SecOps Dashboard

The manager serves a built-in web dashboard — no extra install. It is offline (your data never leaves the LAN), bilingual (English / Indonesia), dark/light, with a clean flat design and Solar icons. Connect once and it auto-refreshes every 4 seconds.

Open the dashboard

Start the manager; it serves the dashboard on the same port it already listens on, so there is nothing extra to install or start. Then open it in any browser on your network.

```bash
nexus manager run --host 0.0.0.0 --port 8765
nexus manager info        # prints the enrollment key + admin token
# open http://<manager-host>:8765/
```

--host 0.0.0.0 listens on every interface, and the admin token is the only credential the dashboard asks for, so bind to a LAN-only address or firewall the port if the manager host is also reachable from outside your network.

1. Connect. Enter the manager host, port, and admin token (from nexus manager info) in the top bar, then click Connect. The status dot turns green when linked. The token is held in sessionStorage and is cleared when you close the tab.
Offline & bilingual. Everything renders locally — no CDN, no telemetry. Use the language toggle for English / Indonesia and the theme toggle for dark / light. The whole UI uses sharp (non-rounded) cards and Solar-style icons.

Core views

  • Overview — live metric cards, the license seat-usage bar, and recent alerts
  • Agents — every endpoint; Scan collects telemetry now, Remove frees a seat
  • Alerts — rule-engine findings mapped to MITRE ATT&CK; click to ack / resolve, or Secure to remediate
  • Events — raw telemetry, filterable by severity
  • Incidents — related alerts grouped to kill alert fatigue
  • Policy — edit the JSON configuration pushed to all agents
  • License — tier, seats, features and expiry at a glance
  • Help — a built-in guide so new operators are never lost

SecOps views

Under the sidebar's SecOps group are nine analytics views — the SOC brain layered on the same event/alert store. They all read real data; nothing here is a demo.

Search (SIEM)

A query box using Nexus Query Language (NQL) over events and alerts. Terms separated by spaces are ANDed, and every field name in a term refers to a real field in the event/alert store.

NQL examples

```text
severity>=high last:24h           # high+critical in the last day
event_type:failed_login           # one field, exact match
event_type:failed_login,sca       # IN (comma = OR)
title:*brute*                     # wildcard contains
target.path:*.env                 # nested JSON path
-origin:demo                      # negation (NOT)
"failed password"                 # free-text phrase
```
Plain language → NQL. Click the AI button next to the search box and type in plain language (e.g. “failed logins this week from agt_x”). The local AI translates it to NQL (event_type:failed_login last:7d agent_id:agt_x) — no token, no cloud.
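
To make the semantics of those seven query shapes concrete, here is an added example of a small NQL evaluator over a handful of constructed events. It is not Nexus's own parser, and several details are assumptions the page does not state: severity ranks low < medium < high < critical, last: accepts m/h/d units, a free-text phrase matches any string field, and comparisons on other fields are numeric where both sides parse as numbers. The sample events and the fixed clock are constructed for the demonstration.

```python
# Added example: a small evaluator for the NQL shapes listed above. It is not
# Nexus's own parser. Assumptions not stated on the page: severity ranks
# low < medium < high < critical, last: accepts m/h/d units, free-text phrases
# match any string field, and the sample events below are constructed.
import re
import shlex
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumption
DURATION_UNITS = {"m": 60, "h": 3600, "d": 86400}                   # assumption
TERM_RE = re.compile(r"^(?P<neg>-)?(?P<field>[\w.]+)(?P<op>>=|<=|!=|>|<|:|=)(?P<value>.+)$")


def _lookup(doc, path):
    """Resolve a dotted path such as target.path inside nested JSON."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _strings(doc):
    """Yield every string value in a document, for free-text phrase search."""
    if isinstance(doc, dict):
        for v in doc.values():
            yield from _strings(v)
    elif isinstance(doc, list):
        for v in doc:
            yield from _strings(v)
    elif isinstance(doc, str):
        yield doc


def _match(actual, pattern):
    """Exact match, or glob match when the pattern contains '*'. Case-insensitive."""
    if actual is None:
        return False
    if "*" in pattern:
        regex = ".*".join(re.escape(p) for p in pattern.split("*"))
        return re.fullmatch(regex, str(actual), re.IGNORECASE) is not None
    return str(actual).lower() == pattern.lower()


def _compare(actual, op, value):
    """Ordered comparison: severity by rank, numbers numerically, else as strings."""
    if actual is None:
        return False
    a, b = str(actual).lower(), str(value).lower()
    if a in SEVERITY_RANK and b in SEVERITY_RANK:
        a, b = SEVERITY_RANK[a], SEVERITY_RANK[b]
    else:
        try:
            a, b = float(a), float(b)
        except ValueError:
            pass  # neither side numeric: fall back to string comparison
    return {"=": a == b, "!=": a != b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]


def compile_nql(query, now=None):
    """Turn a query into a predicate doc -> bool. Whitespace-separated terms are ANDed."""
    now = now or datetime.now(timezone.utc)
    preds = []
    for tok in shlex.split(query):  # shlex keeps "failed password" as one token
        m = TERM_RE.match(tok)
        if not m:  # no field/operator: free-text phrase over all string fields
            preds.append(lambda d, p=tok.lower(): any(p in s.lower() for s in _strings(d)))
            continue
        neg, field, op, value = m.group("neg", "field", "op", "value")
        if field == "last" and op == ":":  # relative time window, e.g. last:24h
            cutoff = now - timedelta(seconds=int(value[:-1]) * DURATION_UNITS[value[-1]])
            pred = lambda d, c=cutoff: "timestamp" in d and datetime.fromisoformat(d["timestamp"]) >= c
        elif op == ":":  # field match; comma-separated alternatives are ORed
            pred = lambda d, f=field, alts=value.split(","): any(_match(_lookup(d, f), x) for x in alts)
        else:
            pred = lambda d, f=field, o=op, v=value: _compare(_lookup(d, f), o, v)
        preds.append((lambda d, p=pred: not p(d)) if neg else pred)
    return lambda doc: all(p(doc) for p in preds)


NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"id": 1, "timestamp": "2024-05-02T11:30:00+00:00", "severity": "high", "event_type": "failed_login",
     "agent_id": "agt_x", "origin": "agent", "message": "Failed password for root from 10.0.0.5"},
    {"id": 2, "timestamp": "2024-05-02T10:00:00+00:00", "severity": "critical", "event_type": "file_access",
     "agent_id": "agt_y", "origin": "agent", "target": {"path": "/var/www/app/.env"}, "message": "secrets file read"},
    {"id": 3, "timestamp": "2024-04-20T08:00:00+00:00", "severity": "high", "event_type": "sca",
     "agent_id": "agt_x", "origin": "demo", "title": "Brute force detected on sshd", "message": "demo finding"},
    {"id": 4, "timestamp": "2024-05-02T11:45:00+00:00", "severity": "low", "event_type": "process_start",
     "agent_id": "agt_x", "origin": "agent", "message": "cron started"},
]


def search_ids(query, docs=SAMPLE_EVENTS, now=NOW):
    """Run a query over the store and return the matching ids in store order."""
    pred = compile_nql(query, now)
    return [d["id"] for d in docs if pred(d)]


if __name__ == "__main__":
    for q in ["severity>=high last:24h", "event_type:failed_login,sca", "title:*brute*", "target.path:*.env",
              "-origin:demo", '"failed password"', "event_type:failed_login last:7d agent_id:agt_x"]:
        print(f"{q:48} -> {search_ids(q)}")
```

The last query in the usage loop is the one the plain-language translation produces, so the same evaluator shows what the AI-generated NQL actually selects. Note that a negated term on a field the event lacks (for example -origin:demo on an event with no origin) evaluates to true, because the inner match is false; a production store would need to decide whether a missing field should count as "not demo".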

XDR — correlated incidents

Many alerts across time fused into one kill-chain incident (e.g. brute-force → suspicious process → C2 beaconing). Click a row to expand the timeline, the MITRE techniques, and the recommended response.

AI Triage

Local AI cards that prioritise the queue: each shows a priority (P1 / P2 / P3), a score, the false-positive likelihood %, a confidence %, a plain-language kill-chain summary, and recommended actions plus suggested SOAR playbooks. The model learns from which alerts you dismiss — and costs nothing to run.

EDR — process tree

The real parent→child process tree per host, built from pid/ppid telemetry. A red node marks suspicious lineage, for example a web server spawning a shell (webshell / RCE), an Office application spawning a script interpreter, or an encoded PowerShell command line.
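
As an added example of how such a tree is rebuilt and how those three lineages are flagged, the following code takes flat pid/ppid records, links them per host, and reports the red nodes with their root-first ancestry. It is not Nexus's EDR code; the record fields (host, pid, ppid, image, cmdline), the process-name sets and the telemetry are assumptions and constructed data. The encoded-PowerShell check matches any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) and deliberately does not match -ExecutionPolicy.

```python
# Added example: rebuilding the parent→child tree from pid/ppid telemetry and
# flagging the lineages named above. Not Nexus's EDR code; the record fields
# (host, pid, ppid, image, cmdline), the process-name sets and the sample
# telemetry are assumptions / constructed data.
import ntpath  # basename() that understands both / and \ separators
import re
from collections import defaultdict

WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm", "w3wp.exe", "tomcat"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -en, -enc, ...
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?(?=\s)")


def build_tree(records):
    """Return {host: {pid: node}}; each node carries a lowercase 'name' and 'children'."""
    by_host = defaultdict(dict)
    for rec in records:
        node = dict(rec, name=ntpath.basename(rec["image"]).lower(), children=[])
        by_host[rec["host"]][rec["pid"]] = node
    for procs in by_host.values():
        for node in procs.values():
            parent = procs.get(node["ppid"])
            if parent is not None and parent is not node:  # guard pid == ppid loops
                parent["children"].append(node["pid"])
    return by_host


def lineage(procs, pid):
    """Walk ppid links to the root; returns names root-first, e.g. init -> php-fpm -> sh."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def suspicious(procs, node):
    """Reasons this node should be drawn red; an empty list means benign."""
    reasons = []
    parent = procs.get(node["ppid"])
    pname = parent["name"] if parent else None
    if pname in WEB_SERVERS and node["name"] in SHELLS:
        reasons.append(f"web server {pname} spawned shell {node['name']} (webshell / RCE)")
    if pname in OFFICE and node["name"] in SCRIPT_HOSTS:
        reasons.append(f"Office process {pname} spawned {node['name']}")
    if node["name"] in {"powershell.exe", "pwsh"} and ENCODED_PS.search(node.get("cmdline", "")):
        reasons.append("encoded PowerShell command line")
    return reasons


def find_red_nodes(records):
    """Return [(host, pid, root-first lineage, reasons)] for every flagged process."""
    hits = []
    for host, procs in build_tree(records).items():
        for pid, node in sorted(procs.items()):
            reasons = suspicious(procs, node)
            if reasons:
                hits.append((host, pid, lineage(procs, pid), reasons))
    return hits


SAMPLE_PROCS = [  # constructed telemetry, not real data
    {"host": "web01", "pid": 1, "ppid": 0, "image": "/sbin/init", "cmdline": "/sbin/init"},
    {"host": "web01", "pid": 800, "ppid": 1, "image": "/usr/sbin/nginx", "cmdline": "nginx: worker process"},
    {"host": "web01", "pid": 801, "ppid": 1, "image": "/usr/sbin/php-fpm", "cmdline": "php-fpm: pool www"},
    {"host": "web01", "pid": 4242, "ppid": 801, "image": "/bin/sh", "cmdline": "sh -c id"},
    {"host": "web01", "pid": 4243, "ppid": 1, "image": "/usr/sbin/cron", "cmdline": "/usr/sbin/cron -f"},
    {"host": "ws07", "pid": 4, "ppid": 0, "image": "System", "cmdline": ""},
    {"host": "ws07", "pid": 3100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws07", "pid": 5200, "ppid": 3100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"host": "ws07", "pid": 5310, "ppid": 5200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws07", "pid": 5320, "ppid": 3100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},  # benign admin script
]

if __name__ == "__main__":
    for host, pid, chain, reasons in find_red_nodes(SAMPLE_PROCS):
        print(host, pid, " -> ".join(chain), "|", "; ".join(reasons))
```

Two processes come back red: sh under php-fpm on web01, and the PowerShell under WINWORD.EXE on ws07, which trips both the Office-spawns-script rule and the encoded-command rule. The second PowerShell (an explorer-launched backup script with -ExecutionPolicy) stays benign, which is the kind of negative case worth keeping in a detection test set.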

UEBA — entity risk

A risk leaderboard of entities scored against their own behavioral baseline — volume spikes, off-hours activity, never-seen activity types, and peer-group outliers — each with the reasons that drove the score.
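
The four signals in that list can be turned into a scoring routine fairly directly. Here is an added example, not Nexus's UEBA implementation, that computes each entity's own baseline from daily history, scores today's activity against it (volume z-score, off-hours share, never-seen activity types) and against the entity's peer group, and returns a leaderboard with the reasons attached. The weights, thresholds, the 08:00-17:59 office-hours window and the three sample users are assumptions and constructed data.

```python
# Added example: scoring entities against their own baseline and their peer
# group, with the reasons attached. Not Nexus's UEBA implementation; the
# weights, thresholds, office-hours window and sample data are assumptions.
import statistics

OFFICE_HOURS = range(8, 18)  # assumption: 08:00-17:59 local is normal working time


def baseline(history):
    """history: {entity: [(events_that_day, {types seen that day}), ...]} -> per-entity stats."""
    stats = {}
    for entity, days in history.items():
        counts = [c for c, _ in days]
        stats[entity] = {
            "mean": statistics.fmean(counts),
            "std": statistics.pstdev(counts) or 1.0,  # flat baseline: avoid divide-by-zero
            "types": set().union(*(t for _, t in days)),
        }
    return stats


def score_entities(history, today, peer_groups):
    """today: {entity: [(hour, type), ...]} -> leaderboard sorted by risk, each with reasons."""
    stats = baseline(history)
    today_counts = {e: len(ev) for e, ev in today.items()}
    board = []
    for entity, events in today.items():
        base = stats.get(entity, {"mean": 0.0, "std": 1.0, "types": set()})
        n, score, reasons = len(events), 0, []
        z = (n - base["mean"]) / base["std"]            # volume vs own baseline
        if z >= 3:
            score += min(40, int(10 * z))
            reasons.append(f"volume spike: {n} events, z={z:.1f}")
        off = sum(1 for h, _ in events if h not in OFFICE_HOURS)
        if n and off / n > 0.5:                          # mostly off-hours
            score += 20
            reasons.append(f"off-hours activity: {off}/{n} events")
        new_types = {t for _, t in events} - base["types"]
        if new_types:                                    # never-seen activity types
            score += 15 * len(new_types)
            reasons.append(f"never-seen activity: {sorted(new_types)}")
        peers = [today_counts[p] for p in peer_groups.get(entity, []) if p != entity and p in today_counts]
        if peers and n > 3 * statistics.median(peers):  # peer-group outlier
            score += 15
            reasons.append(f"peer outlier: {n} events vs peer median {statistics.median(peers):g}")
        board.append({"entity": entity, "score": min(score, 100), "reasons": reasons})
    return sorted(board, key=lambda r: r["score"], reverse=True)


# Constructed sample: ten quiet days for three finance users, then one odd day for alice.
_DAYS = [20, 22, 18, 21, 19, 20, 22, 18, 21, 19]
SAMPLE_HISTORY = {u: [(c, {"login", "file_read"}) for c in _DAYS] for u in ("alice", "bob", "carol")}
SAMPLE_TODAY = {
    "alice": [(2, "file_read")] * 60 + [(10, "login")] * 29 + [(3, "usb_mount")],
    "bob": [(9, "login")] * 5 + [(14, "file_read")] * 16,
    "carol": [(9, "login")] * 4 + [(15, "file_read")] * 15,
}
PEER_GROUPS = {u: ["alice", "bob", "carol"] for u in ("alice", "bob", "carol")}

if __name__ == "__main__":
    for row in score_entities(SAMPLE_HISTORY, SAMPLE_TODAY, PEER_GROUPS):
        print(row["entity"], row["score"], row["reasons"])
```

alice lands at the top with all four reasons (a 90-event day against a baseline of 20, most of it at 02:00-03:00, a first-ever usb_mount, and four times her peers' median), while bob and carol score zero. The reasons list is what makes the score actionable: an analyst can see which signal drove it rather than trusting an opaque number.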

Threat Intel

The IOC database (IP / domain / URL / hash) plus stats: total IOCs, matches against real telemetry, and a breakdown by type. Import feeds (abuse.ch, MISP, OTX); every match flows straight into alerts.

Cloud (CSPM)

A cloud posture score plus the CIS-style findings behind it (public storage, open security groups, root without MFA, unencrypted volumes, …) from a config evaluation or a Prowler import.

NDR — network detection

Top external talkers and network-threat stats from connection telemetry — beaconing / C2 (periodic, low-jitter connections), port scans, and connections to known-bad IOC destinations.
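
The beaconing heuristic in that sentence (periodic, low-jitter connections) is simple enough to show in full. The following is an added example, not Nexus's NDR code, that ranks external talkers, flags flows whose inter-arrival gaps have a low coefficient of variation, spots a source probing many ports on one host, and cross-checks destinations against an IOC set. Record fields (ts in seconds, src, dst, dport), thresholds and the IOC list are assumptions; the traffic is constructed. Because the sample uses RFC 5737 documentation addresses to stand in for external hosts, "internal" is defined as an explicit list of networks rather than via ipaddress's is_global, which treats those documentation ranges as reserved.

```python
# Added example: the three NDR checks named above over connection telemetry.
# Not Nexus's NDR code. Record fields (ts in seconds, src, dst, dport), the
# thresholds and the IOC list are assumptions; the traffic is constructed.
# RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) stand in for
# external hosts, so "internal" is an explicit list instead of is_global.
import ipaddress
import statistics
from collections import Counter, defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def top_external_talkers(conns, n=5):
    """External destinations ranked by connection count."""
    return Counter(c["dst"] for c in conns if is_external(c["dst"])).most_common(n)


def beacon_candidates(conns, min_conns=6, max_jitter=0.15):
    """Flows whose inter-arrival gaps are regular: jitter = stdev(gaps) / mean(gaps)."""
    flows = defaultdict(list)
    for c in conns:
        flows[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    found = []
    for key, times in flows.items():
        if len(times) < min_conns:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            found.append({"flow": key, "count": len(times), "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return found


def port_scans(conns, min_ports=10):
    """Sources touching many distinct ports on one destination."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["src"], c["dst"])].add(c["dport"])
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports]


def ioc_hits(conns, bad_ips):
    """Internal sources that connected to a known-bad destination."""
    return sorted({(c["src"], c["dst"]) for c in conns if c["dst"] in bad_ips})


def build_sample():
    conns = []
    for i, j in enumerate([0, 1, -1, 0, 1, 0, -1, 0]):  # 60 s beacon with +/-1 s jitter
        conns.append({"ts": 1000 + 60 * i + j, "src": "10.0.0.23", "dst": "203.0.113.9", "dport": 443})
    for t in (1005, 1012, 1130, 1131, 1400, 1402, 1900):   # human browsing: irregular gaps
        conns.append({"ts": t, "src": "10.0.0.42", "dst": "198.51.100.7", "dport": 443})
    for port in range(20, 32):                              # 12 ports probed on an internal host
        conns.append({"ts": 2000 + port, "src": "10.0.0.99", "dst": "10.0.0.5", "dport": port})
    return conns


SAMPLE_IOCS = {"203.0.113.9"}  # constructed IOC list

if __name__ == "__main__":
    conns = build_sample()
    print(top_external_talkers(conns))
    print(beacon_candidates(conns))
    print(port_scans(conns))
    print(ioc_hits(conns, SAMPLE_IOCS))
```

The browsing flow has as many connections as the beacon but its gaps range from 1 s to 498 s, so its jitter is far above the threshold and it is not reported; the beacon's gaps are 58-61 s and come out with jitter about 0.02. Real C2 often adds deliberate sleep jitter, so max_jitter is a tuning knob, not a constant.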

SOAR — playbooks

Your automated playbooks (trigger, mode, enabled) and a log of recent runs with their outcome. A playbook reacts to an alert or incident and runs a sequence of steps — notify, block IP, isolate, kill process, and more.

Destructive actions are dry-run by default. Anything that touches an endpoint (block IP, kill process, isolate) is triple-gated: the playbook mode must be active (the default is dry_run), the license must include active response, and the agent policy's active_response section must list the action in ar_allowed_actions. Nothing destructive fires until all three gates are open, and a protected-IP allowlist keeps a block or isolate step from locking you out of your own infrastructure.
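
As an added example of what "triple-gated" means in code, the function below evaluates a playbook's steps fail-closed: a destructive step is only marked runnable when the mode, the license and the agent policy all agree, and a block or isolate aimed at a protected address is refused even then. This is not Nexus's own code. The configuration keys it reads (playbook["mode"], license["features"], policy["active_response"]["ar_allowed_actions"] and ["protected_ips"]) are assumptions about the config shape; the page names the concepts, not the exact keys, and the licenses, policy and steps are constructed.

```python
# Added example: the three gates described above, evaluated fail-closed before
# a destructive step runs. Not Nexus's own code. The configuration keys
# (playbook["mode"], license["features"], policy["active_response"]
# ["ar_allowed_actions"] and ["protected_ips"]) are assumptions about the
# config shape; the page names the concepts, not the exact keys.
import ipaddress

DESTRUCTIVE = {"block_ip", "kill_process", "isolate"}


def gate_action(step, playbook, license_info, policy):
    """Return (allowed, reason). Missing configuration counts as a closed gate."""
    action = step["action"]
    if action not in DESTRUCTIVE:
        return True, f"{action}: non-destructive, always allowed"
    mode = playbook.get("mode", "dry_run")                          # gate 1: playbook mode
    if mode != "active":
        return False, f"{action}: playbook mode is {mode}, logged but not executed"
    if "active_response" not in license_info.get("features", ()):   # gate 2: license
        return False, f"{action}: license does not include active response"
    ar = policy.get("active_response", {})                           # gate 3: agent policy
    if action not in ar.get("ar_allowed_actions", ()):
        return False, f"{action}: not in ar_allowed_actions"
    if action in {"block_ip", "isolate"} and "target" in step:       # lock-out guard
        target = ipaddress.ip_address(step["target"])
        for cidr in ar.get("protected_ips", ()):
            if target in ipaddress.ip_network(cidr, strict=False):
                return False, f"{action}: {target} is protected by {cidr}"
    return True, f"{action}: all three gates open"


def run_playbook(steps, playbook, license_info, policy):
    """Evaluate every step and return [(action, allowed, reason)]; nothing is executed here."""
    return [(s["action"], *gate_action(s, playbook, license_info, policy)) for s in steps]


# Constructed configuration for the sample run.
LICENSE_WITH_AR = {"tier": "pro", "features": ["xdr", "active_response"]}
LICENSE_WITHOUT_AR = {"tier": "basic", "features": ["xdr"]}
POLICY = {"active_response": {"ar_allowed_actions": ["block_ip", "kill_process"],
                              "protected_ips": ["10.0.0.0/24", "192.168.1.10"]}}
PLAYBOOK_DRY = {"name": "ssh-brute-force", "trigger": "alert", "mode": "dry_run"}
PLAYBOOK_ACTIVE = dict(PLAYBOOK_DRY, mode="active")
STEPS = [
    {"action": "notify", "channel": "soc"},
    {"action": "block_ip", "target": "203.0.113.9"},   # the attacker
    {"action": "block_ip", "target": "10.0.0.7"},      # inside the manager's own subnet
    {"action": "kill_process", "pid": 4242},
    {"action": "isolate", "agent_id": "agt_x"},        # not in ar_allowed_actions
]

if __name__ == "__main__":
    for label, pb, lic in [("dry-run", PLAYBOOK_DRY, LICENSE_WITH_AR),
                           ("active, no AR license", PLAYBOOK_ACTIVE, LICENSE_WITHOUT_AR),
                           ("active, licensed", PLAYBOOK_ACTIVE, LICENSE_WITH_AR)]:
        print(label)
        for action, ok, why in run_playbook(STEPS, pb, lic, POLICY):
            print("  ", "RUN " if ok else "SKIP", why)
```

Only the fully licensed, active run lets anything destructive through, and even there the block against 10.0.0.7 is refused by the allowlist and isolate is refused because the policy never granted it. Every refusal carries the reason for the run log, which is what you want to read before flipping a playbook from dry_run to active.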

Your first five minutes

1. Connect. Paste host / port / admin token, click Connect, and wait for the green dot.
2. Search. Open Search and run severity>=high last:24h to see what matters today, or click the AI button and ask in plain language.
3. Open an XDR incident. Go to XDR, click the top incident, and read the kill-chain timeline and MITRE techniques.
4. Read the AI triage. Switch to AI Triage: the same incident now has a priority, a false-positive estimate, a summary, and suggested actions.
5. Inspect a playbook. Open SOAR, see which playbook would respond, and confirm its mode. Keep destructive ones in dry_run until you trust them.