Objective  

This article explains how to configure ADAudit Plus alert profiles to monitor successful domain authentication events (Event ID 4768) and local logon events (Event ID 4624) performed by specific users or groups. By setting up these alerts, administrators can closely track privileged account activity, identify unusual login behavior, and improve security visibility across both domain controllers and workstations.

Prerequisites  

• You must have access to the ADAudit Plus web console.

• Use an administrator account or a technician account with delegated rights to create or modify alert profiles.

• All relevant domain controllers/workstations must:

• Be added and configured in ADAudit Plus.

• Be actively sending security event logs without errors.

• Have real-time log fetching enabled to detect changes immediately.

• Enable the following audit policy on all domain controllers via Group Policy:

• Advanced Audit Policy Configuration > Account Logon > Audit Kerberos Authentication Service > Success and Failure

• Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon > Success and Failure

• Apply System Access Control List (SACL) auditing on user objects to track attribute-level changes.

• If email alerts are required, configure SMTP settings under:

• Admin > General Settings > Server Settings in ADAudit Plus.

Steps to follow  

1. Open the ADAudit Plus web console in a supported browser.
   
2. Log in using an account with either administrator privileges or a technician account that has permissions to manage alert profiles.

3. Navigate to Alerts from the top menu.

4. Click New Alert Profile located in the top-right corner.
   

5. Enter a relevant Alert Name and Description (e.g., Alert – Track Logon activity for Specific User/Group).

6. Set the Severity level based on the importance of the action being monitored.

7. Click the + icon next to Report Profiles.

8. Under Domain, select the on-premises domain.

9. Select All Users Logon and Local Logon Success for Computers as the report profiles.

10. You can tailor the Alert Message to suit your specific requirements.

11. In the Advanced Configuration section, enable the Filter check box.

12. Add the following conditions:

1. Filter 1

1. Attribute: Logon Type

2. Operator: Equals

3. Value: Success

2. Condition AND

3. Filter 2

1. Attribute: User Name

2. Operator: Equals

3. Value: <Click Add and choose the User/Group>

13. In the Alert Actions section, select the E-mail Notification check box.

14. Enter the recipient email addresses where the alert should be delivered.

15. Provide a clear and relevant subject line for the email notification.

16. Select the preferred format for the alert email, either HTML or Plain Text.

17. Select the details you would like to include in the email, such as:

1. Alert Message

2. Alert Profile Name

3. Event Details

18. Enable the Throttle Notification option to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

19. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), select the SMS Notifications check box for real-time updates.

20. Select the Execute Script check box to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

21. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), select the Configure Auto Ticketing check box to automatically generate tickets for alerts.

Note: You can also enable the Throttle Ticket Generation check box to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

22. Click Save to activate the alert profile.

Validation and confirmation  

• Perform a test change.
  
• Go to Alerts and expand the on-premises domain under Profile based alerts.

• Choose the alert profile that was created and view alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details.

• Ensure the alert email is received at the specified address.
  

Tips

• Set alerts only for high-value or high-risk accounts (admins, service accounts, VIP users) to prevent unnecessary notifications.

• Since both 4768 (Kerberos authentication) and 4624 (local logon) generate frequent events, configure alerts strictly for successful logons to reduce noise.

• Ensure all DCs and relevant workstations/servers are added as data sources so no authentication event is missed.

• As users and groups evolve, regularly revisit your included users/groups list to keep alerts aligned with security requirements.

Related topics and articles  

• No data available in Logon Reports