Note: Shieldlix is currently offered completely free. Contact us to get your API keys.

Introduction to Shieldlix

Shieldlix is a unified Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform. Built from the ground up using Rust and Next.js, it offers unprecedented speed and flexibility without the prohibitive ingestion costs of legacy systems.

Core Concepts

1. Ingestion

Send logs to Shieldlix via our HTTP Event Collector, Syslog, or Kafka. The Rust-based indexer automatically parses common formats (JSON, key-value, syslog) and stores them in Quickwit (full-text) and ClickHouse (analytics).

# Upload a log file curl -X POST "http://localhost:8080/v1/uploads" \ -H "x-shieldlix-tenant: my-org" \ -F "file=@/var/log/auth.log" # Send JSON events curl -X POST "http://localhost:8080/v1/uploads" \ -H "x-shieldlix-tenant: my-org" \ -H "Content-Type: application/json" \ -d '{"event_type": "login_failed", "user": "admin", "src_ip": "10.0.0.5"}'

2. Search

Use the pipeline search language to filter, transform, and aggregate data. Commands are chained with the pipe | character.

# Top 10 source IPs index=auth | top limit=10 src_ip # Failed logins in last hour index=auth event_type=login_failed | stats count by user # Time chart of events index=* | timechart span=1h count() BY source # Deduplicate by field index=auth | dedup user | table user, src_ip, timestamp # Regex extraction index=auth | rex "(?<user>\w+)@(?<domain>\w+)" | table user, domain

3. Dashboards

Create dashboards with drag-and-drop panels. Supported chart types: line, area, bar, pie, table, single value, and choropleth map. Panels auto-refresh every 60 seconds.

  • Line / Area Chart: Time-series visualization with optional area fill
  • Bar Chart: Horizontal bars for top-N aggregations
  • Pie Chart: Donut chart with legend for proportional data
  • Table: Paginated data table with sticky headers
  • Single Value: Animated counter with color modes
  • Choropleth Map: Geographic visualization for IP/location data

4. Alerts & Detection

Shieldlix includes 37,000+ detection rules across three types:

  • Threshold Rules: Fire when event count exceeds a threshold within a time window
  • Correlation Rules: Fire when an ordered sequence of event types occurs for an entity
  • Anomaly Rules: Fire when event volume deviates from statistical baseline (mean + N*stddev)

Alerts generate risk scores (1-100) and are grouped into incidents by entity + 24-hour bucket. Each rule maps to MITRE ATT&CK tactics and techniques.

5. SOAR Playbooks

Automate incident response with playbooks. Pre-built playbooks include:

  • Contain Ransomware: Collect evidence → Isolate host → Open recovery ticket
  • Contain Identity Threat: Collect evidence → Revoke sessions → Disable user
  • Data Exfiltration Response: Preserve DLP evidence → Block cloud share → Open privacy ticket
  • Security Analytics Abuse: Collect query history → Restore rule state → Notify owner

6. Integrations

Connect to external tools via integration connectors. Supported connector types:

EDR (CrowdStrike)
IAM (Okta)
Firewall
DNS
Proxy
Email
SaaS
Cloud
Ticketing (ServiceNow)
Chat (Slack)
MDM
DLP
SIEM
Search
Custom

7. Case Management

Cases track incidents through their lifecycle. Features include:

  • States: Open → In Progress → Pending Approval → Contained → Closed
  • Automatic queue assignment based on severity
  • SLA targets: Critical (15min), High (60min), Medium (4hr), Low (24hr)
  • Full audit trail with append-only logging
  • Evidence management with S3-backed storage and retention policies

API Reference

Query API (port 8080)

GET /v1/events/search # Search events GET /v1/events/total # Event count GET /v1/events/top # Top-N aggregation GET /v1/events/timeline # Time series histogram GET /v1/events/:id # Single event detail POST /v1/uploads # Ingest events POST /v1/ml/outliers # Outlier detection POST /v1/ml/clustering # Event clustering POST /v1/ml/forecast # Time series forecast GET /health # Health check

SOAR API (port 8090)

GET /v1/cases # List cases POST /v1/cases # Create case PATCH /v1/cases/:id # Update case POST /v1/cases/:id/close # Close case POST /v1/alerts # Ingest alert (auto-groups) POST /v1/playbooks/:id/simulate # Simulate playbook POST /v1/cases/:id/playbooks # Run playbook POST /v1/integrations # Register connector POST /v1/integrations/:id/actions # Execute action

Need help? Contact us or check the architecture docs.