Splunk Threat Research Team's Blog Posts

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Read more Splunk Security Content.

Simulating, Detecting, and Responding to Log4Shell with Splunk
Security
13 Minute Read

Simulating, Detecting, and Responding to Log4Shell with Splunk

Splunk Threat Research Team simulated the Log4j vulnerabilities in the Splunk Attack Range. Using the data collected, we developed 13 new detections and 9 playbooks to help Splunk SOAR customers investigate and respond to this threat.
Active Directory Lateral Movement Detection: Threat Research Release, November 2021
Security
12 Minute Read

Active Directory Lateral Movement Detection: Threat Research Release, November 2021

The Splunk Threat Research Team recently updated the Active Directory Lateral Movement analytic story to help security operations center (SOC) analysts detect adversaries executing these techniques within Windows Active Directory (AD) environments.
Securing DevSecOps - Threat Research Release October 2021
Security
5 Minute Read

Securing DevSecOps - Threat Research Release October 2021

Learn how you can secure your development security operations with pre-built and tested Splunk detections and automated playbooks.
Detecting Remcos Tool Used by FIN7 with Splunk
Security
7 Minute Read

Detecting Remcos Tool Used by FIN7 with Splunk

The following is a walkthrough of Remcos executed via Attack Range Local. We will go over some of the multiple and intrusive operations this remote access tool can execute at compromised hosts.
FIN7 Tools Resurface in the Field – Splinter or Copycat?
Security
8 Minute Read

FIN7 Tools Resurface in the Field – Splinter or Copycat?

The Splunk Threat Research team addresses the two tools used by the well-organized and highly-skilled criminal group FIN7 — JSS Loader and Remcos.
Detecting IcedID... Could It Be A Trickbot Copycat?
Security
12 Minute Read

Detecting IcedID... Could It Be A Trickbot Copycat?

IcedID is a trojan that has been used in recent malicious campaigns and with new defense bypass methods.