Introduction
Monitor policies define what Level watches on your devices and who gets notified when something goes wrong. Each policy bundles one or more monitors, a set of target tags, and a list of alert recipients — so you can apply a coherent set of checks to any group of devices just by tagging them.
This article covers how policies work, how to create and configure them, and which monitor types are available. For configuration details on specific monitor types, see the linked articles in each section below.
Monitoring Policies
A monitor policy has three parts:
Targets: One or more tags. Every device carrying a matching tag is observed by this policy.
Monitors: The individual checks — CPU usage, disk space, a service status, a script result, etc.
Recipients: Email addresses that receive notifications when monitors in this policy trigger alerts.
When a monitor's threshold is exceeded, Level opens an alert and (if configured) emails the recipients. If Auto-resolve is enabled on that monitor, the alert closes automatically once the condition clears. If it's off, a technician must manually resolve it from the Alerts view.
Tags are the mechanism that links policies to devices. Apply a tag to a device, and Level immediately checks whether any monitor policies target that tag — then applies those policies automatically. Remove the tag and those policies stop monitoring that device. The Monitors tab on a device's detail page shows every monitor currently active on it, across all policies and tags, in a single flat list. See Device Details → Monitors for more.
💡 TIP: Design policies around roles, not just device types. A policy called "Domain Controllers" that monitors AD-specific services pairs naturally with a tag of the same name — making it obvious which devices it covers and easy to assign.
Policies View
Navigate to Monitors in the sidebar. The Monitor policies page lists every policy in your organization.
Each row shows:
Name: The policy name, with a count of monitors and a link to the devices it currently targets
Created / Created by: When the policy was created and which technician created it
Last edited / Last edited by: When and by whom the policy was last modified
To customize which columns appear, click Columns in the top right. On the policies listing, you can toggle: Name, Created, Created by, Last edited, and Last edited by.
To delete one or more policies, check the box next to each row and click Delete.
Creating a monitor policy
Click + Create monitor policy in the top right.
Enter a name in the Monitor policy name field. The placeholder text suggests "e.g. Laptop policy" — pick something that reflects the role or device group this policy covers.
Click Create.
The new policy opens immediately. You'll land on the policy detail view, ready to add targets and monitors.
Configuring Targets
The Targets panel on the left side of a policy controls which devices it monitors. Targets are tag-based — add a tag here and every device carrying that tag gets monitored by this policy.
To add a target tag:
Click + in the Targets panel header.
Search for an existing tag or click Create new tag to create one on the spot.
Select the tag. It appears in the panel with a live count of the devices currently carrying it.
To remove a target tag:
Click the three-dot menu next to a tag in the Targets panel and select Remove target.
ℹ️ NOTE: Targets update dynamically. If you add a tag to a device after the policy is already configured, that device starts being monitored immediately — no changes to the policy required.
Configuring Recipients
The Recipients panel sits below Targets on the left side. Recipients receive email notifications when monitors in this policy trigger or resolve alerts.
To add recipients:
Click + in the Recipients panel header.
Enter one or more email addresses in the Email field. Hit Tab or add a comma to enter multiple addresses at once.
Click Add recipients.
To remove a recipient:
Click the three-dot menu next to a recipient's email and select Remove recipient.
ℹ️ NOTE: Recipients here receive notifications for all monitors in this policy. Whether a specific monitor actually sends notifications on alert and on resolution is controlled on each individual monitor — but the recipient list is shared across the whole policy.
Monitor Configuration
The right side of the policy shows all monitors attached to it. This is where you see what the policy is actually checking.
Default columns visible in the table:
Column | Description |
Name | The monitor's name |
Type | The monitor type (CPU usage, Disk usage, Event log, Run script, etc.) |
Threshold/Duration | The configured threshold value and the duration a condition must persist before triggering |
Severity | Information, Warning, Critical, or Emergency |
Three additional columns are available but hidden by default. Click Columns to enable them:
Remediation automations: Any automation set to run when the monitor triggers
Auto-resolve: Whether the alert closes automatically when the condition clears
Send notifications: Whether this monitor sends email notifications
Adding a Monitor
Click + Add new monitor in the top right of the policy view. This opens a monitor configuration panel where you choose the monitor type and set its parameters.
The available monitor types fall into two categories:
Built-in monitors
These watch standard system metrics without requiring any script:
CPU usage — Triggers when CPU exceeds a percentage threshold for a sustained duration. See CPU Usage Monitor.
Connection — Triggers when a device goes offline for longer than a configured number of minutes. See Connection Monitor.
Disk usage — Triggers when available disk space on any drive (or just the system drive) drops below a threshold. See Disk Usage Monitor.
Event log — Triggers when a specific Windows Event ID appears a set number of times within a defined time window. See Event Log Monitor.
Memory usage — Triggers when RAM usage exceeds a percentage threshold for a sustained duration. See Memory Usage Monitor.
Process — Triggers when a specific process starts or stops running. See Process Monitor.
Service — Triggers when a specific Windows service stops or starts. See Service Monitor.
Script monitors
Script monitors run a PowerShell, Bash, or Python script on the device and evaluate the output against a configured condition. Use these for anything the built-in types don't cover — software license checks, custom application health, registry values, and so on.
Run script — See Run Script Monitor for full configuration details and supported output formats.
For examples: Script Monitor Examples.
ℹ️ NOTE: A policy can contain multiple monitors of the same type. If you need separate thresholds for Warning and Critical disk levels, add two Disk usage monitors to the same policy with different thresholds and severities.
How Alerts Work
When a monitor's threshold is breached, Level opens an alert and captures a payload reflecting device state at the time of the trigger. What's in that payload depends on the monitor type:
CPU monitors show the top processes by CPU usage at the moment the alert triggered
Memory monitors show the top processes by memory consumption
Script monitors show the raw output the script returned
Event log monitors show the matching event details: Event ID, source, and message
The payload stays live and synced for as long as the alert is open. Once the alert resolves, Level freezes it — preserving the last bad state at the moment of resolution. That frozen snapshot is what you see when you expand a resolved alert.
To view and triage alerts across all devices, go to the Alerts global view. To see alerts scoped to a single device, open the device and click the Alerts tab. See Alerts and Device Details → Alerts for details.
💡 TIP: If a monitor keeps re-triggering on one specific device but not others, open that device's Alerts tab and expand the payload. Level captures the exact values at trigger time, which is usually the fastest way to spot what's different about that device.
Policy-level actions
Click Actions in the top right of a policy to access:
Rename — Rename the policy
Delete — Permanently delete the policy
⚠️ WARNING: Deleting a policy removes all its monitors and stops monitoring on all targeted devices immediately. Alerts that were open at the time of deletion remain in the Alerts view but will no longer update or auto-resolve.
Resource Library
Level's Resource Library has hundreds of ready-to-use monitor policies and scripts built by the Level team and the community. Any of them can be imported directly into your account with one click — no configuration required to get started.
💡 TIP: Before building a monitor from scratch, check the Resource Library. There's a good chance a policy already exists for what you need — domain controller health, antivirus status, backup verification, uptime checks, and more.
Best Practices
A few patterns that hold up in practice:
Keep policies role-focused. Split resource monitoring (CPU, memory, disk) from application monitoring (services, processes). A domain controller policy should only monitor domain controller functions — not generic workstation metrics.
Match policy names to tag names. If your tag is "Exchange", name the policy "Exchange Monitoring". The pairing is obvious and makes auditing easier.
Disable auto-resolve selectively. Leave auto-resolve off only when you want a technician to investigate the root cause. If it's off everywhere, unresolved alerts pile up and create noise.
Don't overload a single policy. Level supports multiple policies per device via tag overlap. A device can receive checks from a "Workstations - Resources" policy and a "Huntress" policy simultaneously — use that.
Use per-device disable for permanent exceptions, not policy changes. If one device generates noise for a monitor that's valid everywhere else, disable that specific monitor on that device from Device Details → Monitors. Don't weaken the policy for everyone else. For temporary suppression during planned work, use Maintenance Mode instead.
Frequently asked questions
Who can create and edit monitor policies? Monitor policy management requires appropriate permissions for your organization. Technicians with restricted access may be able to view policies but not create or modify them. See Workspace → Permissions for details.
Can one device be monitored by more than one policy? Yes. If a device carries multiple tags and each tag is targeted by a different policy, that device receives all of them. Each policy runs its monitors independently. You can see the full list on the device's Monitors tab, including which tag pulled in each policy.
Why isn't a monitor triggering even though the threshold should be exceeded? Check that the device's tag appears in the policy's Targets panel with a non-zero device count. Also check the monitor's Duration setting — most monitors require a condition to persist for a defined period before firing. If the device is in Maintenance Mode, alerts are suppressed. If the monitor has been manually disabled on this device, it won't fire regardless of policy settings — check Device Details → Monitors.
Can I add a recipient who isn't a Level technician? Yes. Recipients are plain email addresses — they don't need a Level account. Any address you add will receive notifications for this policy's alerts.
What happens to open alerts if I remove a target tag from a policy? Existing open alerts from those devices remain visible in the Alerts view. New alerts won't be created since the devices are no longer targeted. Alerts won't auto-resolve unless the monitor's auto-resolve was already enabled.
An alert resolved and came back — why does it show the original start time? Level reopens an existing alert rather than creating a new one if the same monitor fires again within 24 hours. The original start timestamp is preserved. If the alert keeps cycling, the start time reflects when it first opened, not its most recent trigger. After 24 hours without re-triggering, Level creates a fresh alert with a new start time.
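The alert lifecycle described on this page (a duration that must persist before firing, auto-resolve, and the 24-hour reopen that keeps the original start time), as an added Python model. It is not Level's code: `MonitorModel`, `Alert`, `demo` and the sample readings are constructed for illustration, and it assumes the 24-hour window is measured from the last trigger, which the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

REOPEN_WINDOW = timedelta(hours=24)  # reopen window stated in the FAQ

@dataclass
class Alert:
    started: datetime                 # preserved across reopens
    last_trigger: datetime
    resolved: Optional[datetime] = None

class MonitorModel:
    """Toy model of one monitor on one device (illustrative, not Level's code)."""
    def __init__(self, threshold: float, duration: timedelta, auto_resolve: bool = True):
        self.threshold, self.duration, self.auto_resolve = threshold, duration, auto_resolve
        self.breach_since: Optional[datetime] = None
        self.alerts: List[Alert] = []

    def observe(self, ts: datetime, value: float) -> None:
        last = self.alerts[-1] if self.alerts else None
        is_open = last is not None and last.resolved is None
        if value > self.threshold:
            self.breach_since = self.breach_since or ts
            # Duration: the breach must persist before the monitor fires.
            if not is_open and ts - self.breach_since >= self.duration:
                # Assumption: the 24 h window is measured from the last trigger.
                if last and ts - last.last_trigger < REOPEN_WINDOW:
                    last.resolved, last.last_trigger = None, ts  # reopen, keep start
                else:
                    self.alerts.append(Alert(started=ts, last_trigger=ts))
        else:
            self.breach_since = None
            if is_open and self.auto_resolve:
                last.resolved = ts    # auto-resolve once the condition clears

def demo(auto_resolve: bool = True) -> List[Alert]:
    """Replay constructed (timestamp, CPU %) samples through a 90 % / 5 min monitor."""
    t = lambda day, hh, mm: datetime(2024, 1, day, hh, mm)
    samples = [
        (t(1, 0, 0), 95), (t(1, 0, 5), 96),    # sustained 5 min -> alert opens 00:05
        (t(1, 0, 10), 40),                     # condition clears
        (t(1, 0, 20), 95), (t(1, 0, 22), 50),  # 2 min spike -> under Duration, no alert
        (t(1, 2, 0), 97), (t(1, 2, 5), 97),    # fires again 2 h later -> same alert reopens
        (t(1, 2, 10), 30),
        (t(2, 3, 0), 99), (t(2, 3, 5), 99),    # 25 h after last trigger -> fresh alert
    ]
    monitor = MonitorModel(90, timedelta(minutes=5), auto_resolve)
    for ts, value in samples:
        monitor.observe(ts, value)
    return monitor.alerts
```

With auto-resolve off, the same samples leave a single alert open from 00:05, which is the pile-up the best-practices list describes.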






