Detection Rules
Sentinel Nerd uses a YAML-based rule engine to detect threats, anomalies, and policy violations across your UniFi ecosystem in real time.
Rule Structure
Every detection rule is a YAML document with the following structure:
rule-template.yaml

```yaml
name: namespace.rule_name
description: Human-readable description of what this rule detects
severity: critical | high | medium | low | info
enabled: true
source: unifi_network | unifi_protect | unifi_access | unifi_talk | any
tags:
  - network
  - brute_force
conditions:
  - field: event.type
    equals: login_failure
  - field: event.src_ip
    not_in: [192.168.0.0/16, 10.0.0.0/8]
window: 5m
threshold:
  count: 5
  group_by: event.src_ip
actions:
  - alert:
      channels: [email, slack]
  - enrich:
      threat_intel: true
```
Fields Reference
Metadata Fields
| Field | Type | Description |
|---|---|---|
| name | string | Unique rule identifier (namespace.name format) |
| description | string | Human-readable description |
| severity | enum | critical, high, medium, low, or info |
| enabled | boolean | Whether the rule is active (default: true) |
| source | string | Event source filter, or "any" for all sources |
| tags | string[] | Tags for organizing and filtering rules |
Condition Operators
Conditions evaluate fields from incoming events. Available operators:
| Operator | Description | Example |
|---|---|---|
| equals | Exact match | field: type, equals: "login_failure" |
| not_equals | Not equal | field: status, not_equals: "success" |
| in | Value in list | field: port, in: [22, 23, 3389] |
| not_in | Value not in list | field: src_ip, not_in: [10.0.0.0/8] |
| contains | Substring match | field: message, contains: "denied" |
| regex | Regular expression | field: url, regex: "\\.(exe|bat|ps1)$" |
| gt / gte / lt / lte | Numeric comparisons | field: bytes_out, gt: 1073741824 |
| exists | Field is present | field: threat_score, exists: true |
Windowing and Thresholds
For aggregate detections (e.g., brute force), use window and threshold:
Brute Force Rule

```yaml
name: net.ssh_brute_force
description: Multiple SSH login failures from a single source
severity: high
source: unifi_network
conditions:
  - field: event.type
    equals: login_failure
  - field: event.dst_port
    equals: 22
window: 5m
threshold:
  count: 10
  group_by: event.src_ip
actions:
  - alert:
      channels: [slack, email]
  - active_response:
      action: block_ip
      duration: 1h
```
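To make the condition, window, threshold and group_by semantics concrete, the following is an added Python evaluator (example code, not Sentinel Nerd's engine) that runs the brute-force rule above, extended with the template's not_in condition, over a few constructed events. The dotted-field lookup, CIDR matching for IP values in in/not_in, the per-key reset after an alert, and the count lowered to 3 are assumptions made for the example.

```python
import operator, re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Page's brute-force rule plus the template's not_in, as a YAML loader would yield it (hypothetical
# dict form, not Sentinel Nerd's code); count lowered from 10 to 3 so the sample stays short.
RULE = {"name": "net.ssh_brute_force", "window": "5m",
        "conditions": [{"field": "event.type", "equals": "login_failure"},
                       {"field": "event.dst_port", "equals": 22},
                       {"field": "event.src_ip", "not_in": ["192.168.0.0/16", "10.0.0.0/8"]}],
        "threshold": {"count": 3, "group_by": "event.src_ip"}}

def get_field(event, path):  # 'event.src_ip' -> event['src_ip']; None if absent (assumed semantics)
    return event.get(path.split(".", 1)[1])
def in_list(value, options):  # IP-shaped values match CIDR entries (assumption); others by equality
    try:
        return any(ip_address(str(value)) in ip_network(o, strict=False) for o in options)
    except ValueError:
        return value in options
OPS = {"equals": operator.eq, "not_equals": operator.ne, "gt": operator.gt, "gte": operator.ge,
       "lt": operator.lt, "lte": operator.le, "in": in_list, "not_in": lambda v, a: not in_list(v, a),
       "contains": lambda v, a: a in str(v), "regex": lambda v, a: re.search(a, str(v)) is not None,
       "exists": lambda v, a: (v is not None) == a}

def matches(rule, event):  # every condition must hold; a missing field only satisfies exists: false
    for cond in rule["conditions"]:
        value = get_field(event, cond["field"])
        for op, arg in ((k, v) for k, v in cond.items() if k != "field"):
            if (value is None and op != "exists") or not OPS[op](value, arg):
                return False
    return True

def run_rule(rule, events):  # alert once `count` matching events share a group_by key within `window`
    win = int(rule["window"][:-1]) * {"s": 1, "m": 60, "h": 3600}[rule["window"][-1]]
    thr, buckets, alerts = rule["threshold"], defaultdict(deque), []
    for ev in (e for e in sorted(events, key=lambda e: e["ts"]) if matches(rule, e)):
        key = get_field(ev, thr["group_by"])
        buckets[key].append(ev["ts"])
        while ev["ts"] - buckets[key][0] > win:  # expire timestamps older than the window
            buckets[key].popleft()
        if len(buckets[key]) >= thr["count"]:
            alerts.append((key, ev["ts"]))
            buckets[key].clear()  # reset the key so one burst yields one alert
    return alerts

EVENTS = [{"ts": t, "type": "login_failure", "dst_port": 22, "src_ip": ip} for t, ip in  # constructed
          [(0, "203.0.113.9"), (60, "203.0.113.9"), (120, "203.0.113.9"),      # 3 within 5m -> alert
           (0, "10.1.2.3"), (10, "10.1.2.3"), (20, "10.1.2.3"),                # RFC1918, excluded
           (0, "198.51.100.7"), (400, "198.51.100.7"), (410, "198.51.100.7")]]  # oldest drops out of 5m
```

Running `run_rule(RULE, EVENTS)` yields a single alert for 203.0.113.9; the private source is filtered by not_in and the third source never has three failures inside one five-minute window.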
Actions
When a rule matches, one or more actions execute:
- alert — Send notifications via configured channels (Alerting docs)
- enrich — Run threat intelligence lookups on matched events
- active_response — Execute automated response (Active Response docs) (Pro)
- tag — Add tags to matched events for later analysis
- snapshot — Save a camera snapshot (Protect events only)
Built-in Rule Packs
Sentinel Nerd ships with curated rule packs that you can enable with one click:
- Network Security (12 rules) — Brute force, port scans, unauthorized access
- IDS/IPS Correlation (8 rules) — Enhanced Suricata alert triage
- Physical Security (10 rules) — Access control and camera monitoring
- Anomaly Detection (6 rules) — Traffic and behavior anomalies (Pro)
- Compliance (8 rules) — PCI-DSS, SOC 2 monitoring rules (Enterprise)
Testing Rules
Use the rule simulator in the dashboard (Detection → Rules → Simulate) to test your rules against historical events before enabling them in production.
Managing Rules via API
Rules can be managed programmatically via the Rules API. This is useful for deploying rules from version control or automating rule management across multiple instances.