Introduction to Shieldlix
Shieldlix is a unified Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform. Built from the ground up using Rust and Next.js, it offers unprecedented speed and flexibility without the prohibitive ingestion costs of legacy systems.
Core Concepts
1. Ingestion
Send logs to Shieldlix via our HTTP Event Collector, Syslog, or Kafka. The Rust-based indexer automatically parses common formats (JSON, key-value, syslog) and stores them in Quickwit (full-text) and ClickHouse (analytics).
# Upload a log file
curl -X POST "http://localhost:8080/v1/uploads" \
-H "x-shieldlix-tenant: my-org" \
-F "file=@/var/log/auth.log"
# Send JSON events
curl -X POST "http://localhost:8080/v1/uploads" \
-H "x-shieldlix-tenant: my-org" \
-H "Content-Type: application/json" \
-d '{"event_type": "login_failed", "user": "admin", "src_ip": "10.0.0.5"}'2. Search
Use the pipeline search language to filter, transform, and aggregate data. Commands are chained with the pipe | character.
# Top 10 source IPs
index=auth | top limit=10 src_ip
# Failed logins in last hour
index=auth event_type=login_failed | stats count by user
# Time chart of events
index=* | timechart span=1h count() BY source
# Deduplicate by field
index=auth | dedup user | table user, src_ip, timestamp
# Regex extraction
index=auth | rex "(?<user>\w+)@(?<domain>\w+)" | table user, domain3. Dashboards
Create dashboards with drag-and-drop panels. Supported chart types: line, area, bar, pie, table, single value, and choropleth map. Panels auto-refresh every 60 seconds.
- Line / Area Chart: Time-series visualization with optional area fill
- Bar Chart: Horizontal bars for top-N aggregations
- Pie Chart: Donut chart with legend for proportional data
- Table: Paginated data table with sticky headers
- Single Value: Animated counter with color modes
- Choropleth Map: Geographic visualization for IP/location data
4. Alerts & Detection
Shieldlix includes 37,000+ detection rules across three types:
- Threshold Rules: Fire when event count exceeds a threshold within a time window
- Correlation Rules: Fire when an ordered sequence of event types occurs for an entity
- Anomaly Rules: Fire when event volume deviates from statistical baseline (mean + N*stddev)
Alerts generate risk scores (1-100) and are grouped into incidents by entity + 24-hour bucket. Each rule maps to MITRE ATT&CK tactics and techniques.
5. SOAR Playbooks
Automate incident response with playbooks. Pre-built playbooks include:
- Contain Ransomware: Collect evidence → Isolate host → Open recovery ticket
- Contain Identity Threat: Collect evidence → Revoke sessions → Disable user
- Data Exfiltration Response: Preserve DLP evidence → Block cloud share → Open privacy ticket
- Security Analytics Abuse: Collect query history → Restore rule state → Notify owner
6. Integrations
Connect to external tools via integration connectors. Supported connector types:
7. Case Management
Cases track incidents through their lifecycle. Features include:
- States: Open → In Progress → Pending Approval → Contained → Closed
- Automatic queue assignment based on severity
- SLA targets: Critical (15min), High (60min), Medium (4hr), Low (24hr)
- Full audit trail with append-only logging
- Evidence management with S3-backed storage and retention policies
API Reference
Query API (port 8080)
GET /v1/events/search # Search events
GET /v1/events/total # Event count
GET /v1/events/top # Top-N aggregation
GET /v1/events/timeline # Time series histogram
GET /v1/events/:id # Single event detail
POST /v1/uploads # Ingest events
POST /v1/ml/outliers # Outlier detection
POST /v1/ml/clustering # Event clustering
POST /v1/ml/forecast # Time series forecast
GET /health # Health checkSOAR API (port 8090)
GET /v1/cases # List cases
POST /v1/cases # Create case
PATCH /v1/cases/:id # Update case
POST /v1/cases/:id/close # Close case
POST /v1/alerts # Ingest alert (auto-groups)
POST /v1/playbooks/:id/simulate # Simulate playbook
POST /v1/cases/:id/playbooks # Run playbook
POST /v1/integrations # Register connector
POST /v1/integrations/:id/actions # Execute actionNeed help? Contact us or check the architecture docs.