Chat now with support
Chat with Support

IT Security Search 11.4.1 - Release Notes

Resolved issues

The following is a list of issues addressed in IT Security Search 11.4.1 Update 3.

Table 5: Resolved issues in IT Security Search 11.4.1 Update 3

Resolved Issue Issue ID

If you use a function in your search query but omit the closing parenthesis, you get an unclear "Unrecognized expression" error message.

IS-2875

On the Details page for any file, clicking the "Who has direct or indirect access permissions on this folder" action link in the left pane may cause an error.

IS-2983

A saved search doesn't work if its query contains an ampersand (&).

IS-2993

When you click a file or folder item to view its details, the details page takes a long time to open.

IS-3330

When you save a query that contains a pair of parentheses, they are dropped from the resulting saved search. This can break the query.

IS-3195

Table 6: Resolved issues in IT Security Search 11.4.1 Update 2

Resolved Issue Issue ID

When you run searches on data provided by Enterprise Reporter, you get the following error message:

Ambiguous column name 'WhenCreated'.

This is caused by changes in the Enterprise Reporter database schema in version 3.2.1.

IS-2707

IT Security Search uses an unreliable account impersonation method for connection to SQL Server. As a result, the connection uses the computer account of the IT Security Search server, and this fails with an error like the following:

System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'domain_name\itss_server_name$'.

IS-2757

If the network link used by any of the enabled IT Security Search connectors is slow, then it takes a long time to show the details pages for items and may make the application unresponsive indefinitely. This happens even where no data from that connector is actually used.

IS-2780,
IS-2788

If you add tabs to the result grid and later try to remove them by clicking their cross icons, in some situations the tabs stay there.

IS-1736

The following issues were resolved in previous releases of IT Security Search.

Table 7: Resolved issues in IT Security Search 11.4.1 Update 1

Resolved Issue Issue ID

If an IT Security Search operator's scope is limited by a query that contains the name of a specific field (for example, Source="Active Roles"), then that operator may not be able to view details pages when clicking the links in search results.

IS-2023

If the data store for the Warehouse component is in a network share that is not hosted on the IT Security Search server, then Active Roles events can be absent from search results.

IS-1783

Indexing of effective group membership data from Enterprise Reporter is slow and causes the "tempdb" database to exceed its size limit.

IS-2099
IS-1159

Indexing fails during calculation of group membership data from Enterprise Reporter if there is circular membership among the groups (meaning that groups are their own members through membership in other groups).

IS-2121

In InTrust connector settings, if you select a repository but then click Cancel, the repository is still there the next time you reopen the settings.

IS-1716

The breadcrumbs area contains garbage.

IS-1972

Table 8: Resolved issues in IT Security Search 11.4.1

Resolved Issue Issue ID

In some cases the Warehouse connector can produce huge error messages.

IS-1282

IS-1719

In some cases, if you pin an object type as a tab and the object type name is not all-lowercase, then you get duplicate tabs for it: one has your original spelling and the other is all-lowercase.

IS-1320

Sometimes if you copy a value from the search grid, garbage can be appended to the copied string.

IS-1310

For computer local users, "null" is shown on the Member Of tab.

IS-781

For some types of object (particularly, objects that reference other objects through attributes), when you click the VIew Details link, you get the details for the wrong object.

IS-1465

If you expand or collapse the contents of a facet while a search is in progress, you may get an incomplete list of results.

IS-1421

The Warehouse store index may become corrupted if the Warehouse service is stopped while the index is being built.

IS-1411

If you use negative expressions in Warehouse searches, you may get incorrect search results for Enterprise Reporter data.

IS-1440

The web UI doesn't get dates from the IT Security Search server in a consistent format. It isn't always clear which number is the month and which is the day.

IS-1659

The details view for an Active Directory account shows the Last Logon field with a timestamp taken from Active Directory. However, it's possible that there are more recent logons by the account. Information about the last logons should be available in the events view instead of the details view.

IS-1751

When you try to click a facet to filter results, it can suddenly move away from the cursor.

IS-1880

If you use the Warehouse connector for working with Enterprise Reporter data in an environment with a large number of Active Directory objects, then data for container objects with a lot of members may fail to be saved in the Warehouse store.

IS-1580

If multiple events of the same kind (meaning, with the same values in fields such as What, Who, Whom and Where) occur less than a second apart, then the View Details link for all of these events may point to the newest of them.

IS-1043

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 9: General known issues

Known Issue

Issue ID

Internet Explorer becomes unresponsive when IT Security Search shows a modal dialog box on top of the browser windows. You can work around this by minimizing all windows and clicking the close button in the modal window; Internet Explorer resumes working.

IS-360

After an IT Security Search upgrade, the layout of the controls in the web interface can appear broken (missing blocks of data, misplaced elements and so on). You can correct this by refreshing the page, preferably with a cache cleanup (Ctrl+F5).

During the IT Security Search Warehouse installation step of IT Security Search setup, an unused service connection point is created in Active Directory. This operation is skipped if the user account used for installation doesn't have the required privileges. Whether or not the service connection point is created, this has no effect on the installation or operation of IT Security Search.

IS-954

If you are upgrading IT Security Search from version 11.3 or later and you use data sending from Enterprise Reporter 3.0, you may need to go to Enterprise Reporter Configuration Manager and resend all data to IT Security Search. Otherwise, no pre-upgrade Enterprise Reporter data will be available to IT Security Search.

Search results from InTrust repositories and IT Security Search Warehouse may be incomplete. Eligible objects will be skipped if their names contain any of the following characters:

. @ "

This issue affects the following:

  • Searches for InTrust-provided events
  • Searches for data stored in IT Security Search Warehouse (Enterprise Reporter data and Active Roles events)
  • Results from the Test query link in operator scope options (on the IT Security Search Settings page, on the Security tab)

IS-1162

The IT Security Search Warehouse component may become inaccessible if you reinstall IT Security Search into the same organization where IT Security Search was previously deployed.

Root-cause: Newly installed server will receive new identification and data collected by a server with another ID will not be available for it.

Workaround:

  1. In InTrust Deployment Manager select Storage tab
  2. On each Repository that have exclamation sign on the right panel on Security section, click Edit link
  3. Specify valid InTrust server in Managed by this server combobox. Click Apply.

After the reconfiguration is finished, the following services should be started on IT Security Search server:

  • Quest IT Security Search Warehouse API
  • Quest IT Security Search Active Roles Data Attendant

It is recommended to either deploy a separate InTrust organization for IT Security Search every time you install the server or always perform the reconfiguration. InTrust system protects data collected by a specific server and prevents unauthorized access even for queries from the same computer.

IS-1256

System requirements

Before installing IT Security Search 11.4.1 Update 3, ensure that your system meets the following minimum hardware and software requirements.

Compatibility

The following versions of data-providing systems are supported in this version of IT Security Search:

  • InTrust 11.4.1, 11.4, 11.3.2, 11.3.1, 11.3
  • Change Auditor 7.1, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0, 6.9.5, 6.9.4, 6.9.3, 6.9.2, 6.9.1, 6.9
  • Enterprise Reporter 3.2.1, 3.2, 3.1, 3.0
  • Recovery Manager for Active Directory 10.1, 10.0.1, 10.0, 9.0.1, 9.0, 8.8.1
  • Active Roles 7.4.1, 7.4, 7.3.2, 7.3.1, 7.2.1, 7.2, 7.1

Software Requirements

  • Operating system:
    • Microsoft Windows Server 2019
    • Microsoft Windows Server 2016
    • Microsoft Windows Server 2012 R2
    • Microsoft Windows Server 2012
    • Microsoft Windows Server 2008 R2
  • Additional software:
    • Microsoft .NET Framework 4.7.2 or later
    • Microsoft Windows PowerShell 3.0 or later
    • Microsoft SQL Server 2012 or later (all editions)
      This is a requirement of the IT Security Search Warehouse component, which needs it for internal configuration management.
  • Additional requirements for the Recovery Manager for Active Directory connector:
  • Additional requirements for the Active Roles connector:
    • Active Roles Management Tools
    • The PowerShell script execution policy must be set to RemoteSigned.

Browser Compatibility

The IT Security Search Web interface works correctly with the following browsers:

  • Microsoft Edge
  • Microsoft Internet Explorer 11
  • Google Chrome 72.0 or later
  • Mozilla Firefox 65.0 or later

The minimum supported monitor resolution is 1024x768.

Hardware Requirements

  • CPU: 6 cores minimum; 16 cores recommended
  • RAM: 8GB minimum; 16GB or more recommended
  • Disk: 200GB (SSD recommended); disk space requirements are very dependent on the volume of Enterprise Reporter and Active Roles data being processed, because the index size varies proportionally; the indexes for Change Auditor, Recovery Manager for AD and InTrust data do not consume any disk space on the IT Security Search computer, because they are located in the data stores used by these systems
  • If you deploy on a virtual machine, make sure the CPU and memory requirements above are met, and do not overload the virtual machine host

To find out the disk requirements for IT Security Search installation, consider the sections below. They describe how much disk space is used for indexing data provided by specific connectors.

Disk Space for Legacy Enterprise Reporter Data

These numbers are for a sample environment with 10000 of each type of Enterprise Reporter object. Scale the values according to your own circumstances.

Object type Size of an index entry Number of objects Size of the index
Computers 1KB 10000 10MB
Files 0.2KB 10000 2MB
Groups 2.5KB 10000 25MB
Shares 1KB 10000 10MB
Users 2KB 10000 20MB
Total   50000 67MB

Disk Space for Enterprise Reporter Data in Warehouse

These are the average index entry sizes for each type of Enterprise Reporter object. Use them in calculating the required disk space for your particular on-premises or hybrid environment.

Note that there are generally multiple index entries per object, depending on how often objects are changed.

Object type

Average size

of an index entry,

in kilobytes

AD Permissions

2.1

AD Contacts

3.3

Computers

1.6

Groups

1.5

Files

1.5

OUs

2.3

Shares

2.1

Users

1.6

Azure Applications

1.6

Azure Contacts

1.6

Azure Devices

5

Azure Groups

1.4

Azure Network Security Groups

2.2

Azure Resource Groups

1.5

Azure Resource Subscriptions

5

Azure Resources

1.6

Azure Roles

1.4

Azure Service Principals

1.5

Azure Tenants

2.8

Azure Users

3.4

Azure Virtual Machines

2.5

Disk Space for Active Roles Event Data

An index entry for a single Active Roles event in IT Security Search Warehouse takes 0.5KB on average. Estimate the event rate in your environment to calculate the required disk space.

Disk Space for InTrust and Change Auditor Data

To display InTrust and Change Auditor events, IT Security Search uses the built-in indexes in InTrust and Change Auditor data stores, so no additional disk space is required.

 

Where to Install

It is recommended that you install IT Security Search in the same domain as the servers of your data-providing systems: InTrust, Enterprise Reporter, Change Auditor, Recovery Manager for Active Directory and Active Roles. Do not install IT Security Search on any of those systems' servers.

Product licensing

This product does not require licensing.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating