In a previous blog, we saw how ADAudit Plus’ user behavior analytics (UBA) capabilities allow administrators to monitor user logon activity to identify compromised accounts. UBA in ADAudit Plus can also help you track any unusual process on member servers to safeguard against external threats. In this blog, we’ll look at how organizations can easily track when a process is executed on member servers for the first time.

Tracking unusual processes on a host

Imagine a scenario where an employee clicks on a malicious link and downloads malware that encrypts their data before it starts spreading across the network. Immediately after the malicious program is downloaded, the UBA solution detects a new process on the member servers and triggers an alert. It also detects the unusually high number of files that are modified in the process and alerts the administrator. The quicker an attack is detected, the easier it is for administrators to mitigate the impact.

To track unusual processes on a host with ADAudit Plus:

  1. Log in to ADAudit Plus.

  2. Click Analytics and select Unusual Process Activity.

  3. To view the report of processes that were run on the host for the first time, select New process on server. See Figure 1.

Figure 1. First time process activity report in ADAudit Plus.

Having a report of unusual processes on a host is nice, but most administrators don’t have time to review reports. This is where alerts come in handy. By default, UBA alerts are triggered through email, but you can configure these alerts to be sent via SMS as well.

To edit alert profiles:

  1. Select the Configuration tab.

  2. Go to Alert Profiles > View/Modify Alert Profiles, and select the required profile.

  3. Click Configure to modify the alert profile. You can choose to be notified via email, SMS, or both.

  4. Click Update.

Upon configuring these settings, administrators will begin receiving alerts about any unusual processes on a host.


ADAudit Plus’ UBA engine alerts administrators about any process activity that’s run for the first time on a member server. Using the data created by past processes, the analytics engine will check the current processes for any unusual activity. If there is a first-time process on a host, an unusual process alert will be triggered and sent to the administrator.

Receive a free copy of our white paper on UBA to learn more about how UBA can help you defend against insider attacks.