Nexus SecOps — the SOC brain

Nine analytics modules consolidate the de-duplicated capabilities of 20 enterprise tools into one platform inside nexus-fleet. They read the manager's real event/alert store — never demo data — and feed each other from detection all the way to automated response.

One install, modules inside. SecOps is part of nexus-fleet — no extra package, no second agent, no external API. It is the analytics plane on top of the Fleet data plane (see /docs/ecosystem). Premium matching (Threat-Intel, CSPM, advanced rules) needs a Pro/Enterprise license; the engine is the same in every tier.

The nine pillars

  • SIEM — search & aggregate the event/alert store with the NQL query language.
  • XDR — fuse many alerts across time into one kill-chain incident.
  • EDR — real process tree (pid/ppid) + suspicious-lineage detection.
  • UEBA — per-entity behavioral baselines + anomaly scoring + peer analysis.
  • SOAR — playbooks that run real, dry-run-safe active response.
  • Threat Intel — IOC store + match on real telemetry + feed import.
  • NDR — beaconing/C2, port-scan & IOC-destination detection from network flows.
  • Cloud (CSPM) — evaluate cloud config against CIS + import Prowler.
  • AI Triage — a local engine that prioritizes, summarizes & recommends — no token cost.

1 · SIEM — search & analytics

The best of Splunk / Elastic / QRadar / Graylog in one query engine. NQL (Nexus Query Language) searches the real event and alert store; the dashboard Search view also has a plain-language → NQL button powered by the local AI.

NQL examples:

```text
severity>=high last:24h            # high+critical in the last day
event_type:failed_login,sca         # IN (comma = OR)
title:*brute* -origin:demo          # wildcard contains, NOT demo
target.path:*.env                   # nested JSON field match
"failed password" last:7d           # free-text phrase + time window
```

2 · XDR — correlation

Like Microsoft Defender XDR / Palo Alto Cortex XDR, the correlation engine groups alerts that belong together — across time and source — into a single incident with a kill-chain timeline and MITRE techniques. A brute-force followed by a suspicious process on the same host becomes one "possible compromise" incident, not two lonely alerts.

It runs automatically. Correlation runs on every ingest. Open the dashboard XDR view and click an incident to see its timeline, or query the API at /api/v1/xdr/incidents.

3 · EDR — process tree

The CrowdStrike Falcon / SentinelOne signature feature: not a flat process list but the ancestry (parent → child) so you can see how a malicious process was born. Detection is behavioral — a web server spawning a shell (webshell/RCE), an office app spawning a script (macro), or an encoded PowerShell command — not just a bad name.

The kill chain a tree reveals:

```text
systemd ─▶ nginx ─▶ bash ─▶ mimikatz   ◀── flagged: web server → shell → cred theft
```
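The lineage detection described above, as an added example that is not nexus-fleet's own code: it rebuilds the ancestry from pid/ppid records and flags the three behaviors named in the text. The record field names, the process-name sets and the sample telemetry are assumptions made for the example.

```python
import re

PROCESSES = [  # constructed sample telemetry: one record per process, as a sensor would report it
    {"pid": 1,    "ppid": 0,    "name": "systemd",       "cmd": "/sbin/init"},
    {"pid": 812,  "ppid": 1,    "name": "nginx",         "cmd": "nginx: worker process"},
    {"pid": 4401, "ppid": 812,  "name": "bash",          "cmd": "bash -c id"},
    {"pid": 4409, "ppid": 4401, "name": "mimikatz",      "cmd": "./mimikatz"},
    {"pid": 3000, "ppid": 1,    "name": "winword.exe",   "cmd": "WINWORD.EXE report.docx"},
    {"pid": 3001, "ppid": 3000, "name": "powershell.exe",
     "cmd": "powershell.exe -NoP -EncodedCommand SQBFAFgA"},
    {"pid": 900,  "ppid": 1,    "name": "sshd",          "cmd": "/usr/sbin/sshd"},
    {"pid": 901,  "ppid": 900,  "name": "bash",          "cmd": "-bash"},
]

WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm"}            # assumed name sets
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)

def build_tree(records):
    """Index records by pid so ancestry can be walked parent by parent."""
    return {r["pid"]: r for r in records}

def lineage(tree, pid):
    """Return [root, ..., pid] process names; stops on unknown or cyclic ppids."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid]["name"])
        pid = tree[pid]["ppid"]
    return list(reversed(chain))

def detect(records):
    """Behavioral rules over ancestry; every hit carries the full lineage and a reason."""
    tree, hits = build_tree(records), []
    for r in records:
        chain = lineage(tree, r["pid"])
        ancestors, reasons = set(chain[:-1]), []
        if r["name"] in SHELLS and ancestors & WEB_SERVERS:
            reasons.append("web server spawned a shell (possible webshell/RCE)")
        if r["name"] in SCRIPT_HOSTS and ancestors & OFFICE_APPS:
            reasons.append("office app spawned a script host (possible macro)")
        if r["name"] == "powershell.exe" and ENCODED_PS.search(r["cmd"]):
            reasons.append("encoded PowerShell command line")
        for reason in reasons:
            hits.append({"pid": r["pid"], "lineage": " > ".join(chain), "reason": reason})
    return hits
```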

4 · UEBA — behavioral analytics

Securonix-style entity behavior analytics. Nexus builds a baseline per entity from real event history (time-of-day profile, known activity types, severity rate) and scores deviations with explainable reasons — never a black box.

  • Volume spike — activity far above the entity's daily baseline.
  • Off-hours — activity in hours the entity was never active.
  • New activity — an event type the entity has never produced.
  • Severity escalation — a jump in high/critical events.
  • Peer outlier — far from the median of its peers (MAD).
```bash
# train baselines from ~14 days of real events, then score:
nexus cli   # → SecOps menu, or via the manager API: POST /api/v1/ueba/train
            #                                          POST /api/v1/ueba/scan
```
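The baseline-then-score flow of the list above, as an added example (not nexus-fleet's code): it trains a per-entity baseline (active hours, known event types, daily volume) and scores the volume-spike, off-hours, new-activity and MAD peer-outlier rules with a plain reason for each. The event tuple layout, the point weights and the sample history are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed 14-day baseline history: entity -> hours at which it normally logs in.
PEERS = {"alice": (9, 10, 14, 16), "bob": (8, 12), "carol": (9, 17), "dave": (10, 11)}
HISTORY = [(e, d, h, "login", "low") for e, hrs in PEERS.items() for d in range(14) for h in hrs]
# Constructed day to score: alice is active at 03:00 with a burst of an event type she never produced.
TODAY = ([("alice", 14, 3, "login", "low")] + [("alice", 14, 3, "sca", "high")] * 12
         + [("bob", 14, 8, "login", "low")] + [("carol", 14, 9, "login", "low")] * 2
         + [("dave", 14, 10, "login", "low")] * 2)

def train(history):
    """Baseline per entity: active hours, known event types, mean events per day."""
    base = defaultdict(lambda: {"hours": set(), "types": set(), "days": set(), "n": 0})
    for ent, day, hour, etype, _sev in history:
        b = base[ent]
        b["hours"].add(hour); b["types"].add(etype); b["days"].add(day); b["n"] += 1
    return {e: {**b, "daily": b["n"] / len(b["days"])} for e, b in base.items()}

def mad_outlier(value, peers, k=3.0):
    """Robust peer test: |x - median| > k * MAD, MAD scaled by 1.4826 (~one sigma)."""
    med = median(peers)
    mad = 1.4826 * median(abs(p - med) for p in peers)
    return mad > 0 and abs(value - med) > k * mad   # zero spread -> no verdict

def score(baselines, events):
    """Return {entity: (score 0-100, reasons)}; each rule adds points and says why."""
    per_ent = defaultdict(list)
    for ev in events:
        per_ent[ev[0]].append(ev)
    volumes = {e: len(evs) for e, evs in per_ent.items()}
    out = {}
    for ent, evs in per_ent.items():
        b = baselines.get(ent)
        if b is None:
            out[ent] = (0, ["no baseline yet (collecting)"]); continue
        pts, why = 0, []
        if volumes[ent] > 3 * b["daily"]:
            pts += 30; why.append(f"volume spike: {volumes[ent]} vs daily baseline {b['daily']:.1f}")
        off = sorted({ev[2] for ev in evs} - b["hours"])
        if off:
            pts += 20; why.append(f"off-hours activity at hours {off}")
        new = sorted({ev[3] for ev in evs} - b["types"])
        if new:
            pts += 20; why.append(f"never-seen event types: {new}")
        if mad_outlier(volumes[ent], list(volumes.values())):
            pts += 30; why.append("peer outlier: volume far from the peer median (MAD)")
        out[ent] = (min(100, pts), why)
    return out
```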

5 · Threat Intelligence

An IOC database (IP, domain, URL, hashes) that matches against your real telemetry. Import feeds the way MISP / OTX / abuse.ch publish them; a match becomes a high-severity alert that flows into XDR and SOAR. After adding a feed, retro-hunt scans existing events for the new indicators.

Import a real feed, then retro-hunt:

```bash
# text feed (one indicator per line — abuse.ch Feodo/URLhaus style):
POST /api/v1/ti/import  { "url": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
                          "fmt": "text", "threat": "feodo" }
POST /api/v1/ti/scan    { "lookback": 604800 }   # retro-hunt the last week
```

6 · NDR — network detection

Security Onion / Zeek + IBM QRadar QFlow in spirit: detect threats that are invisible in a single connection. From real connection telemetry NDR finds beaconing / C2 (periodic callbacks with low jitter, the way malware phones home), port scans, and connections to known-bad destinations (reusing the Threat-Intel pillar).

Periodicity, not signatures. A beacon is regular by nature. Nexus measures the interval and jitter between repeated connections to the same destination — a low-jitter cadence to an external host is a beacon, even if the IP has never been seen before.
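The interval-and-jitter measurement described above, as an added example that is not nexus-fleet's code: it groups flows per (source, destination, port), measures the mean gap and its coefficient of variation, and reports low-jitter cadences to external hosts. The flow tuple layout, the thresholds, the RFC1918 definition of "internal" and the sample flows are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FLOWS = (  # constructed flow records: (timestamp_seconds, src, dst, dst_port)
    # every ~60 s with +-1..2 s of jitter to an external host: beacon-like
    [(1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.7", 443) for i in range(12)]
    # irregular browsing to another external host: not a beacon
    + [(1000 + t, "10.0.0.5", "198.51.100.9", 443)
       for t in (3, 40, 41, 300, 950, 951, 1400, 1401, 2000)]
    # perfectly regular but internal (e.g. a monitoring poll): ignored
    + [(1000 + 30 * i, "10.0.0.5", "10.0.0.100", 9100) for i in range(12)]
)

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def find_beacons(flows, min_conns=8, max_jitter=0.2, min_interval=5):
    """Per (src, dst, port): mean interval and jitter = stdev/mean of the gaps."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_conns or is_internal(dst):
            continue  # too few samples to judge cadence, or an internal destination
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue  # a burst, not periodic callbacks
        jitter = pstdev(gaps) / avg   # 0 = perfectly periodic
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(stamps),
                         "interval_s": round(avg, 1), "jitter": round(jitter, 3),
                         "why": "low-jitter cadence to an external host"})
    return hits
```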

7 · Cloud — CSPM

Cloud Security Posture Management like Cortex / Defender for Cloud. Evaluate cloud resource configuration against CIS-style checks — public storage buckets, security groups open to 0.0.0.0/0, root without MFA, public databases, unencrypted volumes — or import an existing Prowler scan. Findings get a posture score and flow into the pipeline.

```bash
POST /api/v1/cloud/scan  { "resources": [ { "type": "s3_bucket", "id": "b", "public": true } ] }
# or import Prowler output:
POST /api/v1/cloud/scan  { "prowler": <prowler-json> }
GET  /api/v1/cloud/posture
```

8 · SOAR — automated response

Palo Alto Cortex XSOAR / Google SecOps SOAR in miniature: a playbook is a trigger plus ordered steps, with a full run history. Steps run real Fleet active-response (block IP, enable firewall, kill process, harden) plus notify and incident-status changes.

Safe by default — triple-gated. Destructive playbooks default to dry_run (they only log what they would do). Real execution needs all three gates open: the playbook mode set to active, a license with active_response, and the agent policy.ar_allowed_actions permitting it (with a protected-IP allowlist so you never lock yourself out).

9 · AI Triage — local, zero token

Nexus ships its own AI — not a cloud copilot. It is a local, explainable engine (a Naive-Bayes classifier that learns from your analyst dispositions, heuristic priority scoring, template kill-chain summaries, and a natural-language → query translator). It is bundled with nexus-fleet, starts with the manager, and costs nothing per query — no API key, no token bill.

  • Prioritize — P1/P2/P3 with a transparent score, damped by a false-positive estimate.
  • Summarize — a human-readable kill-chain narrative per incident.
  • Recommend — response steps + suggested SOAR playbooks (from a MITRE knowledge base).
  • Translate — plain language → NQL in the Search view.
  • Learn — it gets better as you resolve/ack alerts; honest "collecting" mode until it has enough data.

Where to use it

Every pillar is visible in the manager's web dashboard under the SecOps group (see /docs/dashboard), callable from the nexus CLI, and exposed on the manager REST API (/api/v1/search, /xdr/*, /ai/*, /edr/*, /ueba/*, /ti/*, /cloud/*, /ndr/*, /soar/*). Get the admin token from nexus manager info.