What's new
ESCU version 5.21.0 was released on February 6, 2026.
Key highlights
- New finding-based detections: In Splunk Enterprise Security 8.4 and higher, ESCU introduces finding-based detections, a new analytic type that automatically groups and correlates high volumes of related findings and intermediate findings at the entity level. This reduces alert noise and helps analysts quickly focus on the users or hosts most likely to represent real threats.
- GNU Telnetd CVE-2026-24061 authentication bypass: Introduced a new analytic story covering CVE-2026-24061, a critical authentication bypass vulnerability in GNU InetUtils telnetd that allows unauthenticated attackers to establish a Telnet session as root. This flaw abuses an unsanitized, attacker-controlled user environment variable that is passed to the login process, enabling direct privilege escalation without valid credentials. Added a new detection called Linux Telnet Authentication Bypass to identify exploitation attempts targeting legacy Unix/Linux systems, embedded devices, network appliances, and operational technology environments where Telnet remains in use.
- Windows Chromium browser hijacking enhancements: Expanded browser hijacking coverage with new endpoint detections targeting suspicious Chromium-based browser execution patterns on Windows. Added analytics to identify browsers launched with abnormally small window sizes, disabled popup blocking, disabled logging, suppressed extensions, and headless execution — behaviors commonly associated with ad fraud, credential harvesting, session hijacking, and stealthy user interaction abuse. These detections improve visibility into malicious browser manipulation used by infostealers, loaders, and post-exploitation frameworks.
- Expanded threat actor and malware coverage (VoidLink, Storm-0501, StealC): Tagged a broad set of existing analytics and improved detection coverage for several high-impact threats. Added comprehensive coverage for VoidLink, a cloud-native Linux malware framework leveraging a modular C2 architecture, rootkit functionality, and advanced evasion techniques to target containerized and cloud environments. Additionally, enhanced analytic stories and tagging for Storm-0501 ransomware activity and the StealC stealer, improving visibility into ransomware execution chains, credential theft, downloader behavior, and post-compromise persistence across Windows and Linux environments.
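To make the Chromium browser hijacking highlight concrete, the following is an added illustrative example (not ESCU's own search logic, and not Splunk code) that applies the same indicators to process-creation events in Python. It assumes Sysmon-style field names (Computer, User, Image, CommandLine), picks 100 pixels as the cut-off for an "abnormally small" window, and uses a short list of Chromium-based browser binaries; the sample events are constructed, and the Chromium switches themselves (--headless, --disable-popup-blocking, --disable-logging, --disable-extensions, --window-size) are real command-line options.

```python
import re
import shlex
from dataclasses import dataclass, field

# Real Chromium command-line switches, mapped to the behaviour they indicate.
# The labels are ours; ESCU's own field names and search logic are not reproduced here.
SUSPICIOUS_SWITCHES = {
    "--headless": "headless execution",
    "--disable-popup-blocking": "popup blocking disabled",
    "--disable-logging": "logging disabled",
    "--disable-extensions": "extensions suppressed",
}
WINDOW_SIZE = re.compile(r"^--window-size=(\d+)\s*,\s*(\d+)$", re.IGNORECASE)
MIN_WINDOW_PX = 100  # assumption for this example: smaller than this is "abnormally small"
CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}  # assumed list


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reasons: list[str] = field(default_factory=list)


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line; posix=False keeps backslashes literal."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return cmdline.split()


def indicators(cmdline: str) -> list[str]:
    """Return the hijacking indicators present in one process command line."""
    reasons: list[str] = []
    for arg in _tokens(cmdline)[1:]:
        switch = arg.split("=", 1)[0].lower()       # "--headless=new" -> "--headless"
        if switch in SUSPICIOUS_SWITCHES:
            reasons.append(SUSPICIOUS_SWITCHES[switch])
        m = WINDOW_SIZE.match(arg)
        if m and (int(m.group(1)) < MIN_WINDOW_PX or int(m.group(2)) < MIN_WINDOW_PX):
            reasons.append(f"abnormally small window {m.group(1)}x{m.group(2)}")
    return reasons


def detect(events: list[dict]) -> list[Finding]:
    """Apply the indicator check to Chromium-based browser launches only."""
    findings = []
    for ev in events:
        image = ev["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in CHROMIUM_BINARIES:
            continue
        reasons = indicators(ev["CommandLine"])
        if reasons:
            findings.append(Finding(ev["Computer"], ev["User"], ev["Image"], reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                    r'--disable-extensions --disable-logging --window-size=1,1 https://example.test/'},
    {"Computer": "WS03", "User": "CORP\\carol",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--disable-popup-blocking --app=https://example.test/login'},
    {"Computer": "WS04", "User": "CORP\\dave",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --headless"},   # not a browser: ignored
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {', '.join(f.reasons)}")
```

Each indicator is reported separately so an analyst can see which combination fired; a single switch such as --disable-extensions is common in legitimate kiosk or automation setups, while headless plus a 1x1 window plus suppressed logging on a user workstation is far less so. In production the filtering on binary name and any tuning of the window threshold would live in the detection's filter macro.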
New analytic stories
New analytics
- Windows TOR Client Execution (External Contributor - @vignesh-user)
- Finding Group - Entity Exceeded Threshold with Multiple Findings
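The finding-based detections described under the key highlights, and the new Finding Group - Entity Exceeded Threshold with Multiple Findings analytic, both work at the entity level. The block below is an added illustrative example in Python of that grouping idea; it is not Splunk's or ESCU's implementation and the thresholds are assumptions: a 24-hour sliding window, a combined risk score of at least 100, and findings from at least 3 distinct detections before an entity is surfaced. The sample findings are constructed, reusing detection names from this page as search names with made-up risk scores.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    time: datetime
    entity: str       # the user or host the finding is about
    search_name: str  # the detection that produced it
    risk_score: int


def group_findings(findings, window=timedelta(hours=24), min_score=100, min_distinct=3):
    """Return {entity: summary} for every entity whose findings inside one sliding
    window reach min_score AND come from at least min_distinct different detections.
    The thresholds are assumptions for this example, not ESCU defaults."""
    by_entity = defaultdict(list)
    for f in findings:
        by_entity[f.entity].append(f)

    groups = {}
    for entity, items in by_entity.items():
        items.sort(key=lambda f: f.time)
        start, best = 0, None
        for end in range(len(items)):
            # slide the window start forward until the span fits inside `window`
            while items[end].time - items[start].time > window:
                start += 1
            span = items[start:end + 1]
            score = sum(f.risk_score for f in span)
            names = {f.search_name for f in span}
            if score >= min_score and len(names) >= min_distinct:
                if best is None or score > best["score"]:
                    best = {"score": score, "detections": sorted(names),
                            "count": len(span), "first": span[0].time, "last": span[-1].time}
        if best:
            groups[entity] = best
    return groups


# Constructed sample findings (detection names from this page, risk scores invented).
T0 = datetime(2026, 2, 6, 8, 0)
FINDINGS = [
    # alice: three different detections within a few hours -> grouped
    Finding(T0, "alice", "O365 New MFA Method Registered", 40),
    Finding(T0 + timedelta(hours=2), "alice", "Windows TOR Client Execution", 50),
    Finding(T0 + timedelta(hours=5), "alice",
            "Set Default PowerShell Execution Policy To Unrestricted or Bypass", 30),
    # ws07: the same detection firing ten times in an hour -> high score, one detection
    *[Finding(T0 + timedelta(minutes=5 * k), "ws07",
              "Services LOLBAS Execution Process Spawn", 25) for k in range(10)],
    # bob: enough score but only two distinct detections
    Finding(T0, "bob", "Windows Abused Web Services", 60),
    Finding(T0 + timedelta(hours=1), "bob", "Windows TOR Client Execution", 60),
    # carol: three distinct detections, but spread over three days
    Finding(T0, "carol", "O365 New MFA Method Registered", 40),
    Finding(T0 + timedelta(days=1, hours=1), "carol", "Windows Abused Web Services", 40),
    Finding(T0 + timedelta(days=2, hours=2), "carol", "Windows TOR Client Execution", 40),
]

if __name__ == "__main__":
    for entity, g in group_findings(FINDINGS).items():
        print(f"{entity}: score={g['score']} from {g['count']} findings, "
              f"detections={g['detections']}")
```

The point of the distinct-detection requirement is visible in the sample: ws07 accumulates more raw score than any user, but it is ten copies of one noisy analytic, so it is not surfaced, whereas alice's lower total spans three independent behaviours and is. Dropping min_distinct to 1 turns the grouping back into a plain score threshold.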
Updated analytics
- O365 New MFA Method Registered (External Contributor - @JTweet)
- Set Default PowerShell Execution Policy To Unrestricted or Bypass (External Contributor - @AndreiBanaru)
- Windows Abused Web Services (External Contributor - @aaaAlexanderaaa)
- Services LOLBAS Execution Process Spawn (External Contributor - @DipsyTipsy)
Other updates
- Updated several analytics and significantly improved performance and efficiency across multiple detections by optimizing search logic (e.g., subsearches, targeted where clauses, and a reduced search space), resulting in substantial runtime reductions and clearer user guidance where applicable. See the pull requests for specific details (#1 and #2).
- Updated analytics to have standardized known false positive sections and filter macros at the end of all searches.
- A number of customers reported that Removed Searches may still be scheduled to run and that their execution would fail silently; these searches could not be disabled because they failed to render in the saved searches user interface. This release includes a fix to savedsearches.conf that ensures removed content still appears in the saved searches user interface if it had previously been scheduled or modified, so that these searches can be disabled.
Breaking changes
Removed the notable alert actions. Affected detections (for example, Process Creating LNK file in Suspicious Location) no longer create notables or findings, but they continue to create risk events, which appear as intermediate findings.