
SIEM — Search & Analytics

One query engine for everything the manager stores. NQL (Nexus Query Language) searches the real events and alerts, and the aggregation API powers dashboards and timelines — no separate index to run.

Best-of: Splunk · Elastic · QRadar · Graylog
Module: nexus_secops/siem.py
Edition: Free (core) — searches whatever the manager stores
API: /api/v1/search · /api/v1/siem/stats

What it does

SIEM is the search layer over the manager's events and alerts tables. Instead of bolting on a heavyweight indexer, Nexus gives you a compact query language and a set of aggregations that read the same store every other pillar uses — so a search, a dashboard chart, and a detection all see the same data.

  • Search two indexes: events (raw telemetry) and alerts (rule hits).
  • Aggregate — counts by severity, top values of a field, and a time histogram.
  • Validate: explain parses a query without running it (used by the UI).

How to use it

1. From the dashboard
   Open the Search view, pick the index (events/alerts), type an NQL query and run it. The plain-language → NQL button (powered by the local AI) turns a sentence into a query.
2. From the API
   Query the manager directly with the admin token from nexus manager info.

curl -H "X-Admin-Token: $TOKEN" \
  "http://<manager>:8765/api/v1/search?index=alerts&q=severity%3E%3Dhigh%20last%3A24h"

curl -H "X-Admin-Token: $TOKEN" \
  "http://<manager>:8765/api/v1/siem/stats?index=events&top_field=event_type"

NQL — the query language

Tokens are separated by spaces and combined with AND. The syntax is deliberately small:

NQL cheatsheet
severity:high                 field equals (case-insensitive)
severity>=high                severity comparison (info<low<medium<high<critical)
level>=12                     numeric comparison (alerts)
event_type:failed_login,sca   IN — comma means OR
title:*brute*                 wildcard contains (also: ~brute)
-origin:demo                  NOT (negation)
target.path:*.env             nested JSON field
last:24h                      relative time window (m / h / d)
"failed password"             free-text phrase across title + detail

Worked examples

severity>=high last:24h                 # everything serious today
event_type:ioc_match last:7d            # threat-intel hits this week
rule_id:NEXUS-EDR-001                   # suspicious process lineage
agent_id:agt_web01 -severity:info       # one host, drop the noise
target.path:*.env                       # any .env touched

Aggregations

/siem/stats returns a dashboard-ready summary for any query: total matches, a breakdown by severity, the top values of a chosen field (default event_type), and a time-bucketed histogram for trend lines.

How it feeds the pipeline

SIEM is read-only — it does not create alerts. It is the lens you use to investigate what the other pillars produced: search for the alerts behind an XDR incident, confirm a Threat-Intel match, or scope a UEBA anomaly before you act in SOAR.

Tips

  • Start broad with last:24h, then narrow by event_type or agent_id.
  • Field names are allow-listed and values are bound parameters — NQL is safe from injection.
  • Use the AI "plain language → NQL" button when you are not sure of the field names.
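To make the cheatsheet semantics and the "allow-listed fields, bound values" rule from the Tips concrete, here is a small NQL-to-SQL compiler. It is an added example, not nexus_secops/siem.py: the column names, the ts epoch column, the data JSON column and the SQLite strftime/json_extract calls are all assumptions.

```python
import operator
import re

SEVERITY = ["info", "low", "medium", "high", "critical"]   # ordinal ladder from the cheatsheet
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
# Allow-list: NQL field -> SQL expression. Column names are assumed; unknown fields are rejected.
FIELDS = {
    "severity": "severity", "level": "level", "event_type": "event_type", "title": "title",
    "rule_id": "rule_id", "agent_id": "agent_id", "origin": "origin",
    "target.path": "json_extract(data, '$.target.path')",   # nested JSON field (SQLite syntax)
}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')                      # a quoted phrase or a bare token
TERM = re.compile(r"([\w.]+)(>=|<=|>|<|:|~)(.+)")           # field, operator, value

def compile_nql(query: str):
    """Compile NQL into (where_sql, params): columns come only from FIELDS, values are bound."""
    clauses, params = [], []
    for tok in (a or b for a, b in TOKEN.findall(query)):
        neg = tok.startswith("-")                            # leading '-' negates the term
        m = TERM.fullmatch(tok[1:] if neg else tok)
        field, op, value = m.groups() if m else (None, None, tok.lstrip("-"))
        if field is None:                                    # no operator: phrase over title + detail
            sql, vals = "(title LIKE ? OR detail LIKE ?)", [f"%{value}%"] * 2
        elif field == "last":                                # relative window, e.g. last:24h
            n, unit = re.fullmatch(r"(\d+)([mhd])", value).groups()
            sql, vals = "ts >= strftime('%s','now') - ?", [int(n) * UNIT_SECONDS[unit]]
        elif field not in FIELDS:
            raise ValueError(f"unknown field: {field}")
        elif op == ":" and "," in value:                     # IN: comma means OR
            vals = [v.lower() for v in value.split(",")]
            sql = f"lower({FIELDS[field]}) IN ({','.join('?' * len(vals))})"
        elif op == "~" or value.startswith("~") or "*" in value:   # wildcard contains
            sql = f"{FIELDS[field]} LIKE ?"
            vals = [value.replace("*", "%") if "*" in value else f"%{value.lstrip('~')}%"]
        elif op == ":":                                      # equality, case-insensitive
            sql, vals = f"lower({FIELDS[field]}) = ?", [value.lower()]
        elif field == "severity":                            # ordinal comparison on the ladder
            rank = SEVERITY.index(value.lower())
            vals = [s for s in SEVERITY if OPS[op](SEVERITY.index(s), rank)]
            sql = f"lower({FIELDS[field]}) IN ({','.join('?' * len(vals))})"
        else:                                                # numeric comparison, e.g. level>=12
            sql, vals = f"{FIELDS[field]} {op} ?", [float(value)]
        clauses.append(f"NOT {sql}" if neg else sql)
        params += vals
    return " AND ".join(clauses) or "1=1", params
```

Because every user-supplied value lands in params and every column name comes from FIELDS, a token such as title:x' OR '1'='1 produces only placeholders in the SQL text; the quotes travel as data.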
Same data, one source of truth. Search reads the exact store the manager already keeps — there is no second copy of your data to index, sync, or secure.