CyberEYE Documentation

Welcome to the official documentation for CyberEYE, the next-generation SOC automation platform designed to integrate seamlessly with Wazuh.

CyberEYE acts as an automated Tier-1 Security Analyst. It ingests thousands of raw alerts, filters out known noise, establishes User and Entity Behavior Analytics (OpenUBA) baselines, and utilizes a state-of-the-art Multi-Agent AI architecture to triage and classify alerts with unprecedented accuracy.

| Feature | Traditional SOC | CyberEYE Automated SOC |
|---|---|---|
| Alert Triage Time | 15-30 minutes per alert | < 5 seconds per alert |
| Noise Handling | Manual acknowledgement, high fatigue | Auto-dropped via Regex, Tags, and AI |
| Context Gathering | Analyst manually searches IPs and histories | Fully automated Threat Intel & Company Memory injection |
| Response | Manual firewall block creation | Auto-remediation via synced Blocklist Manager |

How the Alert Triage Process Works

CyberEYE is built on a highly optimized, cost-effective pipeline designed to reduce API token usage while maximizing accuracy.

```mermaid
graph TD
    A[Wazuh Indexer] -->|Polls every 30s| B(Pre-AI Noise Filter)
    B -->|Matches Exclusions| C[Dropped / Marked Excluded]
    B -->|Passes Filter| D{OpenUBA Baseline Check}
    D -->|Records Event Volume| E[Tumbling Window Grouper]
    E -->|Groups identical IPs| F[Multi-Agent AI Debate]
    F -->|L1 Agents Argue| G[L2 Lead Agent Verdict]
    G --> H{Final Classification}
    H -->|False Positive| I[Auto Closed]
    H -->|True Positive| J[Escalated to Analyst]
    J -->|Recommends Block| K[Added to Blocklist]
    style A fill:#1e293b,stroke:#3b82f6,color:#fff
    style B fill:#1e293b,stroke:#3b82f6,color:#fff
    style C fill:#450a0a,stroke:#ef4444,color:#fca5a5
    style D fill:#1e293b,stroke:#3b82f6,color:#fff
    style E fill:#1e293b,stroke:#3b82f6,color:#fff
    style F fill:#312e81,stroke:#8b5cf6,color:#fff
    style G fill:#312e81,stroke:#8b5cf6,color:#fff
    style H fill:#1e293b,stroke:#3b82f6,color:#fff
    style I fill:#064e3b,stroke:#10b981,color:#a7f3d0
    style J fill:#7f1d1d,stroke:#ef4444,color:#fca5a5
    style K fill:#7f1d1d,stroke:#ef4444,color:#fca5a5
```
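The first two stages of that pipeline, the Pre-AI Noise Filter and the Tumbling Window Grouper, as an added illustration that is not CyberEYE's own code. The exclusion regex, the tag name, the alert field names and the sample batch are all constructed here; the page only states that regex and tag matches are dropped and that identical IPs are grouped per window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exclusion rules applied before any AI call. Constructed examples: the page says regex and
# tag matches are dropped, but does not document CyberEYE's exclusion format.
EXCLUSION_REGEXES = [re.compile(r"Accepted publickey for backup-svc$")]
EXCLUSION_TAGS = {"vuln-scanner-authorized"}

# Constructed sample batch, shaped like one poll of the Wazuh Indexer (not real data).
SAMPLE_ALERTS = [
    {"id": 1, "timestamp": "2024-05-01T10:00:05+00:00", "srcip": "203.0.113.7",
     "message": "sshd: Attempt to login using a non-existent user", "tags": []},
    {"id": 2, "timestamp": "2024-05-01T10:00:20+00:00", "srcip": "203.0.113.7",
     "message": "sshd: Attempt to login using a non-existent user", "tags": []},
    {"id": 3, "timestamp": "2024-05-01T10:00:40+00:00", "srcip": "203.0.113.7",
     "message": "sshd: Attempt to login using a non-existent user", "tags": []},
    {"id": 4, "timestamp": "2024-05-01T10:00:12+00:00", "srcip": "10.0.0.5",
     "message": "sshd: Accepted publickey for backup-svc", "tags": []},
    {"id": 5, "timestamp": "2024-05-01T10:00:15+00:00", "srcip": "10.0.0.9",
     "message": "Web server 400 error code returned", "tags": ["vuln-scanner-authorized"]},
]

def is_noise(alert):
    """True when the alert carries an excluded tag or its message matches an exclusion regex."""
    if EXCLUSION_TAGS & set(alert.get("tags", [])):
        return True
    return any(rx.search(alert["message"]) for rx in EXCLUSION_REGEXES)

def triage_batch(alerts, window=timedelta(seconds=30)):
    """Drop noise, then group survivors into tumbling windows keyed by (slot start, source IP).
    Slots are fixed, non-overlapping and epoch-aligned, so each alert lands in exactly one group
    and identical IPs inside a slot reach the AI as one case. Returns (groups, excluded_ids)."""
    secs = window.total_seconds()
    groups = defaultdict(list)
    excluded = []
    for a in alerts:
        if is_noise(a):
            excluded.append(a["id"])
            continue
        ts = datetime.fromisoformat(a["timestamp"]).timestamp()
        slot = int(ts // secs * secs)  # start of the 30-second slot this alert falls in
        groups[(slot, a["srcip"])].append(a["id"])
    return dict(groups), excluded

if __name__ == "__main__":
    groups, excluded = triage_batch(SAMPLE_ALERTS)
    print("excluded:", excluded, "| groups:", groups)
```

Alerts 1 and 2 share a slot and an IP, so they become one case; alert 3 falls into the next 30-second slot and is a separate case even though the IP is identical.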

Dashboard

The Dashboard is the command center of CyberEYE. It provides a real-time, high-level overview of your SOC's health and automation metrics.

  • Alert Funnel: Visualizes the exact number of raw alerts ingested, noise filtered out, and finally triaged by AI.
  • True/False Positive Ratio: Easily identify if your network is under active attack or experiencing misconfiguration noise.
  • Recent Threat Feed: A rolling feed of the most critical True Positives discovered in the last 24 hours.

Alert Center

The Alert Center is where analysts investigate the findings produced by CyberEYE's AI agents.

Each alert card provides deep context, including:

  • What Happened & Reasoning: A short, human-readable summary generated by the L2 Lead Agent explaining exactly why the alert was classified as a TP or FP.
  • Confidence Score: The AI's certainty level (0.0 to 1.0). Alerts with high FP confidence (>85%, i.e. a score above 0.85) are often Auto-Closed by the system.
  • Threat Intel: Data from AbuseIPDB, AlienVault OTX, and GreyNoise if the source is an external IP.
  • Analyst Overrides: If the AI makes a mistake, analysts can override the classification. This feeds directly into the "Company Memory" engine, making the AI smarter on the next run!

Blocklist Manager

CyberEYE goes beyond detection and offers active remediation.

When the AI determines an alert is a True Positive and recommends blocking the Source IP, the IP is added to the Blocklist Manager.

  • Temporary Blocks: IPs are blocked for 24 hours by default.
  • Active Sync: The blocklist can be exported or synchronized with external firewalls.
  • Conflict Resolution: If an analyst overrides a True Positive to a False Positive, the associated IP is automatically removed from the blocklist.
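The three behaviours above (24-hour default expiry, export for sync, and removal when a True Positive is overridden to a False Positive) in one small blocklist, as an added example rather than CyberEYE's own implementation. The class and method names, the one-IP-per-line export format and the `ManualClock` helper are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_BLOCK_TTL = timedelta(hours=24)  # page: temporary blocks last 24 hours by default
DEMO_START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # constructed demo time

class ManualClock:
    """Demo clock: advance(hours) instead of waiting for a real 24-hour expiry."""
    def __init__(self, start=DEMO_START):
        self.t = start
    def advance(self, hours):
        self.t += timedelta(hours=hours)
    def __call__(self):
        return self.t

class BlocklistManager:
    """Source-IP blocklist with expiry, TP->FP override removal and a sync export.
    `now` is any zero-argument callable returning an aware datetime."""

    def __init__(self, now=None):
        self._entries = {}  # ip -> {"alert_id": ..., "expires": datetime}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def block(self, ip, alert_id, ttl=DEFAULT_BLOCK_TTL):
        """Called when a True Positive verdict recommends blocking the source IP."""
        self._entries[ip] = {"alert_id": alert_id, "expires": self._now() + ttl}

    def override(self, alert_id, new_classification):
        """Analyst flips a verdict. Only a TP->FP override touches the blocklist:
        every IP blocked on the strength of that alert is removed. Returns removed IPs."""
        if new_classification != "FP":
            return []
        removed = [ip for ip, e in self._entries.items() if e["alert_id"] == alert_id]
        for ip in removed:
            del self._entries[ip]
        return removed

    def active(self):
        """Purge expired entries and return the IPs still blocked, sorted."""
        now = self._now()
        self._entries = {ip: e for ip, e in self._entries.items() if e["expires"] > now}
        return sorted(self._entries)

    def export_lines(self):
        """One IP per line, a plain format most firewalls can import (assumed format)."""
        return "\n".join(self.active())
```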

System Intelligence

System Intelligence is a built-in proactive advisor.

If CyberEYE notices that a specific Wazuh rule is generating an excessive amount of False Positives (e.g., thousands of alerts a day that the AI marks as safe), the system will generate a Rule Tuning Suggestion.

These suggestions tell your engineering team exactly which rules in Wazuh need to be muted or reconfigured, saving massive amounts of AI API tokens.

OpenUBA (User & Entity Behavior Analytics)

OpenUBA is CyberEYE's baseline profiling engine.

The system constantly tracks the hourly volume of every rule triggered by every agent and IP. After 48 hours of observation, a "Candidate" pattern becomes "Established".

If an agent that normally triggers a rule 5 times an hour suddenly triggers it 500 times, OpenUBA generates a massive Deviation Score. This score is injected directly into the AI's prompt, allowing the AI to easily catch "low and slow" attacks or sudden volumetric bursts.
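A baseline tracker that follows the description above: hourly counts per (agent, rule, IP), a Candidate that becomes Established after 48 observed hours, and a deviation score that is only injected into the prompt once the baseline is Established. This is an added example, not OpenUBA's code; the page does not define the scoring formula, so the sigma-floored z-score used here, the key layout and the prompt line format are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

ESTABLISH_AFTER_HOURS = 48  # page: a Candidate pattern becomes Established after 48 h

class OpenUBABaseline:
    """Hourly volume baseline per (agent, rule, ip) key, as the page describes OpenUBA doing.
    The deviation formula is an assumption (sigma-floored z-score); the page does not define it."""

    def __init__(self):
        self._hours = defaultdict(list)  # key -> one count per observed hour

    def record_hour(self, agent, rule_id, ip, count):
        self._hours[(agent, rule_id, ip)].append(count)

    def status(self, key):
        n = len(self._hours.get(key, []))
        if n == 0:
            return "unknown"
        return "established" if n >= ESTABLISH_AFTER_HOURS else "candidate"

    def deviation(self, key, current_count):
        """Return (status, score). Score is None until the baseline is Established.
        The 1.0 floor on sigma keeps a perfectly regular history from dividing by zero
        or turning a one-alert wobble into an alarming score."""
        hist = self._hours.get(key, [])
        if len(hist) < ESTABLISH_AFTER_HOURS:
            return self.status(key), None
        sigma = max(pstdev(hist), 1.0)
        return "established", round((current_count - mean(hist)) / sigma, 2)

    def prompt_context(self, key, current_count):
        """The line injected into the AI prompt; empty while the pattern is still a Candidate."""
        status, score = self.deviation(key, current_count)
        if score is None:
            return ""
        agent, rule_id, ip = key
        return (f"UBA: agent={agent} rule={rule_id} ip={ip} "
                f"baseline_mean={mean(self._hours[key]):.1f}/h "
                f"current={current_count}/h deviation_score={score}")

if __name__ == "__main__":
    uba = OpenUBABaseline()
    key = ("web-01", "5710", "203.0.113.7")  # constructed agent, rule and IP
    for h in range(48):  # 48 quiet hours: 4, 5, 6, 4, 5, 6, ... alerts per hour
        uba.record_hour(*key, [4, 5, 6][h % 3])
    print(uba.prompt_context(key, 500))  # the 5/h -> 500/h burst from the text
```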

Settings & Providers

CyberEYE is completely agnostic to AI providers. You can bring your own keys or run locally!

  • Supported Providers: DeepSeek, Gemini, Groq, LiteLLM, and Ollama (Local LLMs).
  • Key Pool Manager: CyberEYE utilizes a robust Key Pool Manager. If one API key hits a rate limit (HTTP 429), the system instantly fails over to the next available key without dropping the alert.
  • Global Configurations: Adjust AI confidence thresholds, startup lookback windows, and UI preferences directly from the Settings tab.
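The Key Pool Manager behaviour from the list above, failing over to the next key on HTTP 429 without dropping the alert, as an added example that is not CyberEYE's implementation. The `send(key, payload)` callable, the `FakeProvider` stand-in and its per-key quotas are assumptions constructed here; a fully exhausted pool raises so the caller can requeue instead of silently losing the alert.

```python
from collections import deque

class KeyPoolExhausted(Exception):
    """Every key in the pool is rate limited; the caller must requeue the alert, not drop it."""

class KeyPool:
    """Round-robin pool of provider API keys with failover on HTTP 429.
    `send(key, payload)` is any callable returning (http_status, body); the signature is assumed."""

    def __init__(self, keys):
        if not keys:
            raise ValueError("key pool needs at least one key")
        self._keys = deque(keys)
        self.failovers = 0  # how often a 429 forced a switch; worth graphing on the dashboard

    def submit(self, payload, send):
        """Try the current key; on 429 rotate it to the back and retry with the next one.
        Each key is tried at most once per submission, so a fully limited pool fails fast."""
        for _ in range(len(self._keys)):
            status, body = send(self._keys[0], payload)
            if status != 429:
                return body
            self.failovers += 1
            self._keys.rotate(-1)  # limited key goes to the back; next key becomes current
        raise KeyPoolExhausted("all keys returned HTTP 429")

class FakeProvider:
    """Constructed stand-in for an LLM API: each key has a fixed remaining request quota."""

    def __init__(self, quotas):
        self.quotas = dict(quotas)
        self.calls = []  # (key, payload) log for inspection

    def send(self, key, payload):
        self.calls.append((key, payload))
        if self.quotas.get(key, 0) <= 0:
            return 429, None
        self.quotas[key] -= 1
        return 200, f"verdict for {payload} via {key}"

if __name__ == "__main__":
    provider = FakeProvider({"k1": 0, "k2": 2, "k3": 1})  # k1 already rate limited
    pool = KeyPool(["k1", "k2", "k3"])
    print(pool.submit("alert-1", provider.send), "| failovers:", pool.failovers)
```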

Advanced Multi-Agent Architecture

Traditional SOC automation uses a single prompt to ask an LLM if an alert is bad. This is highly prone to hallucination. CyberEYE uses a debate model:

  1. TP Agent (Prosecutor): Argues solely for why the alert is malicious.
  2. FP Agent (Defense): Argues solely for why the alert is benign or misconfigured.
  3. L2 Lead Agent (Judge): Reviews both arguments, context, and UBA baselines to deliver the final verdict.