Create On-Premise Active Directory Alert Profile

This guide will walk you through the process of creating a new Alert Profile to monitor your on-premise Active Directory environment for specific events.

Before creating an Alert Profile, please note that the maximum number of active profiles is determined by your company’s subscription level. This limit applies strictly to enabled profiles; you may create and save additional profiles in a disabled state for future use without affecting your quota.

Furthermore, these limits are environment-specific: active profiles in Active Directory (AD) and Office 365 are tracked and capped independently. Reaching the limit in one environment does not prevent you from activating profiles in the other.

Step 1: Navigate to Alert Profiles

Figure 1 – Navigation to the “Create Alert Profile” form


  1. Select the “Active Directory” section of the portal.
  2. From the main menu of the InfraSOS portal, navigate to the Alerting section.
  3. Select the Alert Profiles tab to view your existing profiles for cloud tenants.
  4. Click the "+ Create Alert Profile" button to start the configuration process.

Step 2: Select the AD Agent

Figure 2 – AD Agent selection


First, you need to choose which of your connected AD agents this alert profile will monitor. Select the desired agent from the dropdown list. The profile will only track activities within the domain(s) managed by this agent.

Step 3: Define the Event to Monitor

Figure 3 – Definition of the “user created” event


Next, you must define the specific Windows event that you want to be notified about. Unlike Azure AD alerts, which use predefined policies, Active Directory alerts are defined directly from the event's properties in the Windows Event Log.

  • Event ID: Specify the numeric ID of the Windows event you want to monitor.
  • Provider Name: Enter the name of the Event Log provider that generates the event.

This combination allows you to target very specific activities on your domain controllers. You can find a comprehensive list of Windows Security event IDs on the Microsoft documentation website to help you choose the right events to monitor.

Read more about InfraSOS AD Event Log monitoring here.

Step 4: Define Profile Details

Figure 4 – Alert Profile details


Now, fill in the basic identification details for your new alert profile:

  • Profile Name: Give your profile a clear and descriptive name (e.g., "Critical: Risky Sign-ins for Admin Accounts").
  • Description (Optional): Add a brief explanation of the profile's purpose for future reference.
  • Severity Level: Assign a severity (e.g., Review, Attention, Critical). This helps you categorize, filter, and prioritize alerts during incident response.
  • Labels (Optional): Assign up to 10 labels to your alert profile to help you organize and filter the active alerts this profile produces. Learn more about labels.

Step 5: Add Event Filters and Custom Summary

To refine your alerts and reduce noise, you can add specific filters based on the event's data. You can also customize the summary message that appears in notifications.

Event Filtering

For a given Event ID, different activities can be recorded. Filtering allows you to trigger alerts only for the events that match specific criteria. You can create filters based on the data inside the Windows Event.

For example, to monitor for a specific user logging on, you can filter Event ID `4624` where the `SubjectUserName` field in the event data equals the user's name.

You can add multiple filter conditions.


Figure 5 – Event filter that excludes user creation events initiated by the "Administrator" account

Custom Summary Message

Figure 6 – Custom alert details message


You can create a dynamic summary message for your alerts. This allows you to craft a clear, informative message that includes specific details from the event.

You can use placeholders in your summary message that will be replaced with actual data from the event. For example:

`"User %SubjectUserName% logged on from workstation %WorkstationName%."`

When an alert is triggered, `%SubjectUserName%` and `%WorkstationName%` will be replaced with the values from the event.
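As an added illustration (not InfraSOS code), the following Python models how a profile like the ones described in Steps 3 and 5 is evaluated: an event matches when its Event ID and Provider Name match and every filter over the EventData fields holds, and the `%Field%` placeholders in the summary are then filled from the same data. It assumes a simple (field, operator, value) filter model of its own, uses Event ID 4720, the Windows Security event for account creation, alongside the 4624 example from the text, and the sample events are constructed.

```python
import re

# Constructed sample events shaped like Windows Security event records
# (Event ID, provider, and EventData fields); made-up, not real log data.
SECURITY = "Microsoft-Windows-Security-Auditing"
SAMPLE_EVENTS = [
    {"EventID": 4624, "ProviderName": SECURITY,
     "EventData": {"SubjectUserName": "jdoe", "WorkstationName": "WS01"}},
    {"EventID": 4624, "ProviderName": SECURITY,
     "EventData": {"SubjectUserName": "svc-backup", "WorkstationName": "SRV02"}},
    {"EventID": 4720, "ProviderName": SECURITY,
     "EventData": {"SubjectUserName": "Administrator", "TargetUserName": "tmp-user"}},
    {"EventID": 4720, "ProviderName": SECURITY,
     "EventData": {"SubjectUserName": "hr-admin", "TargetUserName": "new.hire"}},
]

PLACEHOLDER = re.compile(r"%(\w+)%")  # %FieldName% tokens in a summary template


def make_profile(event_id, provider, filters=(), summary=""):
    """Hypothetical profile: ID + provider, (field, op, value) filters, summary."""
    return {"event_id": event_id, "provider": provider,
            "filters": list(filters), "summary": summary}


def matches(profile, event):
    """True when ID and provider match and every filter condition holds."""
    if (event["EventID"], event["ProviderName"]) != (profile["event_id"], profile["provider"]):
        return False
    data = event["EventData"]
    for field, op, value in profile["filters"]:
        actual = data.get(field)  # None when the event lacks the field
        if op == "equals" and actual != value:
            return False
        if op == "not_equals" and actual == value:
            return False
    return True


def render_summary(template, event):
    """Replace %Field% with the event value; unknown fields stay verbatim so a
    typo in the template shows up in the alert instead of a silent blank."""
    data = event["EventData"]
    return PLACEHOLDER.sub(lambda m: str(data.get(m.group(1), m.group(0))), template)


def evaluate(profile, events):
    """Rendered summary for every sample event that triggers the profile."""
    return [render_summary(profile["summary"], e) for e in events if matches(profile, e)]
```

In a real 4624 event the account that logged on is in `TargetUserName` while `SubjectUserName` is the account that requested the logon, so check the field names in the event's XML view before building a filter.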

Step 6: Configure Notifications

Figure 7 – Notification settings that do not send an email


Define who should be notified about an alert and how:

  • Recipients: Add the email addresses of one or more users or distribution lists that should receive the alert notifications.
  • Notification Frequency: Choose how often emails should be sent.
  • Business Hours Rule: Choose which active alerts trigger notifications based on your company's schedule.

Read more about Alert Profile notifications here.

Step 7: Save the Profile

Once you have configured all the settings, review them one last time to ensure they are correct. Click "Save Alert Profile" to finalize the process.

Your new AD alert profile is now created, but not yet active.

Step 8: Activate the Profile

Figure 8 – Alert Profile activation


Find the newly created alert profile in the Alert Profiles table and activate it by toggling the “Status” button.
