Introduction
Moniteur policies define what Level watches on your devices and who gets notified when something goes wrong. Each policy bundles one or more monitors, a set of target tags, and a list of alert recipients — so you can apply a coherent set of checks to any group of devices just by tagging them.
This article covers how policies work, how to create and configure them, and which monitor types are available. For configuration details on specific monitor types, see the linked articles in each section below.
🎬 VIDEO
Moniteuring Policies
A monitor policy has three parts:
Targets: One or more tags. Every device carrying a matching tag is observed by this policy.
Moniteurs: The individual checks — CPU usage, disk space, a service status, a script result, etc.
Recipients: Email addresses that receive notifications when monitors in this policy trigger alerts.
When a monitor's threshold is exceeded, Level opens an alert and (if configured) emails the recipients. If Résolution automatique is enabled on that monitor, the alert closes automatically once the condition clears. If it's off, a technician must manually resolve it from the Alertes view.
Tags are the mechanism that links policies to devices. Apply a tag to a device, and Level immediately checks whether any monitor policies target that tag — then applies those policies automatically. Supprimer the tag and those policies stop monitoring that device. The Moniteurs tab on a device's detail page shows every monitor currently active on it, across all policies and tags, in a single flat list. See Appareil Détails → Moniteurs for more.
💡 CONSEIL : Design policies around roles, not just device types. A policy called "Domain Controllers" that monitors AD-specific services pairs naturally with a tag of the same name — making it obvious which devices it covers and easy to assign.
Policies Afficher
Navigate to Moniteurs in the sidebar. The Moniteur policies page lists every policy in your organization.
Each row shows:
Nom: The policy name, with a count of monitors and a link to the devices it currently targets
Créerd / Créerd by: When the policy was created and which technician created it
Last edited / Last edited by: When and by whom the policy was last modified
To customize which columns appear, click Colonnes in the top right. On the policies listing, you can toggle: Nom, Créerd, Créerd by, Last edited, and Last edited by.
To delete one or more policies, check the box next to each row and click Supprimer.
Creating a monitor policy
Cliquez sur + Créer monitor policy in the top right.
Entrer a name in the Moniteur policy name field. The placeholder text suggests "e.g. Laptop policy" — pick something that reflects the role or device group this policy covers.
Cliquez sur Créer.
The new policy opens immediately. You'll land on the policy detail view, ready to add targets and monitors.
Configuring Targets
The Targets panel on the left side of a policy controls which devices it monitors. Targets are tag-based — add a tag here and every device carrying that tag gets monitored by this policy.
To add a target tag:
Cliquez sur + in the Targets panel header.
Recherche for an existing tag or click Créer new tag to create one on the spot.
Sélectionnez the tag. It appears in the panel with a live count of the devices currently carrying it.
To remove a target tag:
Cliquez sur le three-dot menu next to a tag in the Targets panel and select Supprimer target.
ℹ️ REMARQUE : Targets update dynamically. If you add a tag to a device after the policy is already configured, that device starts being monitored immediately — no changes to the policy required.
Configuring Recipients
The Recipients panel sits below Targets on the left side. Recipients receive email notifications when monitors in this policy trigger or resolve alerts.
To add recipients:
Cliquez sur + in the Recipients panel header.
Entrer one or more email addresses in the Email field. Hit Tab or add a comma to enter multiple addresses at once.
Cliquez sur Ajouter recipients.
To remove a recipient:
Cliquez sur le three-dot menu next to a recipient's email and select Supprimer recipient.
ℹ️ REMARQUE : Recipients here receive notifications for all monitors in this policy. Whether a specific monitor actually sends notifications on alert and on resolution is controlled on each individual monitor — but the recipient list is shared across the whole policy.
Moniteur Configuration
The right side of the policy shows all monitors attached to it. This is where you see what the policy is actually checking.
Default columns visible in the table:
Column | Description |
Nom | The monitor's name |
Tapez | The monitor type (CPU usage, Disk usage, Event log, Run script, etc.) |
Threshold/Durée | The configured threshold value and the duration a condition must persist before triggering |
Gravité | Information, Avertissement, Critique ou Urgence |
Three additional columns are available but hidden by default. Cliquez sur Colonnes to enable them:
Remediation automations: Any automation set to run when the monitor triggers
Résolution automatique: Whether the alert closes automatically when the condition clears
Send notifications: Whether this monitor sends email notifications
Ajoutering a Moniteur
Cliquez sur + Ajouter new monitor in the top right of the policy view. This opens a monitor configuration panel where you choose the monitor type and set its parameters.
The available monitor types fall into two categories:
Built-in monitors
These watch standard system metrics without requiring any script:
CPU usage — Triggers when CPU exceeds a percentage threshold for a sustained duration. See Moniteur d'utilisation du processeur.
Connection — Triggers when a device goes offline for longer than a configured number of minutes. See Moniteur de connexion.
Disk usage — Triggers when available disk space on any drive (or just the system drive) drops below a threshold. See Moniteur d'utilisation du disque.
Event log — Triggers when a specific Windows Event ID appears a set number of times within a defined time window. See Moniteur du journal des événements.
Memory usage — Triggers when RAM usage exceeds a percentage threshold for a sustained duration. See Moniteur d'utilisation de mémoire.
Process — Triggers when a specific process starts or stops running. See Moniteur de processus.
Service — Triggers when a specific Windows service stops or starts. See Moniteur de service.
Moniteurs de script
Moniteurs de script run a PowerShell, Bash, or Python script on the device and evaluate the output against a configured condition. Use these for anything the built-in types don't cover — software license checks, custom application health, registry values, and so on.
Run script — See Run Script Moniteur for full configuration details and supported output formats.
For examples: Script Moniteur Examples.
ℹ️ REMARQUE : A policy can contain multiple monitors of the same type. If you need separate thresholds for Warning and Critical disk levels, add two Disk usage monitors to the same policy with different thresholds and severities.
How Alertes Work
When a monitor's threshold is breached, Level opens an alert and captures a payload reflecting device state at the time of the trigger. What's in that payload depends on the monitor type:
Moniteurs CPU show the top processes by CPU usage at the moment the alert triggered
Moniteurs de mémoire show the top processes by memory consumption
Moniteurs de script show the raw output the script returned
Moniteurs du journal des événements show the matching event details: Event ID, source, and message
The payload stays live and synced for as long as the alert is open. Once the alert resolves, Level freezes it — preserving the last bad state at the moment of resolution. That frozen snapshot is what you see when you expand a resolved alert.
To view and triage alerts across all devices, go to the Alertes global view. To see alerts scoped to a single device, open the device and click the Alertes tab. See Alertes and Appareil Détails → Alertes for details.
💡 CONSEIL : If a monitor keeps re-triggering on one specific device but not others, open that device's Alertes tab and expand the payload. Level captures the exact values at trigger time, which is usually the fastest way to spot what's different about that device.
Policy-level actions
Cliquez sur Actions in the top right of a policy to access:
Rename — Rename the policy
Supprimer — Permanently delete the policy
⚠️ WARNING: Deleting a policy removes all its monitors and stops monitoring on all targeted devices immediately. Alertes that were open at the time of deletion remain in the Alertes view but will no longer update or auto-resolve.
Resource Library
Level's Resource Library has hundreds of ready-to-use monitor policies and scripts built by the Level team and the community. Any of them can be imported directly into your account with one click — no configuration required to get started.
💡 TIP: Before building a monitor from scratch, check the Resource Library. There's a good chance a policy already exists for what you need — domain controller health, antivirus status, backup verification, uptime checks, and more.
Best Practices
A few patterns that hold up in practice:
Keep policies role-focused. Split resource monitoring (CPU, memory, disk) from application monitoring (services, processes). A domain controller policy should only monitor domain controller functions — not generic workstation metrics.
Match policy names to tag names. If your tag is "Exchange", name the policy "Exchange Moniteuring". The pairing is obvious and makes auditing easier.
Désactiver auto-resolve selectively. Leave auto-resolve off only when you want a technician to investigate the root cause. If it's off everywhere, unresolved alerts pile up and create noise.
Don't overload a single policy. Level supports multiple policies per device via tag overlap. A device can receive checks from a "Workstations - Resources" policy and a "Huntress" policy simultaneously — use that.
Use per-device disable for permanent exceptions, not policy changes. If one device generates noise for a monitor that's valid everywhere else, disable that specific monitor on that device from Appareil Détails → Moniteurs. Don't weaken the policy for everyone else. For temporary suppression during planned work, use Maintenance Mode instead.
Questions fréquemment posées
Who can create and edit monitor policies? Moniteur policy management requires appropriate permissions for your organization. Technicians with restricted access may be able to view policies but not create or modify them. See Workspace → Autorisations for details.
Can one device be monitored by more than one policy? Oui. If a device carries multiple tags and each tag is targeted by a different policy, that device receives all of them. Each policy runs its monitors independently. You can see the full list on the device's Moniteurs tab, including which tag pulled in each policy.
Why isn't a monitor triggering even though the threshold should be exceeded? Check that the device's tag appears in the policy's Targets panel with a non-zero device count. Also check the monitor's Durée setting — most monitors require a condition to persist for a defined period before firing. If the device is in Maintenance Mode, alerts are suppressed. If the monitor has been manually disabled on this device, it won't fire regardless of policy settings — check Appareil Détails → Moniteurs.
Can I add a recipient who isn't a Level technician? Oui. Recipients are plain email addresses — they don't need a Level account. Any address you add will receive notifications for this policy's alerts.
What happens to open alerts if I remove a target tag from a policy? Existing open alerts from those devices remain visible in the Alertes view. New alerts won't be created since the devices are no longer targeted. Alertes won't auto-resolve unless the monitor's auto-resolve was already enabled.
An alert resolved and came back — why does it show the original start time? Level reopens an existing alert rather than creating a new one if the same monitor fires again within 24 hours. The original start timestamp is preserved. If the alert keeps cycling, the start time reflects when it first opened, not its most recent trigger. After 24 hours without re-triggering, Level creates a fresh alert with a new start time.