Installation Guide
3.95
Since privileged accounts are most often compromised as part of an attack, CyberArk
Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts
that are managed in the CyberArk Privileged Account Security (PAS) platform, as well as
accounts that are not yet managed by CyberArk, and looks for indications of abuse or
misuse of the CyberArk platform. PTA also looks for attackers who compromise
privileged accounts by running sophisticated attacks, such as Golden Ticket.
PTA is part of the CyberArk Privileged Account Security solution and provides an
additional security layer, which detects malicious activity caused by privileged accounts
and proactively contains in-progress attacks. PTA detects malicious activity in
privileged accounts whether those accounts authenticate with passwords or with SSH
keys.
Using proprietary profiling algorithms, PTA distinguishes in real time between normal
and abnormal behavior, and raises an alert when abnormal activity is detected. In this
way, it extends the CISO's ability to reduce the risk of insider threats, malware,
targeted attacks and APTs that use privileged users to carry out attacks. This
significantly reduces the ability of these threat actors to infiltrate the system and
eliminates one of the biggest risks to your organization.
Using DPI technology and tapping the organization network, PTA can deterministically
detect and raise alerts on Kerberos attacks in real time.
PTA also proactively monitors critical privileged account related risks in the IT
environment that can be abused by an attacker. PTA sends alerts to the security team to
handle these risks before attackers abuse them.
PTA processes the network traffic and receives raw events from your organization’s
Vault, UNIX machines, and Windows machines, and receives additional inputs by
querying Active Directory, then detects security events in real time and sends them as
alerts by email, to the PTA’s proprietary dashboard, or to the SIEM dashboard.
In general, PTA does the following:
■ Detects privileged-account-related anomalies: Detects anomalies in the usage
of privileged accounts, such as usage that does not occur during the regular hours of
use.
■ Detects privileged-account-related security incidents: Detects security
incidents by running deep packet inspection and finding deterministic characteristics
of Kerberos attacks, and additional known attacks such as Golden Ticket and
Malicious Retrieval of Domain Accounts (DCSync).
■ Detects privileged-account-related risks: Detects risks by monitoring and
alerting on critical risks in privileged accounts.
■ Contains security incidents: Generates actionable insights to support rapid and
automated incident containment.
In order to pinpoint abnormal activities of privileged users, PTA employs various
statistical algorithms. These algorithms generate profiles of system activities, and
subsequent activities are searched for deviations from these profiles. Deviations that are
suspicious and pose a potential risk are classified as security incidents.
For example: a user who connects to a remote machine during hours that are deemed
irregular (when compared to that user's connectivity profile as learned by PTA),
or from an unfamiliar IP address.
In addition, PTA can detect Kerberos attacks in real time. These Kerberos attacks can be
used by an attacker for privilege escalation, and to achieve persistence within the
network.
This section describes how to install PTA, install PTA Windows Agents, and install
PTA with Network Sensors.
In this section:
Install PTA
Install PTA Windows Agents
Install PTA Network Sensors
Network Sensor and PTA Windows Agent Post Installation
Upgrade PTA
Upgrade PTA Windows Agents
Upgrade PTA Network Sensor Software
Install PTA
This section describes how to install PTA.
■ If you are installing PTA with the Network Sensor, see the end-to-end workflow:
Install PTA Network Sensors, page 53.
■ If you are upgrading PTA, see Upgrade PTA, page 79.
Step / Comments / Reference
■ Import the PTA disk image: Select the procedure for your environment (VM Player,
VMware Workstation, VM ESX, or Hyper-V). Reference: Import the PTA Disk Image,
page 12.
■ Review the post-installation procedures: This includes managing the PTA machine
user accounts, and validating the self-signed certificate on your browser. Reference:
PTA Post-Installation Procedures, page 32.
■ (Optional) Review PTA installation troubleshooting procedures. Reference:
Troubleshoot PTA Installation, page 42.
Note:
Microsoft Hyper-V v6.3 can be installed on Windows Server 2008R2 or Windows Server
2012R2.
The PTA image must be installed on a dedicated machine that has access to the Vault, or
to the primary Vault in a distributed Vault environment, and also to either the
organizational SIEM solution, or UNIX inspected machines for syslogs.
The minimum requirements for installing this image on a VM machine are as follows:
■ 4 Core-CPU
■ 16 GB RAM memory
■ 500 GB hard disk storage
Supported Browsers
PTA currently supports the following browsers:
■ Internet Explorer 11.0 with Compatibility mode 9
■ Chrome - latest version
■ Firefox - latest version
IP Requirements
PTA requires an IP in one of the following forms:
■ Static Address: A static IP address.
■ DHCP: If the organization has a DHCP server which dynamically allocates IP
addresses, verify with the organization’s IT that the PTA machine’s IP address is
locked.
DNS Requirements
■ DNS: A DNS address record that maps the host name PTAServer to the IP
address of the PTA machine. The DNS configured in PTA must recognize all the
machines from which PTA will receive syslog messages. PTA requires both the
Forward (A record) and Reverse (PTR record) lookup.
■ The domains should be on Windows Server 2008 and above, with Function level
2003 and above.
■ This applies both to domains and sub-domains.
LDAP/S Requirements
LDAP: PTA can integrate with LDAP to:
■ Enable LDAP authentication
■ Broaden and increase the accuracy of PTA detections
In order to integrate PTA with LDAP, define a group name in PTA which has the same
name as the group sAMAccountName, which appears in Active Directory.
Note:
To integrate with LDAP over SSL, create a dedicated security Base-64 encoded X.509
certificate.
LDAP login and query permission are required for the bind user.
Currently, PTA only integrates with Microsoft Active Directory LDAP.
Certificate Requirements
You can use the self-signed certificate created during PTA installation, or use your
organization's SSL certificate.
If you use your organization's SSL certificate:
■ The Certificate Signing Request (CSR) requires a Base-64 encoded X.509 SSL
certificate.
■ The SSL Certificate Chain requires a Base-64 encoded X.509 SSL certificate
■ The SSL Certificate Issuer Chain requires a Base-64 encoded X.509 SSL certificate
Integrate the Vault with SIEM and PTA: CyberArk Vault version 7.2.5 or higher.
Note:
Privileged Session Management integration works with lower versions of CyberArk
Vault, but without the ability to report Privileged Session Analysis results to PVWA.
Note:
In order for PTA to monitor activity of privileged accounts in Windows machines,
Windows security events 4624, 4723, and 4724 from each monitored Windows
machine must be forwarded to the SIEM and from the SIEM to PTA.
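The note above makes event forwarding a prerequisite. As an added example that is not part of this guide or of PTA, the following Python checks, per monitored host, which of the three required event IDs never arrived; it assumes the SIEM forwards syslog-style lines carrying the source host name and an EventID= token (sample lines are constructed).

```python
"""Check that every monitored Windows host forwards the security events PTA needs.

Added example (not CyberArk code). It assumes the SIEM forwards Windows
security events as syslog-style lines that carry the source host name and
an "EventID=<n>" token; the sample lines below are constructed for the demo.
"""
import re
from collections import defaultdict

# Event IDs the guide says PTA needs from each monitored Windows machine:
# 4624 (logon), 4723 (password change attempt), 4724 (password reset attempt).
REQUIRED_EVENT_IDS = frozenset({4624, 4723, 4724})

# Constructed sample of forwarded events (layout assumed; not a real SIEM export).
SAMPLE_LOG = """\
<13>Jan 10 08:01:02 dc01.example.local MSWinEventLog EventID=4624 LogonType=3 User=svc_backup
<13>Jan 10 08:01:05 dc01.example.local MSWinEventLog EventID=4723 User=jdoe
<13>Jan 10 08:02:11 dc01.example.local MSWinEventLog EventID=4724 Target=jdoe
<13>Jan 10 08:03:40 fs02.example.local MSWinEventLog EventID=4624 LogonType=2 User=admin
<13>Jan 10 08:04:00 fs02.example.local MSWinEventLog EventID=4672 User=admin
<13>Jan 10 08:05:13 app03.example.local MSWinEventLog EventID=4723 User=ops
garbage line without an event id
"""

# <PRI>Mon DD hh:mm:ss <host> ... EventID=<n>
LINE_RE = re.compile(
    r"^<\d+>\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(?P<host>\S+)\s+.*?EventID=(?P<eid>\d+)"
)


def parse_events(text):
    """Return {host: set(event_ids)} from forwarded syslog-style lines.

    Lines that do not match the expected layout are skipped rather than raised
    on, so one malformed message cannot stop the coverage check.
    """
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("host")].add(int(m.group("eid")))
    return dict(seen)


def coverage_report(seen, monitored_hosts):
    """For each host PTA should monitor, list the required IDs never observed.

    A host that is in monitored_hosts but absent from the log is reported as
    missing all three IDs, the usual symptom of a forwarder that is not running.
    """
    report = {}
    for host in monitored_hosts:
        observed = seen.get(host, set())
        report[host] = sorted(REQUIRED_EVENT_IDS - observed)
    return report


def hosts_with_gaps(report):
    """Hosts whose forwarding does not yet satisfy the PTA prerequisite."""
    return sorted(h for h, missing in report.items() if missing)


if __name__ == "__main__":
    monitored = ["dc01.example.local", "fs02.example.local",
                 "app03.example.local", "dc02.example.local"]
    rep = coverage_report(parse_events(SAMPLE_LOG), monitored)
    for host, missing in sorted(rep.items()):
        status = "OK" if not missing else "missing " + ", ".join(map(str, missing))
        print(f"{host}: {status}")
```

Run it against an export from the SIEM rather than the constructed sample to confirm that each monitored machine actually delivers all three IDs before relying on PTA's Windows detections.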
■ Unix: When collecting syslogs directly from Unix machines, PAM Unix is supported.
PAM Unix is supported by multiple Unix flavors, such as Red Hat Linux, HP-UX, and
Solaris.
Supported PAM Unix events include accepted public key, accepted password, and
session open.
■ Database: Oracle logon events are supported.
■ Network Sensor: Traffic is received from domain controllers in the environment.
■ Vault: Specific events are accepted. Supported device types are operating system
and database.
Note:
All blocked communication is logged to /var/log/iptables.log .
Port table (columns: #, Protocol, Source Port, Destination Port, Description). Only
fragments of the rows survived extraction:
session
2. UDP 514, 11514
2. UDP 514
window appears.
2. In the Files of Type list, select Open Virtual Machine Format Images (*.ovf,
*.ova).
3. Browse to the location of the PTA-Img-Server.ovf file, select it and then click Open.
4. Specify a name and choose a storage path for the new VM Image, or keep the default
values.
5. Click Import to begin the import process.
Progress is indicated in the progress window. When the import process is completed,
you can start using the VM Image from the main screen.
3. Browse to the location of the PTA-Img-Server.ovf file, select it and then click Next.
4. Make sure the displayed information is correct, then click Next.
5. Specify a name for the new VM Image, then click Next.
6. Select the resource pool where the template will be installed, then click Next.
Note:
To be able to perform this action, you must have root permission on the resource pool.
7. Select the datastore where the VM Image files will be stored, then click Next.
8. Select the storage format for the VM Image files, then click Next.
Note:
It is recommended to select the thick provisioned format, for maximum storage capacity.
3. Open the Hyper-V Manager and, in the list of Hyper-V servers, select the Hyper-V
server to which you will import the image.
4. From the Action menu, select New and then Virtual Machine…; the New Virtual
Machine wizard appears.
5. In the Specify Name and Location page, in the Name field, specify the name of the
new virtual machine.
6. In the Assign Memory page, in the Startup memory, specify the size of required
RAM memory in MB. For more information, see System Requirements for PTA,
page 7.
7. In the Configure Networking page, select the network connection to use.
8. In the Connect Virtual Hard Disk page, select Use an existing virtual hard disk,
then click Browse and select the unzipped *.vhd file.
9. Click Finish to create the new virtual machine and import the PTA image; the new
virtual machine appears in the list of virtual machines.
10. Select the new virtual machine, then from the Action menu, select Settings …; the
Settings window for the selected virtual machine appears.
11. In the Hardware list, select Processor; the Processor details appear.
12. Specify the number of virtual processors, as defined in System Requirements for
PTA, page 7, then click OK.
Install PTA
Following is a table which lists the individual steps in the PTA installation wizard.
The full procedure is directly below. See To Install PTA Using the Wizard:, page 18.
■ Active dormant user
[Step 13/18 – Optional Network sensor and PTA agent connection configuration]:
Before running the wizard for this step, make sure you have installed and configured
the Network Sensor. See Install PTA Network Sensors, page 53. Detections listed for
this step:
■ PAC attack
■ Overpass the Hash attack
■ Malicious retrieval of domain accounts
maintenance user configuration]
3. Enter the root user’s password, then enter a new password, and confirm it.
4. Navigate to the prepwiz folder using the PREPWIZDIR command.
5. At the command line, run the following command:
./run.sh
Note:
If you receive an error in any step, press Ctrl+C to exit the installation wizard, and run the
wizard again. When the wizard starts, you can select to resume the wizard from the step
where the error occurred.
a. Enter y to accept the terms of the agreement and proceed to the next step of the
wizard.
b. Or, enter n to exit the wizard.
8. Specify the network configuration.
[Step 2/18 – Network configuration]
a. If there is an existing IP address for the PTA Server, the following lines appear:
Found existing IP address:
Would you like to change the IP Address (y/n)?
iii. Enter the desired network interface. The following lines appear:
Specify the network configuration:
‘dhcp’ – To obtain an IP and DNS server address automatically
‘static’ – To set an IP address manually [dhcp]:
DNS configuration
Found existing DNS server 1.1.1.1
Testing configuration … ping – to perform verification of DNS
Configuration test was completed successfully
After the first DNS server is configured successfully, the following prompt
appears, enabling you to specify an additional DNS server.
Would you like to specify an additional DNS server (y/n)?
[n]:
b. Enter the IP address to set, then press Enter. The Netmask prompt appears.
Netmask [255.255.255.0]:
c. Enter the netmask to configure, then press Enter. The Gateway prompt
appears.
Gateway:
d. Enter a gateway that will be used as the default gateway, then press Enter. The
process verifies the Gateway and displays a confirmation.
Testing configuration … ping – to perform verification of
Gateway
Configuration test was completed successfully
At this point, the following prompt appears to specify the IP address of a DNS
server.
DNS configuration
Specify full domain name (e.g. "domain.com"):
There were no existing DNS servers found
Specify a DNS server address:
At this point, a prompt appears, enabling you to specify an additional DNS server.
Would you like to specify an additional DNS server (y/n)?
[n]:
k. Specify additional DNS servers as needed. When you have completed specifying
any additional DNS servers, press n when prompted.
11. Configure cross-domain mapping:
[Step 3/18 – Cross-domain names mapping configuration]
c. Enter the domain name and pre-Windows 2000 name, and then press Enter.
After the mapping is saved successfully, the following is displayed:
Configure another domain name with pre-Windows 2000 name
(y/n):
b. Enter the time zone, then press Enter. The date and time prompt appears.
Specify current date and time in 24h format “MM/DD/YYYY
hh:mm” (example: 11/21/2013 16:20):
c. Enter the current date and time using the format included in the prompt, then
press Enter. The following prompt appears, enabling you to synchronize the time
zone you are setting, with your NTP server.
Do you want to synchronize with NTP server (y/n)? [n]
d. Enter y to synchronize the time zone configuration with the NTP server.
e. Or, enter n to skip to [Step 5/18 – Database initialization] and finish the time zone
configuration without synchronizing with the NTP server.
f. If you specified y, the NTP server IP prompt appears:
Specify the NTP server IP:
13. The wizard automatically initializes the database that will be used for the Privileged
Threat Analytics solution:
[Step 5/18 – Database initialization]
Starting database
Database initialization finished successfully.
After this step has finished successfully, the installation proceeds to the next step.
14. The wizard automatically configures the internal components:
[Step 6/18 – Configuring internal components]
After this step has finished successfully, the installation proceeds to the next step.
15. Configure the connection to the Vault. This connectivity authorizes the Vault as a
source host. It enables forwarding data from the Vault to PTA, retrieving reports from
the Vault, and configuring Golden Ticket detection.
Note:
When PTA is configured with a Vault that is deployed in a Cluster environment, configure the
Virtual IP in the Vault Connection Configuration step.
When PTA is configured with a Vault that is deployed in a distributed environment, configure the
IP for the primary Vault in the Vault Connection Configuration step.
The Disaster Recovery Vault prompt appears, where you specify the relevant DR
Vault IP/s.
Would you like to configure Vault DR (y/n)?
Specify the Vault DR IP address. If there are multiple DR
servers, list all the IPs separated by a comma.
IP/s:
d. Enter y to configure the DR Vault, making sure to use a comma if there are
multiple DR Vault servers, then press Enter.
e. Or, enter n to continue.
f. Specify the Username and Password of the Vault user who will create the PTA
environment in the Vault. This user must have administrator permissions.
Specify Vault username and password.
This user must have administrator permissions, and it will be
used to update the environment required for the PTA in the
Vault server.
Username [Administrator]:
Password:
Retype password:
The PTA environment is now created in the Vault. During this process, the PTA
Vault users are created to manage PTA activity in the Vault.
Note:
The PTAApp Vault user is created for Vault v9.6 and above.
If you receive an error in this step, press Ctrl+C to exit the installation wizard, and run the wizard
again. When the wizard starts, you can select to resume the wizard from this point.
16. If you configured the connection to the Vault, you are prompted to configure the Vault
activities report:
[Step 8/18 - Loading user and safe activities report]
After the activity report was created and loaded successfully, a confirmation is
displayed and the installation proceeds to the next step.
User and safe activities report loading was completed
successfully.
17. If you configured the Vault activities report, you are prompted to create baselines for
the Privileged Threat Analytics algorithms:
[Step 9/18 – Baselines creation]
18. If you configured the connection to the Vault, you are prompted to load the Vault
inventory report:
[Step 10/18 - Loading inventory report]
19. After configuring the Vault inventory report, the installation automatically launches
an address resolving process:
[Step 11/18 – Resolving Addresses]
Note:
When PTA is configured with Vaults deployed in a Cluster environment, also add the External IPs
for all Vaults in all Clusters.
When PTA is configured with Vaults deployed in a distributed environment, also add the IPs for all
satellite Vaults.
Note:
Before you configure PTA Network Sensors, you must have already installed and
configured the Network Sensor. See Install PTA Network Sensors, page 53.
The PTA Server must be configured with each PTA Network Sensor that was
installed. The following appears.
Configure the connection to the PTA Network Sensors:
The PTA Server must be configured with each PTA Network
Sensor that was installed.
Press [y] to configure a PTA Network Sensor. Press [n] to
skip this step:
k. If you have more than one Network Sensor, press y to continue specifying the IP
of each machine on which each PTA Network Sensor was installed.
l. When you have completed specifying the PTA Network Sensors, press n.
22. If you configured the PTA Network Sensor connection or the PTA Windows
Agent connection, the Golden Ticket detection prompt appears.
Note:
Before you configure Golden Ticket detection, you must have already installed and
configured the Network Sensor. See Install PTA Network Sensors, page 53. Specifically, the
following:
Stage 1: Adding Privileges to the Domain User , page 1
Stage 2: Adding the Domain User as an Account, page 1
Note:
This step only appears if the PTAApp Vault user was not created in [Step 7/18 – Vault connection
d. Define the domain name to monitor for the Golden Ticket detection, and one of
its Domain Controller IPs.
PTA can monitor either a domain and its sub-domains, or a
single domain.
Specify the domain name to monitor:
Domain name:
Would you like to monitor the domain and its sub-domains?
(y/n)?
After specifying the domain name to monitor, specify whether to also monitor the
sub-domains.
e. Enter y to monitor the domain name and its sub-domains.
f. Or, enter n to monitor only the specified domain name.
g. If you entered y, you must specify the relevant Enterprise Admin account path
and its domain name.
Specify the relevant Enterprise Admin account path (Safe
name, Folder path, File name) and its' domain name.
Or, specify a path to an account which has Replicate
permissions in the monitored domain and its sub-domains.
The Enterprise Admin account will only be used for the
monitored domains.
Safe name:
Folder path:[Root]
File name:
Account Domain name:
h. If you entered n, you must specify one of the Domain Controller IPs and its
relevant Domain Admin account.
To do this, in the Active Directory define a user with the following privileges:
■ Replicating Directory Changes
■ Replicating Directory Changes All
■ Replicating Directory Changes In Filtered Set
After configuring the domain to monitor and one of its Domain Controller IPs, one
of the following messages is displayed:
■ If the safe was already configured with this user, the following message
is displayed:
PTA App Vault user ownership on the mentioned safe was
already defined.
■ If the safe was not already configured with a user, you are requested to
specify a Vault user who has owner permissions on the mentioned safe.
Specify Vault username and password.
This user must have owner permissions on the mentioned safe.
This user will be used to manage the PTA App Vault user
ownership on the safe.
Username:
Password:
Retype password:
i. Enter the username and password of the Vault user who has owner permissions
on the mentioned safe.
After completing this step, you will be asked if you want to specify an additional
domain.
Would you like to monitor an additional domain (y/n)? [n]:
a. Enter y to configure email notifications, then press Enter. These notifications will
be sent when the Privileged Threat Analytics solution detects anomalies.
b. Or, enter n to continue directly to [Step 16/18 – PTA maintenance user
configuration].
c. If you entered y, the email server IP address prompt appears.
Enter the IP address of the email server in your organization, then press Enter.
Specify the email server IP address:
d. Enter the port of the SMTP server, then press Enter. The following prompt
appears.
Specify the sender’s email address (in the following format:
user@domain.com):
e. Specify the email address, in lowercase characters, of the user whose name will
be included as the sender in notifications, then press Enter. The following prompt
appears.
Specify the recipient’s email address (in the following
format: user@domain.com). Separate multiple addresses with
‘;’ (semi-colon):
i. Enter the user name and password of the user in the email system who will send
notifications, then press Enter. After the sender’s credentials are saved
successfully, the following confirmation is displayed.
The sender's credentials saved successfully.
After installation, you can use this user to perform maintenance activities on the
PTA machine.
b. After this user has been created and its user credentials are saved successfully,
the following confirmation is displayed, and the installation proceeds to the next
step.
PTA maintenance user was created successfully.
The certificate contains the hostname of the server. The hostname must not be
changed, or the certificate becomes invalid.
After a self-signed certificate is generated successfully, confirmation is displayed, and
the installation proceeds to the next step.
26. The installation automatically initializes the Privileged Threat Analytics solution.
[Step 18/18 – PTA initialization]
8. Click Next to continue to the next step in the wizard. The Certificate Store window
appears.
By default, Place all certificates in the following store appears selected and the
certificate store name is displayed.
9. Leave the default settings, and click Next to continue to the final step in the wizard.
The Completing the Certificate Import Wizard window appears and displays the
details of the selected certificate.
11. Click Yes to install the certificate. When the installation is successful, a confirmation is
displayed.
12. Click OK to close the confirmation box and complete the certificate import process.
13. Shut down all running instances of Internet Explorer, then restart Internet Explorer.
Note:
If you have imported the self-signed certificate on Internet Explorer, you do not need to
import it again on Chrome.
1. Make sure you first followed the steps in the previous procedure, Validate the Self-
signed Certificate on your Browser, page 32.
2. As an administrative user, run PTA on Chrome using the following URL:
https://ptaserver.
3. From the Chrome menu, select Settings and then Show advanced settings.
4. In the HTTPS/SSL section, click Manage Certificates. The Certificates screen is
displayed.
5. Display the Trusted Root Certification Authorities tab, then click Import. The
first screen of the Certificate Import Wizard is displayed.
9. Click Next to continue to the next step in the wizard. The Certificate Store window
appears.
By default, Place all certificates in the following store is selected and the
certificate store name is displayed.
10. Keep the default settings and click Next to continue to the final step in the wizard. The
Completing the Certificate Import Wizard window appears and displays the details of
the selected certificate.
12. Click Yes to install the certificate. When the installation is successful, a confirmation is
displayed.
13. Click OK to close the confirmation box and complete the certificate import process.
14. Shut down all running instances of Chrome, then restart Chrome.
7. Find the ca-cyberark.cert certificate file, then click Open. The certificate is added to
the list in the Servers tab.
8. Select the PTAServer certificate in the list, then click Edit Trust; the Edit website
certificate trust settings window is displayed.
Note:
You can enter multiple alternative DNS and/or IP values in the Subject Alternative
Names field. The format is <field name>:<alternative_name>,<field
name>:<alternative_name>. For example,
dns:pta.com,ip:10.10.10.10,dns:pta2.com,ip:11.11.11.11
The Certificate Signing Request (CSR) is created in the pta_server.CSR file located
at /opt/tomcat/ca.
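The note above gives the Subject Alternative Names string a fixed shape. As an added example that is not part of this guide or of the PTA utility, the following Python parses that exact format, validates each dns/ip entry, and checks that the name clients will use is covered; the OpenSSL-style output line and the helper names are assumptions.

```python
"""Parse and validate the Subject Alternative Names string in the PTA CSR note.

Added example (not CyberArk code). It handles the format quoted in the note:
"<field name>:<alternative_name>" entries separated by commas, with field
names dns and ip. The OpenSSL-style rendering is an assumption about how such
a list is commonly consumed, not something the PTA utility is documented to emit.
"""
import ipaddress
import re

# RFC 1123 host-name label: 1-63 alphanumerics or hyphens, not starting/ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_dns_name(name):
    """Syntactic check for a host name; wildcards are rejected on purpose."""
    if not name or len(name) > 253 or "*" in name:
        return False
    return all(_LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def parse_san(san_string):
    """Return a list of (field, value) pairs, or raise ValueError naming the bad entry.

    Validation: field must be dns or ip (case-insensitive), DNS names must be
    valid host names, IP values must parse as IPv4 or IPv6, and duplicates are
    rejected so the certificate does not carry redundant names.
    """
    entries = []
    for raw in san_string.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing comma or a doubled separator
        if ":" not in raw:
            raise ValueError(f"entry {raw!r} is not in <field name>:<alternative_name> form")
        field, value = raw.split(":", 1)  # IPv6 values keep their own colons
        field = field.strip().lower()
        value = value.strip()
        if field == "dns":
            if not _valid_dns_name(value):
                raise ValueError(f"invalid DNS name {value!r}")
            value = value.lower()
        elif field == "ip":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                raise ValueError(f"invalid IP address {value!r}") from None
        else:
            raise ValueError(f"unsupported field name {field!r} (expected dns or ip)")
        if (field, value) in entries:
            raise ValueError(f"duplicate entry {field}:{value}")
        entries.append((field, value))
    if not entries:
        raise ValueError("no Subject Alternative Names given")
    return entries


def to_openssl_san(entries):
    """Render entries as an OpenSSL subjectAltName value (assumed consumer format)."""
    return ", ".join(f"{'DNS' if f == 'dns' else 'IP'}:{v}" for f, v in entries)


def san_covers_host(entries, hostname):
    """True if the name users will type (for example PTAServer) is among the DNS entries."""
    return ("dns", hostname.lower()) in entries


if __name__ == "__main__":
    sample = "dns:pta.com,ip:10.10.10.10,dns:pta2.com,ip:11.11.11.11"  # value from the note
    parsed = parse_san(sample)
    print(to_openssl_san(parsed))
    print("covers PTAServer:", san_covers_host(parsed, "PTAServer"))
```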
5. Start the PTA utility by running the following command:
/opt/tomcat/utility/run.sh
6. Select 15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server
certificates).
7. Specify the SSL certificate chain details.
The SSL Certificate Chain is created.
8. Run the service appmgr restart command to restart PTA.
Note:
Running the wizard more than once is not recommended.
If PTA is already installed and you need to run the PTA wizard again, you must first stop all
PTA processes before you run the installation wizard again.
To Stop all PTA Processes:
1. Run the PTA utility, using the following command:
/opt/tomcat/utility/run.sh
Note:
The Ptadcaserverd process runs only when the PTA Windows Agent is enabled. The
Ptacasosservicesd process runs only when Golden Ticket detection is enabled.
5. To send a test email, log on to the PTA machine using the root user and run the
following command:
/opt/diag-tool/ptaInternalDiagTool.sh email –send
If no error is shown on the screen, check your inbox for the test mail.
■ (Optional) Review PTA Windows Agent installation troubleshooting procedures.
Reference: Troubleshoot PTA Windows Agent Installation, page 49.
Note:
Create a dedicated Base-64 encoded X.509 SSL certificate.
Note:
If the Cryptography tab is missing, navigate to the Request Handling tab.
Note:
Specify Common Name as the Subject Name Type. The new certificate must be unique on
the machine.
Repeat this step on every machine where the PTA Windows Agent will be installed.
Note:
If you do not enter a value for the PTA Management Port, the default value of 7514 is
used.
Note:
If you do not enter a value for the PTA Data Port, the default value of 6514 is used.
If you select Y, the PTA Windows Agent analyzes Windows events. If you select N,
the PTA Windows Agent analyzes Network data.
10. The CLI command for installing the PTA Windows Agents is created. For your
convenience, a copy of the CLI command is created in the
PTAAgentInstallerOutput.txt file in the same location as the MSI file.
The CLI command for silent installation has been created
successfully. Run the following command as an Administrator to
install the Agents on your DCs or WEF server. This command can
also be found in the PTAAgentInstallerOutput.txt file in the
current directory.
"PrivilegedThreatAnalyticsAgent.msi" /qn /L*v "c:\Install.log" DATA_ANALYSIS=Windows_Logs PTA_IP="198.196.10.10" DATA_PORT=6514 CONTROL_PORT=7514 TRUSTED=true CLIENT_AUTH=true SUBJECT_NAME="DomainController.domain.com" DATA_ANALYSIS=Network_Tapping
5. Continue with From the PTA Server or the Domain Controller:, page 50.
Note:
If there are no Agents configured in your environment, the PTAAgentAdmin utility ends.
Configured:
Server IPv4 Address: 127.0.0.1
4. Continue with From the PTA Server or the Domain Controller:, page 50.
Note:
To disable Server verification add the Server_Verification_Required=false row under
[DCInfo] .
Note:
To install PTA without the Network Sensor, see Install PTA, page 6.
■ Add the Domain user as an Account in the PVWA: In the PVWA, add this account and
configure it to be managed automatically by the CPM to store the privileged domain
user in the Vault. (Mandatory for Golden Ticket detection.) Reference: Stage 2: Add
the Domain User as an Account, page 58.
■ Deploy and configure PTA Network Sensor: Deploy the Network Sensor, depending
on the machine at your site; VM or physical machine. Reference: Stage 3: Deploy the
PTA Network Sensor, page 59.
■ Verify the PTA Network Sensor deployment: Run a diagnostic tool to verify the PTA
Network Sensor installation and deployment. This step is optional. Reference:
(Optional) Verify PTA Network Sensor Deployment, page 69.
■ Install and configure PTA: Using the PTA wizard, install and configure PTA,
including the Network Sensor. Reference: Install PTA, page 6.
VM: Support VMware ESXi version 5.5 and higher, hardware version 8 and
higher.
Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.
Physical Hardware / Requirement
■ RAM: 8GB
■ CPU: 8 cores
■ Traffic Monitoring NIC: The physical or virtual network interface that listens to the
network traffic.
Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.
Physical Hardware / Requirement
■ RAM: 4GB
■ CPU: 4 cores
■ Traffic Monitoring NIC: The physical or virtual network interface that listens to the
network traffic.
Hardware / Requirement
Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.
■ RAM: 8GB
■ CPU: 8 cores
■ VM Network Driver: VMXNET3
Note:
It is recommended to run the PTA Network Sensor in the Standard recommended
configuration, in order to allow PTA to scale up to the expected network traffic load.
Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.
■ RAM: 4 GB
■ CPU: 4 cores
■ Hard Disk Storage: 40 GB (SSD is recommended)
■ VM Network Driver: VMXNET3
Note:
It is recommended to run the PTA Network Sensor in the Standard recommended
configuration, in order to allow PTA to scale up to the expected network traffic load.
Note:
The account can be configured in the PVWA, or by any other method. For further
information, see the Privileged Account Security Implementation Guide.
2. Write down the Safe and Account names as you will need them when configuring
Golden Ticket detection in the PTA installation ([Step 14/18 – Golden Ticket detection
configuration], page 27 in the PTA wizard).
3. Continue to Stage 3: Deploy the PTA Network Sensor, page 59.
Note:
The PTA Network Sensor machine is hardened for security reasons. As such, you can
only log on to it using the admin user.
4. You are prompted to set a new password for the admin user.
5. Change the user to root by using the following command: su -
Enter the same password: DiamondAdmin123!
6. You are prompted to set a new password for the root user.
7. Navigate to the directory: /opt/ag/bin
8. Run the command ./ns_setup.sh.
a. Select and enter the management interface name: ens192
b. Enter the Static IP.
Note:
The NTP server used with the PTA Network Sensor server must be the same server
used with the PTA server.
Change / To
■ Memory: 4GB
■ CPU: 4 cores
■ Procedure A: Installing Linux CentOS, page 62
■ Procedure B: Installing the PTA Network Sensor Add-ons, page 62: The PTA Network
Sensor software requires additional packages to be installed on the machine. This
procedure must only be performed once.
■ Procedure C: Hardening the PTA Network Sensor Machine, page 65: This step removes
unnecessary software and limits the access to the PTA Network Sensor.
Note:
The installation steps can be performed on a VM as well. However, it is highly
recommended to use the PTA Network Sensor virtual appliance for VM.
Note:
The NTP server used with the PTA Network Sensor server must be the same server
used with the PTA server.
Note:
Do not install additional software on this device that is not related to the PTA Network
Sensor.
3. Navigate to and download the package files using the SCP utility.
4. In the command line, change the directory to the path where the add-on files were
saved.
5. To verify that the installation add-on scripts can be executed, run the following
command:
chmod +x *.sh
7. Follow the steps that appear in the installation wizard, and when prompted, press y to
verify that all the tasks were done and completed successfully.
When the verification is complete, the message Done Successfully appears.
See the following example:
[root@localhost ag_pkg_v<#>]# ./ag_pkg_inst.sh
Installing ./ag_pkg_v<#>.tgz, Please wait...
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.
PHP... [ FAIL ]
Executing task: './tasks/Packages/task012.sh ' - Verifying
phpMyAdmin... [ FAIL ]
Executing task: './tasks/Packages/task013.sh ' - Verifying
Log4Cxx... [ FAIL ]
Executing task: './tasks/Packages/task014.sh ' - Verifying
/home/AG_TLV... [ FAIL ]
Executing task: './tasks/Packages/task020.sh ' - Verifying
pciutils package... [ FAIL ]
Executing task: './tasks/Packages/task021.sh ' - Verifying
internal NIC IP & MTU... [ FAIL ]
Executing task: './tasks/Packages/task022.sh ' - Verifying
crontab... [ OK ]
Executing task: './tasks/Packages/task023.sh ' - Verifying
'admin' user... [ FAIL ]
Executing task: './tasks/Packages/task025.sh ' - Verifying
incron... [ FAIL ]
Executing task: './tasks/Packages/task026.sh ' - Verifying
shadow file is readable... [ FAIL ]
Executing task: './tasks/Packages/task027.sh ' - Verifying
'broker' user... [ FAIL ]
Executing task: './tasks/Packages/task028.sh ' - Verifying
Shellshock security issue... [ OK ]
Executing task: './tasks/Packages/task029.sh ' - Check Prelink
... [ FAIL ]
Executing task: './tasks/Packages/task031.sh ' - Verifying net-
tools... [ FAIL ]
Executing task: './tasks/Packages/task032.sh ' - Disable "You
have mail..." message... [ FAIL ]
Executing task: './tasks/Packages/task033.sh ' - Verifying
openssh clients... [ OK ]
Executing task: './tasks/Packages/task034.sh ' - Verfying
/home/ag... [ FAIL ]
Executing task: './tasks/Packages/task037.sh ' - Verifying
rsync... [ FAIL ]
Executing task: './tasks/Packages/task038.sh ' - Verifying vim-
common... [ FAIL ]
Executing task: './tasks/Packages/task039.sh ' - Verifying
tmpwatch... [ FAIL ]
Executing task: './tasks/Packages/task040.sh ' - Verifying DPDK
environment... [ FAIL ]
Executing task: './tasks/Packages/task041.sh ' - Verifying UI
Images... [ FAIL ]
- 7. Fixed tasks: 0
- 8. Warning tasks: 0
- 9. Other tasks: 0
-
----------------------------------------------------------------
-------------------
Would you like to fix issues ('y' key = Yes / Other key = No) ?
y
2. Follow the hardening installation wizard, and when prompted, press y to verify that all
the tasks were done and completed successfully.
a. When the verification is complete, the message Done Successfully appears.
b. See the below example:
[root@localhost ag_pkg_v<#>]# ./ag_pkg_inst.sh security
Installing ./ag_pkg_v<#>.tgz, Please wait...
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.
Do you accept all terms of the Usage Agreement (y/n)?
If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept
this agreement.
yStarting, please wait...
Welcome to automatic installation procedure. Ver.<#>
Executing procedure number: 2 - Security
================================================================
Running Verification Tasks for 'Security'...
Executing task: './tasks/Security/task000.sh ' - Verify 'ROOT'
login [ OK ]
Executing task: './tasks/Security/task001.sh ' - Verifying
Network Interfaces... [ OK ]
Executing task: './tasks/Security/task003.sh ' - Verifying
Linux version, expecting 'Centos 7.0 64 bit'... [ OK ]
Executing task: './tasks/Security/task004.sh ' - Verifying
IPTables configuration ... [ FAIL ]
Executing task: './tasks/Security/task005.sh ' - Verifying no
dhclient... [ FAIL ]
Executing task: './tasks/Security/task006.sh ' - Verifying
Shellshock security issue... [ OK ]
Executing task: './tasks/Security/task008.sh ' - Verifying
users... [ OK ]
Executing task: './tasks/Security/task009.sh ' - Verifying no
direct 'root' via SSH... [ FAIL ]
Executing task: './tasks/Security/task010.sh ' - Verifying SSH
protocol 2 only... [ FAIL ]
Executing task: './tasks/Security/task011.sh ' - Verifying
SELINUX Enabled ... [ OK ]
Executing task: './tasks/Security/task013.sh ' - Disable
IPv6... [ FAIL ]
Executing task: './tasks/Security/task015.sh ' - Disable
master smtp... [ OK ]
Executing task: './tasks/Security/task016.sh ' - Verifying
'grub' password protected... [ FAIL ]
Executing task: './tasks/Security/task017.sh ' - Disable USBs
interfaces... [ FAIL ]
Executing task: './tasks/Security/task019.sh ' - Disable
swap... [ OK ]
Executing task: './tasks/Security/task020.sh ' - Verifying NTP
Configuration... [ OK ]
Executing task: './tasks/Security/task021.sh ' - Verifying
HTTP Daemon 'ServerName'... [ FAIL ]
Executing task: './tasks/Security/task023.sh ' - Verifying PHP
(expose_php)... [ FAIL ]
Executing task: './tasks/Security/task024.sh ' - Check only
SSH/NTP/ICMP server listen to mgmt. port... [ FAIL ]
Executing task: './tasks/Security/task029.sh ' - Check
secured mariaDB... [ FAIL ]
Executing task: './tasks/Security/task031.sh ' - Verifying no
telnet... [ OK ]
Executing task: './tasks/Security/task032.sh ' - Verifying no
TFTP client... [ OK ]
Executing task: './tasks/Security/task033.sh ' - Verifying no
TCP dump... [ OK ]
Executing task: './tasks/Security/task035.sh ' - Verifying no
Ser2Net... [ OK ]
Executing task: './tasks/Security/task036.sh ' - Verifying no
FTP... [ OK ]
Executing task: './tasks/Security/task037.sh ' - Verifying no
sshpass... [ OK ]
Executing task: './tasks/Security/task038.sh ' - Verifying no
wget. [ OK ]
Executing task: './tasks/Security/task039.sh ' - Verifying no
PCI utils... [ OK ]
Executing task: './tasks/Security/task040.sh ' - Disable
Ctrl+Alt+Del reboot function... [ FAIL ]
Executing task: './tasks/Security/task042.sh ' - Verify
Note:
To access the NIC names, use the command ip a.
3. Log on to the PTA Network Sensor device as admin, and enter the password
admin123.
4. Change the user to root by using the following command: su -
5. Enter the root password. This is the root password you entered in Procedure B:
Installing the PTA Network Sensor Add-ons, page 62.
6. Download the installation files into the device using the SCP utility.
7. In the command line, change the directory to the path where the add-on files were
saved.
8. To verify that the installation script can be executed, run the following command:
chmod +x *.sh
9. Execute the installation script by running the command: ./ag-nms-inst.sh
10. Follow the steps that appear in the installation wizard.
See the PTA Network Sensor installation wizard example below.
11. When the installation wizard ends successfully, reboot the PTA Network Sensor
machine.
The PTA Network Sensor installation and configuration on the physical machine is
complete. See the PTA Network Sensor installation wizard example:
[root@localhost B<#>]# ./ag-nms-inst.sh
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.
Do you accept all terms of the Usage Agreement (y/n)?
If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept
this agreement.
y
Installing AG-NMS[Management] Version <#> Build <#>
Please enter PTA Network Sensor's interfaces
(lo|eno16780032|eno33559296): eno33559296
................................................................
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
y
Rebooting system.
3. Review each line in the log and when necessary, perform the suggested action.
Make sure there are no ERRORS.
Example of the diagnostic tool script:
[root@localhost ~]# /opt/ag/bin/ns_diag.sh
[root@localhost ~]#
Note:
To add Golden Ticket functionality, the Vault user and Network Sensors or PTA Windows
Agents must be configured.
If the Vault user is already configured, or if Network Sensors and PTA Windows Agents are
already configured, specify n in the first question of the relevant steps, then specify y to add
Golden Ticket detection functionality.
Caution:
To configure additional Network Sensors, a PTA Windows Agent connection, or
both with Golden Ticket detection, do NOT perform the below procedure! Instead,
follow the procedure Add PTA Network Sensor Coverage or a PTA Windows Agent
connection with Golden Ticket Detection , page 73.
A message appears informing you that configuring additional PTA Network Sensors,
a PTA Windows Agent connection, or both on the PTA Server is optional.
[Step 1/1 - Network sensor connection and PTA agent
configuration]
This step is optional. Would you like to configure it (y/n)?: y
9. Enter the IP, then press Enter. The following message is displayed:
The PTA Network Sensor was configured successfully
Press [y] to configure a PTA Network Sensor. Press [n] to skip
this step [y]:
10. If you have more than one Network Sensor, press y to continue specifying the IP of
each machine on which each PTA Network Sensor was installed.
11. When you have completed specifying the PTA Network Sensors, press n, then press
Enter to exit the Network Sensor configuration.
Verify the configuration
Run the PTA diagnostic tool using the RUN_DIAGNOSTICS command to verify that
PTA works properly with the new configuration.
Note:
To add Golden Ticket functionality, the Vault user and Network Sensors or PTA Windows
Agents must be configured.
If the Vault user is already configured, or if Network Sensors and PTA Windows Agents are
already configured, specify n in the first question of the relevant steps, then specify y to add
Golden Ticket detection functionality.
Caution:
To add only Network Sensor coverage, a PTA Windows Agent connection, or both
without Golden Ticket detection, do not perform the below procedure! Instead,
follow the procedure Add PTA Network Sensor Coverage or a PTA Windows Agent
connection, page 72.
Configure the Vault connection to authorize the Vault as a source host. Do this if you
need to define one of the following:
■ Forwarding data from the Vault
■ Retrieving Vault reports
■ Configuring Golden Ticket detection
3. To configure the Vault connection, specify y. A message appears requesting that
you specify the Vault server’s IP and port number.
Specify the Vault server's IP address and port number.
IP: 10.10.10.10
Port [1858]:
Note:
When PTA is configured with a Vault that is deployed in a distributed environment,
configure the IP for the primary Vault in the Vault Connection Configuration step.
b. Specify the Vault server’s Port number 1858, then press Enter.
A message appears asking if you want to define the Vault server’s DR.
Would you like to configure Vault DR (y/n)? n
4. To configure the Vault DR, specify y, making sure to use a comma if there are
multiple DR Vault servers, then press Enter.
5. To skip this step, specify n. A message appears requesting you to define the Vault
username and password.
Specify Vault username and password.
This user must have administrator permissions, and it will be
used to update the environment required for the PTA in the Vault
server.
Username [Administrator]:
Password:
Retype password:
This user must have administrator permissions as this user will be used to update
the environment required for PTA in the Vault server.
a. Specify the Vault Administrator Username.
b. Specify the Vault Administrator Password, and retype the Password then press
Enter. The following message appears.
Creating PTA Vault User.
PTA Vault User created successfully.
c. Specify the Vault time zone. For a list of available time zones, specify help. See
also Time Zones, page 128.
d. Press Enter. A message appears informing that the Vault configuration
completed successfully.
Vault configuration finished successfully.
b. If you have more than one Network Sensor, press y to continue specifying the IP
of each machine on which each PTA Network Sensor was installed.
c. When you have completed specifying the PTA Network Sensors, press n, then
press Enter.
The Golden Ticket detection configuration step appears.
[Step 3/3 - Golden Ticket detection configuration]
This step is optional. Would you like to configure it (y/n)?:
y
15. Specify the Username and Password of the Vault user who has owner permissions
on the mentioned safe.
This user must have Administrator permissions as this user will be used to update
the environment required for PTA in the Vault server.
16. Retype the Password, then press Enter. The following message appears.
Creating PTA App Vault User.
PTA App Vault User created successfully.
You are requested now to define a domain to monitor for the Golden Ticket detection.
PTA can monitor either a domain and its sub-domains, or a single
domain.
Specify the domain name to monitor:
Domain name:
Would you like to monitor the domain and its sub-domains? (y/n)?
After specifying the domain name to monitor, specify whether to also monitor the sub-
domains.
Enter y to monitor the domain name and its sub-domains.
Or, enter n to monitor only the specified domain name.
If you entered y, you must specify the relevant Enterprise Admin account path
and its domain name.
Specify the relevant Enterprise Admin account path (Safe name,
Folder path, File name) and its' domain name.
Or, specify a path to an account which has Replicate permissions
in the monitored domain and its sub-domains.
The Enterprise Admin account will only be used for the monitored
domains.
Safe name:
Folder path:[Root]
File name:
Account Domain name:
If you entered n, you must specify the IP of one of the Domain Controllers and its
relevant Domain Admin account.
To do this, in the Active Directory define a user with the following privileges:
■ Replicating Directory Changes
■ Replicating Directory Changes All
■ Replicating Directory Changes In Filtered Set
Specify one of the Domain Controllers IP’s and relevant Domain
Admin account path (Safe name, Folder path, File name).
Or, specify a path for an account with Replicate permissions
required for this domain.
Domain Controller IP:
Safe name:
Folder path:[Root]
File name:
■ If the safe was already configured with this user, the following message is
displayed:
PTA App Vault user ownership on the mentioned safe was
already defined.
■ If the safe was not already configured with a user, you are requested to
specify a Vault user who has owner permissions on the mentioned safe.
Specify Vault username and password.
This user must have owner permissions on the mentioned safe.
This user will be used to manage the PTA App Vault user
ownership on the safe.
Username:
Password:
Retype password:
Enter the username and password of the Vault user who has owner permissions on
the mentioned safe.
After completing this step, you will be asked if you want to specify an additional
domain.
Would you like to monitor an additional domain (y/n)?: n
18. The system shuts down, then restarts. Press OK to exit all utilities.
Exiting utility.
[ OK ]
System restart complete.
[root@PTAServer ~]#
Upgrade PTA
Upgrade is supported from version 3.0 and higher. Use the below workflow:
Upgrade to PTA v3.0 (Mandatory if you are upgrading from below version 3.0): If you are upgrading from below PTA v3.0, you must first upgrade to PTA v3.0. See Upgrade to PTA Version 3.0, page 81.
Upgrade to PTA version 3.5 (Mandatory if you are upgrading from below version 3.5): Use this procedure to upgrade from version 3.0 and higher. See Upgrade to PTA Version 3.5, page 83.
Add PTAApp: To send PTA alerts to the Vault, add the PTAApp. See Post Upgrade.
Upgrade PTA Network Sensors (Mandatory for Network Sensors): Use this procedure to upgrade the PTA Network Sensors at your environment. See Upgrade PTA Network Sensor Software, page 95.
Note:
Do not snapshot the virtual machine's memory.
2. On the PTA system console, log in as the root user using the password you specified
for the root user during installation.
3. Using WinSCP or a similar tool, copy the following files from the CyberArk PTA
upgrade package to the /tmp directory of the PTA machine:
■ upgradeManager.sh.
■ upgrade_releases.tar.gz
4. Change the upgradeManager.sh file permissions by running the following
command:
chmod 700 /tmp/upgradeManager.sh
The PTA starts the upgrade process and displays output according to the PTA
version currently installed at your site.
PTA installs each PTA version in increments, until it finally installs the version to
which you are upgrading.
****************************************************************
****************************************************************
Checking current version...
The current PTA version is <version currently being installed>
## Stopping application services...
## Application services were successfully stopped
************* completed 1/1 <PTA version installed>
*************
## Starting application services...
## Application services started successfully.
If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number in which the error
occurred.
Note:
When upgrading to version 2.6.4, the upgrade process issues the following message
which you can ignore.
cp : cannot stat '/opt/ag/conf/*': No such file or directory
6. The PTA upgrade process is now finished and the following confirmation is
displayed:
## Upgrade process finished successfully.
7. If the PTA upgrade process does not complete successfully, revert the PTA machine
using the snapshot that was saved in Step 1.
a. At the command line, in the /opt/tomcat/utility/ folder, run the
vaultConfiguration.sh command to reconfigure the Vault connection.
Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.
To Upgrade PTA:
1. Save a snapshot of the PTA image.
2. On the PTA system console, log in as the root user using the password you
specified for the root user during installation.
3. Using WinSCP or a similar tool, copy the following files from the CyberArk PTA
upgrade package to the /tmp directory of the PTA machine:
■ pta_upgrade.sh
■ pta_upgrade-3.5.0.tgz
4. Change the pta_upgrade.sh file permissions by running the following command:
chmod 700 /tmp/pta_upgrade.sh
PTA starts the upgrade process and displays output according to the PTA version
currently installed at your site.
Welcome to Privileged Threat Analytics version 3.5 upgrade tool.
Upgrade is supported from version 3.0 and above.
6. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.
7. The PTA upgrade process is now complete and the following confirmation is
displayed:
8. If the PTA upgrade process does not complete successfully, revert the PTA machine
using the snapshot that was saved in Step 1.
a. At the command line, in the /opt/tomcat/utility/ folder, run the
vaultConfiguration.sh command to reconfigure the Vault connection.
Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.
b. If PTA is installed with Network Sensors, revert the Network Sensors using the
snapshot that was saved in Step 1.
c. If PTA is installed with Golden Ticket Detection configured, run the
goldenTicketConfiguration.sh command to reactivate the PTAApp Vault user.
Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.
Note:
You must install PTA v3.6 with CentOS 7 on a separate machine.
The migration script runs in the background. The script can run for up to a few hours. Refer to the
migration log (/tmp/migrate_centos6_to_centos7.log) for details on the progress of the script.
Important messages are also written to the screen.
To migrate to CentOS 7:
1. Save a snapshot of the PTA image with CentOS 7 on the new PTA machine.
2. At a command line, in the /opt/tomcat/utility/ folder, run the following command:
./migrate_centos6_to_centos7.sh
The migration script begins. The script can run for up to a few hours.
Before running the migration, save a snapshot of the PTA image
on the new (CentOS 7) PTA machine.
While the migration script runs in the background, the existing
(CentOS 6) PTA machine will be down and you will not receive any
data.
After the migration process ends successfully, all PTA data will
be contained on the new PTA machine, with PTA version 3.6.
Note:
The existing (CentOS 6) PTA machine must have version 3.5 of PTA installed. If the
script cannot connect to the existing (CentOS 6) PTA machine after three attempts,
contact your administrator.
4. The migration script opens SSH port 22 on the new PTA machine to migrate the data
from the existing (CentOS 6) PTA machine.
Opening port 22 on the new (CentOS 7) PTA machine for SSH
communication with the existing (CentOS 6) PTA machine.
6. If there is no NTP server configuration on the existing PTA machine, the following
prompt appears.
Note:
If there is an NTP server configuration on the existing PTA machine, the migration script
copies the NTP server configuration to the new PTA machine.
Note:
If you entered n, the migration script copies the date and time from the existing
PTA machine to the new PTA machine.
a. Enter the time zone, then press Enter. The date and time prompt appears.
Specify current date and time in 24h format “MM/DD/YYYY
hh:mm” (example: 11/21/2013 16:20):
b. Enter the current date and time using the format included in the prompt, then
press Enter. The following prompt appears, enabling you to synchronize the time
zone you are setting, with your NTP server.
Do you want to synchronize with NTP server (y/n)? [n]
9. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.
Note:
If the data migration process does not complete successfully, revert the new PTA
machine using the snapshot that was saved in Step 1 and rerun the migration script.
10. The data migration process is now complete and the following confirmation is
displayed:
Data migration completed successfully.
11. The existing (CentOS 6) PTA machine is shut down and the PTA Server is started on
the new (CentOS 7) PTA machine.
a. If the IP of the existing PTA machine is configured as static, the migration script
shuts down the existing PTA machine, sets the new PTA machine with the
existing IP, and starts PTA on the new machine.
Changing machine IP...
Shutting down the existing (CentOS 6) PTA machine.
Restarting network service...If you are using a terminal,
connect to the new IP - 10.10.10.10 - where PTA 3.6 is up and
running.
Starting PTA service on the new (CentOS 7) machine...
The migration process completed successfully. PTA is up and
running.
Install VMWare Tools on the new (Centos 7) machine.
b. If the IP of the existing PTA machine is configured using DHCP, perform the
following:
The IP address of the existing (CentOS 6) PTA machine is
configured using DHCP. Perform the following:
1. Save the IP address for later reference.
2. Shut down the existing PTA machine.
3. Assign the saved IP address to the new (CentOS 7) PTA
machine in the DHCP server configuration. You might need your
IT team's assistance.
4. Start the PTA Server on the new (CentOS 7) machine.
5. Install VMWare Tools on the new (Centos 7) machine.
To Upgrade PTA:
1. Save a snapshot of the PTA image.
2. On the PTA system console, log in as the root user using the password you
specified for the root user during installation.
3. Using WinSCP or a similar tool, copy the following files from the CyberArk PTA
upgrade package to the /tmp directory of the PTA machine:
■ pta_upgrade.sh
■ pta_upgrade-3.95.0.tgz
4. Change the pta_upgrade.sh file permissions by running the following command:
chmod 700 /tmp/pta_upgrade.sh
PTA starts the upgrade process and displays output according to the PTA version
currently installed at your site.
Welcome to Privileged Threat Analytics version 3.95 upgrade
tool.
Upgrade is supported from version 3.6 and above.
CyberArk Privileged Threat Analytics may include certain third-
party components. Their licenses and acknowledgments are listed
in the About window in the CyberArk Privileged Threat Analytics
dashboard.
6. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.
7. The PTA upgrade process is now complete and the following confirmation is
displayed:
## Upgrade completed successfully. The log is available at:
/tmp/pta_upgrade.log
We recommend that you install VMware Tools on the PTA Server.
8. If the PTA upgrade process does not complete successfully, revert the PTA machine
using the snapshot that was saved in Step 1.
a. At the command line, in the /opt/tomcat/utility/ folder, run the
vaultConfiguration.sh command to reconfigure the Vault connection.
Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.
b. If PTA is installed with Network Sensors, revert the Network Sensors using the
snapshot that was saved in Step 1.
c. Run the service appmgr restart command to restart PTA.
d. If PTA is installed with Network Sensors, run the diagnostic tool to verify that the
Network Sensors were properly reverted. See (Optional) Verify PTA Network
Sensor Deployment, page 69.
9. If your site has PTA Network Sensors, you must run the PTA Network Sensor
upgrade now. See Upgrade PTA Network Sensor Software, page 95.
10. Copy the PTA.xsl file from the CyberArk PTA upgrade folder to the Syslog
subdirectory of the Vault installation folder. By default, the subdirectory is:
C:\Program Files (x86)\PrivateArk\Server\Syslog
11. Update the DBparm.ini file for new Vault codes. For details, see the
PTA Implementation Guide.
12. If you installed VMWare Tools on the virtual machine, uninstall and reinstall the
VMWare Tools.
13. Restart PTA.
Note:
If you do not enter a value for the PTA Management Port, the default value of 7514 is
used.
Note:
If you do not enter a value for the PTA Data Port, the default value of 6514 is used.
If you select Y, the PTA Windows Agent analyzes Windows events. If you select N,
the PTA Windows Agent analyzes Network data.
10. The CLI command for installing the PTA Windows Agents is created. For your
convenience, a copy of the CLI command is created in the
PTAAgentInstallerOutput.txt file in the same location as the MSI file.
The CLI command for silent installation has been created
successfully. Run the following command as an Administrator to
install the Agents on your DCs or WEF server. This command can
also be found in the PTAAgentInstallerOutput.txt file in the
current directory.
"PrivilegedThreatAnalyticsAgent.msi" /qn /L*v "c:\Install.log" DATA_ANALYSIS=Windows_Logs PTA_IP="198.196.10.10" DATA_PORT=6514 CONTROL_PORT=7514 TRUSTED=true CLIENT_AUTH=true SUBJECT_NAME="DomainController.domain.com" DATA_ANALYSIS=Network_Tapping
Note:
Self installation is supported from Network Sensor version 5.1 build 8 and above. For
earlier versions, use the To Upgrade the PTA Network Sensor Application by running the
standard installation wizard procedure or the To Manually Upgrade the PTA Network
Sensor Application procedure.
Version 5.1 Build 10. ==> PTA Network Sensor will be modified.
SSH access to device : Probe6(6) at 10.10.13.14 - Failed.
SSH access to device : Probe8(7) at 10.10.13.21 - Succeeded.
Version 5.1 Build 10. ==> PTA Network Sensor will be modified.
The following PTA Network Sensors will be modified:
--------------------------------------------------------
- Device ID: 5
- Device Name: Probe5
- Device IP: 10.10.13.27
- Device Comment:
========================================================
--------------------------------------------------------
- Device ID: 7
- Device Name: Probe8
- Device IP: 10.10.13.21
- Device Comment:
========================================================
################################################################
###########################################################
## WARNING: Please note that not all PTA Network Sensors will be
modified. It may cause synchronization issues with PTA. ##
################################################################
###########################################################
Are you sure you want to proceed (y/Any) ? y (if Any operation
is aborted)
Uploading installation files to : 10.10.13.27 - Done
Uploading installation files to : 10.10.13.21 - Done
Waiting 2 minutes for PTA Network Sensors to do internal
verification for a successful upgrade...
Checking Network Sensor 10.10.13.27 readiness for software
upgrade... Ready
Checking Network Sensor 10.10.13.21 readiness for software
upgrade... Ready
Starting installation at : 10.10.13.27 ...
Starting installation at : 10.10.13.21 ...
Waiting 5 minutes for PTA Network Sensors to finish software
installation...
Checking that PTA Network Sensor 10.10.13.27 was upgraded
successfully... Ready
Checking that PTA Network Sensor 10.10.13.21 was upgraded
successfully... Ready
The PTA Network Sensor prepares the upgrade on the machine, and checks the
status of every PTA Network Sensor in the environment.
Preparing '<Upgrade Version>' installation...
A list appears showing all the PTA Network Sensors that are installed, and you are
prompted to proceed.
Are you sure you want to proceed (y/Any) ? y
7. After you have modified all the PTA Network Sensors, you are prompted to enter the
root user password.
Please Enter root@Password:
9. When the installation is complete, you are prompted to reboot the PTA Network
Sensor machine. Press y to reboot the PTA Network Sensor machine.
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
Rebooting system.
................................................................
Installing AG-NMS[Management] Version <#> Build <#>
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
Rebooting system.
5. Enter su - to switch to the root user, then enter the root user password.
[admin@localhost ~]$ su -
Password:
10. When the upgrade is complete, you are requested to reboot the machine. Specify y,
then press Enter.
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
Rebooting system.
11.Repeat the entire procedure for each PTA Network Sensor at your site.
Appendices
Note:
All parameters must be specified without spaces.
systemparm.properties
Section: Data Loading
date_format
Description: Date format of the organization. For example, for US users the format is MM/dd/yyyy.
vault_log_records_csv
pvwa_privileged_accounts_report_csv
Description: The full pathname of the PVWA Inventory Report .csv file.
Section: LDAP
ldap_connection_protocol
ldap_base
ldap_port
ldap_server
Acceptable Values: IP
ldap_domain
Description: The name of the domain where the LDAP server resides.
ldap_group_name
ldap_pre2000
Section: Syslog
syslog_outbound
Description: Outbound configuration that enables PTA to integrate with your SIEM.
Acceptable Values: A list of the following information: {siem, format, host, port, protocol}
Acceptable values are:
■ siem – HP ArcSight, McAfee, QRadar, RSA, Splunk
■ format – CEF or LEEF
■ host – Host/IP
■ port – number
■ protocol – UDP
Default Value: None
syslog_port_tcp
Description: The port used for incoming syslog records sent from the Vault machine and Unix machines on the TCP port.
Acceptable Values: Number between 1 and 65535. The number must represent an unused port.
Default Value: 514
syslog_port_udp
Description: The port used for incoming syslog records sent from the Vault machine and Unix machines on the UDP port.
Acceptable Values: Number between 1 and 65535. The number must represent an unused port.
Default Value: 514
vault_timezone
Acceptable Values: NA
syslog_non_human_filter
Description: List of non-human usernames whose syslog messages PTA will ignore.
Default Value: passwordmanager,prov_,pvwaappuser,psmapp
syslog_port_ssl_data_tcp
Acceptable Values: Number between 1 and 65535. The number must represent an unused port.
Default Value: 6514
syslog_port_ssl_control_tcp
Acceptable Values: Number between 1 and 65535. The number must represent an unused port.
Default Value: 7514
send_pta_events_to_pas_enabled
Description: Enable or disable the option to send PTA events to the Vault.
Acceptable Values: true/false
Default Value: true
Section: Syslog
Sub-section: Syslog
custom_vault_device_types
Acceptable Values: String
Section: Syslog
Sub-section: Syslog format legacy
syslog_format_regex_legacy
Default Value: (<\\d+>)?([\\d\\.]+)?\\s*([a-zA-Z]+\\s+\\d{1,2}\\s+\\d{1,2}:\\d{1,2}:\\d{1,2})\\s+([^\\s]+)\\s+(.*)
syslog_field_index_date_legacy
Description: The index that corresponds to the date field defined in the syslog_format_regex_legacy property.
Default Value: 3
syslog_field_index_machine_legacy
Description: The index that corresponds to the machine field defined in the syslog_format_regex_legacy property.
Default Value: 4
syslog_field_index_body_legacy
Description: The index that corresponds to the body field defined in the syslog_format_regex_legacy property.
Default Value: 5
Section: Syslog
Sub-section: Syslog format 5424
syslog_format_regex_5424
Default Value: <(\\d+)>([\\d\\.]+)\\s+(\\d{4}-\\d{2}-\\d{1,2}T\\d{1,2}:\\d{1,2}:\\d{1,2}Z)\\s+([^\\s]+)\\s+(.*)
syslog_field_index_date_5424
Description: The index that corresponds to the date field defined in the syslog_format_regex_5424 property.
Default Value: 3
syslog_field_index_machine_5424
Description: The index that corresponds to the machine field defined in the syslog_format_regex_5424 property.
Default Value: 4
syslog_field_index_body_5424
Description: The index that corresponds to the body field defined in the syslog_format_regex_5424 property.
Default Value: 5
Section: Syslog
Sub-section: Audit creator for vault retrieve password
audit_creator_body_regex_vault_retrieve_password
Description: A regular expression that defines the data format in a syslog string that the audit creator detects.
body_field_index_vault_retrieve_password_user
Description: The index that corresponds to the user who retrieved the password from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Default Value: 1
body_field_index_vault_retrieve_password_date
Description: The index that corresponds to the date when the password was retrieved
Default Value: 2
body_field_index_vault_retrieve_password_account_user
Description: The index that corresponds to the user specified in the account that was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Default Value: 4
body_field_index_vault_retrieve_password_account_address
Description: The index that corresponds to the address specified in the account that was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Default Value: 5
Section: Syslog
Sub-section: Audit creator for unix session opened
audit_creator_body_regex_unix_session_opened
Description: A regular expression that defines the data format in a syslog string that the audit creator detects.
body_field_index_unix_session_opened_user
Description: The index of the user who opened the unix session in the audit_creator_body_regex_unix_session_opened property.
Default Value: 2
body_field_index_unix_session_opened_session_type
Description: The index of the type of session that was opened in the audit_creator_body_regex_unix_session_opened property.
Default Value: 1
Section: Syslog
Sub-section: Audit creator for CEF
audit_creator_body_regex_cef
Description: A regular expression that defines the data format in a syslog string that the audit creator detects.
Default Value: CEF:(?<cefVersion>\\d+)\\|(?<vendor>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<product>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<version>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<id>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<name>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<severity>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<extension>.*)
custom_CEF_Windows_plugin_parameter
Description: Custom vendor and product name for Windows logon support
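The regex defaults in the three Syslog sub-sections above (syslog_format_regex_legacy, syslog_format_regex_5424 and audit_creator_body_regex_cef) are written with properties-file escaping and Java regex syntax, and the syslog_field_index_* defaults (3, 4, 5) refer to capture groups in them. The Python script below is an added example, not code from the guide or from PTA: it undoes the escaping, translates the two Java spellings that Python's re lacks (named groups and possessive quantifiers; the greedy form yields the same groups on well-formed CEF records), and applies the patterns to constructed sample records.

```python
import re
from typing import Optional

# Constructed copies of the default values listed above, written exactly as
# they appear in systemparm.properties. A Java properties file escapes every
# backslash, so "\\d" on disk is "\d" once the file is loaded.
SYSLOG_FORMAT_REGEX_LEGACY = (
    r"(<\\d+>)?([\\d\\.]+)?\\s*([a-zA-Z]+\\s+\\d{1,2}\\s+\\d{1,2}:\\d{1,2}:\\d"
    r"{1,2})\\s+([^\\s]+)\\s+(.*)"
)
SYSLOG_FORMAT_REGEX_5424 = (
    r"<(\\d+)>([\\d\\.]+)\\s+(\\d{4}-\\d{2}-\\d{1,2}T\\d{1,2}:\\d{1,2}:\\d{1,2}Z)\\s+"
    r"([^\\s]+)\\s+(.*)"
)
AUDIT_CREATOR_BODY_REGEX_CEF = (
    r"CEF:(?<cefVersion>\\d+)\\|(?<vendor>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<product>(?:"
    r"[^\\\\\\|]|\\\\.)*+)\\|(?<version>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<id>(?:[^\\\\\\|]|\\\\.)*+)\\|"
    r"(?<name>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<severity>(?:[^\\\\\\|]|\\\\.)*+)\\|"
    r"(?<extension>.*)"
)
# syslog_field_index_*_legacy / _5424 defaults: 1-based capture group numbers.
FIELD_INDEXES = {"date": 3, "machine": 4, "body": 5}


def properties_regex_to_python(value: str) -> str:
    """Undo properties-file escaping ("\\\\" -> "\\") and translate the two
    Java-only regex spellings used in these defaults: "(?<name>" becomes
    "(?P<name>", and the possessive "*+" becomes greedy "*" (same groups on
    well-formed CEF, and it also runs on Python versions older than 3.11)."""
    pattern = value.replace("\\\\", "\\")
    pattern = re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)
    return pattern.replace("*+", "*")


def parse_syslog_line(line: str) -> Optional[dict]:
    """Split one syslog record into date, machine and body the way the index
    properties describe it: try the RFC 5424 pattern first, then the legacy
    pattern, and pull each field out by its configured group number."""
    for properties_regex in (SYSLOG_FORMAT_REGEX_5424, SYSLOG_FORMAT_REGEX_LEGACY):
        m = re.match(properties_regex_to_python(properties_regex), line)
        if m:
            return {name: m.group(idx) for name, idx in FIELD_INDEXES.items()}
    return None


def parse_cef_body(body: str) -> Optional[dict]:
    """Split a CEF record into its header fields. A backslash escapes '|' and
    '\\' inside a header field, which is why the character class in the
    default regex excludes both and the alternation accepts backslash + any."""
    m = re.match(properties_regex_to_python(AUDIT_CREATOR_BODY_REGEX_CEF), body)
    return m.groupdict() if m else None


# Constructed sample records (not taken from the guide).
LEGACY_LINE = "<13>Jan  5 10:23:45 vaultsrv01 CyberArk Vault: user Administrator retrieved a password"
RFC5424_LINE = "<14>1 2024-01-05T10:23:45Z unixhost01 sshd[1234]: Accepted publickey for root from 10.0.0.5"
CEF_BODY = "CEF:0|Example Corp|Demo\\|Product|1.0|100|User logon|5|src=10.0.0.5 suser=jdoe"

if __name__ == "__main__":
    for line in (LEGACY_LINE, RFC5424_LINE):
        print(parse_syslog_line(line))
    print(parse_cef_body(CEF_BODY))
```

The same helper applies to any other regex-valued property in the file, so it is a quick way to check a customised syslog_format_regex_* against real records before changing the matching syslog_field_index_* values.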
Section: Schedulers
excessive_access_task_trigger
Description: The time for frequent updates of the excessive access (user) baseline. The default is midnight of every day.
Default Value: 0 0 0 * * ?
irregular_ip_task_trigger
Description: The time for frequent updates of the irregular IP (user) baseline. The
Default Value: 0 0 0 * * ?
vault_accounts_reload_task_trigger
Description: The time for frequent updates of the Vault accounts reload. The default is 1:00 AM of every day.
Default Value: 0 0 1 * * ?
human_vault_user_cache_reload_task_trigger
Description: The time for frequent updates of the Vault users reload. The default is midnight of every day.
Default Value: 0 0 0 * * ?
irregular_hours_asset_task_trigger
Description: The time for frequent updates of the irregular hours (machine) baseline. The default is midnight of every day.
Default Value: 0 0 0 * * ?
irregular_hours_user_task_trigger
Description: The time for frequent updates of the irregular hours (user) baseline. The default is midnight of every day.
Default Value: 0 0 0 * * ?
audits_retention_task_trigger
Description: The time for deleting raw data that has passed the retention period. The default is 3:30 AM every day.
Default Value: 0 30 3 * * ?
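The trigger values in this section are six-field cron expressions: seconds, minutes, hours, day-of-month, month and day-of-week, where '?' means no specific value. That is the field layout of the Quartz scheduler's cron syntax (whether PTA uses Quartz itself is not stated in the guide), and the guide's own readings of the defaults, midnight for 0 0 0 * * ? and 3:30 AM for 0 30 3 * * ?, agree with it. The following validator and next-run calculator is an added example, not part of the guide or of PTA, and covers only the daily fixed-time subset the defaults use.

```python
from datetime import datetime, timedelta

# Six-field cron: seconds, minutes, hours, day-of-month, month, day-of-week.
# Added helper, not PTA code. Supported subset: digits in the three time
# fields, '*' for day-of-month and month, '*' or '?' for day-of-week.
FIELDS = ("second", "minute", "hour", "day_of_month", "month", "day_of_week")
TIME_LIMITS = {"second": 59, "minute": 59, "hour": 23}


def parse_trigger(expr: str) -> dict:
    """Return {'second': s, 'minute': m, 'hour': h} for a supported daily
    trigger, or raise ValueError saying what is wrong with the expression."""
    parts = expr.split()
    if len(parts) != 6:
        raise ValueError("expected 6 fields, got %d in %r" % (len(parts), expr))
    spec = dict(zip(FIELDS, parts))
    if spec["day_of_month"] != "*" or spec["month"] != "*":
        raise ValueError("only daily triggers ('*' day-of-month and month) are supported")
    if spec["day_of_week"] not in ("*", "?"):
        raise ValueError("day-of-week must be '*' or '?' for a daily trigger")
    fixed = {}
    for name, limit in TIME_LIMITS.items():
        token = spec[name]
        if not token.isdigit() or int(token) > limit:
            raise ValueError("%s must be a number 0-%d, got %r" % (name, limit, token))
        fixed[name] = int(token)
    return fixed


def is_valid_trigger(expr: str) -> bool:
    """Convenience wrapper for configuration checks."""
    try:
        parse_trigger(expr)
        return True
    except ValueError:
        return False


def daily_time(expr: str) -> str:
    """Time of day at which the trigger fires, as HH:MM:SS."""
    t = parse_trigger(expr)
    return "%02d:%02d:%02d" % (t["hour"], t["minute"], t["second"])


def next_fire_time(expr: str, now: datetime) -> datetime:
    """First moment strictly after 'now' at which the trigger fires."""
    t = parse_trigger(expr)
    candidate = now.replace(hour=t["hour"], minute=t["minute"],
                            second=t["second"], microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def next_fire_time_iso(expr: str, now_iso: str) -> str:
    """Same as next_fire_time, with ISO 8601 strings in and out."""
    return next_fire_time(expr, datetime.fromisoformat(now_iso)).isoformat()


if __name__ == "__main__":
    for trigger in ("0 0 0 * * ?", "0 0 1 * * ?", "0 30 3 * * ?"):
        print(trigger, "->", daily_time(trigger), "next run after 2024-01-05T04:00:00:",
              next_fire_time_iso(trigger, "2024-01-05T04:00:00"))
```

Times are interpreted in whatever zone the caller's datetime is in; on the PTA server that is the time zone chosen during installation (see the Time Zones appendix), so a retention job set to 0 30 3 * * ? runs at 03:30 server-local time.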
Section: Algorithms
disabled_detection_algorithms
Acceptable Values:
■ ActiveDormantUserAnomalyAlgorithm
■ AggregativeIceAnomalyAlgorithm
■ BaseICEAnomalyAlgorithm
■ ExcessiveAccessAnomalyAlgorithm
■ ExcessiveAccessAssetAnomalyAlgorithm
■ ExcessiveAccessUserAnomalyAlgorithm
■ GoldenTicketAnomalyAlgorithm
■ InteractiveLogonWithServiceAccountAnomalyAlgorithm
■ IrregularHoursAssetAnomalyAlgorithm
■ IrregularHoursUserAnomalyAlgorithm
■ LogonIrrSourceMachineToTgtMachineByTgtAccAnomalyAlgorithm
■ LogonIrrTgtAccFromMachineAnomalyAlgorithm
■ LogonIrrTgtMachineByTgtAccAnomalyAlgorithm
■ MachineAccessViaIrregularIpAnomalyAlgorithm
■ MaliciousRetrievalOfDomainAccountsAnomalyAlgorithm
■ OverPassTheHashAnomalyAlgorithm
■ PacAsRequestAttackAnomalyAlgorithm
■ PSMRiskyCommandAnomalyAlgorithm
■ PSMVaultAnomalyAlgorithm
■ SuspectedCredentialsTheftAnomalyAlgorithm
■ UnmanagedPrivilegedAccessAnomalyAlgorithm
■ VaultAccessViaIrregularIpAnomalyAlgorithm
■ RiskySPNRisk
■ IrregularDayUserAnomaly
Section: Algorithms
Sub-section: irregular hours
irr_hours_excluded_usernames_list
Description: The list of users to be excluded from the Irregular Hours baseline
Default Value: None
irr_hours_baseline_range_start
Description: The starting-point of training data (vault_log) in the range, for baseline calculation.
Default Value: 0
irr_hours_baseline_range_end
Description: The endpoint of training data (vault_log) in the range, for baseline calculation.
Default Value: 1
irr_hours_baseline_debug
Note:
This parameter is for internal debugging purposes.
Acceptable Values: true/false
Default Value: false
Section: Algorithms
Sub-section: DC Replication
dc_replication_whitelist
Default Value: None
Section: Algorithms
Sub-section: Unmanaged privileged access
privileged_users_list
Description: A list of users considered privileged in the organization, and who should be managed by CyberArk's Privileged Account Security solution.
Acceptable Values: A list of the following information: {platform, case sensitivity of user, regular expression}
Acceptable values are:
■ Platform – WINDOWS/UNIX/ORACLE (upper case)
■ Case sensitivity – true/false
■ Regex – string
Default Value: If this value is not defined by the user, the system will use the following default value:
[{"mPlatform":"UNIX","mIsCaseSensitive":true,"mUsers":[root]},{"mPlatform":"WINDOWS","mIsCaseSensitive":false,"mUsers":[.*admin.*]},{"mPlatform":"ORACLE","mIsCaseSensitive":false,"mUsers":[sys,system,sysman]}]
privileged_groups_list
Default Value: None
Unmanaged_Privileged_Access_Score
Default Value: 30
Section: Algorithms
Sub-section: vault access via irregular ip
irregular_ip_tail_proporion_exp_base
Description: The base taken in the exponent of the proportion of the tail of the given IP which was not spanned by the tree. Specify a number greater than '1'.
Acceptable Values: Double
Default Value: 8.0
irr_ip_excluded_usernames_list
Description: A list of usernames that PTA will ignore when analyzing Vault access via irregular IP addresses.
Default Value: DR,BATCH,BACKUP
irr_ip_excluded_sourceIP_list
Description: A list of IP addresses that PTA will ignore when analyzing Vault access via irregular IP addresses.
Acceptable Values: IPs
Section: Algorithms
Sub-section: ICE - asset connection words algorithms
asset_connection_excluded_domain_account_list
Acceptable Values: A list of the following information: {domain, list of users that belong to the domain}
Acceptable values are:
■ Domain – any valid domain name (string)
■ Users – string of user names separated by commas
Section: Algorithms
Sub-section: Suspected credentials theft
not_via_pim_time_window
Description: The number of minutes of the default check-out time period of a password.
Acceptable Values: Number
Default Value: 480
sct_excluded_account_list
Description: A list of usernames that PTA will ignore when analyzing connections to remote machines without first retrieving the required credentials from the Vault.
Default Value: None
Section: Algorithms
Sub-section: Suspicious Password Change
suspicious_password_change_time_window_minutes
Description: The time, in minutes, PTA waits before indicating a password change was not done by CPM and is suspicious.
Default Value: 2
suspicious_password_change_score
Default Value: 80
Section: Algorithms
Sub-section: Suspicious activities detected in a privileged session
risky_command_configuration
Description: A regular expression that defines the suspicious session activities that PTA analyzes.
Acceptable Values: A list of the following information: {regular expression of the command, score, description, category}
Acceptable values are:
■ Regex – string
■ Score – 1-100
■ Description (optional) – string
■ Category – Universal keystrokes, SCP, SQL, SSH, Windows titles
■ Response – NONE, TERMINATE, SUSPEND
■ Active – true/false
For example: [{"regex":"kill (.*)","score":"70","description":"description2","category":"SSH","response":"NONE","active":true}]
Section: Algorithms
Sub-section: Risky SPN
risky_spn_excluded_account_list
Description: A list of usernames, domains and service principal names that PTA will ignore when analyzing privileged accounts that contain service principal names.
All fields can be configured as a list with a ',' delimiter, and can support asterisks.
For example:
risky_spn_excluded_account_list=[{"mUsers":["user1"],"domain":["domain.com"],"service":["host\service","fqdn\service"]},{"mUsers":["sqladmin"],"domain":["domain.com"],"service":["*"]}]
Default Value: None
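Three parameters in this section are lists of rule objects: privileged_users_list (Unmanaged privileged access), risky_command_configuration (Suspicious activities detected in a privileged session) and risky_spn_excluded_account_list above. The Python below is an added example, not PTA code, that applies constructed rule sets of those three shapes to sample input. It assumes that mUsers patterns in privileged_users_list are regular expressions matched against the whole username, that a risky-command rule in the Universal keystrokes category applies to every session type, and that SPN exclusion matching is case-insensitive; the risky-command entries are made up for the illustration.

```python
import re
from fnmatch import fnmatchcase
from typing import Optional

# Constructed, Python-literal rendering of the privileged_users_list default
# shown in the Unmanaged privileged access sub-section (the guide writes the
# user patterns unquoted; here they are strings). Assumption: each mUsers entry
# is a regular expression that must match the whole username.
PRIVILEGED_USERS_LIST = [
    {"mPlatform": "UNIX", "mIsCaseSensitive": True, "mUsers": ["root"]},
    {"mPlatform": "WINDOWS", "mIsCaseSensitive": False, "mUsers": [".*admin.*"]},
    {"mPlatform": "ORACLE", "mIsCaseSensitive": False, "mUsers": ["sys", "system", "sysman"]},
]

# Constructed risky_command_configuration entries in the shape of the guide's
# example; regexes, scores and descriptions are made up for this illustration.
RISKY_COMMAND_CONFIGURATION = [
    {"regex": "kill (.*)", "score": "70", "description": "process termination",
     "category": "SSH", "response": "NONE", "active": True},
    {"regex": "rm -rf (.*)", "score": "90", "description": "recursive delete",
     "category": "Universal keystrokes", "response": "SUSPEND", "active": True},
    {"regex": "shutdown(.*)", "score": "80", "description": "rule switched off",
     "category": "SSH", "response": "TERMINATE", "active": False},
]

# The risky_spn_excluded_account_list example from the guide, as a Python literal.
RISKY_SPN_EXCLUDED_ACCOUNT_LIST = [
    {"mUsers": ["user1"], "domain": ["domain.com"], "service": ["host\\service", "fqdn\\service"]},
    {"mUsers": ["sqladmin"], "domain": ["domain.com"], "service": ["*"]},
]


def is_privileged(platform: str, username: str, rules=PRIVILEGED_USERS_LIST) -> bool:
    """True when the username matches any pattern configured for the platform
    (platform names are upper case in the file), honouring mIsCaseSensitive."""
    platform = platform.upper()
    for rule in rules:
        if rule["mPlatform"] != platform:
            continue
        flags = 0 if rule["mIsCaseSensitive"] else re.IGNORECASE
        if any(re.fullmatch(pattern, username, flags) for pattern in rule["mUsers"]):
            return True
    return False


def evaluate_session_command(command: str, category: str,
                             rules=RISKY_COMMAND_CONFIGURATION) -> Optional[dict]:
    """Return the active rule with the highest score whose regex is found in the
    command, or None. Assumption: a rule in the 'Universal keystrokes' category
    applies to every session type; any other category must match exactly."""
    best = None
    for rule in rules:
        if not rule["active"] or rule["category"] not in ("Universal keystrokes", category):
            continue
        if re.search(rule["regex"], command) and (best is None or int(rule["score"]) > int(best["score"])):
            best = rule
    return best


def is_spn_excluded(user: str, domain: str, service: str,
                    rules=RISKY_SPN_EXCLUDED_ACCOUNT_LIST) -> bool:
    """True when one entry matches all three fields. Each field is a list of
    patterns in which '*' is a wildcard, as the guide states; the assumption
    here is that comparisons are case-insensitive, as AD names are."""
    def field_matches(patterns, value):
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(field_matches(r["mUsers"], user) and field_matches(r["domain"], domain)
               and field_matches(r["service"], service) for r in rules)


if __name__ == "__main__":
    print(is_privileged("UNIX", "root"), is_privileged("UNIX", "Root"), is_privileged("WINDOWS", "LocalAdmin"))
    for cmd in ("kill -9 1234", "rm -rf /var/log", "shutdown -h now", "ls -la"):
        hit = evaluate_session_command(cmd, "SSH")
        print(repr(cmd), "->", None if hit is None else (hit["score"], hit["response"]))
    print(is_spn_excluded("sqladmin", "domain.com", "MSSQLSvc\\db01"))
```

Scores are kept as strings because the guide's own example writes "score":"70"; the comparison converts them. Running a proposed rule set through functions like these against a sample of real session keystrokes, before enabling TERMINATE or SUSPEND responses, is the cheapest way to find patterns that are too broad.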
Section: Email
mail.smtp.host
Acceptable Values: IP address
Default Value: None
mail.smtp.port
Default Value: 25
mail.smtp.auth
Acceptable Values: true/false
Default Value: true
mail.debug
Description: Whether the debug messages of the email process appear in the log.
Acceptable Values: true/false
Default Value: false
email_from
Default Value: None
email_recipient
Description: A list of the recipient email addresses that will receive an email when an incident is discovered. Specify email addresses using only lowercase characters. Multiple addresses are separated by a semi-colon (;).
Default Value: None
Section: DNS
dns_srv_record_format
Default Value: \\s*\\d+\\s+\\d+\\s+\\d+\\s+((?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?)\\.
dns_ldap_domain_srv_record_name_prefix
Acceptable Values: String
Default Value: _ldap._tcp.dc._msdcs.
dns_resolving_timeout
Default Value: 10000
Section: Domain
domain_controllers
Acceptable Values: {"domain_name":[{"mAddress":"dc1_ip_address","mHostName":"dc1_host_name"},{"mAddress":"dc2_ip_address","mHostName":"dc2_host_address"}]}
Default Value: None
pre2000_domain_list
Description: List of DNS names with their corresponding pre-Windows 2000 names.
Acceptable Values: {"preWin2000DomainName":"fullDNSDomainName","preWin2000DomainName2":"fullDNSDomainName2"}
Default Value: None
epv_https_enabled
Acceptable Values: true/false
Default Value: true
epv_host
Description: The name of PAS that PTA will connect to. Enter the FQDN.
Acceptable Values: String
Default Value: -
epv_port
epv_root_context
Acceptable Values: String
Default Value: PasswordVault
send_psm_session_related_data
Description: Whether PTA will send a privileged session risk score to PSM to make the score available in PVWA.
Acceptable Values: true/false
Default Value: true
Section: UI
numberOfIncidentsToGroupBy
Description: The number of suspicious session activity incidents for the selected timeframe that will be displayed in individual bubbles on the dashboard. The rest of the incidents will be displayed in a single aggregated bubble.
Acceptable Values: Number
Default Value: 0
Section: Mitigation
epvintegrationRotatePasswordExcludeList
Acceptable Values:
■ SuspectedCredentialsTheft
■ OverPassTheHash
■ SuspiciousPasswordChange
EnableAutomaticMitigationByEPV
Acceptable Values: true/false
Default Value:
■ When integration with PAS is not configured, this parameter is not relevant.
■ When integration with PAS is configured, this parameter is automatically set to true.
epvIntegrationEnableAddPendingAccount
epv_integration_rotate_password
epv_integration_reconcile_password
psm_mitigation_enabled
psm_mitigation_termination_enabled
psm_mitigation_suspension_enabled
audits_retention_period_in_days
Description: The retention period for raw data to be stored in PTA before it will be deleted. This does not apply to events that PTA has detected.
Acceptable Values: Number
Default Value: 90
Section: PTA Agent
enable_client_verification
enable_dcagent_connection
Note:
All parameters must be specified without spaces.
Section: ServerInfo
PTA_IP_Address
SSL_Data_Port
Description: The port used to send syslog data to PTA in a secure channel.
SSL_Control_Port
Description: The port used to send statistics data to PTA in a secure channel.
Section: DCInfo
Server_Verification_Required
Acceptable Values: true/false
Default Value: true
Network_Interface_ID
Acceptable Values: Number
Default Value: 1
KeepAlive_Interval_msec
Acceptable Values: Number
Network_Enabled
Default Value: True
Windows_Event_Enabled
Default Value: False
Section: Debug
Write_Events_To_Log
Description: Set the debug events flag. This parameter is for internal debugging purposes.
Acceptable Values:
■ 0 – false
■ 1 – true
Section: Monitoring
Machine_Monitoring_Enabled_Global
Machine_Monitoring_Enabled_Memory
Machine_Monitoring_Enabled_CPU
Machine_Monitoring_Enabled_Network
Machine_Monitoring_To_Log
Machine_Monitoring_Interval_sec
Default Value: 10
Section: ClientCertificate
Client_Certificate_Enabled
Description: Determines whether the client sends the certificate to the PTA Server for verification.
Acceptable Values: true/false
Client_Certificate_Subject_Name
Acceptable Values: String
Section: Enforcement
Process_CPU_Enabled
Process_CPU_Monitoring_Time_Window
Default Value: 60
Process_CPU_Percent_Threshold
Default Value: 35
Process_CPU_Percent_Exceeded_Samples_sec
Default Value: 70
Section: Forwarder
Windows_Event_Log
Description: The Windows event log name from which the PTA Windows Agent reads the events.
Acceptable Values: String
Time Zones
The PTA installation wizard requires you to configure your time zone. The following table
lists the available time zones.
GB Iran Mexico/BajaSur
NZ Asia/Macao Asia/Irkutsk
Note:
It is recommended to have a complete backup of the virtual machine before you make
these changes.
Check the output of the command, specifically at the row that states "Disk /dev/sda:
<SIZE_OF_DISK>".
2. Power off the virtual machine.
3. Edit the virtual machine settings and extend the virtual disk size. For more
information, see the VMWare KB 1004047, 'Increasing the size of a virtual disk'.
4. Power on the virtual machine.
5. Confirm the new size of the disk, by running the following command:
fdisk -l
a. Press p to print the partition table and identify the number of partitions. By default
there are three partitions: sda1, sda2 and sda3.
b. Press n to create a new primary partition.
c. Press p for primary.
d. Press 4 for the partition number (depending on the output of the partition table
print).
e. Press Enter twice.
f. Press t to change the system's partition ID.
g. Press 4 to select the newly created partition.
h. Type 8e to change the Hex Code of the partition for Linux LVM.
i. Press w to write the changes to the partition table.
2. Restart the virtual machine, by running the following command:
reboot
3. Verify that the changes were saved to the partition table and that the new partition
has an 8e type, by running the following command:
fdisk -l
Make sure that the new partition, /dev/sda4, was added to the list.
4. Convert the new partition to a physical volume, by running the following command:
pvcreate /dev/sda4
Note:
The number for the sda may change, depending on system setup. Use the sda number
that you created in step 1.
6. Verify the number of physical extents available to the Volume Group, by running the following command:
vgdisplay vg_centos64bitbase | grep "Free"
Note:
# represents the amount of free space, in GB, reported by the previous command. Use the full number output from step 6, including any decimals.
To determine which logical volume to extend, use the command lvdisplay.
8. Expand the filesystem online, inside the Logical Volume, by running the following
command:
resize2fs /dev/vg_centos64bitbase/lv_root
9. Verify that the / filesystem has the new space available, by running the following
command:
df -h /
Benchmark Environment
Environment Topology
Our benchmark testing was performed within a customer-like environment, which
includes the PTA Server and a PTA Windows Agent running on a Domain Controller.
Tested Components
In the Performance Testing Environment, the following have been used:
■ 1 CyberArk PTA v3.6
■ 1 CyberArk PTA v3.6 PTA Windows Agent running on the Domain Controller
Following are measured results of performance testing of PTA Windows Agents,
performed in a PTA lab environment that implements CyberArk’s common customer
environment.
Server Specifications
PTA Server
ESXI spec: Dell Inc. PowerEdge M630, CPU: 20 CPUs x 2.294 GHz, Processor Type:
Intel(R) Xeon(R) CPU E5-2650v3 @2.30 GHz.
PTA Server results table (column headings): Events per Second | Storage per Day (GB) | CPU (cores) | Memory (GB) | CPU Usage (%) | Memory Usage (%) | Static DCA Server Storage (GB)
PTA Windows Agent
Running on Windows server 2012 R2, X64 VMWare, 2GB Ram, Intel core i7 3.6Ghz, 2
cores
PTA Windows Agent results table (column headings): Packets per Second | Memory Pool Size | CPU (cores) | Memory (GB) | CPU Usage Average (%) | Memory Usage Average (%) | Process Memory Usage Average (MB)
Measured row (as extracted): 1,000 9,000 72
Conclusions
■ The PTA Windows Agent impact on the Domain Controller is minimal, even for
loaded Domain Controllers with very low specs.
■ As the PTA Server's resources increase, its ability to handle event loads increases.
■ The bandwidth impact of the communication between the PTA Windows Agent and
the PTA Server is limited, even for very loaded domain controllers.