Overview
At this level, administrators begin to actively monitor network events detected by Sentry. While Level 1 focused on establishing visibility, Level 2 introduces threat awareness: recognizing when the system detects suspicious or malicious activity and understanding what it means.
The goal is to transition from simply knowing that Sentry is watching to using its insights to make informed security decisions.
Understanding Alerts
Sentry generates alerts when traffic matches known attack patterns, behaves abnormally, or violates established security policies. These alerts are summarized in the Dashboard, primarily within:
For a more detailed view, the Incidents tab of the Security page allows administrators to view, filter, sort, and search all existing Sentry findings.
Each alert includes key details such as:
- Timestamp: When the event was detected
- Severity: Impact level (Critical, High, Medium, Low)
- Source and destination: Which device initiated or received the traffic
- Description: What type of activity was observed (for example, scanning, exploit attempt, or data exfiltration pattern)
Administrators should review these alerts regularly to determine whether further investigation or containment is required.
Prioritizing Incidents
Sentry automatically classifies detections based on severity to help administrators focus on what matters most. A good rule of thumb:
| Severity | Typical Context | Suggested Action |
|---|---|---|
| Critical | Confirmed malicious or high-impact behavior | Investigate and isolate affected systems immediately |
| High | Strong indicators of attack or policy violation | Review logs and confirm legitimacy |
| Medium | Suspicious but not confirmed | Monitor for recurrence or pattern escalation |
| Low | Informational or benign anomalies | Use for awareness or tuning |
By tracking these patterns over time, administrators can begin to understand what “normal” looks like in their environment and more easily identify meaningful deviations.
Taking Action
At this stage, response may be manual but should be deliberate and consistent. Recommended steps include:
- Verify legitimacy: Confirm whether an alert corresponds to real activity or a benign false positive.
- Document findings: Record the outcome within internal notes or incident tickets.
- Contain threats: If the activity is malicious, disconnect affected devices or rotate credentials.
- Review prevention settings: Determine if adjustments to Blackhole, VPN, or firewall policies would reduce recurrence.
All incident updates are automatically reflected in the Active Incidents card and historical reporting metrics.
Building Situational Awareness
Administrators reaching this stage should develop habits for interpreting alerts in context rather than one at a time.
For example:
- Multiple Medium alerts involving the same device may signal an early compromise attempt.
- Repeated High-severity detections from the same external IP could indicate a targeted campaign.
- A sudden drop in overall detections may not always be good—it could indicate sensor failure or misconfiguration.
Awareness grows by looking for trends, not just incidents.
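The three patterns above, written out as an added correlation script that is not part of Sentry or this guide: it assumes alert records exported with the fields listed under Understanding Alerts, that 10.0.0.0/8 is the site's internal range, and the thresholds are illustrative; the alert data is constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alerts using the fields the guide lists; values are invented.
SAMPLE_ALERTS = [
    {"timestamp": "2024-05-01T08:00:00", "severity": "Medium", "src": "10.0.0.5", "dst": "10.0.0.20", "description": "port scan"},
    {"timestamp": "2024-05-01T09:15:00", "severity": "Medium", "src": "10.0.0.5", "dst": "10.0.0.21", "description": "port scan"},
    {"timestamp": "2024-05-01T11:40:00", "severity": "Medium", "src": "10.0.0.5", "dst": "10.0.0.22", "description": "brute force"},
    {"timestamp": "2024-05-01T12:00:00", "severity": "High", "src": "203.0.113.9", "dst": "10.0.0.30", "description": "exploit attempt"},
    {"timestamp": "2024-05-02T03:20:00", "severity": "High", "src": "203.0.113.9", "dst": "10.0.0.31", "description": "exploit attempt"},
    {"timestamp": "2024-05-02T10:00:00", "severity": "Low", "src": "10.0.0.7", "dst": "10.0.0.1", "description": "unusual DNS"},
    {"timestamp": "2024-05-03T10:00:00", "severity": "Low", "src": "10.0.0.8", "dst": "10.0.0.1", "description": "unusual DNS"},
]

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the monitored site's internal range


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def medium_clusters(alerts, threshold=3):
    """Devices with at least `threshold` Medium alerts: a possible early compromise attempt."""
    counts = Counter(a["src"] for a in alerts if a["severity"] == "Medium")
    return {dev: n for dev, n in counts.items() if n >= threshold}


def repeated_external_high(alerts, threshold=2):
    """External sources with at least `threshold` High alerts: a possible targeted campaign."""
    counts = Counter(a["src"] for a in alerts
                     if a["severity"] == "High" and not is_internal(a["src"]))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def detection_drop(alerts, ratio=0.5):
    """Flag the latest day if its detection count falls below `ratio` of the
    average of earlier days: a sudden drop may mean sensor failure, not safety."""
    per_day = Counter(a["timestamp"][:10] for a in alerts)  # timestamps are ISO 8601
    days = sorted(per_day)
    if len(days) < 2:
        return None
    latest = days[-1]
    baseline = sum(per_day[d] for d in days[:-1]) / (len(days) - 1)
    if per_day[latest] < ratio * baseline:
        return {"day": latest, "count": per_day[latest], "baseline": baseline}
    return None


if __name__ == "__main__":
    print("Medium clusters:", medium_clusters(SAMPLE_ALERTS))
    print("External High repeats:", repeated_external_high(SAMPLE_ALERTS))
    print("Detection drop:", detection_drop(SAMPLE_ALERTS))
```

Run the same checks against a real export of the Incidents tab to turn these rules of thumb into a daily review habit.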
Maturity Progress
By understanding and responding to alerts, the organization reaches Level 2 — Visibility 🟡. Sentry now acts as a trusted source of intelligence rather than a passive monitor, helping administrators identify threats in real time and make informed decisions about containment and prevention.