Use the CyberArk Identity User Behavior Analytics sensor
The primary purpose of the sensor is data collection. The CyberArk Identity User Behavior Analytics sensor is part of CyberArk Identity User Behavior Analytics and is an installable software package. As a general data collector, the CyberArk Identity User Behavior Analytics sensor supports the following operating environments:
- Windows - Installation utilizes a standard wizard process.
- Mac - Installation utilizes a standard Mac software installation wizard.
The CyberArk Identity User Behavior Analytics sensor can collect data from the following data sources:
- Generic log files that you can write your own filter for
- Any syslog event
- Any Windows Event Log
- Any application or network device log
- Palo Alto Networks Cloud Services - Reading logging information from Palo Alto Networks' Cortex Data Lake
- Any external models, such as a scanner report or relational database
Install the CyberArk Identity User Behavior Analytics sensor
This section describes how to install the CyberArk Identity User Behavior Analytics sensor.
On Windows:
- Navigate to the CyberArk Identity User Behavior Analytics Portal.
- In the left-hand Navigation pane, click Settings to expand it and then click sensor from the menu.
- At the top of the Sensors page, click Add sensor.
  The Add sensor window appears.
- In the Step 1 section, locate and click the Windows download link to start the download.
- In the Step 2 section, follow the instructions to retrieve or create a sensor Access Token.
- Launch the Windows installer you downloaded.
  If a Windows security alert window appears, click Run Anyway to proceed.
- Complete the installation wizard by accepting the defaults.
  At the end of the installation (if you accepted the default to start the sensor after the installation completed), the Register window appears.
- Return to the CyberArk Identity User Behavior Analytics Portal and click API from the Navigation pane. At the top of the window, click New.
  The Add API Access Token window appears.
- Enter a name for the token and choose one of the Expiration options:
  - Limited - The token will expire on a designated date. Click the Expiration Time field to open a calendar. Then, navigate to the date you wish the token to expire.
  - Unlimited - The token will not expire.
- Click Create to obtain the token.
- Click the small icon to the right of the token, which copies the token to the clipboard. Then, click Done.
- For safe keeping, open a text editor or some other program and paste the token where you can save it.
- Return to the installer and paste the sensor Access Token into the field. Then, click Register.
On Mac:
- Navigate to the CyberArk Identity User Behavior Analytics Portal.
- In the left-hand Navigation panel, click Settings > sensor.
- At the top of the Sensors page, click Add sensor.
  The Add sensor window appears.
- In the Step 1 section, locate and click the Mac download link to start the download.
- In the Step 2 section, follow the instructions to create a sensor Access Token.
- Open the Analytics-sensor-Installer.dmg file downloaded previously and continue with the interactive installation.
  If you encounter an error preventing you from opening the .dmg file because it is from an unidentified developer, you can open it anyway from Security & Privacy preferences.
- Select Run Analytics sensor then click Finish when you reach the end of the interactive installation.
- Enter the sensor Access Token that you copied previously to register the sensor.
- Select Show Advanced Options and verify that the URL matches the URL for your CyberArk Identity User Behavior Analytics portal, then click Next.
- (Optional) Select Use custom proxy settings and enter details for your proxy server, if you are using one.
  You can also edit the proxy settings after the sensor is registered by clicking Settings... and then selecting the Proxy tab.
- Click Register to finish adding the sensor.
Manage the sensor
The menu bar at the top of the sensor page provides a variety of functions for the management of the sensors.
The following features of the menu bar are indicated in the illustration, above:
- Filter menu. Click the drop-down to choose one of the following filters:
  - All - Display all available sensors
  - Running - Display only sensors that are currently running
  - Stopped - Display only sensors that are currently stopped
  - Offline - Display only offline sensors
  - Error - Display sensors that have an error condition
- Search bar. Enter a search term for any field in the sensor table.
- Add sensor button. Click to add a new sensor.
- Action menu. Allows you to click one or more check boxes beside the sensors and then choose one of the following actions:
  - Delete - Delete all selected sensors
  - Start - Start all selected sensors (that have not already started)
  - Restart - Restart all selected sensors
  - Stop - Stop all selected sensors that are currently running
- Auto-Refresh menu. Click this drop-down menu to select a time interval at which the sensor page information is refreshed. Intervals range from 5 seconds to 5 hours. There is also a manual setting, which refreshes the page only when the Refresh button is clicked.
- Show All Running Commands and Expand All buttons
  - Show All Running Commands opens an All Running Commands popup window.
  - Expand All, when clicked, shows all sources under all the sensors in the table. Clicking the button again hides the sensors again.
- Refresh. This button manually refreshes the information for all sensors on the sensor page.
To open the Manage submenu for a sensor:
- Launch the CyberArk Identity User Behavior Analytics Portal.
- In the left-hand navigation pane, click Settings to expand the menu. Then, click sensor.
  The table of sensor information appears in the main window.
- If they are not visible in the table, scroll to the right to view the action links.
- Click the right-most button (three horizontal dots) to open the Manage submenu, which includes the following functions:
  - Restart. Restarts the sensor. If the start failed, it can only be brought back on the client side.
  - Stop. Stops the sensor. After it has stopped, it can only be brought back on the client side.
  - Configuration. Allows you to configure sensor parameters.
  - Show Events. Displays events that were collected by this sensor.
  - Show sensor Log. Displays system logs for this sensor (usually, the error log).
To open the sensor Configuration window, choose Configuration from the Manage sub menu.
You can perform the following configuration functions in the sensor Configuration window:
- Name. Enter a new display name for the sensor, which appears in the first column of the table.
- Heartbeat Interval. Enter, in milliseconds, how frequently the sensor communicates with the server if the sensor is idle.
- Status Interval. Enter, in milliseconds, how frequently the sensor updates its status, if it is idle.
- Status Event Interval. Enter, in milliseconds, how frequently the sensor sends its status to CyberArk Identity User Behavior Analytics for Explorer.
- Log Forward. Use this toggle button to choose whether to send a sensor log to CyberArk Identity User Behavior Analytics. That log can be queried by the Show sensor Log.
- Log Forward Level. Enter the log level for the Log Forward function.
Manage a sensor Source
To add a source:
- Launch the CyberArk Identity Analytics Portal.
- In the left-hand navigation pane, click Settings to expand the menu. Then, click sensor.
  The table of sensor information appears in the main window.
- If they are not visible in the table, scroll to the right to view the action links.
- Click the Add Source link.
  The Add an Event Source window appears. The window has three successive pages.
- In the Choose Source page, select one of the available sources and then click Next.
  The Configuration page appears.
- Enter and configure this source, as appropriate, and then click Next.
  The Choose Filter page appears.
- Click the blank field to display a drop-down menu of available filters. Then, select one and click the plus (+) button to add that filter to the filter chain.
- After you finish selecting filters, you can use drag-and-drop to rearrange the filters in the filter chain to the desired order.
- Click Done to complete the process.
  The Running Commands window appears, showing the progress of your source being added to the sensor.
  If you receive an error, scroll to the right to view any errors that occurred.
To delete a source:
- Launch the CyberArk Identity Analytics Portal.
- In the left-hand navigation pane, click Settings to expand the menu. Then, click sensor.
  The table of sensor information appears in the main window.
- Click the plus (+) to the left of a sensor in the table to view the sources for that sensor.
  The sources for the sensor appear under the sensor information.
- Click the Delete link beside the source you want to delete.
  A popup window appears to confirm whether you want to delete the source.
- Click Yes to complete the deletion.
To edit a source:
- Launch the CyberArk Identity Analytics Portal.
- In the left-hand navigation pane, click Settings to expand the menu. Then, click sensor.
  The table of sensor information appears in the main window.
- Click the plus (+) to the left of a sensor in the table to view the sources for that sensor.
  The sources for the sensor appear under the sensor information.
- Click the Edit link beside the source you want to edit.
  The Edit an Event Source window appears.
- Adjust the details about this source, as needed. Then, click Save and Apply.
  When you click Save, your changes are saved to the server but not applied to the sensor. An icon appears to indicate that the sensor is out of sync. When you click Save and Apply, the changes are saved to the server and the sensor is restarted, which brings the sensor and server into sync.
Update the CyberArk Identity User Behavior Analytics sensor
Repeat the installation process to update the sensor. The sensor installer detects the previous installation and suggests an update. See Install the CyberArk Identity User Behavior Analytics sensor for details.
Uninstall a CyberArk Identity User Behavior Analytics sensor
This section describes how to uninstall the CyberArk Identity User Behavior Analytics sensor.
On Windows:
- Open the sensor UI.
- At the bottom of the sensor window, click Stop sensor.
  The status changes from Running to Stopped.
- Close the UI.
- To verify that the sensor is, indeed, stopped, open Task Manager. Then, check the Applications and Services tabs.
- Navigate to the CyberArk Identity User Behavior Analytics sensor folder (the default installation location is C:\Program Files\AnalyticsSensor).
- Double-click the uninstall icon to start the wizard and complete the uninstall process.
- (Optional) To be thorough, you can also remove the conf, data, and logs folders from the CyberArk Identity User Behavior Analytics sensor folder. If you do this, also remove the Analytics folder from C:\ProgramData\CyberArk.
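A scripted equivalent of the Task Manager check and the optional folder cleanup above, given as an added example that is not CyberArk tooling. It assumes the default locations named on this page and identifies sensor processes and services only by executable path, because the page does not give their names; the function name Test-SensorRemoval and its -Remove switch are hypothetical.

```powershell
# Added example, not vendor code. Paths are the defaults named on this page.
function Test-SensorRemoval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$InstallDir = 'C:\Program Files\AnalyticsSensor',
        [string]$DataDir    = 'C:\ProgramData\CyberArk\Analytics',
        [switch]$Remove     # hypothetical switch: delete leftovers instead of listing them
    )

    # Processes whose executable lives under the install folder. Run elevated:
    # Path is empty for processes the current user cannot inspect.
    $procs = @(Get-Process | Where-Object { $_.Path -like "$InstallDir\*" })

    # Services whose binary path points into the install folder and are not stopped.
    $svcs = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$InstallDir\*" -and $_.State -ne 'Stopped' })

    $stopped = ($procs.Count -eq 0) -and ($svcs.Count -eq 0)

    # Folders the optional cleanup step refers to, if they still exist.
    $candidates = @('conf', 'data', 'logs' | ForEach-Object { Join-Path $InstallDir $_ }) + $DataDir
    $leftovers  = @($candidates | Where-Object { Test-Path -LiteralPath $_ })

    # Only delete once nothing is running from the install folder.
    if ($Remove -and $stopped) {
        foreach ($dir in $leftovers) {
            if ($PSCmdlet.ShouldProcess($dir, 'Remove leftover sensor folder')) {
                Remove-Item -LiteralPath $dir -Recurse -Force
            }
        }
    }

    # Report what was found so the result can be logged or reviewed.
    [pscustomobject]@{
        Stopped   = $stopped
        Processes = $procs | ForEach-Object { "$($_.Name) (PID $($_.Id))" }
        Services  = $svcs  | ForEach-Object { "$($_.Name) [$($_.State)]" }
        Leftovers = $leftovers
    }
}

Test-SensorRemoval                      # report only
# Test-SensorRemoval -Remove -WhatIf    # preview the cleanup before running it
```

Run the report after stopping the sensor and confirm Stopped is True before starting the uninstall wizard. Use -Remove only after the wizard has finished, since the conf, data, and logs folders are still in use by an installed sensor.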
On Mac:
- Open the sensor UI.
- At the bottom of the sensor window, click Stop sensor.
  The status changes from RUNNING to STOPPED.
- At the top of the sensor window, click Delete, then click OK on the verification prompt.
- Close the sensor UI after it returns to the registration screen.
- Open Finder, then navigate to the Applications folder and double-click Analytics sensor Uninstaller to start the wizard and complete the uninstall process.
- (Optional) To be thorough, you can also remove the conf, data, and logs folders from the /Applications/Analytics sensor folder.