Process Monitor

Introduction

Alert when a specific process starts or stops on a device. The Process monitor watches for a named process by exact name and fires when the condition you've configured is met — whether that's a critical process going missing or an unauthorized process appearing.


Process Monitor

Level checks whether the named process is running on covered devices. When the condition you've set (running or not running) is detected and sustained for your breach duration, an alert fires.

Two use cases drive most configurations: watching for a required process that should always be running (antivirus, backup agent, line-of-business app), and watching for a process that shouldn't be running (unauthorized software, known malware process names).


Configuring Process Monitor

Open the target monitor policy, then add or edit a Process monitor. The Edit monitor panel opens on the right.

Name and Type

  1. Enter a name in the Name field. Including the process name helps — "CrowdStrike Agent Not Running" is more useful in an alert list than "Process Monitor."

  2. Set Type to Process.

Severity

Set Severity based on how critical the process condition is:

  • Information

  • Warning

  • Critical

  • Emergency

Operating System

Select the OS the target process runs on: Windows, macOS, or Linux. Process names vary by platform — a Windows executable won't match a Linux process name, so this scopes the monitor correctly.

Process Name

Enter the exact process name in the Process name field. The name must match precisely — Level uses an exact string match, not a partial or wildcard search.

⚠️ WARNING: The process name must be exact. On Windows, include the .exe extension if that's how the process appears in Task Manager (e.g., notepad.exe). On Linux and macOS, use the process name as it appears in your process list — no extension.

💡 TIP: Not sure of the exact process name? Open the device in Level, go to Manage → Processes, and find the process in the list. The name shown in the Process Name column is what to enter here.

Trigger

Trigger sets the condition that fires the alert:

  • Is not running — alert when the process isn't found on the device

  • Is running — alert when the process is detected on the device

Breach Duration

Breach duration sets how long the condition must be sustained before Level creates an alert. Adjust using the slider or up/down arrows. Range is 0–120 minutes.

💡 TIP: A short breach duration (1–2 minutes) works well for "Is not running" monitors on critical processes — you want to know quickly if an antivirus agent goes missing.

Auto-Resolve

Auto-resolve alert if it is no longer applicable is disabled by default for Process monitors. Enable it if you want alerts to close automatically when the condition clears (e.g., the missing process comes back online). Leave it off if you want the alert to persist for manual review regardless.
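The settings above (exact process name, trigger, breach duration, auto-resolve) can be modelled in a few lines to see how they interact. This is an added example, not Level's code: the one-sample-per-minute polling, case-sensitive comparison, event names, and the process names `ExampleAV.exe` and `unwanted-tool.exe` are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcessMonitor:
    process_name: str           # compared by exact string match
    trigger: str                # "is_running" or "is_not_running"
    breach_minutes: int         # 0-120 on the page
    auto_resolve: bool = False  # off by default for Process monitors

def evaluate(monitor, samples):
    """Replay (minute, running_names) samples; return (minute, event) pairs."""
    events, breach_start, alert_open = [], None, False
    for minute, names in samples:
        running = monitor.process_name in names  # no partial or wildcard match
        breached = running if monitor.trigger == "is_running" else not running
        if not breached:
            breach_start = None                  # condition cleared: restart the clock
            if alert_open and monitor.auto_resolve:
                alert_open = False
                events.append((minute, "alert_resolved"))
            continue
        if breach_start is None:
            breach_start = minute
        if not alert_open and minute - breach_start >= monitor.breach_minutes:
            alert_open = True
            events.append((minute, "alert_created"))
    return events

# Constructed samples: one process snapshot per minute from a Windows device.
# ExampleAV.exe and unwanted-tool.exe are hypothetical process names.
BASE = {"explorer.exe"}
SAMPLES = [
    (0, BASE | {"ExampleAV.exe"}),
    (1, BASE),                                   # agent restarts: 1-minute gap
    (2, BASE | {"ExampleAV.exe"}),
    (3, BASE | {"unwanted-tool.exe"}),           # agent gone, unwanted tool up
    (4, BASE | {"unwanted-tool.exe"}),
    (5, BASE | {"unwanted-tool.exe"}),
    (6, BASE | {"ExampleAV.exe", "unwanted-tool.exe"}),  # agent back
]

def run_examples():
    required = ProcessMonitor("ExampleAV.exe", "is_not_running", 2, True)
    blocked = ProcessMonitor("unwanted-tool.exe", "is_running", 0)
    no_ext = ProcessMonitor("unwanted-tool", "is_running", 0)  # missing .exe
    return {name: evaluate(m, SAMPLES) for name, m in
            [("required", required), ("blocked", blocked), ("no_ext", no_ext)]}

if __name__ == "__main__":
    for name, events in run_examples().items():
        print(name, events)
```

In this model the one-minute restart gap at minute 1 never reaches the two-minute breach duration, so only the sustained outage alerts. The monitor entered without `.exe` produces no events at all, which is the silent failure the exact-match warning is about.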


Remediation

Attach one or more automations to run when this monitor fires — restart a stopped process, kill an unauthorized one, or notify your team.

  1. Click in the Remediation field and select an automation.

  2. To add more, click + Add another remediation.

  3. To remove one, click the × next to it.

ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.


Notifications

  • Send notifications on alert creation — policy recipients get an email when the alert fires

  • Send notifications on alert resolution — policy recipients get an email when the alert resolves

Both toggles are off by default. Recipients are managed at the monitor policy level, in the Recipients section.

Saving the Monitor

Click Add monitor to save a new monitor, or Update monitor to save changes to an existing one.


Frequently Asked Questions

  • Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.

  • Why isn't my process monitor firing even though the process isn't running? Check that the process name is entered exactly as it appears on the device — including .exe on Windows if applicable. Also confirm the device is covered by the policy's target tags and that the breach duration has elapsed.

  • Should I use the Process monitor or the Service monitor for Windows background tasks? If the background task runs as a Windows service, use the Service monitor — it's designed for that and has the added option to automatically restart stopped services. Use the Process monitor for applications that don't run as a service.

  • Can I monitor the same process across different operating systems? Not in a single monitor — each Process monitor is scoped to one OS. Create a separate monitor per OS if you need cross-platform coverage of the same application.

  • What happens to open process alerts if I delete the monitor? Existing alerts remain in place. Deleting a monitor doesn't close alerts it already created — resolve those manually.
