Tips & Best Practices
Short, practical advice for getting the most out of Nexus — from staying safe with automated response to feeding threat intel, training the analytics, and hunting day to day.
Start automated response in dry-run
Every destructive SOAR playbook ships in dry_run mode: it records what it would do without touching the endpoint. Leave it that way until you trust the trigger.
- Flip a playbook to active only when you're confident in its conditions.
- Enable active_response in the agent policy and list exactly which actions are allowed in ar_allowed_actions — nothing runs that isn't on the list.
- Keep your management IPs in ar_protected_ips so a block rule can never lock you out.
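The gating described in this section, as an added example that is not Nexus's own code: it models a playbook, a license tier and an agent policy using the field names on this page (dry_run/active, active_response, ar_allowed_actions, ar_protected_ips) and fails closed to dry-run whenever any gate is shut. The data shapes, function names and tier strings are assumptions.

```python
"""Illustrative model of the active-response gates (not Nexus's own code)."""
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Playbook:
    name: str
    mode: str = "dry_run"  # shipped default; the only other value is "active"

@dataclass
class AgentPolicy:
    active_response: bool = False
    ar_allowed_actions: set = field(default_factory=set)
    ar_protected_ips: set = field(default_factory=set)  # single IPs or CIDRs

@dataclass
class License:
    tier: str  # assumed values: "free", "pro" or "enterprise"

def license_allows_ar(lic):
    # Active response is listed under Pro and Enterprise only.
    return lic.tier in ("pro", "enterprise")

def is_protected(ip, protected):
    # Treat every entry as a network so "10.0.0.1" and "10.0.0.0/24" both work.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in protected)

def decide(playbook, lic, policy, action, target_ip=None):
    """Return ("execute", reason) only when every gate is open.

    Any closed gate yields ("dry_run", reason); a target listed in
    ar_protected_ips yields ("refused", reason) so a block cannot lock you out.
    """
    if playbook.mode != "active":
        return "dry_run", "playbook is not active"
    if not license_allows_ar(lic):
        return "dry_run", "license lacks active response"
    if not policy.active_response:
        return "dry_run", "active_response disabled in agent policy"
    if action not in policy.ar_allowed_actions:
        return "dry_run", f"{action} is not in ar_allowed_actions"
    if target_ip and is_protected(target_ip, policy.ar_protected_ips):
        return "refused", f"{target_ip} is in ar_protected_ips"
    return "execute", "all gates open"
```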
An action actually runs only when all three gates are open: the playbook is active, the license includes active response, and the agent policy permits that action. Any one gate closed = dry-run.
Feed Threat Intelligence real feeds
The IOC store is empty until you fill it — that's deliberate (no fake indicators). Import real feeds, then matches on your telemetry become alerts automatically.
# abuse.ch Feodo Tracker (one indicator per line)
ti_import url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt fmt=text threat=feodo
# MISP / OTX export (JSON array of indicators)
ti_import url=https://example/otx-pulse.json fmt=json threat=otx
# then retro-hunt: scan EXISTING events for the new IOCs
ti_scan
After importing, run a retro-hunt so indicators that already passed through are caught, not just future traffic.
Train UEBA before you trust it
UEBA scores an entity against its own baseline. Give it history first.
- Let agents report for ~14 days of normal activity, then run ueba_train.
- Only entities with enough samples are baselined — new hosts simply aren't scored yet.
- Re-train periodically so the baseline tracks how your fleet actually behaves.
Let the local AI learn
The AI triage engine is local — pure Python, no API key, no token cost — and it starts automatically when the manager runs. It learns from you: as you resolve or acknowledge alerts, it learns which kinds you dismiss and de-prioritises similar noise.
Licensing & seats
- Free — 2 agents, core rules.
- Pro — seat-based (default 50 agents), full rules, Sigma, active response, Threat-Intel matching and CSPM.
- Enterprise — unlimited agents, mTLS, at-rest encryption, RBAC.
One token covers the desktop GUI, the CLI, and the Fleet on the same device. Redeem it once in the GUI and the CLI/Fleet reuse it automatically — no second code.
Stay offline-first & harden the transport
Nothing leaves your LAN, which is what makes Nexus a fit for on-prem and compliance. On untrusted networks, add transport security on top of the per-agent HMAC signing.
nexus manager run --host 0.0.0.0 --port 8765 \
--tls-cert server.pem --tls-key server.key \
--tls-client-ca ca.pem # require mutual TLS
Keep it light
The agent is stdlib-only and intentionally lean. Tune how often it works from the central policy rather than per host — the collect and heartbeat intervals are policy fields pushed to every agent.
Verify the install
nexus --version # prints: nexus 2.2.1
Hunt with NQL every day
A few queries worth keeping in the Search view for daily triage:
severity>=high last:24h # today's high+critical
event_type:ioc_match last:7d # threat-intel hits this week
event_type:suspicious_lineage # EDR process-lineage alerts
event_type:behavior_anomaly # UEBA anomalies
event_type:network_threat # NDR beaconing / scans / C2
event_type:cloud_finding severity>=high # risky cloud misconfig