IT Security Search 11.4.1 Update 3 (4361469)

NOTE: The earliest version this update can be applied to is 11.4.1.

Please download the ITSS 11.4.1 update 3 from the following link:

Download Update

IT Security Search 11.4.1 Update 3 contains no new features. For details about improvements included in the release, see the Enhancements and Resolved issues sections.

The ITSS 11.4.1 update has all the new features, enhancements and resolved issues from all previous updates.

11.4.1 Update 2 New Features:

• Group membership and traversal functions in search queries - In an IT Security Search query, a function transforms the results of a smaller query to other objects. IT Security Search functions take a query as their single argument and return a collection of objects. Functions work only for data provided by the Warehouse connector. The following functions are available at this time:
  • Members - Returns the direct members of all groups that the argument query returned
  • Members_Deep - Returns both direct and indirect members of all groups that the argument query returned
  • MemberOf - Returns all groups that directly contain the accounts returned by the argument query
  • MemberOf_Deep - Returns all groups that directly or indirectly contain the accounts returned by the argument query
• Feature preview: Splunk connector - IT Security Search 11.4.1 Update 2 contains an early implementations of support for retrieval of searchable data from Splunk. These feature preview is provided as-is, so that you can try them out, give us feedback and help us make it more useful in future releases

11.4.1 Update 1 New Features:

• Advanced multi-stage search language (search-in-search capabilities)
  • Transfer the results of a search to the next search in a row; the results flow without interruptions. Each of your established search workflows can now be consolidated into a single search query. This feature relies on the familiar pipe syntax used by shell languages and various search APIs. For more details, see
• Context parameter for currently logged-on user
  • The parameter can help configure flexible role-based access for groups and users or make searches (saved and regular) tuned for self-audit purposes. If you specify the {Context.CurrentUser} variable in your query, it is automatically resolved to information that identifies the currently logged-on user. Use the parameter in search queries and in operator scope-limiting queries that define role-based access
• Customizable columns in the event grid
  • In the event result grid, the new Columns drop-down menu provides tools for specifying which event fields to display. The layout you configure is also kept in the PDF and CSV files that you export the search results to

11.4.1 Update 2 Enhancements:

• In situations where a search finds nothing directly but produces results of a type that you aren't looking for, there is now a suggestion that you check those results - IS-2410
• When you configure the InTrust connector, you can now specify multiple repositories at once - IS-2702
• The Reset Settings action link is now available on all connector configuration pages so that you can easily restore the default values - IS-2166
• If you change the set of columns in the result grid while any rows are selected or any facets or filters enabled, your filters and row selection are not cleared anymore in the updated grid - IS-2455,IS-2167
• Search queries that explicitly specify the types of objects to look for are now optimized for that case and run faster on large sets of data - IS-2120
• You can now sort the item groupings by number of items, in descending or ascending order. Sorting in ascending order helps you focus on seldom-occurring items, which may be the most relevant - IS-854
• IT Security Search now shows a link to a dedicated video playlist (https://www.quest.com/ITSSVideos) with tips and feature demos. The link is available on the About screen (click the question mark icon to get there). - IS-1407

11.4.1 Update 1 Enhancements:

• Now the InTrust suite setup has an option to download IT Security Search - IN-9122
• In compliance with recommended security practices, the use of localhost and IP address 127.0.0.1 for setting up connection between IT Security Search services is now disallowed. For the same reason, the New-SslCertificate.ps1script doesn't create self-signed certificates for localhost and 127.0.0.1 anymore - IS-1466

11.4.1 Update 2 Resovled Issues:

• When you run searches on data provided by Enterprise Reporter, you get the following error message:
  Ambiguous column name 'WhenCreated'. This is caused by changes in the Enterprise Reporter database schema in version 3.2.1 - IS-2707
• IT Security Search uses an unreliable account impersonation method for connection to SQL Server. As a result, the connection uses the computer account of the IT Security Search server, and this fails with an error like the following:
  System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'domain_name\itss_server_name$' - IS-2757
• If the network link used by any of the enabled IT Security Search connectors is slow, then it takes a long time to show the details pages for items and may make the application unresponsive indefinitely. This happens even where no data from that connector is actually used - IS-2780,IS-2788
• If you add tabs to the result grid and later try to remove them by clicking their cross icons, in some situations the tabs stay there - IS-1736

11.4.1 Update 1 Resolved Issues:

• If an IT Security Search operator's scope is limited by a query that contains the name of a specific field (for example, Source="Active Roles"), then that operator may not be able to view details pages when clicking the links in search results - IS-2023
• If the data store for the Warehouse component is in a network share that is not hosted on the IT Security Search server, then Active Roles events can be absent from search results - IS-1783
• Indexing of effective group membership data from Enterprise Reporter is slow and causes the "tempdb" database to exceed its size limit - IS-2099, IS-1159
• Indexing fails during calculation of group membership data from Enterprise Reporter if there is circular membership among the groups (meaning that groups are their own members through membership in other groups) - IS-2121
• In InTrust connector settings, if you select a repository but then click Cancel, the repository is still there the next time you reopen the settings - IS-1716
• The breadcrumbs area contains garbage - IS-1972

The ITSS update also includes the following Feature Preview:

• HTTPS API for Forwarded Change Auditor Events
  • An early implementation of support for retrieval of forwarded Change Auditor data in the Warehouse connector. This feature preview is provided as-is, so that you can try it out, give us feedback and help us make it more useful in a future release
• Splunk Connector
  • The new Splunk connector provides preliminary support for retrieval of searchable data from Splunk. The connector is available in the Data Sources list in freshly installed IT Security Search 11.4.1 Update 2

For more information on how to configure and use the new preview of the forwarded Change Auditor events, please see the ITSS 11.4.1 Update 3 Release Notes.