Monitors - New UI

SECURITY Refer to Sites > Monitor in Permissions.
NAVIGATION New UI > Policies > Monitoring > click the name of a policy > Add Monitor
NAVIGATION New UI > Policies > All > click the name of a Monitoring policy > Add Monitor
NAVIGATION New UI > Global > Policies > click the name of a Monitoring policy > Add Monitor
NAVIGATION New UI > Sites > All Sites > click the name of a site > Policies (left navigation menu) > click the name of a Monitoring policy > Add Monitor
NAVIGATION New UI > Device Summary page > Monitors card > Create a Monitor. To view the various navigation paths you can use to access the Device Summary page, refer to Device Summary - New UI.
NAVIGATION The Threat Detection monitor is only available as part of an Endpoint Security policy. Refer to Datto EDR in Endpoint Security policy.
NAVIGATION The Windows Defender Antivirus monitor is only available as part of an Endpoint Security policy. Refer to Managed Windows Defender Antivirus in Endpoint Security policy.
About monitors
Monitors can keep track of a variety of attributes, processes, settings, statuses, events, and much more. They can raise an alert when the device they are deployed to is not operating within specified parameters.

You can create and manage the following monitor types in the New UI:
- Antivirus Status monitor
- Component monitor
- CPU monitor
- Datto Continuity monitor
- Disk Usage monitor
- ESXi Data Store monitor
- ESXi Disk Health monitor
- ESXi Fan monitor
- ESXi PSU monitor
- ESXi Temperature monitor
- Event Log monitor
- File/Folder Size monitor
- Memory monitor
- Online Status monitor
- Patch monitor
- Ping monitor
- Process monitor
- Ransomware monitor
- Service monitor
- SNMP monitor
- SNMP Throughput monitor
- Software monitor
- Threat Detection monitor
- Windows Defender Antivirus monitor
- Windows Performance monitor
- WMI monitor
Further monitor types are available in the legacy UI. Refer to Monitor types and categories.
Creating a monitor
To create a monitor, follow any of the navigation paths described in Security and navigation.

- In the Monitor Type section, click Select.
- In the Select a Monitor pane, use the search bar to search for a monitor type or scroll down in the list. Click Select to specify the monitor type.
- Once the monitor type has been selected, you can configure the monitor criteria. To choose a different monitor type, click Change Monitor Type and modify your selection.


The Datto RMM Agent can be instructed to alert when no antivirus product is detected or it has a certain status (for example, Not running). For information on which antivirus products are detected by Datto RMM, refer to Antivirus detection.
Supported operating systems/device types in the New UI: Windows, macOS, Linux.
Configure the following criteria:
Field | Description |
---|---|
Antivirus status is found to be | Select the antivirus status you want to monitor: • Not Detected • Not Running • Running And Not Up To Date |
For a period of (minutes) | Specify for how long the device's antivirus status needs to be in this state before an alert is raised (1-240 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

Component monitors are scripts that regularly run on your devices and raise an alert if a specific condition is met. You can find and download a number of pre-configured component monitors from the ComStore covering antivirus packages, backup systems, CPU temperature, predicted hard drive failures, etc. Refer to Download a component in the legacy UI and Download a component in the New UI. When one of these components is run on a device, it will raise an alert if an issue occurs. You can also create and add your own monitoring scripts to your Component Library if you need to be able to generate alerts based on specific requirements. To learn how to start writing and uploading these scripts to your account, refer to Create a custom component monitor.
Supported operating systems/device types in the New UI: Windows, macOS, Linux.
Configure the following criteria:
Field | Description |
---|---|
Select a Component Monitor | Click the Select a Component Monitor button to add a component from your Component Library. Use the search bar to search for a component or scroll down in the list, and click Select.![]() In order for a component to appear in this list, it first needs to be added to your Component Library by downloading it from the ComStore or by creating and adding your own custom component. Refer to Download a component in the legacy UI and Download a component in the New UI, and Create a custom component monitor. You will only be able to see components available to you based on your component level. Refer to Component Level. Once a component has been selected, you can configure any required variables. Variable value limit: 20,000 characters. ![]() To choose a different component, click Change Component Monitor and modify your selection. |
Execute the Component monitor every (minutes) | Specify how often the monitor should run. |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

There may be times when your device runs noticeably slower than usual. One reason may be the device's high CPU usage. It is normal to have high CPU usage occasionally but having it for a longer period of time might indicate hardware or software problems or may even be a sign of virus or malware infection. Monitoring your devices' CPU usage may help you proactively address further issues.
Supported operating systems/device types in the New UI: Windows, macOS, Linux, ESXi.
Configure the following criteria:
Field | Description |
---|---|
CPU usage on a device has reached | Specify what the CPU usage threshold should be (1-100%). |
For a period of (minutes) | Specify for how long the device's CPU usage needs to be above the threshold before an alert is raised (1-60 minutes). |
Check interval (minutes) | Specify the check interval (1-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

When this monitor is applied to a device that is protected by a Datto Continuity device, the Datto RMM Agent can alert you if the protected device experiences a backup failure on its Datto backup agent.
NOTE Make sure to enable the Datto Continuity Integration before configuring the monitor. Refer to Datto Continuity Integration.
Supported operating systems/device types in the New UI: devices protected by your Datto Continuity device.
Configure the following criteria:
Field | Description |
---|---|
Time frame | Specify the time frame to monitor for errors (1-48 hours). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |

Low disk space on a device can result in poor performance, application problems, and eventually user complaints when they cannot save any more data. If the available space on your hard drive drops below a certain threshold, the device may not be reliable anymore; therefore, it is important to be aware of any disk space issues.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
Drive and threshold | Select the drive you want to monitor and specify the disk space threshold that needs to be passed for an alert to be triggered (% used/GB used/ GB free). If you enter a percentage value, you can only use integers. NOTE If you select the option Any Drive and multiple drives are over the threshold, only one alert will be triggered for one of the drives. The Agent will not alert for each drive individually. NOTE Any Drive Disk Usage monitor will only show value for a drive that is closest to the threshold set within the monitor. Refer to Real-Time Monitoring Status in the legacy UI and Monitors in the New UI. |
Only apply for disks > GB | Select the check box to only apply the monitor to disks above a certain disk capacity and enter a value of GB. This option is useful if you want to exclude disks below a certain capacity (for example, USB sticks). |
Only apply to fixed drives | Select the check box to only apply the monitor to fixed drives. |
For a period of (minutes) | Specify for how long the device's disk usage needs to be in this state before an alert is raised (1-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

This monitor raises an alert if the available space in any of the datastores on an ESXi host drops below a certain threshold.
Supported operating systems/device types in the New UI: ESXi.
Configure the following criteria:
Field | Description |
---|---|
Usage of any datastore on an ESXi host has passed | Specify the threshold that needs to be passed for an alert to be triggered (%). You can only use integers. NOTE ESXi Data Store monitor will only show the datastore that is closest to the threshold set within the monitor. Refer to Real-Time Monitoring Status in the legacy UI and Monitors in the New UI. |
For a period of (minutes) | Specify for how long the datastore needs to be in this state before an alert is raised (0-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

This monitor raises an alert if any disk on any targeted device registers disk health or RAID errors. The monitor relies on the presence of CIM providers. ESXi servers must have CIM providers installed to provide the information this monitor requires. Devices that do not have CIM providers installed will not raise any alerts.
NOTE No alert is raised if the status of the monitored object is Unknown.
Supported operating systems/device types in the New UI: ESXi.
Configure the following criteria:
Field | Description |
---|---|
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |

This monitor raises an alert if the status of any fan unit on any targeted device is other than Normal.
NOTE No alert is raised if the status of the monitored object is Unknown.
Supported operating systems/device types in the New UI: ESXi.
Configure the following criteria:
Field | Description |
---|---|
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |

This monitor raises an alert if the status of any power supply on any targeted device is other than Normal.
NOTE No alert is raised if the status of the monitored object is Unknown.
Supported operating systems/device types in the New UI: ESXi.
Configure the following criteria:
Field | Description |
---|---|
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |

This monitor raises an alert if the temperature sensors on the ESXi host exceed a certain threshold.
Supported operating systems/device types in the New UI: ESXi.
Configure the following criteria:
Field | Description |
---|---|
Temperature sensors on host exceeds (°C) for (minutes) | Specify the temperature threshold that needs to be passed for an alert to be triggered (°C). Also specify for how long the temperature needs to be above the threshold before an alert is raised (0-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

The Windows event log is a rich source of information about the health and status of the devices you manage and support. A large number of operating system features as well as the applications that are running on the device will write to the event log when they encounter problems. You can see events like virus infections, backup status, or even pending hardware failures by looking at specific event log entries. The Datto RMM Agent can query the Windows Event Viewer for diagnostic information, monitor the event logs, and raise an alert whenever the entries you are interested in are created.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
An event in | Enter an Event Log Name. This is displayed as Log Name in Windows Event Viewer (for example, Application, System, etc.). As you start typing, you will see a list of matching items to choose from. |
... raised by | Enter an Event Source Name. This is displayed as Source in Windows Event Viewer (for example, Service Control Manager). As you start typing, you will see a list of matching items to choose from. The list is based on audit data. If a value is not appearing in the list, it has not yet been submitted by the device; however, you can still enter the value manually. You can also use the % wildcard character if you do not know the exact name or would like to search for multiple names (for example, %service% would alert for Service Control Manager as well as for Time-Service). The wildcard character search is not case-sensitive, but a space next to % will change the result (for example, % service will not alert for Time-Service, but it will alert for Disk Service). Do not use quote marks when entering an Event Source Name. NOTE Windows operational logs have a specific syntax for Log Name and Source. To obtain the correct Log Name and Source for a specific operational log entry, run the command wevtutil qe Application-Name-Here/Operational /c:1 /f:text /rd:true on the device exhibiting a log entry you wish to search for. The output data can be used to create an Event Log monitor definition. |
... and matching (fill in at least one of these fields) |
Event codes
Enter one or more event codes separated by a space. For example: 1 56 431. Event codes are displayed as Event IDs in Windows Event Viewer. The monitor will alert if any of the event codes entered here is seen in the event log. The query operates on the basis of equals and not contains. For example, a monitor for the event code 44 will only alert for that event code and not for 440. Additionally, use a minus sign in front of an event code to exclude that event from the monitor. (For example, if you set -44 as the event code, the Agent will alert for all event codes except for 44.) Here are a few examples of important Event IDs that might be logged to your device's event log if something goes wrong: • 6008: Unexpected shutdown. Refer to Microsoft Support. • 51: Error writing to disk. It may be worth taking a look as the hard drive may be coming to an end. Refer to Microsoft Support. • 17052: SQL error. This is a catch-all SQL error, which will allow you to see where you've got database problems that need investigating. • 13568: Journal wrap error. Refer to Microsoft Support. • 5 or 32: Almost every antivirus software will write to the event log when it finds an infection. These are the event codes for Symantec AV and Sophos, but the documentation for the antivirus software you're using should contain the information you need to monitor for, allowing you to see infection incidents before they become wide-scale outbreaks. NOTE You can also monitor built-in Windows backups using an Event Log monitor. |
Event types
Select one or more of the following event types: • Critical • Error • Warning • Information • Verbose |
|
Event descriptions
Enter one or more words, or phrases enclosed in quotation marks, of which at least one should be present in the event message body. Use a minus sign in front of a word or a phrase to indicate that it should not be present in the message body (for example, "backup failed" -partial). Use a space between the event descriptions to apply an "or" condition (for example, enter failed error to raise an alert if the event log entry contains either failed or error [or both]). Use a wildcard character to check the start/part/end of a description (for example, "starts with%", "%contains%", or "%ends with"). If an event description has text within quotation marks (for example: "Home PC") and you want to get an alert based on the information within the quotation marks, you need to add quotation marks around the quotation marks (for example: ""Home PC""). |
|
Raised/not raised for a period of (minutes) | Select whether you want to be alerted when an event is raised or not raised. Also specify the number of times this should occur within a certain time frame (maximum value: 5999 minutes) for the alert to be created. NOTE The Datto RMM Agent is able to detect events logged up to 10 minutes before the Datto RMM Agent Process starts. |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto-resolution | Select the check box to configure the auto-resolution details. If the event specified here is seen in the event log, the alert will be auto-resolved. The monitor will then be reset allowing further alerts to be raised. See above for more information about the following: • Event Source Name • Event codes • Event types • Event descriptions • Raised/not raised for a period of (minutes) Refer to Best practices for Windows event log monitoring to learn more about auto-resolution use cases. |
Event log alert de-duplication
- For an Event Log monitor, a total of 5 alerts can be raised per device within 12 hours. When the fifth alert has been reached, the trigger count will be incremented by one on the last alert. For example, when alert #6 would be raised, the trigger count on alert #5 will display 2 in the Alert Information window in the legacy UI and in the Timeline card in the New UI. The trigger count will keep rising for any subsequent alerts. To learn how to view the Alert Information window in the legacy UI, refer to View and act on alert information. To learn how to view the Timeline card in the New UI, refer to Timeline.
- If an Event Log monitor assigned to a device triggers excessively (over 100 times in 24 hours), the Global monitor alert rate limit will take effect.

At times you may find that opening certain files or folders takes too much time and your device slows down or even freezes. In these cases, it is worth checking the size of the files or folders. Keeping your system organized will help you prevent an overflow of data and may also prevent you from running out of disk space.
Supported operating systems/device types in the New UI: Windows, macOS, Linux.
Configure the following criteria:
Field | Description |
---|---|
Full path to file/folder | Select whether you want to monitor a file or a folder and enter its full path. |
Is below/over (MB) | Select whether the size of the file or folder should be below or over a certain threshold that you specify. |
For a period of (minutes) | Specify for how long the file or folder needs to be in this state before an alert is raised (1-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

There may be times when your device gets slower than usual, it freezes or fails to start certain programs, or it even restarts while you are working on it. One reason may be the device's high memory usage. Monitoring your device's memory performance may help you proactively address further issues.
Supported operating systems/device types in the New UI: Windows, macOS, Linux, ESXi.
Configure the following criteria:
Field | Description |
---|---|
Memory usage on a device has reached | Specify what the memory usage threshold should be (1-100%). |
For a period of (minutes) | Specify for how long the device's memory usage needs to be above the threshold before an alert is raised (1-60 minutes). |
Check interval (minutes) | Specify the check interval (1-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

A device with a Datto RMM Agent installed normally checks in with the Web Portal every 90 seconds. If it does not (for example, due to a power or network outage), Datto RMM will see this device as offline. This is particularly useful for servers since they should never go offline without you knowing. In the case of ESXi servers, the monitor waits for the device to come online first. If the device is already online, monitoring will start immediately. If the device is offline, the monitor will only start monitoring the device once it has come online and then gone back offline. Every Network Node device will try to contact the ESXi host to see if it responds.
Supported operating systems/device types in the New UI: Windows, macOS, Linux, network devices, printers, Datto Continuity devices, ESXi.
Configure the following criteria:
Field | Description |
---|---|
Offline/online status | Select whether you want to be alerted when the device goes offline or comes online, and specify for how long the device needs to be in either of these states before an alert is raised. Enter any integer (maximum value: 43200 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |
NOTE An Online Status monitor prioritizes monitor configurations with an alert threshold and auto-resolution time set to 15 minutes or less.

If you are using Datto RMM's Patch Management, create a Patch monitor to get alerts on failed patch installations. This eliminates the need to manually check if patch installations have gone through.
The monitor raises an alert when the device fails to install any patches as part of a Datto RMM Patch Management policy. Refer to Create a Patch Management policy in the legacy UI and Patch Management policy in the New UI. For example, if three out of four patches are installed during the patch window as part of the policy, an alert will be triggered since the fourth patch was not installed. Refer to Patch Management in Device Summary - New UI for information about how to review affected patches.
NOTE The monitor does not automatically resolve alerts. Alerts must be resolved manually.
Supported operating systems/device types in the New UI: Windows.

Internet Control Message Protocol (ICMP), or more commonly called Ping, is a great tool to detect and analyze network problems or to check if a device is still online. The Datto RMM Agent can send regular ICMP packets outward to another device and measure latency, packet loss, and the online status of that remote device.
Supported operating systems/device types in the New UI: Windows, macOS, Linux.
Configure the following criteria:
Field | Description |
---|---|
IP address/Hostname | Select whether you want to monitor the IP address or the hostname of the device and enter it accordingly. |
Send ping packets | Select how many ping packets should be sent to the device (1-40). |
Check interval (minutes) | Specify the check interval (1-120 minutes). |
Alert when host unreachable for (minutes) | Select this check box to raise an alert when the device is unreachable for a certain amount of time (1-120 minutes). |
Alert when % packets are lost | Select this check box to raise an alert when a certain percentage of ping packets are lost (5-95%). NOTE The packet loss configuration only alerts if the monitored device is reachable but experiences a degree of packet loss. If you look to alert for the host being completely unreachable, the Alert when host unreachable for (minutes) option needs to be configured. |
Alert when average roundtrip takes longer than (milliseconds) | Select this check box to raise an alert when the average roundtrip takes longer than a certain amount of time that you specify. |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

There may be times when you would want to prevent end users from being able to use certain programs on their devices (for example, torrent software). Too many unnecessary or unwanted processes can slow down the device, so being able to control the processes that run in the background may help you to improve overall system performance.
Supported operating systems/device types in the New UI: Windows, macOS, Linux.
Configure the following criteria:
Field | Description |
---|---|
The process |
Enter the Process name. As you start typing, you will see a list of matching items to choose from. IMPORTANT If the process name contains one or more spaces (for example, Reference 4 Systemwide.exe) and the .exe filename extension is included in the entry for this field, the monitor will not function. As a general rule, we recommend entering the process name exactly as it automatically populates from the list of matching items to choose from (that is, without .exe). Also specify when an alert should be raised. Choose any of the following options: NOTE In the Response details section, you can configure the monitor to stop the process if it triggers an alert. Refer to Process monitor only. |
For a period of (minutes) | Specify for how long the process needs to be in this state before an alert is raised (1-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

NOTE For general information about Ransomware Detection in Datto RMM, refer to Ransomware Detection.
NOTE The Ransomware monitor requires a license. Refer to Add Ransomware Detection licenses.
The Datto RMM Agent can monitor for ransomware that has been detected on a device. You can also configure an automatic response to isolate the device from the network once ransomware has been detected, and you can have the Agent attempt to stop suspected ransomware processes.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
Any local drive | An alert will be triggered if ransomware is detected in the system drive. Additionally, you can also select one of the following locations: • Any local drive: Select the check box to monitor any local drive. Network drives, removable drives, and USB mass storage devices are excluded from being monitored. • Additional paths: Enter a path to be monitored. Network drives, removable drives, and USB mass storage devices are not recommended to be added. To add another path, click the plus sign. To remove a path, click the minus sign. Make sure there is no empty row in this section before saving the monitor. NOTE In the Response details section, you can configure the monitor to isolate the device from the network if ransomware is found and attempt to stop suspected ransomware processes. Refer to Ransomware monitor only. NOTE Device isolation can be reverted by running the Revert Device Isolation [WIN] component available in the ComStore. This will revert any isolation that has occurred on a device and return its ability to contact the Internet and other devices on the network. Refer to Download a component in the legacy UI and Download a component in the New UI. |
Additional paths | |
Exclude the following file extensions | Enter a file extension that you want to exclude. To add another file extension, click the plus sign. To remove a file extension, click the minus sign. Make sure there is no empty row in this section before saving the monitor. |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
NOTE The Ransomware monitor will raise an alert as soon as the Agent detects ransomware on a device. This is to notify the platform of ransomware; however, the alert will not contain diagnostic information. The monitor will then raise another alert with diagnostic information, and the Agent will resolve the first alert. You will see two alerts in the legacy UI (where the first alert will be shown as resolved by the Agent), whereas the New UI will only display one alert with diagnostic information. Refer to the Timeline card in Single Alert View - New UI.
In some scenarios, it is possible that only one alert is raised (either with or without diagnostic information).
NOTE If multiple Ransomware monitors are configured for a device and ransomware is detected, each monitor will raise an alert. However, diagnostic actions, such as collecting log files, stopping processes, isolating the device from the network, or running a response component, will only be performed once against the initial monitor. This means that only the initial monitor will contain text in the diagnostic information section of the alert Timeline card.
When the diagnostic actions have been performed, the monitor can be reset by restarting the Agent, updating the monitor configuration, or resolving the alert.

Services are applications that operate in the background on your device, and while some of them are useful and necessary for the optimal running of a device, you may not need others. To ensure that critical services such as Windows Server Update Services (WSUS) or Exchange are running on your device, the Datto RMM Agent can be instructed to monitor these services.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
The service | Enter the Service name. As you start typing, you will see a list of matching items to choose from. Also specify when an alert should be raised. Choose any of the following options: • The service is Running or Stopped. • The service has reached a certain CPU or Memory usage (0-100%). NOTE In the Response details section, you can configure options specific to Service monitor. Refer to Service monitor only. |
For a period of (minutes) | Specify for how long the service needs to be in this state before an alert is raised (1-60 minutes). |
After the machine has booted | Specify the startup delay (immediately - 60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

An SNMP monitor allows you to monitor SNMP value changes on any Managed device (both network devices and devices with an Agent installed). The SNMP checks are done by an assigned Network Node, and an alert is generated when the SNMP alert conditions are met.
NOTE Datto RMM only supports SNMP polling. SNMP traps are not supported.
Supported operating systems/device types in the New UI: Windows, macOS, Linux, network devices, printers.
NOTE This guide assumes that you know the SNMP Object Identifiers (OIDs) that you want to monitor and the thresholds (values) that you want to monitor for. For some general information on SNMP terminology, refer to SNMP background information and terminology.
Configure the following criteria:

This monitor allows you to see whether your network hardware is overworked or if your networks could support more strenuous action. It monitors the bandwidth consumption of the network devices' internal or external interfaces using the OIDs in the IF-MIB. This monitor is useful to detect periods of increased network load.
Supported operating systems/device types in the New UI: network devices, printers.
Configure the following criteria:
Field | Description |
---|---|
Interface number | Enter an interface number (maximum value: 3 digits). |
Check interval (minutes) | Specify the check interval (5-120 minutes). |
Check interface usage | Select the interface usage you want to monitor: • incoming • outgoing • total |
Alert when the average value of the last check(s) is (Mbps) | Specify the number of checks (1-10) and select any of the following qualifiers: • equal to • not equal to • less than • less than or equal to • greater than • greater than or equal to Enter a value next to the selected qualifier (Mbps). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

The Datto RMM Agent can monitor whether a certain software application has been installed or uninstalled on your endpoints, or if it has changed version.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
After a software package matching | Enter the name of the software application you want to monitor. As you start typing, you will see a list of matching items to choose from. Use quotation marks for phrase match. You can also use the % wildcard character if you do not know the exact name or would like to search for multiple software applications. Also specify when an alert should be raised. Choose any of the following options: • The software application is installed. • The software application changes version. • The software application is uninstalled. |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
NOTE A Software monitor cannot alert on missing software but the following ComStore components can: Monitor if Application is not installed and Software Detection Monitor. To learn how to download a component from the ComStore and how to use it, refer to ComStore - New UI and Component Library - New UI.

NOTE The Threat Detection monitor is only available as part of an Endpoint Security policy. Refer to Datto EDR in Endpoint Security policy.
You can monitor for threat detection rules. If indicators of compromise are detected, the monitor will raise an Endpoint Security alert, and the alert message will contain the following text: Endpoint Security Threat detected on this device.
Supported operating systems/device types in the New UI: Windows, macOS, Linux.
Configure the following criteria:
Field | Description |
---|---|
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |

NOTE The Windows Defender Antivirus monitor is only available as part of an Endpoint Security policy. Refer to Managed Windows Defender Antivirus in Endpoint Security policy.
NOTE The Windows Defender Antivirus monitor is only supported on Windows 8.1 and above. On lower Windows versions, the Datto RMM Agent will not enforce any settings defined in the Endpoint Security policy and it will report back blank data.
You can monitor for active threats on a device and apply default remediation rules. These checks ensure that Windows Defender is able to respond to threats automatically, and that these actions can be reported on within Datto RMM. If an issue is found, the monitor will raise an Endpoint Security alert, and the alert message will contain the following text: Endpoint Security Threat (via Defender) detected on this device.
NOTE Tamper Protection is not monitored as part of the Windows Defender Antivirus monitor in Datto RMM; however, you can use the Windows Defender Tamper Protection Monitor [WIN] component from the ComStore to alert if Tamper Protection is disabled. Refer to Download a component.
Tamper Protection can also be monitored in Datto EDR. To learn about Microsoft Defender Antivirus with Datto EDR, refer to Using Microsoft Defender Antivirus with Datto EDR in the Datto EDR Online Help.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

This monitor allows you to generate alerts for any Windows Performance Counter, such as SQL Server cache hit ratio, Exchange email queues, or a system’s Disk Queue Length.
Supported operating systems/device types in the New UI: Windows.
Configure the following criteria:
Field | Description |
---|---|
Counter | Specify a counter in the form of \Category\Counter. For example: \Print Queue\Jobs. |
Instance | Specify an object type. For example: HP LaserJet Professional. |
Alert when performance result is | Select any of the following qualifiers: • equal to • not equal to • less than • less than or equal to • greater than • greater than or equal to Enter a value next to the selected qualifier. |
For a period of (minutes) | Specify for how long the device needs to be in this state before an alert is raised (1-60 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |

Windows Management Instrumentation (WMI) provides access to a lot of useful metrics on any Windows system. This monitor allows you to check specific WMI information on your devices.
Supported operating systems/device types in the New UI: Windows.
NOTE To use a WMI monitor on Windows Servers, they need to be able to get monitors on custom WMI values.
Configure the following criteria:
Field | Description |
---|---|
WMI namespace | Specify the WMI namespace. |
WMI query | Specify the WMI query. |
WMI property | Specify the WMI property. |
Result calculation (numeric values) | Select this check box to be able to perform a calculation on the result. Once the check box is selected, you can enter a mathematical operator (+ - * /) and any integer. For example, enter *4 to multiply the result by 4. Result calculations are not used to raise alerts. Alerts are raised from the original values. |
Result translation (text values) | Select this check box to be able to configure a key to translate the output into a more easily understood string. Once the check box is selected, you can enter a key. For example: 1=OK,2=Bad. Result translations are not used to raise alerts. Alerts are raised from the original values. NOTE Result translation can only be used to convert numerical responses to text strings. A text string cannot be translated to read a different text string. |
Display name | Enter a display name. It will appear in the description of the monitor on the Device > Monitor > Monitors page in the legacy UI and in the Device Summary > Monitors card in the New UI. |
Format Data as | Specify how to format the data. Select any of the following formats: • % • GB • MB • KB • bytes • days • hours • minutes • seconds • ms • ticks • C • F The selected format will be appended to the end of the data returned by the monitor. |
Alert when WMI calculated result is | Select any of the following qualifiers: • equal to • not equal to • less than • less than or equal to • greater than • greater than or equal to • contains • starts with • ends with Enter a value next to the selected qualifier. |
Alert when no results | Select this check box to have the monitor raise an alert when no result is returned. |
Check interval (minutes) | Specify the check interval (5-120 minutes). |
Raise an alert of priority | Choose the priority of the alert that will be raised: • Critical • High • Moderate • Low • Information |
Auto resolve the alert if it is no longer applicable | Configure the monitor to auto-resolve the alert if it's no longer triggered after a specified time frame (1 minute - 1 week). The monitor will then be reset, allowing further alerts to be raised. |
EXAMPLE You can try out the below configuration to monitor the health of your laptop's battery.
Configure the monitor the following way:
- WMI namespace: root\CIMV2
- WMI query: SELECT * FROM Win32_Battery
- WMI property: Status
- Display name: Battery Status
- Alert when WMI calculated result: not equal to OK

Configure a system response when a monitor alert is triggered by enabling any of the following options:


NOTE This option is only available for the Process monitor, and you can only select it if you chose "The process is Running or Stopped" option in the Process monitor's alert details. Refer to The process.
Attempt to kill the process if it triggers an alert: Select this check box to stop the process if it triggers an alert as per the criteria you specified in the monitor's alert details.

NOTE These options are only available for the Ransomware monitor.
- Isolate the device from the network: Selected by default. When selected, the device will be isolated from the network when ransomware is detected on the device. Note that the device will still be able to connect to Datto RMM and you will be able to connect to it using Web Remote.
NOTE When this option is selected, the Run a component option will become unavailable and any response component you have configured previously will be removed from the monitor.
NOTE The PowerShell script performing the device isolation is digitally signed and run using the AllSigned execution policy.
NOTE Device isolation can be reverted by running the Revert Device Isolation [WIN] component available in the ComStore. This will revert any isolation that has occurred on a device and return its ability to contact the Internet and other devices on the network. Refer to Download a component in the legacy UI and Download a component in the New UI.
- Attempt to kill suspected ransomware processes: Selected by default. When selected, suspected ransomware processes will be stopped when ransomware is detected on the device.

NOTE These options are only available for the Service monitor, and you can only select them if you chose "The service is Running or Stopped" option in the Service monitor's alert details. Refer to The service.
Select any of the following options:
- Attempt to take remedial action (start a stopped service or stop a running service): Select this check box to start or stop the service if it triggers an alert as per the criteria you specified in the monitor's alert details.
- Do not alert service stopped messages if the service has been disabled: Select this check box if you would not like to be alerted if the service has been disabled.

IMPORTANT This option is not available for ESXi devices. Response components do not function for Online Status monitors and Patch monitors.
Enable this option to run a specific component when the monitor raises an alert.
Once this option is turned on, you can add a component from your Component Library. You can filter components by category and component group using the filter icon, you can use the search bar to search for a component, or you can simply scroll down in the list, and then click Select.
The list includes all components of the categories Applications and Scripts. Refer to Component categories. You will only be able to see the components available to you based on your component level. Refer to Component Level. For information about component groups, refer to Manage component groups.
Once a component has been selected, you can configure any required variables.
Variable value limit: 20,000 characters.
To choose a different component, click Change Component and modify your selection.
A few notes to consider
-
A response component will only fire if there is not an alert already open.
-
When a component is run as a response component, its timeout setting is ignored. A response component will time out after a maximum of 60 minutes.
-
Gui.exe will not run if started in Session 0 by a custom component script that attempts to start this process in response to an alert.
- For a Ransomware monitor, the Run a component option will become unavailable and any response component you have configured previously will be removed from the monitor if the Isolate the device from the network check box is selected. Refer to Ransomware monitor only. Moreover, a component run in response to a ransomware alert will time out after a maximum of 60 seconds.

Enable this option to send an email to multiple recipients to inform them when the monitor raises an alert.
Field | Description |
---|---|
Subject line | Leave this field blank for a standard (automated) subject line or enter a custom subject line. You can include any of the following variables: • [hostname]: The hostname of the device. • [description]: The description of the device. • [os]: The operating system of the device. • [user-defined1-30]: User-defined field number. Refer to User-defined fields. • [lastuser]: The login name of the user that last logged in to the device. • [sitename]: The name of the site in which the device resides. • [category]: The category of the alert raised (for example, performance or event log). • [type]: The type of the alert raised (for example, memory or disk usage). • [alert]: The trigger details of the monitor that raised the alert. • [ipaddress]: The external IP address (public IP address) of the device. • [alertuid]: The alert ID. NOTE The Ticket Title field in Autotask has a limit of 255 characters. If your subject line exceeds this limit, it will be truncated in the ticket's Ticket Title field at 255 characters. NOTE The Ticket Summary field in ConnectWise PSA has a limit of 100 characters. If your subject line exceeds this limit, it will be truncated in the ticket's Ticket Summary field at 100 characters. |
Send email to | Select the check box Add default recipients to add the account's default email recipients to the Recipients section below. To update the default recipients, refer to Email Recipients in Account Settings (legacy UI), Email Recipients in Global Settings (New UI), and Email Recipients in Site Settings (legacy UI). |
Recipients | Click Add Additional Recipient to add another email recipient. Enter a name, an email address, and choose the correct email type (HTML, text, or both). To remove a recipient, click the minus sign. To add another recipient, click the plus sign. Make sure there is no empty row in this section before saving the monitor.![]() NOTE The email address field only accepts the following characters: a-z, A-Z, 0-9, @, and !#$%&'`*+-|/=?^_{}~. |

Refer to Webhooks.

Enable this option to create a ticket in a PSA tool that your RMM account is integrated with when the monitor raises an alert.
NOTE Tickets are entirely separate from alerts. If you would like to use monitors to raise tickets in an integrated PSA tool, make sure to enable this option. Alerts alone will not be able to synchronize with the PSA tool.
Autotask
NOTE You must have the Autotask Integration enabled for this option to be available. Refer to Autotask Integration.
Field | Description |
---|---|
Subject line | Select the check box to use the subject line configured in the Send an email section as the ticket title. (The subject line field below will appear grayed out.) Otherwise, leave the check box clear and add a subject line to customize the ticket title, or leave the subject line blank to apply a standard (automated) subject line as the ticket title. NOTE The Ticket Title field in Autotask has a limit of 255 characters. If your subject line exceeds this limit, it will be truncated in the ticket's Ticket Title field at 255 characters. |
Ticket details | Select the check box Use default to use the default settings of the monitor type as configured in the Autotask Integration. Refer to Configure ticket integration. (The subject line field below will appear grayed out.) If you don't want to use the default settings, leave the check box clear and select the required Source, Queue, Issue Type, Sub-Issue Type, and Work Type from the drop-down lists. The drop-down lists display the values that are currently active in Autotask. NOTE If the mapped device (that is, the Autotask configuration item) has a contact assigned in Autotask, that contact will be selected for the ticket by default. |
NOTE By default, tickets created from alerts are not assigned to any resource in Autotask.
NOTE Tickets will be assigned the AEM Alert ticket category in Autotask whether they are automatically generated by a monitor that was configured to create tickets or manually created from an alert raised by a monitor that was not configured to create tickets.
NOTE If a monitor is configured to create a ticket when an alert is raised but the device cannot get synchronized to Autotask (for example, the contract or contact of the Autotask configuration item is inactive, the device sync is switched off, etc.), Datto RMM will queue the device sync event and will attempt to create a ticket three times (every time a device sync is triggered, approximately once every minute). If the device fails to be synchronized within this time frame, a ticket will still be created for the corresponding Autotask company containing the device name and ID and a link to the device in Datto RMM. In case the Datto RMM site is no longer mapped to an Autotask company, a ticket will be created for the zero account.
NOTE If the ticket creation fails (for example, because of changes made to credentials, queues, categories, security settings, and so forth), a notification email will be sent to the email addresses set to receive alerts. If no email address listed under Setup > Account Settings > Email Recipients (legacy UI) or Setup > Global Settings > Email Recipients (New UI) has Alerts selected, then the failed ticket email will default to the email address configured under Setup > My Info > Account Email. Refer to Email Recipients in Account Settings (legacy UI) and Email Recipients in Global Settings (New UI). The notification email will specify the error message and the reason for the error.
ConnectWise PSA
NOTE You must have the ConnectWise PSA Integration enabled for this option to be available. Refer to ConnectWise PSA Integration.
Field | Description |
---|---|
Subject line | Select the check box to use the subject line configured in the Send an email section as the ticket title. (The subject line field below will appear grayed out.) Otherwise, leave the check box clear and add a subject line to customize the ticket title, or leave the subject line blank to apply a standard (automated) subject line as the ticket title. NOTE The Ticket Summary field in ConnectWise PSA has a limit of 100 characters. If your subject line exceeds this limit, it will be truncated in the ticket's Ticket Summary field at 100 characters. |
Ticket details | Select the check box Use default to use the default settings of the monitor type as configured in the ConnectWise PSA Integration. Refer to Map Datto RMM alerts to ConnectWise PSA tickets. (The subject line field below will appear grayed out.) If you don't want to use the default settings, clear the check box and select a Service Board (required), Type, Subtype, Open Status, and Closed Status from the drop-down lists. NOTE In order to select a Subtype, a Type must first be selected. |

Once you have configured the monitor details, click Add Monitor, then click OK to execute the action. Or, click Cancel to close out of the confirmation dialog box. Once the monitor has been created, you will be redirected to the Device Summary page.
Viewing and managing monitors

The monitor detail pane opens on the right side of the page and displays all details of the selected monitor.
Open the monitor detail pane in one of the following ways:
- On the Device Summary page, navigate to the Monitors card and click the description of a monitor. Refer to Monitors in Device Summary - New UI.
- In a list of alerts, click a link in the Monitor Type column. Refer to List of alerts.
- In the Overview card on the Single Alert View page, click the link in the Monitor Type field. Refer to Overview in Single Alert View - New UI.
NOTE The Threat Detection monitor is only available as part of an Endpoint Security policy. Refer to Datto EDR in Endpoint Security policy.
NOTE The Windows Defender Antivirus monitor is only available as part of an Endpoint Security policy. Refer to Managed Windows Defender Antivirus in Endpoint Security policy.
Field | Description |
---|---|
Monitor type | Refer to Monitor types. |
Edit | Only available for standalone monitors. Click Edit to update the monitor details. Refer to Editing a monitor. |
Delete | Only available for standalone monitors. The monitor will be deleted as soon as you click the Delete button. SNMP monitors: if a monitor has an instance, this action will delete the parent monitor. |
Enabled | Refer to Enable. |
Latest value and last reading | Refer to Latest Value. |
Latest 10 days of alerts | Refer to Latest 10 Days of Alerts. |
Policy | If the monitor is part of a policy, you can click the policy name to see and update the policy details. Refer to Policies - New UI. |
Alert details | Refer to Alert details per monitor type. |
Response details | Refer to Response details. |
Created by | Only available for monitors within policies. Displays who created the monitor and when. |
Last edited | Only available for monitors within policies. Displays who last edited the monitor and when. |

On the Device Summary page, navigate to the Monitors card and click the description of a standalone monitor to open the monitor detail pane. Refer to Monitors in Device Summary - New UI.
NOTE Monitors within policies can only be edited in the policy. Refer to Editing a monitor within a policy.
NOTE The Threat Detection monitor is only available as part of an Endpoint Security policy. Refer to Datto EDR in Endpoint Security policy.
NOTE The Windows Defender Antivirus monitor is only available as part of an Endpoint Security policy. Refer to Managed Windows Defender Antivirus in Endpoint Security policy.
You can edit a standalone monitor in the following ways:
- To update the monitor details, click the Edit button. Refer to Alert details per monitor type and Response details.
NOTE The type of the monitor cannot be changed.
- To delete the monitor, click the Delete button. The monitor will be deleted immediately.
Notes

Monitors can be applied as standalone monitors at the device level or as part of a Monitoring policy at either the site or the account level. For more information, refer to Create a Monitoring policy in the legacy UI and Monitoring policy in the New UI.

In addition to setting up your own policies, a selection of Monitoring policies is freely available to download from the ComStore (legacy UI) or the Policies page (New UI). These include best practices to monitor the most common platforms and applications such as Exchange and SQL.
These Monitoring policies aim to provide a best-practice solution for the most typically encountered usage scenarios involving Datto RMM. However, they only serve as guidelines and may require modification depending on device configuration. (For example, ensure that network Monitoring policies are querying the correct SNMP OIDs of your devices.)
We encourage you to try these policies on your own devices to provide a solid, baseline monitoring solution to which your own monitoring can be added. Once added to your account, a policy downloaded from the ComStore (legacy UI) or the Policies page (New UI) becomes a regular Monitoring policy, which can be configured and modified as required. Targets typically must be configured before use.
For more information, refer to the following topics: Download a Monitoring policy (legacy UI), Download a ComStore policy (New UI), and Best practices for Monitoring policies (general topic that includes detailed information on the criteria monitored in some of the policies).

Thresholds
- An Event Log monitor can raise 100 identical alerts per device in 24 hours.
- An Event Log monitor can raise 600 unique alerts per device in one hour and 1,200 unique alerts per device in 24 hours.
- Any other monitor can raise 60 unique alerts per device in one hour and 120 unique alerts per device in 24 hours.
Actions
Once a monitor hits any of the limits listed above, the following actions are taken automatically:
- The monitor will be disabled on the device that has exceeded the threshold. The ON/OFF toggle on the legacy UI Device > Monitor > Monitors page and the Enabled toggle in the New UI > Device Summary > Monitors card will be set to OFF and Disabled, respectively. Refer to Manage monitors in the legacy UI and Monitors in the New UI.
- The action of disabling the monitor through alert rate limiting will be logged in the Unified Activity Log. Refer to Activity Log.
- A notification email will be sent to all users with an Administrator security level (max. 50 users) to inform them that the monitor has been disabled on the device due to alert rate limiting.
NOTE Online Status monitors do not get disabled through alert rate limiting.
NOTE The alert counter is reset at the end of every hour and at 00:00 UTC.