# ADAudit Plus

ManageEngine ADAudit Plus is an Active Directory auditing and reporting tool that detects insider threats, privilege misuse, and unauthorized changes across AD, Azure AD, file servers, and Windows endpoints.

Connecting ADAudit Plus forwards logon activity, account management changes, and policy change events to Radiant Security via Radiant's HTTPS webhook endpoint. Radiant uses these events to enrich alerts during AI triage, giving analysts visibility into the directory-layer context behind a suspicious sign-in or privilege change.

### Prerequisites

* [ ] Admin access to the ADAudit Plus Control Panel
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select **ADAudit Plus Webhook**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **ADAudit Plus Webhook** and click **Credentials**.
5. In the **Credential Name** field, enter an identifiable name for this credential (e.g., `ADAudit Plus Integration`).
6. Under **Required Credentials**, enter a value in the **Connector tag** field. This can be any string. Radiant uses this value as a salt when generating the authentication token for your connector.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the `Webhook URL` and `Token` values. You will need both in the next section.

{% hint style="warning" %}
**Important Note:** Treat the `Token` value as a secret. Anyone with access to this token can post alerts to your connector. Do not expose it in client-side code, version control, or shared logs.
{% endhint %}

### Configure ADAudit Plus to forward events via HTTPS

ADAudit Plus's Splunk HTTP Event Collector forwarder is compatible with Radiant's webhook endpoint. Configure it with the `Webhook URL` and `Token` you copied from Radiant.

1. In the ADAudit Plus Control Panel, click the **Admin** tab.
2. In the side panel, select **Configuration** > **SIEM Integration**.
3. Select the **Enable forwarding of ADAuditPlus Data** checkbox.
4. Click the **Splunk HTTP** tab and enter the following values:
   * **Splunk Server**: the `Webhook URL` value copied from Radiant.
   * **HTTP Event Collector port**: `443`
   * **SSL Enabled**: `True`
   * **Authentication Token**: the `Token` value copied from Radiant.
   * **Folder size threshold**: `5 GB`
   * Leave **Enable Log forwarding of ADAudit Plus application logs** unselected.
   * Select **Yes, I agree that it is compliant**.
5. Click **Save**.
6. On the right side, click **Choose Categories to forward**.
7. Select all categories except **AzureAD Logon Reports** and **AzureAD Management Reports**.
8. Click **Save**.

### Verify ingestion

After saving the ADAudit Plus configuration, confirm events are reaching Radiant:

1. In Radiant Security, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Search for events from this connector: `rs_connectorType:"ad_audit_webhook"`
3. Confirm recent ADAudit Plus events appear in the parsed or unparsed index. Allow several minutes for the first events to be indexed.

{% hint style="info" %}
**Note:** If no events appear after 10 minutes, verify that the **Splunk Server**, port, and **Authentication Token** values in ADAudit Plus exactly match the `Webhook URL` and `Token` from the Radiant connector page.
{% endhint %}
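
If the values match and events still do not appear, check the outbound path from the ADAudit Plus server to the webhook host on port `443`. The PowerShell below is an added example, not part of ADAudit Plus or Radiant's tooling. It assumes ADAudit Plus runs on a Windows host with PowerShell 5.1 or later; the function name `Test-WebhookTls` and the URL are placeholders.

```powershell
# Added example: run on the ADAudit Plus server. It opens a TCP connection and
# completes a TLS handshake only; the Token is never sent.
function Test-WebhookTls {
    param(
        [Parameter(Mandatory)][string]$WebhookUrl,
        [int]$Port = 443   # the HTTP Event Collector port set in ADAudit Plus
    )
    $uri = $null
    if (-not ([Uri]::TryCreate($WebhookUrl.Trim(), [UriKind]::Absolute, [ref]$uri)) -or
        $uri.Scheme -ne 'https') {
        throw 'Webhook URL must be an absolute https:// URL.'
    }
    $report = [ordered]@{
        Host = $uri.Host; Port = $Port; TcpOpen = $false
        TlsProtocol = $null; CertSubject = $null; CertExpires = $null; Error = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    $tls = $null
    try {
        # Step 1: outbound TCP. A failure here points at firewall or proxy rules.
        $client.Connect($uri.Host, $Port)
        $report.TcpOpen = $true
        # Step 2: TLS handshake with the default certificate validation. A failure
        # here usually means an untrusted chain, for example a TLS-inspecting
        # proxy whose CA is not installed on this server.
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $tls.AuthenticateAsClient($uri.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        $report.TlsProtocol = $tls.SslProtocol
        $report.CertSubject = $cert.Subject
        $report.CertExpires = $cert.NotAfter
    }
    catch {
        $report.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($tls) { $tls.Dispose() }
        $client.Close()
    }
    [pscustomobject]$report
}

# Placeholder URL: replace with the Webhook URL copied from the Radiant connector page.
Test-WebhookTls -WebhookUrl 'https://radiant-webhook.example.invalid/placeholder'
```

`TcpOpen = False` indicates a blocked network path, while `TcpOpen = True` with a populated `Error` indicates a certificate trust problem on the ADAudit Plus server.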

