
Privileged Threat Analytics (PTA)

Installation Guide

3.95

Copyright © 1999-2018 CyberArk Software Ltd. All rights reserved.


This document contains information and ideas, which are proprietary to CyberArk
Software Ltd. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, without the prior written permission of CyberArk
Software Ltd.
PTAINS003-95-0-1

Table of Contents

Introducing CyberArk PTA 3


Install Privileged Threat Analytics Solution 5
Install PTA 6
System Requirements for PTA 7
Review PTA Package 12
Import the PTA Disk Image 12
Install PTA 16
PTA Post-Installation Procedures 32
Troubleshoot PTA Installation 42
Install PTA Windows Agents 44
System Requirements for PTA Windows Agent 44
Install PTA Windows Agents 45
Troubleshoot PTA Windows Agent Installation 49
Install PTA Network Sensors 53
Review PTA Network Sensor Package 54
System Requirements for PTA Network Sensor 54
Integrate the PTA Network Sensor 58
Network Sensor and PTA Windows Agent Post Installation 71
Add PTA Network Sensor Coverage or a PTA Windows Agent connection 72
Add PTA Network Sensor Coverage or a PTA Windows Agent connection with
Golden Ticket Detection 73
Upgrade PTA 79
Review PTA Upgrade Package 80
Upgrade to PTA Version 3.0 81
Upgrade to PTA Version 3.5 83
Migrate to CentOS 7 - PTA Version 3.6 85
Upgrade to PTA Version 3.95 89
Post Upgrade Configuration 91
Upgrade PTA Windows Agents 92
Revert the upgrade of the PTA Windows Agents 94
Upgrade PTA Network Sensor Software 95
Appendices 101
Configure System Properties 102
systemparm.properties 102
Configure Agent Properties 123
Time Zones 128
Manually Extend the PTA VM Disk Space 148
Extend the Logical Volume 148
PTA Windows Agents Benchmark Report 150
Benchmark Environment 150
PTA Server 150
PTA Windows Agent 151
PTA Windows Agent Bandwidth Impact 151
Conclusions 151

Privileged Threat Analytics


3

Introducing CyberArk PTA

Since privileged accounts are most often compromised as part of an attack, CyberArk
Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts
that are managed in the CyberArk Privileged Account Security (PAS) platform, as well as
accounts that are not yet managed by CyberArk, and looks for indications of abuse or
misuse of the CyberArk platform. PTA also looks for attackers who compromise
privileged accounts by running sophisticated attacks, such as Golden Ticket.
PTA is part of the CyberArk Privileged Account Security solution and provides an
additional security layer, which detects malicious activity caused by privileged accounts
and proactively contains in-progress attacks. PTA supports detection of malicious
activities in privileged accounts when authenticated either by passwords, or by SSH
Keys.
Using proprietary profiling algorithms, PTA distinguishes in real time between normal
and abnormal behavior, and raises an alert when abnormal activity is detected. In this
way, it extends the CISO's ability to reduce the risk of insider threats, malware,
targeted attacks and APTs that utilize privileged users to carry out attacks.
This significantly reduces the ability of these threat actors to infiltrate the system and
eliminates one of the biggest risks to your organization.
Using DPI technology and tapping the organization network, PTA can deterministically
detect and raise alerts on Kerberos attacks in real time.
PTA also proactively monitors critical privileged account related risks in the IT
environment that can be abused by an attacker. PTA sends alerts to the security team to
handle these risks before attackers abuse them.
PTA processes the network traffic and receives raw events from your organization’s
Vault, UNIX machines, and Windows machines, and receives additional inputs by


querying Active Directory, then detects security events in real time and sends them as
alerts by email, to the PTA’s proprietary dashboard, or to the SIEM dashboard.
In general, PTA does the following:
■ Detects privileged-account-related anomalies: Detects anomalies in the usage
of privileged accounts, such as usage that does not occur during the regular hours of
use.
■ Detects privileged-account-related security incidents: Detects security
incidents by running deep packet inspection and finding deterministic characteristics
of Kerberos attacks, and additional known attacks such as Golden Ticket and
Malicious Retrieval of Domain Accounts (DC Sync).
■ Detects privileged-account-related risks: Detects risks by monitoring and
alerting on critical risks in privileged accounts.
■ Contains security incidents: Generates actionable insights to support rapid and
automatic reactive incident containment.
In order to pinpoint abnormal activities of privileged users, PTA employs various
statistical algorithms. These algorithms generate profiles of system activities, and
subsequent activities are searched for deviations from these profiles. Deviations that are
suspicious and pose a potential risk are classified as security incidents.
For example: a user who connects to a remote machine during hours which are deemed
irregular (when compared to the specific user’s connectivity profile as learned by PTA),
or from an unfamiliar IP.
In addition, PTA can detect Kerberos attacks in real-time. These Kerberos attacks can be
used by an attacker for privilege escalation, and to achieve persistency within the
network.


Install Privileged Threat Analytics Solution

This section describes how to install PTA, install PTA Windows Agents, and install
PTA with Network Sensors.
In this section:
Install PTA
Install PTA Windows Agents
Install PTA Network Sensors
Network Sensor and PTA Windows Agent Post Installation
Upgrade PTA
Upgrade PTA Windows Agents
Upgrade PTA Network Sensor Software


Install PTA
This section describes how to install PTA.
■ If you are installing PTA with the Network Sensor, see the end-to-end workflow:
Install PTA Network Sensors, page 53.
■ If you are upgrading PTA, see Upgrade PTA, page 79.
Step: Review PTA system requirements
Comments: This includes reviewing the following:
■ Supported browsers
■ IP requirements
■ DNS requirements
■ Domain requirements (for Golden Ticket detection only)
■ LDAP/S requirements
■ CyberArk Vault compatibility
Reference: System Requirements for PTA, page 7

Step: Review PTA package
Reference: Review PTA Package, page 12

Step: Import the PTA disk image
Comments: Select the procedure for your environment:
■ VM Player
■ VMWare Workstation
■ VM ESX
■ Hyper-V
Reference: Import the PTA Disk Image, page 12

Step: Install PTA
Reference: Install PTA, page 16

Step: Review the post-installation procedures
Comments: This includes managing the PTA machine user accounts, and validating the
self-signed certificate on your browser
Reference: PTA Post-Installation Procedures, page 32

Step: (Optional) Review PTA installation troubleshooting procedures
Reference: Troubleshoot PTA Installation, page 42


System Requirements for PTA


You will receive the PTA installation package from your CyberArk support
representative. It can be installed on the following platforms:
■ VMWare Player 6.x and above
■ VMWare Workstation 10.x and above
■ VMWare ESX/i 5.5 and above
■ Microsoft Hyper-V v6.3

Note:
Microsoft Hyper-V v6.3 can be installed on Windows Server 2008R2 or Windows Server
2012R2.

The PTA image must be installed on a dedicated machine that has access to the Vault, or
to the primary Vault in a distributed Vault environment, and also to either the
organizational SIEM solution, or UNIX inspected machines for syslogs.
The minimum requirements for installing this image on a VM machine are as follows:
■ 4 Core-CPU
■ 16 GB RAM memory
■ 500 GB hard disk storage

Supported Browsers
PTA currently supports the following browsers:
■ Internet Explorer 11.0 with Compatibility mode 9
■ Chrome - latest version
■ Firefox - latest version

IP Requirements
PTA requires an IP in one of the following forms:
■ Static Address: A static IP address.
■ DHCP: If the organization has a DHCP server which dynamically allocates IP
addresses, verify with the organization’s IT that the PTA machine’s IP address is
locked.

DNS Requirements
■ DNS: A DNS address record that maps the host name PTAServer to the IP
address of the PTA machine. The DNS configured in PTA must recognize all the
machines from which PTA will receive syslog messages. PTA requires both the
Forward (A record) and Reverse (PTR record) lookup.
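The following is an added example, not CyberArk code, of a pre-installation check for these DNS requirements: it verifies that the PTAServer A record points at the PTA machine's IP, that the IP has a matching PTR record, and that every host which will send syslog messages resolves both forward and reverse. The resolver functions are injectable so the check can be run offline; the host names and addresses in it are constructed.

```python
import socket
from typing import Callable, Dict, List

# Added example (not CyberArk code). Checks the DNS conditions PTA requires:
# PTAServer -> PTA IP (A record), PTA IP -> PTAServer (PTR record), and both
# directions for each syslog source. Resolvers are injected so the check can run
# against constructed records; the defaults use the operating system resolver.

ResolveA = Callable[[str], List[str]]
ResolvePtr = Callable[[str], str]


def system_resolve_a(name: str) -> List[str]:
    """Forward (A record) lookup via the OS resolver; [] when the name is unknown."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_resolve_ptr(ip: str) -> str:
    """Reverse (PTR record) lookup via the OS resolver; '' when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def _same_host(a: str, b: str) -> bool:
    """Compare host names; a short name matches the first label of an FQDN."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    if "." in a and "." in b:
        return a == b
    return a.split(".")[0] == b.split(".")[0]


def check_host(name: str, expected_ip: str,
               resolve_a: ResolveA = system_resolve_a,
               resolve_ptr: ResolvePtr = system_resolve_ptr) -> Dict[str, object]:
    """Check one host's forward and reverse records against the expected IP."""
    forward = resolve_a(name)
    reverse = resolve_ptr(expected_ip)
    problems: List[str] = []
    if not forward:
        problems.append(f"no A record for {name}")
    elif expected_ip not in forward:
        problems.append(f"{name} resolves to {forward}, expected {expected_ip}")
    if not reverse:
        problems.append(f"no PTR record for {expected_ip}")
    elif not _same_host(reverse, name):
        problems.append(f"PTR for {expected_ip} is {reverse}, not {name}")
    return {"host": name, "ip": expected_ip, "forward": forward,
            "reverse": reverse, "ok": not problems, "problems": problems}


def check_pta_dns(pta_ip: str, syslog_sources: Dict[str, str],
                  resolve_a: ResolveA = system_resolve_a,
                  resolve_ptr: ResolvePtr = system_resolve_ptr) -> List[Dict[str, object]]:
    """Check the PTAServer record first, then every syslog source (name -> IP)."""
    hosts = {"PTAServer": pta_ip, **syslog_sources}
    return [check_host(n, ip, resolve_a, resolve_ptr) for n, ip in hosts.items()]


# Constructed zone data standing in for the organization's DNS during a dry run.
DEMO_A = {
    "ptaserver": ["10.0.0.5"],
    "unix01.corp.example": ["10.0.0.20"],
    "unix02.corp.example": ["10.0.0.21"],
}
DEMO_PTR = {
    "10.0.0.5": "ptaserver.corp.example",
    "10.0.0.20": "unix01.corp.example",
    # 10.0.0.21 deliberately has no PTR record: PTA could not reverse-resolve it.
}


def run_demo() -> List[Dict[str, object]]:
    """Run the check against the constructed records (no network needed)."""
    return check_pta_dns(
        "10.0.0.5",
        {"unix01.corp.example": "10.0.0.20", "unix02.corp.example": "10.0.0.21"},
        resolve_a=lambda n: DEMO_A.get(n.lower().rstrip("."), []),
        resolve_ptr=lambda ip: DEMO_PTR.get(ip, ""),
    )


if __name__ == "__main__":
    for r in run_demo():
        status = "OK  " if r["ok"] else "FAIL"
        print(status, r["host"], r["ip"], "; ".join(r["problems"]))
```

Against a live environment, call check_pta_dns with the real PTA IP and syslog source list and the default resolvers; any report with ok=False names the record that is missing or mismatched.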

Domain Requirements (for Golden Ticket Detection only)


■ PTA supports detection of Golden Ticket attacks for domains.


■ The domains should be on Windows Server 2008 and above, with Function level
2003 and above.
■ This applies both to domains and sub-domains.

LDAP/S Requirements
LDAP: PTA can integrate with LDAP to:
■ Enable LDAP authentication
■ Broaden and increase the accuracy of PTA detections
In order to integrate PTA with LDAP, define a group name in PTA which has the same
name as the group sAMAccountName, which appears in Active Directory.

Note:
To integrate with LDAP over SSL, create a dedicated Base-64 encoded X.509 security
certificate.
LDAP login and query permission are required for the bind user.
Currently, PTA only integrates with Microsoft Active Directory LDAP.

Certificate Requirements
You can use the self-signed certificate created during PTA installation, or use your
organization's SSL certificate.
If you use your organization's SSL certificate:
■ The Certificate Signing Request (CSR) requires a Base-64 encoded X.509 SSL
certificate.
■ The SSL Certificate Chain requires a Base-64 encoded X.509 SSL certificate.
■ The SSL Certificate Issuer Chain requires a Base-64 encoded X.509 SSL certificate.

CyberArk Vault / PAS Compatibility


Integration: Integrate the Vault with SIEM and PTA
Required Version: CyberArk Vault version 7.2.5 or higher

Integration: Support automatic threat containment using PAS integration, for Overpass
the Hash attack and Suspected Credential Theft security events
Required Version: CyberArk Vault version 9.3 or higher

Integration: Support automatically adding unmanaged privileged accounts to the pending
accounts queue
Required Version: CyberArk Vault version 9.7 or higher

Integration: Configure Golden Ticket detection
Required Version: CyberArk Vault version 9.8 or higher

Integration: Support the Privileged Session Management integration
Required Version: CyberArk Vault and PVWA version 9.8 or higher

Note:
Privileged Session Management integration works with lower versions of CyberArk Vault,
but without the ability to report Privileged Session Analysis results to PVWA.

Integration: Support a distributed Vault environment
Required Version: CyberArk Vault version 9.9.5 or higher

Integration: Support sending PTA alerts to the Vault
Required Version: CyberArk Vault version 9.10 or higher

Integration: Support automatic session termination
Required Version: CyberArk Privileged Account Security suite version 10.1 or higher

Supported Input Data Formats


Following are general guidelines for the data sent to PTA:
■ PTA supports UTF-8 formatted data.
■ Windows: The integration with Windows is based on authentication events 4624,
4723, and 4724. PTA supports these event types, which are supported in Windows 2003
and higher.

Note:
In order for PTA to monitor activity of privileged accounts in Windows machines,
Windows security events 4624, 4723, and 4724 from each monitored Windows
machine must be forwarded to the SIEM and from the SIEM to PTA.

■ Unix: When collecting syslogs directly from Unix machines, PAM Unix is supported.
PAM Unix is supported by multiple Unix flavors, such as Red Hat Linux, HP-UX, and
Solaris.
Supported PAM Unix events include accepted public key, accepted password, and
session open.
■ Database: Oracle logon events are supported.
■ Network Sensor: Traffic is received from domain controllers in the environment.


■ Vault: Specific events are accepted. Supported device types are operating system
and database.

PTA Port Usage


Use the following tables as guidelines for PTA port usage.
■ PTA Port Redirection Rules, page 10
■ PTA Port Usage: Incoming Fixed Ports, page 10
■ PTA Port Usage: Incoming Optional Ports, page 11
■ PTA Port Usage: Outgoing Fixed Ports, page 11
■ PTA Port Usage: Outgoing Optional Ports, page 12

Note:
All blocked communication is logged to /var/log/iptables.log.

PTA Port Redirection Rules


Use the following table for the PTA port re-directional rules.

#   Protocol  Source Port  Destination Port  Description
1.  TCP       80           8080              Redirect HTTP/S default ports to the
                                             Tomcat Web Server web ports
2.  TCP       443          8443              (same as above)

PTA Port Usage: Incoming Fixed Ports


The port numbers in the following table are fixed and cannot be changed.

#    Protocol  Port          Description
1.   TCP       80            Allow incoming HTTP communication for the PTA web
2.   TCP       8080          This is redirected to HTTPS by the Tomcat Web Server
3.   TCP       443           Allow incoming HTTPS communication for the PTA web
4.   TCP       8443          (same as above)
5.   TCP       22            Allow remote access to the machine (SSH), for both
                             secure telnet and SFTP
6.   UDP       67,68         Allow incoming data from the DHCP server
7.   ICMP      Echo Request  Allow standard ICMP pings to this server
                             Note: Only echo-request is allowed
8.   -         -             Allow all local traffic within the server
9.   -         -             Allow replying to an already established session
10.  -         -             All other communication is logged and rejected / dropped

PTA Port Usage: Incoming Optional Ports


The port numbers in the following table can be changed to different port numbers
according to the customer’s environment.

#   Protocol  Port         Description
1.  TCP       514, 11514   Allow incoming syslog messages (could be configured for
                           authorized sources only for specific IP addresses)
2.  UDP       514, 11514   (same as above)
3.  TCP       6514, 7514   Allow incoming secure syslog messages for the PTA Windows
                           Agent connection

PTA Port Usage: Outgoing Fixed Ports


The port numbers in the following table are fixed and cannot be changed.

#   Protocol  Port          Description
1.  TCP       514           Allow sending syslog messages in port 514
2.  UDP       514           (same as above)
    TCP       80            Allow an outgoing HTTP connection to CyberArk PVWA for a
                            specific IP address
    TCP       443           Allow an outgoing HTTPS connection to CyberArk PVWA for a
                            specific IP address
3.  ICMP      Echo Request  Allow standard ICMP pings from this server
                            Note: Only echo-request is allowed
4.  UDP       53            Allow outgoing DNS requests
5.  UDP       123           Allow outgoing NTP requests
6.  -         -             Allow all local traffic within the server
7.  TCP/UDP   Broadcast     Allow broadcast (255.255.255.255) for outgoing DHCP requests
8.  -         -             Allow replying to an already established session
9.  -         -             All other communication is logged and rejected / dropped


PTA Port Usage: Outgoing Optional Ports


The port numbers in the following table can be changed to different port numbers
according to the customer’s environment.

#   Protocol  Port       Description
1.  TCP       25         Allow sending SMTP (email) messages for specific IP address
2.  TCP       587        (same as above)
3.  TCP       3268, 389  LDAP for specific IP address
4.  TCP       3269, 636  LDAPS for specific IP address
5.  TCP/UDP   1858       Allow outgoing connection to the CyberArk Vault for specific
                         IP address
6.  TCP/UDP   <port>     Outbound connection (SIEM integration) for specific port and
                         IP address

Review PTA Package


You will receive the PTA installation package from your CyberArk support
representative. The package includes the following files for the PTA server:
■ PTA-Img-Server.mf
■ PTA-Img-Server.ovf
■ PTA-Img-Server-disk1.vmdk
■ PTA-Img-Server.vhd.zip
■ PTA.xsl
■ PTAPlugin.zip
The package also includes the following files for the PTA Windows Agents:
■ Privileged Threat Analytics Agent.msi
■ PTA Agent Script Creator.exe
On your local computer, create a new directory and from the CyberArk PTA installation
package, copy the Privileged Threat Analytics installation package to the new
directory. If you are installing PTA Windows Agents, also copy the PTA Windows
Agent files to the new directory.
If you are installing the PTA Network Sensor, see the workflow: Install PTA Network
Sensors, page 53.

Import the PTA Disk Image


This topic describes how to import the disk image. Perform the relevant procedure for
your type of software.

To Import the Image to VM Player:


1. From the main screen, click Open Virtual Machine; the Open Virtual Machine
window appears.
2. In the Files of Type list, select Open Virtual Machine Format Images (*.ovf,
*.ova).
3. Browse to the location of the PTA-Img-Server.ovf file, select it and then click Open.
4. Specify a name and choose a storage path for the new VM Image, or keep the default
values.
5. Click Import to begin the import process.
Progress is indicated in the progress window. When the import process is completed,
you can start using the VM Image from the main screen.

To Import the Image to VMWare Workstation:


1. In the main screen, from the File menu, select Open; the Open window appears.
2. In the Files of Type list, select Open Virtual Machine Format Images (*.ovf,
*.ova). 
3. Browse to the location of the PTA-Img-Server.ovf file, select it and then click Open.
4. Specify a name and choose a storage path for the new VM Image, or keep the default
values.
5. Click Import to begin the import process. 
Progress is indicated in the progress window. When the import process is completed,
you can start using the VM Image from the main screen.

To Import the Image to VM ESX:


1. Connect to the ESX host using a VI Client such as VMware vSphere Client.
2. In the main screen, from the File menu, select Deploy OVF Template.
■ (Optional) Deploy PTA without its full allocation. Do this to reduce the space that
PTA uses when installed, by deploying PTA with thin provisioning so as not to
use its full allocation of 500GB.


3. Browse to the location of the PTA-Img-Server.ovf file, select it and then click Next.
4. Make sure the displayed information is correct, then click Next.
5. Specify a name for the new VM Image, then click Next.
6. Select the resource pool where the template will be installed, then click Next.

Note:
To be able to perform this action, you must have root permission on the resource pool.

7. Select the datastore where the VM Image files will be stored, then click Next.
8. Select the storage format for the VM Image files, then click Next.

Note:
It is recommended to select the thick provisioned format, for maximum storage capacity.

9. Click Finish to begin the import process. 


Progress is indicated in the progress window. When the import process is completed,
you can start using the VM Image from the main screen.

To Import the Image to Hyper-V:


1. Log on to the Hyper-V machine.
2. From the installation package, copy the *.vhd.zip file to the Hyper-V machine and
unzip it.


3. Open the Hyper-V Manager and, in the list of Hyper-V servers, select the Hyper-V
server to which you will import the image.
4. From the Action menu, select New and then Virtual Machine…; the New Virtual
Machine wizard appears.
5. In the Specify Name and Location page, in the Name field, specify the name of the
new virtual machine.
6. In the Assign Memory page, in the Startup memory, specify the size of required
RAM memory in MB. For more information, see System Requirements for PTA,
page 7.
7. In the Configure Networking page, select the network connection to use.
8. In the Connect Virtual Hard Disk page, select Use an existing virtual hard disk,
then click Browse and select the unzipped *.vhd file.
9. Click Finish to create the new virtual machine and import the PTA image; the new
virtual machine appears in the list of virtual machines.
10.Select the new virtual machine, then from the Action menu, select Settings …; the
Settings window for the selected virtual machine appears.
11.In the Hardware list, select Processor; the Processor details appear.
12.Specify the number of virtual processors, as defined in System Requirements for
PTA, page 7, then click OK.


Install PTA
The following table lists the individual steps in the PTA installation wizard.
The full procedure follows the table. See To Install PTA Using the Wizard:, page 18.

For each step: Step Name (click to jump to step); Mandatory / Optional; Step
Dependency; Mandatory for…

[Step 1/18 - End User License Agreement]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 2/18 – Network configuration]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 3/18 cross-domain names mapping configuration]
Mandatory / Optional: Optional
Step Dependency: -
Mandatory for: -

[Step 4/18 – Date and TimeZone configuration]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 5/18 – Database initialization]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 6/18 – Configuring internal components]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 7/18 – Vault connection configuration]
Mandatory / Optional: Optional
Step Dependency: -
Mandatory for:
■ Golden Ticket attack

[Step 8/18 - Loading user and safe activities report]
Mandatory / Optional: Optional
Step Dependency: [Step 7/18 – Vault connection configuration]
Mandatory for:
■ Privileged access during irregular hours
■ Excessive access to privileged accounts
■ Accessing the Vault from irregular IP
■ Active dormant user

Step 9/18 – Baselines creation
Mandatory / Optional: Optional
Step Dependency: [Step 8/18 - Loading user and safe activities report]
Mandatory for: -

[Step 10/18 - Loading inventory report]
Mandatory / Optional: Optional
Step Dependency: [Step 7/18 – Vault connection configuration]
Mandatory for:
■ Suspected credentials theft
■ Unmanaged privileged account

[Step 11/18 – Resolving Addresses]
Mandatory / Optional: Mandatory
Step Dependency: [Step 10/18 - Loading inventory report]
Mandatory for: -

[Step 12/18 Authorized source hosts configuration]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 13/18 – Network sensor and PTA agent connection configuration]
Mandatory / Optional: Optional
Step Dependency: Before running the wizard for this step, make sure you have
installed and configured the Network Sensor. See Install PTA Network Sensors, page
53.
Mandatory for:
■ PAC attack
■ Overpass the Hash attack
■ Malicious retrieval of domain accounts

[Step 14/18 – Golden Ticket detection configuration]
Mandatory / Optional: Optional
Step Dependency:
■ [Step 7/18 – Vault connection configuration]
■ [Step 13/18 – Network sensor and PTA agent connection configuration]
Before configuring Golden Ticket, verify all relevant prerequisite procedures were
performed. See Install PTA Network Sensors, page 53.
Mandatory for:
■ Golden Ticket attack

[Step 15/18 – Email notifications configuration]
Mandatory / Optional: Optional
Step Dependency: -
Mandatory for: -

[Step 16/18 – PTA maintenance user configuration]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 17/18 – Generating a self-signed certificate]
Mandatory / Optional: Mandatory
Step Dependency: -
Mandatory for: -

[Step 18/18 – PTA initialization]
Mandatory / Optional: Optional
Step Dependency: -
Mandatory for: -

To Install PTA Using the Wizard:


1. On the system console, log in as the root user using the following password:
DiamondAdmin123!
2. Before you can initiate the installation wizard, you are required to change the root
user’s password.
Changing password for root.
(current) UNIX password:
New Password:
Retype new password:

3. Enter the root user’s password, then enter a new password, and confirm it.
4. Navigate to the prepwiz folder using the PREPWIZDIR command.
5. At the command line, run the following command:
./run.sh

The installation wizard begins. Default values are displayed in brackets.

Note:
If you receive an error in any step, press Ctrl+C to exit the installation wizard, and run the
wizard again. When the wizard starts, you can select to resume the wizard from the step
where the error occurred.

6. To accept the default value, press Enter.
7. View the Usage Agreement and accept its terms.
[Step 1/18 - End User License Agreement]

Please read CyberArk's Privileged Threat Analytics End User
License Agreement, which determines the terms of use of this
software and all of its components.
CyberArk's Privileged Threat Analytics may include certain third
party components, which are listed in the About window in the
Privileged Threat Analytics dashboard.
To install CyberArk's Privileged Threat Analytics, you must
accept the End User License Agreement which you can view at
https://www.cyberark.com/product-detail/end-user-license-
agreement.
Do you accept all terms of this agreement (y/n)? y
End User License Agreement accepted successfully.

a. Enter y to accept the terms of the agreement and proceed to the next step of the
wizard.
b. Or, enter n to exit the wizard.
8. Specify the network configuration.
[Step 2/18 – Network configuration]

a. If there is an existing IP address for the PTA Server, the following lines appear:
Found existing IP address:
Would you like to change the IP Address (y/n)?

b. If you entered y to change the IP address, or if there is no existing IP address for
the PTA Server, the following lines appear:
i. If there is only one available network interface:
Network interface <interface_id> was found and will be used
for the PTA server.
Specify the network configuration:
‘dhcp’ – To obtain an IP and DNS server address automatically
‘static’ – To set an IP address manually [dhcp]:

ii. If there are multiple available network interfaces:
There is more than one available network interface, select
the appropriate network interface [<interface_id>,<interface_
id>,...]:

iii. Enter the desired network interface. The following lines appear:
Specify the network configuration:
‘dhcp’ – To obtain an IP and DNS server address automatically
‘static’ – To set an IP address manually [dhcp]:

9. To detect an IP and DNS server address automatically (dhcp):
a. At the network configuration prompt, enter dhcp. This is the default value.
The IP and DNS server are detected and configured automatically and the
following lines appear.
The IP and DNS are configured automatically.
IP configuration finished successfully

DNS configuration
Found existing DNS server 1.1.1.1
Testing configuration … ping – to perform verification of DNS
Configuration test was completed successfully


After the first DNS server is configured successfully, the following prompt
appears, enabling you to specify an additional DNS server.
Would you like to specify an additional DNS server (y/n)?
[n]:

b. Enter y to specify an additional DNS server.
c. Or, enter n to continue directly to [Step 3/18 cross-domain names mapping
configuration].
10.To set an IP address manually (static):
a. At the network configuration prompt, enter static, then press Enter. The IP
address prompt appears.
Specify an IP address:

b. Enter the IP address to set, then press Enter. The Netmask prompt appears.
Netmask [255.255.255.0]:

c. Enter the netmask to configure, then press Enter. The Gateway prompt
appears.
Gateway:

d. Enter a gateway that will be used as the default gateway, then press Enter. The
process verifies the Gateway and displays a confirmation.
Testing configuration … ping – to perform verification of
Gateway
Configuration test was completed successfully

e. The static IP address is now configured and the confirmation appears.
IP configuration finished successfully

At this point, the following prompt appears to specify the IP address of a DNS
server.
DNS configuration
Specify full domain name (e.g. "domain.com"):
There were no existing DNS servers found
Specify a DNS server address:

f. Enter the IP address of a DNS server.
The process verifies the DNS server and displays the following:
Testing configuration… ping - to perform verification of DNS
Configuration test was completed successfully

At this point, a prompt appears, enabling you to specify an additional DNS server.
Would you like to specify an additional DNS server (y/n)?
[n]:

g. Enter y to specify an additional DNS server.


h. Or, enter n to continue directly to [Step 3/18 cross-domain names mapping
configuration].
i. If you entered y, a prompt appears requesting you to specify the IP address of the
additional DNS server.
Specify a DNS server address:

j. Enter the IP address of the DNS server, then press Enter.
The process verifies the DNS server and displays the following:
Testing configuration… ping - to perform verification of DNS
Configuration test was completed successfully

k. Specify additional DNS servers as needed. When you have completed specifying
any additional DNS servers, press n when prompted.
11.Configure cross-domain mapping:
[Step 3/18 cross-domain names mapping configuration]

If your environment is a multi-domain environment with trust
between these domains, PTA requires a list of these domains with
their corresponding pre-Windows 2000 names to better identify
them in the data. For more information specify ‘help’.
Would you like to specify cross-domain configuration (y/n)? [y]:

a. Enter y to begin configuration.
b. Or, enter n to exit the wizard.
The following message appears:
Specify mapping between pre-Windows 2000 and DNS domain
names:
Domain name:
pre-Windows 2000 name:

c. Enter the domain name and pre-Windows 2000 name, and then press Enter.
After the mapping is saved successfully, the following is displayed:
Configure another domain name with pre-Windows 2000 name
(y/n):

d. Enter y to configure another cross-domain mapping, or n to continue directly to
the next step.
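As an added example (not CyberArk code) of what this mapping is for: a small Python class that stores the DNS domain / pre-Windows 2000 name pairs entered at the prompts above and folds the differently written forms of one account that arrive in event data (DOMAIN\user, user@domain, domain\user) into a single identity. The domain names in it are constructed.

```python
from typing import Dict, NamedTuple, Optional

# Added example (not CyberArk code). Event sources name the same account in
# several ways: "CORP\alice" (pre-Windows 2000 / NetBIOS form),
# "alice@corp.example.com" (UPN form), "corp.example.com\alice". Without the
# mapping collected in wizard step 3/18 these look like three different accounts.


class AccountId(NamedTuple):
    domain: str   # canonical DNS domain name, lower-case ('' if none was given)
    user: str     # account name, lower-case
    mapped: bool  # True when the domain was resolved through the mapping


class DomainMapper:
    """Holds the DNS <-> pre-Windows 2000 mapping collected in wizard step 3/18."""

    def __init__(self) -> None:
        self._by_dns: Dict[str, str] = {}      # dns domain -> pre-Windows 2000 name
        self._by_netbios: Dict[str, str] = {}  # pre-Windows 2000 name -> dns domain

    def add(self, dns_domain: str, netbios_name: str) -> None:
        """Record one pair, as answered at 'Domain name:' / 'pre-Windows 2000 name:'."""
        dns = dns_domain.strip().lower().rstrip(".")
        nb = netbios_name.strip().upper()
        if not dns or not nb:
            raise ValueError("both the domain name and the pre-Windows 2000 name are required")
        if nb in self._by_netbios and self._by_netbios[nb] != dns:
            raise ValueError(f"pre-Windows 2000 name {nb} is already mapped to {self._by_netbios[nb]}")
        self._by_dns[dns] = nb
        self._by_netbios[nb] = dns

    def to_dns(self, name: str) -> Optional[str]:
        """Return the DNS domain for a pre-Windows 2000 or DNS name, None if unknown."""
        key = name.strip().rstrip(".")
        if key.lower() in self._by_dns:
            return key.lower()
        return self._by_netbios.get(key.upper())

    def normalize(self, account: str) -> AccountId:
        """Fold 'DOMAIN\\user', 'user@domain', 'domain\\user' or 'user' into an AccountId."""
        acct = account.strip()
        if "\\" in acct:
            dom, user = acct.split("\\", 1)
        elif "@" in acct:
            user, dom = acct.rsplit("@", 1)
        else:
            dom, user = "", acct
        dns = self.to_dns(dom) if dom else None
        if dns is not None:
            return AccountId(dns, user.lower(), True)
        # Unknown domain: keep it as written (lower-cased) and flag it as unmapped,
        # so a reviewer can see which domains still need a mapping entry.
        return AccountId(dom.lower().rstrip("."), user.lower(), False)


def build_demo_mapper() -> DomainMapper:
    """Constructed sample mapping for a forest with one sub-domain."""
    m = DomainMapper()
    m.add("corp.example.com", "CORP")
    m.add("eu.corp.example.com", "EUCORP")
    return m


if __name__ == "__main__":
    mapper = build_demo_mapper()
    for raw in ("CORP\\Alice", "alice@corp.example.com", "corp.example.com\\alice",
                "EUCORP\\bob", "OTHER\\carol", "dave"):
        print(f"{raw:28} -> {mapper.normalize(raw)}")
```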
12.Configure the date and time zone:
a. At the following prompt, specify your time zone. For a list of available time zones,
see Time Zones, page 128.
[Step 4/18 – Date and TimeZone configuration]

Specify your time zone (example: America/Chicago). For a full
time zone list, specify ‘help’.
Time zone:


b. Enter the time zone, then press Enter. The date and time prompt appears.
Specify current date and time in 24h format “MM/DD/YYYY
hh:mm” (example: 11/21/2013 16:20):

c. Enter the current date and time using the format included in the prompt, then
press Enter. The following prompt appears, enabling you to synchronize the time
zone you are setting, with your NTP server.
Do you want to synchronize with NTP server (y/n)? [n]

d. Enter y to synchronize the time zone configuration with the NTP server.
e. Or, enter n to skip to [Step 5/18 – Database initialization] and finish the time zone
configuration without synchronizing with the NTP server.
f. If you specified y, the NTP server IP prompt appears:
Specify the NTP server IP:

g. Enter the IP address of the NTP server, then press Enter.
The date and time zone are now configured and the following confirmation is
displayed, and the installation proceeds to the next step.
Date and time zone configuration finished successfully

13.The wizard automatically initializes the database that will be used for the Privileged
Threat Analytics solution:
[Step 5/18 – Database initialization]

Starting database
Database initialization finished successfully.

After this step has finished successfully, the installation proceeds to the next step.
14.The wizard automatically configures the internal components:
[Step 6/18 – Configuring internal components]

Configuring internal components finished successfully.

After this step has finished successfully, the installation proceeds to the next step.
15.Configure the connection to the Vault. This connectivity authorizes the Vault as a
source host. It enables forwarding data from the Vault to PTA, retrieving reports from
the Vault, and configuring Golden Ticket detection.

Note:
When PTA is configured with a Vault that is deployed in a Cluster environment, configure the
Virtual IP in the Vault Connection Configuration step.
When PTA is configured with a Vault that is deployed in a distributed environment, configure the
IP for the primary Vault in the Vault Connection Configuration step.

[Step 7/18 – Vault connection configuration]

Privileged Threat Analytics


23 Install PTA

Establish connectivity between PTA and the Vault to authorize
the Vault as a source host. This is a prerequisite for:
Forwarding data from the Vault
Retrieving Vault reports
Configuring Golden Ticket detection
This step is optional. Would you like to configure it (y/n)?:

a. Enter y to integrate PTA with the Vault.
b. Or, enter n to install PTA without a Vault connection and continue directly to [Step
12/18 Authorized source hosts configuration].
c. If you entered y, specify the Vault server's IP address and port number, then
press Enter.
Specify the Vault server's IP address and port number.
IP:
Port [1858]:

The Disaster Recovery Vault prompt appears, where you specify the relevant DR
Vault IP/s.
Would you like to configure Vault DR (y/n)?
Specify the Vault DR IP address. If there are multiple DR
servers, list all the IPs separated by a comma.
IP/s:

d. Enter y to configure the DR Vault, making sure to use a comma if there are
multiple DR Vault servers, then press Enter.
e. Or, enter n to continue.
f. Specify the Username and Password of the Vault user who will create the PTA
environment in the Vault. This user must have administrator permissions.
Specify Vault username and password.
This user must have administrator permissions, and it will be
used to update the environment required for the PTA in the
Vault server.
Username [Administrator]:
Password:
Retype password:

Creating PTA Vault user.
User created successfully.
Creating PTAApp Vault user.
User created successfully.

The PTA environment is now created in the Vault. During this process, the PTA
Vault users were created to manage PTA activity in the Vault.

Note:
The PTAApp Vault user is created for Vault v9.6 and above.
If you receive an error in this step, press Ctrl+C to exit the installation wizard, and run the wizard
again. When the wizard starts, you can select to resume the wizard from this point.

g. Specify the time zone configured in the Vault.
Specify your vault time zone (example: America/Chicago). For
a full time zone list, specify 'help'.
Time zone [America/Chicago]:

After this is completed successfully, a confirmation message is displayed, and the
installation proceeds to the next step.
Vault configuration finished successfully.

16.If you configured the connection to the Vault, you are prompted to configure the Vault
activities report:
[Step 8/18 - Loading user and safe activities report]

This step is optional. Would you like to configure it (y/n)?:

a. Enter y to load the user and Safe activities report.
b. Or, enter n to continue directly to [Step 10/18 - Loading inventory report].
c. If you entered y, specify the number of previous days to be included when
creating the report.
Specify the number of previous days that will be included in
the user and safe activities report.
Number of days [180]:

The following activity messages are displayed:
Generating the user and safe activities report...
Loading the user and safe activities report...

After the activity report has been created and loaded successfully, a confirmation is
displayed and the installation proceeds to the next step.
User and safe activities report loading was completed
successfully.

17.If you configured the Vault activities report, you are prompted to create baselines for
the Privileged Threat Analytics algorithms:
[Step 9/18 – Baselines creation]

This step is optional. Would you like to configure it (y/n)?:

a. Enter y to create baselines.
b. Or, enter n to continue directly to [Step 10/18 - Loading inventory report].
c. If you entered y, the baselines creation begins:
Creating baseline for ‘Privileged access during irregular
hours’ algorithm...
Baseline created successfully
Creating baseline for ‘Excessive access to privileged
accounts’ algorithm...
Baseline created successfully

Creating baseline for 'Accessing the Vault from irregular IP'
algorithm...
Baseline created successfully

After the baselines have been created successfully, the following confirmation is
displayed, and the installation proceeds to the next step.
Baselines creation finished successfully.

18.If you configured the connection to the Vault, you are prompted to load the Vault
inventory report:
[Step 10/18 - Loading inventory report]

This step is optional. Would you like to configure it (y/n)?:

a. Enter y to load the inventory report.
b. Or, enter n to continue directly to [Step 12/18 Authorized source hosts
configuration].
c. If you entered y, an inventory report is generated and loaded.
Generating the inventory report...
Loading the inventory report...

After the information has been gathered successfully, a confirmation is displayed and
the installation proceeds to the next step.
Inventory report loading was completed successfully.

19.After configuring the Vault inventory report, the installation automatically launches
an address resolving process:
[Step 11/18 – Resolving Addresses]

Launched address resolving process successfully

A confirmation is displayed that the address resolving process launched successfully.
When the address resolving process is completed, the confirmation appears in the
PTA installation log.
20.Specify source hosts. PTA must be configured to receive messages from
authorized sources only. Specifying 'All' disables this filtering, so use it only in a
test environment and list the specific IPs in production.

Note:
When PTA is configured with Vaults deployed in a Cluster environment, also add the External IPs
for all Vaults in all Clusters.
When PTA is configured with Vaults deployed in a distributed environment, also add the IPs for all
satellite Vaults.

[Step 12/18 Authorized source hosts configuration]

Specify the source host IPs that are authorized to forward
messages to PTA, separated by a comma (for example:
11.22.33.44,11.22.33.55).
To allow all hosts types to forward messages to PTA, specify
'All'.
To prevent any host type from forwarding messages to PTA,
specify 'None'.

PTA should only be permitted to receive messages from authorized
sources such as the CyberArk Vault, organizational SIEM solution
and any other server that sends messages directly to PTA.
If the Vault connection was configured, the Vault is
automatically considered to be an authorized source host (no
need to specify it in this step).
Authorized machines:

21.Configure the PTA Network Sensor and PTA Windows Agent connection.

Note:
Before you configure PTA Network Sensors, you must have already installed and
configured the Network Sensor. See Install PTA Network Sensors, page 53.

[Step 13/18 – Network sensor and PTA agent connection
configuration]

This step is optional. Would you like to configure it (y/n)?:

a. Enter y to configure a PTA Network Sensor connection, a PTA Windows
Agent connection, or both.
b. Or, enter n to install PTA without a PTA Network Sensor connection or a
PTA Windows Agent connection, and continue directly to [Step 15/18 – Email
notifications configuration].
c. If you entered y, the following appears.
The PTA Server can be configured to collect network traffic
with agents installed on your DCs or with Network Sensor
machines, or with both.
Will your implementation include PTA agents? (y/n)

d. Enter y to configure the PTA Windows Agent connection. The following appears.
The Server configuration for PTA agents was configured
successfully. After completing the PTA Server installation,
you must install the PTA agents.

e. The following prompt appears.
Will your implementation include PTA network Sensor machines?
(y/n)

f. Enter y to configure the connection to the PTA Network Sensors.

The PTA Server must be configured with each PTA Network Sensor that was
installed. The following appears.
Configure the connection to the PTA Network Sensors:
The PTA Server must be configured with each PTA Network
Sensor that was installed.
Press [y] to configure a PTA Network Sensor. Press [n] to
skip this step:

g. Enter y to configure a PTA Network Sensor connection.
h. Or, enter n to continue directly to [Step 14/18 – Golden Ticket detection
configuration].
i. If you entered y, you are prompted to specify the IP of the machine on which a
PTA Network Sensor was installed.
IP:

j. Press Enter; the following message is displayed.
The PTA Network Sensor was configured successfully.
Press [y] to configure a PTA Network Sensor. Press [n] to
skip this step [y]:

k. If you have more than one Network Sensor, press y and specify the IP of the
next machine on which a PTA Network Sensor was installed.
l. When you have finished specifying the PTA Network Sensors, press n.
22.If you configured the PTA Network Sensor connection or the PTA Windows
Agent connection, the Golden Ticket detection prompt appears.

Note:
Before you configure Golden Ticket detection, you must have already installed and
configured the Network Sensor. See Install PTA Network Sensors, page 53. Specifically, the
following:
Stage 1: Adding Privileges to the Domain User, page 1
Stage 2: Adding the Domain User as an Account, page 1

[Step 14/18 – Golden Ticket detection configuration]

This step is optional. Would you like to configure it (y/n)?

a. Enter y to configure Golden Ticket detection.
b. Or, enter n to continue directly to [Step 15/18 – Email notifications configuration].
c. If you entered y, specify the Username and Password of the Vault user who
will configure the Golden Ticket detection. This user must have administrator
permissions.

Note:
This step only appears if the PTAApp Vault user was not created in [Step 7/18 – Vault connection
configuration], page 22.
PrivateArk Vault users are supported. LDAP users are not supported.

Specify Vault username and password.
This user must have administrator permissions, and it will be
used to update the environment required for the PTA in the
Vault server.
Username [Administrator]:
Password:
Retype password:

Creating PTA App Vault User.
PTA App Vault User created successfully.

d. Define the domain name to monitor for the Golden Ticket detection, and one of
its Domain Controller IPs.
PTA can monitor either a domain and its sub-domains, or a
single domain.
Specify the domain name to monitor:
Domain name:
Would you like to monitor the domain and its sub-domains?
(y/n)?

After specifying the domain name to monitor, specify whether to also monitor the
sub-domains.
e. Enter y to monitor the domain name and its sub-domains.
f. Or, enter n to monitor only the specified domain name.
g. If you entered y, you must specify the relevant Enterprise Admin account path
and its domain name.
Specify the relevant Enterprise Admin account path (Safe
name, Folder path, File name) and its' domain name.
Or, specify a path to an account which has Replicate
permissions in the monitored domain and its sub-domains.
The Enterprise Admin account will only be used for the
monitored domains.
Safe name:
Folder path:[Root]
File name:
Account Domain name:

h. If you entered n, you must specify the IP of one of the Domain Controllers and the
relevant Domain Admin account.
To do this, define a user in Active Directory with the following privileges on the
domain:
■ Replicating Directory Changes
■ Replicating Directory Changes All
■ Replicating Directory Changes In Filtered Set
These are the directory replication rights. An account that holds them can
replicate every object in the domain, including account secrets, so use a
dedicated account, keep it in the Vault, and grant it nothing else.

Specify one of the Domain Controllers IP’s and relevant
Domain Admin account path (Safe name, Folder path, File
name).
Or, specify a path for an account with Replicate permissions
required for this domain.
Domain Controller IP:
Safe name:
Folder path:[Root]
File name:

After configuring the domain to monitor and one of its Domain Controller IPs, one
of the following messages is displayed:
■ If the safe was already configured with this user, the following message
is displayed:
PTA App Vault user ownership on the mentioned safe was
already defined.

■ If the safe was not already configured with a user, you are requested to
specify a Vault user who has owner permissions on the mentioned safe.
Specify Vault username and password.
This user must have owner permissions on the mentioned safe.
This user will be used to manage the PTA App Vault user
ownership on the safe.
Username:
Password:
Retype password:

PTA App Vault user successfully received permission to the
safe.

i. Enter the username and password of the Vault user who has owner permissions
on the mentioned safe.
After completing this step, you will be asked if you want to specify an additional
domain.
Would you like to monitor an additional domain (y/n)? [n]:

j. Enter y to specify an additional domain to monitor.
k. Or, enter n to continue directly to the next step.
l. If you entered y, go back to step d, Define the domain name to monitor for the
Golden Ticket detection, and one of its Domain Controller IPs.
m. Repeat for each domain that you need to monitor.
After completing this step, the following confirmation is displayed, and the
installation proceeds to the next step.
Golden ticket detection configuration finished successfully.
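Before you point the wizard at the Domain Admin or Enterprise Admin account it asks for in this step, it is worth confirming that the account actually holds the three replication rights on the domain naming context. The following PowerShell script is an added example written for this guide, not CyberArk code: it binds to the Domain Controller IP the wizard asks for, resolves the account's own SID and its transitive group SIDs (tokenGroups), and reads the ACL of the domain root for the three extended rights. It uses plain ADSI, so it needs no RSAT module, but it does assume that the account lives in the monitored domain and that you run it from a domain-joined Windows host as a user allowed to read that ACL. The function and parameter names, the DC address and the account name in the example call are assumptions.

```powershell
# Added example (not part of the PTA guide): check that a Vault-managed account holds the
# directory replication rights that Golden Ticket detection needs. Plain ADSI, no RSAT needed.
# Function/parameter names and the example call values are assumptions.

# Extended-right GUIDs of the three privileges named in the wizard step.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Test-ReplicationRights {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,    # the account you will store in the Vault
        [Parameter(Mandatory)][string]$DomainController   # one DC of the monitored domain (IP or FQDN)
    )

    # Domain naming context served by the DC we were given.
    $rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]"LDAP://$DomainController/$domainDn"

    # Find the account, then collect every SID an ACE could name and still apply to it:
    # its own SID plus tokenGroups, the transitive (nested) group membership.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, "(sAMAccountName=$SamAccountName)")
    $result   = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found under $domainDn" }
    $user = $result.GetDirectoryEntry()
    $user.psbase.RefreshCache(@('tokenGroups'))   # constructed attribute; must be requested explicitly

    $sids = @((New-Object System.Security.Principal.SecurityIdentifier($user.psbase.Properties['objectSid'][0], 0)).Value)
    foreach ($raw in $user.psbase.Properties['tokenGroups']) {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }

    # Walk the domain-root ACL. Identities are requested as SIDs, so no name translation is needed.
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rules   = $domain.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $granted = @{}
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }

        $objectType = $rule.ObjectType.ToString().ToLower()
        if ($objectType -eq [guid]::Empty.ToString()) {
            # An ExtendedRight (or GenericAll) ACE with an empty ObjectType grants every extended right.
            foreach ($g in $ReplicationRights.Keys) { $granted[$g] = $rule.IdentityReference.Value }
        } elseif ($ReplicationRights.ContainsKey($objectType)) {
            $granted[$objectType] = $rule.IdentityReference.Value
        }
    }

    foreach ($g in $ReplicationRights.Keys) {
        [pscustomobject]@{
            Right   = $ReplicationRights[$g]
            Granted = $granted.ContainsKey($g)
            ViaSid  = $granted[$g]   # SID the ACE names: the account itself or one of its groups
        }
    }
}

# Example call; the DC address and account name are placeholders for this guide.
Test-ReplicationRights -SamAccountName 'svc-pta-gt' -DomainController '10.0.0.10' | Format-Table -AutoSize
```

All three rows should report Granted = True before you enter the account path in the wizard. The ViaSid column tells you whether the grant is direct or inherited from a group such as Administrators; a grant that arrives through Domain Admins membership means the account carries far more than replication rights, which is the case to avoid for an account whose password is handed to a monitoring integration.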

23.Configure email notifications:
[Step 15/18 – Email notifications configuration]

This step is optional. Would you like to configure it (y/n)?
[y]:

a. Enter y to configure email notifications, then press Enter. These notifications will
be sent when the Privileged Threat Analytics solution detects anomalies.
b. Or, enter n to continue directly to [Step 16/18 – PTA maintenance user
configuration].
c. If you entered y, the email server IP address prompt appears.
Enter the IP address of the email server in your organization, then press Enter.
Specify the email server IP address:

The SMTP port prompt appears.
Specify SMTP port [25]:

d. Enter the port of the SMTP server, then press Enter. The following prompt
appears.
Specify the sender’s email address (in the following format:
user@domain.com):

e. Specify the email address, in lowercase characters, of the user whose name will
be included as the sender in notifications, then press Enter. The following prompt
appears.
Specify the recipient’s email address (in the following
format: user@domain.com). Separate multiple addresses with
‘;’ (semi-colon):

f. Specify the email address(es), in lowercase characters, of the notification
recipient(s), then press Enter. Separate multiple recipient addresses with a
semi-colon. The mail server authentication prompt appears.
Does the mail server require authentication (y/n)? [y]:

g. Enter y if the mail server requires authentication, then press Enter.
h. Or, enter n if the mail server does not require authentication and proceed to [Step
16/18 – PTA maintenance user configuration].
If you entered y, the sender’s credentials prompts appear:
Setting the sender’s credentials
Enter username and password for the user that will send email
notifications.
Username:
Password:
Retype password:

i. Enter the user name and password of the user in the email system who will send
notifications, then press Enter. After the sender’s credentials are saved
successfully, the following confirmation is displayed.
The sender's credentials saved successfully.

j. After the email notifications are configured successfully, the following
confirmation is displayed, and the installation proceeds to the next step.
Email notifications configuration finished successfully.

24.Configure the PTA maintenance user:
[Step 16/18 – PTA maintenance user configuration]

Creating a user for system maintenance.
Specify a password for this user:
Retype password:

a. Enter the password of the PTA maintenance user, ptauser, then press Enter.

After installation, you can use this user to perform maintenance activities on the
PTA machine.
b. After this user has been created and its user credentials are saved successfully,
the following confirmation is displayed, and the installation proceeds to the next
step.
PTA maintenance user was created successfully.

25.The installation automatically generates a self-signed certificate.
[Step 17/18 – Generating a self-signed certificate]

Generating a certificate finished successfully.

The certificate contains the hostname of the server. The hostname must not be
changed, or the certificate becomes invalid.
After a self-signed certificate is generated successfully, confirmation is displayed, and
the installation proceeds to the next step.
26.The installation automatically initializes the Privileged Threat Analytics solution.
[Step 18/18 – PTA initialization]

This step is optional. Would you like to configure it (y/n)?:

a. Enter y to begin initialization.
Starting PTA
PTA initialization finished successfully.

After successful initialization, a confirmation is displayed and the installation is
complete.


PTA Post-Installation Procedures


Use the following procedures after you have installed PTA.
We recommend installing VMware Tools on the virtual machine.
We recommend managing the PTA machine root and ptauser user accounts with the
CyberArk Privileged Account Security (PAS) solution.
In this section:
Manage SSL Certificates, page 32
Validate the Self-signed Certificate on your Browser, page 32
Import your Organization's SSL Certificate, page 41

Manage SSL Certificates

You can use the self-signed certificate created during PTA installation, or use your
organization's SSL certificate.
■ Validate the Self-signed Certificate on your Browser, page 32.
■ Import your Organization's SSL Certificate, page 41

Validate the Self-signed Certificate on your Browser

The following instructions show you how to import the self-signed certificate created
during PTA installation into your browser. After completing the import process, your
browser will trust the certificate. Note that the file is a CA certificate and you are placing
it in a trusted root store, so the browser will trust any certificate that this CA issues;
compare the file's fingerprint with the copy on the PTA machine before you import it.

To Validate the Self-signed Certificate on your Browser:


Before starting the import process on your browser, retrieve the certificate file as follows:
1. Connect to the PTA machine using an SFTP session (SSH) as the root user.
2. Navigate to the following address: /opt/tomcat/ca.
3. Save the ca-cyberark.cert certificate file in a folder on your machine.
4. Depending on your browser, proceed with one of the following.

To Launch Internet Explorer Certificates Manager:

1. Make sure you first followed the steps in the previous procedure, To Validate the
Self-signed Certificate on your Browser:, page 32.
2. As an administrative user, run the following command in a command line interface to
launch the Certificates Manager:
certmgr.msc

The Certificates Manager is displayed.
3. In the Certificates tree, navigate to Trusted Root Certification Authorities, then
to Certificates.
4. Right-click Certificates then, from the pop-up menu, select All Tasks, then Import.
The Certificate Import Wizard is displayed.

5. Click Next to begin the certificate import wizard.
6. At the first step of the wizard, click Browse and find the ca-cyberark.cert certificate
file.
7. Click Open. The certificate file name is displayed in the File name field.

8. Click Next to continue to the next step in the wizard. The Certificate Store window
appears.


By default, Place all certificates in the following store appears selected and the
certificate store name is displayed.
9. Leave the default settings, and click Next to continue to the final step in the wizard.
The Completing the Certificate Import Wizard window appears and displays the
details of the selected certificate.

10.Click Finish. Internet Explorer displays a Security Warning.


11.Click Yes to install the certificate. When the installation is successful, a confirmation is
displayed.

12.Click OK to close the confirmation box and complete the certificate import process.
13.Shut down all running instances of Internet Explorer, then restart Internet Explorer.

To Launch Chrome Certificates Manager:

Note:
If you have imported the self-signed certificate on Internet Explorer, you do not need to
import it again on Chrome.

1. Make sure you first followed the steps in the previous procedure, Validate the
Self-signed Certificate on your Browser, page 32.
2. As an administrative user, run PTA on Chrome using the following URL:
https://ptaserver.
3. From the Chrome menu, select Settings and then Show advanced settings.
4. In the HTTPS/SSL section, click Manage Certificates. The Certificates screen is
displayed. 

5. Display the Trusted Root Certification Authorities tab, then click Import. The
first screen of the Certificate Import Wizard is displayed.

6. Click Next to begin the certificate import wizard.
7. At the first step of the wizard, click Browse and find the ca-cyberark.cert certificate
file.
8. Click Open. The certificate file name is displayed in the File name field.


9. Click Next to continue to the next step in the wizard. The Certificate Store window
appears.

By default, Place all certificates in the following store is selected and the
certificate store name is displayed.


10.Keep the default settings and click Next to continue to the final step in the wizard. The
Completing the Certificate Import Wizard window appears and displays the details of
the selected certificate.

11.Click Finish. Chrome displays a Security Warning.

12.Click Yes to install the certificate. When the installation is successful, a confirmation is
displayed.


13.Click OK to close the confirmation box and complete the certificate import process.
14.Shut down all running instances of Chrome, then restart Chrome.

To Launch Firefox Certificates Manager:

1. Make sure you first followed the steps in the previous procedure, Validate the
Self-signed Certificate on your Browser, page 32.
2. As an administrative user, run PTA on Firefox using the following URL:
https://ptaserver.
3. From the Tools menu, select Options; the Options window is displayed.
4. Click the Advanced icon, then display the Encryption tab.
5. Click View certificates. The Certificate Manager window is displayed.
6. Display the Servers tab, then click Import.


7. Find the ca-cyberark.cert certificate file, then click Open. The certificate is added to
the list in the Servers tab.

8. Select the PTAServer certificate in the list, then click Edit Trust; the Edit website
certificate trust settings window is displayed.

9. Select Trust the authenticity of this certificate, then click OK.
10.Shut down all running instances of Firefox, then restart Firefox.
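The certmgr.msc and browser wizards above do the import but give you no way to confirm what you are trusting. The following PowerShell script is an added example written for this guide, not CyberArk code: it reads the ca-cyberark.cert copy you retrieved over SFTP, refuses anything that is not a CA certificate, compares its SHA-256 fingerprint with a value you read on the PTA machine (for example with openssl x509 -in /opt/tomcat/ca/ca-cyberark.cert -noout -fingerprint -sha256 over SSH; the presence of openssl on the appliance is an assumption), and only then adds it to the Windows Root store that Internet Explorer and Chrome use. The local file path, the expected fingerprint and the store location are placeholders.

```powershell
# Added example (not part of the PTA guide): import ca-cyberark.cert into the Windows Root
# store only after its SHA-256 fingerprint matches the value read out of band on the PTA host.
# Path, expected fingerprint and store location in the example call are placeholders.

function Get-CertificateSha256Fingerprint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Same colon-separated upper-case form that openssl -fingerprint prints.
        ($sha.ComputeHash($Certificate.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'
    } finally { $sha.Dispose() }
}

function Install-PtaRootCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,                  # local copy of ca-cyberark.cert
        [Parameter(Mandatory)][string]$ExpectedFingerprint,   # SHA-256 fingerprint read on the PTA machine
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation = 'CurrentUser'
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Refuse to put a non-CA certificate into the Root store.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$Path is not a CA certificate (BasicConstraints CA=false or absent); not importing into Root."
    }

    # Pin on the fingerprint obtained out of band, not on the subject name in the file.
    $actual   = Get-CertificateSha256Fingerprint -Certificate $cert
    $expected = ($ExpectedFingerprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if (($actual -replace ':', '') -ne $expected) {
        throw "Fingerprint mismatch: file has $actual, expected $ExpectedFingerprint. Do not trust this file."
    }

    # Root store of the chosen location; CurrentUser affects only your profile, LocalMachine every user.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    "Imported '$($cert.Subject)' ($actual) into $StoreLocation\Root."
}

# Example call with placeholder values for this guide.
Install-PtaRootCertificate -Path 'C:\pta\ca-cyberark.cert' `
    -ExpectedFingerprint '<fingerprint printed on the PTA machine>' -StoreLocation CurrentUser
```

Adding to CurrentUser\Root still triggers the same Windows Security Warning dialog the wizard shows; LocalMachine\Root needs an elevated session and affects every account on the host. Firefox keeps its own certificate store, so the Firefox procedure above is unchanged by this script.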

Import your Organization's SSL Certificate

The following instructions show you how to import your organization's SSL certificate.

To Import your Organization's SSL Certificate:

1. On the system console, log in as the root user using the password you specified
during installation.
2. Start the PTA utility by running the following command:
/opt/tomcat/utility/run.sh

3. Select 14. Generating a Certificate Signing Request (CSR).
4. Specify the certificate details.

Note:
You can enter multiple alternative DNS and/or IP values in the Subject Alternative
Names field. The format is <field name>:<alternative_name>,<field
name>:<alternative_name>. For example,
dns:pta.com,ip:10.10.10.10,dns:pta2.com,ip:11.11.11.11

The Certificate Signing Request (CSR) is created in the pta_server.CSR file located
at /opt/tomcat/ca.
5. Start the PTA utility by running the following command:
/opt/tomcat/utility/run.sh

6. Select 15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server
certificates).
7. Specify the SSL certificate chain details.
The SSL Certificate Chain is created.
8. Run the service appmgr restart command to restart PTA.


Troubleshoot PTA Installation

Verify the configuration
Log on to the PTA machine as the root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
Use any of the following to troubleshoot issues that might arise during PTA installation.

Invalid Certificate – Bad Signature Error

During PTA installation, the installation wizard creates PTA HTTPS and CA certificates.
After installation, you added the CA certificate to your browser’s certificate store.
If you run the installation again, the wizard will create new HTTPS and CA certificates.
When you connect to the PTA web interface for the first time after reinstalling PTA, the
following error is displayed: SSL certificate is invalid.
To resolve this issue:
1. Remove the CA certificate you added to the certificates store after the first
installation.
2. Import the new CA certificate to the certificates store again, as explained in Validate
the Self-signed Certificate on your Browser, page 32.

Running the PTA Installation Wizard Multiple Times

Note:
Running the wizard more than once is not recommended .

If PTA is installed, and if you need to run the PTA wizard again, you must first stop all
PTA processes before you run the installation wizard again.
To Stop all PTA Processes:
1. Run the PTA utility, using the following command:
/opt/tomcat/utility/run.sh

2. Select 3 - Stop application processes.

Test PTA Services

After PTA is installed, you can check the PTA services to ensure that they are all running.

To Determine if PTA Services are Running:

1. Run the following command:
sudo -u monit /opt/monit/bin/monit status

All services should be running.

Note:
The Ptadcaserverd process runs only when the PTA Windows Agent is enabled. The
Ptacasosservicesd process runs only when Golden Ticket detection is enabled.

2. If not all services are running, run the following command:
service appmgr restart

3. To stop PTA services, run the following command:
service appmgr stop

4. To start PTA services, run the following command:
service appmgr start

5. To send a test email, log on to the PTA machine using the root user and run the
following command:
/opt/diag-tool/ptaInternalDiagTool.sh email –send

If no error is shown on the screen, check your inbox for the test mail.


Install PTA Windows Agents


After completing the installation of the PTA Server, you install PTA Windows Agents on
your DC machines or Windows Event Forwarding servers to gather information for
reporting events in PTA. You must have configured a PTA Windows Agent connection
while running the Installation Wizard, as shown in [Step 13/18 – Network sensor and
PTA agent connection configuration], page 26.

Step                                      Comments                                        Reference
Review PTA Windows Agent system           -                                               System Requirements for PTA Windows
requirements                                                                              Agent, page 44
Install PTA Windows Agents                Run the script to generate the CLI command      Install PTA Windows Agents, page 45
                                          to install the PTA Windows Agents on your DCs.
(Optional) Review PTA Windows Agent       -                                               Troubleshoot PTA Windows Agent
installation troubleshooting procedures                                                   Installation, page 49

System Requirements for PTA Windows Agent

■ Server authentication requires that a third-party certificate or your company's
certificate is installed on your PTA Server machine.

Note:
Create a dedicated Base-64 encoded X.509 SSL certificate.

■ Client authentication requires a SHA-256 certificate issued for the Domain
Controller with the Microsoft Enhanced RSA and AES Cryptographic
Provider CSP enabled for the Template. This CSP is disabled by default.

Note:
Create a dedicated Base-64 encoded X.509 SSL certificate.

■ PTA Windows Agent works with the following Windows servers:
■ Windows 2008 R2 64-bit
■ Windows 2012 R2 64-bit
■ Windows 2016 64-bit


Install PTA Windows Agents

After completing the installation of the PTA Server, you install PTA Windows Agents on
your DC machines or Windows Event Forwarding servers to gather information for
reporting events in PTA. You must have configured a PTA Windows Agent connection
while running the Installation Wizard, as shown in [Step 13/18 – Network sensor and
PTA agent connection configuration], page 26.
Server authentication requires that a third-party certificate or your company's certificate
is installed on your PTA Server machine.
Client authentication requires a SHA-256 certificate issued for the Machine with the
Microsoft Enhanced RSA and AES Cryptographic Provider CSP enabled for the
Template. This CSP is disabled by default.

Install the Server Certificate

1. Follow the instructions in Import your Organization's SSL Certificate, page 41.
2. Verify that the certificate authority chain of the PTA Server is located in the Trusted
Root Certification Authorities store for the machine account:
a. Start > Run.
b. Type mmc.
c. File > Add/Remove Snap-in.
d. Certificates.
e. Computer Account.
f. Local computer.
g. OK.
h. Navigate to Certificates > Trusted Root Certification Authorities
> Certificates.
i. Locate the root certificate of the chain.
j. Navigate to Certificates > Intermediate Certification Authorities
> Certificates.
k. Locate the intermediate certificate of the chain.

Configure and Install the Client Certificate

1. Verify that the current issued certificate template includes the Microsoft Enhanced
RSA and AES Cryptographic Provider CSP.
a. Log on to the machine where the PTA Agent will be installed.
b. Start > Run > mmc.
c. File > Add/Remove snap-in.
d. Certificate > Computer Account > Finish.
e. Navigate to Certificates (Local Computer) > Personal > Certificates.
f. Open certificate properties > Details tab > Certificate Template
Information.
g. Write down the major and minor version.
h. Log on to the Certificate Authority machine.
i. Start > Run > mmc.

j. File > Add/Remove snap-in.
k. Certificate Templates.
l. Locate the copied major and minor version in the Version column.
m. Open the template properties.
n. Navigate to the Cryptography tab.

Note:
If the Cryptography tab is missing, navigate to the Request Handling tab.

o. Locate Microsoft Enhanced RSA and AES Cryptographic Provider.
i. If the provider is selected, no further certificate configuration is required on the
Domain Controller.
ii. If the provider is not selected, continue below.
2. Configure the Template.
a. Log on to the Certificate Authority machine.
b. Start > Run > mmc.
c. File > Add/Remove snap-in.
d. Certificate Templates > Finish.
e. Navigate to Certificate Templates.
f. Right click on the template and select Duplicate Template.
g. Under General, enter the Template display name and the Template name.
h. Under Providers, select Microsoft Enhanced RSA and AES Cryptographic
Provider.
i. Under Subject Name select Supply in the request.
j. Under Security, add the relevant machine group with Enroll permissions, and
remove any unnecessary groups.
k. Click OK to save the template.
3. Publish the Template.
a. Log on to the Certificate Authority machine.
b. Start > Run > mmc.
c. File > Add/Remove snap-in.
d. Certificate Authority > Local computer > Finish > OK.
e. Right-click Certificate Templates > New > Certificate Template to Issue.
f. Select the certificate template created in step 2 and click OK.
4. Enroll the certificate for the computer account.
a. Issue a new certificate for the machine using the newly created template.

Note:
Specify Common Name as the Subject Name Type. The new certificate must be unique on
the machine.
Repeat this step on every machine where the PTA Windows Agent will be installed.
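The checks in steps 1g, 1o and 4 can be made from the agent machine's own certificate store. The following PowerShell is an added example, not part of the CyberArk guide: it reports each computer certificate's template major/minor version, its key provider, and whether the subject is unique. The function name is constructed; it assumes an elevated session on the machine where the PTA Windows Agent will be installed.

```powershell
# Added example, not part of the CyberArk guide. Run in an elevated PowerShell
# session on the machine where the PTA Windows Agent will be installed.
$RequiredProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$TemplateInfoOid  = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid  = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-PtaAgentCertificateReport {
    # Hypothetical helper name: one object per certificate in the store.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $template = $null; $major = $null; $minor = $null

        # Step g: the Details tab shows "Certificate Template Information" with the
        # template OID and its major/minor version. Format($true) renders it as text.
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        if ($ext) {
            $text = $ext.Format($true)
            if ($text -match 'Template=([^\r\n]+)')        { $template = $Matches[1].Trim() }
            if ($text -match 'Major Version Number=(\d+)') { $major = [int]$Matches[1] }
            if ($text -match 'Minor Version Number=(\d+)') { $minor = [int]$Matches[1] }
        } else {
            # v1 templates (for example the built-in "Computer" template) carry only a name.
            $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
            if ($v1) { $template = $v1.Format($false).Trim() }
        }

        # Step o, seen from the client side: a legacy CSP key exposes its provider name
        # through CspKeyContainerInfo; a CNG key has no CSP provider at all.
        $provider = 'n/a (no private key)'
        if ($cert.HasPrivateKey) {
            $provider = 'CNG key (not a CSP provider)'
            try {
                $key = $cert.PrivateKey
                if ($key -and $key.CspKeyContainerInfo) {
                    $provider = $key.CspKeyContainerInfo.ProviderName
                }
            } catch { }   # PrivateKey access can throw for keys this account cannot open
        }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Template         = $template
            MajorVersion     = $major
            MinorVersion     = $minor
            Provider         = $provider
            MeetsPtaProvider = ($provider -eq $RequiredProvider)
        }
    }
}

$report = Get-PtaAgentCertificateReport
$report | Format-Table Subject, Template, MajorVersion, MinorVersion, Provider, MeetsPtaProvider -AutoSize

# Step 4 requires the enrolled certificate to be unique on the machine: warn on any
# subject that appears more than once in the Personal store.
$report | Group-Object -Property Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Subject '$($_.Name)' appears $($_.Count) times in Cert:\LocalMachine\My"
}
if (-not ($report | Where-Object MeetsPtaProvider)) {
    Write-Warning "No certificate uses '$RequiredProvider'; enroll one from the duplicated template (step 2)."
}
```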


Install the PTA Windows Agents


To install the PTA Windows Agents, you first run an installation script that creates a CLI
command for the silent PTA Windows Agent installation.
Run the Installation Script
1. From the directory containing the installation package, run the PTA Agent Script
Creator.exe file.
2. Enter your PTA IP Address.
Welcome to the CyberArk PTA Agent Silent Installer Script
Creator.
Enter your PTA IP Address (for example, 198.196.10.10):

3. Enter the PTA Management Port.


Enter the ports configured in PTA.
PTA Management Port (used for managing Agents) [7514]:

Note:
If you do not enter a value for the PTA Management Port, the default value of 7514 is
used.

4. Enter the PTA Data Port.


PTA Data Port (used for receiving Agent data) [6514]:

Note:
If you do not enter a value for the PTA Data Port, the default value of 6514 is used.

5. Set the trusted agent connection.


By default, the PTA server certificate is validated by the
agent, making the connection trusted. Do you want to keep the
trusted connection? Y/N

6. Set the client authentication configuration.


By default, the Agent connection to PTA is configured with
client authentication. Do you want to keep this configuration?
Y/N

If you select Y, enter the Client Certificates subject name.


Please enter the "subject name" of the client certificates
installed on your DCs or WEF server. You can use an asterisk as
a wildcard.
Client Certificates subject name:

7. Set the installation log location.


By default, the installation log is located in %temp%. Do you
want to change the location? Y/N

If you select Y, enter the installation log location.


Please enter the installation log path and file name (Example:
c:\install.log):

8. Set the MSI file location.


If the MSI path is found:
The MSI file was found in the following path:
Do you want to enter a different path? Y/N

If you select Y, enter the MSI path.


MSI Path and file name (Example: c:\Privileged Threat Analytics
Agent.msi):

If the MSI path is not found, enter the MSI path.


Please enter the MSI file path.
MSI Path and file name:

9. Determine whether the PTA Windows Agent analyzes Network data or Windows
events. The default selection is Network data.
The PTA Agent can analyze either Network data or Windows events.
By default, the PTA Agent analyzes Network data. Would you like
the PTA Agent to analyze Windows events instead? Y/N

If you select Y, the PTA Windows Agent analyzes Windows events. If you select N,
the PTA Windows Agent analyzes Network data.
10. The CLI command for installing the PTA Windows Agents is created. For your
convenience, a copy of the CLI command is created in the
PTAAgentInstallerOutput.txt file in the same location as the MSI file.
The CLI command for silent installation has been created
successfully. Run the following command as an Administrator to
install the Agents on your DCs or WEF server. This command can
also be found in the PTAAgentInstallerOutput.txt file in the
current directory.
"PrivilegedThreatAnalyticsAgent.msi" /qn /L*v "c:\Install.log" DATA_ANALYSIS=Windows_Logs PTA_IP="198.196.10.10" DATA_PORT=6514 CONTROL_PORT=7514 TRUSTED=true CLIENT_AUTH=true SUBJECT_NAME="DomainController.domain.com" DATA_ANALYSIS=Network_Tapping

Install the PTA Windows Agent


1. Run the CLI command generated above, either locally on the Domain Controller or
on the Windows Event Forwarding server, or via your deployment tool. It must be run
as an Administrator. Wait about 30 seconds for the installation to complete.
2. Run the Services settings.
Services.msc

3. Verify that CyberArk PTA Agent Client Service is running.


Troubleshoot PTA Windows Agent Installation

Verify the PTA Windows Agent Connection


From the Domain Controller:
1. Log on to the Domain Controller.
2. Navigate to the installation folder.
C:\Program Files\CyberArk\PTA Agent

3. Run the PTAAgentAdmin.exe file.


PTAAgentAdmin.exe

4. Select option 1, Print statistics.


C:\Program Files\CyberArk\PTA Agent>PTAAgentAdmin.exe -a
127.0.0.1
Configured:
Server IPv4 Address: 127.0.0.1
Agent IPv4 Address: 127.0.0.1
Legend:
1. Print statistics
2. Print Pool statistics
3. Print Machine Monitoring
4. Get statistics (loop) and write to CSV
q. Quit

5. Continue with From the PTA Server or the Domain Controller, page 50.

From the PTA Server:


1. Run the following command:
/opt/agentshell/run.sh

Note:
If there are no Agents configured in your environment, the PTAAgentAdmin utility ends.

2. Enter the Domain Controller IP address you want to verify.


Agent IP
1.1.1.1
2.2.2.2
Select an Agent IP for managing and monitoring remotely
Agent IP:

3. Select option 1, Print statistics.

Configured:
Server IPv4 Address: 127.0.0.1
Agent IPv4 Address: 1.1.1.1
Legend:
1. Print statistics
2. Print Pool statistics
3. Print Machine Monitoring
4. Get statistics (loop) and write to CSV
a. Change Agent IP
q. Quit

4. Continue with From the PTA Server or the Domain Controller, page 50.

From the PTA Server or the Domain Controller:


1. Verify that both instances of # of successful connects show a positive number.
INFO CONSOLE - *******************************************
INFO CONSOLE - ***************** START *******************
INFO CONSOLE - *******************************************
INFO CONSOLE - Current Date/Time: 04-07-2017T16:02:12
INFO CONSOLE - Version: 1.0.0.76
INFO CONSOLE - Uptime: 7
INFO CONSOLE - Max Sessions: 100000
INFO CONSOLE - ***************** Global Statistics
*****************
INFO CONSOLE - Total RX packets: 514
INFO CONSOLE - Total Seen packets: 0
INFO CONSOLE - Total new sessions: 0
INFO CONSOLE - Total packets matching existing session:0
INFO CONSOLE - Total No Event Buffer: 0
INFO CONSOLE - Closed sessions: 0
INFO CONSOLE - Agg examine pkt: 0
INFO CONSOLE - Unknown applications: 0
INFO CONSOLE - Allocated Fragments buffers: 0
INFO CONSOLE - Freed Fragments buffers: 0
INFO CONSOLE - Ignored Fragments: 0
INFO CONSOLE - Ignored Retransmitted Packets: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** General Error Counters ****
INFO CONSOLE - Missing fcb: 0
INFO CONSOLE - Illegal packet len: 0
INFO CONSOLE - Illegal session id: 0
INFO CONSOLE - Illegal IP total length field: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** # of Event Statistics ****
INFO CONSOLE - Total created events: 0
INFO CONSOLE - Locks consistency: OK
INFO CONSOLE - total events written to ring: 0
INFO CONSOLE - failed events writing to ring: 0
INFO CONSOLE - total events read from ring: 0
INFO CONSOLE - success sending to srv: 0
INFO CONSOLE - failed sending to srv: 0
INFO CONSOLE - setting write event failed: 0
INFO CONSOLE - resetting write event failed: 0
INFO CONSOLE - illegal lenght event reading from ring:0
INFO CONSOLE - Ring read Idx: 0
INFO CONSOLE - Ring write Idx: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** KRB General Counters ****
INFO CONSOLE - # of Total KRB packets: 0
INFO CONSOLE - # of KRB AS requests: 0
INFO CONSOLE - # of KRB AS responses: 0
INFO CONSOLE - # of KRB AS requests errors: 0
INFO CONSOLE - # of KRB AS Events: 0
INFO CONSOLE - # of KRB AS failure Events: 0
INFO CONSOLE - # of KRB AS success Events: 0
INFO CONSOLE - # of KRB TGS requests: 0
INFO CONSOLE - # of KRB TGS responses: 0
INFO CONSOLE - # of KRB TGS requests errors: 0
INFO CONSOLE - # of KRB TGS Events: 0
INFO CONSOLE - # of KRB TGS failure Events: 0
INFO CONSOLE - # of KRB TGS success Events: 0
INFO CONSOLE - # of KRB unknown error MSGs: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** KRB Error Counters ****
INFO CONSOLE - # of TLV error too long: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** LDAP General Counters ****
INFO CONSOLE - # of Total LDAP packets: 0
INFO CONSOLE - # of LDAP Bind Request events: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** Connectivity to Server - DATA path ****
INFO CONSOLE - # of attempts to connect: 1
INFO CONSOLE - # of successful connects: 1
INFO CONSOLE - # of failed connects: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** Connectivity to Server - CONTROL path ****
INFO CONSOLE - # of attempts to connect: 1
INFO CONSOLE - # of successful connects: 1
INFO CONSOLE - # of failed connects: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** Authentication and Certificates ****
INFO CONSOLE - MAX of attempts to verify: 10
INFO CONSOLE - Validate server certificate: false
INFO CONSOLE - Client certificate enabled: false
INFO CONSOLE - Client certificate subject name: UNDEFINED
INFO CONSOLE - *******************************************
INFO CONSOLE - ***************** END ******************
INFO CONSOLE - *******************************************
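The check in step 1 above can be automated over the saved output. The following PowerShell is an added example, not part of the CyberArk guide: it parses the statistics dump section by section, so the two "# of successful connects" counters are attributed to the right path, and reports the certificate settings alongside. The function name and the abridged sample it parses are constructed, patterned on the output shown above.

```powershell
# Added example, not part of the CyberArk guide. Parses "Print statistics" output
# section by section so the DATA path and CONTROL path counters are not confused.
function Test-PtaAgentStatistics {
    # Hypothetical helper name. $Lines is the captured output of option 1.
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $stats = @{}
    $section = ''
    foreach ($raw in $Lines) {
        $line = ($raw -replace '^.*?INFO CONSOLE - ', '').Trim()
        if ($line -match '^\*+\s*(.*?)\s*\*+$') {      # "**** Section name ****" headers
            $section = $Matches[1]
            continue
        }
        if ($line -match '^(.+?):\s*(.*)$') {           # "Counter name: value" rows
            $stats["$section|$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }

    function Get-StatCounter([string]$Key) {
        $v = $stats[$Key]
        if ($v -match '^\d+$') { return [int]$v }
        return -1                                      # counter not present in the output
    }

    $dataOk    = Get-StatCounter 'Connectivity to Server - DATA path|# of successful connects'
    $dataFail  = Get-StatCounter 'Connectivity to Server - DATA path|# of failed connects'
    $ctrlOk    = Get-StatCounter 'Connectivity to Server - CONTROL path|# of successful connects'
    $ctrlFail  = Get-StatCounter 'Connectivity to Server - CONTROL path|# of failed connects'
    $serverVerified = $stats['Authentication and Certificates|Validate server certificate'] -eq 'true'
    $clientCert     = $stats['Authentication and Certificates|Client certificate enabled'] -eq 'true'

    $findings = @()
    if ($dataOk -le 0) {
        $findings += "DATA path has no successful connects (failed: $dataFail); check that DATA_PORT matches the PTA data port."
    }
    if ($ctrlOk -le 0) {
        $findings += "CONTROL path has no successful connects (failed: $ctrlFail); check that CONTROL_PORT matches the PTA management port."
    }
    if (-not $serverVerified) {
        $findings += "Agent does not validate the PTA server certificate; see 'Enable Server verification post PTA Windows Agent installation'."
    }
    if (-not $clientCert) {
        $findings += "Client certificate authentication is disabled; see 'Enable Client verification post PTA Windows Agent installation'."
    }

    [pscustomobject]@{
        AgentVersion         = $stats['|Version']
        DataPathConnected    = ($dataOk -gt 0)
        ControlPathConnected = ($ctrlOk -gt 0)
        ServerCertValidated  = $serverVerified
        ClientCertEnabled    = $clientCert
        ClientCertSubject    = $stats['Authentication and Certificates|Client certificate subject name']
        Findings             = $findings
    }
}

# Constructed sample (abridged): the control path never connected and server
# certificate validation is off, so three findings are expected.
$sample = @'
INFO CONSOLE - *******************************************
INFO CONSOLE - ***************** START *******************
INFO CONSOLE - *******************************************
INFO CONSOLE - Current Date/Time: 04-07-2017T16:02:12
INFO CONSOLE - Version: 1.0.0.76
INFO CONSOLE - **** Connectivity to Server - DATA path ****
INFO CONSOLE - # of attempts to connect: 1
INFO CONSOLE - # of successful connects: 1
INFO CONSOLE - # of failed connects: 0
INFO CONSOLE - --------------------------------------
INFO CONSOLE - **** Connectivity to Server - CONTROL path ****
INFO CONSOLE - # of attempts to connect: 3
INFO CONSOLE - # of successful connects: 0
INFO CONSOLE - # of failed connects: 3
INFO CONSOLE - **** Authentication and Certificates ****
INFO CONSOLE - MAX of attempts to verify: 10
INFO CONSOLE - Validate server certificate: false
INFO CONSOLE - Client certificate enabled: false
INFO CONSOLE - Client certificate subject name: UNDEFINED
INFO CONSOLE - ***************** END ******************
'@
$result = Test-PtaAgentStatistics -Lines ($sample -split "`r?`n")
$result | Format-List
# Live use: save option 1's output to a file, then
#   Test-PtaAgentStatistics -Lines (Get-Content 'C:\temp\pta-agent-stats.txt')
```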

Enable Server verification post PTA Windows Agent installation


1. Log on to the Domain Controller.
2. Navigate to the installation folder located at: c:\program files\Cyberark\PTA Agent\.
3. Open the config.ini file.
4. Remove the Server_Verification_Required=false row.
5. Restart the CyberArk Privileged Threat Analytics Client Service service.
6. Repeat these steps on each domain controller where the PTA Windows Agent is
installed.

Note:
To disable Server verification, add the Server_Verification_Required=false row under
[DCInfo].

Enable Client verification post PTA Windows Agent installation


1. Log on to the PTA Server using the root user.
2. Edit the local systemparm.properties file using LOCALPARM.
3. Remove the enable_client_verification=false row.
4. Save the file using the :wq! command.
5. Restart the PTA Server application using the service appmgr restart command.
6. Log on to the Domain Controller.
7. Navigate to the installation folder located at: c:\program files\Cyberark\PTA Agent\.
8. Open the config.ini file.
9. Change Client_Certificate_Enabled to True.
10.Update the certificate subject name in the SubjectName= parameter.
11.Restart the CyberArk Privileged Threat Analytics Client Service service.
12.Repeat steps 6-11 on each domain controller where the PTA Windows Agent is
installed.

Change the PTA Windows Agent ports


The ports of the PTA Windows Agent on all the Domain Controllers and the PTA Server
must be aligned.

Change the ports on the PTA Server:


1. Log on to the PTA Server using the root user.
2. Edit the local systemparm.properties file using LOCALPARM.
3. Set the requested ports using the following parameters:
■ syslog_port_ssl_control_tcp=7514
■ syslog_port_ssl_data_tcp=6514

Change the ports on the Domain Controller:


1. Log on to the Domain Controller.
2. Navigate to the installation folder located at: c:\program files\Cyberark\PTA Agent\.
3. Open the config.ini file.
4. Set the requested ports using the following parameters:
■ SSL_Data_Port=6514
■ SSL_Control_Port=7514
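The three procedures above (server verification, client verification and port alignment) all touch the same two files. The following PowerShell is an added example, not part of the CyberArk guide: it checks the agent's config.ini against a copy of the server's systemparm.properties and reports any disagreement. Function names and the sample file contents are constructed, and placing the agent keys other than Server_Verification_Required under [DCInfo] is an assumption.

```powershell
# Added example, not part of the CyberArk guide. Key names are the ones this guide
# uses; the [DCInfo] placement of every agent key is an assumption.
function ConvertFrom-KeyValueText {
    # Hypothetical helper: "key=value" lines to a hashtable. INI section headers and
    # comment lines (# or ;) are skipped, so both file formats can be read with it.
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^[#;\[]') { continue }
        $i = $t.IndexOf('=')
        if ($i -gt 0) { $map[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim() }
    }
    return $map
}

function Test-PtaAgentServerAlignment {
    # Hypothetical helper: compares the port pair and the two verification settings.
    param(
        [Parameter(Mandatory = $true)][string[]]$AgentConfigLines,   # config.ini
        [Parameter(Mandatory = $true)][string[]]$ServerParamLines    # systemparm.properties
    )
    $agent  = ConvertFrom-KeyValueText -Lines $AgentConfigLines
    $server = ConvertFrom-KeyValueText -Lines $ServerParamLines
    $findings = @()

    # Ports: SSL_Data_Port must equal syslog_port_ssl_data_tcp, and
    # SSL_Control_Port must equal syslog_port_ssl_control_tcp.
    $dataAligned    = $agent['SSL_Data_Port']    -eq $server['syslog_port_ssl_data_tcp']
    $controlAligned = $agent['SSL_Control_Port'] -eq $server['syslog_port_ssl_control_tcp']
    if (-not $dataAligned) {
        $findings += "Data port mismatch: agent SSL_Data_Port=$($agent['SSL_Data_Port']), server syslog_port_ssl_data_tcp=$($server['syslog_port_ssl_data_tcp'])"
    }
    if (-not $controlAligned) {
        $findings += "Control port mismatch: agent SSL_Control_Port=$($agent['SSL_Control_Port']), server syslog_port_ssl_control_tcp=$($server['syslog_port_ssl_control_tcp'])"
    }

    # Server verification is on unless the Server_Verification_Required=false row exists.
    $serverVerification = -not ($agent['Server_Verification_Required'] -eq 'false')
    if (-not $serverVerification) {
        $findings += 'Server_Verification_Required=false is present: the agent does not validate the PTA server certificate.'
    }

    # Client verification: on the server it is on unless enable_client_verification=false
    # exists; on the agent it needs Client_Certificate_Enabled=True and a SubjectName.
    $serverWantsClientCert = -not ($server['enable_client_verification'] -eq 'false')
    $agentClientCert       = ($agent['Client_Certificate_Enabled'] -eq 'true')
    if ($serverWantsClientCert -and -not $agentClientCert) {
        $findings += 'Server expects client certificates but Client_Certificate_Enabled is not True on the agent.'
    }
    if ($agentClientCert -and -not $serverWantsClientCert) {
        $findings += 'Agent presents a client certificate but enable_client_verification=false on the server.'
    }
    if ($agentClientCert -and [string]::IsNullOrEmpty($agent['SubjectName'])) {
        $findings += 'Client_Certificate_Enabled=True but SubjectName is empty.'
    }

    [pscustomobject]@{
        DataPortAligned    = $dataAligned
        ControlPortAligned = $controlAligned
        ServerVerification = $serverVerification
        ClientVerification = ($serverWantsClientCert -and $agentClientCert)
        Findings           = $findings
    }
}

# Constructed sample content (not real files): the control port was changed on the
# server only, and server verification was left disabled on the agent.
$agentIni = @'
[DCInfo]
SSL_Data_Port=6514
SSL_Control_Port=7514
Server_Verification_Required=false
Client_Certificate_Enabled=True
SubjectName=DomainController.domain.com
'@
$serverParams = @'
# copied from the PTA server's local systemparm.properties
syslog_port_ssl_control_tcp=7515
syslog_port_ssl_data_tcp=6514
'@
$result = Test-PtaAgentServerAlignment -AgentConfigLines ($agentIni -split "`r?`n") -ServerParamLines ($serverParams -split "`r?`n")
$result | Format-List
# Live use: -AgentConfigLines (Get-Content 'C:\Program Files\CyberArk\PTA Agent\config.ini')
```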


Install PTA Network Sensors


The PTA Network Sensor is a software component that taps the network and collects
network traffic. The PTA Server connects to the PTA Network Sensors and runs DPI
(deep packet inspection) algorithms on top of the network traffic data feed to detect cyber
attacks, such as Golden Ticket.
A single PTA server can be configured with multiple PTA Network Sensors.
It is recommended to manage the PTA Network Sensor machine root user account with
the CyberArk Privileged Account Security (PAS) solution.

Note:
To install PTA without the Network Sensor, see Install PTA, page 6.

Step: Review PTA Network Sensor package
Reference: Review PTA Network Sensor Package, page 54

Step: Review PTA Network Sensor requirements
Reference: System Requirements for PTA Network Sensor, page 54

Step: Add privileges to the Domain User
Comments: Configure or allocate a privileged domain user that will be used for Golden
Ticket detection. (Mandatory for Golden Ticket detection)
Reference: Stage 1: Add Privileges to the Domain User, page 58

Step: Add the Domain user as an Account in the PVWA
Comments: In the PVWA, add this account and configure it to be managed automatically
by the CPM to store the privileged domain user in the Vault. (Mandatory for Golden
Ticket detection)
Reference: Stage 2: Add the Domain User as an Account, page 58

Step: Deploy and configure PTA Network Sensor
Comments: Deploy the Network Sensor, depending on the machine at your site; VM or
physical machine.
Reference: Stage 3: Deploy the PTA Network Sensor, page 59

Step: Verify the PTA Network Sensor deployment
Comments: Run a diagnostic tool to verify the PTA Network Sensor installation and
deployment. This step is optional.
Reference: (Optional) Verify PTA Network Sensor Deployment, page 69

Step: Install and configure PTA
Comments: Using the PTA wizard, install and configure PTA, including the Network Sensor.
Reference: Install PTA, page 6

Review PTA Network Sensor Package


You will receive the PTA Network Sensor package from your CyberArk support
representative. The package includes the following files:
■ Virtual Machine:
■ PTA-Network-Sensor-V5.1B12.mf
■ PTA-Network-Sensor-V5.1B12.ovf
■ PTA-Network-Sensor-V5.1B12-disk1.vmdk
■ Physical Machine:
■ agcls-5.1-12.tgz
■ ag-nms-inst.sh
■ Add ons:
■ ag_pkg_v49.tgz
■ ag_pkg_inst.sh

System Requirements for PTA Network Sensor


The PTA Network Sensor software can be installed on the following:

Hardware: Physical server
See Reference: Refer to one of the following requirements lists:
■ PTA Network Sensor: Physical Hardware Requirements: Standard Configuration
(Recommended), page 54
■ PTA Network Sensor: Physical Hardware Requirements: Lighter Configurations, page 55

Hardware: VM
Support: VMware ESXi version 5.5 and higher, hardware version 8 and higher.
See Reference: Refer to one of the following requirements lists:
■ PTA Network Sensor: VM Requirements: Standard Configuration (Recommended), page 56
■ PTA Network Sensor: VM Requirements: Lighter Configurations, page 57

PTA Network Sensor: Physical Hardware Requirements: Standard Configuration (Recommended)
PTA Network Sensor software requires the following:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.


Physical Hardware: Requirement

OS: CentOS 7.2 64-bit "minimal installation" build 1611
RAM: 8GB
CPU: 8 cores
Hard Disk Storage: 250GB (SSD is recommended).
Management NIC: A NIC with a static IP address.
Traffic Monitoring NIC: The physical or virtual network interface that listens to the
network traffic.
NICs: In order to optimize the PTA Network Sensor performance, it is recommended to
install an Intel NIC with one of the following chipsets:
■ 82540, 82545, 82546
■ 82571..82574, 82583, ICH8..ICH10, PCH..PCH2
■ 82575..82576, 82580, I210, I211, I350, I354, DH89xx
■ 82598..82599, X540, X550
■ X710, XL710

PTA Network Sensor: Physical Hardware Requirements: Lighter Configurations
In lighter environments, PTA Network Sensor software requires the following:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Physical Hardware: Requirement

OS: CentOS 7.2 64-bit "minimal installation" build 1611
RAM: 4GB
CPU: 4 cores
Hard Disk Storage: 80GB (SSD is recommended).
Management NIC: A NIC with a static IP address.
Traffic Monitoring NIC: The physical or virtual network interface that listens to the
network traffic.
NICs: In order to optimize the PTA Network Sensor performance, it is recommended to
install an Intel NIC with one of the following chipsets:
■ 82540, 82545, 82546
■ 82571..82574, 82583, ICH8..ICH10, PCH..PCH2
■ 82575..82576, 82580, I210, I211, I350, I354, DH89xx
■ 82598..82599, X540, X550
■ X710, XL710

PTA Network Sensor: VM Requirements: Standard Configuration (Recommended)
IMPORTANT: Only the below configurations are supported!
PTA Network Sensor software requires the following VM requirements:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Virtual Machine: Requirement

RAM: 8GB
CPU: 8 cores
Hard Disk Storage: 40GB (SSD is recommended).
VM:
■ Use the ESXi setup to define the PTA Network Sensor VM as High Priority.
■ Configure promiscuous mode or port mirroring on the ESXi server.
VM Network Driver: VMXNET3
NICs: Any NIC

Note:
It is recommended to run the PTA Network Sensor in the Standard recommended
configuration, in order to allow PTA to scale up to the expected network traffic load.


PTA Network Sensor: VM Requirements: Lighter Configurations


IMPORTANT: Only the below configurations are supported!
In lighter environments, PTA Network Sensor software requires the following VM
requirements:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Virtual Machine: Requirement

RAM: 4 GB
CPU: 4 cores
Hard Disk Storage: 40 GB (SSD is recommended).
VM:
■ Use the ESXi setup to define the PTA Network Sensor VM as High Priority.
■ Configure promiscuous mode or port mirroring on the ESXi server.
VM Network Driver: VMXNET3
NICs: Any NIC

Note:
It is recommended to run the PTA Network Sensor in the Standard recommended
configuration, in order to allow PTA to scale up to the expected network traffic load.


Integrate the PTA Network Sensor


Integrating the PTA Network Sensor comprises the following stages:
1. Stage 1: Add Privileges to the Domain User, page 58 to configure a privileged
domain user (for Golden Ticket detection only).
2. Stage 2: Add the Domain User as an Account, page 58 to store the privileged
domain user in the Vault (for Golden Ticket detection only).
3. Stage 3: Deploy the PTA Network Sensor, page 59, including configuration.
4. Configuring the PTA Network Sensor in the PTA installation wizard: Install PTA,
page 6.

Stage 1: Add Privileges to the Domain User


■ If you want to configure Golden Ticket detection, you must perform the following
steps.
■ If you do not want to configure Golden Ticket detection, proceed to Stage 3: Deploy
the PTA Network Sensor, page 59.
Before you install the PTA Network Sensor, you must configure or allocate a privileged
domain user that will be used for Golden Ticket detection.
Golden Ticket detection supports multiple domain coverage. You can use either:
■ The Enterprise Admin account, or
■ A privileged domain user defined in the Active Directory of each domain that the
PTA Network Sensors will monitor for Golden Ticket detection.

To Add Privileges to the Domain User:


1. In the Domain Controller Active Directory, set the domain user privileges in one of the
following ways:
■ Add the user as a member of the Domain Admins group, or
■ Grant the domain user the following replication permissions:
■ Replicating Directory Changes
■ Replicating Directory Changes All
■ Replicating Directory Changes In Filtered Set
2. Proceed to Stage 2: Add the Domain User as an Account, page 58.
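To confirm that the domain user received exactly the rights in step 1, and that no unexpected principal holds them, the following PowerShell (an added example, not part of the CyberArk guide) lists every identity allowed the three replication rights on the domain root and then checks one account. Function names and the CONTOSO\svc-pta account are constructed; it assumes the RSAT ActiveDirectory module and read access to the domain root's security descriptor.

```powershell
# Added example, not part of the CyberArk guide. Needs the ActiveDirectory module
# (RSAT) and an account that can read the domain root's security descriptor.
Import-Module ActiveDirectory

# Extended-right GUIDs of the three permissions listed in step 1.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$AllExtended = 'All extended rights (implies the three replication rights)'

function Get-ReplicationRightHolders {
    # Hypothetical helper name: one row per (identity, right) allowed on the domain root.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights     = $ace.ActiveDirectoryRights.ToString()
        $guid       = $ace.ObjectType.ToString()
        $isExtended = $rights -match 'ExtendedRight'
        if ($isExtended -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $ReplicationRights[$guid] }
        } elseif ($rights -match 'GenericAll' -or ($isExtended -and $guid -eq [guid]::Empty.ToString())) {
            # GenericAll, or ExtendedRight with an empty object type, grants every
            # extended right, so the holder has all three replication permissions.
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $AllExtended }
        }
    }
}

function Test-PtaDomainUserReplicationRights {
    # Hypothetical helper: which of the three rights are granted to $Identity directly.
    # Rights obtained through group membership (Domain Admins, the guide's other option)
    # appear under the group's name here; review the account's groups separately.
    param([Parameter(Mandatory = $true)][string]$Identity)
    $held = @(Get-ReplicationRightHolders | Where-Object { $_.Identity -eq $Identity } | ForEach-Object { $_.Right })
    $all  = $held -contains $AllExtended
    foreach ($right in $ReplicationRights.Values) {
        [pscustomobject]@{ Identity = $Identity; Right = $right; Granted = ($all -or ($held -contains $right)) }
    }
}

# Review every holder first, then confirm the PTA account (constructed name) has the rights.
Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
Test-PtaDomainUserReplicationRights -Identity 'CONTOSO\svc-pta' | Format-Table -AutoSize
```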

Stage 2: Add the Domain User as an Account


■ If you have Golden Ticket detection, you must perform the following steps.
■ If you do not have Golden Ticket detection, proceed to Stage 3: Deploy the PTA
Network Sensor, page 59.

To Add the Domain User as an Account:


1. In the PVWA, add the Domain User account and configure it to be managed
automatically by the CPM.


Note:
The account can be configured in the PVWA, or any other method. For further
information, see the Privileged Account Security Implementation Guide.

2. Write down the Safe and Account names as you will need them when configuring
Golden Ticket detection in the PTA installation ([Step 14/18 – Golden Ticket detection
configuration], page 27 in the PTA wizard).
3. Continue to Stage 3: Deploy the PTA Network Sensor, page 59.

Stage 3: Deploy the PTA Network Sensor


Install the PTA Network Sensor on a virtual or a physical machine:
■ Virtual Machine: Deploy and Configure the PTA Network Sensor, page 59
■ Physical Machine: Install the PTA Network Sensor, page 61
Virtual Machine: Deploy and Configure the PTA Network Sensor
This section describes how to configure a PTA Network Sensor image using the ESXi
console.
Before You Begin:
■ Make sure you install VMWare Tools on the virtual machine.

To Configure a PTA Network Sensor Image using the ESXi Console:


1. From the PTA installation package access the following files:
■ PTA-Network-Sensor-V5.1B12.mf.
■ PTA-Network-Sensor-V5.1B12.ovf
■ PTA-Network-Sensor-V5.1B12-disk1.vmdk
2. Import the PTA Network sensor image: PTA-Network-Sensor-V5.1B12.ovf
3. Log on to the PTA Network Sensor machine using the default admin username and
password:
■ Username: admin
■ Password: DiamondAdmin123!

Note:
The PTA Network Sensor machine is hardened for security reasons. As such, you can
only log on to it using the admin user.

4. You are prompted to set a new password for the admin user.
5. Change the user to root by using the following command: su -
Enter the same password: DiamondAdmin123!
6. You are prompted to set a new password for the root user.
7. Navigate to the directory: /opt/ag/bin
8. Run the command ./ns_setup.sh.
a. Select and enter the management interface name: ens192
b. Enter the Static IP.
c. Enter the NetmaskIP.
d. Enter the GatewayIP.
e. Leave the default MTU settings as 1500.
f. Enter y to approve the modified changes.
g. Press y to update the Firewall SSH IP with the new IP. The Firewall rules are
saved.
h. Press Enter. You do not need to enter user credentials.
i. Press Enter. You do not need to modify the hostname.
j. Configure NTP servers and the Time zone.

Note:
The NTP server used with the PTA Network Sensor server must be the same server
used with the PTA server.

9. Reboot the PTA Network Sensor machine.


10. After the machine reboots, log in again and escalate to root user.
11. To validate the network configuration, run the command: ifconfig
You will see two network cards:
■ The first one is used for management purposes.
■ The second one is used for listening to the network traffic. This network card
should be defined when configuring promiscuous mode or port mirroring in the
ESXi server level.
The PTA Network Sensor installation and configuration on the Virtual machine is
complete.
12. (For lighter PTA Network Sensor configurations only): To run the PTA Network
Sensor for lighter configurations (see PTA Network Sensor: VM Requirements: Lighter
Configurations, page 57), you must configure the virtual machine using the following
additional steps. No further configuration is required in the Network Sensor.
a. Verify that the Virtual Machine is off and shut down.
b. In the ESXi main window, right-click the relevant virtual machine and select Edit
Settings. The Virtual Machine Properties window opens.

c. Click the Hardware tab, then make the following changes:

Change    To
Memory    4GB
CPU       4 cores

d. Click OK to save your settings.


Physical Machine: Install the PTA Network Sensor
For successful PTA Network Sensor installation on a physical machine, perform these
procedures in the following order:

Reference to Procedure: Procedure A: Installing Linux CentOS, page 62

Reference to Procedure: Procedure B: Installing the PTA Network Sensor Add-ons, page 62
Comment: The PTA Network Sensor software requires additional packages to be installed
on the machine. This procedure must only be performed once.

Reference to Procedure: Procedure C: Hardening the PTA Network Sensor Machine, page 65
Comment: This step removes unnecessary software and limits the access to the PTA
Network Sensor.

Reference to Procedure: Procedure D: Installing the PTA Network Sensor Software, page 67

Note:
The installation steps can be performed on a VM as well. However, it is highly
recommended to use the PTA Network Sensor virtual appliance for VM.


Use the following guidelines:


■ No Internet access is required.
■ In some steps, the installation wizard checks for the required packages. If some
packages are missing, it will ask for permission to install the missing package.
■ If the installation step ends successfully, proceed to next step; otherwise run the
installation wizard again, or contact CyberArk technical support.
■ On completion of the PTA Network Sensor installation, a reboot of the PTA Network
Sensor machine is required.
Procedure A: Installing Linux CentOS
Use the following procedure to install Linux CentOS on the physical machine.

To Install Linux CentOS:


1. Log on to the PTA Network Sensor machine and install CentOS 7.2 64-bit or higher
with the following requirements:
■ Minimal installation
■ Build 1611 (http://archive.kernel.org/centos-vault/7.3.1611/isos/x86_64/CentOS-7-x86_64-Minimal-1611.iso)
2. During the installation, you will be required to enter a password for root user.
3. Configure the following:
■ Time Zone and NTP.

Note:
The NTP server used with the PTA Network Sensor server must be the same server
used with the PTA server.

■ Management Port – A static IP address is required. It is recommended to set the
first interface with the Mgmt IP, and the second interface for listening to the
network traffic.

Note:
Do not install additional software on this device that is not related to the PTA Network
Sensor.

Procedure B: Installing the PTA Network Sensor Add-ons


Use the following procedure to install PTA Network Sensor Add-ons, on the physical
machine.

To Install the PTA Network Sensor Add-ons:


1. From the PTA installation package that you received from your CyberArk
representative, access the following files:
■ ag_pkg_v49.tgz
■ ag_pkg_inst.sh
2. Log on to the PTA Network Sensor machine as root user, and enter the password
which you entered during the CentOS installation, in Procedure A: Installing Linux
CentOS, page 62.


3. Copy the package files to the machine using the SCP utility.
4. In the command line, change the directory to the path where the add-on files were
saved.
5. To verify that the installation add-on scripts can be executed, run the following
command:
chmod +x *.sh

6. Execute the installation add-on scripts by running the following command:


./ag_pkg_inst.sh

7. Follow the steps that appear in the installation wizard, and when prompted, press y to
verify that all the tasks were done and completed successfully.
When the verification is complete, the message Done Successfully appears.
See the following example:
[root@localhost ag_pkg_v<#>]# ./ag_pkg_inst.sh
Installing ./ag_pkg_v<#>.tgz, Please wait...
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.

Do you accept all terms of the Usage Agreement (y/n)?


If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept
this agreement.

yStarting, please wait...


Welcome to automatic installation procedure. Ver.<#>
Executing procedure number: 1 - Packages
================================================================
Running Verification Tasks for 'Packages'...
Executing task: './tasks/Packages/task001.sh ' - Verifying
'ROOT' login... [ OK ]
Executing task: './tasks/Packages/task002.sh ' - Verifying Linux
version, expecting 'Centos 7 64 bit'... [ OK ]
Executing task: './tasks/Packages/task003.sh ' - Verifying Local
Repository... [ FAIL ]
Executing task: './tasks/Packages/task004.sh ' - Verifying OS
updates... [ FAIL ]
Executing task: './tasks/Packages/task005.sh ' - Verifying
SELINUX Disabled ... [ FAIL ]
Executing task: './tasks/Packages/task007.sh ' - Verifying NTP
Configuration... [ FAIL ]
Executing task: './tasks/Packages/task009.sh ' - Verifying
Apache... [ FAIL ]
Executing task: './tasks/Packages/task010.sh ' - Verifying
MySQL... [ FAIL ]
Executing task: './tasks/Packages/task011.sh ' - Verifying
PHP... [ FAIL ]
Executing task: './tasks/Packages/task012.sh ' - Verifying
phpMyAdmin... [ FAIL ]
Executing task: './tasks/Packages/task013.sh ' - Verifying
Log4Cxx... [ FAIL ]
Executing task: './tasks/Packages/task014.sh ' - Verifying
/home/AG_TLV... [ FAIL ]
Executing task: './tasks/Packages/task020.sh ' - Verifying
pciutils package... [ FAIL ]
Executing task: './tasks/Packages/task021.sh ' - Verifying
internal NIC IP & MTU... [ FAIL ]
Executing task: './tasks/Packages/task022.sh ' - Verifying
crontab... [ OK ]
Executing task: './tasks/Packages/task023.sh ' - Verifying
'admin' user... [ FAIL ]
Executing task: './tasks/Packages/task025.sh ' - Verifying
incron... [ FAIL ]
Executing task: './tasks/Packages/task026.sh ' - Verifying
shadow file is readable... [ FAIL ]
Executing task: './tasks/Packages/task027.sh ' - Verifying
'broker' user... [ FAIL ]
Executing task: './tasks/Packages/task028.sh ' - Verifying
Shellshock security issue... [ OK ]
Executing task: './tasks/Packages/task029.sh ' - Check Prelink
... [ FAIL ]
Executing task: './tasks/Packages/task031.sh ' - Verifying net-
tools... [ FAIL ]
Executing task: './tasks/Packages/task032.sh ' - Disable "You
have mail..." message... [ FAIL ]
Executing task: './tasks/Packages/task033.sh ' - Verifying
openssh clients... [ OK ]
Executing task: './tasks/Packages/task034.sh ' - Verfying
/home/ag... [ FAIL ]
Executing task: './tasks/Packages/task037.sh ' - Verifying
rsync... [ FAIL ]
Executing task: './tasks/Packages/task038.sh ' - Verifying vim-
common... [ FAIL ]
Executing task: './tasks/Packages/task039.sh ' - Verifying
tmpwatch... [ FAIL ]
Executing task: './tasks/Packages/task040.sh ' - Verifying DPDK
environment... [ FAIL ]
Executing task: './tasks/Packages/task041.sh ' - Verifying UI
Images... [ FAIL ]

- Tasks report -------------------------------------------------------------------
- 1. Successful tasks: 5
- 2. Failed tasks with ABORT code: 0
- 3. Failed tasks that can be fixed automatically: 24
- 4. Failed tasks that can't be fixed automatically: 0
- 5. Skipped tasks: 0
- 7. Fixed tasks: 0
- 8. Warning tasks: 0
- 9. Other tasks: 0
-----------------------------------------------------------------------------------

Would you like to fix issues ('y' key = Yes / Other key = No) ?
y

Fixing issue with task '003'... Please wait... Done


Fixing issue with task '007'... Please wait... Done
Fixing issue with task '009'... Please wait... Done

Procedure C: Hardening the PTA Network Sensor Machine


Use the following procedure to harden the PTA Network Sensor physical machine.

To Harden the PTA Network Sensor Machine:


1. Execute the installation hardening scripts by running the following command:
./ag_pkg_inst.sh security

2. Follow the hardening installation wizard, and when prompted, press y to verify that all
the tasks were done and completed successfully.
a. When the verification is complete, the message Done Successfully appears.
b. See the below example:
[root@localhost ag_pkg_v<#>]# ./ag_pkg_inst.sh security
Installing ./ag_pkg_v<#>.tgz, Please wait...
CyberArk Privileged Threat Analytics may include certain third party components. Their licenses and acknowledgments are listed in the About window in CyberArk's Privileged Thread Analytics dashboard.
Do you accept all terms of the Usage Agreement (y/n)?
If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept this agreement.
y
Starting, please wait...
Welcome to automatic installation procedure. Ver.<#>
Executing procedure number: 2 - Security
================================================================
Running Verification Tasks for 'Security'...
Executing task: './tasks/Security/task000.sh ' - Verify 'ROOT' login                                   [ OK ]
Executing task: './tasks/Security/task001.sh ' - Verifying Network Interfaces...                       [ OK ]
Executing task: './tasks/Security/task003.sh ' - Verifying Linux version, expecting 'Centos 7.0 64 bit'... [ OK ]
Executing task: './tasks/Security/task004.sh ' - Verifying IPTables configuration ...                  [ FAIL ]
Executing task: './tasks/Security/task005.sh ' - Verifying no dhclient...                              [ FAIL ]
Executing task: './tasks/Security/task006.sh ' - Verifying Shellshock security issue...                [ OK ]
Executing task: './tasks/Security/task008.sh ' - Verifying users...                                    [ OK ]
Executing task: './tasks/Security/task009.sh ' - Verifying no direct 'root' via SSH...                 [ FAIL ]
Executing task: './tasks/Security/task010.sh ' - Verifying SSH protocol 2 only...                      [ FAIL ]
Executing task: './tasks/Security/task011.sh ' - Verifying SELINUX Enabled ...                         [ OK ]
Executing task: './tasks/Security/task013.sh ' - Disable IPv6...                                       [ FAIL ]
Executing task: './tasks/Security/task015.sh ' - Disable master smtp...                                [ OK ]
Executing task: './tasks/Security/task016.sh ' - Verifying 'grub' password protected...                [ FAIL ]
Executing task: './tasks/Security/task017.sh ' - Disable USBs interfaces...                            [ FAIL ]
Executing task: './tasks/Security/task019.sh ' - Disable swap...                                       [ OK ]
Executing task: './tasks/Security/task020.sh ' - Verifying NTP Configuration...                        [ OK ]
Executing task: './tasks/Security/task021.sh ' - Verifying HTTP Daemon 'ServerName'...                 [ FAIL ]
Executing task: './tasks/Security/task023.sh ' - Verifying PHP (expose_php)...                         [ FAIL ]
Executing task: './tasks/Security/task024.sh ' - Check only SSH/NTP/ICMP server listen to mgmt. port... [ FAIL ]
Executing task: './tasks/Security/task029.sh ' - Check secured mariaDB...                              [ FAIL ]
Executing task: './tasks/Security/task031.sh ' - Verifying no telnet...                                [ OK ]
Executing task: './tasks/Security/task032.sh ' - Verifying no TFTP client...                           [ OK ]
Executing task: './tasks/Security/task033.sh ' - Verifying no TCP dump...                              [ OK ]
Executing task: './tasks/Security/task035.sh ' - Verifying no Ser2Net...                               [ OK ]
Executing task: './tasks/Security/task036.sh ' - Verifying no FTP...                                   [ OK ]
Executing task: './tasks/Security/task037.sh ' - Verifying no sshpass...                               [ OK ]
Executing task: './tasks/Security/task038.sh ' - Verifying no wget.                                    [ OK ]
Executing task: './tasks/Security/task039.sh ' - Verifying no PCI utils...                             [ OK ]
Executing task: './tasks/Security/task040.sh ' - Disable Ctrl+Alt+Del reboot function...               [ FAIL ]
Executing task: './tasks/Security/task042.sh ' - Verify zeroconf & IPv6...                             [ FAIL ]
Executing task: './tasks/Security/task043.sh ' - Verifying chmod 700 ...                               [ OK ]
Executing task: './tasks/Security/task044.sh ' - Check uncommon protocols...                           [ FAIL ]
Executing task: './tasks/Security/task045.sh ' - Verify no audit deamon...                             [ FAIL ]
Executing task: './tasks/Security/task046.sh ' - Verify disabled core dumps...                         [ FAIL ]
Executing task: './tasks/Security/task047.sh ' - Verifying SSH disabled host base authentication and .rhosts... [ FAIL ]
Executing task: './tasks/Security/task049.sh ' - Verifying sftp...                                     [ FAIL ]
Executing task: './tasks/Security/task050.sh ' - Verifying no internet connectivity (Ping 'google.com')... [ OK ]
- Tasks report -----------------------------------------------
- 1. Successful tasks: 19
- 2. Failed tasks with ABORT code: 0
- 3. Failed tasks that can be fixed automatically: 18
- 4. Failed tasks that can't be fixed automatically: 0
- 5. Skipped tasks: 0
- 7. Fixed tasks: 0
- 8. Warning tasks: 0
- 9. Other tasks: 0
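The Security tasks above (no direct 'root' via SSH, SSH protocol 2 only, host-based authentication and .rhosts disabled, only SSH/NTP listening on the management port) are checked and fixed by ag_pkg_inst.sh on the sensor itself. The following is an added example, not part of the CyberArk package, of how to re-check a few of those settings offline from copies of a sensor's sshd_config and of its `ss -lntu` listing, for instance when auditing several sensors from one host. The function names, the two sample sshd_config files and the ss listing are constructed for the example; it assumes the standard sshd_config keyword syntax (first occurrence of a keyword wins) and the column layout of `ss -lntu`.

```shell
#!/bin/sh
# Added example, not part of the CyberArk guide or of the ag_pkg_inst.sh
# Security tasks: an offline checker for a few of the settings those tasks
# verify. It reads an sshd_config and an `ss -lntu` listing given as files,
# so it can be run on copies pulled from a sensor; all inputs below are constructed.

# sshd_effective FILE KEY: value of the first uncommented KEY line, lower-cased.
# sshd uses the first occurrence of a keyword, so a hardened line placed
# below an earlier weak one is silently ignored.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# expect_directive FILE KEY WANTED LABEL: task-style result line; returns 1 on mismatch.
# An absent directive is a failure: sshd defaults differ between releases, so
# the hardening expects each value to be set explicitly.
expect_directive() {
    v=$(sshd_effective "$1" "$2")
    if [ "$v" = "$3" ]; then
        printf '%-52s [ OK ]\n' "$4"
        return 0
    fi
    printf '%-52s [ FAIL ] (%s=%s, want %s)\n' "$4" "$2" "${v:-unset}" "$3"
    return 1
}

# check_sshd_hardening FILE: run the SSH checks; returns the number of failures.
check_sshd_hardening() {
    n=0
    expect_directive "$1" PermitRootLogin no "Verifying no direct 'root' via SSH..." || n=$((n + 1))
    expect_directive "$1" Protocol 2 "Verifying SSH protocol 2 only..." || n=$((n + 1))
    expect_directive "$1" HostbasedAuthentication no "Verifying SSH host based authentication disabled..." || n=$((n + 1))
    expect_directive "$1" IgnoreRhosts yes "Verifying .rhosts ignored..." || n=$((n + 1))
    return $n
}

# check_listeners FILE: FILE holds `ss -lntu` output. Only sshd (22/tcp) and
# ntpd (123/udp) may listen; anything else is reported. Returns the count.
check_listeners() {
    awk '
        $1 == "Netid" { next }                      # column header
        { n = split($5, a, ":"); port = a[n] }      # handles 0.0.0.0:22, *:22 and [::]:22
        ($1 == "tcp" && port == "22") || ($1 == "udp" && port == "123") { next }
        { printf "unexpected listener: %s %s\n", $1, $5; bad++ }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples (not taken from a real sensor).
TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.weak"; HARD_CFG="$TMP/sshd_config.hard"; SS_OUT="$TMP/ss.txt"
cat > "$WEAK_CFG" <<'EOF'
# root login allowed; the hardened line further down is ignored by sshd
PermitRootLogin yes
HostbasedAuthentication yes
IgnoreRhosts yes
PermitRootLogin no
EOF
cat > "$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
HostbasedAuthentication no
IgnoreRhosts yes
EOF
cat > "$SS_OUT" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80         0.0.0.0:3306      0.0.0.0:*
EOF

echo "== weak sshd_config =="; check_sshd_hardening "$WEAK_CFG" || echo "failures: $?"
echo "== hardened sshd_config =="; check_sshd_hardening "$HARD_CFG" || echo "failures: $?"
echo "== listeners =="; check_listeners "$SS_OUT" || echo "unexpected listeners: $?"
```

The weak sample fails three of the four SSH checks even though it contains a `PermitRootLogin no` line, because sshd honours the first occurrence; the 3306/tcp listener in the ss sample is the kind of finding task024 ("only SSH/NTP/ICMP server listen to mgmt. port") reports.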

Procedure D: Installing the PTA Network Sensor Software


Use the following procedure to install the PTA Network Sensor on the physical machine.

To Install the PTA Network Sensor Software:


1. Make sure you have the following files:
■ agcls-5.1-12.tgz
■ ag-nms-inst.sh
2. Write down the names of the NICs that will be allocated to tap the network traffic (for
example, eth1, eth2). You will need to provide these names during the installation.

Note:
To access the NIC names, use the command ip a.

3. Log on to the PTA Network Sensor device as admin, using the default password admin123.
Change this default password once the sensor installation is complete.
4. Change the user to root by using the following command: su –
5. Enter the root password. This is the root password you entered in Procedure B:
Installing the PTA Network Sensor Add-ons, page 62.
6. Download the installation files into the device using the SCP utility.
7. In the command line, change the directory to the path where the add-on files were
saved.
8. Make the installation script executable by running the following command:
chmod +x *.sh
9. Execute the installation script by running the command: ./ag-nms-inst.sh
10. Follow the steps that appear in the installation wizard. See the PTA Network Sensor installation wizard example below.
11. When the installation wizard ends successfully, reboot the PTA Network Sensor machine.
The PTA Network Sensor installation and configuration on the physical machine is complete. See the PTA Network Sensor installation wizard example:
[root@localhost B<#>]# ./ag-nms-inst.sh
CyberArk Privileged Threat Analytics may include certain third party components. Their licenses and acknowledgments are listed in the About window in CyberArk's Privileged Thread Analytics dashboard.
Do you accept all terms of the Usage Agreement (y/n)?
If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept this agreement.
y
Installing AG-NMS[Management] Version <#> Build <#>
Please enter PTA Network Sensor's interfaces (lo|eno16780032|eno33559296): eno33559296
................................................................
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
y
Rebooting system.


(Optional) Verify PTA Network Sensor Deployment


After you have installed and configured PTA Network Sensor, you can run a diagnostic
tool to verify the installation/upgrade and deployment.
You can also use this tool for troubleshooting the PTA Network Sensor installation.
If you need to modify some of these properties, see the PTA Implementation Guide.
Before Running this Tool:
Make sure you wait a few moments after the PTA Network Sensor installation, to
ensure that the diagnostic tool gathers and assesses the most up to date criteria.

To Verify PTA Network Sensor Installation and Deployment:


1. On the PTA Network Sensor machine, navigate to: /opt/ag/bin/
2. Run the following command: ./ns_diag.sh
The diagnostic tool gathers the relevant data and requirements, and displays a status next to each item in the list. For example:
- PTA Network Sensor hardening:[ OK ]

3. Review each line of the output and, where necessary, perform the suggested action.
Make sure there are no ERROR statuses.
Example of the diagnostic tool script:
[root@localhost ~]# /opt/ag/bin/ns_diag.sh

Self diagnostic tool. Ver. <Latest version>
----------------------------------------------------------------
Current time:                       Sun Jul 17 19:10:00 IDT 2016
- PTA Network Sensor IP:            inet <PTA Network Sensor IP>/16 brd 10.10.255.255 scope global eno16780032 #
- PTA Network Sensor uptime:        19:10:00 up 7 min,  1 user,  load average: 4.94, 3.43, 1.57
- PTA Network Sensor version:       [ OK ] (Version <#> Build <#>)
- PTA Network Sensor interfaces:    eno33559296
- PTA Network Sensor hardening:     [ OK ]
- Iptables SSH configuration:       [ OK ]
- PTA Network Sensor mgmt. port:    [ SKIP, Due to firewall rules ]
- # of CPU (At least 8 cores):      [ ERROR, Please make sure at least 8 cores are available. 4 cores should be used only for low performance environments. ]
- Free memory (At least 8 GB):      [ OK ]
- Free HDD (Utilization < 80%):     [ OK ]
- Check files integrity:            [ OK ]
- PTA Network Sensor is up:         [ OK ]
- PTA Network Sensor is active:     [ OK ]
- Aggregator is up and active:      [ OK ] (Uptime: 272 sec)
- PTA IP:                           [ Not Connected ]
- Last PTA connection:              [ None ]
- 'broker' user credentials:        [ DEFAULT ]
----------------------------------------------------------------
- NIC receives network traffic:     [ OK ]
- Network Kerberos connections:     [ OK ]
- Generation of Kerberos records:   [ OK ]
- Last Kerberos event file:         [ CHECK ] Jul 17 19:07 DR1_EVENTS.Kerberos_927_20160717160700_20160717160730.csv
- Last DCE-RPC event file:          [ CHECK ] Jul 17 19:00 DR1_EVENTS.DCE-RPC_937_20160717160030_20160717160100.csv
----------------------------------------------------------------
- Gathering domain controllers statistics, please wait...
-
- List of Domain Controllers (DC) & Statistics:
[ DC: <DC IP 1>, First Timestamp UTC: 2016-07-11 16:23:25, Last Timestamp UTC: 2016-07-17 16:12:49, # AS: 5, # RENEW: 0, # TGS: 87, # ERROR: 900, Total: 992 ]
[ DC: <DC IP 2>, First Timestamp UTC: 2016-07-11 09:04:49, Last Timestamp UTC: 2016-07-16 15:14:54, # AS: 9, # RENEW: 0, # TGS: 86, # ERROR: 249, Total: 344 ]
[ DC: <DC IP 3>, First Timestamp UTC: 2016-07-06 09:31:34, Last Timestamp UTC: 2016-07-17 16:43:55, # AS: 224, # RENEW: 0, # TGS: 685, # ERROR: 613, Total: 1522 ]

- Number of events/jsons in last minute: 3
--------------------------------------------------------

[root@localhost ~]#
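When several sensors are deployed, the ns_diag.sh transcripts are easier to review if the statuses are extracted mechanically rather than read line by line. The following is an added example, not part of the CyberArk tooling, that parses a transcript in the layout shown above, joins statuses that wrap onto a following line (as the CPU line does), counts them per status, and returns non-zero if any check is in ERROR. It also lists CHECK items and a 'broker' user still on DEFAULT credentials as findings to follow up; treating DEFAULT as a finding is this example's choice, not something the guide prescribes. The function names are hypothetical and the transcript values are constructed.

```shell
#!/bin/sh
# Added example, not part of the CyberArk guide or of ns_diag.sh itself:
# summarise an ns_diag.sh transcript. A check line starts with "- " and
# carries a "[ STATUS ... ]" field; a status whose closing "]" is on a later
# line is joined before parsing.

# diag_statuses FILE: print "STATUS<TAB>check name" for each check line.
diag_statuses() {
    awk '
        { line = (pending != "") ? pending " " $0 : $0 }
        # opening bracket without its closing one: wait for the next line
        index(line, "[") > 0 && index(line, "]") == 0 { pending = line; next }
        { pending = "" }
        line ~ /^- / && match(line, /\[[[:space:]]*[^],]+/) {
            status = substr(line, RSTART + 1, RLENGTH - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", status)
            name = line
            sub(/^- /, "", name); sub(/:.*$/, "", name)
            print status "\t" name
        }
    ' "$1"
}

# diag_count FILE STATUS: number of checks that reported STATUS.
diag_count() {
    diag_statuses "$1" | awk -F '\t' -v s="$2" '$1 == s { c++ } END { print c + 0 }'
}

# diag_summary FILE: list findings and return 1 if any check is in ERROR.
# CHECK items and DEFAULT credentials are listed as follow-ups (example's choice).
diag_summary() {
    diag_statuses "$1" | awk -F '\t' '
        { n[$1]++ }
        $1 == "ERROR" || $1 == "CHECK" || $1 == "DEFAULT" { print $1 ": " $2 }
        END {
            printf "OK=%d SKIP=%d CHECK=%d ERROR=%d\n", n["OK"], n["SKIP"], n["CHECK"], n["ERROR"]
            exit (n["ERROR"] > 0) ? 1 : 0
        }'
}

# Constructed transcript: the layout follows the guide's ns_diag.sh example, the values are made up.
DIAG_SAMPLE=$(mktemp)
cat > "$DIAG_SAMPLE" <<'EOF'
Self diagnostic tool. Ver. 3.95
- PTA Network Sensor IP:            inet 10.10.1.5/16 brd 10.10.255.255 scope global eno16780032
- PTA Network Sensor version:       [ OK ] (Version 3.95 Build 1)
- PTA Network Sensor hardening:     [ OK ]
- Iptables SSH configuration:       [ OK ]
- PTA Network Sensor mgmt. port:    [ SKIP, Due to firewall
rules ]
- # of CPU (At least 8 cores):      [ ERROR, Please make sure
at least 8 cores are available. 4 cores should be used only for
low performance environments. ]
- Free memory (At least 8 GB):      [ OK ]
- PTA IP:                           [ Not Connected ]
- 'broker' user credentials:        [ DEFAULT ]
- NIC receives network traffic:     [ OK ]
- Last Kerberos event file:         [ CHECK ] Jul 17 19:07
DR1_EVENTS.Kerberos_927_20160717160700_20160717160730.csv
- List of Domain Controllers (DC) & Statistics:
[ DC: 10.10.2.1, First Timestamp UTC: 2016-07-11 16:23:25,
# AS: 5, # RENEW: 0, # TGS: 87, # ERROR: 900, Total: 992 ]
EOF

diag_summary "$DIAG_SAMPLE" || echo "exit status: $? (ERROR present)"
```

Run against a directory of saved transcripts, `diag_summary` gives one line of counts per sensor and a non-zero exit for any sensor that still has an ERROR, which is the condition step 3 above asks you to clear before going on. The DC statistics block is deliberately skipped because its "# ERROR" counter is a Kerberos error count, not a check status.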


Network Sensor and PTA Windows Agent Post Installation
After PTA is already installed, add any one, or all, of the following to your PTA system:
■ Network Sensor coverage
■ PTA Windows Agent initial connection configuration
■ Golden Ticket detection functionality
■ Additional domains for Golden Ticket detection functionality

Note:
To add Golden Ticket functionality, the Vault user and Network Sensors or PTA Windows
Agents must be configured.
If the Vault user is already configured, or if Network Sensors and PTA Windows Agents are
already configured, specify n in the first question of the relevant steps, then specify y to add
Golden Ticket detection functionality.

To add Network Sensor coverage or a PTA Windows Agent connection without Golden Ticket detection, go to Add PTA Network Sensor Coverage or a PTA Windows Agent connection, page 72.
To add Network Sensor coverage or a PTA Windows Agent connection with Golden Ticket detection, go to Add PTA Network Sensor Coverage or a PTA Windows Agent connection with Golden Ticket Detection, page 73.


Add PTA Network Sensor Coverage or a PTA Windows Agent connection
After PTA is already installed, add any one, or all, of the following to your PTA system:
■ Network Sensor coverage
■ PTA Windows Agent initial connection configuration
You do this by running the networkSensorConfiguration.sh file.

Caution:
To configure additional Network Sensors, a PTA Windows Agent connection, or
both with Golden Ticket detection, do NOT perform the below procedure! Instead,
follow the procedure Add PTA Network Sensor Coverage or a PTA Windows Agent
connection with Golden Ticket Detection , page 73.

To Add PTA Network Sensors, a PTA Windows Agent connection, or both:


1. Log on to the PTA Server using the root user.
2. Navigate to the utility folder using the UTILITYDIR command.
3. At the command line, run the following command:
networkSensorConfiguration.sh

A message appears informing you that configuring additional PTA Network Sensors, a PTA Windows Agent connection, or both on the PTA Server is optional.
[Step 1/1 - Network sensor connection and PTA agent configuration]
This step is optional. Would you like to configure it (y/n)?: y

4. Specify y to enable PTA Network Sensor connectivity, a PTA Windows Agent connection, or both on the PTA Server.
5. If you specified y, the following appears.
The PTA Server can be configured to collect network traffic with agents installed on your DCs or with Network Sensor machines, or with both.
Will your implementation include PTA agents? (y/n)

6. Specify y to configure the PTA Windows Agent connection. The following appears.
The Server configuration for PTA agents was configured successfully. After completing the PTA Server installation, you must install the PTA agents.

7. The following appears.
Will your implementation include PTA network Sensor machines? (y/n)

If you specified y, the following message appears.
Configure the connection to the PTA Network Sensors:
The PTA Server must be configured with each PTA Network Sensor that was installed.
Press [y] to configure a PTA Network Sensor. Press [n] to skip this step: n

8. Specify y to enable PTA Network Sensor connectivity on the PTA Server.
You are prompted to specify the IP of each machine on which a PTA Network Sensor was installed:
IP:

9. Enter the IP, then press Enter. The following message is displayed:
The PTA Network Sensor was configured successfully
Press [y] to configure a PTA Network Sensor. Press [n] to skip this step [y]:

10. If you have more than one Network Sensor, press y and specify the IP of each machine on which a PTA Network Sensor was installed.
11. When you have specified all the PTA Network Sensors, press n, then press Enter to exit the Network Sensor configuration.

Verify the configuration
Run the PTA diagnostic tool using the RUN_DIAGNOSTICS command to verify that PTA works properly with the new configuration.

Add PTA Network Sensor Coverage or a PTA Windows Agent connection with Golden Ticket Detection
After PTA is already installed, add any one, or all, of the following to your PTA system:
■ Network Sensor coverage
■ PTA Windows Agent initial connection configuration
■ Golden Ticket detection functionality
■ Additional domains for Golden Ticket detection functionality

Note:
To add Golden Ticket functionality, the Vault user and Network Sensors or PTA Windows
Agents must be configured.
If the Vault user is already configured, or if Network Sensors and PTA Windows Agents are
already configured, specify n in the first question of the relevant steps, then specify y to add
Golden Ticket detection functionality.

Caution:
To add only Network Sensor coverage, a PTA Windows Agent connection, or both without Golden Ticket detection, do not perform the below procedure! Instead, follow the procedure Add PTA Network Sensor Coverage or a PTA Windows Agent connection, page 72.

To Add PTA Network Sensor Coverage, a PTA Windows Agent connection, or both, and Golden Ticket Detection Functionality:
1. Navigate to the utility folder using the UTILITYDIR command.
2. At the command line, run the following command:
goldenTicketConfiguration.sh

The Vault connection configuration begins.
[Step 1/3 - Vault connection configuration]
This step is optional. Would you like to configure it (y/n)? [y]:
Establish connectivity between PTA and the Vault to authorize the Vault as a source host. This is a prerequisite for:
Forwarding data from the Vault
Retrieving Vault reports
Configuring Golden Ticket detection
Configure the Vault connection to authorize the Vault as a source host. Do this if you
need to define one of the following:
■ Forwarding data from the Vault
■ Retrieving Vault reports
■ Configuring Golden Ticket detection
3. To configure the Vault connection, specify y. A message appears requesting that
you specify the Vault server’s IP and port number.
Specify the Vault server's IP address and port number.
IP: 10.10.10.10
Port [1858]:

a. Specify the Vault server’s IP address.

Note:
When PTA is configured with a Vault that is deployed in a distributed environment,
configure the IP for the primary Vault in the Vault Connection Configuration step.

b. Accept the default port 1858, or specify the Vault server's port number, then press Enter.
A message appears asking if you want to define the Vault server's DR.
Would you like to configure Vault DR (y/n)? n

4. To configure the Vault DR, specify y, then enter the address of the DR Vault server (separate multiple DR Vault servers with commas) and press Enter.
5. To skip this step, specify n. A message appears requesting you to define the Vault username and password.
Specify Vault username and password.
This user must have administrator permissions, and it will be used to update the environment required for the PTA in the Vault server.
Username [Administrator]:
Password:
Retype password:

This user must have administrator permissions as this user will be used to update the environment required for PTA in the Vault server.
a. Specify the Vault Administrator Username.
b. Specify the Vault Administrator Password, and retype the Password then press
Enter. The following message appears.
Creating PTA Vault User.
PTA Vault User created successfully.

You are requested to specify the Vault time zone.


Specify your vault time zone (example: America/Chicago). For
a full time zone list, specify 'help'.

Time zone [Perth]:

c. Specify the Vault time zone. For a list of available time zones, specify help. See
also Time Zones, page 128.
d. Press Enter. A message appears informing that the Vault configuration
completed successfully.
Vault configuration finished successfully.

A message appears asking if you want to configure additional PTA Network Sensors, a PTA Windows Agent connection, or both on the PTA Server.
[Step 2/3 - Network sensor and PTA agent connection configuration]
This step is optional. Would you like to configure it (y/n)?: y

6. This step is optional. Specify y to enable PTA Network Sensor connectivity, a


PTA Windows Agent connection, or both on the PTA Server.
7. Or, specify n to skip this step.
8. If you specified y, the following appears.
The PTA Server can be configured to collect network traffic with
agents installed on your DCs or with Network Sensor machines, or
with both.
Will your implementation include PTA agents? (y/n)

9. Specify y to configure the PTA Windows Agent connection. The following appears.
The Server configuration for PTA agents was configured successfully. After completing the PTA Server installation, you must install the PTA agents.

10. The following appears.
Will your implementation include PTA network Sensor machines? (y/n)

11. If you specified y, the following message appears.
Configure the connection to the PTA Network Sensors:
The PTA Server must be configured with each PTA Network Sensor that was installed.
Press [y] to configure a PTA Network Sensor. Press [n] to skip this step: n

12. Specify y to enable PTA Network Sensor connectivity on the PTA Server.
You are prompted to specify the IP of each machine on which a PTA Network Sensor was installed:
Please specify the IP of the machine on which the network sensor was installed:
IP:
a. Enter the IP, then press Enter; the following message is displayed:
PTA Network Sensor was configured successfully
Press [y] to configure additional PTA Network Sensors or [n] to continue with the next step.

b. If you have more than one Network Sensor, press y and specify the IP of each machine on which a PTA Network Sensor was installed.
c. When you have specified all the PTA Network Sensors, press n, then press Enter.
The Golden Ticket detection configuration step appears.
[Step 3/3 - Golden Ticket detection configuration]
This step is optional. Would you like to configure it (y/n)?: y

13. This step is optional. Specify y to configure Golden Ticket detection.
14. Or, specify n to skip this step.
If you specified y, the following message appears.
Specify Vault username and password.
This user must have administrator permissions, and it will be used to update the environment required for the PTA in the Vault server.
Username [Administrator]:
Password:
Retype password:

15. Specify the Username and Password of a Vault user with Administrator permissions.
This user is used to update the environment required for PTA in the Vault server.


16.Retype the Password, then press Enter. The following message appears.
Creating PTA App Vault User.
PTA App Vault User created successfully.

You are now requested to define a domain to monitor for Golden Ticket detection.
PTA can monitor either a domain and its sub-domains, or a single domain.
Specify the domain name to monitor:
Domain name:
Would you like to monitor the domain and its sub-domains? (y/n)?

After specifying the domain name to monitor, specify whether to also monitor its sub-domains.
Enter y to monitor the domain name and its sub-domains.
Or, enter n to monitor only the specified domain name.
If you entered y, you must specify the relevant Enterprise Admin account path and its domain name.
Specify the relevant Enterprise Admin account path (Safe name, Folder path, File name) and its' domain name.
Or, specify a path to an account which has Replicate permissions in the monitored domain and its sub-domains.
The Enterprise Admin account will only be used for the monitored domains.
Safe name:
Folder path:[Root]
File name:
Account Domain name:

If you entered n, you must specify the IP of one of the Domain Controllers and the relevant Domain Admin account.
To do this, define a user in Active Directory with the following privileges:
■ Replicating Directory Changes
■ Replicating Directory Changes All
■ Replicating Directory Changes In Filtered Set
Specify one of the Domain Controllers IP's and relevant Domain Admin account path (Safe name, Folder path, File name).
Or, specify a path for an account with Replicate permissions required for this domain.
Domain Controller IP:
Safe name:
Folder path:[Root]
File name:

Note:
An account holding these replication rights can replicate the directory's secrets, including the password hashes of every domain account (the same rights abused by DCSync-style attacks). Keep it in the Vault only, and do not reuse it for any other purpose.
17.Define the domain to monitor for the Golden Ticket detection.


After configuring the domain to monitor and one of its Domain Controller IPs, one of the following messages is displayed:
■ If the safe was already configured with this user, the following message is displayed:
PTA App Vault user ownership on the mentioned safe was already defined.

■ If the safe was not already configured with a user, you are requested to specify a Vault user who has owner permissions on the mentioned safe.
Specify Vault username and password.
This user must have owner permissions on the mentioned safe.
This user will be used to manage the PTA App Vault user ownership on the safe.
Username:
Password:
Retype password:

PTA App Vault user successfully received permission to the safe.

Enter the username and password of the Vault user who has owner permissions on the mentioned safe.
After completing this step, you are asked whether you want to specify an additional domain.
Would you like to monitor an additional domain (y/n)?: n

Enter y to specify an additional domain to monitor, and repeat this entire step for each domain that you need to monitor.
Or, enter n to continue directly to the next step.
After completing this step, the following confirmation is displayed, and the installation proceeds to the next step.
Golden Ticket detection configuration finished successfully.

18. The utility exits and the system restarts. The following is displayed:
Exiting utility.
[  OK  ]
System restart complete.
[root@PTAServer ~]#

Verify the configuration


Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.


Upgrade PTA
Upgrade is supported from version 3.0 and higher. Use the below workflow:

Step: Review PTA system requirements
Comments: The minimum requirements for installing the PTA image on a VM machine include 16 GB RAM memory. If you currently have 8 GB RAM memory, you must increase the RAM memory to 16 GB.
Reference: System Requirements for PTA, page 7

Step: Review PTA upgrade package
Reference: Review PTA Upgrade Package, page 80

Step: Upgrade to PTA v3.0 (mandatory if you are upgrading from below version 3.0)
Comments: If you are upgrading from below PTA v3.0, you must first upgrade to PTA v3.0.
Reference: Upgrade to PTA Version 3.0, page 81

Step: Upgrade to PTA version 3.5 (mandatory if you are upgrading from below version 3.5)
Comments: Use this procedure to upgrade from version 3.0 and higher.
Reference: Upgrade to PTA Version 3.5, page 83

Step: Install PTA version 3.6 on a new machine
Comments: Install PTA version 3.6 with CentOS 7 on a new machine before migrating your existing data.
Reference: Import the PTA Disk Image, page 12

Step: Migrate to CentOS 7
Comments: Migrate your data to CentOS 7.
Reference: Migrate to CentOS 7 - PTA Version 3.6, page 85

Step: Upgrade to the current version of PTA
Comments: Once you have migrated to PTA version 3.6, upgrade to the current version of PTA.
Note: If you are upgrading from below PTA v3.95, the upgrade will take longer due to database structure changes.
Reference: Upgrade to PTA Version 3.95, page 89

Step: Add PTAApp Vault User
Comments: To send PTA alerts to the Vault, add the PTAApp Vault user.
Reference: Post Upgrade Configuration, page 91

Step: Upgrade PTA Windows Agents
Comments: Use this procedure to upgrade PTA Windows Agents.
Reference: Upgrade PTA Windows Agents, page 92

Step: Upgrade PTA Network Sensors (mandatory for Network Sensors)
Comments: Use this procedure to upgrade the PTA Network Sensors in your environment.
Reference: Upgrade PTA Network Sensor Software, page 95

Verify the configuration


Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.

Review PTA Upgrade Package


You will receive the PTA upgrade package from your CyberArk support representative.
The package includes the following files:
■ pta_upgrade.sh
■ pta_upgrade-3.95.0.tgz
■ PTA.xsl
If you are upgrading from below PTA version 3.0, you will also receive the following
updated files:
■ upgrade_releases.tar.gz
■ upgradeManager.sh
■ PTA.xsl
If you are upgrading from below PTA version 3.5, you will also receive the following
updated files:
■ pta_upgrade.sh
■ pta_upgrade-3.5.0.tgz
■ PTA.xsl


Upgrade to PTA Version 3.0


Use the following procedure to upgrade your PTA to version 3.0.
After upgrading to PTA version 3.0, continue to Upgrade to PTA Version 3.5, page 83.

To Upgrade PTA to Version 3.0:


1. Save a snapshot of the PTA image.

Note:
Do not snapshot the virtual machine's memory.

2. On the PTA system console, log in as the root user using the password you specified
for the root user during installation.
3. Using WinSCP or a similar tool, copy the following files from the CyberArk PTA
upgrade package to the /tmp directory of the PTA machine:
■ upgradeManager.sh.
■ upgrade_releases.tar.gz
4. Change the upgradeManager.sh file permissions by running the following
command:
chmod 700 /tmp/upgradeManager.sh

5. At a command line, in the /tmp folder, run the following command:
./upgradeManager.sh

The PTA starts the upgrade process and displays output according to the PTA version currently installed at your site.
PTA installs each PTA version in increments, until it finally installs the version to which you are upgrading.
****************************************************************
CyberArk Privileged Threat Analytics may include certain third party components.
Their licenses and acknowledgments are listed in the About window in CyberArk's Privileged Threat Analytics dashboard.
****************************************************************
Checking current version...
The current PTA version is <version currently being installed>
## Stopping application services...
## Application services were successfully stopped
************* completed 1/1  <PTA version installed> *************
## Starting application services...
## Application services started successfully.
If any error messages appear, open the log, search for the version number at which the error occurred, and resolve the issue.

Note:
When upgrading to version 2.6.4, the upgrade process issues the following message
which you can ignore.
cp : cannot stat '/opt/ag/conf/*': No such file or directory

6. The PTA upgrade process is now finished and the following confirmation is
displayed:
## Upgrade process finished successfully.

7. If the PTA upgrade process does not complete successfully, revert the PTA machine using the snapshot that was saved in Step 1, then:
a. At the command line, in the /opt/tomcat/utility/ folder, run the vaultConfiguration.sh command to reconfigure the Vault connection.

Note:
This step is not needed when the reversion procedure occurs on the same day as the upgrade process.

b. If PTA is installed with Golden Ticket Detection configured, run the goldenTicketConfiguration.sh command to reactivate the PTAApp Vault user.

Note:
This step is not needed when the reversion procedure occurs on the same day as the upgrade process.

c. Run the service appmgr restart command to restart PTA.


8. If your site will use PTA Network Sensors, you must integrate the PTA Network
Sensors now. See Integrate the PTA Network Sensor, page 58.
9. Copy the PTA.xsl file from the CyberArk PTA upgrade folder, to the Syslog
subdirectory of the Vault installation folder. By default, the subdirectory is:
C:\Program Files (x86)\PrivateArk\Server\Syslog.
10.Continue with Upgrade to PTA Version 3.5, page 83.


Upgrade to PTA Version 3.5

Use the following procedure to upgrade PTA from version 3.0 or later.

To Upgrade PTA:
1. Save a snapshot of the PTA image.
2. On the PTA system console, log in as the root user using the password you
specified for the root user during installation.
3. Using WinSCP or a similar tool, copy the following files from the CyberArk PTA
upgrade package to the /tmp directory of the PTA machine:
■ pta_upgrade.sh
■ pta_upgrade-3.5.0.tgz
4. Change the pta_upgrade.sh file permissions by running the following command:
chmod 700 /tmp/pta_upgrade.sh

5. At a command line, in the /tmp folder, run the following command:
./pta_upgrade.sh

PTA starts the upgrade process and displays output according to the PTA version
currently installed at your site.
Welcome to Privileged Threat Analytics version 3.5 upgrade tool.
Upgrade is supported from version 3.0 and above.

Taking a snapshot before performing an upgrade is highly
recommended.
Do you want to continue? [Y/N]

Verifying login as 'ROOT' user...                         [ OK ]
Verifying Linux OS version, expecting 'Centos 6 64-bit'...[ OK ]
Verifying HDD free space...                               [ OK ]
Verifying PTA version, expecting version 3.0…             [ OK ]
Stopping PTA AppMgr service...                           [ OK ]
Verifying JAVA version...                                [ OK ]
Verifying Mongo DB version...                             [ OK ]
Verifying Tomcat version...                               [ OK ]
Verifying ActiveMQ version...                             [ OK ]
Verifying Monit version...                               [ OK ]
Verifying PTA Users...                                  [ OK ]
Upgrading PTA components...                             [ OK ]
Applying PTA files and directories permissions…          [ OK ]
Upgrading configuration files...                         [ OK ]
Starting PTA AppMgr service...                           [ OK ]

6. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.
7. The PTA upgrade process is now complete and the following confirmation is
displayed:


## Upgrade process finished successfully.

8. If the PTA upgrade process does not complete successfully, revert the PTA machine
using the snapshot that was saved in Step 1.
a. At the command line, in the /opt/tomcat/utility/ folder, run the
vaultConfiguration.sh command to reconfigure the Vault connection.

Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.

b. If PTA is installed with Network Sensors, revert the Network Sensors using the
snapshot that was saved in Step 1.
c. If PTA is installed with Golden Ticket Detection configured, run the
goldenTicketConfiguration.sh command to reactivate the PTAApp Vault user.

Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.

d. Run the service appmgr restart command to restart PTA.
e. If PTA is installed with Network Sensors, run the diagnostic tool to verify that the
Network Sensors were properly reverted. See (Optional) Verify PTA Network
Sensor Deployment, page 69.


Migrate to CentOS 7 - PTA Version 3.6


Use the following procedure to migrate your data to CentOS 7, from PTA version 3.5.

Note:
You must install PTA v3.6 with CentOS 7 on a separate machine.
The migration script runs in the background. The script can run for up to a few hours. Refer to the
migration log (/tmp/migrate_centos6_to_centos7.log) for details on the progress of the script.
Important messages are also written to the screen.

To migrate to CentOS 7:
1. Save a snapshot of the PTA image with CentOS 7 on the new PTA machine.
2. At a command line, in the /opt/tomcat/utility/ folder, run the following command:
./migrate_centos6_to_centos7.sh

The migration script begins. The script can run for up to a few hours.
Before running the migration, save a snapshot of the PTA image
on the new (CentOS 7) PTA machine.
While the migration script runs in the background, the existing 
(CentOS 6) PTA machine will be down and you will not receive any
data.
After the migration process ends successfully, all PTA data will
be contained on the new PTA machine, with PTA version 3.6.

3. Provide the details of the existing (CentOS 6) PTA machine.

Note:
The existing (CentOS 6) PTA machine must have version 3.5 of PTA installed. If the
script cannot connect to the existing (CentOS 6) PTA machine after three attempts,
contact your administrator.

Provide the details of the existing (CentOS 6) PTA machine.
Enter the existing PTA machine IP:
Enter the existing PTA machine root user password:

4. The migration script opens SSH port 22 on the new PTA machine to migrate the data
from the existing (CentOS 6) PTA machine.
Opening port 22 on the new (CentOS 7) PTA machine for SSH
communication with the existing (CentOS 6) PTA machine.

5. The migration script stops the PTA Server on the existing PTA machine.
The PTA Server will be stopped on the existing PTA machine
(<IP>) - Press Enter to continue.
Shutting down application:
Starting utility, please wait....
Attempting to stop process monit...
Action completed successfully!
Attempting to stop process ptaservicesd...
Action completed successfully!
Attempting to stop process ptalistenerd...
Action completed successfully!
Attempting to stop process ptasamplerd...
Action completed successfully!
Attempting to stop process ptadcaserverd...
Action completed successfully!
Attempting to stop process ptabschedulerd...
Action completed successfully!
Attempting to stop process ptastatisticsd...
Action completed successfully!
Attempting to stop process tomcat...
Action completed successfully!
Attempting to stop process ptacasosservicesd...
Action completed successfully!
PTA firewall configuration finished successfully.
Attempting to stop process loggersocket...
Action completed successfully!
Attempting to stop process activemq...
Action completed successfully!
Attempting to stop process mongod...
Action completed successfully!
All services were successfully stopped.

6. If there is no NTP server configuration on the existing PTA machine, the following
prompt appears.

Note:
If there is an NTP server configuration on the existing PTA machine, the migration script
copies the NTP server configuration to the new PTA machine.

Would you like to provide the time synchronization details (y/n)?

7. If you entered y, the following prompt appears.

Note:
If you entered n, the migration script copies the date and time from the existing
PTA machine to the new PTA machine.

Specify your time zone (example: America/Chicago). For a full
time zone list, specify ‘help’.
Time zone:

a. Enter the time zone, then press Enter. The date and time prompt appears.
Specify current date and time in 24h format “MM/DD/YYYY
hh:mm” (example: 11/21/2013 16:20):


b. Enter the current date and time using the format included in the prompt, then
press Enter. The following prompt appears, enabling you to synchronize the time
zone you are setting with your NTP server.
Do you want to synchronize with NTP server (y/n)? [n]

c. If you specified y, the NTP server IP prompt appears:
Specify the NTP server IP:

d. Enter the IP address of the NTP server, then press Enter.
The date and time zone are now configured, the following confirmation is
displayed, and the migration proceeds to the next step.
Date and time zone configuration finished successfully

8. The migration process begins.
The migration script is running in the background. Refer to the
migration log (/tmp/migrate_centos6_to_centos7.log) for details
on the progress of the script.
Start migrating data...
Copying the configuration files...
Copying the PTA logs...
Copying the database files...

9. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.

Note:
If the data migration process does not complete successfully, revert the new PTA
machine using the snapshot that was saved in Step 1 and rerun the migration script.

10. The data migration process is now complete and the following confirmation is
displayed:
Data migration completed successfully.

11. The existing (CentOS 6) PTA machine is shut down and the PTA Server is started on
the new (CentOS 7) PTA machine.
a. If the IP of the existing PTA machine is configured as static, the migration script
shuts down the existing PTA machine, sets the new PTA machine with the
existing IP, and starts PTA on the new machine.
Changing machine IP...
Shutting down the existing (CentOS 6) PTA machine.
Restarting network service...If you are using a terminal,
connect to the new IP - 10.10.10.10 - where PTA 3.6 is up and
running.
Starting PTA service on the new (CentOS 7) machine...
The migration process completed successfully. PTA is up and
running.
Install VMWare Tools on the new (Centos 7) machine.

b. If the IP of the existing PTA machine is configured using DHCP, perform the
following:
The IP address of the existing (CentOS 6) PTA machine is
configured using DHCP. Perform the following:
1. Save the IP address for later reference.
2. Shut down the existing PTA machine.
3. Assign the saved IP address to the new (CentOS 7) PTA
machine in the DHCP server configuration. You might need your
IT team's assistance.
4. Start the PTA Server on the new (CentOS 7) machine.
5. Install VMWare Tools on the new (Centos 7) machine.


Upgrade to PTA Version 3.95

Use the following procedure to upgrade PTA from version 3.6 or later.

To Upgrade PTA:
1. Save a snapshot of the PTA image.
2. On the PTA system console, log in as the root user using the password you
specified for the root user during installation.
3. Using WinSCP or a similar tool, copy the following files from the CyberArk PTA
upgrade package to the /tmp directory of the PTA machine:
■ pta_upgrade.sh
■ pta_upgrade-3.95.0.tgz
4. Change the pta_upgrade.sh file permissions by running the following command:
chmod 700 /tmp/pta_upgrade.sh

5. At a command line, in the /tmp folder, run the following command:
./pta_upgrade.sh

PTA starts the upgrade process and displays output according to the PTA version
currently installed at your site.
Welcome to Privileged Threat Analytics version 3.95 upgrade
tool.
Upgrade is supported from version 3.6 and above.
CyberArk Privileged Threat Analytics may include certain third-
party components. Their licenses and acknowledgments are listed
in the About window in the CyberArk Privileged Threat Analytics
dashboard.

The upgrade process may take up to two hours.

Taking a snapshot before performing an upgrade is highly
recommended.
Do you want to continue? [Y/N]

Verifying that you are logged on as 'root' user...   [ OK ]
Verifying Linux OS version, expecting 'Centos 7 64 bit'...[ OK ]
Verifying Hard drive free space...                   [ OK ]
Verifying PTA version…                               [ OK ]
Stopping PTA AppMgr service...                       [ OK ]
Upgrading JAVA...                                    [ OK ]
Upgrading MongoDB...                                 [ OK ]
Upgrading Tomcat...                                  [ OK ]
Upgrading ActiveMQ...                                [ OK ]
Extracting repository...                             [ OK ]
Creating third-party repository...                   [ OK ]
Upgrading OS packages...                             [ OK ]
Hardening PTA server...                              [ OK ]
Configuring PTA users and groups...                  [ OK ]
Removing old PTA components...                       [ OK ]
Upgrading PTA components...                          [ OK ]
Handling MongoDB Purge...                            [ OK ]
Migrating Database...                                [ OK ]
Starting PTA AppMgr service...                       [ OK ]
Verifying PTA Network Sensors configuration...       [ OK ]

6. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.
7. The PTA upgrade process is now complete and the following confirmation is
displayed:
## Upgrade completed successfully. The log is available at:
/tmp/pta_upgrade.log
We recommend that you install VMware Tools on the PTA Server.

8. If the PTA upgrade process does not complete successfully, revert the PTA machine
using the snapshot that was saved in Step 1.
a. At the command line, in the /opt/tomcat/utility/ folder, run the
vaultConfiguration.sh command to reconfigure the Vault connection.

Note:
This step is not needed when the reversion procedure occurs on the same day as the
upgrade process.

b. If PTA is installed with Network Sensors, revert the Network Sensors using the
snapshot that was saved in Step 1.
c. Run the service appmgr restart command to restart PTA.
d. If PTA is installed with Network Sensors, run the diagnostic tool to verify that the
Network Sensors were properly reverted. See (Optional) Verify PTA Network
Sensor Deployment, page 69.
9. If your site has PTA Network Sensors, you must run the PTA Network Sensor
upgrade now. See Upgrade PTA Network Sensor Software, page 95.
10. Copy the PTA.xsl file from the CyberArk PTA upgrade folder, to the Syslog
subdirectory of the Vault installation folder. By default, the subdirectory is:
C:\Program Files (x86)\PrivateArk\Server\Syslog
11. Update the DBparm.ini file for new Vault codes. For details, see the
PTA Implementation Guide.
12. If you installed VMware Tools on the virtual machine, uninstall and reinstall
VMware Tools.
13. Restart PTA.


Post Upgrade Configuration

Send Alerts to Vault group membership


To send PTA alerts to the Vault, add the PTAApp Vault user to the Auditors group in the
Vault using an administrator user.

Update your Administrator Password in CyberArk Privileged Account Security
If you manage your PTA Dashboard Administrator password via CyberArk Privileged
Account Security, follow the instructions in the Manage your Password section in the
PTA Implementation Guide.

Update Vault Codes Sent to PTA


Ensure that the codes sent from the Vault to PTA are updated with the latest codes. The
current list of valid codes is:
7, 24, 31, 294, 295, 300, 302, 308, 359, 361, 372, 373, 411, 412, 427, 428, 436

Update Windows Event Codes Sent to PTA


Ensure that the Windows Event codes sent from your SIEM solution to PTA are updated
with the latest codes. The current list of valid codes is:
4624, 4723, 4724

Update the HP ArcSight filter file


If your SIEM solution uses HP ArcSight, upgrade to the new version of the dedicated
ArcSight_to_PTA_Filter.arb filter file.

Terminate Session group membership

To terminate a suspicious PSM session after upgrading PTA, you must add the PTA and
PTAApp Vault users to the PSMLiveSessionTerminators group in the Vault, using an
administrator user.


Upgrade PTA Windows Agents


To upgrade the PTA Windows Agents, you first run an installation script that creates a
CLI command for the silent PTA Windows Agent installation.
Run the Installation Script
1. From the directory containing the installation package, run the PTA Agent Script
Creator.exe file.
2. Enter your PTA IP Address.
Welcome to the CyberArk PTA Agent Silent Installer Script
Creator.
Enter your PTA IP Address (for example, 198.196.10.10):

3. Enter the PTA Management Port.
Enter the ports configured in PTA.
PTA Management Port (used for managing Agents) [7514]:

Note:
If you do not enter a value for the PTA Management Port, the default value of 7514 is
used.

4. Enter the PTA Data Port.
PTA Data Port (used for receiving Agent data) [6514]:

Note:
If you do not enter a value for the PTA Data Port, the default value of 6514 is used.

5. Set the trusted agent connection.
By default, the PTA server certificate is validated by the
agent, making the connection trusted. Do you want to keep the
trusted connection? Y/N

6. Set the client authentication configuration.
By default, the Agent connection to PTA is configured with
client authentication. Do you want to keep this configuration?
Y/N

If you select Y, enter the Client Certificates subject name.
Please enter the "subject name" of the client certificates
installed on your DCs or WEF server. You can use an asterisk as
a wildcard.
Client Certificates subject name:

7. Set the installation log location.
By default, the installation log is located in %temp%. Do you
want to change the location? Y/N

If you select Y, enter the installation log location.
Please enter the installation log path and file name (Example:
c:\install.log):

8. Set the MSI file location.
If the MSI path is found:
The MSI file was found in the following path:
Do you want to enter a different path? Y/N

If you select Y, enter the MSI path.
MSI Path and file name (Example: c:\Privileged Threat Analytics
Agent.msi):

If the MSI path is not found, enter the MSI path.
Please enter the MSI file path.
MSI Path and file name:

9. Determine whether the PTA Windows Agent analyzes Network data or Windows
events. The default selection is Network data.
The PTA Agent can analyze either Network data or Windows events.
By default, the PTA Agent analyzes Network data. Would you like
the PTA Agent to analyze Windows events instead? Y/N

If you select Y, the PTA Windows Agent analyzes Windows events. If you select N,
the PTA Windows Agent analyzes Network data.
10. The CLI command for installing the PTA Windows Agents is created. For your
convenience, a copy of the CLI command is created in the
PTAAgentInstallerOutput.txt file in the same location as the MSI file.
The CLI command for silent installation has been created
successfully. Run the following command as an Administrator to
install the Agents on your DCs or WEF server. This command can
also be found in the PTAAgentInstallerOutput.txt file in the
current directory.
"PrivilegedThreatAnalyticsAgent.msi" /qn /L*v "c:\Install.log"
DATA_ANALYSIS=Windows_Logs PTA_IP="198.196.10.10" DATA_PORT=6514
CONTROL_PORT=7514 TRUSTED=true CLIENT_AUTH=true
SUBJECT_NAME="DomainController.domain.com" DATA_ANALYSIS=Network_Tapping

Upgrade the PTA Windows Agent


1. Run the CLI command generated above, either locally on the Domain Controller or
on the Windows Event Forwarding server, or via your deployment tool. It must be run
as an Administrator. Wait about 30 seconds for the installation to complete.
2. Run the Services settings.
Services.msc

3. Verify that CyberArk PTA Agent Client Service is running.


Revert the upgrade of the PTA Windows Agents


To revert to the previous version of the PTA Windows Agent, unpack the data that was
backed up during the upgrade in the %PROGRAMDATA% folder, and copy it to
C:\Program Files\CyberArk\PTA Agent.


Upgrade PTA Network Sensor Software


Use the following procedures to upgrade the PTA Network Sensors in your environment.
Each Network Sensor machine that you upgrade is down for a few minutes.
This procedure detects and performs a centralized upgrade of all the PTA Network
Sensors that are installed and configured in your environment.
You must upgrade the PTA Network Sensor add-ons first, and then upgrade the
PTA Network Sensors. You can upgrade the PTA Network Sensors using self
installation, by running the standard installation wizard, or manually.

To Upgrade the PTA Network Sensor add-ons:
1. Connect to the PTA Network Sensor using WinSCP as admin user.
2. Upload the latest add-ons package to /tmp/addons/. The files are listed in Review
PTA Network Sensor Package, page 54.
3. Connect to the PTA Network Sensor using Putty as admin user.
4. Change the user to root by using the following command: su -
5. Install the latest third-party add-ons. For details, see Procedure B: Installing the PTA
Network Sensor Add-ons, page 62.

To Upgrade the PTA Network Sensor Application using self installation:

Note:
Self installation is supported from Network Sensor version 5.1 build 8 and above. For
earlier versions, use the To Upgrade the PTA Network Sensor Application by running the
standard installation wizard procedure or the To Manually Upgrade the PTA Network
Sensor Application procedure.

1. Connect to the PTA machine using Putty, and log in as root.
2. Change to the user agbroker by entering the following command: su agbroker.
3. Enter the following command: /opt/ag/bin/deviceMgmt.sh self_install
The PTA Network Sensor prepares the upgrade on the machine, and checks the
status of every PTA Network Sensor in the environment. When prompted, enter Y to
update the Network Sensors. Entering anything else will cancel the process.
Preparing 'Version 5.1 Build 12' installation...

Checking PTA Network Sensors status:

SSH access to device : Probe1(1) at 10.10.13.11 - Failed.
SSH access to device : Probe2(2) at 10.10.13.12 - Failed.
SSH access to device : 10(3) at 10.10.13.13 - Failed.
SSH access to device : Probe4(4) at 10.10.13.30 - Succeeded.
Version 5.1 Build 12. Software version already installed.
Skipping.
SSH access to device : Probe5(5) at 10.10.13.27 - Succeeded.
Version 5.1 Build 10. ==> PTA Network Sensor will be modified.
SSH access to device : Probe6(6) at 10.10.13.14 - Failed.
SSH access to device : Probe8(7) at 10.10.13.21 - Succeeded.
Version 5.1 Build 10. ==> PTA Network Sensor will be modified.
The following PTA Network Sensors will be modified:
--------------------------------------------------------
- Device ID: 5
- Device Name: Probe5
- Device IP: 10.10.13.27
- Device Comment:
========================================================
--------------------------------------------------------
- Device ID: 7
- Device Name: Probe8
- Device IP: 10.10.13.21
- Device Comment:
========================================================
################################################################
###########################################################
## WARNING: Please note that not all PTA Network Sensors will be
modified. It may cause synchronization issues with PTA. ##
################################################################
###########################################################
Are you sure you want to proceed (y/Any) ? y (if Any operation
is aborted)
Uploading installation files to : 10.10.13.27 - Done
Uploading installation files to : 10.10.13.21 - Done
Waiting 2 minutes for PTA Network Sensors to do internal
verification for a successful upgrade...
Checking Network Sensor 10.10.13.27 readiness for software
upgrade... Ready
Checking Network Sensor 10.10.13.21 readiness for software
upgrade... Ready
Starting installation at : 10.10.13.27 ...
Starting installation at : 10.10.13.21 ...
Waiting 5 minutes for PTA Network Sensors to finish software
installation...
Checking that PTA Network Sensor 10.10.13.27 was upgraded
successfully... Ready
Checking that PTA Network Sensor 10.10.13.21 was upgraded
successfully... Ready
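
The status section above is what the operator has to read before answering the proceed prompt. The following Python script, added here as an example and not part of the PTA package or of deviceMgmt.sh, parses that output into a per-sensor report and answers "do not proceed" whenever a sensor was unreachable, which is the situation the tool's synchronization warning refers to. The sample output is constructed from the lines shown above; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the status section printed by
# "/opt/ag/bin/deviceMgmt.sh self_install" in the procedure above.
SAMPLE_OUTPUT = """\
Preparing 'Version 5.1 Build 12' installation...

Checking PTA Network Sensors status:

SSH access to device : Probe1(1) at 10.10.13.11 - Failed.
SSH access to device : Probe2(2) at 10.10.13.12 - Failed.
SSH access to device : 10(3) at 10.10.13.13 - Failed.
SSH access to device : Probe4(4) at 10.10.13.30 - Succeeded.
Version 5.1 Build 12. Software version already installed.
Skipping.
SSH access to device : Probe5(5) at 10.10.13.27 - Succeeded.
Version 5.1 Build 10. ==> PTA Network Sensor will be modified.
SSH access to device : Probe6(6) at 10.10.13.14 - Failed.
SSH access to device : Probe8(7) at 10.10.13.21 - Succeeded.
Version 5.1 Build 10. ==> PTA Network Sensor will be modified.
"""

# One "SSH access" line per sensor; a "Version ..." line follows only when SSH succeeded.
ACCESS_RE = re.compile(
    r"^SSH access to device : (?P<name>.+?)\((?P<dev_id>\d+)\) at "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<result>Succeeded|Failed)\.$"
)
TARGET_RE = re.compile(r"^Preparing '(?P<version>[^']+)' installation")
VERSION_RE = re.compile(r"^(?P<version>Version [\d.]+ Build \d+)\.")


@dataclass
class Sensor:
    dev_id: int
    name: str
    ip: str
    ssh_ok: bool
    version: Optional[str] = None  # only reported when SSH succeeded
    will_modify: bool = False


@dataclass
class StatusReport:
    target: Optional[str] = None
    sensors: List[Sensor] = field(default_factory=list)

    def unreachable(self) -> List[Sensor]:
        return [s for s in self.sensors if not s.ssh_ok]

    def to_modify(self) -> List[Sensor]:
        return [s for s in self.sensors if s.will_modify]

    def already_current(self) -> List[Sensor]:
        return [s for s in self.sensors if s.ssh_ok and not s.will_modify]

    def safe_to_proceed(self) -> bool:
        # The tool warns that upgrading only some sensors may cause
        # synchronization issues with PTA, so answer "y" only when every
        # sensor was reachable and will end up on the target build.
        return bool(self.sensors) and not self.unreachable()


def parse_status(output: str) -> StatusReport:
    """Parse the self_install status output into a StatusReport."""
    report = StatusReport()
    current: Optional[Sensor] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            report.target = m.group("version")
            continue
        m = ACCESS_RE.match(line)
        if m:
            current = Sensor(int(m.group("dev_id")), m.group("name"),
                             m.group("ip"), m.group("result") == "Succeeded")
            report.sensors.append(current)
            continue
        m = VERSION_RE.match(line)
        if m and current is not None and current.ssh_ok:
            current.version = m.group("version")
            current.will_modify = "will be modified" in line
    return report


if __name__ == "__main__":
    rep = parse_status(SAMPLE_OUTPUT)
    print(f"target build: {rep.target}")
    for s in rep.unreachable():
        print(f"  unreachable: {s.name} ({s.ip}) - restore SSH access before upgrading")
    for s in rep.to_modify():
        print(f"  will modify: {s.name} ({s.ip}) from {s.version}")
    print("proceed" if rep.safe_to_proceed() else "abort: not all sensors reachable")
```

On the sample above the script lists Probe1, Probe2, 10 and Probe6 as unreachable and recommends aborting, so that the four sensors can be fixed and the self-installation re-run against the whole environment rather than leaving it split across two builds.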

To Upgrade the PTA Network Sensor Application by running the standard
installation wizard:
1. Connect to the PTA machine using Putty, and log in as root.
2. Change to the user agbroker by entering the following command: su agbroker.
3. Enter the following command:  /opt/ag/bin/deviceMgmt.sh install
4. By default, the Network Sensor installation files are located at /tmp/ns. If the files are
in a different location, enter their location:

Please enter the location of the PTA Network Sensor software
installation files [/tmp/ns/]:

The PTA Network Sensor prepares the upgrade on the machine, and checks the
status of every PTA Network Sensor in the environment.
Preparing '<Upgrade Version>' installation...

Checking PTA Network Sensors status:

SSH access to device  '<Device IP>'(<#Device ID>) at <#Device
ID> <Device IP>'... Succeeded. <Previous Version>.  ==> PTA
Network Sensor will be modified.

The following PTA Network Sensors will be modified:
--------------------------------------------------------
- Device ID: <#Device ID>
- Device Name: <Device Name>
- Device IP: <Device IP>
- Device Comment:

A list appears showing all the PTA Network Sensors that are installed, and you are
prompted to proceed.
Are you sure you want to proceed (y/Any) ? y

5. Press y to proceed and modify a PTA Network Sensor.
6. After you modify the PTA Network Sensor, you are informed that the PTA Network
Sensor machine will reboot, and you are prompted to repeat the modification for
each PTA Network Sensor in the environment. Press y for each Network Sensor.
Modifying PTA Network Sensor '<Device IP>'...
admin@<Device IP>'s password:
admin@<Device IP>'s password:
agcls-5.1-<Build#>.tgz               100%   17MB  17.1MB/s   00:01
ag-nms-inst.sh                       100%   20KB  20.3KB/s   00:00
admin@<Device IP>'s password:

7. After you have modified all the PTA Network Sensors, you are prompted to enter the
root user password.
Please Enter root@Password:

8. You are prompted to accept the Usage Agreement. Press y.
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.

Do you accept all terms of the Usage Agreement (y/n)?

The PTA Network Sensor upgrade proceeds.


9. When the installation is complete, you are prompted to reboot the PTA Network
Sensor machine. Press y to reboot the PTA Network Sensor machine.
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
Rebooting system.

An example of the full PTA Network Sensor upgrade script output appears below.

10. When the PTA Network Sensor machine has rebooted, run the diagnostic tool to
verify the PTA Network Sensor upgrade in your environment. See (Optional) Verify
PTA Network Sensor Deployment, page 69.
Example of the PTA Network Sensor upgrade script:
[root@PTAServer ~]#
[root@PTAServer ~]#
[root@PTAServer ~]# su agbroker
[agbroker@PTAServer root]$ /opt/ag/bin/deviceMgmt.sh install

Please enter the location of the PTA Network Sensor software
installation files: /opt/ag/<Latest Build Number>/

Preparing '<Upgrade Version>' installation...

Checking PTA Network Sensors status:

SSH access to device  '<Device IP>'(<#Device ID>) at <#Device
ID> <Device IP>'... Succeeded. <Previous Version>.  ==> PTA
Network Sensor will be modified.

The following PTA Network Sensors will be modified:
--------------------------------------------------------
- Device ID: <#Device ID>
- Device Name: <Device Name>
- Device IP: <Device IP>
- Device Comment:
========================================================

Are you sure you want to proceed (y/Any) ? y

Modifying PTA Network Sensor '<Device IP>'...
admin@<Device IP>'s password:
admin@<Device IP>'s password:
agcls-5.1-<Build#>.tgz            100%   17MB  17.1MB/s   00:01
ag-nms-inst.sh                    100%   20KB  20.3KB/s   00:00
admin@<Device IP>'s password:
Please Enter root@Password:
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.

Do you accept all terms of the Usage Agreement (y/n)?

If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept
this agreement.

................................................................
Installing AG-NMS[Management] Version <#> Build <#>
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
Rebooting system.

Write failed: Broken pipe

Finished installation version at IP '10.10.10.10', please wait
few minutes and run './deviceMgmt.sh diag' command
[agbroker@PTAServer root]$

To Manually Upgrade the PTA Network Sensor Application:


1. Using WinSCP, connect to the PTA Network Sensor using the admin user.
2. Upload the following PTA Network Sensor files to: /tmp/<Latest Build Number>
■ agcls-5.1-12.tgz
■ ag-nms-inst.sh
3. Connect using Putty, and log in as admin. You are requested to enter the admin
password.
4. Specify the admin Password.
admin@10.10.8.15's password:

5. Enter su - to switch to the root user, then enter the root user password.
[admin@localhost ~]$ su -
Password:

6. Navigate to the PTA Network Sensor installation folder:
/tmp/<Latest Build Number>
[root@localhost ~]# cd /tmp/<Latest Build Number>

7. For execute permissions, run the following command:
chmod +x *.sh

8. Enter the following command:
./ag-nms-inst.sh

The following message appears:
CyberArk Privileged Threat Analytics may include certain third
party components. Their licenses and acknowledgments are listed
in the About window in CyberArk's Privileged Thread Analytics
dashboard.
Do you accept all terms of the Usage Agreement (y/n)?
If you choose n, this installation wizard will close.
To install CyberArk Privileged Threat Analytics, you must accept
this agreement.

9. Specify y to accept the agreement, then press Enter.
The system upgrades the PTA Network Sensor.
................................................................
Installing AG-NMS[Management] Version <> Build <>

10. When the upgrade is complete, you are requested to reboot the machine. Specify y,
then press Enter.
Installation finished successfully. Please reboot the device.
Would you like to reboot now (y/n) [y]?
Rebooting system.

11. Repeat the entire procedure for each PTA Network Sensor at your site.


Appendices

This section contains the following appendices:

Configure System Properties
Configure Agent Properties
Time Zones
Manually Extend the PTA VM Disk Space
PTA Windows Agents Benchmark Report


Configure System Properties


The systemparm.properties file configures PTA. The default properties file is stored in
the /opt/tomcat/diamond-resources/default directory. This file contains all the
available properties with their default values, if they exist. This file cannot be edited.
The properties file that can be edited is stored in the /opt/tomcat/diamond-resources/local
directory.

To Change Default Property Values:


1. In the /opt/tomcat/diamond-resources/default directory, open the
systemparm.properties file.
2. Copy the relevant property parameter, then close the file.
3. In the /opt/tomcat/diamond-resources/local directory, open the
systemparm.properties file.
4. Paste the copied property parameter and specify its value.
5. Save the file and close it.
6. Run the service appmgr restart command to restart PTA.
The tables below list all the parameters of the systemparm.properties file, with a brief
explanation. You can copy any parameters you require when configuring the properties
file.

Note:
All parameters must be specified without spaces.

systemparm.properties
Section: Data Loading

date_format

Description Date format of the organization. For example, for US users the
format is MM/dd/yyyy.

Acceptable Values MM/dd/yyyy, dd/MM/yyyy

Default Value MM/dd/yyyy

vault_log_records_csv

Description The full pathname of the loglist.csv report generated by the ExportVaultData utility.

Acceptable Values Full pathname. For example, /tmp/loglist.csv.

Default Value None

pvwa_privileged_accounts_report_csv

Description The full pathname of the PVWA Inventory Report .csv file.

Acceptable Values Full pathname

Default Value None

Section: LDAP

ldap_connection_protocol

Description The protocol to use for the LDAP connection.

Acceptable Values Valid protocol

Default Value None

ldap_base

Description The LDAP base context.

Acceptable Values String

Default Value None

ldap_port

Description The port of the LDAP server.

Acceptable Values Number between 1024 and 65535

Default Value None

ldap_server

Description The IP of the LDAP server to integrate with.

Acceptable Values IP

Default Value None

ldap_domain

Description The name of the domain where the LDAP server resides.

Acceptable Values String

Default Value None

ldap_group_name

Description The name of the LDAP PTA group.

Acceptable Values String

Default Value PTA_GROUP

ldap_pre2000

Description The netbios (Pre2000) name of the domain.

Acceptable Values String

Default Value None

Section: Syslog

syslog_outbound

Description Outbound configuration that enables PTA to integrate with your SIEM.

Acceptable Values A list of the following information: {siem, format, host, port, protocol}
Acceptable values are:
■ siem – HP ArcSight, McAfee, QRadar, RSA, Splunk
■ format – CEF or LEEF
■ host - Host/IP
■ port – number
■ protocol - UDP

Default Value None

syslog_port_tcp

Description The port used for incoming syslog records sent from the Vault machine and Unix machines on the TCP port.

Acceptable Values Number between 1 and 65535. The number must represent an unused port.

Default Value 514

syslog_port_udp

Description The port used for incoming syslog records sent from the Vault machine and Unix machines on the UDP port.

Acceptable Values Number between 1 and 65535. The number must represent an unused port.

Default Value 514

vault_timezone

Description The timezone configured in the Vault.

Acceptable Values NA

Default Value The PTA machine timezone.

syslog_non_human_filter

Description List of non-human usernames whose syslog messages PTA will ignore.

Acceptable Values Vault users

Default Value passwordmanager,prov_,pvwaappuser,psmapp

syslog_port_ssl_data_tcp

Description The port used to receive syslog data in a secure channel.

Acceptable Values Number between 1 and 65535. The number must represent an unused port.

Default Value 6514

syslog_port_ssl_control_tcp

Description The port used to receive statistics data in a secure channel.

Acceptable Values Number between 1 and 65535. The number must represent an unused port.

Default Value 7514

send_pta_events_to_pas_enabled

Description Enable or disable the option to send PTA events to the Vault.

Acceptable Values true/false

Default Value true

Section: Syslog
Sub-section: Syslog

custom_vault_device_types

Description Device Types from PVWA that PTA monitors. The value is case sensitive.

Acceptable Values String

Default Value None

Section: Syslog
Sub-section: Syslog format legacy

syslog_format_regex_legacy

Description A regular expression that defines the legacy syslog format.

Acceptable Values Regular expression

Default Value (<\\d+>)?([\\d\\.]+)?\\s*([a-zA-Z]+\\s+\\d{1,2}\\s+\\d{1,2}:\\d{1,2}:\\d{1,2})\\s+([^\\s]+)\\s+(.*)

syslog_field_index_date_legacy

Description The index that corresponds to the date field defined in the syslog_format_regex_legacy property.

Acceptable Values Number greater than zero

Default Value 3

syslog_field_index_machine_legacy

Description The index that corresponds to the machine field defined in the syslog_format_regex_legacy property.

Acceptable Values Number greater than zero

Default Value 4

syslog_field_index_body_legacy

Description The index that corresponds to the body field defined in the syslog_format_regex_legacy property.

Acceptable Values Number greater than zero

Default Value 5

Section: Syslog
Sub-section: Syslog format 5424

syslog_format_regex_5424

Description A regular expression that defines the syslog format 5424 (the format specified in RFC 5424).

Acceptable Values Regular expression

Default Value <(\\d+)>([\\d\\.]+)\\s+(\\d{4}-\\d{2}-\\d{1,2}T\\d{1,2}:\\d{1,2}:\\d{1,2}Z)\\s+([^\\s]+)\\s+(.*)

syslog_field_index_date_5424

Description The index that corresponds to the date field defined in the syslog_format_regex_5424 property.

Acceptable Values Number greater than zero

Default Value 3

syslog_field_index_machine_5424

Description The index that corresponds to the machine field defined in the syslog_format_regex_5424 property.

Acceptable Values Number greater than zero

Default Value 4

syslog_field_index_body_5424

Description The index that corresponds to the body field defined in the syslog_format_regex_5424 property.

Acceptable Values Number greater than zero

Default Value 5

Section: Syslog
Sub-section: Audit creator for vault retrieve password

audit_creator_body_regex_vault_retrieve_password

Description A regular expression that defines the data format in a syslog string that the audit creator detects.

Acceptable Values Regular expression

Default Value \\s*\\|\\s*([^\\s\\|]+)\\s*\\|\\s*([^\\|]*)\\s*\\|\\s*(Retrieve password|Use Password)\\s*\\|\\s*([^\\s\\|]*)\\s*\\|\\s*([^\\s\\|]*)\\s*\\|(.*)

body_field_index_vault_retrieve_password_user

Description The index that corresponds to the user who retrieved the password from the Vault in the audit_creator_body_regex_vault_retrieve_password property.

Acceptable Values Number greater than zero

Default Value 1

body_field_index_vault_retrieve_password_date

Description The index that corresponds to the date when the password was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.

Acceptable Values Number greater than zero

Default Value 2

body_field_index_vault_retrieve_password_account_user

Description The index that corresponds to the user specified in the account that was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.

Acceptable Values Number greater than zero

Default Value 4

body_field_index_vault_retrieve_password_account_address

Description The index that corresponds to the address specified in the account that was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.

Acceptable Values Number greater than zero

Default Value 5
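An added check for the two syslog-format regexes, their field indices, and the vault-retrieve-password audit-creator regex above (example code, not CyberArk's): it unescapes the default values as a Java properties file would, applies the configured group indices to two constructed syslog lines, and then runs the body field through the audit-creator regex. The sample lines are constructed for this example; the regexes and index numbers are the defaults from the tables.

```python
"""Check PTA's syslog-format and audit-creator regexes against sample lines.

Added example, not CyberArk's code. The three regex constants are the default
values of syslog_format_regex_legacy, syslog_format_regex_5424 and
audit_creator_body_regex_vault_retrieve_password exactly as they appear in
systemparm.properties (doubled backslashes). The sample lines are constructed;
their body layout is chosen to fit the default audit-creator regex and is not
a captured Vault message.
"""
import re

SYSLOG_FORMAT_REGEX_LEGACY = (
    r"(<\\d+>)?([\\d\\.]+)?\\s*([a-zA-Z]+\\s+\\d{1,2}\\s+\\d{1,2}:\\d{1,2}:\\d{1,2})"
    r"\\s+([^\\s]+)\\s+(.*)"
)
SYSLOG_FORMAT_REGEX_5424 = (
    r"<(\\d+)>([\\d\\.]+)\\s+(\\d{4}-\\d{2}-\\d{1,2}T\\d{1,2}:\\d{1,2}:\\d{1,2}Z)"
    r"\\s+([^\\s]+)\\s+(.*)"
)
AUDIT_CREATOR_BODY_REGEX_VAULT_RETRIEVE_PASSWORD = (
    r"\\s*\\|\\s*([^\\s\\|]+)\\s*\\|\\s*([^\\|]*)\\s*\\|\\s*(Retrieve password|Use Password)"
    r"\\s*\\|\\s*([^\\s\\|]*)\\s*\\|\\s*([^\\s\\|]*)\\s*\\|(.*)"
)

# Default field indices: the capture-group number that holds each field.
SYSLOG_FIELD_INDEX = {"date": 3, "machine": 4, "body": 5}
BODY_FIELD_INDEX_VAULT_RETRIEVE_PASSWORD = {
    "user": 1, "date": 2, "account_user": 4, "account_address": 5,
}
SYSLOG_FORMATS = (("5424", SYSLOG_FORMAT_REGEX_5424), ("legacy", SYSLOG_FORMAT_REGEX_LEGACY))


def unescape_properties_value(value):
    """A Java properties file stores one backslash as two, so the file's
    '\\\\d' is read as '\\d'. That is the only escape these regexes use."""
    return value.replace("\\\\", "\\")


def extract_fields(pattern_source, text, field_index, anchored=True):
    """Compile a properties-file regex and pull out the indexed groups.
    Returns None when the regex does not match, which is the case to catch
    before deploying a custom regex or index. Raises if an index points past
    the last capture group."""
    pattern = re.compile(unescape_properties_value(pattern_source))
    if max(field_index.values()) > pattern.groups:
        raise ValueError("a field index points past the regex's last capture group")
    match = pattern.match(text) if anchored else pattern.search(text)
    if match is None:
        return None
    return {name: match.group(idx) for name, idx in field_index.items()}


def parse_syslog_record(line):
    """Split a raw syslog line the way the syslog_format_* settings do, then
    run the audit-creator regex over the body field. 'audit' is None when the
    body is not a retrieve-password record."""
    for name, source in SYSLOG_FORMATS:
        fields = extract_fields(source, line, SYSLOG_FIELD_INDEX)
        if fields is None:
            continue
        fields["format"] = name
        fields["audit"] = extract_fields(
            AUDIT_CREATOR_BODY_REGEX_VAULT_RETRIEVE_PASSWORD,
            fields["body"], BODY_FIELD_INDEX_VAULT_RETRIEVE_PASSWORD, anchored=False)
        return fields
    return None


# Constructed sample lines, not captured traffic.
SAMPLE_LEGACY = (
    "<14>Jan  5 03:22:11 vault01 "
    "|alice|2018-01-05 03:22:10|Retrieve password|root|10.0.0.5|Safe=UnixRoot"
)
SAMPLE_5424 = (
    "<14>1 2018-01-05T03:22:11Z vault01 "
    "|bob|2018-01-05 03:22:10|Use Password|oracle|db01.example.com|Safe=Oracle"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY, SAMPLE_5424):
        print(parse_syslog_record(sample))
```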

Section: Syslog
Sub-section: Audit creator for unix session opened

audit_creator_body_regex_unix_session_opened

Description A regular expression that defines the data format in a syslog string that the audit creator detects.

Acceptable Values Regular expression

Default Value \\s*[a-zA-Z0-9\\[\\]]+:\\s+pam_unix\\((.+):session\\):\\s*session opened for user\\s+(\\S+) by.*

body_field_index_unix_session_opened_user

Description The index of the user who opened the unix session in the audit_creator_body_regex_unix_session_opened property.

Acceptable Values Number greater than zero

Default Value 2

body_field_index_unix_session_opened_session_type

Description The index of the type of session that was opened in the audit_creator_body_regex_unix_session_opened property.

Acceptable Values Number greater than zero

Default Value 1

Section: Syslog
Sub-section: Audit creator for CEF

audit_creator_body_regex_cef

Description A regular expression that defines the data format in a syslog string that the audit creator detects.

Acceptable Values Regular expression

Default Value CEF:(?<cefVersion>\\d+)\\|(?<vendor>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<product>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<version>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<id>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<name>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<severity>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<extension>.*)

custom_CEF_Windows_plugin_parameter

Description Custom vendor and product name for Windows logon support.

Acceptable Values Json string

Default Value [{\"Vendor\":\"Microsoft\",\"Product\":\"Microsoft Windows\"}]

Section: Schedulers

excessive_access_task_trigger

Description The time for frequent updates of the excessive access (user) baseline. The default is midnight of every day.

Acceptable Values Cron expression

Default Value 0 0 0 * * ?

irregular_ip_task_trigger

Description The time for frequent updates of the irregular IP (user) baseline. The default is midnight of every day.

Acceptable Values Cron expression

Default Value 0 0 0 * * ?

vault_accounts_reload_task_trigger

Description The time for frequent updates of the Vault accounts reload. The default is 1:00 AM of every day.

Acceptable Values Cron expression

Default Value 0 0 1 * * ?

human_vault_user_cache_reload_task_trigger

Description The time for frequent updates of the Vault users reload. The default is midnight of every day.

Acceptable Values Cron expression

Default Value 0 0 0 * * ?

irregular_hours_asset_task_trigger

Description The time for frequent updates of the irregular hours (machine) baseline. The default is midnight of every day.

Acceptable Values Cron expression

Default Value 0 0 0 * * ?

irregular_hours_user_task_trigger

Description The time for frequent updates of the irregular hours (user) baseline. The default is midnight of every day.

Acceptable Values Cron expression

Default Value 0 0 0 * * ?

audits_retention_task_trigger

Description The time for deleting raw data that has passed the retention period. The default is 3:30 AM every day.

Acceptable Values Cron expression

Default Value 0 30 3 * * ?

Section: Algorithms

disabled_detection_algorithms

Description The list of anomalies whose detections are disabled.

Acceptable Values
■ ActiveDormantUserAnomalyAlgorithm
■ AggregativeIceAnomalyAlgorithm
■ BaseICEAnomalyAlgorithm
■ ExcessiveAccessAnomalyAlgorithm
■ ExcessiveAccessAssetAnomalyAlgorithm
■ ExcessiveAccessUserAnomalyAlgorithm
■ GoldenTicketAnomalyAlgorithm
■ InteractiveLogonWithServiceAccountAnomalyAlgorithm
■ IrregularHoursAssetAnomalyAlgorithm
■ IrregularHoursUserAnomalyAlgorithm
■ LogonIrrSourceMachineToTgtMachineByTgtAccAnomalyAlgorithm
■ LogonIrrTgtAccFromMachineAnomalyAlgorithm
■ LogonIrrTgtMachineByTgtAccAnomalyAlgorithm
■ MachineAccessViaIrregularIpAnomalyAlgorithm
■ MaliciousRetrievalOfDomainAccountsAnomalyAlgorithm
■ OverPassTheHashAnomalyAlgorithm
■ PacAsRequestAttackAnomalyAlgorithm
■ PSMRiskyCommandAnomalyAlgorithm
■ PSMVaultAnomalyAlgorithm
■ SuspectedCredentialsTheftAnomalyAlgorithm
■ UnmanagedPrivilegedAccessAnomalyAlgorithm
■ VaultAccessViaIrregularIpAnomalyAlgorithm
■ RiskySPNRisk
■ IrregularDayUserAnomaly

Default Value ExcessiveAccessAssetAnomalyAlgorithm,LogonIrrSourceMachineToTgtMachineByTgtAccAnomalyAlgorithm,LogonIrrTgtAccFromMachineAnomalyAlgorithm,LogonIrrTgtMachineByTgtAccAnomalyAlgorithm,MachineAccessViaIrregularIpAnomalyAlgorithm

Section: Algorithms
Sub-section: irregular hours

irr_hours_excluded_usernames_list

Description The list of users to be excluded from the Irregular Hours baseline calculation. Multiple names must be separated by commas.

Acceptable Values Vault users

Default Value None

irr_hours_baseline_range_start

Description The starting-point of training data (vault_log) in the range, for baseline calculation.

Acceptable Values 0.0-1 (where 1 is 100%)

Default Value 0

irr_hours_baseline_range_end

Description The endpoint of training data (vault_log) in the range, for baseline calculation.

Acceptable Values 0.0-1 (where 1 is 100%)

Default Value 1

irr_hours_baseline_debug

Description Determines how the baseline is created.

Note:
This parameter is for internal debugging purposes.

Acceptable Values true/false

Default Value false

Section: Algorithms
Sub-section: DC Replication

dc_replication_whitelist

Description The list of machines which are allowed to execute DC replication operations. Multiple names must be separated by commas.

Acceptable Values Fully-qualified machine names, IPs

Default Value None

Section: Algorithms
Sub-section: Unmanaged privileged access

privileged_users_list

Description A list of users considered privileged in the organization, and who should be managed by CyberArk’s Privileged Account Security solution.

Acceptable Values A list of the following information: {platform, case sensitivity of user, regular expression}
Acceptable values are:
■ Platform – WINDOWS/UNIX/ORACLE (upper case)
■ Case sensitivity – true/false
■ Regex – string

Default Value If this value is not defined by the user, the system will use the following default value:
[{"mPlatform":"UNIX","mIsCaseSensitive":true,"mUsers":[root]},{"mPlatform":"WINDOWS","mIsCaseSensitive":false,"mUsers":[.*admin.*]},{"mPlatform":"ORACLE","mIsCaseSensitive":false,"mUsers":[sys,system,sysman]}]

privileged_groups_list

Description A list of groups considered privileged in the organization, and whose members should be managed by CyberArk’s Privileged Account Security solution.

Acceptable Values A list of the following information: {Domain, Group_name}
Acceptable values are:
■ Domain
■ Group Name

Default Value None

Unmanaged_Privileged_Access_Score

Description The unmanaged privileged access anomaly score.

Acceptable Values Number between 1-100

Default Value 30

Section: Algorithms
Sub-section: vault access via irregular ip

irregular_ip_tail_proporion_exp_base

Description The base taken in the exponent of the proportion of the tail of the given IP which was not spanned by the tree. Specify a number greater than ‘1’.

Acceptable Values Double

Default Value 8.0

irr_ip_excluded_usernames_list

Description A list of usernames that PTA will ignore when analyzing Vault access via irregular IP addresses.

Acceptable Values Vault users

Default Value DR,BATCH,BACKUP

irr_ip_excluded_sourceIP_list

Description A list of IP addresses that PTA will ignore when analyzing Vault access via irregular IP addresses.

Acceptable Values IPs

Default Value Configured PVWA IP

Section: Algorithms
Sub-section: ICE - asset connection words algorithms

asset_connection_excluded_domain_account_list

Description The list of domain accounts to be excluded from the Asset Connection baseline calculation.

Acceptable Values A list of the following information: {domain, list of users that belong to the domain}
Acceptable values are:
■ Domain – any valid domain name (string)
■ Users – string of user names separated by commas

Default Value N/A


Section: Algorithms
Sub-section: Suspected credentials theft

not_via_pim_time_window

Description The number of minutes of the default check-out time period of a password.

Acceptable Values Number

Default Value 480

sct_excluded_account_list

Description A list of usernames that PTA will ignore when analyzing connections to remote machines without first retrieving the required credentials from the Vault.

Acceptable Values A list of the following information: {platform, Machine/domain, DB instance, User}
Acceptable values are:
■ Platform – WINDOWS/UNIX/ORACLE (upper case)
■ Machine – either IP or FQDN
■ Domain – relevant only for WINDOWS platforms, when the account is a domain account
■ DB Instance – if the Platform is ORACLE, the instance name must be mentioned
■ User – string
All fields except Platform can be configured as a list with a ‘,’ delimiter and support asterisks.
For example:
#sct_excluded_account_list=[{"mPlatforms":["WINDOWS"],"mUsers":["user"],"mDomains":["domain.com"]},{"mPlatforms":["WINDOWS"],"mUsers":["localUser"],"mMachines":["prod.domain.com"]},{"mPlatforms":["ORACLE"],"mUsers":["localUser"],"mMachines":["prodDB.domain.com"],"mInstanceNames":["MyDB"]}]

Default Value None

Section: Algorithms
Sub-section: Suspicious Password Change

suspicious_password_change_time_window_minutes

Description The time, in minutes, PTA waits before indicating a password change was not done by CPM and is suspicious.

Acceptable Values Number between 1-60

Default Value 2

suspicious_password_change_score

Description The suspicious password change anomaly score.

Acceptable Values Number between 1-100

Default Value 80

Section: Algorithms
Sub-section: Suspicious activities detected in a privileged session

risky_command_configuration

Description A regular expression that defines the suspicious session activities that PTA analyzes.

Acceptable Values A list of the following information: {regular expression of the command, score, description, category}
Acceptable values are:
■ Regex – string
■ Score – 1-100
■ Description (optional) – string
■ Category - Universal keystrokes, SCP, SQL, SSH, Windows titles
■ Response - NONE, TERMINATE, SUSPEND
■ Active - true/false
For example:
[{"regex":"kill (.*)","score":"70","description":"description2","category":"SSH","response":"NONE","active":true}]

Default Value A set of best practices that CyberArk recommends.

Section: Algorithms
Sub-section: Risky SPN

risky_spn_excluded_account_list

Description A list of usernames, domains and service principal names that PTA will ignore when analyzing privileged accounts that contain service principal names.

Acceptable Values A list of the following information: {user, domain, service}
Acceptable values are:
■ User – string
■ Domain – domain name, such as domain.com
■ Service principal name – service principal name in the format of host\service
All fields can be configured as a list with a ‘,’ delimiter, and can support asterisks.
For example:
risky_spn_excluded_account_list=[{"mUsers":["user1"],"domain":["domain.com"],"service":["host\service","fqdn\service"]},{"mUsers":["sqladmin"],"domain":["domain.com"],"service":["*"]}]

Default Value None

Section: Email

mail.smtp.host

Description The IP of the mail server in the organization.

Acceptable Values IP address

Default Value None

mail.smtp.port

Description The SMTP port for emails.

Acceptable Values 25, 587

Default Value 25

mail.smtp.auth

Description Whether the authentication method is on.

Acceptable Values true/false

Default Value true

mail.debug

Description Whether the debug messages of the email process appear in the log.

Acceptable Values true/false

Default Value false

email_from

Description The email address of the sender.

Acceptable Values Email address in lowercase characters.

Default Value None

email_recipient

Description A list of the recipient email addresses that will receive an email when an incident is discovered. Specify email addresses using only lowercase characters. Multiple addresses are separated by a semi-colon (;).

Acceptable Values Email address; email address; ...

Default Value None

Section: DNS

dns_srv_record_format

Description The format of a DNS service record (SRV).

Acceptable Values Regular expression

Default Value \\s*\\d+\\s+\\d+\\s+\\d+\\s+((?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?)\\.

dns_ldap_domain_srv_record_name_prefix

Description The prefix that identifies an SRV record for a domain.

Acceptable Values String

Default Value _ldap._tcp.dc._msdcs.

dns_resolving_timeout

Description The timeout period for DNS resolving, in milliseconds.

Acceptable Values Number of milliseconds

Default Value 10000

Section: Domain

domain_controllers

Description List of domains and their domain controllers.

Acceptable Values {"domain_name":[{"mAddress":"dc1_ip_address","mHostName":"dc1_host_name"},{"mAddress":"dc2_ip_address","mHostName":"dc2_host_name"}]}

Default Value None

pre2000_domain_list

Description List of DNS names with their corresponding pre-Windows 2000 names.

Acceptable Values {"preWin2000DomainName":"fullDNSDomainName","preWin2000DomainName2":"fullDNSDomainName2"}

Default Value None

epv_https_enabled

Description Whether PTA will connect to PAS through https.

Acceptable Values true/false

Default Value true

epv_host

Description The name of PAS that PTA will connect to. Enter the FQDN.

Acceptable Values String

Default Value -

epv_port

Description The port through which PTA will connect to PAS.

Acceptable Values Port number

Default Value
■ https: 443
■ http: 80

epv_root_context

Description The PVWA application name.

Acceptable Values String

Default Value PasswordVault

send_psm_session_related_data

Description Whether PTA will send a privileged session risk score to PSM to make the score available in PVWA.

Acceptable Values true/false

Default Value true

Section: UI

numberOfIncidentsToGroupBy

Description The number of suspicious session activity incidents for the selected
timeframe that will be displayed in individual bubbles on the dashboard.
The rest of the incidents will be displayed in a single aggregated bubble.

Acceptable Number
Values

Default Value 0

Section: Mitigation

epvintegrationRotatePasswordExcludeList

Description The list of anomalies to be excluded from the automatic rotate-password reaction for credentials theft.

Acceptable Values
■ SuspectedCredentialsTheft
■ OverPassTheHash
■ SuspiciousPasswordChange

Default Value SuspectedCredentialsTheft,OverPassTheHash,SuspiciousPasswordChange

EnableAutomaticMitigationByEPV

Description Determines whether PTA will integrate with PAS to react automatically to detected credential thefts.

Acceptable Values true/false

Default Value
■ When integration with PAS is not configured, this parameter is not relevant.
■ When integration with PAS is configured, this parameter is automatically set to true.

epvIntegrationEnableAddPendingAccount

Description Determines whether PTA will integrate with PAS to automatically add unmanaged privileged accounts to the PVWA pending accounts queue.

Acceptable Values
■ True – automatic adding of unmanaged privileged accounts is enabled
■ False – automatic adding of unmanaged privileged accounts is disabled

Default Value False

epv_integration_rotate_password

Description Determines whether PTA will integrate with PAS to automatically rotate the passwords of accounts.

Acceptable Values
■ True – automatic password rotation for accounts is enabled
■ False – automatic password rotation for accounts is disabled

Default Value False

epv_integration_reconcile_password

Description Determines whether PTA will integrate with PAS to react automatically to any detected CyberArk Password Manager bypass.

Acceptable Values
■ True – automatic password reconciliation is enabled
■ False – automatic password reconciliation is disabled

Default Value False

psm_mitigation_enabled

Description Allows a user to enable or disable automatic mitigation of PSM suspicious activities.

Acceptable Values
■ True – automatic mitigation is enabled
■ False – automatic mitigation is disabled

Default Value True

psm_mitigation_termination_enabled

Description Allows a user to enable or disable automatic session termination as the mitigation of PSM suspicious activities.

Acceptable Values
■ True – automatic mitigation session termination is enabled
■ False – automatic mitigation session termination is disabled

Default Value False

psm_mitigation_suspension_enabled

Description Allows a user to enable or disable automatic session suspension as the mitigation of PSM suspicious activities.

Acceptable Values
■ True – automatic mitigation session suspension is enabled
■ False – automatic mitigation session suspension is disabled

Default Value False


Section: Auto Purge

audits_retention_period_in_days

Description The retention period for raw data to be stored in PTA before it will be deleted. This does not apply to events that PTA has detected.

Acceptable Values Number

Default Value 90

Section: PTA Agent

enable_client_verification

Description Enables client verification for the secured syslog.

Acceptable Values
■ True – client verification for the secured syslog is enabled
■ False – client verification for the secured syslog is disabled

Default Value True

enable_dcagent_connection

Description Enables PTA Windows Agent connection to the PTA Server.

Acceptable Values
■ True – PTA Windows Agent connection to the PTA Server is enabled
■ False – PTA Windows Agent connection to the PTA Server is disabled

Default Value True


Configure Agent Properties


The config.ini file configures the PTA Windows Agent. The configuration file is stored in
the C:\Program Files\cyberark\PTA Agent\ directory.

To Change Default Property Values:


1. Navigate to the C:\Program Files\cyberark\PTA Agent\ directory.
2. Locate the needed property in the documentation below.
3. If the property's section header (as shown in the documentation below) is missing from
the file, add it at the end of the file.
4. Add the property and its value below the section header.

Note:
All parameters must be specified without spaces.

Section: ServerInfo

PTA_IP_Address

Description The IP of the PTA Server.

Acceptable Values IP address

Default Value None

SSL_Data_Port

Description The port used to send syslog data to PTA in a secure channel.

Acceptable Values Number between 1024 and 65535

Default Value 6514

SSL_Control_Port

Description The port used to send statistics data to PTA in a secure channel.

Acceptable Values Number between 1024 and 65535

Default Value 7514

Section: DCInfo

Server_Verification_Required

Description Determines whether the PTA Server certificate is validated by the PTA Windows Agent, making the connection trusted.

Acceptable Values true/false

Default Value true

Network_Interface_ID

Description The network interface that the PTA Windows Agent uses.

Acceptable Values Number

Default Value 1

KeepAlive_Interval_msec

Description The milliseconds between each heartbeat to the PTA Server.

Acceptable Values Number

Default Value 2000 (2 seconds)

Network_Enabled

Description Data analysis mode to inspect Network traffic.

Acceptable Values
■ True – data analysis mode to inspect Network traffic is enabled
■ False – data analysis mode to inspect Network traffic is disabled

Default Value True

Windows_Event_Enabled

Description Data analysis mode to inspect Windows events.

Acceptable Values
■ True – data analysis mode to inspect Windows events is enabled
■ False – data analysis mode to inspect Windows events is disabled

Default Value False

Section: Debug

Write_Events_To_Log

Description Set the debug events flag. This parameter is for internal debugging purposes.

Acceptable Values
■ 0 - false
■ 1 - true

Default Value 0 (false)


Section: Monitoring

Machine_Monitoring_Enabled_Global

Description Determines whether monitoring options are available.

Acceptable Values true/false

Default Value true

Machine_Monitoring_Enabled_Memory

Description Determines whether Memory monitoring is available.

Acceptable Values true/false

Default Value true

Machine_Monitoring_Enabled_CPU

Description Determines whether CPU monitoring is available.

Acceptable Values true/false

Default Value true

Machine_Monitoring_Enabled_Network

Description Determines whether Network monitoring is available.

Acceptable Values true/false

Default Value true

Machine_Monitoring_To_Log

Description Determines whether the monitoring results are written to the log file.

Acceptable Values true/false

Default Value true

Machine_Monitoring_Interval_sec

Description The interval, in seconds, at which the machine is queried for resource data.

Acceptable Values Number

Default Value 10

Section: ClientCertificate

Client_Certificate_Enabled

Description Determines whether the client sends the certificate to the PTA Server for verification.

Acceptable Values true/false

Default Value true

Client_Certificate_Subject_Name

Description The subject name of the client certificates installed on the PTA Windows Agent machine.

Acceptable Values String

Default Value None

Section: Enforcement

Process_CPU_Enabled

Description Determines whether the CPU based enforcement is enabled.

Acceptable Values true/false

Default Value true

Process_CPU_Monitoring_Time_Window

Description The time window to monitor CPU exceptions.

Acceptable Values Number

Default Value 60

Process_CPU_Percent_Threshold

Description The CPU Threshold percentage limit.

Acceptable Values Number between 1 and 100

Default Value 35

Process_CPU_Percent_Exceeded_Samples_sec

Description The allowed percentage of the exceeded threshold.

Acceptable Values Number

Default Value 70

Section: Forwarder

Windows_Event_Log

Description The Windows event log name from which the PTA Windows Agent reads the events.

Acceptable Values String

Default Value ForwardedEvents


Time Zones
The PTA installation wizard requires you to configure your time zone. The following table
lists the available time zones.

EST5EDT MET WET

GB Iran Mexico/BajaSur

Mexico/BajaNorte Mexico/General Israel

NZ Asia/Macao Asia/Irkutsk

Asia/Shanghai Asia/Chongqing Asia/Anadyr

Asia/Hovd Asia/Urumqi Asia/Harbin

Asia/Thimphu Asia/Bishkek Asia/Dhaka

Asia/Hong_Kong Asia/Jakarta Asia/Vientiane

Asia/Pyongyang Asia/Baghdad Asia/Gaza

Asia/Samarkand Asia/Tashkent Asia/Beirut

Asia/Oral Asia/Jerusalem Asia/Calcutta

Asia/Tokyo Asia/Taipei Asia/Omsk

Asia/Dushanbe Asia/Kolkata Asia/Brunei

Asia/Dili Asia/Istanbul Asia/Baku

Asia/Ashgabat Asia/Jayapura Asia/Colombo

Asia/Tbilisi Asia/Ulan_Bator Asia/Kuching

Asia/Novosibirsk Asia/Phnom_Penh Asia/Novokuznetsk

Asia/Ujung_Pandang Asia/Thimbu Asia/Ashkhabad

Asia/Bahrain Asia/Vladivostok Asia/Kamchatka

Asia/Seoul Asia/Chungking Asia/Sakhalin

Asia/Aqtau Asia/Magadan Asia/Kuwait

Asia/Singapore Asia/Kuala_Lumpur Asia/Amman

Asia/Kathmandu Asia/Krasnoyarsk Asia/Rangoon

Asia/Pontianak Asia/Dubai Asia/Yekaterinburg

Asia/Yakutsk Asia/Aden Asia/Aqtobe

Asia/Qatar Asia/Muscat Asia/Nicosia

Asia/Qyzylorda Asia/Macau Asia/Hebron

Asia/Kabul Asia/Choibalsan Asia/Riyadh87

Privileged Threat Analytics


129 Time Zones

Asia/Tel_Aviv Asia/Saigon Asia/Yerevan

Asia/Kashgar Asia/Manila Asia/Ulaanbaatar

Asia/Makassar Asia/Riyadh89 Asia/Ho_Chi_Minh

Asia/Dacca Asia/Bangkok Asia/Riyadh

Asia/Tehran Asia/Damascus Asia/Katmandu

Asia/Karachi Asia/Almaty Asia/Riyadh88

Canada/East- Canada/Central Canada/Newfoundland


Saskatchewan

Canada/Atlantic Canada/Eastern Canada/Yukon

Canada/Mountain Canada/Pacific Canada/Saskatchewan

Greenwich Africa/Accra Africa/Khartoum

Africa/Kigali Africa/Bangui Africa/Timbuktu

Africa/Juba Africa/Ouagadougou Africa/Dar_es_Salaam

Africa/Monrovia Africa/Maputo Africa/Tripoli

Africa/Windhoek Africa/Bissau Africa/Ndjamena

Africa/Asmera Africa/Lome Africa/Ceuta

Africa/Blantyre Africa/Cairo Africa/Tunis

Africa/Mbabane Africa/Porto-Novo Africa/Bamako

Africa/Nouakchott Africa/Maseru Africa/Niamey

Africa/Nairobi Africa/Algiers Africa/Johannesburg

Africa/Lagos Africa/Kinshasa Africa/Gaborone

Africa/Banjul Africa/Brazzaville Africa/Sao_Tome

Africa/Mogadishu Africa/Djibouti Africa/Luanda

Africa/Casablanca Africa/Addis_Ababa Africa/Douala

Africa/Lusaka Africa/Conakry Africa/Abidjan

Africa/Freetown Africa/Malabo Africa/Dakar

Africa/Asmara Africa/Libreville Africa/Bujumbura

Africa/Lubumbashi Africa/Harare Africa/Kampala

Africa/El_Aaiun Zulu Japan

Indian/Maldives Indian/Antananarivo Indian/Chagos

Indian/Reunion Indian/Mayotte Indian/Christmas

Indian/Mauritius Indian/Kerguelen Indian/Mahe

Indian/Cocos Indian/Comoro NZ-CHAT

Eire UTC Universal

Privileged Threat Analytics


PTA Installation Guide 130

EET Brazil/Acre Brazil/West

Brazil/East Brazil/DeNoronha MST7MDT

Mideast/Riyadh87 Mideast/Riyadh89 Mideast/Riyadh88

Libya EST UCT

Atlantic/St_Helena Atlantic/South_Georgia Atlantic/Canary

Atlantic/Cape_Verde Atlantic/Faroe Atlantic/Azores

Atlantic/Jan_Mayen Atlantic/Reykjavik Atlantic/Faeroe

Atlantic/Bermuda Atlantic/Madeira Atlantic/Stanley

HST Hongkong posix/EST5EDT

posix/MET posix/WET posix/GB

posix/Iran posix/Mexico/BajaSur posix/Mexico/BajaNorte

posix/Mexico/General posix/Israel posix/NZ

posix/Asia/Macao posix/Asia/Irkutsk posix/Asia/Shanghai

posix/Asia/Chongqing posix/Asia/Anadyr posix/Asia/Hovd

posix/Asia/Urumqi posix/Asia/Harbin posix/Asia/Thimphu

posix/Asia/Bishkek posix/Asia/Dhaka posix/Asia/Hong_Kong

posix/Asia/Jakarta posix/Asia/Vientiane posix/Asia/Pyongyang

posix/Asia/Baghdad posix/Asia/Gaza posix/Asia/Samarkand

posix/Asia/Tashkent posix/Asia/Beirut posix/Asia/Oral

posix/Asia/Jerusalem posix/Asia/Calcutta posix/Asia/Tokyo

posix/Asia/Taipei posix/Asia/Omsk posix/Asia/Dushanbe

posix/Asia/Kolkata posix/Asia/Brunei posix/Asia/Dili

posix/Asia/Istanbul posix/Asia/Baku posix/Asia/Ashgabat

posix/Asia/Jayapura posix/Asia/Colombo posix/Asia/Tbilisi

posix/Asia/Ulan_Bator posix/Asia/Kuching posix/Asia/Novosibirsk

posix/Asia/Phnom_Penh posix/Asia/Novokuznetsk posix/Asia/Ujung_


Pandang

posix/Asia/Thimbu posix/Asia/Ashkhabad posix/Asia/Bahrain

posix/Asia/Vladivostok posix/Asia/Kamchatka posix/Asia/Seoul

posix/Asia/Chungking posix/Asia/Sakhalin posix/Asia/Aqtau

posix/Asia/Magadan posix/Asia/Kuwait posix/Asia/Singapore

posix/Asia/Kuala_Lumpur posix/Asia/Amman posix/Asia/Kathmandu

posix/Asia/Krasnoyarsk posix/Asia/Rangoon posix/Asia/Pontianak

posix/Asia/Dubai posix/Asia/Yekaterinburg posix/Asia/Yakutsk

Privileged Threat Analytics


131 Time Zones

posix/Asia/Aden posix/Asia/Aqtobe posix/Asia/Qatar

posix/Asia/Muscat posix/Asia/Nicosia posix/Asia/Qyzylorda

posix/Asia/Macau posix/Asia/Hebron posix/Asia/Kabul

posix/Asia/Choibalsan posix/Asia/Riyadh87 posix/Asia/Tel_Aviv

posix/Asia/Saigon posix/Asia/Yerevan posix/Asia/Kashgar

posix/Asia/Manila posix/Asia/Ulaanbaatar posix/Asia/Makassar

posix/Asia/Riyadh89 posix/Asia/Ho_Chi_Minh posix/Asia/Dacca

posix/Asia/Bangkok posix/Asia/Riyadh posix/Asia/Tehran

posix/Asia/Damascus posix/Asia/Katmandu posix/Asia/Karachi

posix/Asia/Almaty posix/Asia/Riyadh88 posix/Canada/


East-Saskatchewan

posix/Canada/Central posix/Canada/Newfoundl posix/Canada/Atlantic


and

posix/Canada/Eastern posix/Canada/Yukon posix/Canada/Mountain

posix/Canada/Pacific posix/Canada/Saskatche posix/Greenwich


wan

posix/Africa/Accra posix/Africa/Khartoum posix/Africa/Kigali

posix/Africa/Bangui posix/Africa/Timbuktu posix/Africa/Juba

posix/Africa/Ouagadougou posix/Africa/Dar_es_ posix/Africa/Monrovia


Salaam

posix/Africa/Maputo posix/Africa/Tripoli posix/Africa/Windhoek

posix/Africa/Bissau posix/Africa/Ndjamena posix/Africa/Asmera

posix/Africa/Lome posix/Africa/Ceuta posix/Africa/Blantyre

posix/Africa/Cairo posix/Africa/Tunis posix/Africa/Mbabane

posix/Africa/Porto-Novo posix/Africa/Bamako posix/Africa/Nouakchott

posix/Africa/Maseru posix/Africa/Niamey posix/Africa/Nairobi

posix/Africa/Algiers posix/Africa/Johannesbur posix/Africa/Lagos


g

posix/Africa/Kinshasa posix/Africa/Gaborone posix/Africa/Banjul

posix/Africa/Brazzaville posix/Africa/Sao_Tome posix/Africa/Mogadishu

posix/Africa/Djibouti posix/Africa/Luanda posix/Africa/Casablanca

posix/Africa/Addis_Ababa posix/Africa/Douala posix/Africa/Lusaka

posix/Africa/Conakry posix/Africa/Abidjan posix/Africa/Freetown

posix/Africa/Malabo posix/Africa/Dakar posix/Africa/Asmara

posix/Africa/Libreville posix/Africa/Bujumbura posix/Africa/Lubumbashi

Privileged Threat Analytics


PTA Installation Guide 132

posix/Africa/Harare posix/Africa/Kampala posix/Africa/El_Aaiun

posix/Zulu posix/Japan posix/Indian/Maldives

posix/Indian/Antananarivo posix/Indian/Chagos posix/Indian/Reunion

posix/Indian/Mayotte posix/Indian/Christmas posix/Indian/Mauritius

posix/Indian/Kerguelen posix/Indian/Mahe posix/Indian/Cocos

posix/Indian/Comoro posix/NZ-CHAT posix/Eire

posix/UTC posix/Universal posix/EET

posix/Brazil/Acre posix/Brazil/West posix/Brazil/East

posix/Brazil/DeNoronha posix/MST7MDT posix/Mideast/Riyadh87

posix/Mideast/Riyadh89 posix/Mideast/Riyadh88 posix/Libya

posix/EST posix/UCT posix/Atlantic/St_Helena

posix/Atlantic/South_ posix/Atlantic/Canary posix/Atlantic/Cape_


Georgia Verde

posix/Atlantic/Faroe posix/Atlantic/Azores posix/Atlantic/Jan_Mayen

posix/Atlantic/Reykjavik posix/Atlantic/Faeroe posix/Atlantic/Bermuda

posix/Atlantic/Madeira posix/Atlantic/Stanley posix/HST

posix/Hongkong posix/CST6CDT posix/US/Alaska

posix/US/Indiana-Starke posix/US/Central posix/US/Michigan

posix/US/Aleutian posix/US/East-Indiana posix/US/Eastern

posix/US/Pacific-New posix/US/Hawaii posix/US/Mountain

posix/US/Arizona posix/US/Samoa posix/US/Pacific

posix/MST posix/GMT+0 posix/ROC

posix/Singapore posix/Turkey posix/GMT0

posix/Poland posix/Chile/Continental posix/Chile/EasterIsland

posix/Iceland posix/America/Antigua posix/America/Swift_


Current

posix/America/Inuvik posix/America/Juneau posix/America/Porto_


Velho

posix/America/Sao_Paulo posix/America/Cuiaba posix/America/Santarem

posix/America/Buenos_ posix/America/Lima posix/America/Recife


Aires

posix/America/Lower_ posix/America/Panama posix/America/


Princes Cambridge_Bay

posix/America/Montevideo posix/America/Argentina/ posix/America/Argentina/


Buenos_Aires Salta

Privileged Threat Analytics


133 Time Zones

posix/America/Argentina/ posix/America/Argentina/ posix/America/Argentina/


San_Juan ComodRivadavia Tucuman

posix/America/Argentina/ posix/America/Argentina/ posix/America/Argentina/


San_Luis Ushuaia Jujuy

posix/America/Argentina/ posix/America/Argentina/ posix/America/Argentina/


Rio_Gallegos Mendoza La_Rioja

posix/America/Argentina/C posix/America/Argentina/ posix/America/Nassau


atamarca Cordoba

posix/America/Shiprock posix/America/Manaus posix/America/Rosario

posix/America/Nome posix/America/Danmarks posix/America/Resolute


havn

posix/America/Rio_Branco posix/America/Vancouver posix/America/


Campo_Grande

posix/America/Ensenada posix/America/Belem posix/America/Rankin_


Inlet

posix/America/Thunder_ posix/America/St_ posix/America/St_Vincent


Bay Thomas

posix/America/North_ posix/America/North_ posix/America/North_


Dakota/ Dakota/ Dakota/Beulah
New_Salem Center

posix/America/Dawson posix/America/Fortaleza posix/America/Monterrey

posix/America/Montserrat posix/America/Sitka posix/America/Atikokan

posix/America/Regina posix/America/Winnipeg posix/America/Paramaribo

posix/America/Rainy_River posix/America/Mazatlan posix/America/Edmonton

posix/America/Port-au- posix/America/Moncton posix/America/Mexico_


Prince City

posix/America/Matamoros posix/America/Nipigon posix/America/Indianapoli


s

posix/America/Los_Angeles posix/America/New_York posix/America/El_


Salvador

posix/America/Coral_ posix/America/Miquelon posix/America/Tortola


Harbour

posix/America/Kralendijk posix/America/Knox_IN posix/America/Goose_


Bay

posix/America/Curacao posix/America/Santa_ posix/America/


Isabel Dawson_Creek

posix/America/Tegucigalpa posix/America/Barbados posix/America/Godthab

posix/America/Caracas posix/America/Puerto_ posix/America/Santiago


Rico

Privileged Threat Analytics


PTA Installation Guide 134

posix/America/St_Johns posix/America/St_ posix/America/Aruba


Barthelemy

posix/America/Martinique posix/America/St_Lucia posix/America/Phoenix

posix/America/Yakutat posix/America/Hermosillo posix/America/Kentucky/L


ouisville

posix/America/Kentucky/ posix/America/Bahia_ posix/America/Thule


Monticello Banderas

posix/America/Yellowknife posix/America/Havana posix/America/Scoresbys


und

posix/America/Halifax posix/America/Adak posix/America/Creston

posix/America/Boise posix/America/Grand_ posix/America/Araguaina


Turk

posix/America/Guayaquil posix/America/Belize posix/America/Anguilla

posix/America/Maceio posix/America/Anchorage posix/America/Dominica

posix/America/Costa_Rica posix/America/Chicago posix/America/St_Kitts

posix/America/Pangnirtung posix/America/Louisville posix/America/Toronto

posix/America/Bogota posix/America/Menomine posix/America/Porto_Acre


e

posix/America/Blanc- posix/America/Jujuy posix/America/Bahia


Sablon

posix/America/Santo_ posix/America/Eirunepe posix/America/Indiana/


Domingo Marengo

posix/America/Indiana/ posix/America/Indiana/ posix/America/Indiana/Ve


Petersburg Indianapolis vay

posix/America/Indiana/ posix/America/Indiana/Wi posix/America/Indiana/


Tell_City namac Vincennes

posix/America/Indiana/Kno posix/America/Cayenne posix/America/Virgin


x

posix/America/Guatemala posix/America/Whitehors posix/America/Ojinaga


e

posix/America/Cayman posix/America/Mendoza posix/America/Noronha

posix/America/Cancun posix/America/Glace_ posix/America/Port_of_


Bay Spain

posix/America/Iqaluit posix/America/Fort_ posix/America/Merida


Wayne

posix/America/Detroit posix/America/Tijuana posix/America/Metlakatla

posix/America/Managua posix/America/La_Paz posix/America/Montreal

posix/America/Jamaica posix/America/Marigot posix/America/Catamarca

Privileged Threat Analytics


135 Time Zones

posix/America/Cordoba posix/America/Guyana posix/America/Asuncion

posix/America/Guadeloupe posix/America/Denver posix/America/Atka

posix/America/Chihuahua posix/America/Boa_Vista posix/America/Grenada

posix/GMT-0 posix/Kwajalein posix/Arctic/Longyearbyen

posix/PST8PDT posix/Australia/North posix/Australia/ACT

posix/Australia/Lord_Howe posix/Australia/NSW posix/Australia/Darwin

posix/Australia/Currie posix/Australia/Melbourne posix/Australia/Lindeman

posix/Australia/Queensland posix/Australia/Victoria posix/Australia/Canberra

posix/Australia/West posix/Australia/Broken_ posix/Australia/Hobart


Hill

posix/Australia/LHI posix/Australia/Yancowin posix/Australia/Eucla


na

posix/Australia/South posix/Australia/Tasmania posix/Australia/Brisbane

posix/Australia/Adelaide posix/Australia/Sydney posix/Australia/Perth

posix/GB-Eire posix/Europe/Riga posix/Europe/Luxembourg

posix/Europe/Kaliningrad posix/Europe/Andorra posix/Europe/Kiev

posix/Europe/Malta posix/Europe/Lisbon posix/Europe/Sofia

posix/Europe/Samara posix/Europe/Brussels posix/Europe/Prague

posix/Europe/Bratislava posix/Europe/Minsk posix/Europe/Amsterdam

posix/Europe/Paris posix/Europe/Zaporozhye posix/Europe/Chisinau

posix/Europe/Isle_of_Man posix/Europe/Madrid posix/Europe/Istanbul

posix/Europe/Tiraspol posix/Europe/Belgrade posix/Europe/London

posix/Europe/Tallinn posix/Europe/Vilnius posix/Europe/Warsaw

posix/Europe/San_Marino posix/Europe/Podgorica posix/Europe/Copenhagen

posix/Europe/Zurich posix/Europe/Mariehamn posix/Europe/Monaco

posix/Europe/Jersey posix/Europe/Skopje posix/Europe/Gibraltar

posix/Europe/Nicosia posix/Europe/Belfast posix/Europe/Zagreb

posix/Europe/Volgograd posix/Europe/Athens posix/Europe/Berlin

posix/Europe/Budapest posix/Europe/Dublin posix/Europe/Moscow

posix/Europe/Bucharest posix/Europe/Vatican posix/Europe/Stockholm

posix/Europe/Oslo posix/Europe/Tirane posix/Europe/Vienna

posix/Europe/Sarajevo posix/Europe/Uzhgorod posix/Europe/Rome

posix/Europe/Guernsey posix/Europe/Ljubljana posix/Europe/Simferopol

posix/Europe/Vaduz posix/Europe/Helsinki posix/Egypt

Privileged Threat Analytics


PTA Installation Guide 136

posix/Navajo posix/PRC posix/Jamaica

posix/ROK posix/GMT posix/Etc/GMT-9

posix/Etc/GMT-2 posix/Etc/GMT+9 posix/Etc/GMT-4

posix/Etc/GMT+8 posix/Etc/GMT+10 posix/Etc/GMT-5

posix/Etc/GMT+1 posix/Etc/GMT+6 posix/Etc/GMT-6

posix/Etc/Greenwich posix/Etc/Zulu posix/Etc/GMT-11

posix/Etc/GMT-7 posix/Etc/GMT-10 posix/Etc/GMT-14

posix/Etc/UTC posix/Etc/Universal posix/Etc/GMT-8

posix/Etc/UCT posix/Etc/GMT+2 posix/Etc/GMT+0

posix/Etc/GMT0 posix/Etc/GMT+3 posix/Etc/GMT+5

posix/Etc/GMT+12 posix/Etc/GMT-3 posix/Etc/GMT-0

posix/Etc/GMT-13 posix/Etc/GMT+4 posix/Etc/GMT-12

posix/Etc/GMT+7 posix/Etc/GMT+11 posix/Etc/GMT-1

posix/Etc/GMT posix/W-SU posix/CET

posix/Cuba posix/Antarctica/McMurd posix/Antarctica/Davis


o

posix/Antarctica/South_ posix/Antarctica/Casey posix/Antarctica/Vostok


Pole

posix/Antarctica/Syowa posix/Antarctica/Rothera posix/Antarctica/Mawson

posix/Antarctica/Macquarie posix/Antarctica/Palmer posix/Antarctica/


DumontDUrville

posix/Pacific/Chuuk posix/Pacific/Noumea posix/Pacific/Saipan

posix/Pacific/Pitcairn posix/Pacific/Marquesas posix/Pacific/Fiji

posix/Pacific/Tahiti posix/Pacific/Majuro posix/Pacific/Funafuti

posix/Pacific/Yap posix/Pacific/Midway posix/Pacific/Palau

posix/Pacific/Rarotonga posix/Pacific/Chatham posix/Pacific/Auckland

posix/Pacific/Guam posix/Pacific/Tarawa posix/Pacific/Truk

posix/Pacific/Apia posix/Pacific/Efate posix/Pacific/Norfolk

posix/Pacific/Nauru posix/Pacific/Johnston posix/Pacific/Wallis

posix/Pacific/Niue posix/Pacific/Ponape posix/Pacific/Kiritimati

posix/Pacific/Pohnpei posix/Pacific/Enderbury posix/Pacific/Port_


Moresby

posix/Pacific/Galapagos posix/Pacific/Tongatapu posix/Pacific/Gambier

posix/Pacific/Guadalcanal posix/Pacific/Pago_Pago posix/Pacific/Kwajalein

Privileged Threat Analytics


137 Time Zones

posix/Pacific/Wake posix/Pacific/Fakaofo posix/Pacific/Kosrae

posix/Pacific/Easter posix/Pacific/Samoa posix/Pacific/Honolulu

posix/Portugal CST6CDT US/Alaska

US/Indiana-Starke US/Central US/Michigan

US/Aleutian US/East-Indiana US/Eastern

US/Pacific-New US/Hawaii US/Mountain

US/Arizona US/Samoa US/Pacific

MST GMT+0 ROC

Singapore Turkey GMT0

Poland posixrules right/EST5EDT

right/MET right/WET right/GB

right/Iran right/Mexico/BajaSur right/Mexico/BajaNorte

right/Mexico/General right/Israel right/NZ

right/Asia/Macao right/Asia/Irkutsk right/Asia/Shanghai

right/Asia/Chongqing right/Asia/Anadyr right/Asia/Hovd

right/Asia/Urumqi right/Asia/Harbin right/Asia/Thimphu

right/Asia/Bishkek right/Asia/Dhaka right/Asia/Hong_Kong

right/Asia/Jakarta right/Asia/Vientiane right/Asia/Pyongyang

right/Asia/Baghdad right/Asia/Gaza right/Asia/Samarkand

right/Asia/Tashkent right/Asia/Beirut right/Asia/Oral

right/Asia/Jerusalem right/Asia/Calcutta right/Asia/Tokyo

right/Asia/Taipei right/Asia/Omsk right/Asia/Dushanbe

right/Asia/Kolkata right/Asia/Brunei right/Asia/Dili

right/Asia/Istanbul right/Asia/Baku right/Asia/Ashgabat

right/Asia/Jayapura right/Asia/Colombo right/Asia/Tbilisi

right/Asia/Ulan_Bator right/Asia/Kuching right/Asia/Novosibirsk

right/Asia/Phnom_Penh right/Asia/Novokuznetsk right/Asia/Ujung_Pandang

right/Asia/Thimbu right/Asia/Ashkhabad right/Asia/Bahrain

right/Asia/Vladivostok right/Asia/Kamchatka right/Asia/Seoul

right/Asia/Chungking right/Asia/Sakhalin right/Asia/Aqtau

right/Asia/Magadan right/Asia/Kuwait right/Asia/Singapore

right/Asia/Kuala_Lumpur right/Asia/Amman right/Asia/Kathmandu

right/Asia/Krasnoyarsk right/Asia/Rangoon right/Asia/Pontianak

Privileged Threat Analytics


PTA Installation Guide 138

right/Asia/Dubai right/Asia/Yekaterinburg right/Asia/Yakutsk

right/Asia/Aden right/Asia/Aqtobe right/Asia/Qatar

right/Asia/Muscat right/Asia/Nicosia right/Asia/Qyzylorda

right/Asia/Macau right/Asia/Hebron right/Asia/Kabul

right/Asia/Choibalsan right/Asia/Riyadh87 right/Asia/Tel_Aviv

right/Asia/Saigon right/Asia/Yerevan right/Asia/Kashgar

right/Asia/Manila right/Asia/Ulaanbaatar right/Asia/Makassar

right/Asia/Riyadh89 right/Asia/Ho_Chi_Minh right/Asia/Dacca

right/Asia/Bangkok right/Asia/Riyadh right/Asia/Tehran

right/Asia/Damascus right/Asia/Katmandu right/Asia/Karachi

right/Asia/Almaty right/Asia/Riyadh88 right/Canada/East-


Saskatchewan

right/Canada/Central right/Canada/Newfoundla right/Canada/Atlantic


nd

right/Canada/Eastern right/Canada/Yukon right/Canada/Mountain

right/Canada/Pacific right/Canada/Saskatche right/Greenwich


wan

right/Africa/Accra right/Africa/Khartoum right/Africa/Kigali

right/Africa/Bangui right/Africa/Timbuktu right/Africa/Juba

right/Africa/Ouagadougou right/Africa/Dar_es_ right/Africa/Monrovia


Salaam

right/Africa/Maputo right/Africa/Tripoli right/Africa/Windhoek

right/Africa/Bissau right/Africa/Ndjamena right/Africa/Asmera

right/Africa/Lome right/Africa/Ceuta right/Africa/Blantyre

right/Africa/Cairo right/Africa/Tunis right/Africa/Mbabane

right/Africa/Porto-Novo right/Africa/Bamako right/Africa/Nouakchott

right/Africa/Maseru right/Africa/Niamey right/Africa/Nairobi

right/Africa/Algiers right/Africa/Johannesburg right/Africa/Lagos

right/Africa/Kinshasa right/Africa/Gaborone right/Africa/Banjul

right/Africa/Brazzaville right/Africa/Sao_Tome right/Africa/Mogadishu

right/Africa/Djibouti right/Africa/Luanda right/Africa/Casablanca

right/Africa/Addis_Ababa right/Africa/Douala right/Africa/Lusaka

right/Africa/Conakry right/Africa/Abidjan right/Africa/Freetown

right/Africa/Malabo right/Africa/Dakar right/Africa/Asmara

Privileged Threat Analytics


139 Time Zones

right/Africa/Libreville right/Africa/Bujumbura right/Africa/Lubumbashi

right/Africa/Harare right/Africa/Kampala right/Africa/El_Aaiun

right/Zulu right/Japan right/Indian/Maldives

right/Indian/Antananarivo right/Indian/Chagos right/Indian/Reunion

right/Indian/Mayotte right/Indian/Christmas right/Indian/Mauritius

right/Indian/Kerguelen right/Indian/Mahe right/Indian/Cocos

right/Indian/Comoro right/NZ-CHAT right/Eire

right/UTC right/Universal right/EET

right/Brazil/Acre right/Brazil/West right/Brazil/East

right/Brazil/DeNoronha right/MST7MDT right/Mideast/Riyadh87

right/Mideast/Riyadh89 right/Mideast/Riyadh88 right/Libya

right/EST right/UCT right/Atlantic/St_Helena

right/Atlantic/South_ right/Atlantic/Canary right/Atlantic/Cape_Verde


Georgia

right/Atlantic/Faroe right/Atlantic/Azores right/Atlantic/Jan_Mayen

right/Atlantic/Reykjavik right/Atlantic/Faeroe right/Atlantic/Bermuda

right/Atlantic/Madeira right/Atlantic/Stanley right/HST

right/Hongkong right/CST6CDT right/US/Alaska

right/US/Indiana-Starke right/US/Central right/US/Michigan

right/US/Aleutian right/US/East-Indiana right/US/Eastern

right/US/Pacific-New right/US/Hawaii right/US/Mountain

right/US/Arizona right/US/Samoa right/US/Pacific

right/MST right/GMT+0 right/ROC

right/Singapore right/Turkey right/GMT0

right/Poland right/Chile/Continental right/Chile/EasterIsland

right/Iceland right/America/Antigua right/America/Swift_


Current

right/America/Inuvik right/America/Juneau right/America/Porto_Velho

right/America/Sao_Paulo right/America/Cuiaba right/America/Santarem

right/America/Buenos_Aires right/America/Lima right/America/Recife

right/America/Lower_ right/America/Panama right/America/


Princes Cambridge_Bay

right/America/Montevideo right/America/Argentina/ right/America/Argentina/


Buenos_Aires Salta

right/America/Argentina/ right/America/Argentina/ right/America/Argentina/

Privileged Threat Analytics


PTA Installation Guide 140

San_Juan ComodRivadavia  Tucuman

right/America/Argentina/ right/America/Argentina/ right/America/Argentina/


San_Luis Ushuaia Jujuy

right/America/Argentina/ right/America/Argentina/ right/America/Argentina/


Rio_Gallegos Mendoza La_Rioja

right/America/Argentina/Cat right/America/Argentina/ right/America/Nassau


amarca Cordoba

right/America/Shiprock right/America/Manaus right/America/Rosario

right/America/Nome right/America/Danmarksh right/America/Resolute


avn

right/America/Rio_Branco right/America/Vancouver right/America/


Campo_Grande

right/America/Ensenada right/America/Belem right/America/Rankin_Inlet

right/America/Thunder_Bay right/America/St_Thomas right/America/St_Vincent

right/America/North_ right/America/North_ right/America/North_


Dakota/ Dakota/ Dakota/Beulah
New_Salem Center

right/America/Dawson right/America/Fortaleza right/America/Monterrey

right/America/Montserrat right/America/Sitka right/America/Atikokan

right/America/Regina right/America/Winnipeg right/America/Paramaribo

right/America/Rainy_River right/America/Mazatlan right/America/Edmonton

right/America/Port-au- right/America/Moncton right/America/Mexico_City


Prince

right/America/Matamoros right/America/Nipigon right/America/Indianapolis

right/America/Los_Angeles right/America/New_York right/America/El_Salvador

right/America/Coral_ right/America/Miquelon right/America/Tortola


Harbour

right/America/Kralendijk right/America/Knox_IN right/America/Goose_Bay

right/America/Curacao right/America/Santa_ right/America/Dawson_


Isabel Creek

right/America/Tegucigalpa right/America/Barbados right/America/Godthab

right/America/Caracas right/America/Puerto_ right/America/Santiago


Rico

right/America/St_Johns right/America/St_ right/America/Aruba


Barthelemy

right/America/Martinique right/America/St_Lucia right/America/Phoenix

right/America/Yakutat right/America/Hermosillo right/America/Kentucky/


Louisville

Privileged Threat Analytics


141 Time Zones

right/America/Kentucky/ right/America/Bahia_ right/America/Thule


Monticello Banderas

right/America/Yellowknife right/America/Havana right/America/Scoresbysu


nd

right/America/Halifax right/America/Adak right/America/Creston

right/America/Boise right/America/Grand_Turk right/America/Araguaina

right/America/Guayaquil right/America/Belize right/America/Anguilla

right/America/Maceio right/America/Anchorage right/America/Dominica

right/America/Costa_Rica right/America/Chicago right/America/St_Kitts

right/America/Pangnirtung right/America/Louisville right/America/Toronto

right/America/Bogota right/America/Menominee right/America/Porto_Acre

right/America/Blanc-Sablon right/America/Jujuy right/America/Bahia

right/America/Santo_ right/America/Eirunepe right/America/Indiana/


Domingo Marengo

right/America/Indiana/ right/America/Indiana/ right/America/Indiana/Vev


Petersburg Indianapolis ay

right/America/Indiana/ right/America/Indiana/Wi right/America/Indiana/


Tell_City namac Vincennes

right/America/Indiana/Knox right/America/Cayenne right/America/Virgin

right/America/Guatemala right/America/Whitehorse right/America/Ojinaga

right/America/Cayman right/America/Mendoza right/America/Noronha

right/America/Cancun right/America/Glace_Bay right/America/Port_of_


Spain

right/America/Iqaluit right/America/Fort_ right/America/Merida


Wayne

right/America/Detroit right/America/Tijuana right/America/Metlakatla

right/America/Managua right/America/La_Paz right/America/Montreal

right/America/Jamaica right/America/Marigot right/America/Catamarca

right/America/Cordoba right/America/Guyana right/America/Asuncion

right/America/Guadeloupe right/America/Denver right/America/Atka

right/America/Chihuahua right/America/Boa_Vista right/America/Grenada

right/GMT-0 right/Kwajalein right/Arctic/Longyearbyen

right/PST8PDT right/Australia/North right/Australia/ACT

right/Australia/Lord_Howe right/Australia/NSW right/Australia/Darwin

right/Australia/Currie right/Australia/Melbourne right/Australia/Lindeman

Privileged Threat Analytics


PTA Installation Guide 142

right/Australia/Queensland right/Australia/Victoria right/Australia/Canberra

right/Australia/West right/Australia/Broken_ right/Australia/Hobart


Hill

right/Australia/LHI right/Australia/Yancowinn right/Australia/Eucla


a

right/Australia/South right/Australia/Tasmania right/Australia/Brisbane

right/Australia/Adelaide right/Australia/Sydney right/Australia/Perth

right/GB-Eire right/Europe/Riga right/Europe/Luxembourg

right/Europe/Kaliningrad right/Europe/Andorra right/Europe/Kiev

right/Europe/Malta right/Europe/Lisbon right/Europe/Sofia

right/Europe/Samara right/Europe/Brussels right/Europe/Prague

right/Europe/Bratislava right/Europe/Minsk right/Europe/Amsterdam

right/Europe/Paris right/Europe/Zaporozhye right/Europe/Chisinau

right/Europe/Isle_of_Man right/Europe/Madrid right/Europe/Istanbul

right/Europe/Tiraspol right/Europe/Belgrade right/Europe/London

right/Europe/Tallinn right/Europe/Vilnius right/Europe/Warsaw

right/Europe/San_Marino right/Europe/Podgorica right/Europe/Copenhagen

right/Europe/Zurich right/Europe/Mariehamn right/Europe/Monaco

right/Europe/Jersey right/Europe/Skopje right/Europe/Gibraltar

right/Europe/Nicosia right/Europe/Belfast right/Europe/Zagreb

right/Europe/Volgograd right/Europe/Athens right/Europe/Berlin

right/Europe/Budapest right/Europe/Dublin right/Europe/Moscow

right/Europe/Bucharest right/Europe/Vatican right/Europe/Stockholm

right/Europe/Oslo right/Europe/Tirane right/Europe/Vienna

right/Europe/Sarajevo right/Europe/Uzhgorod right/Europe/Rome

right/Europe/Guernsey right/Europe/Ljubljana right/Europe/Simferopol

right/Europe/Vaduz right/Europe/Helsinki right/Egypt

right/Navajo right/PRC right/Jamaica

right/ROK right/GMT right/Etc/GMT-9

right/Etc/GMT-2 right/Etc/GMT+9 right/Etc/GMT-4

right/Etc/GMT+8 right/Etc/GMT+10 right/Etc/GMT-5

right/Etc/GMT+1 right/Etc/GMT+6 right/Etc/GMT-6

right/Etc/Greenwich right/Etc/Zulu right/Etc/GMT-11

right/Etc/GMT-7 right/Etc/GMT-10 right/Etc/GMT-14

Privileged Threat Analytics


143 Time Zones

right/Etc/UTC right/Etc/Universal right/Etc/GMT-8

right/Etc/UCT right/Etc/GMT+2 right/Etc/GMT+0

right/Etc/GMT0 right/Etc/GMT+3 right/Etc/GMT+5

right/Etc/GMT+12 right/Etc/GMT-3 right/Etc/GMT-0

right/Etc/GMT-13 right/Etc/GMT+4 right/Etc/GMT-12

right/Etc/GMT+7 right/Etc/GMT+11 right/Etc/GMT-1

right/Etc/GMT right/W-SU right/CET

right/Cuba right/Antarctica/McMurdo right/Antarctica/Davis

right/Antarctica/South_Pole right/Antarctica/Casey right/Antarctica/Vostok

right/Antarctica/Syowa right/Antarctica/Rothera right/Antarctica/Mawson

right/Antarctica/Macquarie right/Antarctica/Palmer right/Antarctica/


DumontDUrville

right/Pacific/Chuuk right/Pacific/Noumea right/Pacific/Saipan

right/Pacific/Pitcairn right/Pacific/Marquesas right/Pacific/Fiji

right/Pacific/Tahiti right/Pacific/Majuro right/Pacific/Funafuti

right/Pacific/Yap right/Pacific/Midway right/Pacific/Palau

right/Pacific/Rarotonga right/Pacific/Chatham right/Pacific/Auckland

right/Pacific/Guam right/Pacific/Tarawa right/Pacific/Truk

right/Pacific/Apia right/Pacific/Efate right/Pacific/Norfolk

right/Pacific/Nauru right/Pacific/Johnston right/Pacific/Wallis

right/Pacific/Niue right/Pacific/Ponape right/Pacific/Kiritimati

right/Pacific/Pohnpei right/Pacific/Enderbury right/Pacific/Port_Moresby

right/Pacific/Galapagos right/Pacific/Tongatapu right/Pacific/Gambier

right/Pacific/Guadalcanal right/Pacific/Pago_Pago right/Pacific/Kwajalein

right/Pacific/Wake right/Pacific/Fakaofo right/Pacific/Kosrae

right/Pacific/Easter right/Pacific/Samoa right/Pacific/Honolulu

right/Portugal Chile/Continental Chile/EasterIsland

Iceland zone.tab America/Antigua

America/Swift_Current America/Inuvik America/Juneau

America/Porto_Velho America/Sao_Paulo America/Cuiaba

America/Santarem America/Buenos_Aires America/Lima

America/Recife America/Lower_Princes America/Panama

America/Cambridge_Bay America/Montevideo America/Argentina/


Buenos_Aires

Privileged Threat Analytics


PTA Installation Guide 144

America/Argentina/Salta America/Argentina/San_ America/Argentina/


Juan ComodRivadavia

America/Argentina/Tucuma America/Argentina/San_ America/Argentina/Ushuai


n Luis a

America/Argentina/Jujuy America/Argentina/Rio_ America/Argentina/Mendo


Gallegos za

America/Argentina/La_Rioja America/Argentina/Cata America/Argentina/Cordob


marca a

America/Nassau America/Shiprock America/Manaus

America/Rosario America/Nome America/Danmarkshavn

America/Resolute America/Rio_Branco America/Vancouver

America/Campo_Grande America/Ensenada America/Belem

America/Rankin_Inlet America/Thunder_Bay America/St_Thomas

America/St_Vincent America/North_Dakota/ America/North_Dakota/


New_Salem Center

America/North_ America/Dawson America/Fortaleza


Dakota/Beulah

America/Monterrey America/Montserrat America/Sitka

America/Atikokan America/Regina America/Winnipeg

America/Paramaribo America/Rainy_River America/Mazatlan

America/Edmonton America/Port-au-Prince America/Moncton

America/Mexico_City America/Matamoros America/Nipigon

America/Indianapolis America/Los_Angeles America/New_York

America/El_Salvador America/Coral_Harbour America/Miquelon

America/Tortola America/Kralendijk America/Knox_IN

America/Goose_Bay America/Curacao America/Santa_Isabel

America/Dawson_Creek America/Tegucigalpa America/Barbados

America/Godthab America/Caracas America/Puerto_Rico

America/Santiago America/St_Johns America/St_Barthelemy

America/Aruba America/Martinique America/St_Lucia

America/Phoenix America/Yakutat America/Hermosillo

America/Kentucky/Louisvill America/Kentucky/Monti America/Bahia_Banderas


e cello

America/Thule America/Yellowknife America/Havana

America/Scoresbysund America/Halifax America/Adak

Privileged Threat Analytics


145 Time Zones

America/Creston America/Boise America/Grand_Turk

America/Araguaina America/Guayaquil America/Belize

America/Anguilla America/Maceio America/Anchorage

America/Dominica America/Costa_Rica America/Chicago

America/St_Kitts America/Pangnirtung America/Louisville

America/Toronto America/Bogota America/Menominee

America/Porto_Acre America/Blanc-Sablon America/Jujuy

America/Bahia America/Santo_Domingo America/Eirunepe

America/Indiana/Marengo America/Indiana/Petersb America/Indiana/Indianapo


urg lis

America/Indiana/Vevay America/Indiana/Tell_City America/Indiana/Winamac

America/Indiana/Vincennes America/Indiana/Knox America/Cayenne

America/Virgin America/Guatemala America/Whitehorse

America/Ojinaga America/Cayman America/Mendoza

America/Noronha America/Cancun America/Glace_Bay

America/Port_of_Spain America/Iqaluit America/Fort_Wayne

America/Merida America/Detroit America/Tijuana

America/Metlakatla America/Managua America/La_Paz

America/Montreal America/Jamaica America/Marigot

America/Catamarca America/Cordoba America/Guyana

America/Asuncion America/Guadeloupe America/Denver

America/Atka America/Chihuahua America/Boa_Vista

America/Grenada GMT-0 Kwajalein

Arctic/Longyearbyen PST8PDT Australia/North

Australia/ACT Australia/Lord_Howe Australia/NSW

Australia/Darwin Australia/Currie Australia/Melbourne

Australia/Lindeman Australia/Queensland Australia/Victoria

Australia/Canberra Australia/West Australia/Broken_Hill

Australia/Hobart Australia/LHI Australia/Yancowinna

Australia/Eucla Australia/South Australia/Tasmania

Australia/Brisbane Australia/Adelaide Australia/Sydney

Australia/Perth GB-Eire Europe/Riga

Europe/Luxembourg Europe/Kaliningrad Europe/Andorra

Europe/Kiev Europe/Malta Europe/Lisbon


Europe/Sofia Europe/Samara Europe/Brussels

Europe/Prague Europe/Bratislava Europe/Minsk

Europe/Amsterdam Europe/Paris Europe/Zaporozhye

Europe/Chisinau Europe/Isle_of_Man Europe/Madrid

Europe/Istanbul Europe/Tiraspol Europe/Belgrade

Europe/London Europe/Tallinn Europe/Vilnius

Europe/Warsaw Europe/San_Marino Europe/Podgorica

Europe/Copenhagen Europe/Zurich Europe/Mariehamn

Europe/Monaco Europe/Jersey Europe/Skopje

Europe/Gibraltar Europe/Nicosia Europe/Belfast

Europe/Zagreb Europe/Volgograd Europe/Athens

Europe/Berlin Europe/Budapest Europe/Dublin

Europe/Moscow Europe/Bucharest Europe/Vatican

Europe/Stockholm Europe/Oslo Europe/Tirane

Europe/Vienna Europe/Sarajevo Europe/Uzhgorod

Europe/Rome Europe/Guernsey Europe/Ljubljana

Europe/Simferopol Europe/Vaduz Europe/Helsinki

Egypt Navajo PRC

Jamaica ROK GMT

Etc/GMT-9 Etc/GMT-2 Etc/GMT+9

Etc/GMT-4 Etc/GMT+8 Etc/GMT+10

Etc/GMT-5 Etc/GMT+1 Etc/GMT+6

Etc/GMT-6 Etc/Greenwich Etc/Zulu

Etc/GMT-11 Etc/GMT-7 Etc/GMT-10

Etc/GMT-14 Etc/UTC Etc/Universal

Etc/GMT-8 Etc/UCT Etc/GMT+2

Etc/GMT+0 Etc/GMT0 Etc/GMT+3

Etc/GMT+5 Etc/GMT+12 Etc/GMT-3

Etc/GMT-0 Etc/GMT-13 Etc/GMT+4

Etc/GMT-12 Etc/GMT+7 Etc/GMT+11

Etc/GMT-1 Etc/GMT W-SU

CET Cuba Antarctica/McMurdo

Antarctica/Davis Antarctica/South_Pole Antarctica/Casey


Antarctica/Vostok Antarctica/Syowa Antarctica/Rothera

Antarctica/Mawson Antarctica/Macquarie Antarctica/Palmer

Antarctica/DumontDUrville Pacific/Chuuk Pacific/Noumea

Pacific/Saipan Pacific/Pitcairn Pacific/Marquesas

Pacific/Fiji Pacific/Tahiti Pacific/Majuro

Pacific/Funafuti Pacific/Yap Pacific/Midway

Pacific/Palau Pacific/Rarotonga Pacific/Chatham

Pacific/Auckland Pacific/Guam Pacific/Tarawa

Pacific/Truk Pacific/Apia Pacific/Efate

Pacific/Norfolk Pacific/Nauru Pacific/Johnston

Pacific/Wallis Pacific/Niue Pacific/Ponape

Pacific/Kiritimati Pacific/Pohnpei Pacific/Enderbury

Pacific/Port_Moresby Pacific/Galapagos Pacific/Tongatapu

Pacific/Gambier Pacific/Guadalcanal Pacific/Pago_Pago

Pacific/Kwajalein Pacific/Wake Pacific/Fakaofo

Pacific/Kosrae Pacific/Easter Pacific/Samoa

Pacific/Honolulu Portugal iso3166.tab


Manually Extend the PTA VM Disk Space


The following steps are based on VMware KB 1006371. For more information, see
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1006371.

Note:
It is recommended to have a complete backup of the virtual machine before you make
these changes.

Extend the Logical Volume


To Extend the Storage allocated to the VM:
1. Check the current size of the disk, by running the following command:
fdisk -l

Check the output of the command, specifically the row that reads "Disk /dev/sda:
<SIZE_OF_DISK>".
2. Power off the virtual machine.
3. Edit the virtual machine settings and extend the virtual disk size. For more
information, see the VMWare KB 1004047, 'Increasing the size of a virtual disk'.
4. Power on the virtual machine.
5. Confirm the new size of the disk, by running the following command:
fdisk -l

To Create a New Primary Partition:


1. Run the following command:
fdisk /dev/sda

a. Press p to print the partition table and identify the number of partitions. By default
there are three partitions: sda1, sda2 and sda3.
b. Press n to create a new primary partition.
c. Press p for primary.
d. Press 4 for the partition number (depending on the output of the partition table
print).
e. Press Enter twice.
f. Press t to change a partition's system ID.
g. Press 4 to select the newly created partition.
h. Type 8e to set the partition's hex code to Linux LVM.
i. Press w to write the changes to the partition table.
2. Restart the virtual machine, by running the following command:
reboot

3. Verify that the changes were saved to the partition table and that the new partition
has an 8e type, by running the following command:
fdisk -l

Make sure that the new partition, /dev/sda4, was added to the list.
4. Convert the new partition to a physical volume, by running the following command:
pvcreate /dev/sda4

Note:
The partition number may differ, depending on the system setup. Use the partition
number that you created in step 1.

5. Add the new physical volume to the volume group, by running the following command:
vgextend vg_centos64bitbase /dev/sda4

6. Check how many physical extents are free in the Volume Group, by running
the following command:
vgdisplay vg_centos64bitbase | grep "Free"

7. Extend the Logical Volume, by running the following command:
lvextend -L+#G /dev/vg_centos64bitbase/lv_root

Note:
# represents the amount of free space in GB that is available according to the previous
command. Use the full number output from step 6, including any decimals.
To determine which logical volume to extend, use the command lvdisplay.

8. Expand the filesystem online, inside the Logical Volume, by running the following
command:
resize2fs /dev/vg_centos64bitbase/lv_root

9. Verify that the / filesystem has the new space available, by running the following
command:
df -h /
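As an added example that is not part of the PTA guide, the following POSIX shell helper works from captured `fdisk -l` and `vgdisplay` output: it confirms that the new partition carries type 8e before pvcreate (step 3) and derives the -L+#G argument for lvextend in step 7 from the free space reported in step 6. The tool outputs are constructed samples; the volume group and logical volume names are the guide's.

```shell
#!/bin/sh
# Pre-flight helper for the LVM extension procedure (added example, not from the PTA guide).
# Parses `fdisk -l` and `vgdisplay` output to check the partition type and size the lvextend.

# Constructed `fdisk -l` partition table excerpt, after writing /dev/sda4 with type 8e.
FDISK_SAMPLE='   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          64      512000   83  Linux
/dev/sda2              64        2611    20458496   8e  Linux LVM
/dev/sda3            2611        2612        8192   83  Linux
/dev/sda4            2612        3916    10474240   8e  Linux LVM'

# Constructed `vgdisplay vg_centos64bitbase | grep "Free"` output after vgextend.
VG_FREE_SAMPLE='  Free  PE / Size       2557 / 9.99 GiB'

# Print the hex partition Id for a device; the optional boot flag "*" shifts the columns.
partition_type() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { if ($2 == "*") print $6; else print $5 }'
}

# Succeed only when the device is present and typed 8e (Linux LVM), as step 3 requires.
is_lvm_partition() {
    [ "$(partition_type "$1" "$2")" = "8e" ]
}

# Turn the "Free PE / Size" line into the lvextend size argument, keeping the decimals
# as the note under step 7 instructs. Fails when no free-space line or known unit is found.
lvextend_size_arg() {
    size=$(printf '%s\n' "$1" | awk '/Free +PE \/ Size/ { print $(NF-1) }')
    unit=$(printf '%s\n' "$1" | awk '/Free +PE \/ Size/ { print $NF }')
    case "$unit" in
        GiB) printf '%s\n' "-L+${size}G" ;;
        MiB) printf '%s\n' "-L+${size}M" ;;   # lvextend also accepts a MiB size
        *)   return 1 ;;
    esac
}

# Emit the commands for steps 7 and 8 once the partition check and size derivation pass.
plan_lv_extension() {
    dev="$1"; vg="$2"; lv="$3"; fdisk_out="$4"; free_line="$5"
    is_lvm_partition "$dev" "$fdisk_out" || { echo "$dev is not type 8e" >&2; return 1; }
    arg=$(lvextend_size_arg "$free_line") || { echo "no free space reported for $vg" >&2; return 1; }
    printf '%s\n' "lvextend $arg /dev/$vg/$lv" "resize2fs /dev/$vg/$lv"
}

plan_lv_extension /dev/sda4 vg_centos64bitbase lv_root "$FDISK_SAMPLE" "$VG_FREE_SAMPLE"
```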


PTA Windows Agents Benchmark Report

Benchmark Environment
Environment Topology
Our benchmark testing was performed within a customer-like environment, which
includes the PTA Server and a PTA Windows Agent running on a Domain Controller.
Tested Components
In the Performance Testing Environment, the following components were used:
■ 1 CyberArk PTA v3.6
■ 1 CyberArk PTA v3.6 PTA Windows Agent running on the Domain Controller
Following are measured results of performance testing of PTA Windows Agents,
performed in a PTA lab environment that implements CyberArk’s common customer
environment.
Server Specifications

Type              | OS                           | HW Details                                                   | HW Type
PTA               | CentOS 6.4 64bit             | Spec of the VM                                               | VM
Domain Controller | Windows Server 2012 R2 64bit | CPU: Intel Core i7 3.6 GHz, Memory: 2 GB, Disk Space: 500 GB | VM
Performance and Load Tests
In all the tests, the following scenario was used:
■ The PTA Windows Agents send only Kerberos events to the PTA Server.
■ PTA creates a security event for every 1000 Kerberos events.
■ The only data feed to PTA is the PTA Windows Agent.

PTA Server
ESXi spec: Dell Inc. PowerEdge M630, CPU: 20 CPUs x 2.294 GHz, Processor Type:
Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30 GHz.

Events per Second | CPU (cores) | Memory (GB) | Storage per Day (GB) | CPU Usage (%) | Memory Usage (%) | Static DCA Server Storage (GB)
300               | 2           | 8           | 70                   | ~12           | 60-70            | 99
600               | 4           | 16          | 125                  | ~24           | 55-65            | 99
900               | 8           | 32          | 185                  | ~35           | 40-50            | 99


PTA Windows Agent
Running on Windows Server 2012 R2, x64, VMware, 2 GB RAM, Intel Core i7 3.6 GHz, 2
cores.

Packets per Second | Memory Pool Size | CPU (cores) | Memory (GB) | CPU Usage Average (%) | Memory Usage (%) | Process Memory Usage Average (MB)
2,000              | 20,000           | 2           | 4           | 5                     | 22               | 200
2,000              | 20,000           | 4           | 4           | 0.3                   | 4                | 200
5,000              | 50,000           | 2           | 4           | 8                     | 28               | 440
5,000              | 50,000           | 4           | 4           | 0.4                   | 8                | 440
10,000             | 75,000           | 2           | 4           | 12                    | 39               | 580
10,000             | 75,000           | 4           | 4           | 0.4                   | 11               | 580

PTA Windows Agent Bandwidth Impact


The following table describes the maximal bandwidth caused by the PTA Windows Agent.
The maximum message length is 9,000 bytes and the calculated bandwidth is in megabits
per second, so for 1,000 events per second the bandwidth is 1,000 x 9,000 x 8 = 72
Mbps.

Events per Second | Average Message Length (bytes) | Bandwidth (Mbps)
1,000             | 9,000                          | 72
2,000             | 9,000                          | 144
5,000             | 9,000                          | 360

Conclusions
■ The PTA Windows Agent's impact on the Domain Controller is minimal, even for
heavily loaded Domain Controllers with very low specs.
■ As the PTA Server's resources increase, its ability to handle event loads increases.
■ The bandwidth impact of the communication between the PTA Windows Agent and
the PTA Server is limited, even for heavily loaded Domain Controllers.
