Introduction
Alert when a specific process starts or stops on a device. The Process monitor watches for a named process by exact name and fires when the condition you've configured is met — whether that's a critical process going missing or an unauthorized process appearing.
Process Monitor
Level checks whether the named process is running on covered devices. When the condition you've set (running or not running) is detected and sustained for your breach duration, an alert fires.
Two use cases drive most configurations: watching for a required process that should always be running (antivirus, backup agent, line-of-business app), and watching for a process that shouldn't be running (unauthorized software, known malware process names).
Configuring Process Monitor
Open the target monitor policy, then add or edit a Process monitor. The Edit monitor panel opens on the right.
Name and Type
Enter a name in the Name field. Including the process name helps — "CrowdStrike Agent Not Running" is more useful in an alert list than "Process Monitor."
Set Type to Process.
Severity
Set Severity based on how critical the process condition is:
Information
Warning
Critical
Emergency
Operating System
Select the OS the target process runs on: Windows, macOS, or Linux. Process names vary by platform — a Windows executable won't match a Linux process name, so this scopes the monitor correctly.
Process Name
Enter the exact process name in the Process name field. The name must match precisely — Level uses an exact string match, not a partial or wildcard search.
⚠️ WARNING: The process name must be exact. On Windows, include the .exe extension if that's how the process appears in Task Manager (e.g., notepad.exe). On Linux and macOS, use the process name as it appears in your process list — no extension.
💡 TIP: Not sure of the exact process name? Open the device in Level, go to Manage → Processes, and find the process in the list. The name shown in the Process Name column is what to enter here.
Trigger
Trigger sets the condition that fires the alert:
Is not running — alert when the process isn't found on the device
Is running — alert when the process is detected on the device
Breach Duration
Breach duration sets how long the condition must be sustained before Level creates an alert. Adjust using the slider or up/down arrows. Range is 0–120 minutes.
💡 TIP: A short breach duration (1–2 minutes) works well for "Is not running" monitors on critical processes — you want to know quickly if an antivirus agent goes missing.
Auto-Resolve
Auto-resolve alert if it is no longer applicable is disabled by default for Process monitors. Enable it if you want alerts to close automatically when the condition clears (e.g., the missing process comes back online). Leave it off if you want the alert to persist for manual review regardless.
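The exact-name match, trigger, breach duration and auto-resolve settings interact, so the following is a small model of them, added here as an illustration and not Level's own code. It assumes one process-list sample per minute and a plain `==` comparison for the exact match (the page does not state the polling interval or case handling); `agent.exe` and the samples are constructed.

```python
from dataclasses import dataclass

@dataclass
class ProcessMonitor:
    process_name: str         # exact name as entered in the Process name field
    trigger: str              # "is_running" or "is_not_running"
    breach_minutes: int       # 0-120, how long the condition must be sustained
    auto_resolve: bool = False  # disabled by default for Process monitors

def evaluate(monitor, samples):
    """Replay (minute, set_of_process_names) samples and return alert events."""
    events, breach_start, alert_open = [], None, False
    for minute, names in samples:
        present = monitor.process_name in names  # exact match, no wildcard
        breached = present if monitor.trigger == "is_running" else not present
        if breached:
            if breach_start is None:
                breach_start = minute
            sustained = minute - breach_start >= monitor.breach_minutes
            if sustained and not alert_open:
                events.append((minute, "alert"))
                alert_open = True
        else:
            breach_start = None  # condition cleared, the timer restarts
            if alert_open and monitor.auto_resolve:
                events.append((minute, "resolve"))
                alert_open = False
    return events

# Constructed samples: agent.exe (hypothetical required agent) disappears for
# minutes 1-3, and notepad.exe appears at minute 5.
SAMPLES = [
    (0, {"explorer.exe", "agent.exe"}),
    (1, {"explorer.exe"}),
    (2, {"explorer.exe"}),
    (3, {"explorer.exe"}),
    (4, {"explorer.exe", "agent.exe"}),
    (5, {"explorer.exe", "agent.exe", "notepad.exe"}),
]

if __name__ == "__main__":
    correct = ProcessMonitor("agent.exe", "is_not_running", 2, auto_resolve=True)
    no_ext = ProcessMonitor("agent", "is_not_running", 2, auto_resolve=True)
    banned = ProcessMonitor("notepad", "is_running", 0)
    print(evaluate(correct, SAMPLES))  # fires after 2 sustained minutes, then resolves
    print(evaluate(no_ext, SAMPLES))   # wrong name: false alert that never clears
    print(evaluate(banned, SAMPLES))   # wrong name: unauthorized process is missed
```

In this model a name entered without `.exe` makes an "Is not running" monitor alert permanently and makes an "Is running" monitor silently miss the process.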
Remediation
Attach one or more automations to run when this monitor fires — restart a stopped process, kill an unauthorized one, or notify your team.
Click in the Remediation field and select an automation.
To add more, click + Add another remediation.
To remove one, click the × next to it.
ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.
Notifications
Send notifications on alert creation — policy recipients get an email when the alert fires
Send notifications on alert resolution — policy recipients get an email when the alert resolves
Both toggles are off by default. Recipients are managed at the monitor policy level, in the Recipients section.
Saving the Monitor
Click Add monitor to save a new monitor, or Update monitor to save changes to an existing one.
FAQ
Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.
Why isn't my process monitor firing even though the process isn't running? Check that the process name is entered exactly as it appears on the device — including .exe on Windows if applicable. Also confirm the device is covered by the policy's target tags and that the breach duration has elapsed.
Should I use the Process monitor or the Service monitor for Windows background tasks? If the background task runs as a Windows service, use the Service monitor — it's designed for that and has the added option to automatically restart stopped services. Use the Process monitor for applications that don't run as a service.
Can I monitor the same process across different operating systems? Not in a single monitor — each Process monitor is scoped to one OS. Create a separate monitor per OS if you need cross-platform coverage of the same application.
What happens to open process alerts if I delete the monitor? Existing alerts remain in place. Deleting a monitor doesn't close alerts it already created — resolve those manually.







