Documentation

Welcome to the Sentinel Nerd documentation. Learn how to set up, configure, and get the most out of your UniFi SIEM platform.

Core Concepts

Sentinel Nerd is a Security Information and Event Management (SIEM) platform built exclusively for Ubiquiti UniFi ecosystems. It collects logs and events from your UniFi controllers, applies detection rules, and alerts you to potential security threats.

How It Works

  1. Collect — Syslog, API polling, and webhook receivers ingest events from all UniFi applications.
  2. Normalize — Events are parsed, enriched with threat intelligence, and stored in a time-series database.
  3. Detect — YAML detection rules and AI analysis identify threats, anomalies, and policy violations.
  4. Alert — Notifications are sent via email, Slack, Discord, PagerDuty, or webhooks.
  5. Respond — Automated response actions can block IPs, isolate devices, or adjust firewall rules.
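The first four steps above, worked through as an added Python example that is not Sentinel Nerd's own code: it normalizes constructed UniFi-style firewall syslog lines into events, evaluates one threshold rule over them with a sliding time window, and routes the resulting alert by severity. The sample lines, the field names, the rule schema (shown as the Python equivalent of a YAML document so it runs without a YAML library) and the routing table are all assumptions made for illustration; the Respond step is left out.

```python
"""Collect -> normalize -> detect -> alert over constructed UniFi-style
firewall syslog lines.  Added illustration: the line format, rule schema,
field names and routing table are assumptions, not Sentinel Nerd's own."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input.  UniFi gateways log firewall hits in an
# iptables-like shape (rule tag, then KEY=VALUE pairs); exact fields vary.
SAMPLE_LOG = """\
Mar  3 10:00:01 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22
Mar  3 10:00:05 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=22
Mar  3 10:00:09 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=22
Mar  3 10:00:14 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51003 DPT=22
Mar  3 10:00:20 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51004 DPT=22
Mar  3 10:00:33 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22
Mar  3 10:03:00 UDM-Pro kernel: [WAN_LOCAL-D-4] IN=eth8 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51005 DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<tag>[^\]]+)\] (?P<kv>.*)$"
)


def parse_line(line):
    """Normalize one raw line into a flat event dict, or None when it does not
    match the expected shape (unparsed lines are dropped, never guessed at)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Tag like WAN_LOCAL-D-4: ruleset, action (A=accept, D=drop, R=reject), index.
    parts = m.group("tag").rsplit("-", 2)
    if len(parts) != 3:
        return None
    event = {
        "ts": datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S"),
        "host": m.group("host"),
        "ruleset": parts[0],
        "action": parts[1],
        "rule_index": parts[2],
    }
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value  # "OUT=" yields an empty string, which is fine
    return event


def collect(raw_text):
    """Collect + normalize: every parseable line becomes an event, in time order."""
    events = [e for e in (parse_line(l) for l in raw_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


# Assumed rule schema, given as the Python equivalent of this YAML document:
#   name: ssh_bruteforce_from_wan
#   severity: high
#   match: {ruleset: WAN_LOCAL, action: D, PROTO: TCP, DPT: "22"}
#   threshold: {count: 5, window_seconds: 60, group_by: SRC}
RULE = {
    "name": "ssh_bruteforce_from_wan",
    "severity": "high",
    "match": {"ruleset": "WAN_LOCAL", "action": "D", "PROTO": "TCP", "DPT": "22"},
    "threshold": {"count": 5, "window_seconds": 60, "group_by": "SRC"},
}


def detect(rule, events):
    """Fire once per group whose matching events reach `count` inside any
    `window_seconds` span.  A sliding window is used so a slow trickle of
    drops spread over minutes never adds up to an alert."""
    th = rule["threshold"]
    groups = defaultdict(list)
    for e in events:
        if all(e.get(k) == v for k, v in rule["match"].items()):
            groups[e[th["group_by"]]].append(e["ts"])
    alerts = []
    for key, stamps in groups.items():
        j = 0
        for i in range(len(stamps)):
            # extend the window end while it stays within window_seconds of stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= th["window_seconds"]:
                j += 1
            if j - i >= th["count"]:
                alerts.append({"rule": rule["name"], "severity": rule["severity"],
                               th["group_by"]: key, "count": j - i,
                               "first_seen": stamps[i], "last_seen": stamps[j - 1]})
                break  # one alert per group per evaluation
    return alerts


# Assumed severity-based routing table using the channel types the page names.
ROUTES = {
    "critical": ["pagerduty", "slack", "email"],
    "high": ["slack", "email"],
    "medium": ["email"],
    "low": [],
}


def route(alert):
    """Attach delivery channels; an unknown severity falls back to email so a
    mistyped rule never silently drops its alerts."""
    return dict(alert, channels=ROUTES.get(alert["severity"], ["email"]))


def run_pipeline(raw_text, rules=(RULE,)):
    events = collect(raw_text)
    return [route(a) for rule in rules for a in detect(rule, events)]


if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOG):
        print(a["rule"], a["SRC"], a["count"], "->", ", ".join(a["channels"]))
```

On the constructed input, 203.0.113.7 produces five drops on port 22 within 19 seconds and fires the rule once; its sixth drop almost three minutes later and the single drop from 192.0.2.9 do not. The `high` severity resolves to Slack and email.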

Supported UniFi Applications

  • UniFi Network — Firewalls, switches, APs, IDS/IPS, and syslog events
  • UniFi Protect — Cameras, motion events, and smart detection (person, vehicle, package)
  • UniFi Access — Door access events, credentials, and visitor management
  • UniFi Talk — Call detail records, voicemail, and SIP trunk monitoring

Feature Highlights

  • Detection Rules — YAML-based rule engine with 50+ built-in rules
  • Alerting — Multi-channel notifications with severity-based routing
  • AI Analysis — GPT-4-powered event analysis and contextual threat scoring
  • Threat Intelligence — GeoIP, AbuseIPDB, and VirusTotal enrichment
  • Active Response — Automated blocking, VLAN isolation, and rate limiting

Network Telemetry

  • Network Events — Operational events (link, AP radio, WAN, controller lifecycle) on a dedicated page, separate from security alerts
  • Traffic Analytics — NetFlow v5, v9, and IPFIX with 60-second aggregation buckets, top-talkers, protocol breakdown, and reverse-DNS enrichment
  • SNMP Trap Receiver — SNMPv1 and SNMPv2c traps with well-known OID mapping (these trap versions are authenticated only by a cleartext community string, so restrict the receiver to trusted source addresses)

Deployment

  • Multi-Tenant Admin Center — MSP-style per-client instances with automated subdomain, DNS, wildcard TLS certificate, and super-admin SSO