
NodeBeacon

Create CyVectors Account
Sign up for the free 10-day evaluation by selecting the $0 "Get Started" button. Allow up to 24 hours for your account request to be processed. Once approved, you will receive an email invitation to download and evaluate CyVectors sensors with ticketing support.

The NodeBeacon application is a Windows service that functions as a lightweight system monitoring agent, periodically collecting and reporting key endpoint metrics such as CPU utilization, memory usage, disk space across drives, top CPU- and memory-consuming processes, logged-in users, OS version, and basic network activity indices (derived from interface utilization). Operating on a configurable scan rate (defaulting to 60 seconds via registry settings), it maintains short-term historical data in local text files for trend analysis over recent minutes, triggering alerts for sudden spikes (e.g., CPU >80%, memory >80%, disk free <10%) and sending enriched JSON-formatted syslog messages to a remote server. The service integrates AI for real-time metric assessments, logging raw data to a local file for debugging, and performs periodic (every 5 minutes) historical analyses to detect broader patterns, ensuring resilient operation with background threading, error handling, and graceful shutdowns.

This tool enhances Security Operations Centers (SOCs) and Managed Security Service Providers (MSSPs) by offering continuous, endpoint-level telemetry that fills gaps in traditional monitoring, such as detecting resource exhaustion from malware, unauthorized processes, or insider activities that might not trigger network alerts. Its syslog output—complete with timestamps, host details, metrics, and AI-flagged anomalies—seamlessly integrates with SIEM systems for automated correlation, enabling faster anomaly detection and response through contextual data like process lists and usage trends, thus reducing mean time to investigate (MTTI) in distributed environments. For businesses, it promotes operational resilience by preempting performance issues that could lead to downtime, data loss, or breaches, while supporting compliance through auditable logs of system health; deployed across fleets, it aids in capacity planning and threat prevention without user disruption, as it runs silently as a service with low overhead.

Utilizing ONNX runtime for inference on a pre-trained security model (loaded with safeguards against oversized or missing files), the app's AI processes normalized system metrics inputs—encompassing scaled numerics like CPU/memory/disk percentages, process counts, and timestamps—to output threat scores, anomaly flags, and issue types (e.g., "High_Threat" for sustained spikes). Adaptive thresholds evolve based on recent scores for contextual accuracy, with autonomous learning buffering data for model retraining (periodically checking for updated ONNX files). This ML capability empowers SIEM deployments to proactively identify threats like crypto-mining or persistence mechanisms via temporal patterns (e.g., variance in 5-minute windows), surpassing static endpoint monitors by leveraging heuristic trend analysis and historical queues, allowing aggregated feeds in ML-augmented SIEMs to forecast escalations from subtle resource anomalies not captured by signature-based tools.

 

Registry-Driven Configuration

Syslog settings (SyslogDest, SyslogPort) and scan interval (ScanRate) are loaded from HKLM\Software\Wow6432Node\CyVectorsNB. Invalid or missing values are logged, allowing SaaS monitors to detect configuration drift.

 

JSON Alert Composition with Metadata

Syslog JSON alerts include timestamp, hostname, OS version, username, CPU %, memory %, disk usage %, top processes, and active alerts (e.g., CPU above eighty percent). Ideal for dashboards and rule-based ingestion pipelines.
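An added example, not code from NodeBeacon, showing how a beacon carrying the fields listed above would be assembled, evaluated against the thresholds the page documents (CPU >80%, memory >80%, disk free <10%), wrapped in a syslog line, and recovered again on the SIEM side. The JSON key names, the RFC 5424-style framing and the sample values are this example's assumptions, and the sample host is constructed.

```python
import json
from datetime import datetime, timezone

# Thresholds as described on the page: CPU >80%, memory >80%, free disk <10%.
CPU_PCT_MAX, MEM_PCT_MAX, DISK_FREE_PCT_MIN = 80.0, 80.0, 10.0


def evaluate_alerts(cpu_pct, mem_pct, disks):
    """Return alert strings for one sample; `disks` maps drive -> free-space %."""
    alerts = []
    if cpu_pct > CPU_PCT_MAX:
        alerts.append(f"CPU above {CPU_PCT_MAX:.0f} percent ({cpu_pct:.1f}%)")
    if mem_pct > MEM_PCT_MAX:
        alerts.append(f"Memory above {MEM_PCT_MAX:.0f} percent ({mem_pct:.1f}%)")
    for drive, free in sorted(disks.items()):
        if free < DISK_FREE_PCT_MIN:
            alerts.append(f"Disk {drive} free below {DISK_FREE_PCT_MIN:.0f} percent ({free:.1f}%)")
    return alerts


def build_alert(hostname, os_version, username, cpu_pct, mem_pct, disks, top_processes, now=None):
    """Compose the JSON document with the fields the page lists (key names are assumed)."""
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp": now.isoformat(timespec="seconds"),
        "hostname": hostname,
        "os_version": os_version,
        "username": username,
        "cpu_pct": cpu_pct,
        "memory_pct": mem_pct,
        "disk_usage_pct": {d: round(100.0 - free, 1) for d, free in disks.items()},
        "top_processes": top_processes,
        "alerts": evaluate_alerts(cpu_pct, mem_pct, disks),
    }


def to_syslog(alert, facility=1, app="NodeBeacon"):
    """Wrap the JSON in an RFC 5424-style line; severity 4 (warning) if any alert fired, else 6."""
    pri = facility * 8 + (4 if alert["alerts"] else 6)
    return f"<{pri}>1 {alert['timestamp']} {alert['hostname']} {app} - - - {json.dumps(alert, separators=(',', ':'))}"


def parse_syslog(line):
    """SIEM side: recover the JSON body that follows the empty structured-data field."""
    return json.loads(line.split(" - - - ", 1)[1])


# Constructed sample, not real telemetry.
SAMPLE = build_alert("WS-CONSTRUCTED-01", "Windows 11 Pro 23H2", "CORP\\jdoe",
                     cpu_pct=93.5, mem_pct=71.2, disks={"C:": 6.4, "D:": 55.0},
                     top_processes=[{"name": "example.exe", "cpu_pct": 88.0}],
                     now=datetime(2024, 1, 1, tzinfo=timezone.utc))
```

Because `to_syslog` raises the syslog severity only when an alert fired, a receiving pipeline can route on PRI before it parses the JSON body.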

Logged-In User Attribution

Uses a Win32_ComputerSystem WMI query to identify the currently logged-in user. Usernames are included in all logs and syslog reports, aiding attribution and threat modeling for high CPU/memory/disk events.

 

Threaded Heartbeat Engine

All metric collection runs on a background worker thread. Service start, stop, and crashes are gracefully handled and logged to disk.

 

Log Integrity and Crash Logging

Exceptions during telemetry collection or syslog transmission are caught and recorded with severity markers (Informational, Warning, Error, Critical). Each log entry includes a UTC timestamp and a contextual label.

 

Local System Awareness for Each Beacon

NodeBeacon includes the OS version, machine name, and logged-in user for every report. This metadata enables source attribution when reviewing logs from a fleet of endpoints.

 

Dynamic Scan Interval Control

Scan interval is configurable via the ScanRate registry value (in milliseconds). The service respects updates at runtime on the next loop cycle, supporting dynamic tuning without restart.
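As an added example (not NodeBeacon's own code), the validation a registry-driven loader of the three values named in the Registry-Driven Configuration section would perform, plus the per-cycle re-read that lets a changed ScanRate take effect on the next loop as described above. The key path, value names and 60-second default are the page's; the 1-second floor, the injected `read_registry`/`sleep` callables and the behaviour on a bad port are this example's assumptions.

```python
import logging

# Names from the page; the 60 s default is the page's, the 1 s floor is this example's assumption.
REG_KEY = r"HKLM\Software\Wow6432Node\CyVectorsNB"
DEFAULT_SCAN_RATE_MS = 60_000
MIN_SCAN_RATE_MS = 1_000
log = logging.getLogger("nodebeacon.config")

def load_config(raw):
    """Validate raw registry values (value name -> value, None when absent). Returns
    (config, problems); every missing/invalid value is logged and listed for drift monitoring."""
    problems = []
    cfg = {"SyslogDest": None, "SyslogPort": None, "ScanRate": DEFAULT_SCAN_RATE_MS}

    dest = raw.get("SyslogDest")
    if isinstance(dest, str) and dest.strip():
        cfg["SyslogDest"] = dest.strip()
    else:
        problems.append("SyslogDest missing or empty; syslog forwarding disabled")

    port = raw.get("SyslogPort")
    try:
        if not 1 <= int(port) <= 65535:
            raise ValueError
        cfg["SyslogPort"] = int(port)
    except (TypeError, ValueError):
        problems.append(f"SyslogPort invalid ({port!r}); syslog forwarding disabled")

    rate = raw.get("ScanRate")  # milliseconds, per the page
    try:
        if int(rate) < MIN_SCAN_RATE_MS:
            raise ValueError
        cfg["ScanRate"] = int(rate)
    except (TypeError, ValueError):
        problems.append(f"ScanRate invalid ({rate!r}); using default {DEFAULT_SCAN_RATE_MS} ms")

    for problem in problems:
        log.warning("%s: %s", REG_KEY, problem)
    return cfg, problems

def scan_loop(read_registry, sleep, cycles):
    """Re-read the registry at the top of each cycle so a changed ScanRate applies on the
    next loop without a service restart; `read_registry` and `sleep` are injected (assumed)."""
    intervals = []
    for _ in range(cycles):
        cfg, _problems = load_config(read_registry())
        intervals.append(cfg["ScanRate"])  # metric collection and the beacon would go here
        sleep(cfg["ScanRate"] / 1000.0)
    return intervals
```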

  1. Execute the installer file to launch the Installation Wizard.

  2. Welcome Screen: Read any welcome message or description provided and click "Next."

  3. License Agreement: Carefully read the terms of the license agreement. If you agree, select the acceptance option and click "Next."

  4. Verify Connection: Clicking this button tests your PC's connectivity to the services required for Add-In installation. If this step fails, verify that your firewall allows HTTPS connectivity to cyvectors.com.

  5. Syslog Receiver IP or FQDN: On inbound email threats, end-user email reporting, or logging into Outlook without full verification, your SIEM platform is kept informed, giving visibility into end-user behavior and email outbreaks that may occur as end users receive an email attack across the managed network.

  6. Syslog Receiver Port: The port on which your SIEM platform will receive syslog (commonly port 512).

  7. Express Install (Eval or Easy Prod Setup) – Click Next for Advanced Install

  8. Advanced Install (requires subscription license key)

  9. Serial Number – To access custom install settings, purchase your subscription licensing at cyvectors.com


Post-Installation Steps

  • Verify Installation: Restart the Windows node to begin sensor monitoring. If installing multiple sensors, install all sensors before rebooting to reduce installation time.

  • Re-enable Antivirus: Don't forget to re-enable any antivirus software that was disabled prior to the installation, and provide exclusions where needed to ensure the Add-In runs without errors. Since the Add-In runs under the outlook.exe Windows process, local endpoint firewall or antivirus modifications are rarely needed.


Troubleshooting
If you encounter errors during the installation, note any error messages and contact support@cyvectors.net. Your ticket will be automatically routed to a support engineer or escalated as needed.

Uninstallation
To uninstall the software, you can find an uninstaller in the "Add or Remove Programs" feature in the Windows Control Panel.

Customization
To modify the settings of this CyVectors Sensor, it is recommended to re-run the installer and provide the new information at the installer's prompts.

Deployment automation supported using the following platforms:

  • Microsoft System Center Configuration Manager (SCCM): Now part of Microsoft Endpoint Configuration Manager, SCCM is a comprehensive tool for managing and deploying software across large networks of Windows computers.

  • PDQ Deploy: This is a software deployment tool used to keep Windows PCs up to date without leaving your desk. It can deploy MSI, EXE, and other packages to multiple Windows systems simultaneously.

  • ManageEngine Desktop Central: A unified endpoint management solution that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location.

  • Ivanti Endpoint Manager (formerly LANDesk): This platform provides integrated solutions for asset management, software distribution, and endpoint security.

  • Altiris Deployment Solution (from Symantec): This is a set of tools for automating the deployment and provisioning of devices, including the installation and configuration of operating systems and applications.

  • Any standard .msi or .exe software delivery platform
