Browse documentation
Reviewing audit events
↩ AD Audit
Once a domain controller is collecting, its events appear on the AD Audit page — searchable, filterable, and available to alert on.
The summary
Four cards at the top show Audited DCs, Events (7 days), Ingested today (against the daily cap), and Dropped today. If events were dropped because the cap was reached, a notice suggests narrowing categories on noisy DCs.
The events table
Below the domain controllers, the Events table lists what's been collected:
| Column | Shows |
|---|---|
| Time | When the event occurred |
| Category | Account changes, Group changes, Computer accounts, Directory object changes, Logon, or Lockout |
| Action | e.g. Create, Modify, Delete, Enable, Disable, Add member, Remove member, Logon, Logon failed, Lockout (colour-coded) |
| Actor | Who performed it |
| Target | What was changed |
| Detail | The attribute and new value, or result status |
| Source | The source workstation/IP (for logons) or the DC |
Filtering
Narrow the list by search (actor, target, or source host), category, domain controller, and time range (last 24 hours, 7 days, 30 days, or all). The newest events are shown first.
Alerting on events
AD Audit can notify you when a sensitive event is collected — for example, someone added to Domain Admins. In Alert rules, add a rule with:
- A name.
- Optional match criteria — category, action, target contains, and actor contains (all set criteria must match).
- A notification profile to notify through (email, Slack, Teams, a ticket, and so on — see Notification profiles and recipients).
When a newly collected event matches, JOATOS fires the notification and records it in the alert history.
Compliance reporting
AD Audit's data also feeds the Reports module — with reports for AD account & computer changes, group membership changes, and logon & lockout activity — which you can view and download as CSV, Excel, or PDF.
Notes & tips
- Use target contains with a group name like Domain Admins to catch privileged-group changes specifically.
- Because it's a Pilot, the retention window on raw events is intentionally limited — export anything you need to keep long-term via Reports.