Nexus Hub — Content Packs

Detection content is worth sharing — a good ruleset, a curated IOC list, a tested playbook. Nexus Hub packages all three into a portable bundle you can export, hand to another deployment, and install offline. A built-in catalog ships starter packs to get you going.

Topic: Content distribution · Sharing
Pack format: nexus-pack/1
Contains: Rules · IOCs · SOAR playbooks
API: /pack/catalog · /pack/install

What it does

A content pack is a portable bundle in the nexus-pack/1 format. It carries detection content — detection rules, threat-intel IOCs and SOAR playbooks — in a single file you can move between deployments. Because installing is fully offline, packs pair naturally with air-gapped mode: carry the file across the gap and install it without ever touching the internet.

  • Rules — detection rules for the rule engine.
  • Threat-intel IOCs — indicators for the TI store.
  • SOAR playbooks — automated response playbooks.
  • Portable & offline — one file, installed without any network — ideal for air-gapped sites.

The built-in catalog

Nexus ships a catalog of starter packs so you have working content from day one. List them with nexus-cli pack-catalog.

  • id-fintech-baseline — a baseline for Indonesian fintech environments.
  • web-app-starter — starter content for web-application defense.
  • ransomware-response — detection and response for ransomware.

How to use it

1. Browse the catalog
See the starter packs available to install.
bash
nexus-cli pack-catalog

2. Install a pack
Install a catalog pack by id — its rules, IOCs and playbooks are loaded in.
bash
nexus-cli pack-install --id ransomware-response

3. Export your own content
Bundle your current rules, IOCs and playbooks into a portable file to share or archive.
bash
nexus-cli pack-export --file mypack.json

4. Import a pack
Install a pack from a file — for example one exported on another deployment.
bash
nexus-cli pack-import --file mypack.json

REST API

endpoints
GET  /pack/catalog    # list the built-in starter packs
GET  /pack/export     # export current rules + IOCs + playbooks
POST /pack/import     # import a pack bundle
POST /pack/install    # install a catalog pack by id

How it fits the pipeline

Content packs feed the very engines that run your detection: the rules land in the rule engine, the IOCs in the threat-intel store, and the playbooks in SOAR. Pair Hub with air-gapped mode to distribute content into disconnected sites — export on a connected side, carry the file across, and install offline.
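
One way to gate the offline import on an integrity check when a pack file is carried across an air gap, as an added example that is not part of the Nexus documentation. The `.sha256` sidecar file and the function names `pack_digest`, `pack_seal`, `pack_verify` and `pack_import_verified` are assumptions of this example; only `nexus-cli pack-export --file` and `nexus-cli pack-import --file` come from the page.

```shell
# Added example: integrity-gated pack transfer. The sidecar convention and the
# function names are assumptions; only the nexus-cli commands are from the docs.

# Print the SHA-256 hex digest of a file (GNU coreutils, or shasum on BSD/macOS).
pack_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Connected side: record the digest next to the exported pack.
# Run after: nexus-cli pack-export --file mypack.json
pack_seal() {
    [ -f "$1" ] || { echo "no such pack: $1" >&2; return 2; }
    pack_digest "$1" > "$1.sha256"
}

# Disconnected side: return 0 only if the pack matches its recorded digest,
# 1 on a mismatch, 2 if the pack or a well-formed sidecar is missing.
pack_verify() {
    pack="$1"
    [ -f "$pack" ] && [ -f "$pack.sha256" ] || { echo "pack or sidecar missing: $pack" >&2; return 2; }
    expected=$(tr -d '[:space:]' < "$pack.sha256")
    # A usable sidecar holds exactly 64 lowercase hex characters.
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed digest in $pack.sha256" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest in $pack.sha256" >&2; return 2; }
    actual=$(pack_digest "$pack")
    if [ "$expected" != "$actual" ]; then
        echo "digest mismatch for $pack: refusing to import" >&2
        return 1
    fi
}

# Import only a pack that verified; the import command is the one from the docs.
pack_import_verified() {
    pack_verify "$1" && nexus-cli pack-import --file "$1"
}
```

A digest carried on the same media as the pack detects corruption in transit, not deliberate modification by someone who can rewrite both files; move the `.sha256` file by a separate path or sign it where that matters.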

Tips

  • Start a new deployment with a catalog pack so it has working detections immediately.
  • Export your tuned content as a pack to standardize detection across multiple managers.
  • For air-gapped sites, export on the connected side and import on the disconnected one.

Detection you can hand off. A ruleset is only as useful as the places it runs. Packs make your rules, intel and playbooks portable — share them, version them, and install them anywhere, even offline.