Documentation

Quick Start

Get SentinelAI running in under 5 minutes.

1. Start the Dashboard

# Clone or download SentinelAI
docker-compose up -d

The dashboard will be available at your configured URL. Default port is 8015.

2. Create an API Key

Open the dashboard and log in
Go to Settings (gear icon) → API Keys tab
Click Create to generate a new API key
Copy the key immediately — it won't be shown again

3. Run an Agent

# Windows (PowerShell as Administrator)
cd windows_agent
$env:SENTINEL_API_KEY = "sk_live_your_key_here"
python -m venv venv
.\venv\Scripts\activate
pip install -r requirements.txt
python agent.py --dashboard https://your-dashboard-url

# Linux / macOS (as root)
cd linux_agent
export SENTINEL_API_KEY="sk_live_your_key_here"
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
sudo python3 agent.py --dashboard https://your-dashboard-url

4. Verify

You should see the agent register in the dashboard's Agents panel. Events will start appearing within seconds as the monitors initialize.

Dashboard Setup

The dashboard is a Docker stack consisting of FastAPI, PostgreSQL, and Redis.

Docker Compose Services

Service	Description	Default Port
`web`	FastAPI application server	8015 → 8000
`db`	PostgreSQL 14 database	5444 → 5432
`redis`	Redis cache and sessions	6390 → 6379
`snort-connector`	Snort IDS log processor	—

Environment Configuration

Copy .env.example to .env and configure:

Variable	Description	Required
`BYGHEART_API_KEY`	Bygheart API key for AI analysis	Optional
`VIRUSTOTAL_API_KEY`	VirusTotal API key for hash/URL scanning	Optional
`DATABASE_URL`	PostgreSQL connection string	Auto-configured
`REDIS_URL`	Redis connection string	Auto-configured
`DASHBOARD_PORT`	Dashboard port	Default: 8015

Common Docker Commands

# Start all services
docker-compose up -d

# View logs
docker-compose logs -f web

# Rebuild after changes
docker-compose up -d --build web

# Stop all services
docker-compose down

Windows Agent

The Windows agent provides 25+ concurrent security monitors for comprehensive endpoint protection.

Requirements

Python 3.10+
Administrator access (recommended for full capabilities)
Dependencies: psutil, requests, pywin32, numpy, scikit-learn, lightgbm, xgboost

Installation

# Open PowerShell as Administrator
cd windows_agent

# Create virtual environment
python -m venv venv
.\venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Set API key
$env:SENTINEL_API_KEY = "sk_live_your_key_here"

# Run the agent
python agent.py --dashboard https://your-dashboard-url

Or use the batch file after setup:

run_agent.bat

Command Line Options

Option	Description	Default
`-d, --dashboard`	Dashboard URL	http://localhost:8015
`-v, --verbose`	Enable verbose logging	Off
`--no-ai`	Disable Bygheart AI escalation	Off

What It Monitors

The Windows agent runs these monitors concurrently:

Process Monitor — Detects mimikatz, encoded PowerShell, reverse shells, crypto miners, download cradles
Network Monitor — Suspicious ports (4444, 5555, 1337), outbound + inbound connections, port scans, brute force, DDoS
Event Log Parser — Failed logins (4625), privilege escalation (4672), new services (4697), scheduled tasks (4698), audit log cleared (1102)
Registry Watch — Run keys, Services, Winlogon persistence entries
Startup Monitor — Startup folder and registry Run entries
Scheduled Tasks — New task creation for persistence
USB Monitor — Device connections and removals
Hosts File — DNS hijacking via hosts file modifications
Browser Extensions — Chrome/Edge new extension installs
Clipboard — Passwords, API keys, crypto wallet addresses
DNS Queries — DNS tunneling and suspicious domain lookups
PowerShell Logging — Script block execution capture
WMI — WMI persistence and event subscriptions
DLL Injection — Injected DLLs in running processes
Named Pipes — C2 communication channel detection
Services — New service creation for persistence
Drivers — Rootkit driver loading
Firewall Rules — Unauthorized rule changes
Certificates — Rogue certificates in Windows store
Windows Defender — Security Center integration
AMSI — Antimalware Scan Interface events
ETW — Event Tracing for Windows
Sysmon — Enhanced process/network logging
Ransomware Canary — Honeypot files detect encryption
Data Exfiltration — Large outbound transfers (50MB/min threshold)

Agent Logs

The agent writes to sentinel_agent.log in the current directory. Use --verbose for detailed output.

Linux & macOS Agent

The Linux agent provides 16 monitors; macOS provides 10 platform-specific monitors.

Linux Monitors

Category	Monitor	Description
Core	Process	Reverse shells, crypto miners, malicious tools
Core	Network	Suspicious connections and ports
Core	Auth Log	Failed logins, brute force detection
System	Cron Jobs	New/modified cron entries
System	SSH Keys	authorized_keys changes
System	Systemd	New/modified services
System	Packages	Unauthorized installs (dpkg/rpm/pacman)
Security	Kernel Modules	Rootkit detection (diamorphine, reptile)
Security	LD_PRELOAD	Library injection attacks
Security	Setuid	New setuid/setgid binaries
Security	File Integrity	Critical file hash monitoring
Advanced	Container Escape	Docker socket, cgroup escapes
Advanced	Auditd	Audit log parsing
Advanced	SELinux	Policy violations
Advanced	AppArmor	Policy violations

macOS-Specific Monitors

In addition to core process/network monitoring, macOS agents include: pf Firewall, Launch Daemons, Keychain Access, Gatekeeper, TCC Privacy, and XProtect integration.

Installation

# Linux / macOS
cd linux_agent
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
export SENTINEL_API_KEY="sk_live_your_key_here"
sudo python3 agent.py --dashboard https://your-dashboard-url

Running as root/sudo is recommended for full capabilities including firewall control, auth log access, and kernel module monitoring.

API Keys & Authentication

User Authentication

The dashboard uses JWT (JSON Web Token) authentication. Users log in with email and password, receiving a token for subsequent API calls.

Agent API Keys

Agents authenticate using API keys (prefixed with sk_live_). Each key is tied to a user account and determines which agents that user can see.

Creating API Keys

Log in to the dashboard
Go to Settings → API Keys
Click Create
Copy the key immediately (shown only once)
Set as environment variable: SENTINEL_API_KEY=sk_live_xxx

Never share API keys or commit them to version control. Rotate keys immediately if compromised.

Auto-Response

SentinelAI can automatically respond to threats based on severity without manual intervention.

Capabilities

IP Blocking — Automatically blocks malicious IPs via the OS firewall (netsh on Windows, iptables on Linux, pf on macOS)
Process Termination — Kills dangerous processes detected by the ML engine
File Quarantine — Moves suspicious files to a quarantine directory

Configuration

Severity Threshold — Set minimum severity for auto-response (e.g., HIGH or CRITICAL only)
Cooldown Period — Prevents blocking the same IP repeatedly
IP Whitelist — Trusted IPs that are never blocked

Configure auto-response from the dashboard's Monitoring section.

ML Detection Engine

SentinelAI uses a three-stage detection pipeline.

Stage 1: Advanced ML v2.0 (Local)

The primary detection engine runs entirely on the endpoint:

150+ features extracted across process, network, file, registry, behavioral, context, and anomaly dimensions
Ensemble models: LightGBM + XGBoost + Random Forest with weighted voting
Behavioral analysis: Attack chain detection (reconnaissance, lateral movement, exfiltration)
Anomaly detection: Baseline learning with Isolation Forest
MITRE ATT&CK: Maps to 45+ techniques with confidence scores

Stage 2: Legacy Heuristics

Fallback for when ML models are unavailable:

Whitelist check (known safe applications)
Blacklist check (known malware names/hashes)
Command-line pattern matching for suspicious arguments

Stage 3: Bygheart AI Escalation (Optional)

For uncertain cases (40-70% ML confidence):

Deep threat classification
Remediation recommendations
False positive detection

Benchmark Results

Metric	Score
Accuracy	96.5%
Precision	99.7%
Recall	89.9%
F1 Score	94.5%
False Positive Rate	0.2%

Autonomous Learning

The ML model improves over time:

Learns from high-confidence (>80%) predictions
Accepts user feedback to correct false positives
Auto-retrains every 24 hours with 500+ samples
Persists learning between agent restarts

Retraining

# Activate virtual environment
.\venv\Scripts\activate

# Train with synthetic data
python train_ml.py

# Run tests
python test_ml.py

# Benchmark
python benchmark_ml.py

Notifications & Alerts

Supported Channels

Channel	Description
Email (SMTP)	SMTP email notifications for HIGH/CRITICAL threats
Discord Webhooks	Rich embed alerts to Discord channels
Generic Webhooks	POST alerts to any endpoint with HMAC signatures

Configuration

Configure notification channels from the dashboard Settings page. Set the minimum severity threshold for each channel to control alert volume.

Integrations

VirusTotal

Check file hashes, URLs, IPs, and domains against VirusTotal's database. Requires a free VirusTotal API key configured in the dashboard settings.

AlienVault OTX

Threat intelligence feed integration for IP and domain reputation lookups.

Abuse.ch Feeds

Integrates with URLhaus, FeodoTracker, ThreatFox, and MalwareBazaar for known malware indicators.

Snort IDS

The Docker stack includes a Snort connector that ingests Snort IDS alerts into the SentinelAI pipeline.

Docker Projects

Any Docker container can send threat data to SentinelAI:

# From any Docker container
import requests
requests.post("http://host.docker.internal:8015/api/v1/threats/analyze", json={
    "source_ip": "192.168.1.100",
    "threat_type": "suspicious_activity",
    "severity": "HIGH",
    "description": "Unusual database query pattern detected"
})

API Reference

Health Check

GET /api/v1/health

Returns service health status.

Authentication

POST /api/v1/auth/login
Content-Type: application/x-www-form-urlencoded

username=user@example.com&password=yourpassword

Returns a JWT token for subsequent authenticated requests.

Threat Analysis

POST /api/v1/threats/analyze
Content-Type: application/json
X-API-Key: sk_live_xxx

{
    "source_ip": "192.168.1.100",
    "threat_type": "malware",
    "severity": "HIGH",
    "description": "Suspicious process detected"
}

Recent Threats

GET /api/v1/threats/recent
Authorization: Bearer <jwt_token>

Agent Registration

POST /api/v1/windows/agent/register
Content-Type: application/json
X-API-Key: sk_live_xxx

{
    "hostname": "DESKTOP-ABC123",
    "platform": "Windows",
    "platform_version": "10.0.19041",
    "capabilities": ["process", "network", "eventlog", "firewall"]
}

List Connected Agents

GET /api/v1/windows/agent/list
Authorization: Bearer <jwt_token>

Agent Stats

GET /api/v1/agents/stats
GET /api/v1/agents/fleet-overview
Authorization: Bearer <jwt_token>

AI Analysis Stats

GET /api/v1/ai/stats
Authorization: Bearer <jwt_token>

Remote Commands

Send commands to connected agents from the dashboard.

Available Commands

Command	Description
`block_ip`	Block an IP address via OS firewall
`unblock_ip`	Remove an IP block
`kill_process`	Terminate a process by PID or name
`quarantine_file`	Move a file to quarantine
`scan_path`	Scan a directory for threats
`get_system_info`	Retrieve full system information
`list_connections`	List active network connections
`list_processes`	List running processes

Sending Commands via API

POST /api/v1/windows/agent/{hostname}/commands/queue
Authorization: Bearer <jwt_token>
Content-Type: application/json

{
    "command": "block_ip",
    "args": {"ip": "10.0.0.5"}
}

Agents poll for commands every 30 seconds and execute them locally.

Troubleshooting

"Dashboard not reachable"

Ensure Docker is running: docker-compose up -d
Check the dashboard URL and port are correct
Verify firewall allows connections to the dashboard port
Check Docker logs: docker-compose logs -f web

"Access Denied" errors on agent

Run the agent as Administrator (Windows) or root (Linux/macOS)
Some processes may be protected by the OS

No events appearing in dashboard

Check the agent is running (look for log output)
Verify the API key is set correctly
Check agent logs in sentinel_agent.log
Test the API: GET /api/v1/health

Agent not registering

Verify the SENTINEL_API_KEY environment variable is set
Check the dashboard URL is reachable from the agent machine
Look for registration errors in agent logs

High false positive rate

Use the dashboard to mark false positives — the ML model learns from feedback
Retrain the model with python train_ml.py
Check if legitimate software is triggering heuristic rules

Contents

Quick Start

1. Start the Dashboard

2. Create an API Key

3. Run an Agent

4. Verify

Dashboard Setup

Docker Compose Services

Environment Configuration

Common Docker Commands

Windows Agent

Requirements

Installation

Command Line Options

What It Monitors

Agent Logs

Linux & macOS Agent

Linux Monitors

macOS-Specific Monitors

Installation

API Keys & Authentication

User Authentication

Agent API Keys

Creating API Keys

Auto-Response

Capabilities

Configuration

ML Detection Engine

Stage 1: Advanced ML v2.0 (Local)

Stage 2: Legacy Heuristics

Stage 3: Bygheart AI Escalation (Optional)

Benchmark Results

Autonomous Learning

Retraining

Notifications & Alerts

Supported Channels

Configuration

Integrations

VirusTotal

AlienVault OTX

Abuse.ch Feeds

Snort IDS

Docker Projects

API Reference

Health Check

Authentication

Threat Analysis

Recent Threats

Agent Registration

List Connected Agents

Agent Stats

AI Analysis Stats

Remote Commands

Available Commands

Sending Commands via API

Troubleshooting

"Dashboard not reachable"

"Access Denied" errors on agent

No events appearing in dashboard

Agent not registering

High false positive rate