🚀 Key Highlights
- 🔍 New Finding-Based Detections (ES 8.4+): Starting with Splunk Enterprise Security 8.4 and above, ESCU introduces Finding-Based Detections, a new analytic type that automatically groups and correlates high volumes of related findings and intermediate findings at the entity level. This reduces alert noise and helps analysts quickly focus on the users or hosts most likely to represent real threats.
- 🛡️ GNU Telnetd CVE-2026-24061 Authentication Bypass: Introduced a new analytic story covering CVE-2026-24061, a critical authentication bypass vulnerability in GNU InetUtils telnetd that allows unauthenticated attackers to establish a Telnet session as root. The flaw stems from an unsanitized, attacker-controlled USER environment variable that telnetd passes to the login process, enabling direct privilege escalation without valid credentials. Added a new detection, Linux Telnet Authentication Bypass, to identify exploitation attempts targeting legacy Unix/Linux systems, embedded devices, network appliances, and operational technology environments where Telnet remains in use.
- 🌐 Windows Chromium Browser Hijacking Enhancements: Expanded browser hijacking coverage with new endpoint detections targeting suspicious Chromium-based browser execution patterns on Windows. Added analytics that identify browsers launched with abnormally small window sizes, disabled popup blocking, disabled logging, suppressed extensions, and headless execution: behaviors commonly associated with ad fraud, credential harvesting, session hijacking, and stealthy user-interaction abuse. These detections improve visibility into malicious browser manipulation used by infostealers, loaders, and post-exploitation frameworks.
- 🎯 Expanded Threat Actor and Malware Coverage (VoidLink, Storm-0501, StealC): Tagged a broad set of existing analytics and improved detection coverage for several high-impact threats. Added comprehensive coverage for VoidLink, a cloud-native Linux malware framework that leverages a modular C2 architecture, rootkit functionality, and advanced evasion techniques to target containerized and cloud environments. Additionally, enhanced analytic stories and tagging for Storm-0501 ransomware activity and the StealC stealer, improving visibility into ransomware execution chains, credential theft, downloader behavior, and post-compromise persistence across Windows and Linux environments.
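The Telnet authentication bypass highlight above describes the root cause as an unsanitized USER environment variable that telnetd hands to login. The following is an added example of the kind of host-level check a defender could run over endpoint process-creation events; it is not ESCU's Linux Telnet Authentication Bypass search and does not reproduce any exploit input. It assumes a sensor that records each new process's parent image and environment (the event shape, the `telnetd`/`in.telnetd` parent names, the POSIX-style username pattern and all sample values are assumptions constructed for this example).

```python
"""Hypothetical detection: login processes spawned by telnetd whose USER environment
variable does not look like a username.  Added example, not ESCU's own search logic.
Assumes an endpoint sensor that records parent image and environment per process."""
import re
from typing import Dict, List

# Parent images that indicate a Telnet-originated login (assumption).
TELNETD_NAMES = {"telnetd", "in.telnetd"}

# Conservative POSIX-style username shape (assumption): anything else passed via USER is
# anomalous.  Case-insensitive so hosts that allow mixed-case names are not flagged.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\$?", re.IGNORECASE)

# Constructed sample events (sample data for this example, not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ot-gw-01", "parent": "/usr/sbin/in.telnetd", "process": "/bin/login",
     "env": {"USER": "alice", "TERM": "xterm"}},
    {"host": "ot-gw-01", "parent": "/usr/sbin/in.telnetd", "process": "/bin/login",
     "env": {"USER": "a b c", "TERM": "xterm"}},       # constructed anomalous USER value
    {"host": "ot-gw-01", "parent": "/usr/sbin/in.telnetd", "process": "/bin/login",
     "env": {"TERM": "vt100"}},                         # no USER forwarded at all
    {"host": "ws-44", "parent": "/usr/sbin/sshd", "process": "/bin/login",
     "env": {"USER": "a b c"}},                         # not a Telnet lineage: out of scope
]


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def classify_login(event: Dict) -> List[str]:
    """Return indicator names for one process-creation event (empty list = nothing to report)."""
    if _basename(event["parent"]) not in TELNETD_NAMES or _basename(event["process"]) != "login":
        return []
    # Any Telnet-originated login is worth visibility on hosts where Telnet is not expected.
    indicators = ["telnet_login"]
    user = event.get("env", {}).get("USER")
    if user is not None and not USERNAME_RE.fullmatch(user):
        indicators.append("anomalous_user_env")
    return indicators


def telnet_findings(events: List[Dict], require_anomaly: bool = True) -> List[Dict]:
    """Collect findings; with require_anomaly=False every Telnet login is reported."""
    out = []
    for ev in events:
        ind = classify_login(ev)
        if not ind:
            continue
        if require_anomaly and "anomalous_user_env" not in ind:
            continue
        out.append({"host": ev["host"], "indicators": ind,
                    "user_env": ev.get("env", {}).get("USER")})
    return out


if __name__ == "__main__":
    for f in telnet_findings(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['indicators'])} (USER={f['user_env']!r})")
```

Running the module reports only the second constructed event. Setting `require_anomaly=False` turns the check into an inventory of every Telnet-originated login, which is the more useful mode on fleets where Telnet should already be gone.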
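The Chromium highlight above lists five launch behaviors (tiny window, popup blocking off, logging off, extensions suppressed, headless). As an added example that is not ESCU's own analytics, the block below parses Windows process-creation command lines for the Chromium switches that produce those behaviors and scores each launch. The switch names (`--headless`, `--window-size`, `--disable-popup-blocking`, `--disable-logging`, `--disable-extensions`) are real Chromium command-line switches; the set of browser image names, the 50-pixel window threshold, the event layout and the sample events are assumptions constructed for this example.

```python
"""Hypothetical detection logic for suspicious Chromium-based browser launches on Windows.
Added example, not ESCU's search logic.  Switch names are real Chromium switches; the
image-name set, window threshold and event shape are assumptions for this example."""
import re
from typing import Dict, List

# Chromium-based browser binaries the check applies to (assumption).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}

# A window whose smaller dimension is at most this many pixels is effectively invisible (assumption).
SMALL_WINDOW_MAX_DIM = 50

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "corp\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"host": "WS02", "user": "corp\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\msedge.exe",
     "cmdline": "msedge.exe --headless --disable-logging --disable-extensions --window-size=1,1 https://example.invalid/"},
    {"host": "WS03", "user": "corp\\carol",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" --disable-popup-blocking --window-size=1280,800'},
    {"host": "WS04", "user": "corp\\dave",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe --headless"},          # not a browser: must be ignored
]

# Quoted paths with spaces stay one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_switches(cmdline: str) -> Dict[str, str]:
    """Return Chromium-style '--name[=value]' switches found in a command line."""
    switches: Dict[str, str] = {}
    for tok in TOKEN_RE.findall(cmdline):
        tok = tok.strip('"')
        if not tok.startswith("--"):
            continue
        name, _, value = tok[2:].partition("=")
        switches[name.lower()] = value
    return switches


def browser_indicators(event: Dict[str, str]) -> List[str]:
    """Indicators for one process-creation event; empty when the image is not a Chromium browser."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_IMAGES:
        return []
    sw = parse_switches(event["cmdline"])
    found: List[str] = []
    if "headless" in sw:                       # covers both --headless and --headless=new
        found.append("headless")
    if "disable-popup-blocking" in sw:
        found.append("popup_blocking_disabled")
    if "disable-logging" in sw:
        found.append("logging_disabled")
    if "disable-extensions" in sw:
        found.append("extensions_suppressed")
    size = sw.get("window-size")
    if size:
        m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*", size)
        if m and min(int(m.group(1)), int(m.group(2))) <= SMALL_WINDOW_MAX_DIM:
            found.append("tiny_window")
    return found


def suspicious_browser_launches(events: List[Dict[str, str]], min_indicators: int = 1) -> List[Dict]:
    """Return launches with at least min_indicators suspicious switches, keyed by host and user."""
    hits = []
    for ev in events:
        ind = browser_indicators(ev)
        if len(ind) >= min_indicators:
            hits.append({"host": ev["host"], "user": ev["user"], "indicators": ind})
    return hits


if __name__ == "__main__":
    for h in suspicious_browser_launches(SAMPLE_EVENTS):
        print(f"{h['host']} {h['user']}: {', '.join(h['indicators'])}")
```

Raising `min_indicators` to 2 keeps WS02 (headless, logging and extensions disabled, 1x1 window) and drops WS03, whose single disabled popup blocker is a common developer or kiosk setting; tuning that threshold per environment is the practical way to manage the false positives the page's own "known false positive" sections describe.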
Total New and Updated Content: [419]
New Analytic Story - [4]
Updated Analytic Story - [6]
- Apache Struts Vulnerability
- Brand Monitoring
- Critical Alerts
- JBoss Vulnerability
- Malicious PowerShell
- Scattered Spider
Updated Analytics - [6]
- O365 New MFA Method Registered (External Contributor - @JTweet)
- Set Default PowerShell Execution Policy To Unrestricted or Bypass (External Contributor - @AndreiBanaru)
- Windows Abused Web Services (External Contributor - @aaaAlexanderaaa)
- Services LOLBAS Execution Process Spawn (External Contributor - @DipsyTipsy)
Breaking Changes
- Removed the notable alert action from the analytic below: it will no longer create notables/findings, but it will continue to create risk events (intermediate findings)
  a. Process Creating LNK file in Suspicious Location
Other Updates
- Updated several analytics and significantly improved performance and efficiency across multiple detections by optimizing search logic (e.g., replacing subsearches, adding targeted where clauses, and reducing the search space), resulting in substantial runtime reductions and clearer user guidance where applicable. See the pull requests (#1 and #2) for specific details.
- Updated analytics to have standardized known false positive sections and filter macros at the end of all searches
- We received reports from a number of customers that Removed Searches might still be scheduled to run and that their execution would fail silently. These searches could not be disabled because they failed to render in the Saved Searches UI. This release includes a fix to savedsearches.conf that ensures Removed Content still appears in the Saved Searches UI if it had previously been scheduled or modified, so that these searches can be disabled.