
Application Monitor

Get alerted when required software goes missing or unauthorized software shows up.

Introduction

Get alerted when an application is installed where it shouldn't be, or missing where it should be. The Application monitor watches the software inventory on each covered device and fires an alert when an application's installation status matches the condition you set.

Two jobs, one monitor. Catch unauthorized software the moment it lands, or catch required software that's gone missing.


Application Monitor

The Application monitor checks the installed applications on every device covered by the policy. It reads the same inventory shown on each device's Applications tab, then compares it against the application names and installation status you configure. When the condition matches, Level creates an alert.

You're choosing between two conditions:

  • Is installed — alert when the named application is present. Use this to flag unauthorized or unwanted software (torrent clients, remote-access tools you didn't sanction, an app that violates policy).

  • Is not installed — alert when the named application is absent. Use this to confirm required software stays in place (your AV agent, a VPN client, a mandatory line-of-business app).


ℹ️ NOTE: This monitor reads the same application inventory shown on Devices → Device Details → Applications. That inventory covers anything installed through normal channels (installers, package managers, the registry).


How Detection Works

Detection Timing

Evaluation runs on the agent, not the backend, on a fixed cadence you can't change:

  • The agent rebuilds its installed-application inventory roughly every 10 minutes.

  • The monitor re-checks your configured names against that cached inventory roughly every 1 minute.

  • When the result flips, the agent pushes the change to Level immediately (it doesn't wait for the next periodic flush).

The 10-minute inventory refresh is the real bottleneck, not the 1-minute check. An install or uninstall surfaces in up to about 10 minutes (often less); the worst case is ~10–11 minutes once the evaluation tick is added.

ℹ️ NOTE: Unlike Run Script monitors, the Application monitor has no run-frequency or breach-duration setting. The cadence above is fixed in the agent.

Offline devices don't evaluate. They catch up on the next inventory refresh after they reconnect.

Resolving and Re-Alerting

This is the part that trips people up. Manually resolving an alert is not a durable dismissal while the condition still holds.

While an app stays in the triggering state (installed, for an "Is installed" monitor; absent, for "Is not installed"), the agent keeps re-asserting that state on a 5-minute reconciliation flush. So if you resolve the alert by hand and nothing about the device actually changed, the next agent report reopens the same alert, usually within about 5 minutes.

What happens on re-report depends on timing:

  • Resolved less than 24 hours ago: Level reopens the original alert (no new alert is created).

  • Resolved more than 24 hours ago: Level creates a brand-new alert.

💡 TIP: The only clean way to close one of these is for the underlying condition to actually clear. Install the missing app (for an "Is not installed" monitor) or remove the unwanted one (for "Is installed"), and with Auto-resolve on, the alert closes itself on the next report. Resolving by hand while the app is unchanged just buys you ~5 minutes.


Configuring Application Monitor

Open the monitor policy you want to add this to, then click + Add new monitor (or open an existing Application monitor to edit it). The Edit monitor panel opens.


Name and Type

  1. Enter a name in the Name field. The name shows up in the alert, so make it readable at a glance. "Chrome Not Installed" or "Unauthorized: BitTorrent" beats "Application Monitor 3."

  2. Set Type to Application.

Severity

Set Severity to match how your team should treat the alert. Four levels:

  • Information — low priority, FYI-level

  • Warning — worth attention but not urgent

  • Critical — requires prompt response

  • Emergency — drop everything

💡 TIP: A missing AV agent is usually Critical or Emergency. An unauthorized but low-risk app might be Information or Warning so it logs without paging anyone at 2 a.m.

Application Name(s)

Enter the application name in the Application name(s) field. Type a name, then press Tab or add a comma to commit it as a chip. Add as many as you need; each becomes its own chip. Click the × on a chip to remove it.

Matching is a case-insensitive substring match against the application's display name as the device reports it. Your configured name is the needle; the installed name is the haystack. "Chrome," "chrome," and "Google Chrome" all match an installed "Google Chrome." If you're unsure of the name, open a target device, go to Devices → Device Details → Applications, and check the Name column.

⚠️ WARNING: Substring matching cuts both ways. A short name over-matches: "Chrome" also catches "Chrome Remote Desktop" and "Chromium." And direction matters: a configured name only matches if it's contained in the installed name, so "Google Chrome Stable" will not match an app that just reports as "Chrome." Name apps as specifically as you can without overshooting the installed string.

You can also click the {x} button to insert a variable instead of a literal name, so the monitored application can vary per device (for example, pulled from a custom field). When a variable resolves to a value, Level splits it on commas and newlines, trims each piece, and drops blanks. So one custom field holding "Google Chrome, Firefox, 7-Zip" expands into three application names, each matched independently.
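The matching and variable-expansion rules described above can be modelled offline to vet a name list before it goes into a policy. This is an added example, not Level's code: the function names, the "ok" / "over-match" / "no-match" labels, and the sample inventory are all constructed for illustration.

```python
import re

def expand_names(value):
    """Split a resolved variable on commas and newlines, trim, drop blanks."""
    return [part.strip() for part in re.split(r"[,\n]", value) if part.strip()]

def matches(configured, installed):
    """Case-insensitive substring test: configured name is the needle,
    the installed display name is the haystack."""
    return configured.lower() in installed.lower()

def audit(configured_names, inventory):
    """Map each configured name to every installed display name it matches."""
    return {name: [app for app in inventory if matches(name, app)]
            for name in configured_names}

def review(configured_names, inventory):
    """Label each configured name (hypothetical labels):
    'no-match'   -> not contained in any installed name
    'ok'         -> contained in exactly one installed name
    'over-match' -> contained in several installed names"""
    labels = {}
    for name, hits in audit(configured_names, inventory).items():
        if not hits:
            labels[name] = "no-match"
        elif len(hits) == 1:
            labels[name] = "ok"
        else:
            labels[name] = "over-match"
    return labels

# Constructed sample: display names as a device's Applications tab might list them.
INVENTORY = [
    "Google Chrome",
    "Chrome Remote Desktop",
    "Mozilla Firefox (x64 en-US)",
    "7-Zip 23.01 (x64)",
]

# Constructed custom-field value with stray whitespace, a newline and blanks.
FIELD = "Google Chrome, Firefox,\n 7-Zip,, "

if __name__ == "__main__":
    print(expand_names(FIELD))
    print(review(expand_names(FIELD), INVENTORY))
    # A short name over-matches; an over-long name matches nothing.
    print(review(["Chrome", "Google Chrome Stable"], INVENTORY))
```

Run it against names copied from a real device's Applications tab: a "no-match" name would never fire an "Is installed" alert, and an "over-match" name would fire on software you did not intend to flag.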

🖥️ PLATFORM NOTE:

  • Windows: Reads the registry Uninstall keys, the same source as Add/Remove Programs (HKLM 64-bit and 32-bit views, plus per-user hives including offline profiles). Per-user installs that register an uninstall entry (user-scope Chrome, Slack, Zoom, Teams) are detected. Portable apps that drop an .exe without an uninstall registry entry are not.

  • macOS: Reads system_profiler plus .app bundles under /Applications and each user's ~/Applications. Anything that isn't a .app bundle won't show.

  • Linux: Reads the system package manager (apt/dpkg, yum/rpm, or pacman) plus Snap and Flatpak. Manually installed binaries and AppImages aren't tracked. Package names often differ from the Windows or macOS label (e.g., google-chrome-stable), so check the device's Applications tab for the exact string.

Installation Status

Set Installation status to the condition that should fire the alert:

  • Is installed — alert fires when the named application is found

  • Is not installed — alert fires when the named application is absent

💡 TIP: Pair this monitor with a remediation. Set Is not installed on a required app and attach an install action so Level reinstalls it automatically. Set Is installed on an unwanted app and attach an uninstall action to rip it back out. See Remediation below.

Remediation

Optionally attach an automation to run when the alert fires. This is how you auto-install missing software, auto-remove unauthorized software, open a ticket, or notify a channel the moment the condition is detected.

ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.

  1. Click the Select an automation (optional) field and pick an automation from the list.

  2. Click the link icon to open that automation in a new tab and review or edit it.

  3. Click the eye icon to preview the automation's actions inline without leaving the panel.

  4. Click the × to clear the selected automation.


Notify Recipients

Two checkboxes control whether the policy's recipients get emailed:

  • On alert creation — recipients get an email when the alert fires

  • On alert resolution — recipients get an email when the alert resolves

Recipients are set at the monitor policy level, not on the individual monitor. Add email addresses in the Recipients section of the policy.

ℹ️ NOTE: If the policy has no recipients, no notification email sends regardless of these checkboxes.

Auto-Resolve

The Auto-resolve alert when conditions clear toggle (enabled by default) closes the alert automatically once the condition no longer holds. For an Is not installed monitor, that means the alert closes when the app gets installed. For an Is installed monitor, it closes when the app is removed.

Leave it on unless you want alerts to stay open for manual review even after the underlying condition clears.


FAQ

  • What does the monitor actually check against? The device's reported application inventory, the same list you see on Devices → Device Details → Applications. If an app isn't in that list, the monitor can't match it.

  • I added Chrome and Firefox to one monitor. How are multiple names handled? Each name is matched independently against the inventory. You can also feed a single custom field holding comma- or newline-separated names (like Chrome, Firefox, 7-Zip) through the {x} picker, and it expands into separate names automatically.

  • Do I need to enter the exact application name? No. It's a case-insensitive substring match, so "chrome" matches "Google Chrome." But your name has to be contained in the installed name: "Google Chrome Stable" won't match an app that reports as just "Chrome." And short names over-match ("Chrome" also catches "Chrome Remote Desktop"). When in doubt, check the device's Applications tab and use the most specific name that's still a substring of what's installed.

  • Is there a breach duration like on the CPU or Connection monitors? No. There's no breach-duration or frequency setting on this type. The agent rebuilds its app inventory about every 10 minutes and re-checks your names against it about every minute, both fixed. A new install or uninstall shows up in up to ~10 minutes.

  • I resolved an alert and it came right back. Why? Because the app is still in the state the monitor watches for. The agent re-asserts that state every ~5 minutes, so resolving by hand reopens the same alert (if you resolved it within the last 24 hours) or creates a new one (if longer ago). The only durable fix is the condition clearing: install the missing app, or remove the unwanted one. With Auto-resolve on, that closes the alert on the next report.

  • Can I have Level reinstall missing software automatically? Yes. Set the monitor to Is not installed and attach an install action as the remediation. The same pattern works in reverse: Is installed plus an uninstall action to remove unwanted software.

  • Does it work on macOS and Linux? Yes, all three platforms, no OS selector. The sources differ: Windows reads the registry Uninstall keys (Add/Remove Programs), macOS reads system_profiler and .app bundles, Linux reads the package managers plus Snap and Flatpak. Portable Windows apps, manual Linux binaries, and AppImages aren't tracked because they don't register with those sources.

  • Who can create and edit Application monitors? Technicians with access to the relevant monitor policy. Policy access is controlled by your permission settings. See Workspace → Permissions.

  • What happens to open alerts if I delete the monitor? Existing alerts stay in place. Deleting a monitor doesn't close or remove the alerts it already created; resolve those manually.
