Privileged Threat Analytics (PTA)
Implementation Guide
3.95
Copyright © 1999-2018 CyberArk Software Ltd. All rights reserved.
This document contains information and ideas, which are proprietary to CyberArk
Software Ltd. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, without the prior written permission of CyberArk
Software Ltd.
PTAIMP003-95-0-1
Table of Contents
Introducing CyberArk PTA 4
What Detections Does PTA Report? 6
Use PTA for the First Time 10
Log on to PTA for the First Time 11
Upload the License File 13
Configure and Implement PTA 14
Configure LDAP 15
Create an Active Directory Query User for LDAP Users 15
Configure LDAP Connection Details 15
Configure LDAP Authentication to PTA (Optional) 17
Configure PTA for PAS Integration 18
Configure PTA for Privileged Session Manager (PSM) Integration 21
PTA and PSM Integration Architecture 21
Configure PTA for PSM Integration 22
Configure Suspicious Session Activities in PTA 23
Configure PTA for Endpoint Privilege Manager (EPM) Integration 25
Review the Golden Ticket and Network Sensors Configuration 27
Configure Privileged Users 27
Whitelist: Configure a List of Allowed Machines to Perform DC Replication 29
Configure PTA for Authorized Hosts 31
Configure PTA to Support Vault DR 33
Troubleshoot PTA Configuration 34
Use the PTA Utility for Troubleshooting 35
Use the diamond.log for Troubleshooting 35
Domain Controllers – View the List and Manage the Cache 46
Test the PTA Network Sensor Connection to the PTA Server 47
Reset PTA Network Sensor Connection with the PTA Server 47
Modify or Troubleshoot PTA Network Sensor Configurations 48
Troubleshoot PAS Integration 48
PTAAppUser is Suspended - Reactivate CasosService 49
Integrate PTA 51
Integrate PTA with PAS 52
CyberArk Vault / PAS Compatibility 52
Configure the Vault to Forward syslog Messages to PTA 53
Configure the PVWA for PTA Integration with PAS 55
Integrate PTA with PSM 56
Integrate PTA with EPM 57
Forward Log Data to PTA 58
Configure Windows Event Forwarder server to forward Windows events to PTA 59
Configure HP ArcSight to Forward syslog Messages to PTA 59
Configure Splunk to Forward syslog Messages to PTA 59
Configure QRadar to Forward syslog Messages to PTA 61
Configure LogRhythm to Forward syslog Messages to PTA 63
Configure RSA to Forward syslog Messages to PTA 63
Configure McAfee ESM to Forward syslog Messages to PTA 63
Configure UNIX Hosts to Forward syslog Messages to PTA 68
Send PTA Data 71
Send PTA syslog Records to SIEM 71
Send PTA Alerts to Email 77
Send PTA Alerts to the Vault 78
Use PTA 79
Access and Use PTA 80
Log on to PTA 81
Log off from PTA 82
Change your Password 82
Reset your Password 83
Manage your Password 83
Access PTA Information 85
Use and Understand the Dashboard 87
Select a Time Frame 88
View Current Incidents 88
View System Activities 90
View the Incident Summary 91
Close an Incident 93
View Privileged Related Risks 95
Generate Reports 103
Generate a PTA Report 103
Understanding the User Activities Report 105
Understanding the Privileged Threat Assessment Report 106
Manage PTA 114
Manage your License 115
View your License Settings 115
View License Usage 116
Upload a License 116
Updating an Expired License File 117
Use the Inclusion and Exclusion Lists 117
Run the PTA Management Utility 120
Other PTA Utilities 121
Logging 123
PTA Logging 123
PTA Windows Agent Logging 125
File Size and Rolling 126
Reset PTA to Clear All Data 126
Monitor PTA 127
Collect Data from PTA 128
Import PTA to a New Machine 129
Appendices 132
Configure System Properties 133
systemparm.properties 133
Configure Agent Properties 154
Time Zones 158
Introducing CyberArk PTA
Since privileged accounts are most often compromised as part of an attack, CyberArk
Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts
that are managed in the CyberArk Privileged Account Security (PAS) platform, as well as
accounts that are not yet managed by CyberArk, and looks for indications of abuse or
misuse of the CyberArk platform. PTA also looks for attackers who compromise
privileged accounts by running sophisticated attacks, such as Golden Ticket.
PTA is part of the CyberArk Privileged Account Security solution and provides an
additional security layer, which detects malicious activity caused by privileged accounts
and proactively contains in-progress attacks. PTA supports detection of malicious
activities in privileged accounts when authenticated either by passwords, or by SSH
Keys.
Using proprietary profiling algorithms, PTA distinguishes in real time between normal
and abnormal behavior, and raises an alert when abnormal activity is detected. This
gives the CISO a means to reduce the risk of insider threats, malware, targeted attacks
and APTs that use privileged accounts to carry out an attack, and significantly reduces
the ability of these threat actors to move through the environment unnoticed,
addressing one of the biggest risks to your organization.
Using deep packet inspection (DPI) on a tap of the organization's network, PTA can
deterministically detect and raise alerts on Kerberos attacks in real time.
PTA also proactively monitors critical privileged account related risks in the IT
environment that can be abused by an attacker. PTA sends alerts to the security team to
handle these risks before attackers abuse them.
PTA processes the network traffic and receives raw events from your organization’s
Vault, UNIX machines, and Windows machines, and receives additional inputs by
querying Active Directory, then detects security events in real time and sends them as
alerts by email, to the PTA’s proprietary dashboard, or to the SIEM dashboard.
In general, PTA does the following:
■ Detects privileged accounts related anomalies: Detect anomalies in the usage
of privileged accounts, such as usage that does not occur during the regular hours of
use.
■ Detects privileged accounts related security incidents: Detects security
incidents by running deep packet inspection and finding deterministic characteristics
of Kerberos attacks, and additional known attacks such as Golden Ticket and
Malicious Retrieval of Domain Accounts (DC Sync).
■ Detects privileged accounts related risks: Detects risks by monitoring and
alerting on critical risks in privileged accounts.
■ Contains security incidents: Generates actionable insights and supports rapid,
automatic containment of incidents in progress.
In order to pinpoint abnormal activities of privileged users, PTA employs various
statistical algorithms. These algorithms generate profiles of system activities, and
subsequent activities are searched for deviations from these profiles. Deviations that are
suspicious and pose a potential risk are classified as security incidents.
For Example: A user who connects to a remote machine during hours which are deemed
irregular (when compared to the specific user’s connectivity profile as learned by PTA),
or from an unfamiliar IP.
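The profiling idea above, as an added example that is not part of the original guide: a small Python script builds a per-user profile of the hours and source subnets seen in constructed Vault audit records, then flags new accesses at a never-seen hour or from a never-seen subnet (the page's detections 23 and 25). The record format, the /24 granularity, the 5-observation learning threshold and the one-hour window are assumptions of this example; PTA's own algorithms are proprietary and not reproduced.

```python
"""Toy per-user behaviour profile for Vault access (added example, not PTA code).

Assumptions: Vault audit records are available as (user, timestamp, source IP)
tuples; "irregular hour" means an hour (+/- 1) never seen for that user, and
"irregular IP" means a source /24 never seen for that user.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

MIN_OBSERVATIONS = 5  # below this the profile is still learning and never alerts

# Constructed sample learning data (not real audit output).
LEARNING_EVENTS = [
    ("alice", "2018-03-05 09:12:00", "10.1.2.15"),
    ("alice", "2018-03-05 11:40:00", "10.1.2.15"),
    ("alice", "2018-03-06 10:05:00", "10.1.2.20"),
    ("alice", "2018-03-06 14:30:00", "10.1.2.15"),
    ("alice", "2018-03-07 09:50:00", "10.1.2.15"),
    ("alice", "2018-03-07 16:10:00", "10.1.2.22"),
    ("alice", "2018-03-08 10:20:00", "10.1.2.15"),
    ("alice", "2018-03-08 15:45:00", "10.1.2.15"),
    ("bob",   "2018-03-05 22:10:00", "10.9.0.5"),
    ("bob",   "2018-03-06 23:00:00", "10.9.0.5"),
    ("bob",   "2018-03-07 22:40:00", "10.9.0.7"),
    ("bob",   "2018-03-08 01:15:00", "10.9.0.5"),
    ("bob",   "2018-03-08 23:30:00", "10.9.0.5"),
]

# Constructed events to evaluate against the learned profiles.
NEW_EVENTS = [
    ("alice", "2018-03-09 10:30:00", "10.1.2.15"),    # within alice's usual hours
    ("alice", "2018-03-10 02:45:00", "10.1.2.15"),    # 02:45 never seen for alice
    ("alice", "2018-03-10 10:15:00", "203.0.113.9"),  # unfamiliar source subnet
    ("bob",   "2018-03-09 22:30:00", "10.9.0.5"),     # night work is normal for bob
    ("carol", "2018-03-09 12:00:00", "10.5.5.5"),     # no profile yet: nothing to compare
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def subnet_of(ip):
    # Assumption: a /24 is a reasonable "familiar location" granularity.
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class UserProfile:
    def __init__(self):
        self.hours = Counter()   # hour of day -> number of accesses
        self.subnets = set()     # source /24s seen

    @property
    def observations(self):
        return sum(self.hours.values())

    def learn(self, when, ip):
        self.hours[when.hour] += 1
        self.subnets.add(subnet_of(ip))

    def irregular_hour(self, hour, window=1):
        if self.observations < MIN_OBSERVATIONS:
            return False
        seen = sum(self.hours[(hour + d) % 24] for d in range(-window, window + 1))
        return seen == 0

    def irregular_subnet(self, ip):
        if self.observations < MIN_OBSERVATIONS:
            return False
        return subnet_of(ip) not in self.subnets


def build_profiles(events):
    profiles = defaultdict(UserProfile)
    for user, ts, ip in events:
        profiles[user].learn(parse_ts(ts), ip)
    return profiles


def evaluate(profiles, events):
    """Return [(user, ts, ip, [flags])]. Each evaluated event is then learned,
    so the profile follows the user's behaviour over time."""
    findings = []
    for user, ts, ip in events:
        profile = profiles[user]
        when = parse_ts(ts)
        flags = []
        if profile.irregular_hour(when.hour):
            flags.append("irregular_hour")
        if profile.irregular_subnet(ip):
            flags.append("irregular_ip")
        findings.append((user, ts, ip, flags))
        profile.learn(when, ip)
    return findings


if __name__ == "__main__":
    for user, ts, ip, flags in evaluate(build_profiles(LEARNING_EVENTS), NEW_EVENTS):
        print(f"{user:6} {ts} {ip:14} {'ALERT ' + ','.join(flags) if flags else 'ok'}")
```

Note the result for carol: a user with no history produces no alert, so a newly created Vault user is invisible to this kind of profiling until enough baseline exists. That gap is one reason the deterministic detections listed below (the Kerberos attacks, DCSync) exist alongside behavioural profiling.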
In addition, PTA detects Kerberos attacks in real time. An attacker can use these
attacks for privilege escalation and to achieve persistence within the network.
For a complete list of PTA detections, indicators of compromise and their descriptions,
see What Detections Does PTA Report?, page 6.
All system activity and analysis is displayed in a dashboard that provides details about
current and past privileged accounts related incidents, latest privileged accounts related
risks, and a summary of system activity. The dashboard presents all this information in
multiple graphic analyses of system activity and security incidents that enable you to see
and understand system activity at a glance.
PTA detects different types of suspicious privileged account activity and ranks these
detections in terms of severity. It then classifies them in different risk levels. PTA also
correlates multiple security events that occur during a certain period and which are
related to each other, into one or more incidents, so that they tell a more comprehensive
story and enable initial investigation.
When PTA performs real-time data analysis, suspicious activities are displayed as
colored bubbles in the Incidents chart. The color of a bubble denotes its risk index,
and the higher a bubble appears in the chart, the higher the risk it reflects. For
further details, see Use and Understand the Dashboard, page 87.
PTA enables you to generate a high-level report of all incidents for a particular Vault user
during a specified period. The report gives you an immediate understanding of a user’s
profile (normal behavior), security events, and audit records over a given timeframe. For
further details, see Generate Reports, page 103.
What Detections Does PTA Report?
PTA reports multiple suspicious activities and indicators of compromise.
Event Name | Description | Detection / Required Sensor | Event Type ID
Suspected credentials theft | Detected when a user connects to a machine without first retrieving the required credentials from the Vault. | Logs, Vault | 21
Unmanaged privileged access | Detected when a connection to a machine is made with a privileged account that is not stored in the Vault. | Logs, Vault, AD (optional) | 22
Privileged access to the Vault during irregular hours | Detected when a user retrieves a privileged account password at an irregular hour for that user. | Vault | 23
Excessive access to privileged accounts in the Vault | Detected when a user retrieves privileged accounts more frequently than normal for that user. | Vault | 24
Privileged access to the Vault from irregular IP | Detected when a user accesses the Vault from an unusual IP address or subnet. | Vault | 25
Active dormant Vault user | Detected when PTA detects indications of activity from a dormant Vault user. | Vault | 26
Machine accessed during irregular hours | Detected when a machine is accessed at an irregular hour. | Logs | 27
Anomalous access to multiple machines | Detected when an account logged on to a high number of machines during a relatively short time. | Network Sensor, PTA Windows Agent | 30
PAC attack | Detected when PTA detects indications of a PAC (Privilege Attribute Certificate) attack in the network. | Network Sensor, PTA Windows Agent | 31
OverPass the Hash attack | Detected when PTA detects indications of an Overpass the Hash attack in the network. | Network Sensor, PTA Windows Agent | 32
Golden Ticket attack | Detected when PTA detects indications of a Golden Ticket attack in the network. | Network Sensor, PTA Windows Agent | 33
Suspected LSASS credentials harvesting | Detected or blocked when EPM suspects LSASS credentials harvesting occurred on a specific endpoint. | EPM | 34
Suspected SAM hash harvesting | Detected or blocked when EPM suspects SAM hash harvesting occurred on a specific endpoint. | EPM | 35
Malicious retrieval of domain accounts | Detected when there is a potentially malicious retrieval of credentials from the domain controller (DCSync). | Network Sensor, PTA Windows Agent | 36
Exposed credentials | Detected when services connecting with LDAP expose account credentials in clear text. | Network Sensor, PTA Windows Agent | 37
Unconstrained delegation | Accounts with unconstrained delegation are granted permissive delegation privileges and thereby expose the domain to a high risk. | AD | 38
Suspicious activities detected in a privileged session | Detected when PTA identifies a privileged session with activities (commands and Vault anomalies) defined as suspicious. | Vault | 39
Suspected credentials theft from Chrome | Detected or blocked when EPM suspects credentials theft from Chrome occurred on a specific endpoint. | EPM | 40
Suspected credentials theft from Firefox | Detected or blocked when EPM suspects credentials theft from Firefox occurred on a specific endpoint. | EPM | 41
Suspected credentials theft from VNC | Detected or blocked when EPM suspects credentials theft from VNC occurred on a specific endpoint. | EPM | 43
Suspected credentials theft from WinSCP | Detected or blocked when EPM suspects credentials theft from WinSCP occurred on a specific endpoint. | EPM | 44
Suspected credentials theft from service account | Detected or blocked when EPM suspects credentials theft from a service account occurred on a specific endpoint. | EPM | 46
Suspected domain credentials theft from local cache | Detected or blocked when EPM suspects domain credentials theft from the local cache occurred on a specific endpoint. | EPM | 47
Suspicious request to boot in safe mode | Detected or blocked by EPM when a request to boot a machine in safe mode occurred. | EPM | 49
Suspected credentials theft from mRemoteNG | Detected or blocked when EPM suspects credentials theft from mRemoteNG occurred on a specific endpoint. | EPM | 50
Suspected credentials theft from CheckPoint Endpoint Security VPN | Detected or blocked when EPM suspects credentials theft from CheckPoint Endpoint Security VPN occurred on a specific endpoint. | EPM | 51
Service account logged on interactively | Detected when PTA identifies an interactive logon with a service account. | Logs, Vault (optional), AD (optional) | 52
Risky SPN | Privileged accounts with an SPN (service principal name) configured can be vulnerable to offline brute-force and dictionary attacks, allowing a malicious insider to recover the account's clear-text password. | AD | 53
Privileged access to the Vault during irregular days | Detected when a user retrieves a privileged account password on an irregular day for that user. | Vault | 54
Suspicious password change | Detected when PTA identifies a request to change or reset a password by bypassing the Password Manager. | Logs, Vault | 55
Use PTA for the First Time
As a first time PTA user, you must perform the following procedures to log on to PTA for
the first time, and to authenticate to PTA.
Users can log on to PTA using username and password authentication. After successful
authentication, all communication between the browser and PTA is encrypted using
industry-standard TLS (historically referred to as SSL).
Log on to PTA for the First Time
Upload the License File
Log on to PTA for the First Time
When you log on to PTA for the first time, you are required to change the initial password
so that only you know what the password is.
To Log on to PTA for the First Time:
1. In your browser, navigate to the following URL: https://ptaserver
The PTA Sign In window is displayed.
2. In the Sign In window, do the following:
a. In Username, type administrator.
b. In Password, type the initial password provided by CyberArk: Administrator.
c. Click Sign In; the Change Password window appears.
3. In Current Password, type Administrator.
4. In New Password, specify a password that meets all of the following criteria:
■ A minimum of twelve characters
■ At least two uppercase and two lowercase letters
■ At least two digits
5. In Confirm Password, retype the new password, then click Change password;
PTA changes the administrator’s password, authenticates you and displays the PTA
dashboard.
6. Continue with Upload the License File, page 13.
Upload the License File
After you have authenticated successfully to PTA for the first time, the License
Required page is displayed. This page also appears when an existing license has
expired.
To Upload the License File:
1. In the License Required page, click Browse and select the license file which was
provided by your CyberArk support representative.
2. Click Upload to upload the file. When the license file is uploaded successfully, the
PTA dashboard is displayed.
Configure and Implement PTA
This section describes how to configure and implement PTA.
In this section:
Configure LDAP
Configure PTA for PAS Integration
Configure PTA for Privileged Session Manager (PSM) Integration
Configure PTA for Endpoint Privilege Manager (EPM) Integration
Review the Golden Ticket and Network Sensors Configuration
Configure Privileged Users
Whitelist: Configure a List of Allowed Machines to Perform DC Replication
Configure PTA for Authorized Hosts
Configure PTA to Support Vault DR
Troubleshoot PTA Configuration
Configure LDAP
Perform the following procedures to:
■ Enable LDAP authentication
■ Broaden and increase the accuracy of PTA detections
Create an Active Directory Query User for LDAP Users
Use the following guideline to create an Active Directory user with the least privileges
for the LDAP client.
To Create an Active Directory Query User with Least Privileges
1. Create the LDAP user, or select an existing LDAP user.
2. To ensure that the LDAP client user who will run the query has the least privileges,
grant the LDAP user only the List Contents permission in the directory ACL, and do not
add it to any domain groups. Also set the LDAP user's password to never expire, so that
the PTA query does not fail when the password would otherwise rotate; because it never
expires, use a long random value.
Configure LDAP Connection Details
Use the following procedure to configure LDAP connection details.
To Configure LDAP Client in PTA:
1. In PTA, click the Settings tab.
The Settings page appears.
2. In the left pane, click Administration > AD Connectivity. The Active Directory
connectivity settings area appears.
3. In the CONNECTION DETAILS area, enter the relevant DC IP address in Global
Catalog server IP.
4. If the LDAP server is configured to use LDAP over SSL, select Yes.
If the LDAP server is not configured to use LDAP over SSL select No.
5. Define the server port number in Global Catalog port.
Note:
The default port if the LDAP server is configured to use LDAP over SSL is 3269. The
default port if the LDAP server is not configured to use LDAP over SSL is 3268.
6. If the LDAP server is configured to use LDAP over SSL, click Browse and select the
Base-64 encoded X.509 certificate that PTA uses to validate the LDAP over SSL
connection.
■ In the window that opens, select the certificate file, click Open, and then click OK
to make your selection.
7. In User Principal Name, enter the LDAP user created above, who will be used to
connect and query the Active Directory. Enter the user in a UPN format:
For Example: [email protected]
8. In Password, enter the password of the LDAP user created above, who will be used
to connect and query the Active Directory.
9. Click Save.
Configure LDAP Authentication to PTA (Optional)
Use the following procedure to configure LDAP Authentication to PTA.
Note:
PTA supports only one forest when configuring LDAP authentication.
To Configure LDAP Authentication to PTA:
1. In PTA, click the Settings tab.
The Settings page appears.
2. In the left pane, click Administration > AD Connectivity. The Active Directory
connectivity settings area appears.
3. In the LDAP AUTHENTICATION TO PTA area, in LDAP PTA group, enter the
sAMAccountName of the Active Directory group whose members are allowed to connect to
PTA using their LDAP accounts.
4. In Group domain, enter the domain to which that group belongs.
5. Click Save.
Configure PTA for PAS Integration
This section describes how to configure your system for threat containment, such as
when suspected credential theft or Overpass the Hash occurs.
Perform the following procedure only if:
■ Your site has PAS 9.3 and higher (see CyberArk Vault / PAS Compatibility, page
52)
You can perform this either through the PTA Settings page, or by updating the specific
parameters. Select one of the following procedures.
To Configure PTA to Integrate with PAS using PTA Settings:
1. In PTA, click the Settings tab.
The Settings page appears.
2. In the left pane, click Administration > PAS Connectivity. The PVWA Connection
Details area appears.
3. Enter the PVWA host name, in FQDN format, not the URL.
4. Select whether the connection is over HTTPS. We recommend using an HTTPS
connection.
5. Enter the PVWA port that PTA will use to access the PVWA.
6. Enter the PVWA application name that PTA will use to access the PVWA. The
default name is PasswordVault, but you can specify a different application name
when you install the PVWA.
7. (Optional) To automatically add unmanaged accounts to the PAS pending accounts
queue, select Automatic Adding to Pending Accounts.
Note:
Only perform this step if you have performed the appropriate steps shown in Configure
the PVWA for PTA Integration with PAS, page 55.
8. (Optional) To automatically rotate passwords for credentials theft in PAS, select
Automatic Rotate Password.
Note:
Only perform this step if you have performed the appropriate steps shown in Configure
the PVWA for PTA Integration with PAS, page 55.
9. Click Save.
Note:
For details on PSM Connectivity, refer to Configure PTA for PSM Integration, page 22.
To Configure PTA to Integrate with PAS using System Parameters:
Edit the local systemparm.properties file using the LOCALPARM command, and
specify the following parameters:
Defined… | Parameter | Description
…in systemparm.properties file | EnableAutomaticMitigationByEPV | Enables automatic PTA threat containment, including for Overpass the Hash. Determines whether PTA integrates with PAS to react automatically to detected credential thefts.
…during installation / upgrade | epv_https_enabled | Determines whether PTA connects to PAS through HTTPS.
…during installation / upgrade | epv_host | The hostname (FQDN) of the PVWA. Do not enter the URL of the PVWA.
…during installation / upgrade | epv_port | The port through which PTA connects to PAS.
…during installation / upgrade | epv_root_context | The PVWA application name.
…during installation / upgrade | epvIntegrationEnableAddPendingAccount | Determines whether PTA integrates with PAS to automatically add unmanaged privileged accounts to the PVWA pending accounts queue.
…during installation / upgrade | epv_integration_rotate_password | Determines whether PTA integrates with PAS to automatically rotate the passwords of accounts.
…in systemparm.properties file | psm_mitigation_termination_enabled | Determines whether PTA integrates with PAS to automatically terminate a session for suspicious commands.
Save and close the systemparm.properties file using :wq!, and restart the PTA main
service using the service appmgr restart command.
Configure PTA for Privileged Session Manager
(PSM) Integration
The integration of PTA with Privileged Session Manager (PSM) leverages the analytic
capabilities of PTA and assigns a risk score to privileged sessions. PTA identifies
suspicious commands in privileged sessions and anomalous activities initiated by the
Vault user.
The privileged sessions to which PTA assigned a risk score appear in PTA and are
available for security review. In addition, when PTA assigns a risk score to a privileged
session, PTA updates PSM to make the score available in PVWA, increasing the
efficiency of privileged sessions review by auditing teams.
In PSM, for SSH sessions, the Security Administrator can configure forbidden
commands as regular expressions. If a user enters a forbidden command, PSM blocks the
command from running on the target machine, and the word "denied" appears next to
the command in the audit, which means that the command has not been run on the
target machine. In PTA, you can set an alert on restricted commands to see which users
try to use restricted commands. For details, refer to Configuring SSH Commands Access
Control in PSMP in the PAS Implementation Guide.
■ PTA and PSM Integration Architecture , page 21
■ Configure PTA for PSM Integration, page 22
■ Configure Suspicious Session Activities in PTA, page 23
PTA and PSM Integration Architecture
Following is the architecture and process flow in an environment with PTA and PSM.
[Architecture diagram not reproduced in this text version; the numbered steps below
appear to continue the numbering used in the diagram.]
PTA-PSM integration process flow:
7. PTA receives the PSM session related syslogs from the Vault.
8. PTA analyzes the PSM session related syslogs, and displays them as incidents in the
PTA Dashboard.
9. PTA sends the PSM session related data which was analyzed and found to contain
risky commands, to the PVWA.
10. PVWA displays the PTA analyzed session related data with scores in the PVWA
MONITORING tab.
Configure PTA for PSM Integration
1. Click the Settings tab.
The Settings page appears.
2. In the left pane, click Administration > PAS Connectivity. The PVWA Connection
Details area appears.
3. To send a privileged session risk score to PSM to make the score available in PVWA,
select Send PSM session related data.
4. If PSM Connectivity is not configured or PTAUser is not a member of the
PSMPTAAppUsers Vault group, the Vault Admin user credentials section of the
PVWA Connection Details area appears. Enter the Username and Password of the
Vault Administrator.
5. Click Save.
Limitations
■ PTA only analyzes session data from the time of the integration with PSM. Older
sessions are not analyzed, do not trigger security incidents in PTA, and do not
display risk scores in PVWA.
■ Changing the configuration affects sessions from that point onward, and does not
affect older sessions.
■ PTA does not support session activities performed in environments with multibyte
languages.
Configure Suspicious Session Activities in PTA
To best reflect your organizational policy, we recommend reviewing and adjusting the
predefined set of suspicious session activities.
You can perform this either through the PTA Settings page, or by updating the specific
parameters. Select one of the following procedures.
To Configure Suspicious Session Activities in PTA in the Settings tab:
1. In PTA, click the Settings tab.
The Settings page appears.
2. In the left pane, click Configuration > Privileged Session Analysis. The
Privileged Session Analysis area appears.
The default rules shown represent a set of best practices that CyberArk recommends
for your use. Based on your analysis, you can add new rules or edit the default rules
to align with your security needs.
Note:
If you want to edit the default rules, we recommend creating a new rule and disabling
the default rule. The default rule will still exist if you need it in the future.
The default rules are enabled, and all new rules that you add are also enabled. You
can disable and enable each rule as needed.
3. Click Add.
4. Select a Category from the drop-down list.
The available categories are:
■ Universal keystrokes – For all platforms
■ SCP – Secure copy. For UNIX only
■ SQL – For Databases only
■ SSH – For UNIX only
■ Windows titles – For Windows only
5. Enter a valid Pattern (Regular Expression) for the selected category.
Note:
Regular expressions are case sensitive for all categories except SQL and Windows
titles.
6. Enter a Score between 1 - 100 that reflects the risk level of the suspicious session
activity.
7. (Optional) Enter a Description of the suspicious session activity.
8. Determine the Response, either None, Suspend, or Terminate, to the suspicious
session activity.
9. Click Update.
To Enable and Disable Rules:
1. Double-click the selected rule.
2. Select (to enable the rule) or de-select (to disable the rule) the Enabled box.
3. Click Update.
To Configure Suspicious Session Activities in PTA Manually:
1. Edit the local systemparm.properties file using the LOCALPARM command.
2. Specify the following parameter values:
Parameter Name | Description | Mandatory or Optional | Default Value
Regex | Regular expression of the suspicious session activity. For example: kill [*.*]. Note: regular expressions are case sensitive. | Mandatory | None
Score | Score between 1 - 100 that reflects the risk level of the suspicious session activity. | Mandatory | 0
Description | Description / comment of the regular expression. | Optional | None
Category | Type of suspicious session activity; the PSM audit type supported. Enter one of the following categories: SSH (for UNIX platforms only); Windows titles (for Windows platforms only); SQL (for databases only); Universal keystrokes (for all platforms); SCP, secure copy (for UNIX platforms only). | Mandatory | None
Response | Automatic response configuration for the specific suspicious command. Accepted values: NONE (no automatic response for the command); SUSPEND (automatic session suspension for the command); TERMINATE (automatic session termination for the command). | Optional | None
Active | Determines whether the rule is enabled or disabled. | Mandatory | True
3. Save and close the systemparm.properties file using :wq!, and restart the PTA main
service using the service appmgr restart command.
Example (the value is a JSON array; the quotation marks are escaped with backslashes
as they appear in the properties file):
[{\"regex\":\"kill (.*)\",\"score\":\"80\",\"description\":\"description\",\"category\":\"SSH\",\"response\":\"NONE\",\"active\":\"true\"},{\"regex\":\"who\",\"score\":\"70\",\"description\":\"description2\",\"category\":\"SSH\",\"response\":\"TERMINATE\",\"active\":\"true\"}]
Configure PTA for Endpoint Privilege Manager (EPM)
Integration
Endpoint Privilege Manager (EPM) detects and blocks threats to the endpoint. Sending
these events from EPM to PTA enables you to review all privileged account related
incidents and risks in a central location.
To Integrate PTA and EPM:
1. In PTA, click the Settings tab.
The Settings page appears.
2. In the left pane, click Administration > EPM Connectivity. The EPM Connection
Details area appears.
3. Click Yes to enable EPM.
4. Click Save.
A message appears that EPM has been successfully enabled. The message also
contains the username and password that will be used in EPM to access PTA. For
details, refer to Integrate PTA with EPM, page 57
Review the Golden Ticket and Network Sensors
Configuration
You are able to view the current Golden Ticket and Network Sensors configuration via
the Dashboard. To access this information, follow these directions:
1. In the Dashboard, click the Settings tab.
2. In the left pane, click Configuration > Golden Ticket Detection.
The selected configuration, as it was installed at your site, is displayed.
Configure Privileged Users
Create a list of privileged groups and users who must be managed in the CyberArk
Privileged Account Security solution.
Before You Begin:
To create privileged groups, you must activate Active Directory, as shown in Configure
LDAP, page 15
You can perform this either through the PTA Settings page, or by updating the specific
parameters. Select one of the following procedures.
To Create privileged groups and users:
1. In PTA, click the Settings tab.
The Settings page appears.
2. In the left pane, click Configuration > Privileged Groups and Users. The
Privileged Groups area appears.
3. In the PRIVILEGED GROUPS LIST area, click Add to add Active Directory groups
to the list of privileged groups.
Note:
The configured groups are in addition to the PTA predefined privileged groups.
4. In the PRIVILEGED USERS LIST area, click Add to add users and patterns to the
list of privileged users.
Note:
There is a list of default users and patterns:
Unix - root
Windows - .*admin.*
Oracle - sys, sysman, system
Regular expressions, such as (.*)_A, are supported.
5. Click Save.
To Manually Create privileged groups and users:
Edit the local systemparm.properties file using the LOCALPARM command, and
specify the following parameters:
Parameter: privileged_groups_list
Description: A list of groups considered privileged in the organization, and whose
members should be managed by CyberArk’s Privileged Account Security solution.

Parameter: privileged_users_list
Description: A list of users considered privileged in the organization, and who should be
managed by CyberArk’s Privileged Account Security solution.
The default values are:
■ Unix - root
■ Windows - .*admin.*
■ Oracle - sys, sysman, system
Save and close the systemparm.properties file using :wq!, and restart the PTA main
service using the service appmgr restart command.
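As an added illustration (not PTA's code), the following Python checks a candidate privileged_users_list against sample logon names before you commit it to systemparm.properties: it compiles each pattern, rejects patterns that do not compile, and reports which users each platform's list matches. The `Platform:pattern,pattern;Platform:...` value layout, the anchored (full-match) matching and all sample names are assumptions made for this example; the guide does not specify how PTA stores or applies the list.

```python
import re

# Constructed sample of the property as it might appear in the local
# systemparm.properties. The layout "Platform:pattern,...;Platform:..." is an
# assumption for this example, not PTA's documented syntax. Patterns that
# contain a comma cannot be expressed in this layout.
SAMPLE_PROPERTIES = """\
# constructed example, not a real PTA file
privileged_users_list=Unix:root;Windows:.*admin.*,(.*)_A;Oracle:sys,sysman,system
"""

# Constructed (platform, username) pairs as they might be seen in logon audits.
SAMPLE_LOGONS = [
    ("Unix", "root"), ("Unix", "rootkit"),
    ("Windows", "localadmin"), ("Windows", "svc_backup_A"), ("Windows", "jdoe"),
    ("Oracle", "system"), ("Oracle", "sysadmin"),
]


def parse_privileged_users(properties_text):
    """Return {platform: [compiled regex, ...]} from the privileged_users_list line.

    Raises ValueError for a pattern that does not compile, so a typo is caught
    before the file is saved and the appmgr service restarted.
    """
    patterns = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line.startswith("privileged_users_list="):
            continue  # comments, blank lines and other properties
        value = line.split("=", 1)[1]
        for platform_block in value.split(";"):
            platform, _, raw = platform_block.partition(":")
            compiled = []
            for pattern in raw.split(","):
                pattern = pattern.strip()
                if not pattern:
                    continue
                try:
                    compiled.append(re.compile(pattern))
                except re.error as exc:
                    raise ValueError(f"bad pattern {pattern!r} for {platform}: {exc}")
            patterns[platform.strip()] = compiled
    return patterns


def is_privileged(patterns, platform, username):
    """True if any of the platform's patterns matches the whole username.

    Anchored matching is an assumption of this example: with it, the Unix
    pattern 'root' does not cover 'rootkit' and the Oracle pattern 'sys' does
    not cover 'sysadmin', whereas the Windows pattern '.*admin.*' still does.
    """
    return any(rx.fullmatch(username) for rx in patterns.get(platform, []))


def classify(properties_text, logons):
    """Map each (platform, username) pair to whether the list treats it as privileged."""
    patterns = parse_privileged_users(properties_text)
    return {(plat, user): is_privileged(patterns, plat, user) for plat, user in logons}


if __name__ == "__main__":
    for (plat, user), hit in classify(SAMPLE_PROPERTIES, SAMPLE_LOGONS).items():
        print(f"{plat:8} {user:14} {'privileged' if hit else '-'}")
```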
Whitelist: Configure a List of Allowed Machines to
Perform DC Replication
To keep directory data on all domain controllers consistent and up to date, Active
Directory replicates directory changes on a regular basis. DC Replication (DC Sync) is
a known attack technique for stealing credentials from a DC by mimicking a legitimate
replication request.
PTA has a DC replication whitelist which, by default, identifies domain controllers
which are allowed to perform DC replication. PTA automatically uses this whitelist to
identify legitimate DC replicators in the network.
After PTA is installed and running for some time, and after reviewing the Dashboard, you
may decide that a machine needs to be added to the DC replication whitelist.
For example, you may have systems that are not domain controllers, but which are used
for authentication in your environment. You should secure these systems with the same
level of security as your most secured assets, such as domain controllers, and they should
be added to the DC replication whitelist. See Use and Understand the Dashboard, page
87.
Use the following procedure to add machines to the DC replication whitelist.
To Add Machines to the DC Replication Whitelist:
1. Edit the local systemparm.properties file using the LOCALPARM command.
2. Search for the following property:
dc_replication_whitelist
See the system property Sub-section: DC Replication, page 143.
3. Add machines to the whitelist using the following format, where multiple names are
separated by commas.
dc_replication_whitelist=<IP1>,<IP2>,<FQDN1>,<FQDN2>…
4. Save and close the systemparm.properties file using :wq!, and restart the PTA main
service using the service appmgr restart command.
5. After a few weeks, review the results and edit again as necessary.
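As an added example of the whitelist logic (not PTA's implementation), the following Python parses a dc_replication_whitelist value in the format above and flags replication requests (the DRSUAPI_DS_GET_NC_CHANGES audit type that appears in the SHOW_METRICS output later in this guide) whose source is neither a whitelisted IP nor a whitelisted FQDN. The whitelist values, the event records and their field names are constructed for this example.

```python
import ipaddress

# Constructed whitelist line in the format the guide gives for the property
# (comma-separated IPs and FQDNs); the values themselves are made up.
SAMPLE_WHITELIST_LINE = (
    "dc_replication_whitelist="
    "10.1.1.1,10.1.1.11,aa-d1-dc2.corp.example,auth-proxy01.corp.example"
)

# Constructed audit records. The audit type name DRSUAPI_DS_GET_NC_CHANGES is the
# one listed in the SHOW_METRICS output; the field names are assumptions.
SAMPLE_EVENTS = [
    {"auditType": "DRSUAPI_DS_GET_NC_CHANGES", "src_ip": "10.1.1.11",
     "src_fqdn": "aa-d1-dc2.corp.example"},
    {"auditType": "DRSUAPI_DS_GET_NC_CHANGES", "src_ip": "10.1.1.1",
     "src_fqdn": "aa-d1-dc1.corp.example"},
    {"auditType": "DRSUAPI_DS_GET_NC_CHANGES", "src_ip": "10.1.50.23",
     "src_fqdn": "AUTH-PROXY01.corp.example"},      # authentication system, not a DC
    {"auditType": "DRSUAPI_DS_GET_NC_CHANGES", "src_ip": "10.1.77.9",
     "src_fqdn": "ws-finance-12.corp.example"},     # workstation: not expected to replicate
    {"auditType": "WINDOWS_LOGON", "src_ip": "10.1.77.9",
     "src_fqdn": "ws-finance-12.corp.example"},     # not a replication request
]


def parse_whitelist(line):
    """Split the property value into a set of normalised IPs and lower-cased FQDNs."""
    key, _, value = line.partition("=")
    if key.strip() != "dc_replication_whitelist":
        raise ValueError("not a dc_replication_whitelist line")
    ips, names = set(), set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            # ip_address() also normalises IPv6 spellings such as leading zeros
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            names.add(entry.lower())   # hostnames compare case-insensitively
    return ips, names


def is_allowed_replicator(event, ips, names):
    """A source is allowed if either its IP or its FQDN is on the whitelist."""
    return event["src_ip"] in ips or event["src_fqdn"].lower() in names


def review_replication_events(line, events):
    """Return (ip, fqdn) of every replication request from a non-whitelisted source."""
    ips, names = parse_whitelist(line)
    flagged = []
    for ev in events:
        if ev["auditType"] != "DRSUAPI_DS_GET_NC_CHANGES":
            continue   # only replication requests are subject to the whitelist
        if not is_allowed_replicator(ev, ips, names):
            flagged.append((ev["src_ip"], ev["src_fqdn"]))
    return flagged


if __name__ == "__main__":
    for ip, fqdn in review_replication_events(SAMPLE_WHITELIST_LINE, SAMPLE_EVENTS):
        print(f"replication request from non-whitelisted source {ip} ({fqdn})")
```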
Configure PTA for Authorized Hosts
Run the following procedure to configure authorized hosts only if:
■ Your site has SIEM/Vault, or any other authorized host that forwards messages to
PTA
■ You are upgrading your site from PTA versions 2.6.3 and below
Note:
When PTA is configured with a Vault that is deployed in a Cluster environment, configure the
Virtual IP in the Vault Connection Configuration step.
When PTA is configured with a Vault that is deployed in a distributed environment, configure the
IP for the primary Vault in the Vault Connection Configuration step.
To Configure PTA for Authorized Hosts after Upgrading:
1. Navigate to the utility directory using the UTILITYDIR command.
2. Run the file: authorizedSourceHostsConfiguration.sh
3. Search for the text Authorized machines, then add the relevant authorized source.
Authorized machines: all
Enter one of the following options:
■ IPs separated by commas
■ None
■ All
[root@PTAServer ~]# cd /opt/tomcat/utility/
[root@PTAServer utility]# ./authorizedSourceHostsConfiguration.sh
[Step 1/1 - Authorized source hosts configuration]
Specify the source host IPs that are authorized to forward messages to PTA, separated by a comma (for example: 11.22.33.44,11.22.33.55).
To allow all hosts types to forward messages to PTA, specify 'All'.
To prevent any host type from forwarding messages to PTA, specify 'None'.
PTA should only be permitted to receive messages from authorized sources such as the CyberArk Vault, organizational SIEM solution and any other server that sends messages directly to PTA.
If the Vault connection was configured, the Vault is automatically considered to be an authorized source host (no need to specify it in this step).
Authorized machines: all
Authorized source hosts configuration finished successfully.
Updating iptables rules...
Updating iptables finished successfully
-----
Verify the configuration
Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
Configure PTA to Support Vault DR
Perform the following procedure only if your site has Vault Disaster Recovery.
Note:
For sites where the original installation of PTA was from version 3.0 and above, this
procedure is not needed. Vault Disaster Recovery configuration is part of the
installation procedure.
To Configure PTA to Support Vault DR after Upgrade:
1. Open the file /opt/tomcat/diamond-resources/Vault.ini
2. Edit the ADDRESS by adding the Vault DR IP address:
ADDRESS=<vault_ip>,<vault_DR_ip>
3. Restart the appmgr service, to restart PTA.
4. To configure the Vault DR to send syslogs to PTA, for each Vault DR perform the
procedure Configure the Vault to Forward syslog Messages to PTA, page 53.
Verify the configuration
Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
Troubleshoot PTA Configuration
Verify the configuration
Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
In this section:
Use the PTA Utility for Troubleshooting , page 35
Use the diamond.log for Troubleshooting, page 35
Domain Controllers – View the List and Manage the Cache, page 46
Test the PTA Network Sensor Connection to the PTA Server, page 47
Reset PTA Network Sensor Connection with the PTA Server, page 47
Modify or Troubleshoot PTA Network Sensor Configurations, page 48
Troubleshoot PAS Integration, page 48
PTAAppUser is Suspended - Reactivate CasosService, page 49
Use the PTA Utility for Troubleshooting
The PTA utility enables you to perform various troubleshooting tasks, and control
processes.
Run the PTA utility, using the following command:
/opt/tomcat/utility/run.sh
Reset PTA Data
To reset the data used to generate Incident charts:
■ To clear only the analysis results, select 10 - Clear analysis data.
■ To clear all the data from the database, select 11 - Clear database.
Restart PTA Processes
To restart PTA processes:
■ To stop all the processes, select 3 - Stop application processes.
■ To start all the processes, select 4 - Start application processes.
To restart the Tomcat Web Server:
■ To stop the Tomcat Web Server, select 5 - Stop Tomcat Web Server.
■ To start the Tomcat Web Server, select 6 - Start Tomcat Web Server.
Use the diamond.log for Troubleshooting
■ View Automatic Containment Responses, page 35
■ View Statistics in the diamond.log, page 36
■ Shortcuts for Common Commands, page 41
■ Aliases, page 45
View Automatic Containment Responses
When PTA is integrated with PAS to automatically contain the threat of Overpass the
Hash attack or suspected credential thefts events, the following messages in the
diamond.log file indicate that PTA has successfully sent a password change request to
PAS:
■ At info level:
Reset pass logic ended with result ‘true’
■ At debug level:
The account (user: OUserForReset, ip: 10.1.8.20, host:
10.1.8.20, fqdn: 10.1.8.20) is managed by PAS
Event score calculated - score is '50.00'.
Event is security event. Begin reset pass logic...
Attempt to reset password by ip/host/fqdn <value> succeeded.
View Statistics in the diamond.log
Note:
The numbers that appear in the diamond.log are reset each time the system reboots.
1. Run the following command:
SHOW_METRICS
2. Click Y to approve the terms of service.
+-- [2018-01-02 10:13:34.318 IST] -----------------------------------------------+------------+
| Listener Types | Amount |
+------------------------------------------------------------------------------+------------+
| auditType_CPM_CHANGE_PASS | 3 |
| auditType_DRSUAPI_DS_GET_NC_CHANGES | 28456 |
| auditType_PAM_UNIX_SESSION_OPENED | 4 |
| auditType_PSM_CONNECT | 4 |
| auditType_PSM_DISCONNECT | 3 |
| auditType_PSM_SSH_COMMAND | 7 |
| auditType_PSM_WIN_TITLE | 35 |
| auditType_VAULT_LOGON | 82 |
| auditType_VAULT_RET_PASS | 27 |
| auditType_VAULT_STORE_PASSWORD | 5 |
| auditType_WINDOWS_KERBEROS_AS | 3608 |
| auditType_WINDOWS_KERBEROS_TGS | 14628 |
| auditType_WINDOWS_LOGON | 750 |
| auditType_WINDOWS_RESET_PASSWORD | 9 |
| filtered_audits | 56 |
| human_vault_user_task_success | 5 |
| match_bulk_ArcSightBulk | 1297 |
| match_bulk_LogRhythmBulk | 147199 |
| match_bulk_QradarBulk | 55689 |
| match_but_not_created_plugin_com.cyberark.diamond.plugins.impl.inbound.ALEWindowsCre | 1 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.ALEWindowsCreator | 148129 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.CorreLogWindowsCreator | 339202 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.CPMChangePasswordAuditCreator | 3 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.DSGetNCChangesAuditCreator | 28456 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.KerberosWindowsCreator | 18236 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.PSMCommandAuditCreator | 49 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.UnixPamLogonAuditCreator | 4 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.VaultLogonAuditCreator | 82 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.VaultRetrievePasswordAuditCre | 27 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.VaultStorePasswordAuditCreato | 5 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.WefChangeOrResetPasswordCreat | 10 |
| match_plugin_com.cyberark.diamond.plugins.impl.inbound.WefCreator | 147188 |
| mesages_with_no_matching_plugin | 1035535 |
| resolve_not_in_cache | 12946 |
| resolve_request | 109713 |
| resolve_returned_from_failed_cache | 17465 |
| resolve_returned_from_success_cache | 79302 |
| risk_processing_sent_to_sampler | 221 |
| sensorType_NETWORK_SENSOR | 46692 |
| sensorType_PAM_UNIX | 4 |
| sensorType_SIEM | 759 |
| sensorType_VAULT | 166 |
| syslog_filtered_reason_non_human | 56 |
+------------------------------------------------------------------------------+------------+
+-- [2018-01-02 10:13:43.348 IST] -----------------------------------------------+------------+
| Sampler Types | Amount |
+------------------------------------------------------------------------------+------------+
| anomaly_type_PSMRiskyCommand | 5 |
| anomaly_type_SuspectedCredentialsTheft | 2 |
| anomaly_type_SuspectedPasswordChange | 1 |
| anomaly_type_UnmanagedPrivilegedAccess | 8 |
| decrypt_uds_handler_success | 1056 |
| DomainAccountAttributesRetrieving_failure | 11 |
| DomainAccountAttributesRetrieving_success | 7 |
| NetRep_FromDomain_AL_LAB.AMPM.COM_failure_no_NetRepParameters | 5 |
| NetRep_FromDomain_AMPMDEFAULT.AMPM.COM_failure_no_NetRepParameters | 5 |
| NetRep_FromDomain_ARIEPM63.AMPM.COM_failure_no_NetRepParameters | 4 |
| NetRep_FromDomain_ARIEPM64.AMPM.COM_failure_no_NetRepParameters | 4 |
| NetRep_FromDomain_ARIEPMSAAS.ENV_failure_no_NetRepParameters | 4 |
| NetRep_FromDomain_DCDISTVAULTS.AMPM.COM_failure_no_NetRepParameters | 1 |
| NetRep_FromDomain_ENIGMA.COM_failure_no_NetRepParameters | 5 |
| NetRep_FromDomain_EXTDOMAIN.COM_failure_no_NetRepParameters | 5 |
| NetRep_FromDomain_HRDC.AMPM.COM_failure_no_NetRepParameters | 1 |
| NetRep_FromDomain_HR_DOM.AMPM.COM_failure_no_NetRepParameters | 1 |
| NetRep_FromDomain_IL.ENIGMA.COM_failure_no_NetRepParameters | 5 |
| NetRep_FromDomain_IL.PTA.COM_success_ | 5 |
| NetRep_FromDomain_LAB.SUPPORT.COM_failure_no_NetRepParameters | 5 |
| NetRep_FromDomain_LYDC.AMPM.COM_failure_no_NetRepParameters | 2 |
| NetRep_FromDomain_NINIO.COM_failure_no_NetRepParameters | 2 |
| NetRep_FromDomain_PRINCESSES.COM_success_ | 3 |
| NetRep_FromDomain_PTA.COM_success_ | 5 |
| NetRep_FromDomain_RANDY.LOCAL_failure_no_NetRepParameters | 2 |
| NetRep_FromDomain_SPECFLOWDOMAIN.AMPM.COM_failure_no_NetRepParameters | 1 |
| NetRep_FromDomain_US.PTA.COM_success_ | 5 |
| NetRep_FromDomain_WIN2KDC1.AMPM.COM_failure_no_NetRepParameters | 3 |
| psm_score_update_success | 3 |
| resolve_not_in_cache | 45 |
| resolve_request | 748 |
| resolve_returned_from_failed_cache | 101 |
| resolve_returned_from_success_cache | 602 |
| risk_event_handler_aggregation_counter | 386 |
| risk_event_handler_create_risk_counter | 5 |
| risk_event_handler_in | 401 |
| risk_event_handler_in_typed_cleartext_protocol | 374 |
| risk_event_handler_in_typed_interactive_service_account | 2 |
| risk_event_handler_in_typed_risky_spn | 10 |
| risk_event_handler_in_typed_unconstrained_delegation | 5 |
| risk_manager_out_event | 2 |
| risk_queue_consumer_in_count | 800 |
| risk_raw_handler_in_json | 399 |
| risk_raw_handler_out_event | 389 |
| suspend_session_PSM_RISKY_COMMAND_success | 1 |
| terminate_session_PSM_RISKY_COMMAND_success | 1 |
| tkt_data_failure | 2726 |
| tkt_data_success | 166 |
| unmanage_onboard_failure | 4 |
+------------------------------------------------------------------------------+------------+
+-- [2018-01-02 10:13:32.550 IST] -----------------------------------------------+------------+
| Background Scheduler Types | Amount |
+------------------------------------------------------------------------------+------------+
| ActiveDormantUserAnomaly_success | 5 |
| AggregativeIce_success | 5 |
| CasosServicesReActivateTask_success | 5 |
| ChangePTAVaultPasswordTask_success | 5 |
| DCAServerReActivateTask_success | 5 |
| DomainAccountsAttributesQueryTask_success | 6 |
| ExcessiveAccess_success | 5 |
| GenerateJwtAuthSecretTask_success | 5 |
| GetVaultVersionTask_success | 6 |
| IrregularDayUser_success | 5 |
| IrregularHoursAsset_success | 5 |
| IrregularHoursUser_success | 5 |
| NormalActivityCountingTask_success | 6 |
| PrivilegedAccountQueryTask_success | 5 |
| RemoveInactiveProcessedAssetsTask_success | 5 |
| RiskySPNAccountsAttributesQueryTask_success | 5 |
| UnconstrainedDelegationAccountsAttributesQueryTask_success | 5 |
| VaultAccountsReloadTask_success | 5 |
| VaultViaIrregularIp_success | 5 |
+------------------------------------------------------------------------------+------------+
+-- [2018-01-02 10:13:59.066 IST] -----------------------------------------------+------------+
| Services Types | Amount |
+------------------------------------------------------------------------------+------------+
| PTA_SERVICE_EPV.checkAccountIsManagedByCPM.fail | 0 |
| PTA_SERVICE_EPV.checkAccountIsManagedByCPM.requestAccount.SuspectedPasswordChange.su | 1 |
| PTA_SERVICE_EPV.checkAccountIsManagedByCPM.requestPlatform.SuspectedPasswordChange.s | 1 |
| PTA_SERVICE_EPV.checkAccountIsManagedByCPM.success | 1 |
| PTA_SERVICE_EPV.requestAddPendingAccount.fail | 4 |
| PTA_SERVICE_EPV.requestAddPendingAccount.requestAddPendingAccount.error.UnmanagedPri | 4 |
| PTA_SERVICE_EPV.requestAddPendingAccount.success | 0 |
| PTA_SERVICE_EPV.requestChangePasswordAsync.fail | 2 |
| PTA_SERVICE_EPV.requestChangePasswordAsync.requestChangePassword.error.SuspectedCred | 2 |
| PTA_SERVICE_EPV.requestChangePasswordAsync.success | 0 |
| PTA_SERVICE_EPV.requestPsmResumeSession.fail | 0 |
| PTA_SERVICE_EPV.requestPsmResumeSession.mitigationAction.PSM_RISKY_COMMAND.success | 1 |
| PTA_SERVICE_EPV.requestPsmResumeSession.success | 1 |
| PTA_SERVICE_EPV.requestPsmSuspendSession.fail | 0 |
| PTA_SERVICE_EPV.requestPsmSuspendSession.mitigationAction.PSM_RISKY_COMMAND.success | 1 |
| PTA_SERVICE_EPV.requestPsmSuspendSession.success | 1 |
| PTA_SERVICE_EPV.requestPsmTerminateSession.fail | 0 |
| PTA_SERVICE_EPV.requestPsmTerminateSession.mitigationAction.PSM_RISKY_COMMAND.succes | 1 |
| PTA_SERVICE_EPV.requestPsmTerminateSession.success | 1 |
| PTA_SERVICE_EPV.submitCommandScores.fail | 0 |
| PTA_SERVICE_EPV.submitCommandScores.submitCommandScores.PSMRiskyCommand.success | 3 |
| PTA_SERVICE_EPV.submitCommandScores.success | 3 |
| PTA_SERVICE_VAULT.writeAuditLog.fail | 0 |
| PTA_SERVICE_VAULT.writeAuditLog.success | 8 |
+------------------------------------------------------------------------------+------------+
+-- [2018-01-02 10:13:58.379 IST] -----------------------------------------------+------------+
| DCA Server Types | Amount |
+------------------------------------------------------------------------------+------------+
| control_agent_Server_to_Agent_ACK_success | 581533 |
| data_clear_text_create_success | 153 |
| data_dcerpc_event_create_success | 6122 |
| data_formatter_clear_text_events_match_cleartextformatter_success | 153 |
| data_formatter_dcerpc_event_events_match_dcerpcformatter_success | 6122 |
| data_formatter_kerberos_events_match_kerberosformatter_success | 10317 |
| data_formatter_windows_events_events_match_rawdataformatter_success | 147208 |
| data_incoming_event_CLEAR_TEXT_success | 153 |
| data_incoming_event_DCERPC_EVENT_success | 6122 |
| data_incoming_event_KERBEROS_success | 10317 |
| data_incoming_event_WINDOWS_EVENTS_success | 147208 |
| data_in_sensor_create_success | 163647 |
| data_kerberos_as-req-rep_create_success | 6629 |
| data_kerberos_tgs-req-rep_create_success | 3688 |
| data_raw_risks_create_success | 153 |
| data_windows_events_create_success | 147208 |
+------------------------------------------------------------------------------+------------+
Log file can be found at '/opt/tomcat/logs/PTA_Tool_Log_20180102101359.log'.
■ Search for auditType_<audit type>. This is the number of audits created per
type.
In the example above: {"auditType_WINDOWS_KERBEROS_TGS":14628}
■ Search for sensorType_<sensor type>. This is the number of audits created
per sensor.
In the example above: {"sensorType_NETWORK_SENSOR":46692}
■ Search for mesages_with_no_matching_plugin. The number that appears is
the number of messages that PTA failed to parse because they did not match any
of the PTA plugins for their message type.
■ Search for syslog_filtered_reason_<filter name>. This is the number of
audits that were filtered by <filter name>.
For example: {"syslog_filtered_reason_non_human":56}
■ Search for filtered_audits. This is the total number of audits that were filtered
by all the PTA filters.
■ Search for anomaly_type_<attack name>. This is the number of audits
identified by PTA as security events of type <attack name>.
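As an added helper (not part of PTA or pta_tool.sh), the following Python parses SHOW_METRICS output of the shape shown above into per-table counters and pulls out the entries the notes above tell you to look for, including a consistency check that filtered_audits equals the sum of the syslog_filtered_reason_* counters. The sample text is a constructed excerpt that reuses counter names and values from the example above; the exact column alignment is assumed.

```python
from collections import defaultdict

# Constructed excerpt in the shape of the SHOW_METRICS output. Counter names and
# values are taken from the example above; the padding is an assumption.
SAMPLE_METRICS = """\
+-- [2018-01-02 10:13:34.318 IST] -------------------------+------------+
| Listener Types                                           | Amount     |
+----------------------------------------------------------+------------+
| auditType_DRSUAPI_DS_GET_NC_CHANGES                      | 28456      |
| auditType_WINDOWS_KERBEROS_TGS                           | 14628      |
| filtered_audits                                          | 56         |
| mesages_with_no_matching_plugin                          | 1035535    |
| sensorType_NETWORK_SENSOR                                | 46692      |
| sensorType_VAULT                                         | 166        |
| syslog_filtered_reason_non_human                         | 56         |
+----------------------------------------------------------+------------+
+-- [2018-01-02 10:13:43.348 IST] -------------------------+------------+
| Sampler Types                                            | Amount     |
+----------------------------------------------------------+------------+
| anomaly_type_SuspectedCredentialsTheft                   | 2          |
| anomaly_type_UnmanagedPrivilegedAccess                   | 8          |
| tkt_data_failure                                         | 2726       |
| tkt_data_success                                         | 166        |
+----------------------------------------------------------+------------+
"""

PREFIXES = ("auditType_", "sensorType_", "syslog_filtered_reason_", "anomaly_type_")


def parse_metrics(text):
    """Return {table_title: {counter_name: int}} from SHOW_METRICS-style output."""
    tables = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("+--") and "[" in line:
            current = None           # timestamped rule: a new table starts here
            continue
        if not line.startswith("|"):
            continue                 # plain border rules and any other text
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2:
            continue
        name, value = cells
        if value == "Amount":        # header row carries the table title
            current = name
            tables[current] = {}
        elif current is not None and value.isdigit():
            tables[current][name] = int(value)
    return tables


def summarize(tables):
    """Group the counters the troubleshooting notes above tell you to look for."""
    flat = {name: value for table in tables.values() for name, value in table.items()}
    by_prefix = defaultdict(dict)
    for name, value in flat.items():
        for prefix in PREFIXES:
            if name.startswith(prefix):
                by_prefix[prefix][name[len(prefix):]] = value
    filtered_total = flat.get("filtered_audits", 0)
    per_reason = by_prefix["syslog_filtered_reason_"]
    return {
        "audits_per_type": by_prefix["auditType_"],
        "audits_per_sensor": by_prefix["sensorType_"],
        "filtered_per_reason": per_reason,
        "filtered_total": filtered_total,
        # every filtered audit should be accounted for by some filter reason
        "filter_counts_consistent": filtered_total == sum(per_reason.values()),
        "unparsed_messages": flat.get("mesages_with_no_matching_plugin", 0),
        "security_events_per_type": by_prefix["anomaly_type_"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_metrics(SAMPLE_METRICS)).items():
        print(f"{key}: {value}")
```

To run it on a live system, replace SAMPLE_METRICS with the contents of the PTA_Tool_Log file whose path SHOW_METRICS prints at the end of its output.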
Shortcuts for Common Commands
The shortcuts.sh utility allows easy use of PTA common commands. The format is:
shortcuts.sh [<type>]
Following are the types for this utility:
Type 1
Command: tail -f /opt/tomcat/logs/diamond.log | grep "ERROR"
Description: Output all errors in the last part of the main PTA log file, follow the file and output any errors as the file grows.

Type 2
Command: cat /opt/tomcat/logs/diamond.log | grep "ERROR" | less
Description: Output all errors in the main PTA log file.

Type 3
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-listener"
Description: Output all listener metrics in the last part of the main PTA log file, follow the file and output any listener metrics as the file grows.
Use this:
■ To verify incoming traffic from the sensors (such as Vault, Network Sensor, SIEM)
■ To verify the creation of audits per operation (such as Vault retrieve password, Vault logon, Windows logon, Unix logon, Kerberos traffic)
■ To verify that the syslogs from the various SIEMs (such as ArcSight, QRadar, Splunk, and so on) are successfully accepted in PTA

Type 4
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-listener" | less
Description: Output all listener metrics in the main PTA log file.
Use this:
■ To verify incoming traffic from the sensors (such as Vault, Network Sensor, SIEM)
■ To verify the creation of audits per operation (such as Vault retrieve password, Vault logon, Windows logon, Unix logon, Kerberos traffic)
■ To verify that the syslogs from the various SIEMs (such as ArcSight, QRadar, Splunk, and so on) are successfully accepted in PTA

Type 5
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-sampler"
Description: Output all sampler metrics in the last part of the main PTA log file, follow the file and output any sampler metrics as the file grows.
Use this:
■ To verify incident creation and that the outbound mail or syslogs were sent
■ To verify mitigation results, such as rotate password upon suspected credential theft

Type 6
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-sampler" | less
Description: Output all sampler metrics in the main PTA log file.
Use this:
■ To verify incident creation and that the outbound mail or syslogs were sent
■ To verify mitigation results, such as rotate password upon suspected credential theft

Type 7
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-Background"
Description: Output all scheduled task metrics in the last part of the main PTA log file, follow the file and output any scheduled task metrics as the file grows.
Use this to verify the results of scheduled tasks, such as Active Directory, Vault accounts and users, and so on.

Type 8
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-Background" | less
Description: Output all scheduled task metrics in the main PTA log file.
Use this to verify the results of scheduled tasks, such as Active Directory, Vault accounts and users, and so on.

Type 9
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-services"
Description: Output all PTA internal services metrics in the last part of the main PTA log file, follow the file and output any PTA internal services metrics as the file grows.

Type 10
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-services" | less
Description: Output all PTA internal services metrics in the main PTA log file.

Type 11
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA"
Description: Output all metrics in the last part of the main PTA log file, follow the file and output any metrics as the file grows.

Type 12
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA" | less
Description: Output all metrics in the main PTA log file.

Type 13
Command: tail -f /opt/tomcat/logs/diamond.log | grep "Incoming syslog"
Description: Output all incoming syslogs in the last part of the main PTA log file, follow the file and output any incoming syslogs as the file grows.
This command requires the Listener component to be on the Debug log level.
Use this:
■ To verify the incoming syslog is from Vault, SIEM, or Network Sensor
■ To see the syslog String received by PTA from the different inbound sources

Type 14
Command: cat /opt/tomcat/logs/diamond.log | grep "Incoming syslog" | less
Description: Output all incoming syslogs in the main PTA log file.
This command requires the Listener component to be on the Debug log level.
Use this:
■ To verify the incoming syslog is from Vault, SIEM, or Network Sensor
■ To see the syslog String received by PTA from the different inbound sources

Type 15
Command: tail -f /opt/tomcat/logs/diamond.log | grep "CyberArkAuthenticationService.svc/logon" | less
Description: Output all containment calls used in password rotation, pending accounts, and PSM risky commands in the last part of the main PTA log file, follow the file and output any containment calls as the file grows.
Use this to troubleshoot issues with mitigation of various containment capabilities such as Rotate Password, Pending unmanaged accounts, and update Risky commands scores in the PVWA.

Type 16
Command: cat /opt/tomcat/logs/diamond.log | grep "CyberArkAuthenticationService.svc/logon" | less
Description: Output all containment calls used in password rotation, pending accounts, and PSM risky commands in the main PTA log file.
Use this to troubleshoot issues with mitigation of various containment capabilities such as Rotate Password, Pending unmanaged accounts, and update Risky commands scores in the PVWA.

Type 17
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-dcaserver"
Description: Output all dcaserver metrics in the last part of the main PTA log file, follow the file and output any dcaserver metrics as the file grows.
Use this:
■ To troubleshoot configuration issues with the PTA Windows Agent
■ To troubleshoot connection issues between the PTA Windows Agent and the PTA Server

Type 18
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-dcaserver" | less
Description: Output all dcaserver metrics in the main PTA log file.
Use this:
■ To troubleshoot configuration issues with the PTA Windows Agent
■ To troubleshoot connection issues between the PTA Windows Agent and the PTA Server
Aliases
Aliases are predefined commands that allow easier troubleshooting of the PTA server.
The aliases are only available for the root user, and must be written in capital letters.
Alias                   Command
LOGSDIR                 cd /opt/tomcat/logs
TAILDIAMOND             tail -f /opt/tomcat/logs/diamond.log
LESSDIAMOND             less /opt/tomcat/logs/diamond.log
DEFAULTPARM             less /opt/tomcat/diamond-resources/default/systemparm.properties
LOCALPARM               vi /opt/tomcat/diamond-resources/local/systemparm.properties
VAULTSERVICESDIR        cd /opt/tomcat/VaultServices/
VAULTSERVICESLOG        less /opt/tomcat/VaultServices/Casos.Debug.log
CASOSSERVICESDIR        cd /opt/tomcat/CasosServices
CASOSSERVICESLOG        less /opt/tomcat/CasosServices/Casos.Debug.log
NETWORK_SENSOR_DEVICES  cat /opt/ag/conf/pta_devices.conf
VERSION_NUMBER          cat /opt/tomcat/diamond-resources/version.properties
UPGRADE_HISTORY         cat /opt/tomcat/logs/upgrade_history.log
RUN_DIAGNOSTICS         /opt/pta/diag-tool/pta_tool.sh
AGENTSHELL              /opt/agentshell/run.sh
EXPORT_UTILITY          /opt/tomcat/utility/exportTool.sh
MONIT_STATUS            sudo -u monit /opt/monit/bin/monit status
STATISTICS              less /opt/tomcat/statistics/logs/statistics.log
SHOW_METRICS            /opt/pta/diag-tool/pta_tool.sh P037
UTILITYDIR              cd /opt/tomcat/utility
PREPWIZDIR              cd /opt/tomcat/prepwiz
Domain Controllers – View the List and Manage the Cache
PTA uses domain controllers data for real time analysis. Using this tool, you are able to:
■ View the list of domains and list of Domain Controllers per each domain.
■ Clear the domain collection cache in the Database. You do this so that PTA is able
to relearn which Domain Controllers there are in each domain.
To View the Domain Controller List and to Manage the Cache:
1. Navigate to the utility directory using the UTILITYDIR command, and run
domainsUtil.sh.
The following menu appears:
1- Get list of domains and list of DC's per each domain
2- Clear domains collection cache in the Database:
2. Specify 1 to view the list of machines which PTA identifies as Domain Controllers,
for each domain.
For Example:
[root@PTAServer utility]# ./domainsUtil.sh
1- Get list of domains and list of DC's per each domain
2- Clear domains collection cache in the Database: 1
1. <Domain> includes 2 dc's: {10.1.1.1, aa-d1-dc1, aa-d1-dc1.<Domain>}; {10.1.1.11, aa-d1-dc2, aa-d1-dc2.<Domain>}
3. Specify 2 to clear the domain collection cache in the Database.
For Example:
[root@PTAServer utility]# ./domainsUtil.sh
1- Get list of domains and list of DC's per each domain
2- Clear domains collection cache in the Database: 2
Collection 'domains' has been deleted successfully
[root@PTAServer utility]#
Test the PTA Network Sensor Connection to the PTA
Server
Use this procedure to test the connection between the PTA Network Sensor and the
PTA Server.
To Test the Connection Between PTA and the Network Sensors:
1. Log on to PTA using the root user.
2. Change the user to agbroker by using the following command: su agbroker
3. At the command line, in the /opt/ag/bin/ folder, run the following command:
deviceMgmt.sh diag
4. Each sensor should report Succeeded together with its Network Sensor version number.
SSH access to device 'Probe1'(1) at '10.0.10.10'... Succeeded.
Version 5.1 Build 10
SSH access to device 'Probe2'(2) at '10.0.11.11'... Succeeded.
Version 5.1 Build 10
SSH access to device 'Probe3'(3) at '10.0.12.12'... Succeeded.
Version 5.1 Build 10
5. To reset the connection, you must reset the password of the PTA Network Sensor
broker user. For details, see Reset PTA Network Sensor Connection with the PTA
Server, page 47.
Reset PTA Network Sensor Connection with the PTA
Server
Use this procedure when there is no connection between the PTA Network Sensor and
the PTA Server. The message that the connection is refused might appear.
To reset the connection, you must reset the broker password. Use the below procedure
to achieve this.
To Reset the PTA Network Sensor Connection with the PTA Server:
1. Log on to the PTA Network Sensor machine using the admin username and
password:
■ Username: admin
■ Password: The admin password you created.
Note:
The PTA Network Sensor machine is hardened for security reasons. As such, you can
only log on to it using the admin user.
2. Change the user to root by using the following command: su -
Enter the root password you created.
3. At the command line, in the /opt/ag/bin/ folder, run the following command:
ns_setup.sh
4. Reset the password of the PTA Network Sensor broker user.
5. Add Sensors to your system. To do this, continue with the Add PTA Network Sensor
Coverage or a PTA Windows Agent connection section in the PTA Installation Guide.
Modify or Troubleshoot PTA Network Sensor
Configurations
Use the following procedure to modify or troubleshoot the PTA Network Sensor
configuration parameters.
To Modify or Troubleshoot PTA Network Sensor Configurations:
1. At the command line, in the /opt/ag/bin/ folder, run the following command:
ns_setup.sh
2. You are then able to modify the following PTA Network Sensor configurations:
PTA Network Sensor configuration: Network settings (IP, subnet, gateway)
You can: Modify Management card network settings.

PTA Network Sensor configuration: User credentials
You can: Change admin, root, and broker users.
Note:
Reset the broker user password if you need to add a Network Sensor to a PTA
machine. See Reset PTA Network Sensor Connection with the PTA Server, page 47.

PTA Network Sensor configuration: Hostname
You can: Modify the hostname of the PTA Network Sensor machine.

PTA Network Sensor configuration: NTP
You can: Modify NTP of the PTA Network Sensor.

PTA Network Sensor configuration: Date, Time and Timezone
You can: Set the Date, Time and Timezone of the Network Sensor.
3. In addition, you are able to restore PTA Network Sensor to the default settings.
Troubleshoot PAS Integration
Log Message: Error 500
Problem: Failed to log on to PAS
Suggested Resolution: There might be multiple binds for the same port in the IIS
configuration. Fix the IIS configuration to have only one bind per port.

Log Message: Error 404
Problem: Failed to log on to PAS
Suggested Resolution: The endpoint bindingConfiguration was httpBinding. It must be
returned to httpsBinding.

Log Message: Error 405
Problem: Failed to change credentials
Suggested Resolution: Need to disable WebDAVModule and WebDAV handler
(http://stackoverflow.com/a/14465655). You can remove them from the IIS features
using Server Manager > Add or Server Manager > Remove features.

Log Message: PTAUser had no permissions to invoke CPM
Problem: Failed to change credentials
Suggested Resolution: Need to add permissions. See Integrate PTA with PAS, page 52.

Log Message: Access denied
Problem: When clicking Full session details in Suspicious activities in a privileged
session, an access denied message is shown by the PVWA.
Suggested Resolution: In the PVWA, go to Administration > Options > Access
restrictions and configure PTA as an allowed referrer in the PVWA for both the IP
address and the FQDN/host. The format of the PTA machine should be: https://<IP> or
https://<FQDN/HOST>.
PTAAppUser is Suspended - Reactivate CasosService
When Golden Ticket detection is configured, CasosServices must be up and running.
When the PTAAppUser is suspended, CasosServices is not running and is therefore not monitoring.
This can be caused by exceeding the number of violations allowed for the PTAAppUser in the Vault (the default is 5).
Note:
By default, CasosServices is configured to request a restart five times.
If Golden Ticket detection is configured, perform the following procedure to reactivate CasosServices so that it resumes monitoring and PTA continues decrypting tickets.
To review the CasosServices logs:
■ Log configuration file: /opt/tomcat/CasosServices/logconf.log4cxx
■ Log file: /opt/tomcat/CasosServices/logs/casosservices.log
To Reactivate CasosServices:
1. Using the PrivateArk client, reactivate the suspended PTAAppUser.
2. Run one of the following commands:
■ Using the SEutility, enter task_executer and then select CasosServicesReActivateTask.
■ Or, from the command prompt:
sudo -u monit /opt/monit/bin/monit monitor ptacasosservicesd
Integrate PTA
To enable PTA to work correctly, the PTA machine must have access to data such as the
real-time activities of the Vault and the UNIX machines in your organization. The
following tasks describe how to configure PTA, CyberArk components, SIEM vendors
and the inspected UNIX machines to send their logging data to the PTA machine.
In this section:
Integrate PTA with PAS
Forward Log Data to PTA
Send PTA Data
Integrate PTA with PAS
PTA can integrate with PAS to provide actionability in the form of automatic reactive containment of detected credential thefts, unmanaged privileged accounts, and Overpass the Hash. This gives you a comprehensive CyberArk solution that not only detects but also contains the risk, and that protects your organizational environment at the highest standard.
PTA can be configured to automatically initiate password rotation when it detects a suspected credential theft or Overpass the Hash, without any user intervention. In addition, PTA can be configured to automatically add detected unmanaged privileged accounts to the pending accounts queue in PAS. These features are available only in environments where the Vault is installed, and they are enabled at system level.
To integrate PTA with PAS, perform the following procedures.
Verify the configuration
Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
CyberArk Vault / PAS Compatibility
■ Integrate the Vault with SIEM and PTA: CyberArk Vault version 7.2.5 or higher.
■ Support automatic threat containment using PAS integration, for Overpass the Hash attack and Suspected Credential Theft security events: CyberArk Vault version 9.3 or higher.
■ Support automatically adding unmanaged privileged accounts to the pending accounts queue: CyberArk Vault version 9.7 or higher.
■ Configure Golden Ticket detection: CyberArk Vault version 9.8 or higher.
■ Support the Privileged Session Management integration: CyberArk Vault and PVWA version 9.8 or higher.
Note:
Privileged Session Management integration works with lower versions of CyberArk Vault, but without the ability to report Privileged Session Analysis results to PVWA.
■ Support a distributed Vault environment: CyberArk Vault version 9.9.5 or higher.
■ Support sending PTA alerts to the Vault: CyberArk Vault version 9.10 or higher.
■ Support automatic session termination: CyberArk Privileged Account Security suite version 10.1 or higher.
Configure the Vault to Forward syslog Messages to PTA
The system logger of the Vault must be configured to send logging data to the PTA
machine for real-time data analysis.
Note:
When PTA is configured with Vaults deployed in a distributed environment, configure
the primary and satellite Vaults.
To Configure syslog on the Vault Machine:
1. From the installation package, copy PTA.xsl to the Syslog subdirectory of the Vault
installation folder. By default, the subdirectory is:
C:\Program Files (x86)\PrivateArk\Server\Syslog.
2. In the same server installation folder, by default C:\Program Files (x86)\PrivateArk\Server, open dbparm.ini and add the following lines:
[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=<port number>
SyslogServerIP=<server IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427
UseLegacySyslogFormat=No
Specify the following information:
■ SyslogServerIP: The IP address(es) of the PTA machine where messages will be sent.
■ SyslogServerPort: The port number through which the syslog will be sent. Specify 514 to send syslogs to the default PTA port.
■ SyslogServerProtocol: The protocol used to transfer the syslog records. Specify tcp or udp.
■ SyslogMessageCodeFilter: Defines which message codes will be sent from the Vault machine to PTA through the syslog protocol. You can specify message numbers separated by commas, and ranges of numbers using '-'.
Message codes are sent for the following events:
Code 7: Logon
Code 24: CPM Change Password
Code 31: CPM Reconcile Password
Code 295: Retrieve Password
Code 308: Use Password
Code 428: Retrieve SSH keys
Code 361: SSH Command
Code 372: Terminated PSM Session
Code 373: Terminated PSM Session Failed
Code 359: SQL Command
Code 436: SCP Command
Code 412: PSM Keystrokes Logging
Code 411: PSM Window Titles
Code 300: PSM Connect
Code 302: PSM Disconnect
Code 294: Store Password
Code 427: Store SSH Key
■ SyslogTranslatorFile: Specifies the XSL file used to parse Vault records into the syslog protocol.
■ UseLegacySyslogFormat: Controls the format of the syslog message, and defines whether it is sent in the newer syslog format (RFC 5424) or in a legacy format. Required value: No. This enables the Vault to work with the newer syslog format.
3. To forward Vault syslogs to multiple machines (for instance to your SIEM solution as well as to PTA), you can specify multiple values for the following parameters, separating each value with a comma.
■ This requires CyberArk Vault version 7.2.5 or higher.
■ All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.
■ The values of SyslogTranslatorFile, UseLegacySyslogFormat and SyslogMessageCodeFilter apply, in order, to the destinations configured in SyslogServerIP: the first value to the first address, the second to the second, and so on.
■ SyslogServerIP, SyslogTranslatorFile, UseLegacySyslogFormat: separate multiple values with a comma.
■ SyslogMessageCodeFilter: separate multiple codes with a comma, and separate the set of codes for each destination with a pipe (|), as shown in the example below.
The following example shows how to send different syslog messages to multiple syslog servers.
[SYSLOG]
SysLogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\QRadar.xsl,Syslog\PTA.xsl
SyslogServerPort=<port number>
SysLogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427
4. Save the file and close it.
5. Restart the Vault.
For more detailed instructions about integrating SIEM applications, see Integrating with SIEM Applications in the Privileged Account Security Implementation Guide.
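A misaligned multi-destination [SYSLOG] section fails quietly: the Vault keeps forwarding, but PTA receives the wrong format or an incomplete code set. The following Python check is an added example, not CyberArk code. It parses the section text with the positional rules described above and reports mismatches. The sample section is constructed to mirror the three-destination example; the assumption that the PTA destination is the one whose translator file is PTA.xsl is the author's, not the guide's.

```python
"""Consistency check for the [SYSLOG] section of a Vault dbparm.ini.

Added example, not CyberArk code. It reads the multi-destination form
of the section described above and reports what would silently break
forwarding: per-destination value counts that do not line up with the
number of SyslogServerIP entries, a PTA destination left on the legacy
format, or PTA message codes missing from its filter set.
"""
import configparser
import re

# Message codes PTA expects from the Vault (the code table above).
PTA_CODES = {7, 24, 31, 295, 308, 428, 361, 372, 373, 359, 436,
             412, 411, 300, 302, 294, 427}

# Constructed sample, mirroring the three-destination example above.
SAMPLE_DBPARM = """
[SYSLOG]
SyslogTranslatorFile=Syslog\\Arcsight.sample.xsl,Syslog\\QRadar.xsl,Syslog\\PTA.xsl
SyslogServerPort=514
SyslogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427
"""


def expand_codes(spec):
    """Expand a filter such as '7,8,295-296' into the set {7, 8, 295, 296}."""
    codes = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_hi = re.fullmatch(r"(\d+)-(\d+)", item)
        if lo_hi:
            codes.update(range(int(lo_hi.group(1)), int(lo_hi.group(2)) + 1))
        else:
            codes.add(int(item))
    return codes


def parse_syslog_section(text):
    """Return the [SYSLOG] parameters keyed by lower-cased name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["SYSLOG"].items())  # configparser lower-cases option names


def check_syslog_section(text):
    """Return a list of findings; an empty list means the section is consistent."""
    p = parse_syslog_section(text)
    findings = []
    ips = [s.strip() for s in p.get("syslogserverip", "").split(",") if s.strip()]
    translators = [s.strip() for s in p.get("syslogtranslatorfile", "").split(",")]
    legacy = [s.strip() for s in p.get("uselegacysyslogformat", "").split(",")]
    filters = p.get("syslogmessagecodefilter", "").split("|")  # one set per destination

    # Every per-destination parameter must carry exactly one value per SyslogServerIP.
    for name, values in (("SyslogTranslatorFile", translators),
                         ("UseLegacySyslogFormat", legacy),
                         ("SyslogMessageCodeFilter", filters)):
        if len(values) != len(ips):
            findings.append(f"{name}: {len(values)} value(s) for {len(ips)} destination(s)")
    if p.get("syslogserverprotocol", "").lower() not in ("udp", "tcp"):
        findings.append("SyslogServerProtocol must be udp or tcp")
    if p.get("syslogserverport") != "514":
        findings.append("SyslogServerPort is not the default PTA listener port 514")

    # The destination that uses PTA.xsl (assumption: that is the PTA destination)
    # must get the new syslog format and the full PTA code list.
    for i, translator in enumerate(translators):
        if not translator.lower().endswith("pta.xsl"):
            continue
        label = ips[i] if i < len(ips) else f"#{i + 1}"
        if i < len(legacy) and legacy[i].lower() != "no":
            findings.append(f"{label}: PTA destination requires UseLegacySyslogFormat=No")
        if i < len(filters):
            missing = sorted(PTA_CODES - expand_codes(filters[i]))
            if missing:
                findings.append(f"{label}: PTA destination is missing message codes {missing}")
    return findings
```

Run it against the section you are about to deploy (read the file, pass the text to check_syslog_section) before restarting the Vault; an empty list means the positional values line up and the PTA destination gets the RFC 5424 format with all seventeen codes.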
Configure the PVWA for PTA Integration with PAS
Configure the PTA user in PAS so that it can initiate automatic password changes when
PTA identifies a suspected credential threat and Overpass the Hash, and automatically
add detected unmanaged privileged accounts to the pending accounts queue in PAS.
To Configure the PVWA to automatically initiate password rotation or
reconciliation in PAS:
1. Log on to the PVWA as a user with the Manage Users permission.
2. Navigate to Policies > Access Control (Safes), select the Safe where you want to
automatically initiate password rotation, and click Edit to display the Safe Details
page.
3. Make sure that the Assigned to CPM setting is enabled.
4. Click Save.
5. Click Members.
6. Click Add Member.
7. Search for PTAUser.
8. Leave the default permissions (List accounts, Retrieve accounts, and View Safe
Members).
9. Expand Account Management and select Initiate CPM account management
operations.
10.Click Add.
11.Search for PTAAppUser and perform steps 8 -10 above.
12.Click Close. The PTAUser’s authorizations in the Safe are updated and the Safe
Details page is displayed again.
13.Repeat this procedure for each safe where you want to automatically initiate
password rotation.
To Configure Adding of Unmanaged Privileged Accounts to Pending Accounts
Queue in PAS
1. Log on to the PVWA as a user with the Manage Users permission.
2. Open the PasswordManager_Pending safe, and click Members to display the
Safe Details page.
3. Click Add Member.
4. Search for PTAUser.
5. Remove all default permissions, except List accounts and View Safe Members.
6. Expand Account Management and select the following permissions:
■ Add accounts (includes update properties)
■ Update account content
■ Update account properties
7. Click Add.
8. Click Close. The PTAUser’s authorizations in the Safe are updated and the Safe
Details page is displayed again.
Integrate PTA with PSM
The integration of PTA and PSM requires changes in the Vault and PVWA.
In the Vault:
Configure the Vault to forward syslog messages to PTA. For details, see Configure the
Vault to Forward syslog Messages to PTA, page 53
To Show the PTA Activity Score in PVWA:
1. Log on to the PVWA as a user with the Administrator permission.
2. Navigate to Administration > Options, and select PIM Suite Configuration
> Access Restriction.
3. Right-click and select Add AllowedReferrer.
4. In BaseUrl, enter the PTA Server IP address.
5. Set RegularExpression to Yes.
6. Click Apply.
7. Navigate to Administration > Options, and select PIM Suite Configuration
> Privileged Session Management UI.
8. Ensure that the PSMandPTAIntegration setting is set to Yes.
9. Click Apply and then click OK.
To Allow Session Termination:
1. Log on to the PVWA as a user with the Administrator permission.
2. Navigate to Administration > Options, and select PIM Suite Configuration
> Privileged Session Management > General Settings > Server Settings
> Live Sessions Monitoring Settings.
3. Ensure that the AllowPSMNotifications setting is set to Yes.
4. Click Apply.
5. Expand Live Sessions Monitoring Settings > Terminating Live Sessions
Users and Groups and ensure that the PSMLiveSessionTerminators group
exists.
6. Click Apply and then click OK.
Integrate PTA with EPM
Go to Advanced > Server Configuration and click the link that represents the current
value of the PTA Configuration parameter. Enter the PTA server name, along with the
username and password created in PTA.
Forward Log Data to PTA
PTA integrates with various solutions to receive raw data as syslog messages.
PTA can also receive Windows events from the PTA Windows Agent. For details on
installing the PTA Windows Agent, refer to the PTA Installation Guide.
Following are general guidelines for the data sent to PTA:
■ PTA supports UTF-8 formatted data.
■ Windows: The integration with Windows is based on security events 4624, 4723, and 4724. PTA supports these event types, which are available in Windows 2003 and higher.
Note:
In order for PTA to monitor activity of privileged accounts in Windows machines,
Windows security events 4624, 4723, and 4724 from each monitored Windows
machine must be forwarded to the SIEM and from the SIEM to PTA.
■ Unix: When collecting syslogs directly from Unix machines, PAM Unix is supported.
PAM Unix is supported by multiple Unix flavors, such as Red Hat Linux, HP-UX, and
Solaris.
Supported PAM Unix events include accepted public key, accepted password, and
session open.
■ Database: Oracle logon events are supported.
■ Network Sensor: Traffic is received from domain controllers in the environment.
■ Vault: Specific events are accepted. Supported device types are operating system
and database.
Note:
It is strongly recommended to limit the allowed sources of syslog messages using the
organization's firewall. PTA should only be allowed to receive syslog messages from
allowed sources such as ArcSight, Splunk, QRadar, and any other server that reports to
PTA.
■ To configure the Windows Events Forwarder server to send syslog messages to PTA via the PTA Windows Agents:
  ■ Configure Windows Event Forwarder server to forward Windows events to PTA, page 59
■ If your SIEM solution receives syslog messages from UNIX, Windows and Oracle machines, configure your SIEM solution to send these messages to PTA:
  ■ Configure HP ArcSight to Forward syslog Messages to PTA, page 59
  ■ Configure Splunk to Forward syslog Messages to PTA, page 59
  ■ Configure QRadar to Forward syslog Messages to PTA, page 61
  ■ Configure LogRhythm to Forward syslog Messages to PTA, page 63
  ■ Configure RSA to Forward syslog Messages to PTA, page 63
  ■ Configure McAfee ESM to Forward syslog Messages to PTA, page 63
■ To configure the UNIX Hosts to send syslog messages directly to PTA:
  ■ Configure UNIX Hosts to Forward syslog Messages to PTA, page 68
Verify the configuration
Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
Configure Windows Event Forwarder server to forward
Windows events to PTA
PTA Windows Agent can integrate with the Windows Event Forwarder server to receive
Windows events that have already been collected. To enable this integration, configure
the Windows Event Forwarder server to send events to the PTA server via the
PTA Windows Agent.
In the Windows Event Forwarder server, create a subscription to send these events.
Configure the Query Filter to send Windows security 4624, 4723, and 4724 events. Also,
in the Advanced Subscription Settings, select Minimize Latency.
Configure HP ArcSight to Forward syslog Messages to
PTA
PTA can integrate with HP ArcSight to receive raw data that has been already collected.
The raw data that PTA analyzes is login activities to Windows and Unix machines, as well
as to Oracle databases. To enable this integration, configure the ArcSight Forwarding
Connector to send CEF Syslog events to the PTA server.
For information about forwarding HP ArcSight events to a third party such as PTA, see
the relevant sections in the "HP ArcSight ESM Forwarding Connector for Integration with
Technology Partners" User’s Guide.
Note:
To forward only the relevant raw data from the HP ArcSight ESM Forwarding Connector,
it is recommended to load the dedicated ArcSight_to_PTA_Filter.arb filter file. This filter
guarantees that the ESM only forwards login activities to the platforms mentioned
above. For more information about this filter file, contact your CyberArk representative.
Configure Splunk to Forward syslog Messages to PTA
PTA can integrate with Splunk to enable it to send raw data to PTA, which analyzes login
activities of Windows and Unix machines, and detects abnormal behavior according to
the machine’s profile.
To Configure Splunk to Forward Windows Events to PTA:
1. In the SPLUNK_HOME/etc/system/local folder, open the outputs.conf file.
2. Add the following section:
[syslog:pta_syslog]
server = <PTA Server IP>:<port>
indexAndForward=true
type=<udp|tcp>
timestampformat = %s
■ <PTA Server IP> - The IP address of the PTA machine.
■ <port> - The port number to which the syslog will be sent. Specify port 514, which is the default PTA listener port for TCP and UDP.
■ <udp|tcp> - The syslog protocol type. Specify either udp or tcp.
For example:
[syslog:pta_syslog]
server = 192.168.0.1:514
indexAndForward=true
type=udp
timestampformat = %s
In the above example, the syslog type is udp, the IP of the PTA server is 192.168.0.1 and the PTA listening port is 514.
For more information about configuring the Splunk outputs.conf file, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf.
3. Save the outputs.conf file and close it.
4. In the same folder, open the props.conf file. If this file does not exist, create it.
5. Add the following section:
[source::WinEventLog:Security]
TRANSFORMS-pta = pta_syslog_filter
6. Save the props.conf file and close it.
7. In the same folder, open the transforms.conf file. If this file does not exist, create it.
8. Add the following section:
[pta_syslog_filter]
REGEX = EventCode=(4624|4723|4724)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = pta_syslog
The alternation must be grouped in parentheses. Splunk applies REGEX as an unanchored search on the raw event, so an ungrouped pattern such as .*EventCode=4624|4723|4724.* also routes any event that merely contains the digits 4723 or 4724 somewhere in its text.
9. Save the transforms.conf file and close it.
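The following Python snippet is an added example (not CyberArk or Splunk code) that runs the ungrouped and the grouped form of the routing pattern over constructed WinEventLog:Security events, including a process-creation event whose process ID happens to contain 4723, to show which events each form would send to PTA.

```python
"""Why the transforms.conf REGEX must group its alternation.

Added example, not CyberArk or Splunk code. Splunk applies REGEX as an
unanchored search on the raw event, so an ungrouped pattern such as
.*EventCode=4624|4723|4724.* is three alternatives, two of which are
bare numbers that match anywhere in the event text. The grouped form
only matches the EventCode field.
"""
import re

UNGROUPED = r".*EventCode=4624|4723|4724.*"
GROUPED = r"EventCode=(4624|4723|4724)"

# Constructed events in the multi-line WinEventLog:Security raw layout.
SAMPLE_EVENTS = [
    "03/01/2018 10:00:01 AM\nLogName=Security\nEventCode=4624\nLogon Type:\t3\nAccount Name:\tsvc_backup",
    # A process-creation event whose new process ID happens to contain 4723.
    "03/01/2018 10:00:02 AM\nLogName=Security\nEventCode=4688\nNew Process ID:\t0x4723\nNew Process Name:\tC:\\Windows\\notepad.exe",
    "03/01/2018 10:00:03 AM\nLogName=Security\nEventCode=4725\nTarget Account Name:\tjdoe",
    "03/01/2018 10:00:04 AM\nLogName=Security\nEventCode=4724\nTarget Account Name:\tadministrator",
]


def route_to_pta(events, pattern):
    """Return the EventCode of each event the pattern would route to PTA."""
    rx = re.compile(pattern, re.DOTALL)
    routed = []
    for raw in events:
        if rx.search(raw):
            routed.append(re.search(r"EventCode=(\d+)", raw).group(1))
    return routed
```

With the ungrouped pattern the 4688 event is routed to PTA because "0x4723" satisfies the bare 4723 alternative; with the grouped pattern only the 4624 and 4724 events are routed. The same precedence rule applies to any SIEM filter written as a regular expression.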
To Configure syslog Type as tcp:
1. In the SPLUNK_HOME/etc/system/local folder, open the outputs.conf file.
2. In the type parameter, specify tcp.
3. Save the outputs.conf file and close it.
4. In the same folder, open the props.conf file.
5. In the LINE_BREAKER_LOOKBEHIND parameter, specify 1500, as shown in the
following example:
[windows_snare_syslog]
LINE_BREAKER_LOOKBEHIND = 1500
6. Save the props.conf file and close it.
To Configure Splunk to Forward UNIX syslog Messages to PTA:
1. On the Splunk server, in the SPLUNK_HOME/etc/system/local folder, open the
outputs.conf file.
2. Add the following line:
syslogSourceType=sourcetype::<name of data type>
3. Specify the sourcetype name of the UNIX forwarder installed in your organization
that is associated with the type of data that will be forwarded to Splunk.
4. Save the outputs.conf file and close it.
5. In the same folder, open the props.conf file. If this file does not exist, create it.
6. Add the following row:
[source::/var/log/secure]
7. Save the props.conf file and close it.
Configure QRadar to Forward syslog Messages to PTA
PTA can integrate with QRadar to send raw data to PTA, which analyzes login activities
of Windows machines, and detects abnormal behavior according to the machine’s
profile. PTA supports centralized and endpoint configuration.
To Configure QRadar to Forward Windows Events to PTA:
1. In the QRadar dashboard, display the Admin tab, then select Forwarding
Destination.
2. Add a new destination by specifying the following details:
■ Name: The name of the destination. For example, PTA.
■ Destination Address: The IP address of the PTA server.
■ Event Format: The format of the destination event. Select Payload.
■ Destination Port: The port number to which the syslog will be sent. Specify port 514, the default PTA listener port.
■ Protocol: The syslog protocol type. Specify udp or tcp.
■ Prefix a syslog header if it is missing or invalid: Select this option.
3. Save the new destination and close it.
4. In the QRadar dashboard, in the Admin tab, select Routing Rules.
5. Add a new routing rule by specifying the following details:
■ Name: The name of the new routing rule. For example, Security information for PTA.
■ Description: A description of the new rule. This is optional.
■ Mode: The mode of the rule. Select Online.
■ Forwarding Event Collector: The event collector that is used to collect the security information. If multiple event collectors are used, create a rule for each event collector.
■ Data Source: The data source for this routing rule. Select Events.
■ Event Filters: Set the EventID to 4624, 4723, or 4724. See the following steps for details.
■ Routing Options: Select Forward and specify the forwarding destination that you entered in step 2.
6. In the Event Filters section, set EventID (custom) equals any of 4624, 4723, or 4724, and click the plus sign.
7. Click Add Filter.
8. Save the new routing rule and close it.
Configure LogRhythm to Forward syslog Messages to PTA
PTA can integrate with LogRhythm to receive raw data that has already been collected.
The raw data that PTA analyzes is login activities to Windows and Unix machines. To
enable this integration, configure LogRhythm to send events to the PTA server. For
information about forwarding LogRhythm events to a third party such as PTA, see the
relevant LogRhythm User’s Guide.
Configure RSA to Forward syslog Messages to PTA
PTA can integrate with RSA to receive raw data that has already been collected. The
raw data that PTA analyzes is login activities to Windows and Unix machines, as well as
to Oracle databases. To enable this integration, configure RSA to send events to the
PTA server. For information about forwarding RSA events to a third party such as PTA,
see the relevant RSA User’s Guide.
Configure McAfee ESM to Forward syslog Messages to
PTA
PTA can integrate with McAfee ESM to send raw data to PTA, which analyzes login
activities of Windows machines, and detects abnormal behavior according to the
machine’s profile. PTA supports centralized and endpoint configuration.
Before You Begin:
■ Make sure that the devices which will forward syslog messages to PTA are defined
in the McAfee Enterprise Security Manager (ESM).
To Configure McAfee to Forward syslog Messages to PTA:
1. Open McAfee Enterprise Security Manager (ESM), and click the System Properties button.
The System Properties window opens.
2. Click the Event Forwarding tab, then click the Add button. The Edit Event Forwarding Destination window opens.
3. Select or enter the following details:
■ Name: Enter a name.
■ Enabled: Click to select Enabled.
■ Format: Select Syslog (Standard Event Form) from the drop-down list.
■ Destination IP: Enter the PTA IP address.
■ Destination Port: Enter the port number 514.
■ Protocol: Select UDP from the drop-down list.
■ Facility: Leave the default, User.
■ Severity: Leave the default, Informational.
■ Time Zone: Select GMT+ and the PTA Server time zone.
4. Click the Event Filters button. The Event Filters window opens.
5. Next to the Device field, click the filter icon.
The Devices window opens and the list of predefined devices appears. These are the devices which will send syslog messages to PTA.
6. Select the relevant devices, then click OK. The devices you selected appear in the Device field.
7. In the Normalized ID area, click the filter icon to select the types of messages that will appear. The Filter Variables window opens.
8. Click the Watchlists tab.
9. Navigate to Authentication > Login, and select Host Login.
10. Click OK. The number 408977408/18 appears in the Normalized ID field.
11. Click OK to save your parameters in the Event Filters window.
12. Click OK again. The System Properties window reopens.
13. Click the Settings button. The Event Forwarding Settings window opens.
14. In the Maximum combined events forwarded per second field, set the value to 1.
15. Then, click OK.
16. Click OK again to save your settings, and to close the System Properties window.
Configure UNIX Hosts to Forward syslog Messages to PTA
You can configure the UNIX machines in your organization to forward syslog messages
to PTA, which analyzes UNIX syslog messages and detects when users access these
machines with a privileged account without first retrieving the password from the Vault.
This configuration is not necessary if the UNIX machines’ syslog messages are
forwarded to your SIEM solution and from there to PTA. For more information, see
Configure HP ArcSight to Forward syslog Messages to PTA, page 59.
To Configure UNIX Hosts to Forward syslog Messages to PTA:
1. Log in as the root user.
2. To identify the System Logger engine running on your OS, run the following
command:
ls -d /etc/*syslog*
Depending on your OS, the output will be one of the following:
■ rsyslog.conf
■ syslog.conf (the current version of PTA does not support this syslog engine)
■ syslog-ng.conf (the current version of PTA does not support this syslog engine)
The supported syslog engine has the following abilities:
■ Output type: Rsyslog
■ Configuration file location: /etc/rsyslog.conf
■ Custom ports: Yes
■ UDP forwarding: Yes
■ TCP forwarding: Yes
3. If an rsyslog engine is not installed on your Linux machine, install it.
For information about installing the rsyslog engine, see
http://www.rsyslog.com/rhelcentos-rpms/.
4. When the rsyslog engine is installed on your machine, configure it as follows:
a. Edit the configuration file with a text editor such as vi, as follows:
vi /etc/rsyslog.conf
b. In the configuration file, add a rule for the authpriv facility, which limits the syslog messages sent to security and authorization messages:
authpriv.*<tab><protocol><server IP>:<port number>
Note: Make sure authpriv.* and <protocol><server IP> are separated by tabs and not spaces.
c. Specify the following information:
■ Protocol - Replace <protocol> with @ for UDP or @@ for TCP.
■ Server IP - Replace <server IP> with the IP of the PTA machine.
■ Port number - Replace <port number> with the port number to which the syslog will be sent. Specify port 514, which is the default PTA listener port for TCP and UDP.
Note:
If the syslog engine on the machine does not accept a port suffix on the target, specify only the address; messages are then sent to the default syslog port 514, which is the PTA listener port:
authpriv.*<tab>@<server IP>
d. Save the file and exit the editor.
5. Restart the syslog service by using one of the following commands:
service rsyslog restart
or,
/etc/init.d/rsyslog restart
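The detection this section describes, a privileged UNIX login that was not preceded by a password retrieval from the Vault, can be reproduced on the two feeds configured above: the sshd "Accepted password" / "Accepted publickey" lines that the PAM Unix integration consumes, and the Vault's Retrieve Password events (message code 295). The following Python is an added example, not PTA's own detection logic. The sshd lines, the Vault records, the hostnames and the 15-minute correlation window are all constructed; the dict layout of the Vault records stands in for whatever your parser produces from the Vault syslog feed and is an assumption.

```python
"""Flag privileged UNIX logins with no preceding Vault password retrieval.

Added example, not PTA's own logic. It correlates sshd 'Accepted ...'
events (the PAM Unix events PTA consumes) with Vault Retrieve Password
events (message code 295) for the same account and target host.
"""
import re
from datetime import datetime, timedelta

YEAR = 2018  # syslog lines carry no year; the constructed data is from 2018
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sshd lines from two monitored hosts.
UNIX_SYSLOG = [
    "Mar  1 10:02:10 prod1 sshd[4021]: Accepted password for root from 10.0.0.5 port 51234 ssh2",
    "Mar  1 10:02:10 prod1 sshd[4021]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Mar  1 10:20:45 dev1 sshd[7733]: Accepted publickey for root from 10.0.0.9 port 50211 ssh2",
    "Mar  1 10:25:00 prod1 sshd[4100]: Accepted password for jdoe from 10.0.0.5 port 51300 ssh2",
]

# Constructed Vault retrieval events (message code 295), in an assumed
# dict layout as produced by a parser for the Vault syslog feed.
VAULT_RETRIEVALS = [
    {"time": datetime(YEAR, 3, 1, 10, 0, 30), "code": 295,
     "user": "alice", "account": "root", "target": "prod1"},
]

PRIVILEGED_ACCOUNTS = {"root"}  # assumption: the accounts PTA is configured to treat as privileged


def parse_accepted(line):
    """Parse an sshd 'Accepted' line; return None for any other line."""
    m = ACCEPTED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "user": m["user"],
            "method": m["method"], "src": m["src"]}


def find_bypassed_logins(syslog_lines, retrievals, window=timedelta(minutes=15)):
    """Return privileged logins with no Retrieve Password event for the same
    account and host within `window` before the login."""
    flagged = []
    for line in syslog_lines:
        ev = parse_accepted(line)
        if ev is None or ev["user"] not in PRIVILEGED_ACCOUNTS:
            continue
        covered = any(
            r["code"] == 295 and r["account"] == ev["user"] and r["target"] == ev["host"]
            and timedelta(0) <= ev["time"] - r["time"] <= window
            for r in retrievals
        )
        if not covered:
            flagged.append((ev["host"], ev["user"], ev["src"], ev["method"]))
    return flagged
```

The root login on prod1 is covered by alice's retrieval 100 seconds earlier; the publickey root login on dev1 has no retrieval and is flagged. Key-based logins are worth the attention: they bypass the password entirely, so a retrieval of the password alone never explains them unless the key itself is vaulted (message code 428, Retrieve SSH keys), which this example does not model.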
Send PTA Data
PTA can send detected incidents as syslog messages to SIEM solutions. PTA can also
send alerts to individual or group email addresses, or to the Vault.
In this section:
Send PTA syslog Records to SIEM , page 71
Send PTA Alerts to Email , page 77
Send PTA Alerts to the Vault, page 78
Verify the configuration
Log on to the PTA machine as a root user and run the PTA diagnostic tool using the
RUN_DIAGNOSTICS command to verify that PTA works properly with the new
configuration.
Send PTA syslog Records to SIEM
PTA can integrate with SIEM solutions to send detected incidents as syslog messages in
CEF/LEEF format.
This section describes how to configure outbound integration of PTA with your SIEM
solution. When PTA detects an event, it sends a syslog record to the server where your
SIEM solution is installed in real time using CEF/LEEF format.
You can identify PTA records by their device vendor name, CyberArk, and their device
product name, PTA.
To Configure PTA to Send syslog Records to SIEM:
1. On the PTA machine, open the default systemparm.properties file using the
DEFAULTPARM command.
2. Copy the line containing the syslog_outbound property, and exit the file.
3. Open the local systemparm.properties file using the LOCALPARM command.
4. Press i to edit the file.
5. Paste the line you copied, uncomment the syslog_outbound property and edit the
parameters. Use the following table as a guide.
■ siem: The SIEM system in your organization. PTA supports the following vendors: HP ArcSight, McAfee, QRadar, RSA, Splunk.
■ format: The format used to transfer the syslog records to the server where your SIEM solution is installed. Enter CEF or LEEF. CEF is supported by HP ArcSight, McAfee, RSA and Splunk; LEEF is supported by QRadar.
■ host: The host/IP address of the server where your SIEM solution is installed.
■ port: The port number through which the syslog records will be sent to the server where your SIEM solution is installed.
■ protocol: The protocol used to transfer the syslog records to the server where your SIEM solution is installed. Currently, PTA supports only udp.
Example for HP ArcSight, McAfee, RSA, Splunk:
syslog_outbound=[{"siem": "McAfee", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "UDP"}]
Example for QRadar:
syslog_outbound=[{"siem": "QRadar", "format": "LEEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "UDP"}]
Example for multiple syslog recipients, separated by commas:
syslog_outbound=[{"siem": "RSA", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "UDP"}, {"siem": "QRadar", "format": "LEEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "UDP"}, …]
6. Save the configuration file and close it.
7. Restart PTA.
8. To view the syslog records sent by PTA, see:
■ CEF-Based Format Definition, page 73
■ LEEF-Based Format Definition, page 75
CEF-Based Format Definition
The following describes the CEF-based format of the syslog records sent by PTA.
Prefix fields:
■ CEF:[number]: The CEF header and version. The version number identifies the version of the CEF format. Value: CEF:0
■ Device Vendor, Device Product, Device Version: Information about the device sending the message. For PTA, the Device Vendor is CyberArk and the Device Product is PTA. Value: CyberArk, PTA, 3.95
■ Event Type: A unique ID that identifies the event that is reported. Value: {21-55}
■ Event Name: A description of the reported event type. Value: {Suspected credentials theft, Unmanaged privileged account, Privileged access during irregular hours, etc.}. For a complete list of PTA detections, indicators of compromise and their descriptions, see What Detections Does PTA Report?, page 6.
■ Severity: A numeric value that indicates the severity of the event, where 1 is the lowest and 10 the highest severity. Value: {1,2,3,4,5,6,7,8,9,10}
Extension fields:
■ suser: Source user name. Value: any user
■ shost: Source host name. Value: any host
■ src: Source IP address. Value: any IP
■ duser: Destination user name. Value: any user
■ dhost: Destination host address. Value: any host
■ dst: Destination IP address. Value: any IP
■ cs1Label: The label of the Extra Data field. Value: "ExtraData"
■ cs1: Additional information which is relevant for the reported security event. Value: SPN, Session, etc.
■ cs2Label: The label of the Security Event ID field. Value: "EventID"
■ cs2: The ID of the reported security event. Value: 52b06812ec3500ed864c461e
■ deviceCustomDate1Label: The label of the detection date field. Value: "DetectionDate"
■ deviceCustomDate1: The system time when PTA identified the security event. Value: 1388577900000
■ cs3Label: The label of the link field. Value: "PTALink"
■ cs3: The HTTPS link to the Incident Details page of this security event in the PTA dashboard. Value: https://1.1.1.1/incidents/52b06812ec3500ed864c461e
■ cs4Label: The label of the external link field. Value: "ExternalLink"
■ cs4: An HTTPS link to another CyberArk or third party product that can add more information to the incident. Value: http://...
Note:
The suser, shost, src, duser, dhost and dst fields may contain a single value or a list of values. If the field contains a list of values, the values are separated by a comma; if the list is larger than 1024, data is omitted and "etc.." is added to the end.
The dhost and dst fields may be a single host or a database instance. If it is a database instance, the dhost destination is in the format <machine:instance>.
When the src, dst, duser, suser or cs1 field has no value, the field is sent with the value None.
The following example shows a syslog record generated by PTA (a single line, wrapped here for readability):
CEF:0|CyberArk|PTA|3.95|1|Suspected credentials theft|8|
suser=<user>@domain.com shost=prod1.domain.com src=1.1.1.1
duser=<user>@domain.com dhost=dev1.domain.com dst=2.2.2.2
cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e
deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000
cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e
cs4Label=ExternalLink cs4=None
LEEF-Based Format Definition
The following table describes the LEEF-based format of the syslog records sent by PTA. Each entry gives the field, the value PTA sends, and a description.
Prefix fields
■ LEEF:[number] (specified value: LEEF:1.0). The LEEF header and version. The version number identifies the version of the LEEF format.
■ Device Vendor, Device Product, Device Version (specified value: CyberArk, PTA, 3.95). Information about the device sending the message. For PTA, the Device Vendor is CyberArk and the Device Product is PTA.
■ Event Type (specified value: {21-55}). A unique ID that identifies the event type that is reported.
■ Cat (specified value: {Suspected credentials theft, Unmanaged privileged account, Privileged access during irregular hours, etc.}). A description of the reported event type. For a complete list of PTA detections, indicators of compromise and their descriptions, see What Detections Does PTA Report?, page 6.
■ sev (specified value: {1,2,3,4,5,6,7,8,9,10}). A numeric value that indicates the severity of the event; 1 is the lowest event severity and 10 is the highest.
Extension fields
■ src (any host/IP). Source host name or IP address.
■ usrName (any user). Destination user name associated with the event.
■ dst (any host/IP). Destination host name or IP address.
■ extraDataLabel ("extraData"). The label of the Extra Data field.
■ extraData (SPN, Session, etc.). Additional information that is relevant to the reported security event.
■ eventIdLabel ("eventID"). The label of the Security Event ID field.
■ eventID (for example, 52b06812ec3500ed864c461e). The ID of the reported security event.
■ devTime (for example, 1388577600000). The system time when PTA identified the security event, in Unix epoch milliseconds.
■ linkLabel ("ptaLink"). The label of the link field.
■ ptaLink (for example, https://1.1.1.1/incidents/52b06812ec3500ed864c461e). The HTTPS link to the Incident Details page of this security event in the PTA dashboard.
■ suserLabel ("suser"). The label of the Source User Name field.
■ suser (any user). Source user name.
■ externalLinkLabel ("externalLink"). The label of the external link field.
■ externalLink (http://...). An HTTPS link to another CyberArk or third-party product that can add more information to the incident.
Note:
The same conventions apply as for the CEF format: the src, dst, suser and usrName fields may contain a single value or a comma-separated list of values, truncated with "etc.." at the end if the list exceeds 1024 characters; dst may refer to a single host or to a database instance in the format <machine:instance>; and a field that has no value is sent with the value None.
The following example shows syslog output generated by PTA. PTA sends the record as a single line; it is wrapped here for readability:
LEEF:1.0|CyberArk|PTA|3.95|1|Cat=Suspected credentials theft|sev=8|
src=src1 userName=mike dst=192.168.0.1
ExtraDataLabel=ExtraData ExtraData=None EventIdLabel=EventID
EventID=52b06812ec3500ed864c461e devTime=1388577600000
LinkLabel=PTALink PTALink=https://1.1.1.1/incidents/52b06812ec3500ed864c461e
suserLabel=SourceUserName suser=mike2
ExternalLinkLabel=ExternalLink ExternalLink=None
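The two record layouts above are what a SIEM or a custom collector has to take apart before it can alert on a PTA detection. The following Python is an added example written for this guide, not code from PTA or CyberArk. It parses both the CEF and the LEEF record into one dictionary, applies the conventions stated in the Notes (the value None for an empty field, comma-separated lists in the source and destination fields with the "etc.." truncation marker, and the <machine:instance> form of a database target), and resolves the csNLabel/csN and ...Label pairs so that a consumer can read the event ID and the incident link by name. The sample records are constructed on the pattern of the two examples above: user and host names are made up, and the duser list and the database-instance dhost were added to exercise those rules. Treating deviceCustomDate1 and devTime as Unix epoch milliseconds, and assuming no literal pipe inside a LEEF attribute, are this example's assumptions.

```python
import re
from datetime import datetime, timezone

# Fields that, per the guide, may carry a comma-separated list of values,
# truncated with "etc.." once the list exceeds 1024 characters.
LIST_FIELDS = {"suser", "shost", "src", "duser", "dhost", "dst"}
TRUNCATION_MARKER = "etc.."

# Constructed samples modelled on the guide's examples (users, hosts and addresses
# are made up); duser carries a truncated list and dhost a database instance.
SAMPLE_CEF = (
    "CEF:0|CyberArk|PTA|3.95|1|Suspected credentials theft|8|"
    "suser=mike@domain.com shost=prod1.domain.com src=1.1.1.1 "
    "duser=admin@domain.com,svc_sql@domain.com,etc.. dhost=dev1.domain.com:SQLPROD "
    "dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID "
    "cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate "
    "deviceCustomDate1=1388577900000 cs3Label=PTAlink "
    "cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e "
    "cs4Label=ExternalLink cs4=None")
SAMPLE_LEEF = (
    "LEEF:1.0|CyberArk|PTA|3.95|1|Cat=Suspected credentials theft|sev=8| "
    "src=src1 userName=mike dst=192.168.0.1 ExtraDataLabel=ExtraData ExtraData=None "
    "EventIdLabel=EventID EventID=52b06812ec3500ed864c461e devTime= 1388577600000 "
    "LinkLabel=PTALink PTALink=https://1.1.1.1/incidents/52b06812ec3500ed864c461e "
    "suserLabel=SourceUserName suser=mike2 ExternalLinkLabel=ExternalLink "
    "ExternalLink=None")

_KEY_RE = re.compile(r"(?:^|[ \t])([A-Za-z0-9_]+)=")  # start of a 'key=' token
_CEF_PIPE = re.compile(r"(?<!\\)\|")                  # header separator, not '\|'

def parse_kv_extension(ext):
    """Split 'k1=v1 k2=v with spaces k3=v3' into a dict; values keep their spaces."""
    hits = list(_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out

def normalize(field, value):
    """'None' means empty; list fields become {'values': [...], 'truncated': bool}."""
    if value == "None":
        return None
    if field not in LIST_FIELDS:
        return value
    truncated = value.endswith(TRUNCATION_MARKER)
    if truncated:
        value = value[:-len(TRUNCATION_MARKER)]
    return {"values": [v.strip() for v in value.split(",") if v.strip()],
            "truncated": truncated}

def split_db_target(target):
    """A database-instance destination is sent as machine:instance."""
    return tuple(target.split(":")) if target.count(":") == 1 else (target, None)

def resolve_labels(raw):
    """Map each '<x>Label=<name>' pair to the field holding the data: CEF keeps it in
    the base key (cs3Label=PTALink -> cs3), the guide's LEEF output under the label
    itself (LinkLabel=PTALink -> PTALink). Case-insensitive; keys are lowercased."""
    lower = {k.lower(): (k, v) for k, v in raw.items()}
    labelled = {}
    for key, label in raw.items():
        if key.endswith("Label"):
            hit = lower.get(key[:-len("Label")].lower()) or lower.get(label.lower())
            if hit:
                labelled[label.lower()] = normalize(hit[0], hit[1])
    return labelled

def _build(fmt, vendor, product, version, event_type, name, severity, raw):
    labelled = resolve_labels(raw)
    ts = raw.get("devTime") or labelled.get("detectiondate")  # assumed epoch ms
    return {"format": fmt, "vendor": vendor, "product": product,
            "product_version": version, "event_type": int(event_type),
            "event_name": name, "severity": int(severity),
            "fields": {k: normalize(k, v) for k, v in raw.items()},
            "labelled": labelled,
            "detection_time": (datetime.fromtimestamp(int(ts) / 1000, tz=timezone.utc)
                               if ts else None)}

def parse_cef(line):
    """One PTA CEF record: 7 pipe-delimited header fields, then the extension."""
    parts = _CEF_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    _, vendor, product, version, event_type, name, severity, ext = parts
    return _build("CEF", vendor, product, version, event_type, name, severity,
                  parse_kv_extension(ext))

def parse_leef(line):
    """One PTA LEEF record. PTA emits Cat=... and sev=... as extra pipe-delimited
    header segments before the attributes (assumed to contain no literal '|')."""
    parts = line.strip().split("|")
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record: %r" % line[:40])
    _, vendor, product, version, event_type = parts[:5]
    raw = {}
    for seg in parts[5:-1]:
        key, _, val = seg.partition("=")
        raw[key.strip()] = val.strip()
    raw.update(parse_kv_extension(parts[-1]))
    return _build("LEEF", vendor, product, version, event_type,
                  raw.pop("Cat", ""), raw.pop("sev", "0"), raw)

def parse_pta_syslog(line):
    """Dispatch on the prefix; both formats yield the same dict shape."""
    return (parse_cef if line.lstrip().startswith("CEF:") else parse_leef)(line)
```

The extension parser does not split on whitespace, because a value such as the Event Name or an ExtraData entry can itself contain spaces; it locates the next key= token instead. Label resolution is case-insensitive on purpose: the guide's own table and example disagree on the case of DetectionDate/detectionDate and PTALink/PTAlink, and a collector that keys on the exact string breaks on that.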
Send PTA Alerts to Email
PTA can send alerts to individual or group email addresses.
To Configure PTA to Send Alerts to Emails:
Note:
If you already configured PTA to send emails during the PTA installation, you do not
need to perform this procedure.
1. On the system console, log in as the root user using the password you specified
during installation.
2. Start the email configuration utility by running the following command:
/opt/tomcat/utility/emailConfiguration.sh
3. Enter the IP address of the email server in your organization, then press Enter.
Specify the email server IP address:
The SMTP port prompt appears.
Specify SMTP port [25]:
a. Enter the port of the SMTP server, then press Enter. The following prompt
appears.
Specify the sender’s email address (in the following format:
[email protected]):
b. Specify the email address, in lowercase characters, of the user whose name will
be included as the sender in notifications, then press Enter. The following prompt
appears.
Specify the recipient’s email address (in the following
format: [email protected]). Separate multiple addresses with
‘;’ (semi-colon):
c. Specify the email address(es), in lowercase characters, of the notification
recipient(s), then press Enter. Separate multiple recipient addresses with a
semi-colon. The mail server authentication prompt appears.
Does the mail server require authentication (y/n)? [y]:
d. Enter y if the mail server requires authentication, then press Enter.
The sender’s credentials prompts appear:
Setting the sender’s credentials
Enter username and password for the user that will send email
notifications.
Username:
Password:
Retype password:
e. Enter the user name and password of the user in the email system who will send
notifications, then press Enter. After the sender’s credentials are saved
successfully, the following confirmation is displayed.
The sender's credentials saved successfully.
f. After the email notifications are configured successfully, the following
confirmation is displayed and the utility exits.
Email notifications configuration finished successfully.
Send PTA Alerts to the Vault
PTA can send alerts to the Vault. This feature is automatically enabled.
In PVWA, you can see the PTA alerts under the Privileged Threat Analytics Activities
section. There are two events:
■ 460 - Privileged Threat Analytics event for managed account
■ 461 - Privileged Threat Analytics event for Vault user
In PAS, the alerts are marked in the report as Privileged Threat Analytics Event.
To Disable this Feature:
1. On the PTA machine, open the local systemparm.properties configuration file
using the LOCALPARM command.
2. Press i to edit the file.
3. Change the send_pta_events_to_pas_enabled property to False.
4. Save the file and close it.
5. Run the service appmgr restart command to restart PTA.
Use PTA
The PTA dashboard displays an overview of general system status for a selected period
of time, enabling you to view system activity and analysis, as well as details about current
and past incidents and a summary of system activity.
This section describes how to access PTA, introduces you to the PTA dashboard and
explains how to generate reports.
In this section:
Access and Use PTA
Use and Understand the Dashboard
Generate Reports
Access and Use PTA
Refer to the following procedures to access and use PTA.
Log on to PTA
Log off from PTA
Change your Password
Reset your Password
Manage your Password
Access PTA Information
Log on to PTA
In your browser, navigate to the following URL: https://ptaserver
The PTA Sign In window is displayed.
To Log on to PTA as an administrator:
1. In the Sign In window, specify administrator and the administrator password, then
click Sign In; PTA authenticates your user and displays the PTA dashboard.
2. While you are logged onto PTA as an administrator, you can use any of the following
procedures:
■ To change or reset your password, see Change your Password, page 82.
■ If you forgot your password, you can reset your password. See Reset your
Password, page 83.
■ To update the settings described in Use PTA for the First Time, page 10.
To Log on to PTA as a regular user:
1. Specify your user name and password, then click Sign In; PTA authenticates your
user and displays the PTA dashboard.
2. If you are an LDAP user, enter your username as UPN.
For Example:
[email protected]
Log off from PTA
From the User menu, select Sign out; PTA signs you out.
Change your Password
Use the following procedure to change your password.
To Change your Password:
1. From the User menu, select Change Password.
The Change Password window is displayed.
2. In Current Password, specify the password that you used to log on to PTA.
3. In New Password, specify a new password that meets all of the following criteria:
■ A minimum of twelve characters
■ At least two uppercase and two lowercase letters
■ At least two digits
4. In Confirm Password, specify your new password again to confirm it, then click
Change password; PTA updates your password.
Reset your Password
If you forget your administrator password, you can initiate a password reset process.
To Reset your Password:
1. On the system console, log in as the ptauser user using the password you specified
during installation.
2. At the command line, in the /opt/tomcat/utility folder, run the following command.
sudo ./resetPtaAdminPass.sh
The following prompt appears.
[Step 1/1 – Reset PTA Administrator’s Password]
This will reset the Administrator’s password. Are you sure you
want to continue (y/n)? [n]: y
3. Specify y to continue the reset password procedure. The Password prompt appears.
Password:
4. Specify the new password, then press Enter. The Retype password prompt
appears.
Retype password:
5. Specify the new password again, then press Enter; the process resets the password
and the following confirmation is displayed.
PTA Administrator’s password has been reset successfully
When you log on to PTA for the first time after resetting your password, the Change
Password window is displayed and you are required to change your password. For more
information, see Change your Password, page 82.
Manage your Password
You can manage your PTA Dashboard Administrator password via CyberArk Privileged
Account Security, for password verification and automatic password change.
To Manage your Administrator Password (for PAS 10.1 and PVWA 10.1 and
higher):
Note:
This procedure is only for users whose PAS and PVWA versions are 10.1 or higher.
See the next procedure for older versions of PAS and PVWA.
1. In the PVWA, go to Administration > Platform management > CyberArk PTA
and ensure that the status is Active.
2. In the PVWA, create a new account.
a. Set the Platform Name to CyberArk PTA.
b. Set the Device Type to Application.
c. Set the Address to the PTA Server, using one of the following values:
i. IP address
ii. Host name
iii. FQDN
d. Set the Username to Administrator.
e. Set the Password to the Administrator account's password.
3. Verify the account.
To Manage your Administrator Password (for PAS and PVWA version less than
10.1):
Note:
This procedure is only for users whose PAS and PVWA versions are less than 10.1. See the
previous procedure for newer versions of PAS and PVWA.
If you are using a previous version of the PTAPlugin.zip file, that creates a PTA Dashboard
platform, you must import the new PTAPlugin.zip file, and move the account to the new platform.
1. Import the PTAPlugin.zip file included in the PTA installation package to the PVWA.
See the Importing New Platforms section in the Privileged Account Security
Implementation Guide.
2. In the PVWA, create a new account.
a. Set the Platform Name to CyberArk PTA.
b. Set the Device Type to Application.
c. Set the Address to the PTA Server, using one of the following values:
i. IP address
ii. Host name
iii. FQDN
d. Set the Username to Administrator.
e. Set the Password to the Administrator account's password.
3. Verify the account.
4. In the PVWA, go to Administration > Platform management. If the
PTA Dashboard platform with a Website device exists, delete the existing account.
5. Go to Administration > Platform management > PTA Dashboard and ensure
that the status is Inactive.
Access PTA Information
■ Click the icon and select About to view information about the current release of PTA.
■ Click the icon and select Help Center to open an HTML version of the
PTA Implementation Guide.
Use and Understand the Dashboard
The Dashboard provides an overview of general system status for a selected period of
time, as well as details about current and past incidents and a summary of system activity
over time.
The dashboard presents all this information in multiple graphical analyses of system
activity and security incidents, enabling you to see and understand system activity at a glance.
In this section:
Select a Time Frame , page 88
View Current Incidents, page 88
View System Activities, page 90
View the Incident Summary , page 91
Close an Incident, page 93
View Privileged Related Risks, page 95
Select a Time Frame
In the upper right area of the Dashboard, select the time frame to display in the
Dashboard analysis.
View Current Incidents
The Incidents chart displays incidents in the system over the selected timeframe and
shows their severity using the following display features:
■ Color: Incidents are displayed as colored bubbles, according to one of three risk
levels. This enables you to easily understand if suspicious activities occurred.
Suspicious activities detected in a privileged session are displayed in a larger bubble,
with the center of the bubble also colored. Only one bubble is displayed for all the
suspicious activities detected over the selected timeframe. This bubble is an
aggregation of all the suspicious activities, and is placed between the most suspicious
and the latest suspicious activities in the privileged session.
Suspicious activities detected in a privileged session include:
■ Commands that are considered suspicious
■ Privileged access to the Vault during irregular hours
■ Excessive access to privileged accounts in the Vault
■ Activity by dormant Vault users
Note:
You can display suspicious activities in individual bubbles, using the
numberOfIncidentsToGroupBy system parameter. For details, see Section: UI, page 151.
■ Severity score: Each bubble contains a score that denotes the severity attributed
to the incident. Although the bubbles are placed at different levels on the chart, this
score gives a precise indication of severity.
■ Frame: The frame around each bubble indicates the management status of the
incident.
■ A heavy outline indicates that the incident has not yet been viewed.
■ A light outline indicates that the incident has been viewed.
■ Enlarge the Display of a Timeframe, page 89
■ View Incident Details, page 89
Enlarge the Display of a Timeframe
You can zoom into the display of a time period in the chart to enable you to distinguish
more clearly between incidents that occurred closely together.
■ Click and hold the mouse over a date, then drag it to create a yellow box that defines
the relevant timeframe. You can further enlarge the selected period by repeating this
procedure.
■ To return to the default view of the Incidents chart, select Week in the upper right
area of the Dashboard.
View Incident Details
■ Hold your mouse over an incident to view details,
or,
■ Select an incident to display a summary of details in the Details pane. The summary
includes the name, risk index and status of the incident, as well as a description. For
more information, see View the Incident Summary , page 91.
The incident details for suspicious activities detected in a privileged session are shown as
a table. Click the suspicious activities incident to view details:
The incident details are displayed in order according to the Risk Index. You can sort them
by Start Date. A summary of details for the first incident is displayed in the Details pane.
Select an incident to show its summary of details. The summary includes the name, risk
index and status of the incident, as well as a description. For more information, see View
the Incident Summary , page 91.
View System Activities
You can see a summary of events in the system over the selected period of time, giving
you a comparison among the different types of activities. This information is displayed in a
bar chart that indicates the number of activities by type and the date when they occurred.
To view a summary of these activities for a specific day, move your mouse over any bar.
You can click on any of the activity types at the bottom. When the activity type is gray, its
events are not shown.
The activity types are received from Vault, SIEM, Unix, Network Sensor, AD, and EPM.
If there is no activity from one of these sources during the selected period of time, the type
is not shown. Activities from the time period before this version was installed are shown
with the type All.
View the Incident Summary
The Details pane displays the current risk index and status of the incident.
The Incident Summary indicates whether the incident has been handled, using the
following stages:
Status Indicates
Unread This incident has not yet been viewed.
In the Incidents graph, this type of incident is marked with a bold
frame.
Active This incident has been viewed and is currently being handled.
In the Incidents graph, this type of incident is marked with a light
frame.
Closed This incident is no longer in progress.
In the Incidents graph, this type of incident is marked with a gray
frame.
■ Click Details to display the Incident Details page, which contains more information
about each incident. See View Incident Details, page 92.
View Incident Details
The Incident Details page provides details about a selected incident, enabling you to view
a break-down of events and the incident’s current status and risk. Using this information,
you can investigate incidents and contain them to ensure a lower risk environment.
The example above shows a Suspected credentials theft event.
In the Incident Details page for suspicious activities, click Full session details to view
the details in PVWA. You must authenticate yourself to access PVWA.
View Correlated Events
The Correlated Events page provides details about multiple security events that occurred
over a certain period involving the same Vault user, account, attacked asset, and/or
source machine, which are correlated into one or more incidents.
■ Identifying the Correlated Incident, page 92
■ Viewing the Correlated Incident as a Table of Security Events, page 93
Identifying the Correlated Incident
PTA allocates an ID to each correlated incident, which is combined with the reason for
the incident to create a unique title. The title of the first type of suspicious activity that
occurred is displayed. A short description gives an overview of the correlated incident,
which includes multiple correlated security events that occurred in a certain period and
involved the same Vault user and/or attacked asset.
Viewing the Correlated Incident as a Table of Security Events
PTA displays a table of security events which lists all the correlated security events that
comprise the incident. You can expand an event to view a detailed description of it.
This table includes the following details:
■ ID: The unique ID of the event.
■ Score: The risk index of the event.
■ User: The name of the Vault user whose account was used.
■ Target user: The name of the target user whose account was used.
■ Target address: The address of the machine that was the target of the event.
■ Source address: The address of the machine from which the event originated.
■ Event type: The type of event that occurred.
■ Detection time: The time when the security event was detected. This enables you to
see how much time has passed since the event occurred and security may have been
compromised.
Close an Incident
After you have handled an incident successfully, you can close it and it is removed from
the Dashboard’s Incident chart. Its risk index will not be used to calculate the system risk
index any more.
1. In the Incident Summary, click Close; the Close incident window is displayed.
2. From the Reason drop-down list, select the reason for closing the incident:
■ Incident was handled – The user investigated the reason for the incident, took
care of the relevant issues, and it is no longer a threat.
■ It is not a real incident – Although an anomaly was detected, human
observation determined that it was not a real anomaly.
3. Click OK to save your changes.
View Privileged Related Risks
PTA is able to proactively create alerts on critical risks in privileged accounts.
You can review these critical risks in the PTA dashboard.
Caution:
The procedures referenced below are by recommendation only.
The recommendations in this section are the Customer's responsibility.
CyberArk does not bear any responsibility for the procedures below, which are
performed at the Customer site.
The following table lists each risk name, an explanation of the risk, and the
recommended actions.
■ Unconstrained Delegation
Explanation of the risk: Service accounts are granted permissive delegation privileges
and therefore expose the domain to high risk. An attacker could maliciously leverage a
service account that is trusted for unconstrained delegation in order to compromise
credentials and access remote services on behalf of delegated accounts. PTA searches
for accounts with permissive delegation privileges and flags these accounts as risky.
Recommended actions: Use the following recommended procedure: To Identify Risky
Service Accounts Exposed to Unconstrained Delegations:, page 97.
■ Risky SPNs
Explanation of the risk: Privileged accounts with an SPN (service principal name)
configuration can be vulnerable to offline brute-forcing and dictionary attacks, allowing
a malicious insider to recover the account's clear-text password.
Recommended actions: Use the following recommended procedure: To Identify Risky
SPNs:, page 98.
■ Dual Usage
Explanation of the risk: A service account was interactively logged on. Logging on
interactively using service accounts can create security risks by leaving credential
hashes on the target machine. Attackers seek service account credentials, which are
valid for an extended period of time.
Recommended actions: Use the following recommended procedure: To Identify Service
Accounts Logged on Interactively:, page 101.
■ Exposed Credentials
Explanation of the risk: LDAP might send user credentials in clear text when using
unsecure or legacy LDAP methods for authentication; in other words, the credentials
are exposed and not encrypted. PTA searches for clear text credentials transmitted
over the wire, and flags the machines which expose these credentials as risky. You can
also view a list of the detected compromised accounts.
Recommended actions: Use the following recommended procedure: To Identify
Machines Exposing Credentials:, page 100.
To Identify Risky Service Accounts Exposed to Unconstrained Delegations:
Caution:
This procedure is by recommendation only.
The recommendations in this section are the Customer's responsibility.
CyberArk does not bear any responsibility for the procedures below which are
performed at the Customer site.
1. In the Dashboard, click on the risk, Unconstrained Delegation in the left pane.
The events connected to that Risk appear in the Unconstrained Delegation
window, with details of each event.
■ The Unconstrained Delegation window displays the following details: Score,
Account name, Target address, Source address, Event type, and Status.
■ If the risk appears in an aggregated summary, in the Account column
Multiple will appear instead of the account name, and in the risk details, a list of
detected compromised accounts appears.
2. Review each event.
3. Consider changing the Delegation property rights of the relevant service accounts to
Constrained Delegation.
4. Consider also configuring privileged accounts with the Account is sensitive and
cannot be delegated option.
5. Repeat for every machine where the potential risk is identified.
6. Continue with To Close and Filter Risky Events, page 102.
To Identify Risky SPNs:
Caution:
This procedure is by recommendation only.
The recommendations in this section are the Customer's responsibility.
CyberArk does not bear any responsibility for the procedures below which are
performed at the Customer site.
1. In the Dashboard, click on the risk, Risky SPN(s) in the left pane.
The events connected to that Risk appear in the Risky SPN(s) window, with details
of each event.
■ The Risky SPN(s) window displays the following details: Score, Account
name, Event type, and Status.
■ If the risk appears in an aggregated summary, in the Account column
Multiple will appear instead of the account name, and in the risk details, a list of
detected compromised accounts appears.
2. Review each event.
3. Consider increasing the encryption level to use AES256.
4. Reduce the privileges of accounts associated with SPNs to the minimum possible.
5. Periodically clean SPNs that are no longer necessary.
6. Ensure that accounts associated with SPNs are configured with complex, rotated
and random generated passwords.
7. Store and manage the privileged account in the Vault.
8. Repeat for every machine where the potential risk is identified.
9. Continue with To Close and Filter Risky Events, page 102.
To Identify Machines Exposing Credentials:
Caution:
This procedure is by recommendation only.
The recommendations in this section are the Customer's responsibility.
CyberArk does not bear any responsibility for the procedures below which are
performed at the Customer site.
1. In the Dashboard, click on the risk, Exposed Credentials in the left pane.
The events connected to that Risk appear in the Exposed Credentials window, with
details of each event.
■ The Exposed Credentials window displays the following details: Score,
Account name, Target address, Source address, Event type, and Status.
■ If the risk appears in an aggregated summary, in the Account column
Multiple will appear instead of the account name, and in the risk details, a list of
detected compromised accounts appears.
2. Review each event.
3. Double click, or click the plus sign, to view details of the risky machine.
4. Go to the physical machine where the potential risk was identified, and search for any
services running LDAP.
5. Consider changing the method LDAP is using for authentication to a more secure
method, or use LDAPS.
6. Repeat for every machine where the potential risk is identified.
7. Continue with To Close and Filter Risky Events, page 102.
To Identify Service Accounts Logged on Interactively:
Caution:
This procedure is by recommendation only.
The recommendations in this section are the Customer's responsibility.
CyberArk does not bear any responsibility for the procedures below which are
performed at the Customer site.
1. In the Dashboard, click on the risk, Dual Usage in the left pane.
The events connected to that Risk appear in the Service Account logged on
interactively window, with details of each event.
■ The Service Account logged on interactively window displays the following
details: Score, Account name, Target address, Source address, Event
type, and Status.
■ If the risk appears in an aggregated summary, in the Account column
Multiple will appear instead of the account name, and in the risk details, a list of
detected compromised accounts appears.
2. Review each event.
3. Consider separating user accounts from service accounts, and logging on
interactively only with user accounts.
4. Repeat for every machine where the potential risk is identified.
5. Continue with To Close and Filter Risky Events, page 102.
To Close and Filter Risky Events
1. After reviewing an event you can close it.
■ To close an event, click the square to select the event, then click the Close
button.
2. To filter the events while reviewing them, do the following:
■ Select Show open events to only show the open events.
■ Select Show all events to show both open and closed events.
3. After reviewing the events, you can close all the events in the risk.
■ To do this, click the top square to select all the events, then click the Close
button.
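The procedures above tell you where to click in the dashboard; the classification behind the first three risks can also be reproduced from directory attributes and logon events, which is useful for confirming a PTA finding or for checking a domain before PTA is deployed. The following Python is an added example written for this guide, not PTA's detection logic or any CyberArk code. It applies the published userAccountControl and msDS-SupportedEncryptionTypes bit values and the Security event 4624 logon types to constructed records. The account and logon samples, the set of groups treated as privileged, and the rule that "service account" means "account that carries an SPN" are assumptions made for the example. Exposed Credentials is not covered because it is detected on the wire, not from directory data.

```python
# userAccountControl and msDS-SupportedEncryptionTypes bits (Microsoft's
# documented values) and the 4624 logon types used by the checks below.
UF_TRUSTED_FOR_DELEGATION = 0x80000    # trusted for unconstrained delegation
UF_NOT_DELEGATED = 0x100000            # "Account is sensitive and cannot be delegated"
ENCTYPE_AES = 0x08 | 0x10              # AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

# Assumed for this example: groups whose members count as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory records (the attributes an LDAP query would return).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["backup/srv1.domain.com"], "memberOf": ["Backup Operators"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/db1.domain.com:1433"], "memberOf": ["Domain Admins"],
     "msDS-SupportedEncryptionTypes": 0x04},          # RC4 only
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web1.domain.com"], "memberOf": [],
     "msDS-SupportedEncryptionTypes": ENCTYPE_AES},
    {"sAMAccountName": "da_admin", "userAccountControl": 0x200 | UF_NOT_DELEGATED,
     "servicePrincipalName": [], "memberOf": ["Domain Admins"],
     "msDS-SupportedEncryptionTypes": ENCTYPE_AES},
]
# Constructed Security-log logon events (the fields of event 4624 that matter here).
SAMPLE_LOGONS = [
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 10, "WorkstationName": "WS17"},
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 5, "WorkstationName": "DB1"},
    {"EventID": 4624, "TargetUserName": "da_admin", "LogonType": 2, "WorkstationName": "WS17"},
]

def is_service_account(acct):
    """Assumed definition: any account that carries an SPN is a service account."""
    return bool(acct.get("servicePrincipalName"))

def is_privileged(acct):
    return bool(PRIVILEGED_GROUPS & set(acct.get("memberOf", [])))

def unconstrained_delegation_risks(accounts):
    """Accounts trusted for unconstrained delegation: a compromised one can reuse
    the TGT of any user who authenticated to it. The guide's remediation is
    constrained delegation plus marking privileged accounts as sensitive."""
    return [{"risk": "Unconstrained Delegation", "account": a["sAMAccountName"],
             "service_account": is_service_account(a)}
            for a in accounts if a["userAccountControl"] & UF_TRUSTED_FOR_DELEGATION]

def privileged_not_marked_sensitive(accounts):
    """Privileged accounts that are still delegable (UF_NOT_DELEGATED not set)."""
    return [a["sAMAccountName"] for a in accounts
            if is_privileged(a) and not a["userAccountControl"] & UF_NOT_DELEGATED]

def risky_spn_risks(accounts):
    """Privileged accounts with an SPN: any domain user can request a service ticket
    for the SPN and brute-force the account password offline (Kerberoasting).
    aes_enabled=False means the ticket is RC4/DES, the cheapest to crack, which is
    why the guide recommends moving to AES256."""
    return [{"risk": "Risky SPN", "account": a["sAMAccountName"],
             "aes_enabled": bool(a.get("msDS-SupportedEncryptionTypes", 0) & ENCTYPE_AES)}
            for a in accounts if is_service_account(a) and is_privileged(a)]

def dual_usage_risks(accounts, logons):
    """Service accounts seen in an interactive logon, which leaves credential
    material on the target machine; network/service logons (types 3, 5) are normal."""
    service = {a["sAMAccountName"] for a in accounts if is_service_account(a)}
    return [{"risk": "Dual Usage", "account": e["TargetUserName"],
             "machine": e["WorkstationName"], "logon_type": e["LogonType"]}
            for e in logons if e["EventID"] == 4624
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES
            and e["TargetUserName"] in service]

def assess(accounts, logons):
    """Group findings by risk name, the way the dashboard's left pane lists them."""
    report = {}
    for finding in (unconstrained_delegation_risks(accounts) + risky_spn_risks(accounts)
                    + dual_usage_risks(accounts, logons)):
        report.setdefault(finding["risk"], []).append(finding)
    report["Privileged accounts not marked sensitive"] = privileged_not_marked_sensitive(accounts)
    return report
```

In a real run the account records come from an LDAP query for the attributes named in the dictionaries and the logon events from a Security-log export; the functions work on either source as long as the keys match. Note that the Dual Usage check deliberately ignores logon type 5 (a service starting under the account), since that is what a service account is for; only the interactive types indicate a person using it.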
Generate Reports
For a general description on generating and using PTA reports, see Generate a PTA
Report, page 103.
In the Reports page, you are able to generate the following PTA reports:
■ User Activities Report – This report describes the User Profile of a Vault user,
and displays their regular activities and anomalies during a specified period.
See Understanding the User Activities Report, page 105.
■ Privileged Threat Assessment Report – This report presents a thorough visual
summary of PTA analysis of privileged account activity in your organizational
environment.
See Understanding the Privileged Threat Assessment Report, page 106.
Generate a PTA Report
1. Click Reports to display the Reports page.
2. Define the report to generate and its contents:
■ Report Type – Select one of the following report types:
■ User Activities Report
■ Privileged Threat Assessment (PDF)
■ Date Range – Select the time frame to include in the report. Choose one of the
following:
■ Last 7 days
■ Last 30 days
■ Last 60 days
■ Customize – Choose this option to display the Select Date Range window,
which enables you to select a date range.
■ User – Specify the username of the Vault user. PTA provides suggestions as
you type into the field. This is only relevant to the User Activities Report.
The following diagram displays the definitions for the User Activities Report:
The following diagram displays the definitions for the Privileged Threat
Assessment Report:
3. Click Generate to generate the report for the selected time period.
Understanding the User Activities Report
The User Activities Report displays the user’s normal behavior by anomaly type, and
shows all events that occurred in the given time frame in a table.
The User Activities Report includes the following sections:
■ Profile summary – Displays the user’s normal behavior by profile type:
■ Working hours
■ Access rate (8 hours)
■ Source IP
Note:
If the user has a default profile, “default” is displayed. If no profile exists for this user,
“N/A” is displayed.
■ Events table – Displays all events that occurred for this user in the given time
frame. The table includes the following fields:
■ Serial number – The anomaly’s serial number in the table.
■ ID – The anomaly’s ID in the PTA database.
■ Score – The risk index of the event.
■ Target user – The target user affected by the event.
■ Target address – The target address of the machine affected by the event.
■ Source address – The source address of the machine on which the event
occurred.
■ Event type – The type of event that occurred.
■ Detection time – The time when the event was detected.
Understanding the Privileged Threat Assessment Report
The Privileged Threat Assessment Report presents a thorough visual summary of PTA
analysis of privileged account activity in your organizational environment.
After generating the Privileged Threat Assessment Report, it is automatically
downloaded to your local machine.
Before the report presents the activity analysis, it gives an at-a-glance view of the level of
risk to which your organization is exposed.
This section of the report presents the following details:
■ Overall risk level – A system score that reflects the current overall risk index. This
score uses the following values:
Risk index System score
Low 0 – 70
Medium 70 – 90
High 90 – 100
Note:
Time range selection does not impact the value of this field.
■ Total number of security incidents – A security incident is an event or series of
events that indicates a security risk. This metric displays the number of incidents
detected during the selected date range that pose a potential security risk. This
number includes all types of incidents – Unread, Active and Closed.
■ Average incident score – The average score of all the incidents in this report. The
score range is 1–100.
■ Total security events – A security event is an observable occurrence of suspicious
or malicious behavior. This metric displays the total number of security events
indicating abnormal user behavior that occurred during the date range for this report.
The Privileged Threat Assessment Report analyzes the following privileged account
activity:
■ Top Accounts with Unusual Behavior, page 108
■ Top Machines with Unusual Behavior, page 109
■ Top Accounts not Managed by CyberArk, page 110
■ Top Accounts Suspected of Credentials Theft, page 111
■ Top Scored Incidents, page 112
Top Accounts with Unusual Behavior
A list of accounts that have the most detected incidents. Review these accounts to make
sure they do not pose a potential security threat.
This list displays the following information:
Column – Description
User – The name of the user who used the account.
Target – The machine the user used to log on and/or to retrieve the password.
Account type – The type of account. Possible values are:
■ OS: Unix/Windows/”N/A”
■ DB: Oracle
■ Domain
Number of incidents – The number of incidents that the user or account was involved in.
Average score – The average risk score for each incident.
Last observed – The date and time of the last incident.
Top Machines with Unusual Behavior
A list of machines that have the most detected incidents. Review these machines to make
sure they do not pose a potential security threat.
This list displays the following information:
Column – Description
Name – The fully qualified domain name (FQDN) of the machine where the incident took place.
Number of incidents – The number of incidents that the user or account was involved in.
Average score – The average risk score for each incident.
Last observed – The date and time of the last incident.
Top Accounts not Managed by CyberArk
A list of the most used privileged accounts that are not currently managed by CyberArk
and could pose a potentially high security threat.
This list displays the following information:
Column – Description
Name – The name of the user who used the account.
Target – The fully qualified domain name (FQDN) of the machine where the user logged on and/or retrieved the password.
Account type – The type of account. Possible values are:
■ OS: Unix/Windows/”N/A”
■ DB: Oracle
Times observed – The number of times that the account was involved in security events.
Last observed – The date and time of the last security event.
Top Accounts Suspected of Credentials Theft
A list of accounts that are managed by CyberArk, but access to the accounts is not
properly going through the CyberArk Vault. This type of account usage indicates misuse
of privileged accounts and suspected credential theft.
This list displays the following information:
Column – Description
User – The name of the user who used the account.
Target – The fully qualified domain name (FQDN) of the machine where the user logged on and/or retrieved the password.
Account type – The type of account. Possible values are:
■ OS: Unix/Windows/”N/A”
■ DB: Oracle
■ Domain
Times observed – The number of times that the account was involved in security events.
Last observed – The date and time of the last incident.
Top Scored Incidents
A list of the most severe incidents, with a breakdown of their security events. This list
provides informative details for forensic investigation of potential threats.
This list displays the following information:
Column – Description
Index – The sequence of listed incidents, from the most severe to the least severe.
ID – The ID of the incident, allocated by PTA.
Score – The risk score for each incident.
Type – The type of incident.
User – The type of user who used the account during each incident. Possible values are:
■ Vault user
■ User name
■ None
Affected asset – The name of the asset that was affected by each incident. Possible values are:
■ Target machine
■ Database
■ Source IP
■ Source machine
■ None
Detection time – The date and time when each incident was detected.
Description – A detailed description of each incident.
Manage PTA
This section describes how to manage PTA.
In this section:
Manage your License
Run the PTA Management Utility
Logging
Reset PTA to Clear All Data
Monitor PTA
Collect Data from PTA
Import PTA to a New Machine
Manage your License
The PTA license settings enable you to do the following:
■ View license usage in your organization
■ Upload a license
■ Update an expired license
■ Specify targets and Domain Controllers that PTA will monitor or disregard
See the following:
View your License Settings
View License Usage
Upload a License
Updating an Expired License File
Use the Inclusion and Exclusion Lists
View your License Settings
1. In the Dashboard, click the Settings tab.
2. In the left pane, click Administration > License.
View License Usage
The License Usage area displays the number of targets and Domain Controllers in your
organization that are being monitored by PTA, compared to the number of targets and
Domain Controllers allowed under the terms of your license.
When the number of monitored targets and Domain Controllers exceeds your license
limits, a red exclamation mark appears and the number of monitored targets and Domain
Controllers is displayed along with their percentage of the total number of targets and
Domain Controllers allowed under your license terms. For information about expanding
your license, contact your CyberArk support representative.
Upload a License
To upgrade or renew your license, upload a valid license file as follows:
1. Click Uploading License to display the license upload area.
2. Click Browse and select the license file.
3. Click Upload to upload the file.
When the license file is uploaded successfully, the PTA dashboard is displayed.
Updating an Expired License File
When an existing license has expired, the License Required page is displayed.
Upload the license file provided by your CyberArk support representative as follows:
■ Click Browse and select the license file, then click Upload to upload the file. When
the license file is uploaded successfully, the PTA dashboard is displayed.
Use the Inclusion and Exclusion Lists
The Inclusion and Exclusion Lists enable you to specify which targets and Domain
Controllers you want PTA to monitor, and which targets and Domain Controllers you
want it to disregard. This allows you to focus PTA monitoring on the most relevant targets
and Domain Controllers in your organization, while passing over less significant ones.
Excluded targets and Domain Controllers will not be counted under the terms of your
license.
■ In the Inclusion List, specify the targets and Domain Controllers that PTA will be
monitoring. For example, to monitor all the production machines in your
organization, add them to this list. If no targets and Domain Controllers are specified
in the Inclusion List, PTA will assume that all targets and Domain Controllers in your
organization must be monitored.
■ In the Exclusion List, specify the targets and Domain Controllers that you want
PTA to disregard. For example, to exclude all machines that are used for testing or
debugging, add them to this list. If no targets and Domain Controllers are specified in
this list, PTA will assume that no machine must be excluded.
The targets and Domain Controllers you specify in the Exclusion List will be subtracted
from the targets and Domain Controllers you specified in the Inclusion List to form the
group of targets and Domain Controllers that PTA will monitor. If a particular target or
Domain Controller exists in both the Inclusion and the Exclusion List, the target or
Domain Controller will be excluded from PTA monitoring.
Targets and Domain Controllers can be added to the lists in the following formats:
■ IP/CIDR
■ Policy ID
To Add an Entry to the Inclusion or Exclusion List:
1. In the Settings page, display the relevant list.
2. Add one or more targets and Domain Controllers to the list in the supported formats.
For example:
■ IP – 10.10.0.1
■ Policy ID – Unix_test
To Remove an Entry from the Inclusion or Exclusion List:
■ In the specific target or Domain Controller row, click the delete icon; the target or
Domain Controller is removed from the list.
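The combination rule described above (the Exclusion List is subtracted from the Inclusion List, a target in both lists is excluded, and an empty Inclusion List means everything is monitored) worked through in Python, as an added example that is not part of this guide or of PTA itself. It assumes a constructed target record carrying an IP address and the Policy ID of the platform its accounts are managed under; how PTA represents targets internally is not documented here. Entries are classified the way the lists accept them: anything that parses as an IP or CIDR is matched against the address, anything else is treated as a Policy ID.

```python
import ipaddress

# Constructed sample targets (assumption: each target has an IP and a Policy ID).
SAMPLE_TARGETS = [
    {"name": "prod-db-01", "ip": "10.10.0.1", "policy_id": "Oracle_prod"},
    {"name": "prod-web-02", "ip": "10.10.0.2", "policy_id": "Unix_prod"},
    {"name": "test-unix-01", "ip": "10.20.0.5", "policy_id": "Unix_test"},
    {"name": "dc-01", "ip": "10.30.0.10", "policy_id": "Windows_domain"},
]


def parse_network(entry):
    """Return an ip_network for an IP or CIDR entry, or None for a Policy ID."""
    try:
        # strict=False lets a host address such as 10.10.0.1 stand for a /32
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def entry_matches(entry, target):
    """True if a list entry (IP, CIDR or Policy ID) covers the target."""
    net = parse_network(entry)
    if net is not None:
        # Mixed IP versions simply fail to match rather than raising
        return ipaddress.ip_address(target["ip"]) in net
    return entry == target.get("policy_id")


def is_monitored(target, inclusion, exclusion):
    """Apply the guide's rule: exclusion wins over inclusion, and an empty
    Inclusion List means every target is monitored."""
    if any(entry_matches(e, target) for e in exclusion):
        return False
    if not inclusion:
        return True
    return any(entry_matches(e, target) for e in inclusion)


def monitored_names(targets, inclusion, exclusion):
    """Names of the targets PTA would monitor, sorted for stable comparison."""
    return sorted(t["name"] for t in targets if is_monitored(t, inclusion, exclusion))


if __name__ == "__main__":
    # Monitor the production subnet, disregard the Unix_test platform
    print(monitored_names(SAMPLE_TARGETS, ["10.10.0.0/24"], ["Unix_test"]))
```

Because excluded targets are not counted against the license, the length of the list that monitored_names returns is also the figure that the License Usage area compares with your licensed count.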
Run the PTA Management Utility
The PTA utility enables you to manage PTA. It is used for the following purposes:
■ Uploading data to the database
■ Creating the baselines for different algorithms
■ Administering the application
To Run the PTA Management Utility:
1. On the system console, log in as the ptauser user using the password you specified
during installation.
2. Start the PTA utility by running the following command:
sudo /opt/tomcat/utility/run.sh
The menu options, as described in the table below, appear.
Option – Description
1. Create baseline for 'Privileged access during irregular hours' algorithm – Creates a baseline for the 'Privileged access during irregular hours' algorithm from the Vault log data.
2. Create baseline for 'Excessive access to privileged accounts' algorithm – Creates a baseline for the 'Excessive access to privileged accounts' algorithm from the Vault log data.
3. Stop application processes – Stops PTA.
4. Start application processes – Starts PTA.
5. Stop Tomcat Web Server – Stops the PTA Web Server.
6. Start Tomcat Web Server – Starts the PTA Web Server.
7. Show application processes status – Enables you to monitor PTA services.
8. Enter exchange user – Enables you to specify credentials for the Exchange user who will send incident notifications.
9. Export external data – Exports data from the PTA system.
10. Clear analysis data – Deletes all the analysis data from the database.
11. Clear database – Clears all the data from the database.
12. Create baseline for 'Accessing the Vault from irregular IP' algorithm – Creates a baseline for the 'Accessing the Vault from irregular IP' algorithm from the Vault log data.
13. Delete all events, incidents and profiles – Clears all events, incidents and profiles from the database.
14. Generating a Certificate Signing Request (CSR) – Generates a Certificate Signing Request (CSR).
Note:
The CSR requires a Base-64 encoded X.509 SSL certificate.
15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates) – Installs an SSL Certificate Chain.
Note:
The SSL Certificate Chain requires a Base-64 encoded X.509 SSL certificate.
16. Installing SSL Client Certificate Issuer Chain (Root, Intermediate(s)) – Installs an SSL Client Certificate Issuer Chain.
Note:
The SSL Certificate Issuer Chain requires a Base-64 encoded X.509 SSL certificate.
17. Exit – Exits the PTA utility.
3. Select the relevant option and then press Enter.
4. In the /opt/tomcat/utility/logs/ directory, open the diamond-utility.log file and
verify that no errors have occurred.
Other PTA Utilities
PTA provides other utilities that can assist you when managing the system.
To run these utilities, at the command line, in the /opt/tomcat/utility/ folder, run the
specific command:
Note:
The ChangeLogLevel.sh, changeComponentResource.sh, and shortcuts.sh utilities are
found in the /opt/pta/utility/ folder.
Utility – Description
authorizedSourceHostsConfiguration.sh – Configure authorized hosts. See Configure PTA for Authorized Hosts, page 31.
crossDomainConfiguration.sh – Configure cross-domain mapping in a multi-domain environment.
dataAndTimezoneConfiguration.sh – Configure the date and time zone.
domainsUtil.sh – View the Domain Controller list and manage the cache. See Domain Controllers – View the List and Manage the Cache, page 46.
emailConfiguration.sh – Configure email notifications.
exportTool.sh – Collect data from PTA. See Collect Data from PTA, page 128.
exportObscurelyTool.sh – Collect and encrypt data from PTA.
goldenTicketConfiguration.sh – Add domain coverage for Golden Ticket Detection. See the Add PTA Network Sensor Coverage or a PTA Windows Agent connection with Golden Ticket Detection section in the PTA Installation Guide.
identifyDuplicateDNSUtil.sh – Identify whether there is a DNS issue.
networkConfiguration.sh – Specify the network configuration.
networkSensorConfiguration.sh – Add Network Sensor coverage. See the Add PTA Network Sensor Coverage or a PTA Windows Agent connection section in the PTA Installation Guide.
objectCountUtil.sh – Count how many objects exist for a specified period.
reloadVaultData.sh – Reload data from the Vault.
resetPtaAdminPass.sh – Initiate a password reset process. See Reset your Password, page 83.
vaultConfiguration.sh – Configure the Vault connection.
ChangeLogLevel.sh – For each component, set the target log level to info, debug, or trace. Info is the default level for each component log.
Note:
By default, every change restarts the affected component. To disable the restart, add -norestart.
shortcuts.sh – Easily use PTA common commands. See Shortcuts for Common Commands, page 41.
migrate_centos6_to_centos7.sh – Migrate data from CentOS 6 to CentOS 7. See the Migrate to CentOS 7 - PTA Version 3.6 section in the PTA Installation Guide for details.
import_PTA_data.sh – Import PTA data, configuration and settings from the existing PTA machine to a new machine. See Import PTA to a New Machine, page 129.
Logging
Logging enables you to track all the activities carried out by PTA or by PTA Windows
Agent and to identify problems, if they occur.
PTA Logging
The log files that are created by the system are stored on the PTA machine in the
locations specified below. It is not recommended to change the locations of these files.
For your convenience, you can use the changeLogLevel.sh utility instead of manually
changing the log level in the system.
For Name of log file Default location
PTA installation and configuration prepwiz.log /opt/tomcat/prepwiz/logs
PTA utility diamond-utility.log /opt/tomcat/utility/logs
PTA system diamond.log /opt/tomcat/logs
PTA statistics statistics.log /opt/tomcat/statistics/logs
PTA upgrade log_upgrade.log /opt/tomcat/logs
The debug level determines the types of messages that are included in the log files. The
default debug level is info. To see all activities, change the debug level to trace.
Note:
To view statistics that are generated in the diamond.log, see View Statistics in the
diamond.log, page 36.
To use the changeLogLevel.sh utility:
1. Log in as the root user and run the changeLogLevel.sh utility using the following
format:
changeLogLevel.sh -c <component id> [-l <debug level>] [-norestart]
2. Set <component id> according to the applications whose log level you want to change:
■ 1 - Listener
■ 2 - Sampler
■ 3 - Background
■ 4 - DiamondWebApp
■ 5 - Services
■ 6 - statistics
■ 7 - prepwiz
■ 8 - dcaserver
■ 9 - agentshell
■ all - all Applications
3. Set the new <debug level>:
■ info
■ debug
■ trace
For example:
Example 1:
Change all components to "info":
changeLogLevel.sh -c all
Example 2:
Change Listener and Sampler components to "debug":
changeLogLevel.sh -c 12 -l debug
Example 3:
Change all components to "trace" without restarting:
changeLogLevel.sh -c all -l trace -norestart
To Manually Change the Debug Level for each Application:
1. Open the following files using vi editor:
■ DiamondWebApp application:
/opt/tomcat/webapps/DiamondWebApp/WEB-INF/classes/log4j2.xml
■ Listener application:
/opt/tomcat/listener/log4j2.xml
■ Sampler application:
/opt/sampler/log4j2.xml
■ CasosServices application:
/opt/tomcat/CasosServices/logconf.log4cxx
■ Background scheduler:
/opt/backgroundScheduler/log4j2.xml
■ Statistics:
/opt/tomcat/statistics/log4j2.xml
2. In each of the above files, in the order listed above, change info to trace:
Example 1:
Change:
<priority value ="info" />
to:
<priority value ="trace" />
Example 2:
Change:
<Logger name="com.cyberark.diamond" level="info">
to:
<Logger name="com.cyberark.diamond" level="trace">
3. Restart the PTA main service using the following command:
service appmgr restart
PTA Windows Agent Logging
The log files that are created by the system are stored on the PTA Windows Agent
machine in %PROGRAMDATA%\CyberArk\PTA Agent, or in the location you selected
when installing the PTA Windows Agent.
For – Name of log file – Debug Appender Name – Default Level
General debug log – pta_agent.log – debug_Appender – Info
Write syslog forwarder events if debug is enabled – pta_agent_windows_events.log – forwarder_debug_Appender – Info
Debugging Kerberos parsing process – pta_agent_krb.log – krb_debug_Appender – Info
Debugging the LDAP parsing process – pta_agent_ldap.log – ldap_debug_Appender – Info
Write network agent events if debug is enabled – pta_agent_network_events.log – events_debug_Appender – Info
The debug level determines the types of messages that are included in the log files. To
see all activities, change the debug level to trace.
To Change the Debug Level for each Log:
1. Edit C:\Program Files\CyberArk\PTA Agent\aggregator_win.log4cxx.
2. Find the log that you want to modify.
3. Change the priority value to info, debug, or trace.
Example 1:
<category name="DEBUG" >
<priority value ="info" />
<appender-ref ref="debug_Appender"/>
</category>
Example 2:
<category name="KRB_DEBUG" >
<priority value ="info" />
<appender-ref ref="krb_debug_Appender"/>
</category>
Example 3:
<category name="LDAP_DBG" >
<priority value ="info" />
<appender-ref ref="ldap_debug_Appender"/>
</category>
Example 4:
<category name="EVENT_DEBUG" >
<priority value ="info" />
<appender-ref ref="events_debug_Appender"/>
</category>
Example 5:
<category name="FORWARDER_DEBUG" >
<priority value ="info" />
<appender-ref ref="forwarder_debug_Appender"/>
</category>
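Both manual log-level edits in this chapter, the log4j2 Logger level in the PTA Server files and the log4cxx category priority in the agent's aggregator_win.log4cxx, are single attribute changes in XML. The following Python script, an added example rather than a CyberArk utility, makes either change by parsing the file instead of hand-editing it, refuses any level other than info, debug and trace, and fails loudly when the named Logger or category is missing. The XML samples are constructed, abbreviated stand-ins for the real files; the file paths named in the procedures above are where a practitioner would point rewrite_file.

```python
import xml.etree.ElementTree as ET

# Levels the guide lists for both the PTA Server and the PTA Windows Agent logs.
VALID_LEVELS = ("info", "debug", "trace")

# Constructed, abbreviated stand-in for a PTA Server log4j2.xml; the real files
# (for example /opt/tomcat/listener/log4j2.xml) contain more than this.
LOG4J2_SAMPLE = """<Configuration>
  <Loggers>
    <Logger name="com.cyberark.diamond" level="info"/>
    <Root level="info"/>
  </Loggers>
</Configuration>"""

# Constructed, abbreviated stand-in for the agent's aggregator_win.log4cxx,
# using the category/priority/appender-ref shape quoted in the guide.
LOG4CXX_SAMPLE = """<configuration>
  <category name="DEBUG">
    <priority value="info"/>
    <appender-ref ref="debug_Appender"/>
  </category>
  <category name="KRB_DEBUG">
    <priority value="info"/>
    <appender-ref ref="krb_debug_Appender"/>
  </category>
</configuration>"""


def _check_level(level):
    if level not in VALID_LEVELS:
        raise ValueError(f"unsupported log level {level!r}; use one of {VALID_LEVELS}")


def set_log4j2_level(xml_text, logger_name, level):
    """Return xml_text with the level attribute of the named <Logger> changed."""
    _check_level(level)
    root = ET.fromstring(xml_text)
    hits = [e for e in root.iter("Logger") if e.get("name") == logger_name]
    if not hits:
        raise KeyError(f"no <Logger name={logger_name!r}> in configuration")
    for logger in hits:
        logger.set("level", level)
    return ET.tostring(root, encoding="unicode")


def get_log4j2_level(xml_text, logger_name):
    """Current level of the named <Logger>, or None if it is absent."""
    root = ET.fromstring(xml_text)
    for logger in root.iter("Logger"):
        if logger.get("name") == logger_name:
            return logger.get("level")
    return None


def set_log4cxx_priority(xml_text, category_name, level):
    """Return xml_text with the <priority value> of the named <category> changed."""
    _check_level(level)
    root = ET.fromstring(xml_text)
    hits = [e for e in root.iter("category") if e.get("name") == category_name]
    if not hits:
        raise KeyError(f"no <category name={category_name!r}> in configuration")
    for cat in hits:
        prio = cat.find("priority")
        if prio is None:
            raise KeyError(f"<category name={category_name!r}> has no <priority>")
        prio.set("value", level)
    return ET.tostring(root, encoding="unicode")


def get_log4cxx_priority(xml_text, category_name):
    """Current priority value of the named <category>, or None if absent."""
    root = ET.fromstring(xml_text)
    for cat in root.iter("category"):
        if cat.get("name") == category_name:
            prio = cat.find("priority")
            return None if prio is None else prio.get("value")
    return None


def rewrite_file(path, transform):
    """Apply transform(text) -> text to a configuration file in place.
    Not called in the demo below; point it at the real files when needed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(transform(text))


if __name__ == "__main__":
    print(set_log4j2_level(LOG4J2_SAMPLE, "com.cyberark.diamond", "trace"))
    print(set_log4cxx_priority(LOG4CXX_SAMPLE, "KRB_DEBUG", "trace"))
```

If the real log4cxx file declares a namespace prefix on its root element, call ET.register_namespace with that prefix and URI before writing, otherwise ElementTree rewrites the prefix on output. After changing a PTA Server file, restart the service as step 3 above states (service appmgr restart).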
File Size and Rolling
Log files record all the activities carried out by PTA. By default, when a diamond.log log
file reaches 100MB, a new log file is created and the previous one is compressed and
saved in the /opt/tomcat/logs/archive/ directory as a .gz file. Log files are stored in a cycle
of 500 files, meaning that when a new log file is created, the current date and a number
between one and 500 is added to the name of the file incrementally (for example,
diamond-mm-dd-yyyy-1.log.gz). When the 501st log file is created, it replaces the first log
file, and so on.
Reset PTA to Clear All Data
You can reset PTA to clear all data gathered by the system, including baseline
information, events, incidents and audits. For example, you can delete all POC-related
data prior to production deployment.
To Reset PTA to Clear All Data:
1. On the system console, log in as the ptauser user using the password you specified
during installation.
2. Start the PTA utility by running the following command:
sudo /opt/tomcat/utility/run.sh
3. Using the PTA utility, do the following:
a. Clear all the data from the database. Select 11 - Clear database.
b. Stop the Tomcat Web Server. Select 5 - Stop Tomcat Web Server.
c. Start the Tomcat Web Server. Select 6 - Start Tomcat Web Server.
Monitor PTA
You can monitor the PTA Server machine using Simple Network Management Protocol
(SNMP).
You can monitor the following processes:
■ activemq.service
■ mongod.service
■ monit.service
■ tomcat.service
■ loggersocket
■ ptalistenerd
■ ptasamplerd
■ ptabschedulerd
■ ptastatisticsd
■ ptaservicesd
■ ptadcaserverd (only if PTA Windows Agent is configured)
■ ptacasosservicesd (only if Golden Ticket Detection is configured)
To allow the monitoring agent to communicate, you must create a custom firewall rule.
To create a custom firewall rule:
1. Stop the PTA Application to revert to the static firewall settings.
systemctl stop appmgr
2. Add the requested SNMP rule manually.
Example 1: Allow an outgoing connection to port 1234 on IP 10.10.1.1
iptables -I OUTPUT 1 -p tcp -d 10.10.1.1 --dport 1234 -j ACCEPT -m comment --comment 'Allow SNMP Outgoing connection'
Example 2: Allow an incoming connection from IP 10.10.2.2 to port 1235
iptables -I INPUT 1 -p tcp -s 10.10.2.2 --dport 1235 -j ACCEPT -m comment --comment 'Allow SNMP Incoming connection'
3. Save the static firewall settings.
service iptables save
4. Start the PTA Application.
systemctl start appmgr
5. Verify that the port and connection are open, reboot the machine, and test the
firewall.
Note:
We recommend adding the most specific firewall rule possible.
Collect Data from PTA
The PTA export utility enables you to collect data gathered by PTA, including baseline
information, events, incidents, audits and PTA log files. This utility stores all the collected
data in a compressed .tar file in the /opt/tomcat/logs directory.
To Collect Data from PTA:
1. On the system console, log in as the ptauser user using the password you specified
during installation.
2. Initialize the PTA export tool by running the following command:
sudo /opt/tomcat/utility/exportTool.sh
The following prompt appears:
[Step 1/1 - Threat Center export utility]
The number of previous days for which to include records (leave
empty to include all records):
3. Press Enter to collect all records and logs files, or specify the number of days for
which to include records and log files.
The following prompt appears:
Would you like to export db files? (Type 'y' or 'n'):
4. Enter Y to also export databases, or N to not export the databases.
The following prompt appears:
Would you like to export dump files? (Type 'y' or 'n'):
5. Enter Y to also export dump files, or N to not export the dump files.
The data is collected by the PTA export utility, then a confirmation message is
displayed.
Import PTA to a New Machine
Use the following procedure to import your existing PTA data, settings, configurations
and logs to a new PTA machine. The existing PTA machine will then no longer be used.
Note:
Both machines must have the same PTA version.
The migration script runs in the background. The script can run for up to a few hours. Refer to the
import PTA log (/tmp/import_PTA_data.log) for details on the progress of the script. Important
messages are also written to the screen.
To import PTA to a new machine:
1. Save a snapshot of the PTA image on the new PTA machine.
2. Log in to PTA as the root user.
3. Navigate to the utility directory using the UTILITYDIR command and run the
following command:
./import_PTA_data.sh
The migration script begins. The script can run for up to a few hours.
Before running the migration, save a snapshot of the PTA image
on the new PTA machine.
While the migration script runs in the background, the
existing PTA machine will be down and you will not receive any
data.
After the migration process ends successfully, all PTA data will
be contained on the new PTA machine.
4. Provide the details of the existing PTA machine.
Note:
The new PTA instance must have the same PTA image as the existing PTA machine. If
the script cannot connect to the existing PTA machine after three attempts, contact your
administrator.
Provide the details of the existing PTA machine.
Enter the existing PTA machine IP:
Enter the existing PTA machine root user password:
5. The tool opens SSH port 22 on the new PTA machine to migrate the data from the
existing PTA machine.
Opening port 22 on the new PTA machine for SSH communication
with the existing (<IP>) PTA machine.
6. The migration script stops the PTA Server on the existing PTA machine.
The PTA Server will be stopped on the existing PTA machine
(<IP>) - Press Enter to continue.
Redirecting to /bin/systemctl stop appmgr.service
7. If there is no NTP server configuration on the existing PTA machine, the following
prompt appears.
Note:
If there is an NTP server configuration on the existing PTA machine, the migration script
copies the NTP server configuration to the new PTA machine.
Would you like to provide the time synchronization details
(y/n)?
8. If you entered y, the following prompt appears.
Note:
If you entered n , the migration script copies the date and time from the existing
PTA machine to the new PTA machine.
Specify your time zone (example: America/Chicago). For a full
time zone list, specify ‘help’.
Time zone:
a. Enter the time zone, then press Enter. The date and time prompt appears.
Specify current date and time in 24h format “MM/DD/YYYY
hh:mm” (example: 11/21/2013 16:20):
b. Enter the current date and time using the format included in the prompt, then
press Enter. The following prompt appears, enabling you to synchronize the time
zone you are setting, with your NTP server.
Do you want to synchronize with NTP server (y/n)? [n]
c. If you specified y, the NTP server IP prompt appears:
Specify the NTP server IP:
d. Enter the IP address of the NTP server, then press Enter.
The date and time zone are now configured and the following confirmation is
displayed, and the installation proceeds to the next step.
Date and time zone configuration finished successfully
9. The migration process begins.
The migration script is running in the background. Refer to the
migration log (/tmp/import_PTA_data.log) for details on the
progress of the script.
Start migrating data...
Copying the configuration files...
Copying the PTA logs...
Copying the database files...
10. If any error messages appear, navigate to the log and resolve the issue. When you
open the log, address the error by searching for the version number and the task in
which the error occurred.
Note:
If the data migration process does not complete successfully, revert the new PTA
machine using the snapshot that was saved in Step 1 and rerun the migration script.
11. The data migration process is now complete and the following confirmation is
displayed:
Data migration completed successfully.
12. The existing PTA machine is shut down and the PTA Server is started on the new
PTA machine.
a. If the IP of the existing PTA machine is configured as static, the migration script
shuts down the existing PTA machine, sets the new PTA machine with the
existing IP, and starts PTA on the new machine.
Changing machine IP...
Shutting down the existing PTA machine.
Restarting network service...If you are using a terminal,
connect to the new IP - <IP> - where PTA <IP> is up and
running.
Starting PTA service on the new machine...
The migration process completed successfully. PTA is up and
running.
Install VMWare Tools on the new machine.
b. If the IP of the existing PTA machine is configured using DHCP, perform the
following:
The IP address of the existing PTA machine is configured
using DHCP. Perform the following:
1. Save the IP address for later reference.
2. Shut down the existing PTA machine.
3. Assign the saved IP address to the new PTA machine in the
DHCP server configuration. You might need your IT team's
assistance.
4. Start the PTA Server on the new machine.
5. Install VMWare Tools on the new machine.
Appendices
This section contains the following appendices:
Configure System Properties, page 133
Configure Agent Properties, page 154
Time Zones, page 158
Configure System Properties
The systemparm.properties file configures PTA. The default properties file is stored in
the /opt/tomcat/diamond-resources/default directory. This file contains all the
available properties with their default values, if they exist. This file cannot be edited.
The properties file that can be edited is stored in the /opt/tomcat/diamond-resources/local directory.
To Change Default Property Values:
1. In the /opt/tomcat/diamond-resources/default directory, open the
systemparm.properties file.
2. Copy the relevant property parameter, then close the file.
3. In the /opt/tomcat/diamond-resources/local directory, open the
systemparm.properties file.
4. Paste the copied property parameter and specify its value.
5. Save the file and close it.
6. Run the service appmgr restart command to restart PTA.
The tables below list all the parameters of the systemparm.properties file, with a brief
explanation. You can copy any parameters you require when configuring the properties
file.
Note:
All parameters must be specified without spaces.
systemparm.properties
Section: Data Loading
date_format
Description Date format of the organization. For example, for US users the
format is MM/dd/yyyy.
Acceptable Values MM/dd/yyyy, dd/MM/yyyy
Default Value MM/dd/yyyy
vault_log_records_csv
Description The full pathname of the loglist.csv report generated by the
ExportVaultData utility.
Acceptable Values Full pathname. For example, /tmp/loglist.csv.
Default Value None
pvwa_privileged_accounts_report_csv
Description The full pathname of the PVWA Inventory Report .csv file.
Acceptable Values Full pathname
Default Value None
Section: LDAP
ldap_connection_protocol
Description The protocol to use for the LDAP connection.
Acceptable Values Valid protocol
Default Value None
ldap_base
Description The LDAP base context.
Acceptable Values String
Default Value None
ldap_port
Description The port of the LDAP server.
Acceptable Values Number between 1024 and 65535
Default Value None
ldap_server
Description The IP of the LDAP server to integrate with.
Acceptable Values IP
Default Value None
ldap_domain
Description The name of the domain where the LDAP server resides.
Acceptable Values String
Default Value None
ldap_group_name
Description The name of the LDAP PTA group.
Acceptable Values String
Default Value PTA_GROUP
ldap_pre2000
Description The netbios (Pre2000) name of the domain.
Acceptable Values String
Default Value None
Section: Syslog
syslog_outbound
Description Outbound configuration that enables PTA to integrate with your SIEM.
Acceptable Values A list of the following information: {siem, format, host, port, protocol}
Acceptable values are:
■ siem – HP ArcSight, McAfee, QRadar, RSA, Splunk
■ format – CEF or LEEF
■ host – Host/IP
■ port – number
■ protocol – UDP
Default Value None
syslog_port_tcp
Description The TCP port used for incoming syslog records sent from the Vault machine and Unix machines.
Acceptable Values Number between 1 and 65535. The number must represent an unused port.
Default Value 514
syslog_port_udp
Description The UDP port used for incoming syslog records sent from the Vault machine and Unix machines.
Acceptable Values Number between 1 and 65535. The number must represent an unused port.
Default Value 514
vault_timezone
Description The timezone configured in the Vault.
Acceptable Values NA
Default Value The PTA machine timezone.
syslog_non_human_filter
Description List of non-human usernames whose syslog messages PTA will ignore.
Acceptable Values Vault users
Default Value passwordmanager,prov_,pvwaappuser,psmapp
syslog_port_ssl_data_tcp
Description The port used to receive syslog data in a secure channel.
Acceptable Values Number between 1 and 65535. The number must represent an unused port.
Default Value 6514
syslog_port_ssl_control_tcp
Description The port used to receive statistics data in a secure channel.
Acceptable Values Number between 1 and 65535. The number must represent an unused port.
Default Value 7514
send_pta_events_to_pas_enabled
Description Enable or disable the option to send PTA events to the Vault.
Acceptable Values true/false
Default Value true
Section: Syslog
Sub-section: Syslog
custom_vault_device_types
Description Device Types from PVWA that PTA monitors. The value is case sensitive.
Acceptable Values String
Default Value None
Section: Syslog
Sub-section: Syslog format legacy
syslog_format_regex_legacy
Description A regular expression that defines the legacy syslog format.
Acceptable Values Regular expression
Default Value (<\\d+>)?([\\d\\.]+)?\\s*([a-zA-Z]+\\s+\\d{1,2}\\s+\\d{1,2}:\\d{1,2}:\\d{1,2})\\s+([^\\s]+)\\s+(.*)
syslog_field_index_date_legacy
Description The index that corresponds to the date field defined in the syslog_format_regex_legacy property.
Acceptable Values Number greater than zero
Default Value 3
syslog_field_index_machine_legacy
Description The index that corresponds to the machine field defined in the syslog_format_regex_legacy property.
Acceptable Values Number greater than zero
Default Value 4
syslog_field_index_body_legacy
Description The index that corresponds to the body field defined in the syslog_format_regex_legacy property.
Acceptable Values Number greater than zero
Default Value 5
Section: Syslog
Sub-section: Syslog format 5424
syslog_format_regex_5424
Description A regular expression that defines the syslog format 5424.
Acceptable Values Regular expression
Default Value <(\\d+)>([\\d\\.]+)\\s+(\\d{4}-\\d{2}-\\d{1,2}T\\d{1,2}:\\d{1,2}:\\d{1,2}Z)\\s+([^\\s]+)\\s+(.*)
syslog_field_index_date_5424
Description The index that corresponds to the date field defined in the syslog_format_regex_5424 property.
Acceptable Values Number greater than zero
Default Value 3
syslog_field_index_machine_5424
Description The index that corresponds to the machine field defined in the syslog_format_regex_5424 property.
Acceptable Values Number greater than zero
Default Value 4
syslog_field_index_body_5424
Description The index that corresponds to the body field defined in the syslog_format_regex_5424 property.
Acceptable Values Number greater than zero
Default Value 5
Section: Syslog
Sub-section: Audit creator for vault retrieve password
audit_creator_body_regex_vault_retrieve_password
Description A regular expression that defines the data format in a syslog string that the audit creator detects.
Acceptable Values Regular expression
Default Value \\s*\\|\\s*([^\\s\\|]+)\\s*\\|\\s*([^\\|]*)\\s*\\|\\s*(Retrieve password|Use Password)\\s*\\|\\s*([^\\s\\|]*)\\s*\\|\\s*([^\\s\\|]*)\\s*\\|(.*)
body_field_index_vault_retrieve_password_user
Description The index that corresponds to the user who retrieved the password from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Acceptable Values Number greater than zero
Default Value 1
body_field_index_vault_retrieve_password_date
Description The index that corresponds to the date when the password was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Acceptable Values Number greater than zero
Default Value 2
body_field_index_vault_retrieve_password_account_user
Description The index that corresponds to the user specified in the account that was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Acceptable Values Number greater than zero
Default Value 4
body_field_index_vault_retrieve_password_account_address
Description The index that corresponds to the address specified in the account that was retrieved from the Vault in the audit_creator_body_regex_vault_retrieve_password property.
Acceptable Values Number greater than zero
Default Value 5
Section: Syslog
Sub-section: Audit creator for unix session opened
audit_creator_body_regex_unix_session_opened
Description A regular expression that defines the data format in a syslog string that the audit creator detects.
Acceptable Values Regular expression
Default Value \\s*[a-zA-Z0-9\\[\\]]+:\\s+pam_unix\\((.+):session\\):\\s*session opened for user\\s+(\\S+) by.*
body_field_index_unix_session_opened_user
Description The index of the user who opened the unix session in the audit_creator_body_regex_unix_session_opened property.
Acceptable Values Number greater than zero
Default Value 2
body_field_index_unix_session_opened_session_type
Description The index of the type of session that was opened in the audit_creator_body_regex_unix_session_opened property.
Acceptable Values Number greater than zero
Default Value 1
Section: Syslog
Sub-section: Audit creator for CEF
audit_creator_body_regex_cef
Description A regular expression that defines the data format in a syslog string that the audit creator detects.
Acceptable Values Regular expression
Default Value CEF:(?<cefVersion>\\d+)\\|(?<vendor>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<product>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<version>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<id>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<name>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<severity>(?:[^\\\\\\|]|\\\\.)*+)\\|(?<extension>.*)
custom_CEF_Windows_plugin_parameter
Description Custom vendor and product name for Windows logon support.
Acceptable Values JSON string
Default Value [{\"Vendor\":\"Microsoft\",\"Product\":\"Microsoft Windows\"}]
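The syslog envelope regexes with their field index properties, the two audit creator regexes and the CEF regex from the sub-sections above, exercised together in an added Python example that is not part of the guide or of PTA's own code. The patterns are transcribed from the default values listed above with the Java properties double escaping collapsed, Java named groups rewritten in Python syntax and the possessive quantifier dropped. The sample lines are constructed, and the choice of re.match for the envelope and CEF header and re.search for the audit creators is an assumption about how PTA applies them.

```python
import re

# Regexes transcribed from the systemparm.properties defaults listed above. Their
# Java-properties double escaping (\\d) collapses to a single backslash here, Java's
# named groups (?<name>...) become Python's (?P<name>...), and the possessive
# quantifier *+ in the CEF default is written as plain * (it only changes backtracking;
# Python's re accepts *+ only from 3.11 on).
ENVELOPE_PATTERNS = {
    "5424": re.compile(
        r"<(\d+)>([\d\.]+)\s+(\d{4}-\d{2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}Z)\s+([^\s]+)\s+(.*)"
    ),
    "legacy": re.compile(
        r"(<\d+>)?([\d\.]+)?\s*([a-zA-Z]+\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2})\s+([^\s]+)\s+(.*)"
    ),
}
# syslog_field_index_{date,machine,body}_{legacy,5424}: both formats default to 3, 4, 5.
ENVELOPE_INDEX = {"date": 3, "machine": 4, "body": 5}

# Audit creators: the default regex and the body_field_index_* defaults that name its groups.
AUDIT_CREATORS = {
    "vault_retrieve_password": (
        re.compile(
            r"\s*\|\s*([^\s\|]+)\s*\|\s*([^\|]*)\s*\|\s*(Retrieve password|Use Password)"
            r"\s*\|\s*([^\s\|]*)\s*\|\s*([^\s\|]*)\s*\|(.*)"
        ),
        {"user": 1, "date": 2, "account_user": 4, "account_address": 5},
    ),
    "unix_session_opened": (
        re.compile(
            r"\s*[a-zA-Z0-9\[\]]+:\s+pam_unix\((.+):session\):\s*session opened for user\s+(\S+) by.*"
        ),
        {"session_type": 1, "user": 2},
    ),
}

CEF_RE = re.compile(
    r"CEF:(?P<cefVersion>\d+)\|(?P<vendor>(?:[^\\|]|\\.)*)\|(?P<product>(?:[^\\|]|\\.)*)\|"
    r"(?P<version>(?:[^\\|]|\\.)*)\|(?P<id>(?:[^\\|]|\\.)*)\|(?P<name>(?:[^\\|]|\\.)*)\|"
    r"(?P<severity>(?:[^\\|]|\\.)*)\|(?P<extension>.*)"
)


def parse_envelope(line):
    """Split a raw syslog line into date/machine/body by the documented group indexes."""
    for fmt, pattern in ENVELOPE_PATTERNS.items():
        m = pattern.match(line)
        if m:
            fields = {name: m.group(i) for name, i in ENVELOPE_INDEX.items()}
            fields["format"] = fmt
            return fields
    return None


def create_audit(body):
    """Run the audit creators over a message body; returns (creator name, fields) or None."""
    for name, (pattern, index) in AUDIT_CREATORS.items():
        m = pattern.search(body)
        if m:
            return name, {field: m.group(i) for field, i in index.items()}
    return None


def parse_cef(body):
    """Return the CEF header fields as a dict (escaped pipes stay escaped), or None."""
    m = CEF_RE.match(body)
    return m.groupdict() if m else None


def process(line):
    """Envelope first, then the audit creators and the CEF header on the body."""
    env = parse_envelope(line)
    if env is None:
        return None
    return {**env, "audit": create_audit(env["body"]), "cef": parse_cef(env["body"])}


# Constructed sample lines (not captured from a real Vault, PSM or Unix host).
SAMPLES = [
    "<13>Jan 05 08:30:01 vault01 |admin|01/05/2018 08:30:01|Retrieve password|root|10.1.2.3|Safe=UnixRoot",
    "<38>Mar 12 10:15:22 web01 sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "<14>1 2018-03-12T10:15:22Z psm01 CEF:0|Cyber-Ark|PTA|3.95|1|Suspicious activity in session|7|suser=bob",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(process(sample))
```

Changing a syslog_field_index_* or body_field_index_* property in the guide corresponds to changing the numbers in ENVELOPE_INDEX or AUDIT_CREATORS here; a custom regex only works if its group numbering still agrees with those indexes.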
Section: Schedulers
excessive_access_task_trigger
Description The time for frequent updates of the excessive access (user) baseline. The default is midnight of every day.
Acceptable Values Cron expression
Default Value 0 0 0 * * ?
irregular_ip_task_trigger
Description The time for frequent updates of the irregular IP (user) baseline. The default is midnight of every day.
Acceptable Values Cron expression
Default Value 0 0 0 * * ?
vault_accounts_reload_task_trigger
Description The time for frequent updates of the Vault accounts reload. The default is 1:00 AM of every day.
Acceptable Values Cron expression
Default Value 0 0 1 * * ?
human_vault_user_cache_reload_task_trigger
Description The time for frequent updates of the Vault users reload. The default is midnight of every day.
Acceptable Values Cron expression
Default Value 0 0 0 * * ?
irregular_hours_asset_task_trigger
Description The time for frequent updates of the irregular hours (machine) baseline. The default is midnight of every day.
Acceptable Values Cron expression
Default Value 0 0 0 * * ?
irregular_hours_user_task_trigger
Description The time for frequent updates of the irregular hours (user) baseline. The default is midnight of every day.
Acceptable Values Cron expression
Default Value 0 0 0 * * ?
audits_retention_task_trigger
Description The time for deleting raw data that has passed the retention period. The default is 3:30 AM every day.
Acceptable Values Cron expression
Default Value 0 30 3 * * ?
Section: Algorithms
disabled_detection_algorithms
Description The list of anomalies whose detections are disabled.
Acceptable Values
■ ActiveDormantUserAnomalyAlgorithm
■ AggregativeIceAnomalyAlgorithm
■ BaseICEAnomalyAlgorithm
■ ExcessiveAccessAnomalyAlgorithm
■ ExcessiveAccessAssetAnomalyAlgorithm
■ ExcessiveAccessUserAnomalyAlgorithm
■ GoldenTicketAnomalyAlgorithm
■ InteractiveLogonWithServiceAccountAnomalyAlgorithm
■ IrregularHoursAssetAnomalyAlgorithm
■ IrregularHoursUserAnomalyAlgorithm
■ LogonIrrSourceMachineToTgtMachineByTgtAccAnomalyAlgorithm
■ LogonIrrTgtAccFromMachineAnomalyAlgorithm
■ LogonIrrTgtMachineByTgtAccAnomalyAlgorithm
■ MachineAccessViaIrregularIpAnomalyAlgorithm
■ MaliciousRetrievalOfDomainAccountsAnomalyAlgorithm
■ OverPassTheHashAnomalyAlgorithm
■ PacAsRequestAttackAnomalyAlgorithm
■ PSMRiskyCommandAnomalyAlgorithm
■ PSMVaultAnomalyAlgorithm
■ SuspectedCredentialsTheftAnomalyAlgorithm
■ UnmanagedPrivilegedAccessAnomalyAlgorithm
■ VaultAccessViaIrregularIpAnomalyAlgorithm
■ RiskySPNRisk
■ IrregularDayUserAnomaly
Default Value ExcessiveAccessAssetAnomalyAlgorithm,
LogonIrrSourceMachineToTgtMachineByTgtAccAnomalyAlgorithm,
LogonIrrTgtAccFromMachineAnomalyAlgorithm,
LogonIrrTgtMachineByTgtAccAnomalyAlgorithm,
MachineAccessViaIrregularIpAnomalyAlgorithm
Section: Algorithms
Sub-section: irregular hours
irr_hours_excluded_usernames_list
Description The list of users to be excluded from the Irregular Hours baseline calculation. Multiple names must be separated by commas.
Acceptable Values Vault users
Default Value None
irr_hours_baseline_range_start
Description The starting point of the training data (vault_log) range used for the baseline calculation.
Acceptable Values 0.0-1 (where 1 is 100%)
Default Value 0
irr_hours_baseline_range_end
Description The endpoint of the training data (vault_log) range used for the baseline calculation.
Acceptable Values 0.0-1 (where 1 is 100%)
Default Value 1
irr_hours_baseline_debug
Description Determines how the baseline is created.
Note:
This parameter is for internal debugging purposes.
Acceptable Values true/false
Default Value false
Section: Algorithms
Sub-section: DC Replication
dc_replication_whitelist
Description The list of machines which are allowed to execute DC replication operations. Multiple names must be separated by commas.
Acceptable Values Fully-qualified machine names, IPs
Default Value None
Section: Algorithms
Sub-section: Unmanaged privileged access
privileged_users_list
Description A list of users considered privileged in the organization, and who should be managed by CyberArk’s Privileged Account Security solution.
Acceptable Values A list of the following information: {platform, case sensitivity of user, regular expression}
Acceptable values are:
■ Platform – WINDOWS/UNIX/ORACLE (upper case)
■ Case sensitivity – true/false
■ Regex – string
Default Value If this value is not defined by the user, the system will use the following default value:
[{"mPlatform":"UNIX","mIsCaseSensitive":true,"mUsers":[root]},{"mPlatform":"WINDOWS","mIsCaseSensitive":false,"mUsers":[.*admin.*]},{"mPlatform":"ORACLE","mIsCaseSensitive":false,"mUsers":[sys,system,sysman]}]
privileged_groups_list
Description A list of groups considered privileged in the organization, and whose members should be managed by CyberArk’s Privileged Account Security solution.
Acceptable Values A list of the following information: {Domain, Group_name}
Acceptable values are:
■ Domain
■ Group Name
Default Value None
Unmanaged_Privileged_Access_Score
Description The unmanaged privileged access anomaly score.
Acceptable Values Number between 1-100
Default Value 30
Section: Algorithms
Sub-section: vault access via irregular ip
irregular_ip_tail_proporion_exp_base
Description The base taken in the exponent of the proportion of the tail of the given IP which was not spanned by the tree. Specify a number greater than ‘1’.
Acceptable Values Double
Default Value 8.0
irr_ip_excluded_usernames_list
Description A list of usernames that PTA will ignore when analyzing Vault access via irregular IP addresses.
Acceptable Values Vault users
Default Value DR,BATCH,BACKUP
irr_ip_excluded_sourceIP_list
Description A list of IP addresses that PTA will ignore when analyzing Vault access via irregular IP addresses.
Acceptable Values IPs
Default Value Configured PVWA IP
Section: Algorithms
Sub-section: ICE - asset connection words algorithms
asset_connection_excluded_domain_account_list
Description The list of domain accounts to be excluded from the Asset
Connection baseline calculation.
Acceptable Values A list of the following information: {domain, list of users that belong
to the domain}
Acceptable values are:
■ Domain – any valid domain name (string)
■ Users – string of users name separated by comma
Default Value N/A
Section: Algorithms
Sub-section: Suspected credentials theft
not_via_pim_time_window
Description The number of minutes of the default check-out time period of a password.
Acceptable Values Number
Default Value 480
sct_excluded_account_list
Description A list of usernames that PTA will ignore when analyzing connections to remote machines without first retrieving the required credentials from the Vault.
Acceptable Values A list of the following information: {platform, Machine/domain, DB instance, User}
Acceptable values are:
■ Platform – WINDOWS/UNIX/ORACLE (upper case)
■ Machine – either IP or FQDN
■ Domain – relevant only for WINDOWS platforms, when the account is a domain account
■ DB Instance – if the Platform is ORACLE, the instance name must be mentioned
■ User – string
All fields except Platform can be configured as a list with a ‘,’ delimiter and support asterisks.
For example:
#sct_excluded_account_list=[{"mPlatforms":["WINDOWS"],"mUsers":["user"],"mDomains":["domain.com"]},{"mPlatforms":["WINDOWS"],"mUsers":["localUser"],"mMachines":["prod.domain.com"]},{"mPlatforms":["ORACLE"],"mUsers":["localUser"],"mMachines":["prodDB.domain.com"],"mInstanceNames":["MyDB"]}]
Default Value None
Section: Algorithms
Sub-section: Suspicious Password Change
suspicious_password_change_time_window_minutes
Description The time, in minutes, PTA waits before indicating a password change was not done by CPM and is suspicious.
Acceptable Values Number between 1-60
Default Value 2
suspicious_password_change_score
Description The suspicious password change anomaly score.
Acceptable Values Number between 1-100
Default Value 80
Section: Algorithms
Sub-section: Suspicious activities detected in a privileged session
risky_command_configuration
Description A regular expression that defines the suspicious session activities that PTA analyzes.
Acceptable Values A list of the following information: {regular expression of the command, score, description, category, response, active}
Acceptable values are:
■ Regex – string
■ Score – 1-100
■ Description (optional) – string
■ Category – Universal keystrokes, SCP, SQL, SSH, Windows titles
■ Response – NONE, TERMINATE, SUSPEND
■ Active – true/false
For example:
[{"regex":"kill (.*)","score":"70","description":"description2","category":"SSH","response":"NONE","active":true}]
Default Value A set of best practices that CyberArk recommends.
Section: Algorithms
Sub-section: Risky SPN
risky_spn_excluded_account_list
Description A list of usernames, domains and service principal names that PTA will ignore when analyzing privileged accounts that contain service principal names.
Acceptable Values A list of the following information: {user, domain, service}
Acceptable values are:
■ User – string
■ Domain – domain name, such as domain.com
■ Service principal name – service principal name in the format of host\service
All fields can be configured as a list with a ‘,’ delimiter, and can support asterisks.
For example:
risky_spn_excluded_account_list=[{"mUsers":["user1"],"domain":["domain.com"],"service":["host\service","fqdn\service"]},{"mUsers":["sqladmin"],"domain":["domain.com"],"service":["*"]}]
Default Value None
Section: Email
mail.smtp.host
Description The IP of the mail server in the organization.
Acceptable Values IP address
Default Value None
mail.smtp.port
Description The SMTP port for emails.
Acceptable Values 25, 587
Default Value 25
mail.smtp.auth
Description Whether SMTP authentication is on.
Acceptable Values true/false
Default Value true
mail.debug
Description Whether the debug messages of the email process appear in the log.
Acceptable Values true/false
Default Value false
email_from
Description The email address of the sender.
Acceptable Values Email address in lowercase characters.
Default Value None
email_recipient
Description A list of the recipient email addresses that will receive an email when an incident is discovered. Specify email addresses using only lowercase characters. Multiple addresses are separated by a semi-colon (;).
Acceptable Values Email address; email address; ...
Default Value None
Section: DNS
dns_srv_record_format
Description The format of a DNS service record (SRV).
Acceptable Values Regular expression
Default Value \\s*\\d+\\s+\\d+\\s+\\d+\\s+((?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?)\\.
dns_ldap_domain_srv_record_name_prefix
Description The prefix that identifies an SRV record for a domain.
Acceptable Values String
Default Value _ldap._tcp.dc._msdcs.
dns_resolving_timeout
Description The timeout period for DNS resolving, in milliseconds.
Acceptable Values Number of milliseconds
Default Value 10000
Section: Domain
domain_controllers
Description List of domains and their domain controllers.
Acceptable Values {"domain_name":[{"mAddress":"dc1_ip_address","mHostName":"dc1_host_name"},{"mAddress":"dc2_ip_address","mHostName":"dc2_host_name"}]}
Default Value None
pre2000_domain_list
Description List of DNS names with their corresponding pre-Windows 2000 names.
Acceptable Values {"preWin2000DomainName":"fullDNSDomainName","preWin2000DomainName2":"fullDNSDomainName2"}
Default Value None
epv_https_enabled
Description Whether PTA will connect to PAS through https.
Acceptable Values true/false
Default Value true
epv_host
Description The name of the PAS host that PTA will connect to. Enter the FQDN.
Acceptable Values String
Default Value -
epv_port
Description The port through which PTA will connect to PAS.
Acceptable Values Port number
Default Value
■ https: 443
■ http: 80
epv_root_context
Description The PVWA application name.
Acceptable Values String
Default Value PasswordVault
send_psm_session_related_data
Description Whether PTA will send a privileged session risk score to PSM to make the score available in PVWA.
Acceptable Values true/false
Default Value true
Section: UI
numberOfIncidentsToGroupBy
Description The number of suspicious session activity incidents for the selected
timeframe that will be displayed in individual bubbles on the dashboard.
The rest of the incidents will be displayed in a single aggregated bubble.
Acceptable Values Number
Default Value 0
Section: Mitigation
epvintegrationRotatePasswordExcludeList
Description The list of anomalies to be excluded from the automatic password rotation reaction for credentials theft.
Acceptable Values
■ SuspectedCredentialsTheft
■ OverPassTheHash
■ SuspiciousPasswordChange
Default Value SuspectedCredentialsTheft,OverPassTheHash,SuspiciousPasswordChange
EnableAutomaticMitigationByEPV
Description Determines whether PTA will integrate with PAS to react automatically to detected credential thefts.
Acceptable Values true/false
Default Value
■ When integration with PAS is not configured, this parameter is not relevant.
■ When integration with PAS is configured, this parameter is automatically set to true.
epvIntegrationEnableAddPendingAccount
Description Determines whether PTA will integrate with PAS to automatically add unmanaged privileged accounts to the PVWA pending accounts queue.
Acceptable Values
■ True – automatic adding of unmanaged privileged accounts is enabled
■ False – automatic adding of unmanaged privileged accounts is disabled
Default Value False
epv_integration_rotate_password
Description Determines whether PTA will integrate with PAS to automatically rotate the passwords of accounts.
Acceptable Values
■ True – automatic password rotation is enabled
■ False – automatic password rotation is disabled
Default Value False
epv_integration_reconcile_password
Description Determines whether PTA will integrate with PAS to react automatically to any detected CyberArk Password Manager bypass.
Acceptable Values
■ True – automatic password reconciliation is enabled
■ False – automatic password reconciliation is disabled
Default Value False
psm_mitigation_enabled
Description Allows a user to enable or disable automatic mitigation of PSM suspicious activities.
Acceptable Values
■ True – automatic mitigation is enabled
■ False – automatic mitigation is disabled
Default Value True
psm_mitigation_termination_enabled
Description Allows a user to enable or disable automatic session termination as mitigation of PSM suspicious activities.
Acceptable Values
■ True – automatic mitigation session termination is enabled
■ False – automatic mitigation session termination is disabled
Default Value False
psm_mitigation_suspension_enabled
Description Allows a user to enable or disable automatic session suspension as mitigation of PSM suspicious activities.
Acceptable Values
■ True – automatic mitigation session suspension is enabled
■ False – automatic mitigation session suspension is disabled
Default Value False
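An added Python example (not PTA's code) showing how a risky_command_configuration rule set from the "Suspicious activities detected in a privileged session" sub-section and the psm_mitigation_* switches from this Mitigation section interact: a session command is scored against the active rules for its category, and the matching rule's response is only carried out when the corresponding switch is enabled; otherwise the detection keeps its score and the response degrades to NONE. The rule set is constructed and does not reproduce CyberArk's shipped best practices; treating rules in the Universal keystrokes category as applying to every session type, and matching with re.search, are assumptions.

```python
import json
import re

# Constructed rule set in the documented risky_command_configuration shape. The
# regexes, scores and descriptions are illustrative, not CyberArk's shipped defaults.
RISKY_COMMAND_CONFIGURATION = json.loads('''[
  {"regex": "kill (.*)", "score": "70", "description": "process killed",
   "category": "SSH", "response": "NONE", "active": true},
  {"regex": "rm -rf /.*", "score": "90", "description": "recursive delete from root",
   "category": "SSH", "response": "TERMINATE", "active": true},
  {"regex": "DROP TABLE .*", "score": "85", "description": "table dropped",
   "category": "SQL", "response": "SUSPEND", "active": true},
  {"regex": "passwd .*", "score": "50", "description": "password change attempted",
   "category": "Universal keystrokes", "response": "NONE", "active": true},
  {"regex": "shutdown.*", "score": "60", "description": "host shutdown",
   "category": "SSH", "response": "TERMINATE", "active": false}
]''')

# psm_mitigation_* switches with the documented default values.
MITIGATION_DEFAULTS = {
    "psm_mitigation_enabled": True,
    "psm_mitigation_termination_enabled": False,
    "psm_mitigation_suspension_enabled": False,
}


def compile_rules(config):
    """Keep only active rules; the score is stored as a string in the properties file."""
    rules = []
    for rule in config:
        if not rule.get("active", True):
            continue
        rules.append({**rule, "pattern": re.compile(rule["regex"]), "score": int(rule["score"])})
    return rules


def evaluate_command(command, category, rules):
    """Highest-scoring matching rule for this session category, or None.

    Assumption: rules in the "Universal keystrokes" category apply to every session
    type, and a regex matches if it is found anywhere in the command (re.search).
    """
    hits = [
        r for r in rules
        if r["category"] in (category, "Universal keystrokes") and r["pattern"].search(command)
    ]
    return max(hits, key=lambda r: r["score"]) if hits else None


def effective_response(rule_response, settings):
    """Response PTA may actually carry out under the psm_mitigation_* switches.

    A disabled switch suppresses the action only; the detection itself is still raised.
    """
    if not settings["psm_mitigation_enabled"]:
        return "NONE"
    if rule_response == "TERMINATE" and not settings["psm_mitigation_termination_enabled"]:
        return "NONE"
    if rule_response == "SUSPEND" and not settings["psm_mitigation_suspension_enabled"]:
        return "NONE"
    return rule_response


def assess(command, category, rules, settings=MITIGATION_DEFAULTS):
    """Score a session command and resolve the response the configuration permits."""
    rule = evaluate_command(command, category, rules)
    if rule is None:
        return None
    return {
        "score": rule["score"],
        "description": rule.get("description", ""),
        "configured_response": rule["response"],
        "effective_response": effective_response(rule["response"], settings),
    }


if __name__ == "__main__":
    active_rules = compile_rules(RISKY_COMMAND_CONFIGURATION)
    for cmd, cat in (("kill -9 4242", "SSH"), ("sudo rm -rf /var/lib/app", "SSH"),
                     ("DROP TABLE users", "SQL"), ("shutdown -h now", "SSH")):
        print(cmd, cat, assess(cmd, cat, active_rules))
```

With the documented defaults (termination and suspension both False) a TERMINATE or SUSPEND rule still produces a scored detection, but no session is cut; enabling psm_mitigation_termination_enabled or psm_mitigation_suspension_enabled is what turns the configured response into an action.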
Section: Auto Purge
audits_retention_period_in_days
Description The retention period, in days, for raw data stored in PTA before it is deleted. This does not apply to events that PTA has detected.
Acceptable Values Number
Default Value 90
Section: PTA Agent
enable_client_verification
Description Enables client verification for the secured syslog.
Acceptable Values
■ True – client verification for the secured syslog is enabled
■ False – client verification for the secured syslog is disabled
Default Value True
enable_dcagent_connection
Description Enables the PTA Windows Agent connection to the PTA Server.
Acceptable Values
■ True – PTA Windows Agent connection to the PTA Server is enabled
■ False – PTA Windows Agent connection to the PTA Server is disabled
Default Value True
Configure Agent Properties
The config.ini file configures the PTA Windows Agent. The configuration file is stored in
C:\Program Files\cyberark\PTA Agent\ directory.
To Change Default Property Values:
1. Navigate to C:\Program Files\cyberark\PTA Agent\ directory.
2. Locate the needed property from the documentation below.
3. Add to the end of the file the property's header from the documentation below (if the
header is missing).
4. Add the relevant value below the property header.
Note:
All parameters must be specified without spaces.
Section: ServerInfo
PTA_IP_Address
Description The IP of the PTA Server.
Acceptable Values IP address
Default Value None
SSL_Data_Port
Description The port used to send syslog data to PTA in a secure channel.
Acceptable Values Number between 1024 and 65535
Default Value 6514
SSL_Control_Port
Description The port used to send statistics data to PTA in a secure channel.
Acceptable Values Number between 1024 and 65535
Default Value 7514
Section: DCInfo
Server_Verification_Required
Description Determines whether the PTA Server certificate is validated by the PTA Windows Agent, making the connection trusted.
Acceptable Values true/false
Default Value true
Network_Interface_ID
Description The network interface that the PTA Windows Agent uses.
Acceptable Values Number
Default Value 1
KeepAlive_Interval_msec
Description The milliseconds between each heartbeat to the PTA Server.
Acceptable Values Number
Default Value 2000 (2 seconds)
Network_Enabled
Description Data analysis mode to inspect Network traffic.
Acceptable Values
■ True – data analysis mode to inspect Network traffic is enabled
■ False – data analysis mode to inspect Network traffic is disabled
Default Value True
Windows_Event_Enabled
Description Data analysis mode to inspect Windows events.
Acceptable Values
■ True – data analysis mode to inspect Windows events is enabled
■ False – data analysis mode to inspect Windows events is disabled
Default Value False
Section: Debug
Write_Events_To_Log
Description Set the debug events flag. This parameter is for internal debugging
purposes.
Acceptable ■ 0 - false
Values ■ 1 - true
Default Value 0 (false)
Section: Monitoring
Machine_Monitoring_Enabled_Global
Description Determines whether monitoring options are available.
Acceptable Values true/false
Default Value true
Machine_Monitoring_Enabled_Memory
Description Determines whether Memory monitoring is available.
Acceptable Values true/false
Default Value true
Machine_Monitoring_Enabled_CPU
Description Determines whether CPU monitoring is available.
Acceptable Values true/false
Default Value true
Machine_Monitoring_Enabled_Network
Description Determines whether Network monitoring is available.
Acceptable Values true/false
Default Value true
Machine_Monitoring_To_Log
Description Determines whether the monitoring results are written to the log file.
Acceptable Values true/false
Default Value true
Machine_Monitoring_Interval_sec
Description The interval to query the machine for the resources data.
Acceptable Values Number
Default Value 10
Section: ClientCertificate
Client_Certificate_Enabled
Description Determines whether the client sends the certificate to the PTA Server for verification.
Acceptable Values true/false
Default Value true
Client_Certificate_Subject_Name
Description The subject name of the client certificates installed on the PTA Windows Agent machine.
Acceptable Values String
Default Value None
Section: Enforcement
Process_CPU_Enabled
Description Determines whether the CPU based enforcement is enabled.
Acceptable Values true/false
Default Value true
Process_CPU_Monitoring_Time_Window
Description The time window to monitor CPU exceptions.
Acceptable Values Number
Default Value 60
Process_CPU_Percent_Threshold
Description The CPU Threshold percentage limit.
Acceptable Values Number between 1 and 100
Default Value 35
Process_CPU_Percent_Exceeded_Samples_sec
Description The allowed percentage of the exceeded threshold.
Acceptable Values Number
Default Value 70
Section: Forwarder
Windows_Event_Log
Description The Windows event log name from which the PTA Windows Agent
reads the events.
Acceptable Values String
Default Value ForwardedEvents
Time Zones
The PTA installation wizard requires you to configure your time zone. The following table
lists the available time zones.
EST5EDT MET WET
GB Iran Mexico/BajaSur
Mexico/BajaNorte Mexico/General Israel
NZ Asia/Macao Asia/Irkutsk
Asia/Shanghai Asia/Chongqing Asia/Anadyr
Asia/Hovd Asia/Urumqi Asia/Harbin
Asia/Thimphu Asia/Bishkek Asia/Dhaka
Asia/Hong_Kong Asia/Jakarta Asia/Vientiane
Asia/Pyongyang Asia/Baghdad Asia/Gaza
Asia/Samarkand Asia/Tashkent Asia/Beirut
Asia/Oral Asia/Jerusalem Asia/Calcutta
Asia/Tokyo Asia/Taipei Asia/Omsk
Asia/Dushanbe Asia/Kolkata Asia/Brunei
Asia/Dili Asia/Istanbul Asia/Baku
Asia/Ashgabat Asia/Jayapura Asia/Colombo
Asia/Tbilisi Asia/Ulan_Bator Asia/Kuching
Asia/Novosibirsk Asia/Phnom_Penh Asia/Novokuznetsk
Asia/Ujung_Pandang Asia/Thimbu Asia/Ashkhabad
Asia/Bahrain Asia/Vladivostok Asia/Kamchatka
Asia/Seoul Asia/Chungking Asia/Sakhalin
Asia/Aqtau Asia/Magadan Asia/Kuwait
Asia/Singapore Asia/Kuala_Lumpur Asia/Amman
Asia/Kathmandu Asia/Krasnoyarsk Asia/Rangoon
Asia/Pontianak Asia/Dubai Asia/Yekaterinburg
Asia/Yakutsk Asia/Aden Asia/Aqtobe
Asia/Qatar Asia/Muscat Asia/Nicosia
Asia/Qyzylorda Asia/Macau Asia/Hebron
Asia/Kabul Asia/Choibalsan Asia/Riyadh87
Asia/Tel_Aviv Asia/Saigon Asia/Yerevan
Asia/Kashgar Asia/Manila Asia/Ulaanbaatar
Asia/Makassar Asia/Riyadh89 Asia/Ho_Chi_Minh
Asia/Dacca Asia/Bangkok Asia/Riyadh
Asia/Tehran Asia/Damascus Asia/Katmandu
Asia/Karachi Asia/Almaty Asia/Riyadh88
Canada/East-Saskatchewan Canada/Central Canada/Newfoundland
Canada/Atlantic Canada/Eastern Canada/Yukon
Canada/Mountain Canada/Pacific Canada/Saskatchewan
Greenwich Africa/Accra Africa/Khartoum
Africa/Kigali Africa/Bangui Africa/Timbuktu
Africa/Juba Africa/Ouagadougou Africa/Dar_es_Salaam
Africa/Monrovia Africa/Maputo Africa/Tripoli
Africa/Windhoek Africa/Bissau Africa/Ndjamena
Africa/Asmera Africa/Lome Africa/Ceuta
Africa/Blantyre Africa/Cairo Africa/Tunis
Africa/Mbabane Africa/Porto-Novo Africa/Bamako
Africa/Nouakchott Africa/Maseru Africa/Niamey
Africa/Nairobi Africa/Algiers Africa/Johannesburg
Africa/Lagos Africa/Kinshasa Africa/Gaborone
Africa/Banjul Africa/Brazzaville Africa/Sao_Tome
Africa/Mogadishu Africa/Djibouti Africa/Luanda
Africa/Casablanca Africa/Addis_Ababa Africa/Douala
Africa/Lusaka Africa/Conakry Africa/Abidjan
Africa/Freetown Africa/Malabo Africa/Dakar
Africa/Asmara Africa/Libreville Africa/Bujumbura
Africa/Lubumbashi Africa/Harare Africa/Kampala
Africa/El_Aaiun Zulu Japan
Indian/Maldives Indian/Antananarivo Indian/Chagos
Indian/Reunion Indian/Mayotte Indian/Christmas
Indian/Mauritius Indian/Kerguelen Indian/Mahe
Indian/Cocos Indian/Comoro NZ-CHAT
Eire UTC Universal
EET Brazil/Acre Brazil/West
Brazil/East Brazil/DeNoronha MST7MDT
Mideast/Riyadh87 Mideast/Riyadh89 Mideast/Riyadh88
Libya EST UCT
Atlantic/St_Helena Atlantic/South_Georgia Atlantic/Canary
Atlantic/Cape_Verde Atlantic/Faroe Atlantic/Azores
Atlantic/Jan_Mayen Atlantic/Reykjavik Atlantic/Faeroe
Atlantic/Bermuda Atlantic/Madeira Atlantic/Stanley
HST Hongkong posix/EST5EDT
posix/MET posix/WET posix/GB
posix/Iran posix/Mexico/BajaSur posix/Mexico/BajaNorte
posix/Mexico/General posix/Israel posix/NZ
posix/Asia/Macao posix/Asia/Irkutsk posix/Asia/Shanghai
posix/Asia/Chongqing posix/Asia/Anadyr posix/Asia/Hovd
posix/Asia/Urumqi posix/Asia/Harbin posix/Asia/Thimphu
posix/Asia/Bishkek posix/Asia/Dhaka posix/Asia/Hong_Kong
posix/Asia/Jakarta posix/Asia/Vientiane posix/Asia/Pyongyang
posix/Asia/Baghdad posix/Asia/Gaza posix/Asia/Samarkand
posix/Asia/Tashkent posix/Asia/Beirut posix/Asia/Oral
posix/Asia/Jerusalem posix/Asia/Calcutta posix/Asia/Tokyo
posix/Asia/Taipei posix/Asia/Omsk posix/Asia/Dushanbe
posix/Asia/Kolkata posix/Asia/Brunei posix/Asia/Dili
posix/Asia/Istanbul posix/Asia/Baku posix/Asia/Ashgabat
posix/Asia/Jayapura posix/Asia/Colombo posix/Asia/Tbilisi
posix/Asia/Ulan_Bator posix/Asia/Kuching posix/Asia/Novosibirsk
posix/Asia/Phnom_Penh posix/Asia/Novokuznetsk posix/Asia/Ujung_Pandang
posix/Asia/Thimbu posix/Asia/Ashkhabad posix/Asia/Bahrain
posix/Asia/Vladivostok posix/Asia/Kamchatka posix/Asia/Seoul
posix/Asia/Chungking posix/Asia/Sakhalin posix/Asia/Aqtau
posix/Asia/Magadan posix/Asia/Kuwait posix/Asia/Singapore
posix/Asia/Kuala_Lumpur posix/Asia/Amman posix/Asia/Kathmandu
posix/Asia/Krasnoyarsk posix/Asia/Rangoon posix/Asia/Pontianak
posix/Asia/Dubai posix/Asia/Yekaterinburg posix/Asia/Yakutsk
posix/Asia/Aden posix/Asia/Aqtobe posix/Asia/Qatar
posix/Asia/Muscat posix/Asia/Nicosia posix/Asia/Qyzylorda
posix/Asia/Macau posix/Asia/Hebron posix/Asia/Kabul
posix/Asia/Choibalsan posix/Asia/Riyadh87 posix/Asia/Tel_Aviv
posix/Asia/Saigon posix/Asia/Yerevan posix/Asia/Kashgar
posix/Asia/Manila posix/Asia/Ulaanbaatar posix/Asia/Makassar
posix/Asia/Riyadh89 posix/Asia/Ho_Chi_Minh posix/Asia/Dacca
posix/Asia/Bangkok posix/Asia/Riyadh posix/Asia/Tehran
posix/Asia/Damascus posix/Asia/Katmandu posix/Asia/Karachi
posix/Asia/Almaty posix/Asia/Riyadh88 posix/Canada/East-Saskatchewan
posix/Canada/Central posix/Canada/Newfoundland posix/Canada/Atlantic
posix/Canada/Eastern posix/Canada/Yukon posix/Canada/Mountain
posix/Canada/Pacific posix/Canada/Saskatchewan posix/Greenwich
posix/Africa/Accra posix/Africa/Khartoum posix/Africa/Kigali
posix/Africa/Bangui posix/Africa/Timbuktu posix/Africa/Juba
posix/Africa/Ouagadougou posix/Africa/Dar_es_Salaam posix/Africa/Monrovia
posix/Africa/Maputo posix/Africa/Tripoli posix/Africa/Windhoek
posix/Africa/Bissau posix/Africa/Ndjamena posix/Africa/Asmera
posix/Africa/Lome posix/Africa/Ceuta posix/Africa/Blantyre
posix/Africa/Cairo posix/Africa/Tunis posix/Africa/Mbabane
posix/Africa/Porto-Novo posix/Africa/Bamako posix/Africa/Nouakchott
posix/Africa/Maseru posix/Africa/Niamey posix/Africa/Nairobi
posix/Africa/Algiers posix/Africa/Johannesburg posix/Africa/Lagos
posix/Africa/Kinshasa posix/Africa/Gaborone posix/Africa/Banjul
posix/Africa/Brazzaville posix/Africa/Sao_Tome posix/Africa/Mogadishu
posix/Africa/Djibouti posix/Africa/Luanda posix/Africa/Casablanca
posix/Africa/Addis_Ababa posix/Africa/Douala posix/Africa/Lusaka
posix/Africa/Conakry posix/Africa/Abidjan posix/Africa/Freetown
posix/Africa/Malabo posix/Africa/Dakar posix/Africa/Asmara
posix/Africa/Libreville posix/Africa/Bujumbura posix/Africa/Lubumbashi
posix/Africa/Harare posix/Africa/Kampala posix/Africa/El_Aaiun
posix/Zulu posix/Japan posix/Indian/Maldives
posix/Indian/Antananarivo posix/Indian/Chagos posix/Indian/Reunion
posix/Indian/Mayotte posix/Indian/Christmas posix/Indian/Mauritius
posix/Indian/Kerguelen posix/Indian/Mahe posix/Indian/Cocos
posix/Indian/Comoro posix/NZ-CHAT posix/Eire
posix/UTC posix/Universal posix/EET
posix/Brazil/Acre posix/Brazil/West posix/Brazil/East
posix/Brazil/DeNoronha posix/MST7MDT posix/Mideast/Riyadh87
posix/Mideast/Riyadh89 posix/Mideast/Riyadh88 posix/Libya
posix/EST posix/UCT posix/Atlantic/St_Helena
posix/Atlantic/South_Georgia posix/Atlantic/Canary posix/Atlantic/Cape_Verde
posix/Atlantic/Faroe posix/Atlantic/Azores posix/Atlantic/Jan_Mayen
posix/Atlantic/Reykjavik posix/Atlantic/Faeroe posix/Atlantic/Bermuda
posix/Atlantic/Madeira posix/Atlantic/Stanley posix/HST
posix/Hongkong posix/CST6CDT posix/US/Alaska
posix/US/Indiana-Starke posix/US/Central posix/US/Michigan
posix/US/Aleutian posix/US/East-Indiana posix/US/Eastern
posix/US/Pacific-New posix/US/Hawaii posix/US/Mountain
posix/US/Arizona posix/US/Samoa posix/US/Pacific
posix/MST posix/GMT+0 posix/ROC
posix/Singapore posix/Turkey posix/GMT0
posix/Poland posix/Chile/Continental posix/Chile/EasterIsland
posix/Iceland posix/America/Antigua posix/America/Swift_Current
posix/America/Inuvik posix/America/Juneau posix/America/Porto_Velho
posix/America/Sao_Paulo posix/America/Cuiaba posix/America/Santarem
posix/America/Buenos_Aires posix/America/Lima posix/America/Recife
posix/America/Lower_Princes posix/America/Panama posix/America/Cambridge_Bay
posix/America/Montevideo posix/America/Argentina/Buenos_Aires posix/America/Argentina/Salta
posix/America/Argentina/San_Juan posix/America/Argentina/ComodRivadavia posix/America/Argentina/Tucuman
posix/America/Argentina/San_Luis posix/America/Argentina/Ushuaia posix/America/Argentina/Jujuy
posix/America/Argentina/Rio_Gallegos posix/America/Argentina/Mendoza posix/America/Argentina/La_Rioja
posix/America/Argentina/Catamarca posix/America/Argentina/Cordoba posix/America/Nassau
posix/America/Shiprock posix/America/Manaus posix/America/Rosario
posix/America/Nome posix/America/Danmarkshavn posix/America/Resolute
posix/America/Rio_Branco posix/America/Vancouver posix/America/Campo_Grande
posix/America/Ensenada posix/America/Belem posix/America/Rankin_Inlet
posix/America/Thunder_Bay posix/America/St_Thomas posix/America/St_Vincent
posix/America/North_Dakota/New_Salem posix/America/North_Dakota/Center posix/America/North_Dakota/Beulah
posix/America/Dawson posix/America/Fortaleza posix/America/Monterrey
posix/America/Montserrat posix/America/Sitka posix/America/Atikokan
posix/America/Regina posix/America/Winnipeg posix/America/Paramaribo
posix/America/Rainy_River posix/America/Mazatlan posix/America/Edmonton
posix/America/Port-au-Prince posix/America/Moncton posix/America/Mexico_City
posix/America/Matamoros posix/America/Nipigon posix/America/Indianapolis
posix/America/Los_Angeles posix/America/New_York posix/America/El_Salvador
posix/America/Coral_Harbour posix/America/Miquelon posix/America/Tortola
posix/America/Kralendijk posix/America/Knox_IN posix/America/Goose_Bay
posix/America/Curacao posix/America/Santa_Isabel posix/America/Dawson_Creek
posix/America/Tegucigalpa posix/America/Barbados posix/America/Godthab
posix/America/Caracas posix/America/Puerto_Rico posix/America/Santiago
posix/America/St_Johns posix/America/St_Barthelemy posix/America/Aruba
posix/America/Martinique posix/America/St_Lucia posix/America/Phoenix
posix/America/Yakutat posix/America/Hermosillo posix/America/Kentucky/Louisville
posix/America/Kentucky/Monticello posix/America/Bahia_Banderas posix/America/Thule
posix/America/Yellowknife posix/America/Havana posix/America/Scoresbysund
posix/America/Halifax posix/America/Adak posix/America/Creston
posix/America/Boise posix/America/Grand_Turk posix/America/Araguaina
posix/America/Guayaquil posix/America/Belize posix/America/Anguilla
posix/America/Maceio posix/America/Anchorage posix/America/Dominica
posix/America/Costa_Rica posix/America/Chicago posix/America/St_Kitts
posix/America/Pangnirtung posix/America/Louisville posix/America/Toronto
posix/America/Bogota posix/America/Menominee posix/America/Porto_Acre
posix/America/Blanc-Sablon posix/America/Jujuy posix/America/Bahia
posix/America/Santo_Domingo posix/America/Eirunepe posix/America/Indiana/Marengo
posix/America/Indiana/Petersburg posix/America/Indiana/Indianapolis posix/America/Indiana/Vevay
posix/America/Indiana/Tell_City posix/America/Indiana/Winamac posix/America/Indiana/Vincennes
posix/America/Indiana/Knox posix/America/Cayenne posix/America/Virgin
posix/America/Guatemala posix/America/Whitehorse posix/America/Ojinaga
posix/America/Cayman posix/America/Mendoza posix/America/Noronha
posix/America/Cancun posix/America/Glace_Bay posix/America/Port_of_Spain
posix/America/Iqaluit posix/America/Fort_Wayne posix/America/Merida
posix/America/Detroit posix/America/Tijuana posix/America/Metlakatla
posix/America/Managua posix/America/La_Paz posix/America/Montreal
posix/America/Jamaica posix/America/Marigot posix/America/Catamarca
posix/America/Cordoba posix/America/Guyana posix/America/Asuncion
posix/America/Guadeloupe posix/America/Denver posix/America/Atka
posix/America/Chihuahua posix/America/Boa_Vista posix/America/Grenada
posix/GMT-0 posix/Kwajalein posix/Arctic/Longyearbyen
posix/PST8PDT posix/Australia/North posix/Australia/ACT
posix/Australia/Lord_Howe posix/Australia/NSW posix/Australia/Darwin
posix/Australia/Currie posix/Australia/Melbourne posix/Australia/Lindeman
posix/Australia/Queensland posix/Australia/Victoria posix/Australia/Canberra
posix/Australia/West posix/Australia/Broken_Hill posix/Australia/Hobart
posix/Australia/LHI posix/Australia/Yancowinna posix/Australia/Eucla
posix/Australia/South posix/Australia/Tasmania posix/Australia/Brisbane
posix/Australia/Adelaide posix/Australia/Sydney posix/Australia/Perth
posix/GB-Eire posix/Europe/Riga posix/Europe/Luxembourg
posix/Europe/Kaliningrad posix/Europe/Andorra posix/Europe/Kiev
posix/Europe/Malta posix/Europe/Lisbon posix/Europe/Sofia
posix/Europe/Samara posix/Europe/Brussels posix/Europe/Prague
posix/Europe/Bratislava posix/Europe/Minsk posix/Europe/Amsterdam
posix/Europe/Paris posix/Europe/Zaporozhye posix/Europe/Chisinau
posix/Europe/Isle_of_Man posix/Europe/Madrid posix/Europe/Istanbul
posix/Europe/Tiraspol posix/Europe/Belgrade posix/Europe/London
posix/Europe/Tallinn posix/Europe/Vilnius posix/Europe/Warsaw
posix/Europe/San_Marino posix/Europe/Podgorica posix/Europe/Copenhagen
posix/Europe/Zurich posix/Europe/Mariehamn posix/Europe/Monaco
posix/Europe/Jersey posix/Europe/Skopje posix/Europe/Gibraltar
posix/Europe/Nicosia posix/Europe/Belfast posix/Europe/Zagreb
posix/Europe/Volgograd posix/Europe/Athens posix/Europe/Berlin
posix/Europe/Budapest posix/Europe/Dublin posix/Europe/Moscow
posix/Europe/Bucharest posix/Europe/Vatican posix/Europe/Stockholm
posix/Europe/Oslo posix/Europe/Tirane posix/Europe/Vienna
posix/Europe/Sarajevo posix/Europe/Uzhgorod posix/Europe/Rome
posix/Europe/Guernsey posix/Europe/Ljubljana posix/Europe/Simferopol
posix/Europe/Vaduz posix/Europe/Helsinki posix/Egypt
posix/Navajo posix/PRC posix/Jamaica
posix/ROK posix/GMT posix/Etc/GMT-9
posix/Etc/GMT-2 posix/Etc/GMT+9 posix/Etc/GMT-4
posix/Etc/GMT+8 posix/Etc/GMT+10 posix/Etc/GMT-5
posix/Etc/GMT+1 posix/Etc/GMT+6 posix/Etc/GMT-6
posix/Etc/Greenwich posix/Etc/Zulu posix/Etc/GMT-11
posix/Etc/GMT-7 posix/Etc/GMT-10 posix/Etc/GMT-14
posix/Etc/UTC posix/Etc/Universal posix/Etc/GMT-8
posix/Etc/UCT posix/Etc/GMT+2 posix/Etc/GMT+0
posix/Etc/GMT0 posix/Etc/GMT+3 posix/Etc/GMT+5
posix/Etc/GMT+12 posix/Etc/GMT-3 posix/Etc/GMT-0
posix/Etc/GMT-13 posix/Etc/GMT+4 posix/Etc/GMT-12
posix/Etc/GMT+7 posix/Etc/GMT+11 posix/Etc/GMT-1
posix/Etc/GMT posix/W-SU posix/CET
posix/Cuba posix/Antarctica/McMurdo posix/Antarctica/Davis
posix/Antarctica/South_Pole posix/Antarctica/Casey posix/Antarctica/Vostok
posix/Antarctica/Syowa posix/Antarctica/Rothera posix/Antarctica/Mawson
posix/Antarctica/Macquarie posix/Antarctica/Palmer posix/Antarctica/DumontDUrville
posix/Pacific/Chuuk posix/Pacific/Noumea posix/Pacific/Saipan
posix/Pacific/Pitcairn posix/Pacific/Marquesas posix/Pacific/Fiji
posix/Pacific/Tahiti posix/Pacific/Majuro posix/Pacific/Funafuti
posix/Pacific/Yap posix/Pacific/Midway posix/Pacific/Palau
posix/Pacific/Rarotonga posix/Pacific/Chatham posix/Pacific/Auckland
posix/Pacific/Guam posix/Pacific/Tarawa posix/Pacific/Truk
posix/Pacific/Apia posix/Pacific/Efate posix/Pacific/Norfolk
posix/Pacific/Nauru posix/Pacific/Johnston posix/Pacific/Wallis
posix/Pacific/Niue posix/Pacific/Ponape posix/Pacific/Kiritimati
posix/Pacific/Pohnpei posix/Pacific/Enderbury posix/Pacific/Port_Moresby
posix/Pacific/Galapagos posix/Pacific/Tongatapu posix/Pacific/Gambier
posix/Pacific/Guadalcanal posix/Pacific/Pago_Pago posix/Pacific/Kwajalein
posix/Pacific/Wake posix/Pacific/Fakaofo posix/Pacific/Kosrae
posix/Pacific/Easter posix/Pacific/Samoa posix/Pacific/Honolulu
posix/Portugal CST6CDT US/Alaska
US/Indiana-Starke US/Central US/Michigan
US/Aleutian US/East-Indiana US/Eastern
US/Pacific-New US/Hawaii US/Mountain
US/Arizona US/Samoa US/Pacific
MST GMT+0 ROC
Singapore Turkey GMT0
Poland posixrules right/EST5EDT
right/MET right/WET right/GB
right/Iran right/Mexico/BajaSur right/Mexico/BajaNorte
right/Mexico/General right/Israel right/NZ
right/Asia/Macao right/Asia/Irkutsk right/Asia/Shanghai
right/Asia/Chongqing right/Asia/Anadyr right/Asia/Hovd
right/Asia/Urumqi right/Asia/Harbin right/Asia/Thimphu
right/Asia/Bishkek right/Asia/Dhaka right/Asia/Hong_Kong
right/Asia/Jakarta right/Asia/Vientiane right/Asia/Pyongyang
right/Asia/Baghdad right/Asia/Gaza right/Asia/Samarkand
right/Asia/Tashkent right/Asia/Beirut right/Asia/Oral
right/Asia/Jerusalem right/Asia/Calcutta right/Asia/Tokyo
right/Asia/Taipei right/Asia/Omsk right/Asia/Dushanbe
right/Asia/Kolkata right/Asia/Brunei right/Asia/Dili
right/Asia/Istanbul right/Asia/Baku right/Asia/Ashgabat
right/Asia/Jayapura right/Asia/Colombo right/Asia/Tbilisi
right/Asia/Ulan_Bator right/Asia/Kuching right/Asia/Novosibirsk
right/Asia/Phnom_Penh right/Asia/Novokuznetsk right/Asia/Ujung_Pandang
right/Asia/Thimbu right/Asia/Ashkhabad right/Asia/Bahrain
right/Asia/Vladivostok right/Asia/Kamchatka right/Asia/Seoul
right/Asia/Chungking right/Asia/Sakhalin right/Asia/Aqtau
right/Asia/Magadan right/Asia/Kuwait right/Asia/Singapore
right/Asia/Kuala_Lumpur right/Asia/Amman right/Asia/Kathmandu
right/Asia/Krasnoyarsk right/Asia/Rangoon right/Asia/Pontianak
right/Asia/Dubai right/Asia/Yekaterinburg right/Asia/Yakutsk
right/Asia/Aden right/Asia/Aqtobe right/Asia/Qatar
right/Asia/Muscat right/Asia/Nicosia right/Asia/Qyzylorda
right/Asia/Macau right/Asia/Hebron right/Asia/Kabul
right/Asia/Choibalsan right/Asia/Riyadh87 right/Asia/Tel_Aviv
right/Asia/Saigon right/Asia/Yerevan right/Asia/Kashgar
right/Asia/Manila right/Asia/Ulaanbaatar right/Asia/Makassar
right/Asia/Riyadh89 right/Asia/Ho_Chi_Minh right/Asia/Dacca
right/Asia/Bangkok right/Asia/Riyadh right/Asia/Tehran
right/Asia/Damascus right/Asia/Katmandu right/Asia/Karachi
right/Asia/Almaty right/Asia/Riyadh88 right/Canada/East-Saskatchewan
right/Canada/Central right/Canada/Newfoundland right/Canada/Atlantic
right/Canada/Eastern right/Canada/Yukon right/Canada/Mountain
right/Canada/Pacific right/Canada/Saskatchewan right/Greenwich
right/Africa/Accra right/Africa/Khartoum right/Africa/Kigali
right/Africa/Bangui right/Africa/Timbuktu right/Africa/Juba
right/Africa/Ouagadougou right/Africa/Dar_es_Salaam right/Africa/Monrovia
right/Africa/Maputo right/Africa/Tripoli right/Africa/Windhoek
right/Africa/Bissau right/Africa/Ndjamena right/Africa/Asmera
right/Africa/Lome right/Africa/Ceuta right/Africa/Blantyre
right/Africa/Cairo right/Africa/Tunis right/Africa/Mbabane
right/Africa/Porto-Novo right/Africa/Bamako right/Africa/Nouakchott
right/Africa/Maseru right/Africa/Niamey right/Africa/Nairobi
right/Africa/Algiers right/Africa/Johannesburg right/Africa/Lagos
right/Africa/Kinshasa right/Africa/Gaborone right/Africa/Banjul
right/Africa/Brazzaville right/Africa/Sao_Tome right/Africa/Mogadishu
right/Africa/Djibouti right/Africa/Luanda right/Africa/Casablanca
right/Africa/Addis_Ababa right/Africa/Douala right/Africa/Lusaka
right/Africa/Conakry right/Africa/Abidjan right/Africa/Freetown
right/Africa/Malabo right/Africa/Dakar right/Africa/Asmara
right/Africa/Libreville right/Africa/Bujumbura right/Africa/Lubumbashi
right/Africa/Harare right/Africa/Kampala right/Africa/El_Aaiun
right/Zulu right/Japan right/Indian/Maldives
right/Indian/Antananarivo right/Indian/Chagos right/Indian/Reunion
right/Indian/Mayotte right/Indian/Christmas right/Indian/Mauritius
right/Indian/Kerguelen right/Indian/Mahe right/Indian/Cocos
right/Indian/Comoro right/NZ-CHAT right/Eire
right/UTC right/Universal right/EET
right/Brazil/Acre right/Brazil/West right/Brazil/East
right/Brazil/DeNoronha right/MST7MDT right/Mideast/Riyadh87
right/Mideast/Riyadh89 right/Mideast/Riyadh88 right/Libya
right/EST right/UCT right/Atlantic/St_Helena
right/Atlantic/South_Georgia right/Atlantic/Canary right/Atlantic/Cape_Verde
right/Atlantic/Faroe right/Atlantic/Azores right/Atlantic/Jan_Mayen
right/Atlantic/Reykjavik right/Atlantic/Faeroe right/Atlantic/Bermuda
right/Atlantic/Madeira right/Atlantic/Stanley right/HST
right/Hongkong right/CST6CDT right/US/Alaska
right/US/Indiana-Starke right/US/Central right/US/Michigan
right/US/Aleutian right/US/East-Indiana right/US/Eastern
right/US/Pacific-New right/US/Hawaii right/US/Mountain
right/US/Arizona right/US/Samoa right/US/Pacific
right/MST right/GMT+0 right/ROC
right/Singapore right/Turkey right/GMT0
right/Poland right/Chile/Continental right/Chile/EasterIsland
right/Iceland right/America/Antigua right/America/Swift_Current
right/America/Inuvik right/America/Juneau right/America/Porto_Velho
right/America/Sao_Paulo right/America/Cuiaba right/America/Santarem
right/America/Buenos_Aires right/America/Lima right/America/Recife
right/America/Lower_Princes right/America/Panama right/America/Cambridge_Bay
right/America/Montevideo right/America/Argentina/Buenos_Aires right/America/Argentina/Salta
right/America/Argentina/San_Juan right/America/Argentina/ComodRivadavia right/America/Argentina/Tucuman
right/America/Argentina/San_Luis right/America/Argentina/Ushuaia right/America/Argentina/Jujuy
right/America/Argentina/Rio_Gallegos right/America/Argentina/Mendoza right/America/Argentina/La_Rioja
right/America/Argentina/Catamarca right/America/Argentina/Cordoba right/America/Nassau
right/America/Shiprock right/America/Manaus right/America/Rosario
right/America/Nome right/America/Danmarkshavn right/America/Resolute
right/America/Rio_Branco right/America/Vancouver right/America/Campo_Grande
right/America/Ensenada right/America/Belem right/America/Rankin_Inlet
right/America/Thunder_Bay right/America/St_Thomas right/America/St_Vincent
right/America/North_Dakota/New_Salem right/America/North_Dakota/Center right/America/North_Dakota/Beulah
right/America/Dawson right/America/Fortaleza right/America/Monterrey
right/America/Montserrat right/America/Sitka right/America/Atikokan
right/America/Regina right/America/Winnipeg right/America/Paramaribo
right/America/Rainy_River right/America/Mazatlan right/America/Edmonton
right/America/Port-au-Prince right/America/Moncton right/America/Mexico_City
right/America/Matamoros right/America/Nipigon right/America/Indianapolis
right/America/Los_Angeles right/America/New_York right/America/El_Salvador
right/America/Coral_Harbour right/America/Miquelon right/America/Tortola
right/America/Kralendijk right/America/Knox_IN right/America/Goose_Bay
right/America/Curacao right/America/Santa_Isabel right/America/Dawson_Creek
right/America/Tegucigalpa right/America/Barbados right/America/Godthab
right/America/Caracas right/America/Puerto_Rico right/America/Santiago
right/America/St_Johns right/America/St_Barthelemy right/America/Aruba
right/America/Martinique right/America/St_Lucia right/America/Phoenix
right/America/Yakutat right/America/Hermosillo right/America/Kentucky/Louisville
right/America/Kentucky/Monticello right/America/Bahia_Banderas right/America/Thule
right/America/Yellowknife right/America/Havana right/America/Scoresbysund
right/America/Halifax right/America/Adak right/America/Creston
right/America/Boise right/America/Grand_Turk right/America/Araguaina
right/America/Guayaquil right/America/Belize right/America/Anguilla
right/America/Maceio right/America/Anchorage right/America/Dominica
right/America/Costa_Rica right/America/Chicago right/America/St_Kitts
right/America/Pangnirtung right/America/Louisville right/America/Toronto
right/America/Bogota right/America/Menominee right/America/Porto_Acre
right/America/Blanc-Sablon right/America/Jujuy right/America/Bahia
right/America/Santo_Domingo right/America/Eirunepe right/America/Indiana/Marengo
right/America/Indiana/Petersburg right/America/Indiana/Indianapolis right/America/Indiana/Vevay
right/America/Indiana/Tell_City right/America/Indiana/Winamac right/America/Indiana/Vincennes
right/America/Indiana/Knox right/America/Cayenne right/America/Virgin
right/America/Guatemala right/America/Whitehorse right/America/Ojinaga
right/America/Cayman right/America/Mendoza right/America/Noronha
right/America/Cancun right/America/Glace_Bay right/America/Port_of_Spain
right/America/Iqaluit right/America/Fort_Wayne right/America/Merida
right/America/Detroit right/America/Tijuana right/America/Metlakatla
right/America/Managua right/America/La_Paz right/America/Montreal
right/America/Jamaica right/America/Marigot right/America/Catamarca
right/America/Cordoba right/America/Guyana right/America/Asuncion
right/America/Guadeloupe right/America/Denver right/America/Atka
right/America/Chihuahua right/America/Boa_Vista right/America/Grenada
right/GMT-0 right/Kwajalein right/Arctic/Longyearbyen
right/PST8PDT right/Australia/North right/Australia/ACT
right/Australia/Lord_Howe right/Australia/NSW right/Australia/Darwin
right/Australia/Currie right/Australia/Melbourne right/Australia/Lindeman
right/Australia/Queensland right/Australia/Victoria right/Australia/Canberra
right/Australia/West right/Australia/Broken_Hill right/Australia/Hobart
right/Australia/LHI right/Australia/Yancowinna right/Australia/Eucla
right/Australia/South right/Australia/Tasmania right/Australia/Brisbane
right/Australia/Adelaide right/Australia/Sydney right/Australia/Perth
right/GB-Eire right/Europe/Riga right/Europe/Luxembourg
right/Europe/Kaliningrad right/Europe/Andorra right/Europe/Kiev
right/Europe/Malta right/Europe/Lisbon right/Europe/Sofia
right/Europe/Samara right/Europe/Brussels right/Europe/Prague
right/Europe/Bratislava right/Europe/Minsk right/Europe/Amsterdam
right/Europe/Paris right/Europe/Zaporozhye right/Europe/Chisinau
right/Europe/Isle_of_Man right/Europe/Madrid right/Europe/Istanbul
right/Europe/Tiraspol right/Europe/Belgrade right/Europe/London
right/Europe/Tallinn right/Europe/Vilnius right/Europe/Warsaw
right/Europe/San_Marino right/Europe/Podgorica right/Europe/Copenhagen
right/Europe/Zurich right/Europe/Mariehamn right/Europe/Monaco
right/Europe/Jersey right/Europe/Skopje right/Europe/Gibraltar
right/Europe/Nicosia right/Europe/Belfast right/Europe/Zagreb
right/Europe/Volgograd right/Europe/Athens right/Europe/Berlin
right/Europe/Budapest right/Europe/Dublin right/Europe/Moscow
right/Europe/Bucharest right/Europe/Vatican right/Europe/Stockholm
right/Europe/Oslo right/Europe/Tirane right/Europe/Vienna
right/Europe/Sarajevo right/Europe/Uzhgorod right/Europe/Rome
right/Europe/Guernsey right/Europe/Ljubljana right/Europe/Simferopol
right/Europe/Vaduz right/Europe/Helsinki right/Egypt
right/Navajo right/PRC right/Jamaica
right/ROK right/GMT right/Etc/GMT-9
right/Etc/GMT-2 right/Etc/GMT+9 right/Etc/GMT-4
right/Etc/GMT+8 right/Etc/GMT+10 right/Etc/GMT-5
right/Etc/GMT+1 right/Etc/GMT+6 right/Etc/GMT-6
right/Etc/Greenwich right/Etc/Zulu right/Etc/GMT-11
right/Etc/GMT-7 right/Etc/GMT-10 right/Etc/GMT-14
right/Etc/UTC right/Etc/Universal right/Etc/GMT-8
right/Etc/UCT right/Etc/GMT+2 right/Etc/GMT+0
right/Etc/GMT0 right/Etc/GMT+3 right/Etc/GMT+5
right/Etc/GMT+12 right/Etc/GMT-3 right/Etc/GMT-0
right/Etc/GMT-13 right/Etc/GMT+4 right/Etc/GMT-12
right/Etc/GMT+7 right/Etc/GMT+11 right/Etc/GMT-1
right/Etc/GMT right/W-SU right/CET
right/Cuba right/Antarctica/McMurdo right/Antarctica/Davis
right/Antarctica/South_Pole right/Antarctica/Casey right/Antarctica/Vostok
right/Antarctica/Syowa right/Antarctica/Rothera right/Antarctica/Mawson
right/Antarctica/Macquarie right/Antarctica/Palmer right/Antarctica/DumontDUrville
right/Pacific/Chuuk right/Pacific/Noumea right/Pacific/Saipan
right/Pacific/Pitcairn right/Pacific/Marquesas right/Pacific/Fiji
right/Pacific/Tahiti right/Pacific/Majuro right/Pacific/Funafuti
right/Pacific/Yap right/Pacific/Midway right/Pacific/Palau
right/Pacific/Rarotonga right/Pacific/Chatham right/Pacific/Auckland
right/Pacific/Guam right/Pacific/Tarawa right/Pacific/Truk
right/Pacific/Apia right/Pacific/Efate right/Pacific/Norfolk
right/Pacific/Nauru right/Pacific/Johnston right/Pacific/Wallis
right/Pacific/Niue right/Pacific/Ponape right/Pacific/Kiritimati
right/Pacific/Pohnpei right/Pacific/Enderbury right/Pacific/Port_Moresby
right/Pacific/Galapagos right/Pacific/Tongatapu right/Pacific/Gambier
right/Pacific/Guadalcanal right/Pacific/Pago_Pago right/Pacific/Kwajalein
right/Pacific/Wake right/Pacific/Fakaofo right/Pacific/Kosrae
right/Pacific/Easter right/Pacific/Samoa right/Pacific/Honolulu
right/Portugal Chile/Continental Chile/EasterIsland
Iceland zone.tab America/Antigua
America/Swift_Current America/Inuvik America/Juneau
America/Porto_Velho America/Sao_Paulo America/Cuiaba
America/Santarem America/Buenos_Aires America/Lima
America/Recife America/Lower_Princes America/Panama
America/Cambridge_Bay America/Montevideo America/Argentina/Buenos_Aires
America/Argentina/Salta America/Argentina/San_Juan America/Argentina/ComodRivadavia
America/Argentina/Tucuman America/Argentina/San_Luis America/Argentina/Ushuaia
America/Argentina/Jujuy America/Argentina/Rio_Gallegos America/Argentina/Mendoza
America/Argentina/La_Rioja America/Argentina/Catamarca America/Argentina/Cordoba
America/Nassau America/Shiprock America/Manaus
America/Rosario America/Nome America/Danmarkshavn
America/Resolute America/Rio_Branco America/Vancouver
America/Campo_Grande America/Ensenada America/Belem
America/Rankin_Inlet America/Thunder_Bay America/St_Thomas
America/St_Vincent America/North_Dakota/New_Salem America/North_Dakota/Center
America/North_Dakota/Beulah America/Dawson America/Fortaleza
America/Monterrey America/Montserrat America/Sitka
America/Atikokan America/Regina America/Winnipeg
America/Paramaribo America/Rainy_River America/Mazatlan
America/Edmonton America/Port-au-Prince America/Moncton
America/Mexico_City America/Matamoros America/Nipigon
America/Indianapolis America/Los_Angeles America/New_York
America/El_Salvador America/Coral_Harbour America/Miquelon
America/Tortola America/Kralendijk America/Knox_IN
America/Goose_Bay America/Curacao America/Santa_Isabel
America/Dawson_Creek America/Tegucigalpa America/Barbados
America/Godthab America/Caracas America/Puerto_Rico
America/Santiago America/St_Johns America/St_Barthelemy
America/Aruba America/Martinique America/St_Lucia
America/Phoenix America/Yakutat America/Hermosillo
America/Kentucky/Louisville America/Kentucky/Monticello America/Bahia_Banderas
America/Thule America/Yellowknife America/Havana
America/Scoresbysund America/Halifax America/Adak
America/Creston America/Boise America/Grand_Turk
America/Araguaina America/Guayaquil America/Belize
America/Anguilla America/Maceio America/Anchorage
America/Dominica America/Costa_Rica America/Chicago
America/St_Kitts America/Pangnirtung America/Louisville
America/Toronto America/Bogota America/Menominee
America/Porto_Acre America/Blanc-Sablon America/Jujuy
America/Bahia America/Santo_Domingo America/Eirunepe
America/Indiana/Marengo America/Indiana/Petersburg America/Indiana/Indianapolis
America/Indiana/Vevay America/Indiana/Tell_City America/Indiana/Winamac
America/Indiana/Vincennes America/Indiana/Knox America/Cayenne
America/Virgin America/Guatemala America/Whitehorse
America/Ojinaga America/Cayman America/Mendoza
America/Noronha America/Cancun America/Glace_Bay
America/Port_of_Spain America/Iqaluit America/Fort_Wayne
America/Merida America/Detroit America/Tijuana
America/Metlakatla America/Managua America/La_Paz
America/Montreal America/Jamaica America/Marigot
America/Catamarca America/Cordoba America/Guyana
America/Asuncion America/Guadeloupe America/Denver
America/Atka America/Chihuahua America/Boa_Vista
America/Grenada GMT-0 Kwajalein
Arctic/Longyearbyen PST8PDT Australia/North
Australia/ACT Australia/Lord_Howe Australia/NSW
Australia/Darwin Australia/Currie Australia/Melbourne
Australia/Lindeman Australia/Queensland Australia/Victoria
Australia/Canberra Australia/West Australia/Broken_Hill
Australia/Hobart Australia/LHI Australia/Yancowinna
Australia/Eucla Australia/South Australia/Tasmania
Australia/Brisbane Australia/Adelaide Australia/Sydney
Australia/Perth GB-Eire Europe/Riga
Europe/Luxembourg Europe/Kaliningrad Europe/Andorra
Europe/Kiev Europe/Malta Europe/Lisbon
Europe/Sofia Europe/Samara Europe/Brussels
Europe/Prague Europe/Bratislava Europe/Minsk
Europe/Amsterdam Europe/Paris Europe/Zaporozhye
Europe/Chisinau Europe/Isle_of_Man Europe/Madrid
Europe/Istanbul Europe/Tiraspol Europe/Belgrade
Europe/London Europe/Tallinn Europe/Vilnius
Europe/Warsaw Europe/San_Marino Europe/Podgorica
Europe/Copenhagen Europe/Zurich Europe/Mariehamn
Europe/Monaco Europe/Jersey Europe/Skopje
Europe/Gibraltar Europe/Nicosia Europe/Belfast
Europe/Zagreb Europe/Volgograd Europe/Athens
Europe/Berlin Europe/Budapest Europe/Dublin
Europe/Moscow Europe/Bucharest Europe/Vatican
Europe/Stockholm Europe/Oslo Europe/Tirane
Europe/Vienna Europe/Sarajevo Europe/Uzhgorod
Europe/Rome Europe/Guernsey Europe/Ljubljana
Europe/Simferopol Europe/Vaduz Europe/Helsinki
Egypt Navajo PRC
Jamaica ROK GMT
Etc/GMT-9 Etc/GMT-2 Etc/GMT+9
Etc/GMT-4 Etc/GMT+8 Etc/GMT+10
Etc/GMT-5 Etc/GMT+1 Etc/GMT+6
Etc/GMT-6 Etc/Greenwich Etc/Zulu
Etc/GMT-11 Etc/GMT-7 Etc/GMT-10
Etc/GMT-14 Etc/UTC Etc/Universal
Etc/GMT-8 Etc/UCT Etc/GMT+2
Etc/GMT+0 Etc/GMT0 Etc/GMT+3
Etc/GMT+5 Etc/GMT+12 Etc/GMT-3
Etc/GMT-0 Etc/GMT-13 Etc/GMT+4
Etc/GMT-12 Etc/GMT+7 Etc/GMT+11
Etc/GMT-1 Etc/GMT W-SU
CET Cuba Antarctica/McMurdo
Antarctica/Davis Antarctica/South_Pole Antarctica/Casey
Antarctica/Vostok Antarctica/Syowa Antarctica/Rothera
Antarctica/Mawson Antarctica/Macquarie Antarctica/Palmer
Antarctica/DumontDUrville Pacific/Chuuk Pacific/Noumea
Pacific/Saipan Pacific/Pitcairn Pacific/Marquesas
Pacific/Fiji Pacific/Tahiti Pacific/Majuro
Pacific/Funafuti Pacific/Yap Pacific/Midway
Pacific/Palau Pacific/Rarotonga Pacific/Chatham
Pacific/Auckland Pacific/Guam Pacific/Tarawa
Pacific/Truk Pacific/Apia Pacific/Efate
Pacific/Norfolk Pacific/Nauru Pacific/Johnston
Pacific/Wallis Pacific/Niue Pacific/Ponape
Pacific/Kiritimati Pacific/Pohnpei Pacific/Enderbury
Pacific/Port_Moresby Pacific/Galapagos Pacific/Tongatapu
Pacific/Gambier Pacific/Guadalcanal Pacific/Pago_Pago
Pacific/Kwajalein Pacific/Wake Pacific/Fakaofo
Pacific/Kosrae Pacific/Easter Pacific/Samoa
Pacific/Honolulu Portugal iso3166.tab