mail Notification.

2. Enter the recipient email addresses where the alert should be delivered.

3. Provide a clear and relevant subject line for the email notification.

4. Select the preferred format for the alert email, either HTML or Plain Text.

5. Select the details you would like to include in the email, such as:

• Alert Message

• Alert Profile Name

• Event Details

6. Enable the Throttle Notification option to suppress multiple alerts into a single notification based on defined criteria.
   Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.

7. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable SMS Notifications for real-time updates.

8. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
   Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

9. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

10. Click Save to activate the alert profile.

 Validation and confirmation   

Perform a test attribute change:

• Go to Alerts > Expand Cloud account. 

• Under Profile Based Alerts, choose the alert profile that was created and view alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details.

• Ensure the alert email is received at the specified address.

• If you have configured a filter for a specific attribute, confirm that alerts are triggered only for that attribute and not for others.

 Tips 

• Monitor critical attributes. Focus on high-impact attributes such as:

• Email Addresses

• MemberOf

• Title

• Department

• AccountStatus

• Combine this alert with a Non-Business Hours filter to highlight unusual or potentially risky modifications occurring outside working hours.

 Related topics and articles   

• How to set an alert for users with Password Never Expire enabled