Release Notes
Quest® IT Security Search 11.4.1
Update 3 Release Notes
June 2020
These release notes provide information about the Quest® IT Security Search Update 3 release.
Topics:
About this release
IT Security Search provides IT administrators, IT managers and security teams with a way to navigate the expanse of information about the enterprise infrastructure.
|
|
IMPORTANT: This document is for IT Security Search 11.4.1 and Update 3 for this version. IT Security Search 11.4.1 Update 3 can be installed only on top of version 11.4.1 with or without Update 1 or Update 2. |
New features
IT Security Search 11.4.1 Update 3 contains no new features. For details about improvements included in the release, see the Enhancements and Resolved issues sections.
New features in IT Security Search 11.4.1 Update 2:
- Group membership and traversal functions in search queries
In an IT Security Search query, a function transforms the results of a smaller query to other objects. IT Security Search functions take a query as their single argument and return a collection of objects. Functions work only for data provided by the Warehouse connector. The following functions are available at this time:
- Members
Returns the direct members of all groups that the argument query returned.
- Members_Deep
Returns both direct and indirect members of all groups that the argument query returned. - MemberOf
Returns all groups that directly contain the accounts returned by the argument query. - MemberOf_Deep
Returns all groups that directly or indirectly contain the accounts returned by the argument query.
You can condense advanced use scenarios to compact function-powered queries. For example, if you want events from all computers where user martystu is an administrator, it can be done with a single query like this:
memberof_Deep(Who=martystu) AccountSID="S-1-5-32-544" | Where="{DomainName}" Who=martystu
For details about how this particular query works, see Using Functions in Queries. - Members
- Feature preview: Splunk connector
New features in IT Security Search 11.4.1 Update 1:
- Advanced multi-stage search language (search-in-search capabilities)
Transfer the results of a search to the next search in a row; the results flow without interruptions. Each of your established search workflows can now be consolidated into a single search query. This feature relies on the familiar pipe syntax used by shell languages and various search APIs. For more details, see Search Term Syntax. - Context parameter for currently logged-on user
The parameter can help configure flexible role-based access for groups and users or make searches (saved and regular) tuned for self-audit purposes. If you specify the {Context.CurrentUser} variable in your query, it is automatically resolved to information that identifies the currently logged-on user. Use the parameter in search queries and in operator scope-limiting queries that define role-based access. - Customizable columns in the event grid
In the event result grid, the new Columns drop-down menu provides tools for specifying which event fields to display. The layout you configure is also kept in the PDF and CSV files that you export the search results to.
New in IT Security Search 11.4.1:
- Improved Hybrid Active Directory forensics
A number of new Azure object properties are now available in search results, including the following:- Permissions for Azure applications
- Security rules for network security groups
- Membership details for Azure users and groups
In addition, Azure events collected by Change Auditor now contain links to the details of Azure objects that occur in the Who and Whom fields.
- Fine-grained scope definition for IT Security Search operators
You can now use regular search queries to fine-tune the scope of objects visible to IT Security Search operators. For example, this helps segregate information that users can see based on Active Directory domain or a Azure tenant. - FIPS 140-2 mode compatibility
IT Security Search can now function in Microsoft Windows environments where FIPS 140 revision 2 ( FIPS 140-2) mode is enabled. For more information about FIPS 140-2 mode, see https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing. - Feature preview: HTTPS API for forwarded Change Auditor events
See also:
Feature Previews
IT Security Search 11.4.1 Update 3 contains early implementations of features that will be completed in the coming versions. These feature previews are provided as-is, so that you can try them out, give us feedback and help us make them more useful in future releases.
HTTPS API for Forwarded Change Auditor Events
The Warehouse connector provides preliminary support for retrieval of forwarded Change Auditor data.
Before You Begin
First, make sure the ITSS.Warehouse service is running on your IT Security Search server. This is required for a successful Change Auditor subscription.
Getting Change Auditor Ready
To make Change Auditor push audit data to Warehouse, run the CreateCAITSSEventSubscription.ps1 PowerShell script, which is located in the <Change Auditor installation folder>\Client\PowerShell Sample Scripts folder on your Change Auditor coordinator. This will start a multi-step configuration procedure in the command prompt, where you will need to specify the settings for your particular environment.
The following are examples of values that you can supply for some of the prompts:
- Specify Change Auditor installation name
DEFAULT - Enter the number(s) of the subsystem events to be forwarded (separate multiple entries with commas)
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 - Specify the destination URL and port for the ITSS warehouse instance
https://myitssserver:443/warehouse/changeauditor/events
|
|
NOTE: To find out which port is used, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenPort registry value on the IT Security Search server. To see whether HTTPS is used instead of HTTP, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenScheme registry value. |
- Enter a coordinator DNS or NetBIOS name (or press enter to finish)
mycacoordinatorvm1,someothercacoordinatorvm9
The following additional scripts are also provided to let you manage your IT Security Search subscriptions:
- GetCAITSSEventSubscriptions.ps1
- ModifyCAITSSEventSubscription.ps1
- RemoveCAITSSEventSubscription.ps1.
Getting IT Security Search Ready
|
|
IMPORTANT:
|
At this time, the Warehouse connector settings in the web UI do not expose Change Auditor-related options. You need to edit the configuration file manually.
To set up retrieval of Change Auditor data from Warehouse
- On your IT Security Search server, make sure the %ProgramData%\Quest\IT Security Search\settings.xml file exists. If it doesn't, this means IT Security Search settings have never been configured. To make IT Security Search create the file, you can change some minor option, save the settings and then change it back and save the settings again.
- Stop the ITSS.Server (Quest IT Security Search) service.
- Open the %ProgramData%\Quest\IT Security Search\settings.xml file in a text editor.
- Change this:
<connector active='false' key='WarehouseCA'>
to this:
<connector active='true' key='WarehouseCA'>
- Save the configuration file.
- Start the ITSS.Server (Quest IT Security Search) service.
After you have completed these steps, data pushed by Change Auditor to Warehouse should appear in your searches.
Splunk Connector
The new Splunk connector provides preliminary support for retrieval of searchable data from Splunk. The connector is available in the Data Sources list in freshly installed IT Security Search 11.4.1 Update 3.
The connector has the following minimal configuration options:
- Splunk server URI
- The user name and password of the account to use for access to Splunk
One additional setting that you may want to configure is the number of retrieved Splunk results. By default, Splunk returns 50,000 objects, whereas IT Security Search shows 100,000 per page. To make these limits consistent, take the following steps:
- On the Splunk server, open (or create if necessary) the %programfiles%\Splunk\etc\system\local\limits.conf file (on Windows) or /opt/splunk/etc/system/local/limits.conf file (on Linux) in a text editor.
- Add the following lines to the file:
[restapi]
maxresultrows = 100000 - Restart Splunk.
IT Security Search provides a predefined Splunk-to-IT Security Search field mapping. If you find that this mapping doesn't suit you, call Quest Support. This will help improve Splunk integration for you and everyone else.
Enhancements
Table 1: General enhancements in IT Security Search 11.4.1 Update 3
| Enhancement | Issue ID |
|---|---|
|
Persistent changes to the search timeframe When you run searches, the timeframe settings are reused from the last time you changed them during the current browser session. Previously, the timeframe was reset to the default value for every search. |
IS-3006 |
|
Seconds in event timestamps Timestamps for events in the search result grid now display seconds. |
IS-3086 |
|
Saved searches: instant query preview When you specify custom variables for a saved search, you now get a live preview with your specified values substituted. |
IS-3099 |
|
Visual clues for column resizing In the result grid, vertical lines have been added to make it clearer that you can resize the columns. |
IS-3324 |
Table 2: General enhancements in IT Security Search 11.4.1 Update 2
| Enhancement | Issue ID |
|---|---|
|
In situations where a search finds nothing directly but produces results of a type that you aren't looking for, there is now a suggestion that you check those results. |
IS-2410 |
|
When you configure the InTrust connector, you can now specify multiple repositories at once. |
IS-2702 |
|
The Reset Settings action link is now available on all connector configuration pages so that you can easily restore the default values. |
IS-2166 |
|
If you change the set of columns in the result grid while any rows are selected or any facets or filters enabled, your filters and row selection are not cleared anymore in the updated grid. |
IS-2455, |
|
Search queries that explicitly specify the types of objects to look for are now optimized for that case and run faster on large sets of data. |
IS-2120 |
|
You can now sort the item groupings by number of items, in descending or ascending order. Sorting in ascending order helps you focus on seldom-occurring items, which may be the most relevant. |
IS-854 |
|
IT Security Search now shows a link to a dedicated video playlist (https://www.quest.com/ITSSVideos) with tips and feature demos. The link is available on the About screen (click the question mark icon to get there). |
IS-1407 |
Table 3: General enhancements in IT Security Search 11.4.1 Update 1
| Enhancement | Issue ID |
|---|---|
|
Now the InTrust suite setup has an option to download IT Security Search. |
IN-9122 |
|
In compliance with recommended security practices, the use of localhost and IP address 127.0.0.1 for setting up connection between IT Security Search services is now disallowed. For the same reason, the New-SslCertificate.ps1script doesn't create self-signed certificates for localhost and 127.0.0.1 anymore. |
IS-1466 |
Table 4: General enhancements in IT Security Search 11.4.1
| Enhancement | Issue ID |
|---|---|
|
There have been across-the-board performance improvements: searches now start faster, and the user interface is generally more responsive. |
IS-1293 |
|
You can now fine-tune the column layout for export of search results to CSV or PDF. For that, use the new ITSS-ExportFields.psm1 PowerShell script that comes with IT Security Search. The script lets you rearrange and resize columns for arbitrary object types. For details, see Additional Utility Scripts. |
IS-1220 |
|
The welcome wizard that was previously shown by default on the IT Security Search landing page has been replaced by an unobtrusive notification popup. |
IS-1003 |
|
In the Active Roles connector settings, error reporting has been improved for connection tests. |
IS-936 |
|
The Warehouse installer now automatically supplies the current user account in the Account name field. |
IS-703 |
|
A major update of third-party components was made, including an update of Elasticsearch to version 2.4.4. The newer Elasticsearch component helped resolve a known issue where IT Security Search generated huge logs daily. |
IS-1456 |
|
During installation and upgrade, IT Security Search setup now clearly states which services it requires and tells you what to do if they are stopped. |
IS-1427 |
|
IT Security Search setup now lets you customize where Warehouse keeps its data stores. |
IS-807 |
|
Display of Azure objects in search results has been improved: more properties are shown for them, and each Azure object type has its own set of relevant columns. |
IS-1750, |
Deprecated features
The Enterprise Reporter connector is being phased out. In future versions, support for Enterprise Reporter data will be provided only in the IT Security Search Warehouse connector, which will have all the features of the current Enterprise Reporter connector and more.
Currently, using the Enterprise Reporter connector is recommended only if you work with information about effective permissions. Otherwise, consider switching to the IT Security Search Warehouse connector.