What's new
ESCU version 5.23.0 was released on March 4, 2026.
Key highlights
This release expands visibility into SD-WAN control-plane activity, enabling security teams to detect unauthorized peers, anomalous control connections, and topology drift earlier. By baselining peer relationships and highlighting rare or unexpected control-plane combinations, defenders can more quickly surface misconfigurations, rogue devices, and potential exploitation attempts targeting SD-WAN infrastructure. The result is improved oversight of network edge components, reduced time to validate suspicious peering events, and stronger assurance that control-plane trust relationships have not been silently altered.
On the endpoint side, new process-level detection strengthens coverage for obfuscated payload retrieval, helping SOC teams identify evasive download behavior before secondary tooling is deployed. Threshold-based logic and tunable parameters across analytics support environment-specific noise reduction while preserving high-signal findings. Additional detection refinements and YAML validation improvements enhance rule accuracy, consistency, and maintainability—reducing operational friction, improving signal quality, and supporting faster investigations across both network and endpoint layers.
New analytic story
New analytics
Other updates
- Added end-to-end YAML formatting/validation (yamlfmt + yamllint) via a new pre-commit hook and a CI "YAML Validation" job (validate_yaml.py), updated the docs, and auto-formatted all detections/analytics (including an initial SPL beautification using |- block scalars for readability).
- Updated multiple detections to better cover calc-related binaries by adding CalculatorApp.exe/win32calc.exe entries, fixed a LOLBAS network-traffic filter bug (All_Traffic.dest_ip), and enhanced the calc DLL side-loading rule metadata (including an explicit WindowsCodecs.dll entry) to address issue #3916.
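As an added illustration of the kind of style check a YAML validation job can enforce on detection content (this is a sketch written for these notes, not the project's validate_yaml.py, and the before/after detection text is constructed), the snippet below flags SPL written as a single-line scalar instead of the |- block style the first item above describes:

```python
"""Hypothetical lint for ESCU-style detection YAML (not the project's own validate_yaml.py)."""
import re

# Constructed sample: the same search before beautification (one long quoted scalar)
# and after it (a |- block scalar with one SPL clause per line).
BEFORE = """name: Example Calc Network Traffic
search: '| tstats count from datamodel=Network_Traffic where All_Traffic.dest_ip=* by All_Traffic.dest_ip'
"""
AFTER = """name: Example Calc Network Traffic
search: |-
  | tstats count from datamodel=Network_Traffic
    where All_Traffic.dest_ip=*
    by All_Traffic.dest_ip
"""


def lint_detection(text: str, max_len: int = 120) -> list[str]:
    """Return style problems found in one detection file; an empty list means it passes."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if "\t" in line:
            problems.append(f"line {n}: tab character (use spaces)")
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
        if len(line) > max_len:
            problems.append(f"line {n}: exceeds {max_len} characters")
    # The search must be a |- block scalar so reviewers can diff SPL clause by clause.
    m = re.search(r"^search:(.*)$", text, re.M)
    if not m:
        problems.append("missing 'search' key")
    elif m.group(1).strip() != "|-":
        problems.append("'search' should be a |- block scalar, one SPL clause per line")
    if not text.endswith("\n"):
        problems.append("file should end with a newline")
    return problems


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_detection(doc) or "OK")
```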