Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers security content developed May 2025 - July 2025. Jump straight to the updates below, or read on to learn more about:
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
Take advantage of security content in two ways:
Both apps allow you to deploy the over 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also view the full security content repository by visiting research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of the security content developed from May 2025 - July 2025.
The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:
Cisco Secure Firewall - Remote Access Software Usage Traffic detects network traffic associated with known remote access software applications that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Cisco Secure Firewall Threat Defense Connection Events. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security. The team also released the blog Cisco Secure Firewall Threat Defense Detections for Splunk.
The team released new analytic stories and detections to enhance coverage for Microsoft SharePoint Vulnerabilities. Microsoft SharePoint is a widely deployed collaboration platform in enterprise environments, which makes it an attractive target for threat actors, and recent vulnerabilities have enabled attackers to compromise SharePoint servers through various attack vectors. The analytic story addresses critical vulnerabilities in Microsoft SharePoint that allow attackers to gain unauthorized access, execute code remotely, and elevate privileges. It includes detections for known exploit patterns and post-exploitation activities to help organizations identify and respond to SharePoint-targeted attacks. The team also published further research in the blog Beyond the Patch: SharePoint Exploits and the Hidden Threat of IIS Module Persistence.
Attackers are actively targeting SAP NetWeaver environments through newly disclosed vulnerabilities like CVE-2025-31324, affecting the Visual Composer service. Successful exploitation can lead to remote code execution (RCE) and the deployment of webshells, giving adversaries persistent access to SAP systems. This analytic story provides detections for reconnaissance patterns (e.g., HEAD requests receiving HTTP 200 responses) and potential exploitation behavior (e.g., POST requests leading to successful uploads), empowering defenders to quickly identify compromise attempts and mitigate them before escalation.
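To make the two signals described above concrete, here is an added example (not Splunk's own detection logic, and not code from the Splunk Threat Research Team) that models them in Python over a handful of constructed web-server access log lines. It flags HEAD probes to a monitored path that were answered with HTTP 200 as reconnaissance, flags accepted POST requests to that path as potential uploads, and escalates a source that does both within a short window. The monitored path `MONITORED_PATH_PREFIX` is a placeholder assumption, not a value from the post; substitute whatever path your SAP NetWeaver front end actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for the Visual Composer endpoint path. The real value depends on
# your SAP NetWeaver deployment; this is an assumption, not taken from the post.
MONITORED_PATH_PREFIX = "/visualcomposer-endpoint-placeholder/"

# Common log format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample traffic (documentation IP ranges, not real events).
SAMPLE_LOGS = [
    '203.0.113.10 - - [12/Jun/2025:10:01:02 +0000] "HEAD /visualcomposer-endpoint-placeholder/upload HTTP/1.1" 200 0',
    '203.0.113.10 - - [12/Jun/2025:10:01:09 +0000] "POST /visualcomposer-endpoint-placeholder/upload HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2025:10:02:00 +0000] "HEAD /visualcomposer-endpoint-placeholder/upload HTTP/1.1" 404 0',
    '198.51.100.8 - - [12/Jun/2025:10:03:30 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '198.51.100.9 - - [12/Jun/2025:10:04:10 +0000] "HEAD /visualcomposer-endpoint-placeholder/upload HTTP/1.1" 200 0',
    '192.0.2.55 - - [12/Jun/2025:10:05:00 +0000] "POST /visualcomposer-endpoint-placeholder/upload HTTP/1.1" 200 1024',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def is_recon(ev):
    """HEAD probe to the monitored path answered 200: the endpoint is present and reachable."""
    return (ev["method"] == "HEAD"
            and ev["path"].startswith(MONITORED_PATH_PREFIX)
            and ev["status"] == 200)


def is_upload(ev):
    """POST to the monitored path that the server accepted: a potential file upload."""
    return (ev["method"] == "POST"
            and ev["path"].startswith(MONITORED_PATH_PREFIX)
            and ev["status"] in (200, 201))


def detect(lines, window_seconds=600):
    """Correlate recon and upload signals per source and return one finding per source."""
    per_src = defaultdict(lambda: {"recon": [], "upload": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_recon(ev):
            per_src[ev["src"]]["recon"].append(ev["ts"])
        elif is_upload(ev):
            per_src[ev["src"]]["upload"].append(ev["ts"])

    findings = []
    for src, hits in sorted(per_src.items()):
        # Recon followed by an accepted upload within the window is the strongest signal.
        correlated = any(
            0 <= (up - rc).total_seconds() <= window_seconds
            for rc in hits["recon"] for up in hits["upload"]
        )
        if correlated:
            findings.append({"src": src, "kind": "recon_then_upload", "severity": "high"})
        elif hits["upload"]:
            findings.append({"src": src, "kind": "upload_without_recon", "severity": "medium"})
        elif hits["recon"]:
            findings.append({"src": src, "kind": "reconnaissance_only", "severity": "low"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

Sources that probe with HEAD but get a 404, or that browse unrelated paths, produce no finding; a lone accepted POST is still surfaced at medium severity because an attacker may skip the probe entirely. In a Splunk deployment the same logic maps to filtering web events by method, URL and status, then grouping by source over a time window.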
The team also published the following blogs:
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.