Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers security content developed February 2025 - April 2025. Jump straight to the updates below, or read on to learn more about:
See the latest Splunk Security Content >
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
Take advantage of security content in two ways:
Both apps allow you to deploy the over 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also view the full security content repository by visiting research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of the security content developed from February 2025 - April 2025.
The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:
Additionally, the team released Remote Monitoring and Management Software to help users analyze unauthorized remote monitoring & management (RMM) tool usage, including detection of 3rd-party software installations like AnyDesk and TeamViewer through phishing/drive-by compromises.
The team released new analytic stories and detections to enhance coverage for Apache Tomcat Session Deserialization Attacks and Windows shortcut exploit abuse (ZDI-CAN-25373), as well as expanded ransomware mappings to track emerging threats like Medusa and Salt Typhoon.
The STRT published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.
A new analytic story focusing on GitHub Malicious Activity helps detect potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.
The team introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.
To add addresses the risks associated with S3 bucket misconfigurations and potential hijacking of decommissioned buckets, this story includes baselines and detections that track public S3 buckets before deletion, monitor access attempts to these bucket names, and identify potential hijacking activities, leveraging AWS CloudTrail logs, DNS queries, and web proxy data to ensure robust monitoring and security.
A new analytic story, which includes new detections focused on identifying tampering activities with Cisco Secure Endpoint services cover techniques such as inhibiting system recovery and disabling or modifying security tools, enhancing our ability to detect and respond to potential security threats.
The team also published the following blogs:
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Spunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.