
Script Monitor Examples

Worked examples showing complete scripts and monitor configurations for common use cases.


Introduction

Script monitors are only as useful as the scripts behind them. These examples show complete end-to-end configurations (the script, the monitor settings, and why each decision was made) so you can deploy them as-is or use them as a starting point for your own.


Example 1: Detecting Unauthorized Local Admins

This monitor alerts when a Windows device has a local administrator account that isn't on your approved list, a common compliance and security check.

The script compares enabled local admin accounts against an authorized list stored in a custom field ({{cf_authorized_admins}}). If it finds anyone who shouldn't be there, it outputs ALERT and exits with code 1.

PowerShell Script

$AuthorizedAdmins = "{{cf_authorized_admins}}"

# Get all user accounts in the local Administrators group.
# Local accounts are kept only when enabled. Domain users cannot be looked up
# with Get-LocalUser (it only knows local accounts), so they are always kept:
# their enabled state is unknown and silently dropping them would hide a finding.
$admins = Get-LocalGroupMember -Group "Administrators" |
    Where-Object {
        $_.ObjectClass -eq 'User' -and (
            $_.PrincipalSource -ne 'Local' -or
            (Get-LocalUser -SID $_.SID).Enabled -eq $true
        )
    } |
    Select-Object -ExpandProperty Name

# Strip the COMPUTERNAME\ or DOMAIN\ prefix, trim, and normalize to lowercase.
# @() guarantees an array even when zero or one account is returned.
$detectedArray   = @($admins | ForEach-Object { ($_ -split '\\')[-1].Trim().ToLower() })
$authorizedArray = @($AuthorizedAdmins -split ',' | ForEach-Object { $_.Trim().ToLower() })

# Find admins not in the authorized list
$unauthorizedAdmins = @($detectedArray | Where-Object { $authorizedArray -notcontains $_ })

if ($unauthorizedAdmins.Count -gt 0) {
    Write-Output "Unauthorized Admins ALERT: $($unauthorizedAdmins -join ',')"
    exit 1
} else {
    Write-Output "No unauthorized admins detected."
    exit 0
}

Monitor configuration:

Field            Value
Type             Run script
OS               Windows
Script           Windows - Unauthorized Admins
Script output    Contains
Value            ALERT
Run frequency    1 hour
Trigger count    1

When an unauthorized admin is present, the output contains ALERT and the monitor fires. When the account list is clean, the output doesn't contain ALERT and the monitor stays quiet.

Windows Unauthorized Admins

💡 TIP: Set cf_authorized_admins as a custom field at the group or organization level so a single maintained list covers all your devices. You can override it per device if specific machines have different admin requirements.

The Admin Monitoring Policy imports everything needed to run this check on Windows, macOS, and Linux: three pre-configured monitors (one per OS), all three scripts, the Authorized Admins custom field, and Workstation and Server tags.
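The page shows only the Windows script, so here is a Linux counterpart written for this article as an added example (it is not the script shipped in the Admin Monitoring Policy). It treats members of the sudo and wheel groups plus any UID 0 account as admins and reads the same {{cf_authorized_admins}} custom field; the group names and the exact output wording are assumptions.

```shell
#!/bin/sh
# Linux counterpart of the Windows check above (added example, not Level's
# script). Admins = members of the sudo and wheel groups plus any UID 0 account.
# The authorized list comes from the same comma-separated custom field.
AUTHORIZED_ADMINS="{{cf_authorized_admins}}"

# Normalize a comma-separated list to one trimmed, lowercase name per line,
# dropping blanks and duplicates (mirrors the Trim().ToLower() step above).
normalize_list() {
    printf '%s' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Print each detected admin ($1, comma-separated) that is absent from the
# authorized list ($2, comma-separated), one per line.
unauthorized_admins() {
    authorized=$(normalize_list "$2")
    for name in $(normalize_list "$1"); do
        # -x matches whole lines so "bob" does not authorize "bobby"; -F is literal
        printf '%s\n' "$authorized" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Collect admin accounts on this host as a comma-separated list.
detect_admins() {
    {
        for g in sudo wheel; do
            getent group "$g" 2>/dev/null | cut -d: -f4 | tr ',' '\n'
        done
        awk -F: '$3 == 0 { print $1 }' /etc/passwd 2>/dev/null
    } | grep -v '^$' | sort -u | paste -sd, -
}

# Entry point: the output contains ALERT (what the monitor matches on) and the
# script exits 1 when an unauthorized admin is present, like the Windows script.
main() {
    bad=$(unauthorized_admins "$(detect_admins)" "$AUTHORIZED_ADMINS")
    if [ -n "$bad" ]; then
        echo "Unauthorized Admins ALERT: $(printf '%s\n' "$bad" | paste -sd, -)"
        return 1
    fi
    echo "No unauthorized admins detected."
    return 0
}

main
```

Unlike the Windows script, locked accounts are not filtered out: a locked account still holds the privilege the moment it is unlocked, so reporting it is the conservative choice for a monitor.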


Example 2: Monitoring Device Uptime

This monitor alerts when a device has been running for more than 30 days without a reboot, a signal that patch cycles may have been missed or that a device is being overlooked.

The script is a single osquery query:

osQuery Script

SELECT days FROM uptime;

osquery returns the number of days since the last boot as a plain integer. The monitor compares that value directly using Greater than.

Monitor configuration:

Field            Value
Type             Run script
OS               Windows (or macOS / Linux; osquery is cross-platform)
Script           OsQuery Monitor - Uptime
Script output    Greater than
Value            30
Run frequency    24 hours
Trigger count    1

When uptime exceeds 30 days, the monitor fires. After a reboot brings uptime back below 30 days, the alert auto-resolves.

Pairing this monitor with a Prompt User to Restart remediation automation means the user is notified to reboot directly; no technician intervention is needed for the common case.

Windows Uptime Exceeds 30 Days

💡 TIP: osquery runs on Windows, macOS, and Linux. You can create three separate monitors, one per OS, all pointing to the same script for cross-platform uptime coverage.

The Uptime Monitoring Policy imports three pre-configured monitors (Windows, macOS, and Linux) and the Osquery Uptime script, ready to assign to a group.


Example 3: Monitoring DNS Server Configuration

This monitor alerts when a Windows device is using DNS servers that aren't on your approved list. This is useful for detecting misconfiguration, DHCP drift, or unauthorized changes.

The script compares the device's active DNS servers against an allowed list stored in a custom field ({{cf_dns}}). If any interface has DNS servers outside the approved list, it outputs ALERT and exits with code 1.

PowerShell Script

# Comma-separated list of expected DNS servers
$allowedDnsServers = "{{cf_dns}}"
$allowedDnsServersArray = @($allowedDnsServers -split "\s*,\s*" | Where-Object { $_ })

function Check-DnsServers {
    # Check every IP-enabled interface and remember whether any of them failed,
    # rather than exiting on the first interface, so no adapter is skipped.
    $alert = $false
    $networkInterfaces = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($interface in $networkInterfaces) {
        # Filter out $null so an interface with no DNS servers yields an empty array
        $dnsServers = @($interface.DNSServerSearchOrder | Where-Object { $_ })
        Write-Output "Interface: $($interface.Description)"
        Write-Output "Allowed DNS servers: $($allowedDnsServersArray -join ', ')"
        Write-Output "Current DNS servers: $($dnsServers -join ', ')"
        if ($dnsServers.Count -gt 0) {
            $unexpected = @($dnsServers | Where-Object { $allowedDnsServersArray -notcontains $_ })
            if ($unexpected.Count -eq 0) {
                Write-Output "SUCCESS: DNS servers match the allowed list."
            } else {
                Write-Output "ALERT: Not all DNS servers are in the allowed list: $($unexpected -join ', ')"
                $alert = $true
            }
        } else {
            # Reported for diagnosis, but the word ALERT is deliberately avoided
            # so an interface with no DNS configured does not fire the monitor.
            Write-Output "NOTE: No DNS servers configured on this interface."
        }
    }
    if ($alert) { exit 1 } else { exit 0 }
}

Check-DnsServers

Monitor configuration:

Field            Value
Type             Run script
OS               Windows
Script           Windows Monitor - DNS Servers
Script output    Contains
Value            ALERT
Run frequency    1 hour
Trigger count    1

When a DNS server outside the allowed list is detected, the output contains ALERT along with the interface name and the DNS servers actually configured, visible in the alert payload for quick diagnosis. When all interfaces match the allowed list, no alert fires.

Windows DNS

💡 TIP: Set cf_dns as a custom field at the group level so different sites or client environments can have their own approved DNS server lists without creating separate monitor policies.

The DNS Monitoring Policy imports three pre-configured monitors (Windows, macOS, and Linux) and the DNS monitoring script. It also sets up the cf_dns custom field so you can define allowed DNS servers at the group or device level without any extra configuration.


More Examples

The Level Library at level.io/library has a growing collection of ready-to-import scripts and monitor policies. Browse by category to find monitors for security, disk health, application state, and more, or submit your own.


FAQ

  • Do I need to create the script before I can use it in a monitor? Yes: the script must be saved in your script library before you can select it in a monitor. If you import a script from the Level Library, it's added to your library automatically and available immediately.

  • Can I modify an imported script? Yes. Importing creates a copy in your account; changes you make don't affect the original library resource or other users.

  • The import link takes me to a login page. Is that expected? Yes: you need to be logged into Level to import. After logging in you'll be redirected to the import confirmation.
