UniFi Access Integration

Ingest door access events, credential usage, and visitor management data from your UniFi Access system.

Overview

The UniFi Access integration connects to your Access controller to monitor physical access events. It tracks door opens, credential scans, access denials, and visitor check-ins to correlate physical and network security events.

Supported Event Types

  • Door events — Open, close, held-open, forced-open alerts
  • Credential events — NFC tap, PIN entry, fingerprint scan, mobile unlock
  • Access decisions — Granted, denied (reason: expired, revoked, wrong schedule)
  • Visitor events — Check-in, check-out, badge provisioning (Pro)
  • Emergency events — Lockdown activation/deactivation, fire alarm integration
  • Device health — Reader offline, lock battery low, tamper detection

Configuration

Navigate to Instance Settings → Integrations → UniFi Access and provide your Access controller details.

Access API Configuration

    Controller URL: https://192.168.1.1:12445
    API Token: ua_xxxxxxxxxxxxxxxxxxxxxxxx
    Polling Interval: 10s
    Sync Credentials: true

Note

UniFi Access uses API tokens instead of username/password. Generate a token in the Access controller under Settings → API.

Access Event Data

Each access event includes rich contextual data:

Access Event Example
{
  "type": "access_granted",
  "door": "Main Entrance",
  "user": "Jane Smith",
  "credential_type": "nfc",
  "credential_id": "cred_abc123",
  "schedule": "Business Hours",
  "timestamp": "2025-01-15T08:45:12Z",
  "device": "UA-Pro Reader",
  "device_battery": 85
}

Physical + Network Correlation

One of the most powerful features is correlating physical access with network activity. For example:

  • Alert if a user's device connects to the network without a corresponding door access event
  • Detect credential sharing by matching access events with network device fingerprints
  • Track after-hours access and correlate with VPN or network logins

Correlation Rule Example
name: access.no_physical_entry
description: Network device connected without corresponding door access
severity: medium
conditions:
  - field: source
    equals: unifi_network
  - field: event_type
    equals: client_connect
  - field: correlation.physical_access
    equals: false
  - field: client.is_known
    equals: true
window: 15m
actions:
  - alert:
      channels: [email]
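
The correlation the rule above expresses, written out as an added example (not the product's own code). It assumes `correlation.physical_access` means "an access_granted event for the same user within the 15 minutes before the connect"; the network event shape, the `access_denied` type name, and the sample users and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # mirrors `window: 15m` in the rule above

def parse_ts(value):
    # Event timestamps are ISO 8601 UTC with a trailing "Z", as in the access event example.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def connects_without_entry(access_events, network_events, window=WINDOW):
    """Flag known-client connects with no access_granted for the same user
    in the `window` before the connect (assumed meaning of the rule)."""
    grants = {}
    for ev in access_events:
        if ev["type"] == "access_granted":  # denials do not count as entry
            grants.setdefault(ev["user"], []).append(parse_ts(ev["timestamp"]))
    findings = []
    for ev in network_events:
        if ev.get("source") != "unifi_network" or ev.get("event_type") != "client_connect":
            continue
        if not ev.get("client", {}).get("is_known"):
            continue  # the rule only evaluates known clients
        seen = parse_ts(ev["timestamp"])
        entered = any(timedelta(0) <= seen - g <= window for g in grants.get(ev["user"], []))
        if not entered:
            findings.append({"rule": "access.no_physical_entry", "severity": "medium",
                             "user": ev["user"], "timestamp": ev["timestamp"]})
    return findings

# Constructed sample data (not real logs).
ACCESS = [
    {"type": "access_granted", "door": "Main Entrance", "user": "Jane Smith", "timestamp": "2025-01-15T08:45:12Z"},
    {"type": "access_denied", "door": "Main Entrance", "user": "Sam Lee", "timestamp": "2025-01-15T09:00:00Z"},
]
def connect(user, ts, known=True):
    return {"source": "unifi_network", "event_type": "client_connect", "user": user,
            "timestamp": ts, "client": {"is_known": known}}
NETWORK = [
    connect("Jane Smith", "2025-01-15T08:50:00Z"),          # 5 min after entry: fine
    connect("Sam Lee", "2025-01-15T09:02:00Z"),             # only a denial on record
    connect("Jane Smith", "2025-01-15T19:30:00Z"),          # no entry in prior 15 min
    connect("Guest", "2025-01-15T10:00:00Z", known=False),  # unknown client: skipped
]

if __name__ == "__main__":
    for finding in connects_without_entry(ACCESS, NETWORK):
        print(finding)
```

Under this strict reading, a device that reconnects hours after its owner badged in also fires the rule, so the window is a tuning parameter.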

Built-in Detection Rules

Rule                     Severity   Description
access.forced_open       Critical   Door opened without valid credential
access.held_open         Medium     Door held open longer than threshold
access.denied_repeated   High       3+ access denials in 5 minutes
access.after_hours       Medium     Access granted outside scheduled hours
access.reader_offline    High       Access reader disconnected for 5+ min

Warning

Door forced-open events should always be treated as critical security events. We recommend pairing this with an active response action to send immediate PagerDuty notifications.