UniFi Talk Integration

Ingest call detail records, voicemail events, and SIP trunk monitoring data from your UniFi Talk system.

Overview

The UniFi Talk integration monitors your phone system for security-relevant events. It tracks call patterns, voicemail activity, and SIP trunk health to detect toll fraud, social engineering attempts, and system abuse.

Note

The UniFi Talk integration requires a Pro plan or above. Talk is a newer UniFi product and API availability varies by firmware version.

Supported Event Types

  • Call detail records (CDR) — Inbound, outbound, internal calls with duration and disposition
  • Voicemail events — New messages, retrievals, and forwarding activity
  • SIP trunk events — Registration status, authentication failures, trunk capacity
  • Auto-attendant — IVR navigation patterns and call routing decisions
  • Emergency calls — 911/emergency number dials with caller location data

Configuration

Navigate to Instance Settings → Integrations → UniFi Talk and enter your Talk controller details.

Talk API Configuration

Controller URL: https://192.168.1.1
API Token: ut_xxxxxxxxxxxxxxxxxxxxxxxx
CDR Polling Interval: 60s
Monitor SIP Trunks: true
Emergency Call Alerts: true

Call Detail Records

CDRs are captured with full metadata for security analysis:

CDR Event Example
{
  "type": "cdr",
  "direction": "outbound",
  "caller": "ext:201",
  "caller_name": "Reception",
  "callee": "+1-900-555-0123",
  "duration_seconds": 342,
  "disposition": "answered",
  "trunk": "primary_sip",
  "timestamp": "2025-01-15T10:23:45Z",
  "cost_estimate": 4.50
}

Toll Fraud Detection

Sentinel Nerd analyzes call patterns to detect potential toll fraud:

  • Calls to premium-rate numbers (900, international premium)
  • Unusual call volume outside business hours
  • Calls to high-fraud-risk country codes
  • Abnormally long call durations
  • Rapid sequential dialing patterns
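
The heuristics listed above can be expressed as checks over CDR events in the format shown earlier. The Python below is an added example, not Sentinel Nerd's own detection logic; the thresholds, the `+999` placeholder prefix, the UTC business hours, and the names `analyze`, `digits` and `make_cdr` are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Every threshold below is an assumption for illustration, not a product default.
PREMIUM_PREFIXES = ("+1900",)       # NANP 900 premium-rate numbers
HIGH_RISK_PREFIXES = ("+999",)      # placeholder; substitute your own country-code list
BUSINESS_HOURS = range(8, 18)       # 08:00-17:59 UTC, Monday to Friday
MAX_DURATION_S, BURST_COUNT, BURST_WINDOW = 3600, 5, timedelta(seconds=60)

def digits(number):
    """'+1-900-555-0123' -> '+19005550123'; extensions such as 'ext:201' pass through."""
    return "+" + "".join(c for c in number if c.isdigit()) if number.startswith("+") else number

def analyze(cdrs):
    """Return {list index: sorted reasons} for outbound CDRs matching any heuristic."""
    parsed = [(datetime.fromisoformat(c["timestamp"].replace("Z", "+00:00")), i, c)
              for i, c in enumerate(cdrs)
              if c.get("type") == "cdr" and c.get("direction") == "outbound"]
    findings, recent = defaultdict(set), defaultdict(list)
    for ts, i, rec in sorted(parsed, key=lambda p: p[0]):
        callee = digits(rec["callee"])
        if callee.startswith(PREMIUM_PREFIXES):
            findings[i].add("premium_rate")
        if callee.startswith(HIGH_RISK_PREFIXES):
            findings[i].add("high_risk_country")
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            findings[i].add("after_hours")
        if rec.get("duration_seconds", 0) > MAX_DURATION_S:
            findings[i].add("long_duration")
        # Sliding window per caller: keep calls placed within BURST_WINDOW of this one.
        window = [p for p in recent[rec["caller"]] if ts - p[0] <= BURST_WINDOW] + [(ts, i)]
        recent[rec["caller"]] = window
        if len(window) >= BURST_COUNT:
            for _, j in window:          # flag every call in the burst, not only the last
                findings[j].add("rapid_dialing")
    return {i: sorted(reasons) for i, reasons in findings.items()}

def make_cdr(caller, callee, ts, dur):
    return {"type": "cdr", "direction": "outbound", "caller": caller,
            "callee": callee, "duration_seconds": dur, "timestamp": ts}

# Constructed sample data; the first record reuses the values from the CDR example above.
SAMPLE = [make_cdr("ext:201", "+1-900-555-0123", "2025-01-15T10:23:45Z", 342),
          make_cdr("ext:202", "+1-212-555-0100", "2025-01-15T14:00:00Z", 120),
          make_cdr("ext:203", "+1-212-555-0101", "2025-01-15T09:00:00Z", 5400)]
SAMPLE += [make_cdr("ext:305", f"+999-555-01{n:02d}", f"2025-01-16T02:14:{n * 10:02d}Z", 8)
           for n in range(5)]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Because the burst check flags every call inside the window, an analyst sees the whole dialing run from one extension rather than only the call that crossed the threshold.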

SIP Trunk Monitoring

Monitor your SIP trunk health and security:

  • Registration failures — Failed SIP REGISTER attempts indicating misconfiguration or attack
  • Authentication failures — Brute force attempts against SIP credentials
  • Trunk capacity — Concurrent call usage approaching limits
  • Quality metrics — Jitter, packet loss, and latency affecting call quality

Built-in Detection Rules

| Rule | Severity | Description |
|---|---|---|
| talk.toll_fraud | Critical | Calls to premium-rate numbers detected |
| talk.after_hours_calls | Medium | Outbound calls outside business hours |
| talk.sip_brute_force | High | 5+ SIP auth failures in 5 minutes |
| talk.emergency_call | Critical | 911 or emergency number dialed |
| talk.trunk_down | High | SIP trunk registration lost |

Warning

Emergency call detection (talk.emergency_call) should always have at least one active alert channel configured. This rule cannot be disabled on Enterprise plans per compliance requirements.