PTA System Requirements

3.9

Copyright © 1999-2017 CyberArk Software Ltd. All rights reserved.

This document contains information and ideas, which are proprietary to CyberArk
Software Ltd. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, without the prior written permission of CyberArk
Software Ltd.
PTASR003-9-0-1
2 Table of Contents

Table of Contents

System Requirements - Privileged Threat Analytics 3

System Requirements for PTA 4
Supported Browsers 4
IP Requirements 4
DNS Requirements 4
Domain Requirements (for Golden Ticket Detection only) 5
LDAP/S Requirements 5
System Requirements for PTA Windows Agent 5
Certificate Requirements 6
CyberArk Vault / PAS Compatibility 6
Supported Input Data Formats 6
PTA Port Usage 7
PTA Port Redirection Rules 7
PTA Port Usage: Incoming Fixed Ports 8
PTA Port Usage: Incoming Optional Ports 8
PTA Port Usage: Outgoing Fixed Ports 9
PTA Port Usage: Outgoing Optional Ports 9
System Requirements for PTA Network Sensor 10
PTA Network Sensor: Physical Hardware Requirements: Standard Configuration
(Recommended) 11
PTA Network Sensor: Physical Hardware Requirements: Lighter Configurations 12
PTA Network Sensor: VM Requirements: Standard Configuration
(Recommended) 13
PTA Network Sensor: VM Requirements: Lighter Configurations 14

Privileged Threat Analytics

 3

System Requirements - Privileged Threat

Analytics

The following sections describe the PTA system requirements:

■ System Requirements for PTA, page 4
■ Supported Browsers, page 4
■ IP Requirements, page 4
■ DNS Requirements, page 4
■ Domain Requirements (for Golden Ticket Detection only), page 5
■ LDAP/S Requirements, page 5
■ System Requirements for PTA Windows Agent, page 5
■ Certificate Requirements, page 6
■ CyberArk Vault / PAS Compatibility, page 6
■ Supported Input Data Formats, page 6
■ PTA Port Usage, page 7

Privileged Threat Analytics

PTA System Requirements 4

System Requirements for PTA

You will receive the PTA installation package from your CyberArk support
representative. It can be installed on the following platforms:
■ VMWare Player 6.x and above
■ VMWare Workstation 10.x and above
■ VMWare ESX/i 5.5 and above
■ Microsoft Hyper-V v6.3

Note:
Microsoft Hyper-V v6.3 can be installed on Windows Server 2008R2 or Windows Server
2012R2.

The PTA image must be installed on a dedicated machine that has access to the Vault, or
to the primary Vault in a distributed Vault environment, and also to either the
organizational SIEM solution, or UNIX inspected machines for syslogs.
The minimum requirements for installing this image on a VM machine are as follows:
■ 4 Core-CPU
■ 16 GB RAM memory
■ 500 GB hard disk storage

Supported Browsers
PTA currently supports the following browsers:
■ Internet Explorer 11.0 with Compatibility mode 9
■ Chrome - latest version
■ Firefox - latest version

IP Requirements
PTA requires an IP in one of the following forms:
■ Static Address: A static IP address.
■ DHCP: If the organization has a DHCP server which dynamically allocates IP
addresses, verify with the organization’s IT that the PTA machine’s IP address is
locked.

DNS Requirements
■ DNS: A DNS address record that maps the host name PTAServer to the IP address
of the PTA machine. The DNS configured in PTA must recognize all the machines

Privileged Threat Analytics

5 Domain Requirements (for Golden Ticket Detection only)

from which PTA will receive syslog messages. PTA requires both the Forward (A
record) and Reverse (PTR record) lookup.

Domain Requirements (for Golden Ticket Detection

only)
■ PTA supports detection of Golden Ticket attacks for domains.
■ The domains should be on Windows Server 2008 and above, with Function level
2003 and above.
■ This applies both to domains and sub-domains.

LDAP/S Requirements
LDAP: PTA can integrate with LDAP to:
■ Enable LDAP authentication
■ Broaden and increase the accuracy of PTA detections
In order to integrate PTA with LDAP, define a group name in PTA which has the same
name as the group sAMAccountName, which appears in Active Directory.

Note:
To integrate with LDAP over SSL, create a dedicated security Base-64 encoded X.509 certificate.
LDAP login and query permission are required for the bind user.
Currently, PTA only integrates with Microsoft Active Directory LDAP.

System Requirements for PTA Windows Agent

■ Server authentication requires that a third-party certificate or your company's
certificate is installed on your PTA Server machine.

Note:
Create a dedicated Base-64 encoded X.509 SSL certificate.

■ Client authentication requires a SHA-256 certificate issued for the Domain Controller
with the Microsoft Enhanced RSA and AES Cryptographic Provider CSP
enabled for the Template. This CSP is disabled by default.

Note:
Create a dedicated Base-64 encoded X.509 SSL certificate.

■ PTA Windows Agent works with the following Windows servers:

■ Windows 2008 R2 64-bit

Privileged Threat Analytics

PTA System Requirements 6

■ Windows 2012 R2 64-bit

■ Windows 2016 64-bit

Certificate Requirements
You can use the self-signed certificate created during PTA installation, or use your
organization's SSL certificate.
If you use your organization's SSL certificate:
■ The Certificate Signing Request (CSR) requires a Base-64 encoded X.509 SSL
certificate.
■ The SSL Certificate Chain requires a Base-64 encoded X.509 SSL certificate
■ The SSL Certificate Issuer Chain requires a Base-64 encoded X.509 SSL certificate

CyberArk Vault / PAS Compatibility

■ To integrate the Vault with SIEM and PTA, a CyberArk Vault version 7.2.5 or higher
is required.
■ To support automatic threat containment using PAS integration, for Overpass the
Hash attack and Suspected Credential Theft security events, CyberArk Vault
version 9.3 or higher is required.
■ To configure Golden Ticket detection, CyberArk Vault version 9.6 or higher is
required.
■ To support automatically adding unmanaged privileged accounts to the
pending accounts queue, CyberArk Vault version 9.7 or higher is required.
■ To configure more than one domain for Golden Ticket detection, CyberArk
Vault version 9.7 or higher is required.
■ To support the Privileged Session Management integration, CyberArk Vault and
PVWA version 9.8 or higher is required. Privileged Session Management integration
works with lower versions of CyberArk Vault, but without the ability to report
Privileged Session Analysis results to PVWA.
■ To support a distributed Vault environment, CyberArk Vault version 9.9.5 or higher is
required.
■ To support sending PTA alerts to the Vault, CyberArk Vault version 9.10 or higher is
required.
■ To support automatic session termination, the CyberArk Privileged Account Security
suite version 10.1 or higher is required.

Supported Input Data Formats

Following are general guidelines for the data sent to PTA:
■ PTA supports UTF-8 formatted data.

Privileged Threat Analytics

7 PTA Port Usage

■ Windows: The integration with Windows is based on authentication events 4624,

4723, and 4724. PTA supports this event type, which is supported in Windows 2003
and higher.

Note:
In order for PTA to monitor activity of privileged accounts in Windows machines,
Windows security events 4624, 4723, and 4724 from each monitored Windows
machine must be forwarded to the SIEM and from the SIEM to PTA.

■ Unix: When collecting syslogs directly from Unix machines, PAM Unix is supported.
PAM Unix is supported by multiple Unix flavors, such as Red Hat Linux, HP-UX, and
Solaris.
Supported PAM Unix events include accepted public key, accepted password, and
session open.
■ Database: Oracle logon events are supported.
■ Network Sensor: Traffic is received from domain controllers in the environment.
■ Vault: Specific events are accepted. Supported device types are operating system
and database.

PTA Port Usage

Use the following tables as guidelines for PTA port usage.
■ PTA Port Redirection Rules, page 7
■ PTA Port Usage: Incoming Fixed Ports, page 8
■ PTA Port Usage: Incoming Optional Ports, page 8
■ PTA Port Usage: Outgoing Fixed Ports, page 9
■ PTA Port Usage: Outgoing Optional Ports, page 9

Note:
All blocked communication is logged to /var/log/iptables.log .

PTA Port Redirection Rules

Use the following table for the PTA port re-directional rules.

Source Destination
# Protocol Description
Port Port

1. TCP 80 8080 Redirect HTTP/S default ports to the

Tomcat Web Server web ports
2. TCP 443 8443

Privileged Threat Analytics

PTA System Requirements 8

PTA Port Usage: Incoming Fixed Ports

The port numbers in the following table are fixed and cannot be changed.

# Protocol Port Description

1. TCP 80 Allow incoming HTTP communication for the

PTA web
2. TCP 8080 This is redirected to HTTPS by the Tomcat
Web Server

3. TCP 443 Allow incoming HTTPS communication for the

PTA web
4. TCP 8443

5. TCP 22 Allow remote access to the machine (SSH),

for both secure telnet and SFTP

6. UDP 67,68 Allow incoming data from the DHCP server

7. ICMP Echo Allow standard ICMP pings to this server

Request
Note:
Only echo-request is allowed

8. - - Allow all local traffic within the server

9. - - Allow replying to an already established

session

10. - - All other communication is logged and

rejected / dropped

PTA Port Usage: Incoming Optional Ports

The port numbers in the following table can be changed to different port numbers
according to the customer’s environment.

# Protocol Port Description

1. TCP 514, Allow incoming syslog messages (could be configured for

11514 authorized sources only for specific IP addresses)

2. UDP 514,
11514

3. TCP 6514, Allow incoming secure syslog messages for the

7514 PTA Windows Agent connection

Privileged Threat Analytics

9 PTA Port Usage

PTA Port Usage: Outgoing Fixed Ports

The port numbers in the following table are fixed and cannot be changed.

# Protocol Port Description

1. TCP 514 Allow sending syslog messages in port 514

2. UDP 514

TCP 80 Allow an outgoing HTTP connection to CyberArk

PVWA for a specific IP address

TCP 443 Allow an outgoing HTTPS connection to CyberArk

PVWA for a specific IP address

3. ICMP Echo Allow standard ICMP pings from this server

Request
Note:
Only echo-request is allowed

4. UDP 53 Allow outgoing DNS requests

5. UDP 123 Allow outgoing NTP requests

6. - - Allow all local traffic within the server

7. TCP/UDP Broadcast Allow broadcast (255.255.255.255) for outgoing

DHCP requests

8. - - Allow replying to an already established session

9. - - All other communication is logged and rejected /

dropped

PTA Port Usage: Outgoing Optional Ports

The port numbers in the following table can be changed to different port numbers
according to the customer’s environment.

# Protocol Port Description

1. TCP 25 Allow sending SMTP (email) messages for specific IP

address
2. TCP 587

3. TCP 3268, LDAP  for specific IP address

389

4. TCP 3269, LDAPS  for specific IP address

636

5. TCP/UDP 1858 Allow outgoing connection to the CyberArk Vault for

specific IP address

6. TCP/UDP <port> Outbound connection (SIEM integration) for specific port

and IP address

Privileged Threat Analytics

 10

System Requirements for PTA Network

Sensor

The PTA Network Sensor software can be installed on the following:

Hardware See Reference

Physical Refer to one of the following requirements lists:

server: ■ PTA Network Sensor: Physical Hardware Requirements: Standard
Configuration (Recommended), page 11
■ PTA Network Sensor: Physical Hardware Requirements: Lighter
Configurations, page 12

VM: Support VMware ESXi version 5.5 and higher, hardware version 8 and
higher.

Refer to one of the following requirements lists:

■ PTA Network Sensor: VM Requirements: Standard Configuration
(Recommended), page 13
■ PTA Network Sensor: VM Requirements: Lighter Configurations, page
14

Privileged Threat Analytics

PTA System Requirements 11

PTA Network Sensor: Physical Hardware

Requirements: Standard Configuration
(Recommended)
PTA Network Sensor software requires the following:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Physical
Requirement
Hardware

OS CentOS 7.2 64-bit "minimal installation" build 1611

RAM 8GB

CPU 8 cores

Hard Disk 250GB

Storage (SSD is recommended).

Management A NIC with a static IP address.

NIC

Traffic The physical or virtual network interface that listens to the network traffic.
Monitoring
NIC

NICs In order to optimize the PTA Network Sensor performance, it is

recommended to install an Intel NIC with one of the following chipsets:
■ 82540, 82545, 82546
■ 82571..82574, 82583, ICH8..ICH10, PCH..PCH2
■ 82575..82576, 82580, I210, I211, I350, I354, DH89xx
■ 82598..82599, X540, X550
■ X710, XL710

Privileged Threat Analytics

12 PTA Network Sensor: Physical Hardware Requirements: Lighter Configurations

PTA Network Sensor: Physical Hardware

Requirements: Lighter Configurations
In lighter environments, PTA Network Sensor software requires the following:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Physical
Requirement
Hardware

OS CentOS 7.2 64-bit "minimal installation" build 1611

RAM 4GB

CPU 4 cores

Hard Disk 80GB

Storage (SSD is recommended).

Management A NIC with a static IP address.

NIC

Traffic The physical or virtual network interface that listens to the network traffic.
Monitoring
NIC

NICs In order to optimize the PTA Network Sensor performance, it is

recommended to install an Intel NIC with one of the following chipsets:
■ 82540, 82545, 82546
■ 82571..82574, 82583, ICH8..ICH10, PCH..PCH2
■ 82575..82576, 82580, I210, I211, I350, I354, DH89xx
■ 82598..82599, X540, X550
■ X710, XL710

Privileged Threat Analytics

PTA System Requirements 13

PTA Network Sensor: VM Requirements: Standard

Configuration (Recommended)
IMPORTANT: Only the below configurations are supported!
PTA Network Sensor software requires the following VM requirements:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Virtual Machine Requirement

RAM 8GB

CPU 8 cores

Hard Disk 40GB

Storage (SSD is recommended).

VM ■ Use the ESXi setup to define the PTA Network Sensor VM as

High Priority.
■ Configure promiscuous mode or port mirroring on the ESXi
server.

VM Network VMXNET3
Driver

NICs Any NIC

Note:
It is recommended to run the PTA Network Sensor in the Standard recommended
configuration, in order to allow PTA to scale up to the expected network traffic load.

Privileged Threat Analytics

14 PTA Network Sensor: VM Requirements: Lighter Configurations

PTA Network Sensor: VM Requirements: Lighter

Configurations
IMPORTANT: Only the below configurations are supported!
In lighter environments, PTA Network Sensor software requires the following VM
requirements:

Note:
These are the minimum mandatory requirements. You must follow these requirements
when installing the PTA Network Sensor.

Virtual Machine Requirement

RAM 4 GB

CPU 4 cores

Hard Disk 40 GB
Storage (SSD is recommended).

VM ■ Use the ESXi setup to define the PTA Network Sensor VM as

High Priority.
■ Configure promiscuous mode or port mirroring on the ESXi
server.

VM Network VMXNET3
Driver

NICs Any NIC

Note:
It is recommended to run the PTA Network Sensor in the Standard recommended
configuration, in order to allow PTA to scale up to the expected network traffic load.

Privileged Threat Analytics