Objective  

This article explains how to create an alert profile in ADAudit Plus to monitor and notify administrators whenever specific users or groups successfully log in. The alert can be configured for both Domain Controller authentication events (Event IDs 4768 and 4771) and Local Logon events (Event IDs 4624). This helps ensure visibility into privileged or high-risk account activity by generating timely notifications whenever these selected accounts successfully authenticate.

Prerequisites  

• Access to the ADAudit Plus web console using an account with administrator or a technician role with permission to create alert profiles.

• All Domain Controllers and relevant Member Servers must be added and configured under Domain Settings in ADAudit Plus.

• Real-time event log fetching must be enabled for accurate and immediate alerting.

• Required audit policies must be enabled on Domain Controllers and Windows servers to log authentication events:

• Account Logon > Audit Kerberos Authentication Service (Success and Failure).

• Logon/Logoff > Audit Logon (Success and Failure).

NOTE: Refer to the link for enabling audit policy.

• If email notifications are expected, ensure the Mail Server Settings are configured under Admin > General Settings > Server Settings.

Steps to follow

1. Log in to the ADAudit Plus web console as an administrator or with a Technician account with delegated permissions to create or modify alerts.
   

2. Navigate to the Alerts tab.

3. Click New Alert Profile in the top-right corner.
   

4. Enter a relevant Name and Description.

5. Set the Severity level based on the importance of the action being monitored.

6. Click the + symbol in the Report Profiles field.

7. Under Domain, select the on-premises domain.

8. In the Category drop-down, choose the following report profiles.

• Local Logon Success for Computers

• All Users Logon

9. Click OK to add the report to the alert profile.

10. You can tailor the Alert Message to suit your specific requirements.

11. Additionally, the Advanced Configuration options allow you to customize alerts based on thresholds, business hours, and advanced filtering criteria.

12. Click Add Filter, and configure the filter as follows:

1. Attribute: LogonType

2. Operator: equals

3. Value: Success

13. Use AND Condition and add the second Filter

1. Attribute: User Name

2. Operator: equals

3. Value: <Choose any individual user/group>

14. In the Alert Actions section, select the E-mail Notification check box.

15. Enter the recipient email addresses where the alert should be delivered.

16. Provide a clear and relevant subject line for the email notification.

17. Select the preferred format for the alert email, either HTML or Plain Text.

18. Select the details you would like to include in the email, such as:

19. Alert Message

20. Alert Profile Name

21. Event Details

22. Enable the Throttle Notification check box to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

23. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), select the SMS Notifications check box for real-time updates.

24. Select the Execute Script check box to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

25. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), select the Configure Auto Ticketing check box to automatically generate tickets for alerts.

Note: You can also enable the Throttle Ticket Generation check box to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

26. Click Save to activate the alert profile.

Validation and confirmation  

• After saving the alert profile, attempt a successful logon using one of the users or accounts included in the alert criteria.
  
• Go to Alerts > Choose the Alert Profile that was created to track logon activity in ADAudit Plus and confirm that the new alert entry appears with the correct event details.

• Verify that the alert specifies the correct user, logon source, Domain Controller / workstation, and event ID (4768/4771 for DC authentication or 4624 for local logon).

• If email notifications are configured, confirm that the designated recipients receive the alert message.

• Review the Audit Reports (User Logon Reports / Logon Activity Reports) to ensure the corresponding logon event is being captured in real time.
  

Tips

• Use AD Group selection instead of manually selecting multiple users if you need to monitor a larger set of accounts.

• Ensure Kerberos and Logon auditing policies are consistently enabled across all Domain Controllers for complete coverage.

• If alerts do not trigger, check whether the relevant servers are sending logs and confirm there are no WMI/Firewall/DNS issues preventing event collection.

• Review alert profiles periodically to ensure they align with current security policies, privileged user lists, and operational requirements.

Related topics and articles  

• How to Detect and Alert on Logins from Anonymized IP Addresses in Entra ID