Splunk Security Content for Threat Detection & Response: December Recap
style
two-column
In December, the Splunk Threat Research Team had 1 release of new security contentvia the Enterprise Security Content Update (ESCU) app (v5.19). With this release, there are 6 new analytic stories and 31 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
This release advances the Splunk + Cisco Better Together strategy with the largest expansion of Cisco ASA security analytics to date, exposing configuration tampering, logging suppression, packet capture abuse, identity manipulation, and reconnaissance activity on firewall infrastructure. Together, these updates help customers detect high-impact threats earlier, reduce blind spots across modern enterprise environments, and strengthen SOC effectiveness through unified, high-confidence detections. In addition, this release also adds the following coverage:
- React2Shell (CVE-2025-55182): Introduced a new analytic story, React2Shell, addressing the critical pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components. This vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js 15.x and 16.x versions using the App Router. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing attackers to execute arbitrary JavaScript code on the server without authentication.
- Tuoni C2 Framework: Introduced a new analytic story addressing threats from the Tuoni command-and-control framework, a sophisticated cross-platform red teaming tool increasingly adopted by threat actors for real-world attacks. Tuoni enables adversaries to deploy malicious payloads directly into system memory, bypassing traditional disk-based detection mechanisms. Its modular design supports multiple attack variations and allows operators to maintain persistence and execute commands across Windows, Linux, and macOS environments without leaving significant forensic artifacts.
- Kerberos Coercion with DNS (CVE-2025-33073): A new analytic story addressing CVE-2025-33073. These analytics identify coercion attempts where attackers leverage DNS records to trigger Kerberos authentication from remote hosts, a technique that can lead to credential relay or domain privilege escalation.
- NPM Supply Chain Compromise (Shai-Hulud Campaigns):Expanded detection coverage for npm ecosystem supply chain compromises, addressing both the Shai-Hulud 2.0 worm campaign and recurring lifecycle hook abuse patterns. This update adds analytics to detect malicious npm package installations that execute arbitrary scripts through preinstall, install, postinstall, or prepare hooks; a long-standing risk vector exploited in major incidents from event-stream (2018) to ua-parser-js (2021) and Shai-Hulud (2025).
- NetSupport RMM Tool Abuse:Strengthened detection coverage for malicious use of the NetSupport Manager RMM tool, which adversaries frequently deploy for covert remote access under the guise of legitimate remote-support activity. New analytics identify NetSupport’s presence through loaded module patterns, executable masquerading, and registry manipulation, including detections for Windows Deletion of Most Recent Used Command via Registry, Executable Masquerading as Benign File Types, and NetSupport RMM Loaded Modules.
- Suspicious Local LLM Frameworks:Added new analytics to address the rise of Shadow AI, unauthorized deployment of local Large Language Model (LLM) frameworks such as Ollama, LM Studio, GPT4All, Jan, llama.cpp, and KoboldCPP inside enterprise environments. These tools allow users to run powerful models locally, creating blind spots for data exfiltration, policy violations, and unmonitored processing of sensitive information.
For all our tools and security content, please visit research.splunk.com.
Related Articles
displayMode
carousel
category
Security
Security1 minute readSplunk Security Content for Threat Detection & Response: December Recap
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security Content Update (ESCU) app.
Security12 Minute ReadPredicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends
By analyzing new domain registrations around major real-world events, researchers show how fraud campaigns take shape early, helping defenders spot threats before scams surface.
Security4 Minute ReadWhen Your Fraud Detection Tool Doubles as a Wellness Check: The Unexpected Intersection of Security and HR
Behavioral analytics can spot fraud and burnout. With UEBA built into Splunk ES Premier, one data set helps security and HR reduce risk, retain talent, faster.
Security1 Minute ReadSplunk Security Content for Threat Detection & Response: November Recap
Discover Splunk's November security content updates, featuring enhanced Castle RAT threat detection, UAC bypass analytics, and deeper insights for validating detections on research.splunk.com.
Security2 Minute ReadSecurity Staff Picks To Read This Month, Handpicked by Splunk Experts
Our Splunk security experts share their favorite reads of the month so you can follow the most interesting, news-worthy, and innovative stories coming from the wide world of cybersecurity.
Security10 Minute ReadBehind the Walls: Techniques and Tactics in Castle RAT Client Malware
Uncover CastleRAT malware's techniques (TTPs) and learn how to build Splunk detections using MITRE ATT&CK. Protect your network from this advanced RAT.
Security12 Minute ReadAI for Humans: A Beginner’s Field Guide
Unlock AI with the our beginner's field guide. Demystify LLMs, Generative AI, and Agentic AI, exploring their evolution and critical cybersecurity applications.
Security5 Minute ReadSplunk Security Content for Threat Detection & Response: November 2025 Update
Learn about the latest security content from Splunk.
Security3 Minute ReadOperation Defend the North: What High-Pressure Cyber Exercises Teach Us About Resilience and How OneCisco Elevates It
The OneCisco approach is not about any single platform or toolset; it's about fusing visibility, analytics, and automation into a shared source of operational truth so that teams can act decisively, even in the fog of crisis.
Security5 Minute ReadData Fit for a Sovereign: How to Consider Sovereignty in Your Digital Resilience Strategy
Explore how digital sovereignty shapes resilient strategies for European organisations. Learn how to balance control, compliance, and agility in your data infrastructure with Cisco and Splunk’s flexible, secure solutions for the AI era.
Security3 Minute ReadCrossed Swords 2025: Lessons From the Frontlines of Cyber Defense with Splunk Enterprise Security
Splunk participated in the NATO Cooperative Cyber Defense Center of Excellence cyberwarfare exercise 'Crossed Swords' by providing tooling and personnel.
Security10 Minute ReadNotDoor Insights: A Closer Look at Outlook Macros and More
The Splunk Threat Research Team breaks down the NotDoor Outlook-macro backdoor linked to APT28 and shows how to detect these stealthy techniques to strengthen security coverage.
Security10 Minute ReadHide Me Again: The Updated Multi-Payload .NET Steganography Loader That Includes Lokibot
An analysis on the updated .NET steganography loader delivering Lokibot malware, including evasion techniques, MITRE ATT&CK TTPs, and Splunk detections to enhance threat identification.
Security4 Minute ReadStrengthen Your Security Operations in the Era of Agentic AI
Strengthen your security operations in the era of agentic AI at EMEA Digital Resilience Week. Learn how Splunk and Cisco unify visibility, automate response, and secure AI workloads. Gain actionable strategies to boost threat detection and resilience. Register now to stay ahead of evolving cyber threats!- Security3 Minute Read
Splunk Security Content for Threat Detection & Response: October Recap
Stay ahead with Splunk's ESCU monthly security content updates. Find new analytics & stories for threat detection, covering malware, vulnerabilities, and threat actors. 
Security3 Minute ReadUnderstanding Cyber Resilience with the World Economic Forum
Discover what cyber resilience really means, and the seven areas that organisations need to invest in, to bolster their resilience. This post delves into the WEF's Cyber Resilience Compass and strategies for a proactive defence.
Security1 Minute ReadSplunk Ranked Number 1 in the 2025 Gartner® Critical Capabilities for Security Information and Event Management Use Cases
Splunk has been ranked as the #1 SIEM solution in all three Use Cases for the second consecutive time in the 2025 Gartner® Critical Capabilities for Security Information and Event Management report.
Security13 Minute ReadThe Lost Payload: MSIX Resurrection
Threat actors weaponize MSIX for malware delivery – learn about MSIX attacks, distribution, and how Splunk's MSIXBuilder helps security teams test detection safely.
Security4 Minute ReadSplunk is a Leader and Placed Highest in Execution in the Gartner® Magic Quadrant™ for SIEM
Splunk has once again been named a Leader in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM) — our eleventh consecutive placement.
Security2 Minute ReadBuild the SOC of the Future with Splunk and Cisco
Discover how Splunk and Cisco are transforming security operations centers with unified platforms, AI-driven threat detection, and real-time visibility. Learn key insights, challenges, and strategies to build a smarter, more resilient SOC for the future.
Security3 Minute ReadEnhancing SOC Efficiency with OCSF & Splunk Enterprise Security
As threat volumes grow and environments become more complex, standardized, high-fidelity telemetry is no longer a luxury–it’s a necessity.- Security2 Minute Read
Splunk Security Content for Threat Detection & Response: September Recap
Splunk's September ESCU update: New security content & analytics for robust threat detection. Covers Cisco ASA, ArcaneDoor, diverse malware, and Office365 Copilot activity. 
Security4 Minute ReadTrust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
As of Splunk Enterprise 10.0, mTLS is now supported across 10 essential communication paths in your deployment—from forwarders and HTTP Event Collector (HEC) to clustered search heads and indexers.
Security6 Minute ReadUniting for Collective Defence: How Splunk and ASD Are Strengthening National Cyber Resilience Through CTIS
In response to the evolving cyber threat environment, the Australian Government has taken proactive steps to strengthen national cyber defences.
Security2 Minute Read2025 Worldwide BOTS Day
After a successful launch of BOTS at .conf25, we’re ready to take it to the masses with two worldwide BOTS10 competitions.
Security7 Minute ReadBuilding a Cross-Functional Remote Employment Fraud Response Team
In this blog, Splunkers Jonathan Heckinger and Brian Starrs cover the most complex aspect of REF risk: what to do after you find it.
Security10 Minute ReadFrom Prompt to Payload: LAMEHUG’s LLM-Driven Cyber Intrusion
The Splunk Threat Research Team analyzes the LAMEHUG malware, examining its tactics and techniques to provide insights that can help SOC analysts and blue teamers identify and respond.
Security3 Minute ReadGoing Beyond Today’s Asset and Risk Intelligence: What’s New in Splunk ARI 1.2
With the improvements within Splunk’s ARI 1.2, organizations can further improve aligning their vulnerabilities, misconfigurations, and threat activity with the business value of each asset.
Security4 Minute ReadStrengthen SOC Defenses with Native UEBA in Splunk Enterprise Security
Splunk's enhanced UEBA capability, now natively available in ES, empowers SOCs to transition from reactive, fragmented workflows to a proactive, behavior-driven security posture.
Security5 Minute ReadSplunk Enterprise Security: Built to Empower Every SOC Analyst
Announcing a transformative update to Splunk Enterprise Security (ES) with 8.2: An AI-powered SecOps platform designed to unify and accelerate threat detection, investigation, and response (TDIR) in one seamless experience.
Security7 Minute ReadOperationalize ESCU Detections Featuring Onboarding Assistant
Master operationalizing Splunk ESCU detections in Splunk Enterprise Security using the Onboarding Assistant.- Security3 Minute Read
Splunk Security Content for Threat Detection & Response: August Recap
Learn about the latest security content from Splunk. 
Security17 Minute ReadStatic Tundra Analysis & CVE-2018-0171 Detection Guide
Protect your network from Static Tundra's exploitation of CVE-2018-0171 Cisco Smart Install vulnerability. Get comprehensive analysis & Splunk detection guidance.
Security11 Minute ReadDetecting Suspicious ESXi Activity Before Ransomware Happens
Learn to detect suspicious activity using Splunk, including log ingestion, common indicators, and comprehensive detection strategies for VMware ESXi environments.
Security13 Minute ReadPicture Paints a Thousand Codes: Dissecting Image-Based Steganography in a .NET (Quasar) RAT Loader
Uncover how to identify malicious executable loaders that use steganography to deliver payloads such as Quasar RAT.
Security13 Minute ReadObey My Logs! AI-Powered Compromised Credential Detection
Splunker Shannon Davis shares a closer look into how to detect compromised credentials with AI-powered PLoB.
Security1 Minute ReadIntroducing… The Threat Hunter’s Cookbook!
The security experts on the SURGe team have released The Threat Hunter’s Cookbook, a hands-on guide for security practitioners that features actionable insights into threat hunting methods, ready-to-use queries, and more.
Security4 Minute ReadSecuring the Unseen
Learn how Splunk Asset and Risk Intelligence unifies IT/OT visibility, enhances threat detection, and ensures compliance.
Security9 Minute ReadNow Available: OCSF Translation with Splunk Edge Processor
Splunk Edge Processor now translates raw data to OCSF format using new SPL2 commands.- Security2 Minute Read
Splunk Security Content for Threat Detection & Response: July Recap
Learn about the latest security content from Splunk. 
Security12 Minute ReadBeyond the Patch: SharePoint Exploits and the Hidden Threat of IIS Module Persistence
The cybersecurity landscape witnessed a perfect storm in July 2025 when multiple critical SharePoint vulnerabilities collided with sophisticated IIS module-based persistence techniques, creating a nightmare scenario for enterprise defenders.
Security10 Minute ReadCitrixBleed 2: When Memory Leaks Become Session Hijacks
Discover how to detect, mitigate, and respond to CitrixBleed 2 (CVE-2025-5777), a critical Citrix NetScaler ADC and Gateway vulnerability exploited in the wild.
Security20 Minute ReadUnlocking Endpoint Network Security Insights with Cisco Network Visibility Module (NVM) and Splunk
Unlock deep endpoint network security insights by integrating Cisco NVM with Splunk.
Security13 Minute ReadBeyond The Click: Unveiling Fake CAPTCHA Campaigns
Learn how clipboard hijacking delivers malware and explore tools like ClickGrab & PasteEater for robust defense strategies.
Security4 Minute ReadSplunk @ SAPPHIRE 2025 Recap: How SAP Customers Use Splunk for World-Class Observability and Security
Splunker Keith Hontz shares a look at the Splunk highlights from SAP SAPPHIRE 2025.- Security2 Minute Read
Splunk Security Content for Threat Detection & Response: June Recap
Learn about the latest security content from Splunk. 
Security6 Minute ReadHow To Use CloudTrail Data for Security Operations & Threat Hunting
This blog post reviews AWS cloudtrail as a security logging source and how to hunt in it
Security16 Minute ReadWhen Installers Turn Evil: The Pascal Script Behind Inno Setup Malware Campaign
Uncover the Inno Setup malware campaign leveraging Pascal scripting to deliver RedLine Stealer.
Security4 Minute ReadThreat Hunting with TLS/SSL Certificates
TLS and SSL certificates are a great way to hunt advanced adversaries. Collect them with Splunk Stream, Bro, or Suricata and hunt in your own data!
Security4 Minute ReadHunting with SA-Investigator & Splunk Enterprise Security (SIEM)
Discover how Splunk Enterprise Security and the SA-Investigator add-on empower analysts to streamline threat hunting and incident response. Learn how to pivot across assets, identities, and processes for deep-dive investigations and actionable insights. Happy hunting!
Security7 Minute ReadHunting for Threats in VPCFlows
This article will look at native AWS network telemetry — VPCFlows. We’ll explore what it is, how you can ingest it, and what value it provides from a security perspective.
Security13 Minute ReadXWorm's Shape-Shifting Arsenal: Loader and Stager Variants in the Wild
Explore XWorm's shape-shifting tactics, evolution, and persistence, and how Splunk helps detect this RAT.
Security15 Minute ReadMachine Learning in Splunk Enterprise Security: Unleashing Hidden Detection Power
Discover how Splunk Enterprise Security 8.0 revamps machine learning, spots hidden threats, simplifies anomaly detection, and turbocharges your SOC.
Security2 Minute ReadSplunk Attack Analyzer Introduces Built-in Translation and Achieves SOC 2 Compliance
Splunk Attack Analyzer enhances threat analysis with built-in email/document translation and achieves SOC 2 compliance.
Security3 Minute ReadIntroducing Splunk Attack Range v4.0
Splunk Attack Range v4.0 empowers security teams to build detections & emulate adversaries.
Security16 Minute ReadBehind the Curtain: Detecting Remote Employment Fraud Inside Your Organization
Detect Remote Employment Fraud using Splunk Enterprise Security with actionable detection strategies to identify and respond to fraudulent activity.
Security1 Minute ReadSplunk Named a Leader in The Forrester Wave™: Security Analytics Platforms, Q2 2025
Splunk has been named a Leader in The Forrester Wave: Security Analytics Platforms, Q2 2025.
Security7 Minute ReadDefending at Machine Speed: Guiding LLMs with Security Context
Enhance LLM performance for cybersecurity tasks with few-shot learning, RAG, & fine-tuning guide models for accurate PowerShell classification.
Security1 Minute ReadSplunk Security Content for Threat Detection & Response: May Recap
There are 13 new analytics and 4 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Security3 Minute ReadInnovations in Splunk Security Expands Unified TDIR Experience to On-Premises and FedRamp Moderate Environments
Announcing the general availability of Splunk Enterprise Security 8.1, bringing unified TDIR workflows fueled by automation to both customer managed deployments and FedRAMP Moderate environments
Security5 Minute ReadFrom Instinct to Insight: Why Metrics Are Essential to Threat Hunting Success
Splunker Tamara Chacon explores why metrics are critical to threat hunting success.
Security14 Minute ReadSecuring the Network Edge: Cisco Secure Firewall Threat Defense Detections for Splunk
Enhance your network security with Cisco Firepower Threat Defense and Splunk using out-of-the-box detections developed by Splunk's Threat Research Team.
Security4 Minute ReadEnter the SOC of the Future in Splunk’s State of Security 2025
Splunk's State of Security 2025: The Stronger, Smarter SOC of the Future reveals the insights, aspirations, and challenges of security leaders.
Security4 Minute ReadKey Findings From a Recent Study on Data Management in the Modern Security Operations Center
Learn about cloud storage preferences, data cost challenges, and best practices for optimizing your SOC's security posture and cost efficiency.
Security8 Minute ReadBreaking Down Termite Ransomware: Infection Methods and Detections
Deep dive into Termite ransomware: Discover its infection methods, targeted vulnerabilities (like Cleo's CVE-2024-50623), and Splunk security detections.
Security6 Minute ReadImposters at the Gate: Spotting Remote Employment Fraud Before It Crosses the Wire
Remote Employment Fraud actors don’t steal credentials—they’re issued them. This blog explores early detection and why security can’t face this threat alone.
Security3 Minute ReadAustralia Is Investing in Resilience – Are Businesses Ready?
Splunker Craig Bates explains why the most immediate — and underestimated — consequence of disruption isn’t always data loss. It’s downtime.
Security10 Minute ReadCloak and Firewall: Exposing Netsh’s Hidden Command Tricks
Learn about hidden Netsh command tricks, detection methods, and Splunk security detections to protect your Windows systems.
Security14 Minute ReadA Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why
Maximize visibility without overwhelming your SIEM with this data-driven guide to Windows Advanced Audit Policy.
Security1 Minute ReadSplunk at RSAC™ 2025: Helping Users Build the SOC of the Future
Join Splunk at RSAC™ 2025 to discover cutting-edge security solutions for building the SOC of the Future. Explore data management, SIEM advancements, and more.
Security4 Minute ReadSupercharge Your SOC Investigations with Splunk SOAR 6.4
Splunker Nick Hunter explains how to integrate Cisco Talos threat intelligence, leverage Azure scalability, and streamline investigations.
Security8 Minute ReadThe High Cost of Security Investigations
Splunk Asset & Risk Intelligence (ARI) can significantly reduce investigation costs, improve analyst efficiency, and accelerate threat containment.
Security3 Minute ReadSplunk Security Ops: Building the Blueprint for Success
Learn how Splunk Global Security runs ops at scale and enables the business by focusing on what matters—solving problems through data, automation, and collaboration.
Security3 Minute ReadSequenced Event Templates via Risk-based Alerting
Splunker Haylee Mills explains how to convert sequenced events into actionable insights using SPL techniques to enhance anomaly detection and improve security analytics.
Security2 Minute ReadSOAR: Transforming Security and IT
Splunker Kassandra Murphy explains how to streamline workflows and boost efficiency across your organization with intelligent orchestration and automation.
Security4 Minute ReadLogs Are for Campfires: Integrate and Innovate With Splunk Asset and Risk Intelligence
Splunker Jerald Perry explains how to stay ahead of threats with streamlined workflows and comprehensive insights into your security posture.
Security5 Minute ReadDefending at Machine-Speed: Accelerated Threat Hunting with Open Weight LLM Models
Splunker Ryan Fetterman explains how Splunk DSDL 5.2 enhances cybersecurity operations, streamlining PowerShell script classification and reducing analyst workload by 250x.
Security16 Minute ReadSinister SQL Queries and How to Catch Them
Discover comprehensive strategies for detecting and mitigating SQL Server attacks.- Security6 Minute Read
SNARE: The Hunters Guide to Documentation
Discover the SNARE framework for effective threat hunting documentation. 
Security5 Minute ReadExploring AI for Vulnerability Investigation and Prioritisation
Splunker James Hodgkinson explains how AI-driven tools can revolutionize vulnerability investigation and prioritization.
Security20 Minute ReadInfostealer Campaign against ISPs
The Splunk Threat Research Team observed actors performing minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised.
Security4 Minute ReadWhy Security Teams Choose Splunk Enterprise Security: Three Core Benefits That Transform SecOps
Discover how Splunk Enterprise Security transforms SecOps with comprehensive visibility, contextual threat detection, and efficient operations. Learn from PeerSpot users how this leading SIEM solution enhances security management and improves threat response.
Security5 Minute ReadOnboarding Windows Events to Powershell Threat Detection in UBA
Learn how to enhance PowerShell threat detection in UBA by effectively onboarding Windows events. Our step-by-step guide covers XML event log formats and Splunk integration, ensuring robust security against cyber threats.
Security14 Minute ReadHey SDDL SDDL: Breaking Down Windows Security One ACE at a Time
Explore SDDL in Windows security with our comprehensive guide to help enhance your defensive strategy against privilege escalation attacks.
Security6 Minute ReadAutonomous Adversaries: Are Blue Teams Ready for Cyberattacks To Go Agentic?
Explore the impact of autonomous adversaries on cybersecurity as AI and LLMs evolve.
Security4 Minute ReadIntroducing DECEIVE: A Proof-of-Concept Honeypot Powered by AI
Explore DECEIVE: an AI-powered proof-of-concept honeypot by SURGe. Learn how AI simplifies cybersecurity with dynamic simulations and session summaries, paving the way for innovative security solutions.
Security4 Minute ReadNow Available: Splunk Enterprise Security Content Update App 5.0
The Splunk Threat Research Team announces the release of the Enterprise Security Content Update (ESCU) app 5.0.
Security1 Minute ReadCloud SOAR Achieves IRAP Assessment Along With Enterprise Security 8.0, DMX Edge Processor & Federated Search S3
We are delighted to announce that our Cloud SOAR solution has successfully completed the IRAP assessment.
Security6 Minute ReadMatching AI Strengths to Blue Team Needs
Discover how AI and Large Language Models (LLMs) enhance cybersecurity operations for Blue Teams.- Security3 Minute Read
Logs Are for Campfires: Splunk’s Asset and Risk Intelligence Leaves No Vulnerability Undiscovered!
Splunk's Asset and Risk Intelligence enhances security by uncovering hidden vulnerabilities, prioritizing critical threats, and offering dynamic risk scoring for proactive risk mitigation and compliance. 
Security4 Minute ReadHarness the Power of Cisco Talos Threat Intelligence Across Splunk Security Products
Leverage Cisco Talos’ threat intelligence through Cisco Talos Intelligence for Enterprise Security, the Cisco Talos Intelligence connector for Splunk SOAR, and as a globally enabled feature in Splunk Attack Analyzer.
Security2 Minute ReadThe Modern SIEM Has Come a Long Way From Your Grandmother’s SIEM
Explore how modern SIEM solutions tackle scalability, alert fatigue, and advanced threat detection with automation, machine learning, and real-time insights for efficient SOC workflows.
Security18 Minute ReadMeduza Stealer Analysis: A Closer Look at its Techniques and Attack Vector
Uncover Meduza Stealer, a 2023 malware targeting credentials and crypto wallets. Explore its evasion tactics, attack methods, and Splunk’s expert insights for enhanced security.
Security2 Minute ReadCisco Intends to Acquire Threat Detection and Defense Company SnapAttack, Driving Further Splunk Innovation to Power the SOC of the Future
Cisco announces it intent to acquire threat detection and defense company SnapAttack, driving further Splunk innovation to power the SOC of the future.- Security3 Minute Read
Logs Are For Campfires: Log Data, Big Data, and Splunk Asset & Risk Intelligence
Discover how Splunk Asset and Risk Intelligence (ARI) transforms log data into actionable insights. From automated asset discovery to risk and compliance management, ARI empowers organizations with real-time visibility, vulnerability tracking, and proactive threat mitigation. Elevate your security posture today. 
Security2 Minute ReadIntroducing the OT Security Solution Accelerator
The OT Security Solution Accelerator provides prescriptive guidance around data collection, reference architectures, and a Splunk app with existing content to accelerate their capabilities.
Security11 Minute ReadBypassing the Bypass: Detecting Okta Classic Application Sign-On Policy Evasion
The Splunk Threat Research Team dives into the Okta policy bypass vulnerability, offering detection insights and effective hunting strategies for security teams.
Security10 Minute ReadCosmicSting: A Critical XXE Vulnerability in Adobe Commerce and Magento (CVE-2024-34102)
The Splunk Research Team dissects the technical intricacies of the CosmicSting vulnerability, explores its potential impact on affected systems, and provides detection opportunities and mitigation strategies.
Security10 Minute ReadCracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader
The Splunk Threat Research Team break down Braodo Stealer's loader mechanisms, obfuscation strategies, and payload behavior.
Security4 Minute ReadPaving the Way for Unified Cybersecurity: OCSF Joins the Linux Foundation with Splunk’s Support
Unified cybersecurity takes a step forward as OCSF joins the Linux Foundation, backed by Splunk’s support.
Security1 Minute ReadSplunk Enterprise Security 8.0: Customer Feedback
Splunk Enterprise Security 8.0 delivers unified workflows, alert aggregation, and detection versioning to empower security teams, shaped by customer feedback.
Security1 Minute ReadIntroducing Wayfinder: Simplify Your Navigation in Splunk SOAR
Introducing Wayfinder, a new Splunk SOAR feature that streamlines navigation across the user interface and puts important data right at your fingertips.
Security4 Minute ReadSplunk Enterprise Security 8.0 and Splunk SOAR 6.3 Unify and Automate TDIR Workflows within the Market-Leading SIEM
Patriz Regalado explains how Splunk Enterprise Security is now natively integrated with automation capabilities from Splunk SOAR.
Security2 Minute ReadGuided Automation Using Real Incident Data for Easier Playbook Building in Splunk SOAR
Build powerful playbooks in Splunk SOAR faster and easier with guided automation, using real incident data to streamline security responses in seconds.- Security4 Minute Read
Logs Are for Campfires: This Is Your Data!
Splunker Jerald Perry shares how log data fuels insights, security, and efficiency, making it as impactful as Big Data for smarter decisions. 
Security6 Minute ReadFederated Analytics: Analyze Data Wherever It Resides for Rapid and Holistic Security Visibility
Federated Analytics is now generally available as a premium add-on feature for Splunk Cloud Platform and Splunk Enterprise Security.
Security2 Minute ReadUnify and Automate TDIR Workflows with Splunk SOAR 6.3 and Splunk Enterprise Security 8.0
Splunk SOAR 6.3 and Enterprise Security 8.0 make it easier to unify and automate your threat detection, investigation, and response workflows.
Security2 Minute ReadSplunk SOAR Prompt-Driven Automation: Reduce MTTR with Collaborative SecOps
Get started with prompt-driven automation today with the latest version of Splunk SOAR.
Security3 Minute ReadAnnouncing the General Availability of Splunk® Enterprise Security 8.0
We are thrilled to announce Splunk Enterprise Security 8.0 is now generally available.
Security3 Minute ReadCybersecurity Awareness Month Spotlight: Insights from the Cisco Talos & SURGe Teams
The Cisco Talos and SURGe by Splunk teams gathered for a special episode of Talos Takes filled with engaging cybersecurity discussions and candid opinions.
Security12 Minute ReadValleyRAT Insights: Tactics, Techniques, and Detection Methods
The Splunk Threat Research Team conducts an analysis for several variants of ValleyRAT’s malware samples to extract its MITRE ATT&CK tactics, techniques, and procedures (TTPs).
Security3 Minute ReadFueling the SOC of the Future with Built-in Threat Research and Detections in Splunk Enterprise Security
The Splunk Threat Research Team develops security resources and content that helps enhance your ability to detect and respond to advanced threats.
Security3 Minute ReadMacro ATT&CK for a TTP Snack
Splunk's Mick Baccio and Ryan Fetterman explore 2024's macro-level cyber incident trends through the lens of the MITRE ATT&CK framework.
Security3 Minute ReadIntroducing Splunk Attack Range v3.1
The Splunk Threat Research Team is happy to release v3.1 of Splunk Attack Range.
Security3 Minute ReadVulnerability Prioritization Is a Treat for Defenders
There have been numerous high-profile cybersecurity incidents where vulnerability management had an impact on severe breaches – here are some notable examples.
Security14 Minute ReadPowerShell Web Access: Your Network's Backdoor in Plain Sight
The Splunk Threat Research Teams dives deep into PowerShell Web Access (PSWA) exploring its functionality within the context of cyber threats.
Security2 Minute ReadSplunk is Nurturing Tomorrow’s Cybersecurity Leaders Today
The Splunk Academic Alliance program combines education with practical skills development to prepare the next generation of data and cybersecurity professionals.
Security6 Minute ReadMacro-ATT&CK 2024: A Five-Year Perspective
Splunk’s Ryan Fetterman and Tamara Chacon dive into attacker techniques, trends, and blue team tips for analyzing and visualizing data from the past year.
Security3 Minute ReadCybersecurity Awareness Is Not Just for Spooky Season
As October marks Cybersecurity Awareness Month, Splunker Mick Baccio reflects on the progress made over the past two decades.
Security11 Minute ReadMy CUPS Runneth Over (with CVEs)
This blog dissects the technical intricacies of the CUPS vulnerability, explores its potential impact on affected systems, and provides detection opportunities and mitigation strategies.
Security11 Minute ReadA Case Study in Vulnerability Prioritization: Lessons Learned from Large-Scale Incidents
Splunker Audra Streetman provides an overview of the lessons learned from previous large-scale security incidents to help inform vulnerability prioritization.
Security5 Minute ReadSplunk SOAR Evolved: A Unified TDIR Approach to Automation
Splunk SOAR 6.3.0 and 6.3.1 constitute a significant evolution in how security practitioners can implement, use, and leverage security automation in the SOC more efficiently.
Security1 Minute ReadSplunk Named a Leader in the 2024 IDC MarketScape for SIEM for Enterprise
Splunk is ranked #1 for the fourth year in a row in the IDC Worldwide Security Information and Event Management Market Shares, 2023: The Leaders in SIEM City report!
Security2 Minute ReadCelebrating 2024 Worldwide BOTS Day
After a successful launch of BOTS at .conf24, we’re ready to take it to the masses with two worldwide BOTSv9 competitions.
Security17 Minute ReadHandala’s Wiper: Threat Analysis and Detections
Cisco Talos and the Splunk Threat Research Team provide a comprehensive analysis that expands on existing coverage of Handala's Wiper and offers unique insights.
Security13 Minute ReadShrinkLocker Malware: Abusing BitLocker to Lock Your Data
The Splunk Threat Research Team shares their findings and methodologies to aid the cybersecurity community in combating ShrinkLocker effectively.
Security12 Minute ReadPrevious Security Content Roundups from the Splunk Threat Research Team (STRT)
Recap: Learn about the last four quarters of security content from the Splunk Threat Research Team.
Security8 Minute ReadThe Final Shell: Introducing ShellSweepX
The Splunk Threat Research Team is excited to announce the final tool in the ShellSweep collection: ShellSweepX.
Security3 Minute ReadStaff Picks for Splunk Security Reading August 2024
Splunk security experts share their curated list of presentations, whitepapers, and customer case studies that they feel are worth a read.
Security3 Minute ReadThe New & Improved Splunk Guide to Risk-Based Alerting
Splunker Haylee Mills shares a brand new version of the step-by-step guide to success with the risk-based alerting framework.
Security8 Minute ReadObservability Meets Security: Build a Baseline To Climb the PEAK
Splunker James Hodgkinson looks at how to apply the baseline hunting process to some common O11y data sources and shows how the OpenTelemetry standard offers easier data analysis.
Security3 Minute ReadWhat Does Powering the Modern SOC Look Like in ANZ?
Splunker Craig Bates dives into what powering the modern SOC looks like in Australia and New Zealand.
Security3 Minute ReadObservability Meets Security: Tracing that Connection
Splunker James Hodgkinson looks at how you can use traces to see directly into the workings of an application to find a potential threat.
Security3 Minute ReadComprehensive, Continuous, and Compliant: Obtain Proactive Insights with Splunk Asset and Risk Intelligence
Announcing the release of the latest addition to our security product portfolio, Splunk Asset and Risk Intelligence.
Security3 Minute ReadFortify Digital Resilience with Splunk + Cisco Talos Incident Response
Announcing the availability of Cisco Talos Incident Response services to Splunk customers.
Security2 Minute ReadAnnouncing General Availability of Cisco Talos Intelligence in Splunk Attack Analyzer
We are pleased to announce the general availability of Cisco Talos threat intelligence to all Splunk Attack Analyzer customers globally.
Security11 Minute ReadLLM Security: Splunk & OWASP Top 10 for LLM-based Applications
Threats to LLMs are real. Let’s look at top LLM threats and show you how, with Splunk, you can better defend LLM-based applications and their users.
Security3 Minute ReadDriving vSOC Detection with Machine Learning
In this blog, Splunker Jim Goodrich takes a deep dive into an API security use case, using machine learning to detect API anomalies, and more.
Security6 Minute ReadEmbracing Observability Tools to Empower Security Incident Response
Bridge the gap between development and security with OpenTelemetry and observability tools.- Security4 Minute Read
Staff Picks for Splunk Security Reading July 2024
Welcome to the Splunk staff picks blog, featuring a curated list of presentations, whitepapers, and customer case studies that our Splunk security experts feel are worth a read. 
Security6 Minute ReadAcidPour Wiper Malware: Threat Analysis and Detections
The Splunk Threat Research Team provides an analysis of AcidPour and how to use Splunk’s out-of-the-box security content to help defend against this wiper malware.
Security3 Minute ReadHow Splunk SOAR is Helping Organizations Achieve a More Resilient Approach to Security
We worked with Peerspot to capture some of the ways customers have found success while using Splunk SOAR as part of their security stack.
Security4 Minute ReadSplunk Security Content for Impact Assessment of CrowdStrike Windows Outage
This blog is intended to help existing Splunk customers who are also customers of CrowdStrike gain visibility into how the CrowdStrike outage may be impacting their organizations.
Security3 Minute ReadSplunk at Black Hat 2024: Strategic Transformations to Power the SOC of the Future
At Black Hat 2024, Splunk will demonstrate how we’re empowering security teams to embrace strategic transformations and navigate the complex threat landscape.
Security8 Minute ReadBreaking Down Linux.Gomir: Understanding this Backdoor’s TTPs
The Splunk Threat Research Team provides an analysis of Linux.Gomir to help security analysts, blue teamers and Splunk customers defend against this threat.
Security4 Minute ReadWoken by Ransomware, Are We Hypnotized by Tunnel Vision?
Splunker Ronald Beiboer examines if ransomware has blinded us to the more invisible attacks and how cybersecurity can help.
Security14 Minute ReadIntroducing ShellSweepPlus: Open-Source Web Shell Detection
Detect web shells easily with ShellSweepPlus, an open-source tool for detecting potential web shells. Learn how ShellSweepPlus works and how to use it here.
Security9 Minute ReadregreSSHion: Uncovering CVE-2024-6387 in OpenSSH - A Critical Vulnerability
CVE-2024-6387, aka "regreSSHion", exposes Linux environments to remote unauthenticated code execution. Learn how to handle this CVE here.
Security1 Minute ReadSplunk Ranked Number 1 in the 2024 Gartner® Critical Capabilities for Security Information and Event Management
Splunk was ranked as the #1 SIEM solution in all three Use Cases in the 2024 Gartner® Critical Capabilities for Security Information and Event Management report.- Security2 Minute Read
Staff Picks for Splunk Security Reading June 2024
Welcome to the June Splunk staff picks blog, featuring a list of presentations, whitepapers, and customer case studies that our Splunk Security experts feel are worth a read. 
Security8 Minute ReadThe Geometry of Fraud Detection
Splunker Nimish Doshi shares statistical ways to find outliers and visualizes what they would look like if using virtual area or virtual volume as geometric representations to find them.
Security4 Minute ReadZipf's Law and Fraud Detection
Splunker Nimish Doshi breaks down Zipf’s Law to look for possible indicators of fraud.
Security4 Minute ReadSafe Passage: Seamless Transition Path for IBM QRadar Customers
The SOC is where it all goes down and where dedicated SecOps teams work tirelessly to protect every digital corner of an organization.
Security15 Minute ReadLNK or Swim: Analysis & Simulation of Recent LNK Phishing
LNK files are a common starting point for many phishing campaigns. Read on to strengthen your defenses against these LNK file phishing attacks.
Security5 Minute ReadReduce False Alerts – Automatically!
Splunker Xiao Lin explains the 'False Positive Suppression Model,' now in the UBA tool.
Security11 Minute ReadDeploy, Test, Monitor: Mastering Microsoft AppLocker, Part 1
The Splunk Threat Research Team provides a comprehensive overview of AppLocker and guidance for getting started with AppLocker policies
Security10 Minute ReadDeploy, Test, Monitor: Mastering Microsoft AppLocker, Part 2
Leverage the power of Splunk to ingest, visualize, and analyze AppLocker events, enabling you to gain valuable insights and strengthen your organization's security posture.
Security6 Minute ReadSecurity Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP
The Splunk Threat Research Team explores how Splunk can help you identify and investigate CVE-2024-4040 exploitation in your CrushFTP environment.- Security3 Minute Read
Staff Picks for Splunk Security Reading May 2024
Splunk security experts share a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security5 Minute ReadAccelerate Rare Event Model Computation by Customizing Cardinality Constraints
Splunker Xiao Lin explores how 'cardinalitySizeLimit' works, its impact on UBA performance, and how to leverage this feature to enhance threat detection.
Security14 Minute ReadSplunk Tools & Analytics To Empower Threat Hunters
Calling all threat hunters! This article dives into the many Splunk tools and analytics that can help threat hunters in their day-to-day hunting activities.
Security4 Minute ReadUEBA Superpowers: Simplify Incident Investigations to Increase SOC Efficiency
Fernando Jorge explains how Splunk UBA simplifies incident investigations and enhances SOC efficiency with advanced machine learning and behavior analytics.
Security2 Minute ReadSplunk SOAR Playbook of the Month: Splunk Attack Analyzer Dynamic Analysis
For this Splunk SOAR Playbook of the Month, Splunker Coty Sugg shows how to use one of our out-of-the-box playbooks for faster, simpler, and more effective dynamic analysis.
Security7 Minute ReadThreat Hunting in 2025: Must-Have Resources & Tasks for Every Hunter
What are the most important things threat hunters do every day? We surveyed professionals and here are the must-have tasks and resources.
Security3 Minute ReadSplunk Named a Leader in the Gartner® Magic Quadrant™ for SIEM
Splunk has been named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM), which is the tenth consecutive time for Splunk in the Leaders Quadrant.
Security2 Minute ReadSplunk User Behavior Analytics (UBA) 5.4 Delivers FIPS Compliance and Advanced Anomaly Detection
Splunker Fernando Jorge walks us through enhancements and new features in the latest User Behavior Analytics (UBA) product update, version 5.4.0.
Security5 Minute ReadBuilding At-Scale User Behavior Analytics for Splunk UBA: Enhance Performance of Account & Device Exfiltration Models
Splunkers Ania Kacewicz, Cui Lin and Che-Lun Tsao discuss how the scalability performance of Account and Device Exfiltration models can be achieved in UBA V5.4.0.
Security17 Minute ReadHunting M365 Invaders: Dissecting Email Collection Techniques
The Splunk Threat Research Team describes various methods attackers may leverage to monitor mailboxes, how to simulate them and how teams can detect them using Splunk’s out-of-the-box security content.
Security8 Minute ReadElevating Security: The Growing Importance of Open Cybersecurity Schema Framework (OCSF)
Splunker Paul Agbabian shares what's new in the Open Cybersecurity Schema Framework (OCSF) and how profiles can augment the natural structure of event classes and categories.
Security3 Minute ReadExplore the AI Frontier in Splunk’s State of Security 2024
Splunk's State of Security 2024: The Race to Harness AI report reveals the insights, aspirations, and challenges of security leaders.
Security6 Minute ReadHow To Start Threat Hunting: The Beginner's Guide
Ready to hunt threats? Starting a hunt in a new data environment? This is the place to begin! We've got you covered in this threat hunting 101 tutorial.- Security3 Minute Read
Staff Picks for Splunk Security Reading April 2024
Splunk security experts share their list of presentations, whitepapers, and customer case studies from April 2024 that they feel are worth a read. 
Security12 Minute ReadDetecting & Hunting Named Pipes: A Splunk Tutorial
Named pipes can be threats, too. In this comprehensive article, we are going to talk about detecting, hunting and investigating named pipes.
Security9 Minute ReadFrom Water to Wine: An Analysis of WINELOADER
In this blog post we'll look closely at the WINELOADER backdoor and how Splunk can be used to detect and respond to this threat.
Security2 Minute ReadSplunk SOAR Playbook of the Month: Cisco Umbrella DNS Denylisting
Cisco and Splunk can help users achieve more comprehensive security with a playbook that combines the power of Cisco Umbrella and Splunk SOAR.- Security4 Minute Read
Splunk at RSAC 2024: Powering the SOC of the Future
Visit Splunk at RSAC 2024 and see how we can help you evolve to the SOC of the future. 
Security4 Minute ReadUEBA Superpowers: Enhance Security Visibility with Rich Insights to Take Rapid Action Against Threats
Splunk UBA illuminates hidden corners of your org's digital ecosystem, providing unparalleled visibility into behaviors and patterns that define the network's pulse.
Security4 Minute ReadDetecting Lateral Movement with Splunk: How To Spot the Signs
Identifying lateral movement is so important, and it sure isn't easy. Using Splunk makes it a lot easier, and we'll show you how in this tutorial.- Security3 Minute Read
Staff Picks for Splunk Security Reading March 2024
Welcome to the March 2024 Splunk staff picks, featuring a curated list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security6 Minute ReadUEBA Superpowers: Detect and Eliminate Advanced Threats with Machine Learning
Splunk User Behavior Analytics (UBA) detects advanced attacks and insider threats with unsupervised machine learning.
Security6 Minute ReadLevel Up Your Security Data Journey and MITRE ATT&CK Benchmarking with Splunk Security Essentials
Announcing the release of Splunk Security Essentials version 3.8.0, which adds maturity journey and benchmarking.
Security5 Minute ReadProcess Hunting with PSTree
This tutorial shows how to use the pstree command & app to help you look through all the processes you have to investigate.
Security4 Minute ReadElevating Security Intelligence with Splunk UBA's Machine Learning Models
Splunk UBA uses machine learning to detect evolving threats beyond rule-based approaches in SOC operations, tackling overwhelming event volumes.
Security2 Minute ReadEnhancing SIEM Events with Automated Threat Analysis of URLs
Splunk debuts Add-on & App for Splunk Attack Analyzer v1.1, elevating security ops via automated URL threat analysis in Splunk ES.
Security7 Minute ReadDetecting New Domains in Splunk (Finding New Evil)
Ready to find "new" domains that may be naughty? We'll walk you through how to use Splunk & Splunk Enterprise Security to do that: get the full story here!
Security10 Minute ReadUnder the Hood of SnakeKeylogger: Analyzing its Loader and its Tactics, Techniques, and Procedures
In this blog, the Splunk Threat Research Team provides valuable insights to enable security analysts and blue teamers to defend and be aware of these scam tactics.
Security9 Minute ReadSecurity Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199
The Splunk Threat Research Team examines exploit operations, analytics, hunting queries, and tips on capturing TeamCity logs.
Security5 Minute ReadAdd To Chrome? - Part 4: Threat Hunting in 3-Dimensions: M-ATH in the Chrome Web Store
SURGe experiments with a method to find masquerading using M-ATH with Splunk and the DSDL App.
Security4 Minute ReadDetect Money Laundering, Healthcare Fraud, and Unemployment Fraud with the New Version of the Splunk App for Fraud Analytics
Detect money laundering, healthcare fraud, and unemployment fraud with Splunk App Fraud Analytics 1.2.4.
Security3 Minute ReadStaff Picks for Splunk Security Reading February 2024
The Splunk security team shares a curated list of presentations, whitepapers, and customer case studies they feel are worth a read.
Security7 Minute ReadBeyond Logs: Navigating Entity Behavior in Splunk Platform
Master internal threat detection with Splunk's anomaly detection, finding events like unusual geolocations and spikes in activity, while optimizing security.
Security11 Minute ReadUnveiling Phemedrone Stealer: Threat Analysis and Detections
The Splunk Threat Research Team dissects the Phemedrone Stealer.
Security5 Minute ReadAdd to Chrome? - Part 3: Findings and Recommendations
SURGe explores findings and general recommendations on whether or not you should click 'Add to Chrome' the next time you find a fancy new extension.
Security5 Minute ReadAdd to Chrome? - Part 2: How We Did Our Research
SURGe explores the analysis pipeline in more detail and digs into the two main phases of this research – how the team collected the data and how they analyzed it.
Security5 Minute ReadAre You Forensic Ready?
In the landscape of everyday operations, the concept of forensic readiness may often linger unnoticed in the background.
Security11 Minute ReadHunting M365 Invaders: Navigating the Shadows of Midnight Blizzard
The Splunk Threat Research Team outlines the attack chain detailed in the Microsoft blog, offering practical detection and hunting tips for cybersecurity defenders.
Security3 Minute ReadSupercharge Cybersecurity Investigations with Splunk and Graphistry: A Powerful Combination for Interactive Graph Exploration
In this blog post, we'll dive deeper into how combining Splunk and Graphistry can help you unlock new capabilities for your cybersecurity investigations and gain better resilience for your organization.
Security4 Minute ReadAdd to Chrome? - Part 1: An Analysis of Chrome Browser Extension Security
An overview of SURGe research that analyzed the entire corpus of public browser extensions available on the Google Chrome Web Store.
Security6 Minute ReadBuilding Large-Scale User Behavior Analytics: Data Validation and Model Monitoring
Splunk's Cui Lin explores fundamental techniques to validate data volume and monitor models to understand the size of your own UBA clusters.
Security9 Minute ReadAnother Year of RATs and Trojan Stealer: Detection Commonalities and Summary
The Splunk Threat Research Team shares analysis, analytic stories and security detections for seven well-known RAT and Trojan Stealer malware families.
Security4 Minute ReadHow Tech Executives Can Support Gender Diverse Cyber Talent
The number of unfilled cybersecurity roles creates a perfect opportunity for leaders to attract female talent at their organizations.- Security3 Minute Read
Staff Picks for Splunk Security Reading January 2024
Welcome to the January Splunk staff picks blog – a curated list of presentations, whitepapers, and customer case studies that Splunk security experts feel are worth a read. 
Security5 Minute ReadSecurity Insights: Jenkins CVE-2024-23897 RCE
In response to CVE-2024-23897, the Splunk Threat Research Team has developed new security detections and hunting queries to support defenders.
Security6 Minute ReadSecurity Insights: Tracking Confluence CVE-2023-22527
In response to CVE-2023-22527, the Splunk Threat Research Team has developed new security detections to support defenders.
Security6 Minute ReadSecurity Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
The Splunk Threat Research Team has swiftly developed Splunk analytics and hunting queries, helping defenders quickly adapt and respond to emerging threats CVE-2023-46804 and CVE-2024-21887.
Security11 Minute ReadHypothesis-Driven Cryptominer Hunting with PEAK
A sample hypothesis-driven hunt, using SURGe's PEAK threat hunting framework, looking for unauthorized cryptominers.
Security1 Minute ReadAI: Keep Your Feet on the Ground
Splunk is excited about AI, but we're keeping our boots on the ground as we partner with customers to leverage AI to improve efficiency while continuing the essentials via Splunk’s platform.
Security10 Minute ReadEnter The Gates: An Analysis of the DarkGate AutoIt Loader
The Splunk Threat Research Team (STRT) provides a deep dive analysis of the DarkGate malware and its use of AutoIt.
Security7 Minute ReadGhost in the Web Shell: Introducing ShellSweep
Splunk introduces ShellSweep, a suite of utilities designed to detect and combat malicious web shells in servers.
Security17 Minute ReadHunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
Discover insights from the Splunk Threat Research Team on Microsoft 365 threat detection, focusing on data source analysis and effective methods for hunting initial access threats.
Security5 Minute ReadOT Security Is Different, Isn’t IT?
Explore the differences between OT security and IT security, delving into industry-specific challenges and solutions, with insights into the Purdue Model and how Splunk can help.
Security3 Minute ReadSplunk Enterprise Security 7.3 Delivers a Refined Analyst Experience and Enhanced Risk Context for Seamless Incident Triage
Announcing Splunk Enterprise Security 7.3, delivering a refined analyst experience and enhanced risk context for seamless incident triage.
Security2 Minute ReadStaff Picks for Splunk Security Reading December 2023
Splunk security experts share their December list of presentations, whitepapers, and customer case studies that they feel are worth a read.
Security1 Minute ReadIntroducing Our New SOAR Integrations: Why Panorama and FortiManager Users Should Be Excited
The Splunk SOAR team shares more on the latest firewall management apps introduced in Splunk SOAR 6.2.
Security6 Minute ReadOld School vs. New School
The Splunk SURGe team examines the claim that generative AI will empower threat actors to improve the scale and/or efficiency of their spear-phishing campaigns.
Security17 Minute ReadDeploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk
Explore Microsoft Defender ASR's role in cybersecurity with Splunk and learn deployment, testing, and monitoring strategies for robust defense.
Security3 Minute ReadUpdated Baseline Creation and Dashboards in OT Security Add-on for Splunk Version 2.3
Version 2.3 of the OT Security Add-on for Splunk is here and it delivers three main updates.
Security5 Minute ReadSOC Models: In-House, Out-Sourced, or Hybrid SOC?
Splunk's Kirsty Paine shares best practices from a roundtable held at Gartner Security & Risk Management Summit 2023.
Security2 Minute ReadReduce Operational Complexity with Splunk SOAR Logic Loops
Learn about the logic loops feature introduced in Splunk SOAR version 6.2 and how you can implement them in your own use cases and playbooks.- Security7 Minute Read
Laying the Foundation for a Resilient Modern SOC
Splunk Security supports your journey to digital resilience by providing comprehensive security visibility to reduce business risk; equipping your team with risk-based threat detection, investigation, and response technologies to help you build a modern SOC; and fueling security innovation through Splunk’s vibrant community. 
Security8 Minute ReadUnmasking the Enigma: A Historical Dive into the World of PlugX Malware
The Splunk Threat Research Team (STRT) unravels the mystery of a PlugX variant, peeling back the layers of its payload, tactics, and impact on the digital realm.
Security6 Minute ReadUser Behavior Monitoring with M-21-31
OMB M-21-31 requires US Federal Civilian agencies to implement user behavior monitoring. We'll explain what that means and how to do it right.
Security2 Minute ReadCIO Roundtable: Harnessing GenAI for Resilient Security and Observability – Insights and Strategies
Get insights from a recent roundtable discussion in collaboration with CIO magazine. The talk focused on the dual challenge faced by IT and security managers: mitigating risks associated with AI while leveraging AI to enhance organizational capability.
Security6 Minute ReadDetecting Dubious Domains with Levenshtein, Shannon & URL Toolbox
Got some parsed fields that you're ready to analyze... possibly for threat hunting? We'll use Levenshtein, Shannon & URL Toolbox to show you how!
Security3 Minute ReadParsing Domains with URL Toolbox (Just Like House Slytherin)
One of the most popular Splunk security apps of all time, URL Toolbox’s URL parsing capabilities have been leveraged by thousands. Full story here.
Security10 Minute ReadTake a SIP: A Refreshing Look at Subject Interface Packages
Splunker Michael Haag dives into Subject Interface Packages (SIPs) and their role in Windows security, exploring how SIPs can be exploited by malicious actors to bypass security measures and sign malicious code.
Security3 Minute ReadSplunk SOAR 6.2 Introduces New Automation Features, Workload Migration, and Firewall Integrations
Announcing the release of Splunk SOAR 6.2 with features like logic loops for playbooks, integrations with CyberArk, two new firewall apps, and a new conversion option for classic playbooks.- Security3 Minute Read
Staff Picks for Splunk Security Reading November 2023
Splunk security experts share their list of presentations, whitepapers, and customer case studies from November 2023 that they feel are worth a read. 
Security5 Minute ReadUsing eval to Calculate, Appraise, Classify, Estimate & Threat Hunt
This article discusses a foundational capability within Splunk — the eval command. Need to pick a couple commands for your desert island collection? eval should be one!
Security4 Minute ReadUsing RegEx for Threat Hunting (It’s Not Gibberish, We Promise!)
Another excellent tool for your threat hunting: RegEx! SPL offers two commands for utilizing regular expressions in Splunk searches. See how to do it here.
Security8 Minute ReadCompliance Essentials for Splunk 2.1.0
Announcing the latest on Compliance Essentials for Splunk, an essential part of your toolkit to help your organization maintain and monitor your compliance status and cyber resiliency with various frameworks.
Security6 Minute ReadStat! 3 Must-Have Data Filtering Techniques
To hunt for threats, there's a lot of data you do NOT need. Here are the 3 must-have data filtering techniques so you can hunt those threats STAT!
Security5 Minute ReadEnhance Security Resilience Through Splunk User Behavior Analytics VPN Models
This blog introduces new machine learning models in Splunk UBA for VPN connection monitoring to enhance WFH security resilience.
Security10 Minute ReadMore Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities
The Splunk Threat Research Team (STRT) provides a deep-dive analysis of NjRAT (or Bladabindi), a Remote Access Trojan (RAT) discovered in 2012 that's still active today.
Security5 Minute ReadDetect WS_FTP Server Exploitation with Splunk Attack Range
The Splunk Threat Research Team shares how they used Splunk Attack Range to develop detection content related to CVE-2023-40044.- Security4 Minute Read
Staff Picks for Splunk Security Reading October 2023
Splunk security experts share their list of presentations, whitepapers, and customer case studies from October 2023 that they feel are worth a read. 
Security3 Minute ReadEducating the Next Generation of Cyber Defenders
Splunk's Eric Fusilero emphasizes the need for cyber defender education and aligns with the National Cyber Workforce Strategy, offering training and scholarships.
Security3 Minute ReadIntroducing Splunk Add-On for Splunk Attack Analyzer & Splunk App for Splunk Attack Analyzer
Announcing the launch of the Splunk Add-on for Splunk Attack Analyzer and Splunk App for Splunk Attack Analyzer.- Security2 Minute Read
Splunk Named #1 SIEM Provider in the 2022 IDC Market Share for SIEM for 3rd Time in a Row
Splunk has been named as the #1 SIEM provider in the 2022 IDC Market Share for SIEM for the third time in a row. - Security3 Minute Read
Driving the vSOC with Splunk
Splunker Jim Goodrich explains how Splunk drives innovation for the Vehicle Security Operations Center (vSOC). 
Security3 Minute ReadHow to Install and Configure Infosec Multicloud
Learn how to set up and optimize InfoSec MultiCloud for Splunk to help maximize your cloud security effortlessly in our step-by-step guide.
Security1 Minute ReadSplunk Wins Awards for SIEM, SOAR and More
Splunk wins four PeerSpot Tech Leader awards in the SIEM and SOAR categories. A special thanks goes out to all the reviewers who shared their Splunk experience.
Security3 Minute ReadSee More, Act Faster, and Simplify Investigations with Customizable Workflows from Splunk Enterprise Security 7.2
Introducing new capabilities that deliver an improved workflow experience for simplified investigations; enhanced visibility and reduced manual workload; and customized investigation workflows for faster decision-making.- Security3 Minute Read
Staff Picks for Splunk Security Reading September 2023
Our Splunk security experts curated their September 2023 list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security5 Minute ReadRevisiting the Big Picture: Macro-level ATT&CK Updates for 2023
SURGe reviews the latest attacker trends and behaviors with this look at four years of ATT&CK data from some of the largest and most trusted threat reporting sources.
Security8 Minute ReadDefending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT
The Splunk Threat Research Team provides a deep-dive analysis of Ave Maria RAT, also known as 'Warzone RAT.'
Security9 Minute ReadMockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs
Splunk's Threat Research Team delves into the attack's components, usage of tools like Mockbin and headless browsers, and provides guidance on detecting such activities.
Security4 Minute ReadUsing metadata & tstats for Threat Hunting
Behold the power of metadata and tstats commands! These commands will quickly provide situational awareness of your hosts and sourcetypes as you begin hunting.
Security5 Minute ReadUsing stats, eventstats & streamstats for Threat Hunting…Stat!
The stats command is a crucial capability when you’re threat hunting. And so are two related commands: eventstats & streamstats. Get all the details, right here.
Security6 Minute ReadThreat Hunting for Dictionary-DGA with PEAK
Explore applied model-assisted threat hunting for dictionary-based domain generation algorithms using the SURGe Security Research Team's PEAK Threat Hunting Framework.
Security4 Minute ReadDeep Learning in Security: Text-based Phishing Email Detection with BERT Model
We introduced a large language model (LLM)-based phishing email detector integrated into the Splunk DSDL app. We provide details on model training and evaluation, comparisons to other machine learning and deep learning algorithms as well as deployment approaches to Splunk in this blog.
Security9 Minute ReadSharing is Not Caring: Hunting for Network Share Discovery
This post offers a practical guide to enhancing detection strategies against network share discovery, a technique often used by threat actors.- Security4 Minute Read
Staff Picks for Splunk Security Reading August 2023
Splunk security experts share a list of presentations, whitepapers, and customer case studies from August 2023 that they feel are worth a read. 
Security2 Minute ReadSplunk Security Use Cases
- Security4 Minute Read
Key Threat Hunting Deliverables with PEAK
When most people think of threat hunting, they think of uncovering unknown threats – but that is only one of many (better) reasons to show value with threat hunting. 
Security4 Minute ReadUnified Strategies Across IT and Security for Cutting-Edge Detection, Investigation and Response
Splunk's Mike Horn shares a closer look at the value of a unified approach to security and observability.
Security8 Minute ReadDetecting Lateral Movement Using Splunk User Behavior Analytics
The blog is to introduce lateral movement detection using Splunk User Behavior Analytics (UBA)
Security1 Minute ReadIntegrated Intelligence Enrichment With Threat Intelligence Management
Threat Intelligence Management enables analysts to fully investigate security events or suspicious activity by providing the relevant and normalized intelligence to better understand threat context and accelerate time to triage.
Security2 Minute ReadSplunk SOAR Playbook of the Month: Investigations with Playbooks
For this month’s edition of Playbook of the Month, we’ll look at how you can perform investigations at machine speed using Splunk SOAR and one of our investigation playbooks, Internal Host WinRM Investigate.
Security4 Minute ReadUsing Splunk Stream for Hunting: Finding Islands in the Stream (of Data)
Let's look at how to use the popular Splunk Stream App for our favorite purpose: threat hunting! This is part of our Threat Hunting with Splunk series.
Security2 Minute ReadThat Was Easy! Manage Lookup Files and Backups With the Splunk App for Lookup File Editing
The 4.0.1 release of the App for Lookup File Editing helps users mitigate issues with new features such as a backup size limit and dashboards for tracking backup size.
Security2 Minute ReadUnveiling Splunk UBA 5.3: Power and Precision in One Package
Splunk celebrates the launch of User Behavior Analytics (UBA) 5.3, introducing the 20 Node XL cluster, innovative Splunk UBA models, and essential system and security upgrades.
Security2 Minute ReadMaking Sense of the New SEC Cybersecurity Rules and What They Could Mean for Your Company
The United States Securities and Exchange Commission’s (SEC) July 26 approval of new cybersecurity 'incident' disclosure rules is top of mind for every public company, and understanding what it means and how companies will be held accountable is crucial.- Security3 Minute Read
Open Cybersecurity Schema Framework (OCSF) Takes Flight with v1.0 Schema Release
The Open Cybersecurity Schema Framework (OCSF) celebrates its first anniversary with the launch of a new open data schema. 
Security1 Minute ReadBOTS at .conf23 Wrap Up and Worldwide BOTS Day!
After four hours, 56 New Wave songs, a make-your-own donut bar, and a ton of fun, BOTS v8 made its successful debut at .conf23
Security4 Minute ReadUsing the Lookup Command for Threat Hunting (Lookup Before You Go-Go)
Lookup commands are basically the #1 place to start any threat hunt in Splunk. Get the expert directions here.- Security5 Minute Read
Measuring Hunting Success with PEAK
Splunker David Bianco explains how an effective threat hunting program is one of the best ways to drive positive change across an organization’s entire security posture. 
Security1 Minute ReadHeading to Black Hat? Splunk’s Countdown Is On
Join Splunk at Black Hat 2023 to explore Splunk Attack Analyzer, SURGe research on Chrome browser extension risks, and the latest detection engineering tools from the Splunk Threat Research Team.- Security4 Minute Read
Turning Hunts Into Detections with PEAK
In this post, we’re going to look at something the PEAK framework refers to as the Hierarchy of Detection Outputs. - Security3 Minute Read
Staff Picks for Splunk Security Reading July 2023
Welcome to the July 2023 edition of our Splunk staff picks blog, featuring a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security8 Minute ReadAmadey Threat Analysis and Detections
The Splunk Threat Research Team shares a deep-dive analysis of the Amadey Trojan Stealer, an active and prominent malware that first emerged on the cybersecurity landscape in 2018 and has maintained a persistent botnet infrastructure ever since.
Security2 Minute ReadDevSecOps is Here! Developers and SREs, Meet the SOC Team.
As organizations strive to enhance the cyber resilience of their operations, the scope of SOC teams is expanding beyond traditional enterprise IT. Find out more in this blog.
Security2 Minute ReadSplunk SOAR Playbook of the Month: Threat Hunting with Playbooks
For this month’s edition of Playbook of the Month, we’ll look at how you can use Splunk SOAR’s Hunting playbook to perform threat hunting activities at machine speed.- Security9 Minute Read
Baseline Hunting with the PEAK Framework
Splunker David Bianco provides an in-depth look at baseline hunts, also known as Exploratory Data Analysis (EDA) hunts. 
Security8 Minute ReadMachine Learning in Security: Detect DNS Data Exfiltration Using Deep Learning
This blog discusses in detail about detecting DNS data exfiltration attacks using deep learning
Security12 Minute ReadPeeping Through Windows (Logs): Using Sysmon & Event Codes for Threat Hunting
Windows and endpoints go together like threat hunting and Splunk. Let's look at the most valuable Sysmon event codes for threat hunting in Splunk.
Security7 Minute ReadUK TSA Regulations: SOC Teams, Get Ready!
The UK Telecommunications Security Act (TSA) compliance is coming and will be a new challenge for SOC teams. Splunk security evangelist Matthias Maier takes a closer look at requirements and shares an end-to-end use case as an example.- Security5 Minute Read
Staff Picks for Splunk Security Reading June 2023
Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security4 Minute ReadThreat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
Curious about threat hunting in Splunk? Wanna brush up on your baddie-finding skills? Here's the place to find every one of our expert articles for hunting with Splunk.
Security2 Minute ReadIdentifying BOD 23-02 Network Management Interfaces with Splunk
Splunker Drew Church explains the CISA-released directive to reduce risk from internet-exposed management interfaces, highlighting the threat of external remote services.
Security4 Minute ReadThe Lessons Learned in Cybersecurity 25 Years Ago Are Still Applicable to AI Today
Splunk's Paul Kurtz explores what we can learn from past events as AI accelerates the future.
Security11 Minute ReadThe Security Detail Podcast: Exploring Cyber Threats Across Different Industries
SURGe, Splunk’s strategic security research team, examines the cyber threat landscape across different industries in a new podcast series called The Security Detail.
Security7 Minute ReadDetecting DNS Exfiltration with Splunk: Hunting Your DNS Dragons
DNS data is an all-too-common place for threats. Find out how to use Splunk to hunt for threats in your DNS. We will slay those DNS dragons.
Security9 Minute ReadDon’t Get a PaperCut: Analyzing CVE-2023-27350
The Splunk Threat Research team shares insights on the CVE-2023-27350 vulnerability, proof of concept scripts, setting up Splunk logging, and detecting adversaries for secure printing.
Security3 Minute ReadSplunk SOAR Playbook of the Month: Tackling Phishing Attempts with Identifier Reputation Analysis
Learn how you can use Splunk's identifier reputation analysis playbooks to implement a workflow that will help your team automate the alert and quarantine processes for potential threats based on key identifiers.
Security11 Minute ReadDo Not Cross The 'RedLine' Stealer: Detections and Analysis
The Splunk Threat Research Team provides a deep dive analysis of the RedLine Stealer threat and shares valuable insights to help enable blue teamers to defend against and detect this malware variant.- Security3 Minute Read
Staff Picks for Splunk Security Reading May 2023
Welcome to the Splunk staff picks, featuring a curated list of presentations, whitepapers, and customer case studies that our Splunk security experts feel are worth a read. 
Security2 Minute ReadOCSF Goes Into High Gear with Amazon Security Lake Launch and New OCSF Release Candidate
Splunk's Paul Agbabian shares two new major OCSF developments – the general availability of Amazon Security Lake and Splunk Add-On for AWS v.7.0, and Release Candidate 3 launching for public review.
Security4 Minute ReadYour Roadmap to Success with Risk-Based Alerting
Splunker Haylee Mills dives deeper into the four levels of the Splunk Risk-Based Alerting journey.
Security9 Minute ReadModel-Assisted Threat Hunting (M-ATH) with the PEAK Framework
Welcome to the third entry in our introduction to the PEAK Threat Hunting Framework! Taking our detective theme to the next level, imagine a tough case where you need to call in a specialized investigator. For these unique cases, we can use algorithmically-driven approaches called Model-Assisted Threat Hunting (M-ATH).
Security10 Minute ReadTrust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
In this blog post, we dive into our recent research project, in which the Splunk SURGe team analyzed more than five billion TLS certificates to find out if the CAs we rely on are really worthy of our trust.
Security3 Minute ReadSplunk Field Hashing & Masking Capabilities for Compliance
Satisfy internal and external compliance requirements using Splunk standard components.
Security5 Minute ReadSecurity Content from the Splunk Threat Research Team
The blog explains how STRT develops Splunk Security Content, aiding detection engineering and threat research teams to efficiently detect and respond to potential threats, using ESCU App amidst growing security incidents and system complexity.- Security9 Minute Read
Hypothesis-Driven Hunting with the PEAK Framework
Details on hypothesis-driven threat hunting with the PEAK framework. 
Security4 Minute ReadPlanning for Success with Risk-Based Alerting
In our last RBA blog post, we talked about some of the problems RBA can help solve. In this post, we explain the methodology we use with Splunk customers as their security teams start working with RBA.
Security8 Minute ReadMachine Learning in Security: Detect Suspicious TXT Records Using Deep Learning
The Splunk Machine Learning for Security (SMLS) team introduces a new detection to detect DNS Tunneling using DNS TXT payloads.
Security7 Minute Read7 questions all CxOs should ask to increase cyber resilience before buying more software
Here are 7 questions you should always ask to help your organisation to make the best possible purchase and increase its cyber resilience at the same time.
Security8 Minute ReadPaws in the Pickle Jar: Risk & Vulnerability in the Model-sharing Ecosystem
As AI / Machine Learning (ML) systems now support millions of daily users, has our understanding of the relevant security risks kept pace with this wild rate of adoption?- Security5 Minute Read
Staff Picks for Splunk Security Reading April 2023
Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. We hope you enjoy. - Security2 Minute Read
Open Cybersecurity Schema Framework (OCSF) Gains Momentum
Splunk's Paul Agbabian shares a look back at the key developments and enhancements to the Open Cybersecurity Schema Framework (OCSF) since its launch in August 2022. 
Security7 Minute ReadThreat Update: AwfulShred Script Wiper
The Splunk Threat Research Team shares their findings on the Linux-targeted destructive payload AwfulShred.
Security2 Minute ReadSplunk Gets the Hat Trick!
Splunk Enterprise Security was named a leader in SIEM and security analytics by three analyst firms - Forrester, IDC and a third analyst firm. In fact, Splunk is the only SIEM provider to be named a “Leader” in SIEM by all three top analyst reports.- Security4 Minute Read
Introducing the PEAK Threat Hunting Framework
Introducing the PEAK Threat Hunting Framework, bringing a fresh perspective to threat hunting and incorporating three distinct types of hunts. 
Security3 Minute ReadSend Your SOAR Events to Splunk
Make your SIEM your single point of truth by ingesting events that are otherwise seen only by Splunk Security, Orchestration, Automation and Response (SOAR).
Security15 Minute ReadThese Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers
The Splunk Threat Research Team explores how to detect and prevent malicious drivers and discusses Splunk Security Content available to defend against these types of attacks.
Security10 Minute ReadAddressing CISOs AI Anxieties Through Resilience
Splunk's Paul Kurtz explores how CISOs’ jobs will become more complex as they address AI-driven attacks, automated vulnerability exploitation, battle data poisoning, or deep fakes that make current phishing tactics look quaint.
Security3 Minute ReadLevel Up Your Cybersecurity with Risk-Based Alerting
In our first blog in the Splunk RBA series, we introduced Risk-Based Alerting (RBA) and covered the basic principles of RBA. In the rest of this series, we explain how you can plan and then implement RBA within your organization.
Security3 Minute ReadSplunk Unified Security Operations for Digital Resilience at RSA Conference 2023
Splunk is excited to be joining the cybersecurity community back at the Moscone Center in April for RSA Conference 2023, and to share how we can help unify, simplify and modernize your security operations.
Security5 Minute ReadBaselining and Beyond: What's New in OT Security Add-On v2.2
Splunk has released a new version of OT Security Add-On, designed to help organizations understand their cybersecurity risks, improve their security monitoring, and better detect and react to industrial cybersecurity threats.
Security4 Minute ReadThe State of Security 2023: Collaboration Is Essential For Building Resilience
Explore the trends and findings in our new report, The State of Security 2023, detailing research on the challenges and opportunities ahead for security leaders and teams.
Security6 Minute ReadUsing Workflow Actions & OSINT for Threat Hunting in Splunk
Two things will make you a more efficient & effective security analyst: OSINT and workflow actions in Splunk. We've got you covered in this article.
Security9 Minute ReadSplunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
In this Splunk blog post, we aim to equip defenders with the necessary tools and strategies to actively hunt down and counteract this campaign. Additionally, we will offer some resilient analytic ideas that can serve as a foundation for future threat detection and response efforts.
Security2 Minute ReadWho's the Boss? EMEA Boss Of The SOC DAY 2023
Boss of the SOC (BOTS) is Splunk’s blue-team capture the flag-esque competition in which defenders use Splunk’s suite of security products to find APT threats, discover attacks and figure out what happened to our favorite virtual organization “Frothly Brewing Co.”
Security5 Minute ReadWhat Generative AI Means For Cybersecurity: Risk & Reward
Learn the risks and rewards of generative AI in cybersecurity.- Security5 Minute Read
Staff Picks for Splunk Security Reading March 2023
In this month's Staff Picks blog, our Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security9 Minute ReadAsyncRAT Crusade: Detections and Defense
The Splunk Threat Research Team explores detections and defense against the Microsoft OneNote AsyncRAT malware campaign.
Security3 Minute ReadMy Username Fields Have Passwords in Them! What Do I Do?
Sometimes, users put their password into a username field and it gets logged into Splunk – learn how to identify this behavior and remediate it with SOAR.
Security11 Minute ReadBreaking the Chain: Defending Against Certificate Services Abuse
Explore the common certificate abuses leveraged by current and relevant adversaries in the wild, the multiple methods they use to obtain certificates, how to gather relevant logs and ways to mitigate adversaries stealing certificates.
Security7 Minute ReadMachine Learning in Security: Detecting Suspicious Processes Using Recurrent Neural Networks
Splunk's Kumar Sharad explains how to detect suspicious processes using recurrent neural networks.
Security4 Minute ReadStrengthen Digital Resilience with Unified Security Operations
Splunk Mission Control offers a unified, simplified, and modernized security operations experience which reduces complexity and reduces risk.
Security7 Minute ReadOvercome Cybersecurity Challenges to Improve Digital Resilience
Discover how embracing automation, unifying security operations and tackling security as a data problem helps organizations overcome the challenges posed to cybersecurity effectiveness and digital resilience.
Security4 Minute ReadThreat Advisory: SwiftSlicer Wiper STRT-TA03
The Splunk Threat Research Team shares a closer look at the SwiftSlicer wiper, a new payload discovered by ESET and found in a recent January 2023 campaign.
Security5 Minute ReadDon’t boil the ocean: A technologist’s take on prioritisation in sustainability
Even if manufacturing isn’t close to your heart, you’d have to be pretty cold not to care about sustainability in 2023. Let's get a technologist’s take on prioritisation in sustainability.
Security1 Minute ReadSplunk Observability & Security Weeks - Best Practices for Strong Cyber Resilience and Business Success
This March, we are holding two weeks of virtual sessions across EMEA, packed with thought provoking and educational content to suit everyone. Whether your area of expertise is in security or IT & observability — we’ve got you covered.- Security3 Minute Read
Staff Picks for Splunk Security Reading February 2023
Explore the latest list of presentations, whitepapers, and customer case studies that our Splunk security experts feel are worth a read. 
Security8 Minute ReadFantastic IIS Modules and How to Find Them
This blog showcases how to enable and ingest IIS operational logs, utilize PowerShell scripted inputs to ingest installed modules and simulate AppCmd and PowerShell adding new IIS modules and disable HTTP logging using Atomic Red Team.
Security7 Minute ReadAll the Proxy(Not)Shells
The Splunk Threat Research Team walks through exploitation of ProxyShell and ProxyNotShell using MetaSploit, and hunts through data in Splunk to showcase different avenues for defenders to identify malicious activity.
Security5 Minute ReadUsing MITRE ATT&CK in Splunk Security Essentials
Discover how you can use the ATT&CK framework for a wide array of use cases and to answer a wide range of questions in Splunk Security Essentials (SSE).- Security5 Minute Read
Staff Picks for Splunk Security Reading January 2023
Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security2 Minute ReadAll of Us Can Defend Each of Us
Splunk's Global Security Strategist Mick Baccio shares his experience attending Hackers on the Hill and invites you to join him and SURGe leader, Ryan Kovar, for the Data Security Predictions 2023 webinar.
Security5 Minute ReadDetect Faster, Rapidly Scope an Incident, and Streamline Security Workflows with Splunk Enterprise Security 7.1
Splunk Enterprise Security 7.1 offers new capabilities to help security teams detect suspicious behavior in real-time, quickly discover the scope of an incident to respond accurately, and improve security workflow efficiencies using embedded frameworks.
Security2 Minute ReadPutting the 'E' in Team: Solution Integration Enablement for Security Build Motion Partners
Cybersecurity requires a strong team – that's why Splunk has developed a new enablement course for our security partners to help create a better team for our customers.
Security13 Minute ReadFrom Registry With Love: Malware Registry Abuses
The Splunk Threat Research Team explores the common Windows Registry abuses leveraged by current and relevant malware families in the wild and how to detect them.
Security3 Minute ReadIntroducing Attack Range v3.0
Explore the new features introduced in version 3.0 of the Splunk Attack Range, aimed at helping you build resilient, high-quality threat detections.
Security3 Minute ReadPCI Compliance Done Right with Splunk
Check out the added features to support PCI compliance in the latest Splunk App for PCI Compliance version 5.1, now generally available.
Security8 Minute ReadCISA Top Malware Summary
This blog summarizes the Splunk Threat Research Team’s (STRT) recent review of the CISA Top 10 Malware strains for the year 2021 report.
Security3 Minute ReadUnknown and unseen, the cyberwar between Crimsonia and Berylia
First week of December, unbeknown to many the island of Berylia engaged in cyberwarfare with their neighbors Crimsonia after a number of months of heightened tensions. The goal of the Berylian attackers was to disable as many critical infrastructure components of the Crimsonian Ministry of Defense in order to prevent the Crimsonian Navy from sailing. This would give the Berylian fleet the time to aid and protect critical locations and assets.
Security1 Minute ReadSplunk Named a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022
We’re thrilled to share that Splunk has been named a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022.- Security3 Minute Read
Staff Picks for Splunk Security Reading December 2022
Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security2 Minute ReadUsing Splunk to Secure Your Productivity and Team Collaboration Environment
See how Splunk helps teams work and collaborate securely while using Google Chrome and Google Workspace.
Security2 Minute ReadDo More with Splunk Security Essentials 3.7.0
Check out some highlights of the new features available in Splunk Security Essentials 3.7.0.
Security2 Minute ReadSplunk Named a Leader in the 2022 IDC MarketScape for SIEM
See why Splunk earned a spot in the 'Leaders' category in the 2022 IDC MarketScape for worldwide SIEM software.
Security2 Minute ReadVisualising a Space of JA3 Signatures With Splunk
One common misconception about machine learning methodologies is that they can completely remove the need for humans to understand the data they are working with. In reality, it can often place a greater burden on an analyst or engineer to ensure that their data meets the requirements, cleanliness and standardization assumed by the methodologies used. However, when the complexity of the data becomes significant, how is a human supposed to keep up? One methodology is to use ML to find ways to keep a human in the loop!
Security8 Minute ReadMachine Learning in Security: Deep Learning Based DGA Detection with a Pre-trained Model
The Splunk Machine Learning for Security team introduces a new detection to detect Domain Generation Algorithms generated domains.
Security10 Minute ReadDetecting Cloud Account Takeover Attacks: Threat Research Release, October 2022
The Splunk Threat Research Team shares a closer look at the telemetry available in Azure, AWS and GCP and the options teams have to ingest this data into Splunk.
Security13 Minute ReadFrom Macros to No Macros: Continuous Malware Improvements by QakBot
This blog, the Splunk Threat Research Team (STRT) showcases a year's evolution of QakBot. We also dive into a recent change in tradecraft meant to evade security controls. Last, we reverse engineered the QakBot loader to showcase some of its functions.
Security2 Minute ReadSplunk Integrates with Amazon Security Lake to Deliver Analytics Using the Open Cybersecurity Schema Framework
We're proud to be one of the early partners of Amazon Security Lake, allowing joint Splunk and AWS customers to efficiently ingest the OCSF-compliant data to help improve threat detection, investigation and response.
Security2 Minute ReadHow Good is ClamAV at Detecting Commodity Malware?
We ran over 400,000 instances of malware to see how good ClamAV really is. Here's the data.
Security6 Minute ReadNIS2 is coming… What does it mean?
On 28th November, European Member States formally adopted the revision of the Network and Information Security Directive (NIS2) (EN, DE, FR). The Directive will enter into force before the end of the year, but will only be applicable after EU Member States transpose the Directive into national law - by September 2024. So now is the time for a heads-up about the upcoming changes and what they will mean for your cybersecurity operations.- Security2 Minute Read
Staff Picks for Splunk Security Reading November 2022
Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. We hope you enjoy. 
Security3 Minute ReadExplore the Splunk SOAR Adoption Maturity Model
SOAR helps you orchestrate security workflows and automate tasks in seconds to empower your SOC, work smarter and respond faster. Increasingly, security automation is becoming seen as a milestone in maturing your security operations. And maturing security operations is something all organizations need to do, with the rising threat of attacks and threats of all kinds.
Security5 Minute ReadThis Feels Scripted: Zeek Scripting and Splunk
Splunker Shannon Davis shares a closer look at updated searches for detecting SpookySSL.
Security12 Minute ReadInside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis
The Splunk Threat Research Team (STRT) describes the different tactics, techniques and procedures mapped to the ATT&CK framework leveraged by the Agent Tesla remote access trojan.
Security2 Minute ReadSOC, Amore Mio! Following .italo's Tracks to a More Mature SOC
Recently I sat down with Enrico Maresca, CISO of .italo, to discuss their security operations strategy and double click into multiple lessons learned and best practices. Enrico shared insight into what good looks like when communicating to the Board of Directors, discussed cyber security topics and SecOps use case development strategies.
Security2 Minute ReadDORA will accelerate cloud migration in Financial Services
The much-anticipated Digital Operational Resilience Act (DORA) is finally here. This Regulation, applicable across the 27 EU Member States, provides a set of guidelines via which financial services organisations will need to prove that they are operationally resilient, i.e, they are able to withstand any unforeseen shocks.
Security2 Minute ReadSplunk Security Award-Winning Momentum in 2022
See why analysts continue to recognize that Splunk Security is a must-have when it comes to the need for SIEM and SOAR solutions.
Security12 Minute ReadNothing PUNY About OpenSSL (CVE-2022-3602)
The Splunk SURGe team shares an outline of their interpretation of the CVE-2022-3602 vulnerability and what you can do to detect it in your environment.- Security3 Minute Read
Staff Picks for Splunk Security Reading October 2022
Check out October's list of presentations, whitepapers, and customer case studies that our Splunk security experts feel are worth a read. 
Security2 Minute ReadThe people have spoken and Splunk wins twice at the ITAwards
You know that us Splunkers love to go deep into use cases and figure out what helps our customers the most. However in today’s business world, industry recognition goes a long way in proving the value in the products and services we use.
Security9 Minute ReadDark Crystal RAT Agent Deep Dive
The Splunk Threat Research Team (STRT) analyzed and developed Splunk analytics for this RAT to help defenders identify signs of compromise within their networks.
Security2 Minute ReadSplunk Security with the Infosec App
Get an overview of the InfoSec App for Splunk and learn more about what customers can achieve with it.
Security3 Minute ReadPlay Now with BOTS Partner Experiences: Okta
Introducing our third BOTS Partner Experience with Identity-as-a-Service provider Okta!
Security3 Minute Read2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Consecutive Year
Splunk has been named a Leader in the 2022 Gartner Magic Quadrant for Security Information and Event Management, marking the ninth consecutive year for Splunk in the Leaders Quadrant.
Security2 Minute ReadDetect Fraud Sooner with the Splunk App for Fraud Analytics
Leverage your data to detect, investigate and respond to fraud sooner with the Splunk App for Fraud Analytics.
Security3 Minute ReadFederated Search for Security
Splunker Johan Bjerke outlines some of the new security use cases Federated Search enables across Splunk deployments.
Security11 Minute ReadDeliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis
The Splunk Threat Research Team shares how they utilized public research to capture Brute Ratel Badgers (agents) and create a Yara rule to help identify more on VirusTotal.- Security3 Minute Read
Staff Picks for Splunk Security Reading September 2022
Check out the latest staff picks from Splunk security experts, featuring presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security7 Minute ReadMachine Learning in Security: NLP Based Risky SPL Detection with a Pre-trained Model
The Splunk Threat Research Team shares a closer look at a hunting analytic and two machine learning-based detections that help find users running highly suspicious risky SPL commands.
Security5 Minute ReadFollina for Protocol Handlers
The Splunk Threat Research Team shares how to identify protocol handlers on an endpoint, different ways to simulate adversary tradecraft that utilizes a protocol handler, and a piece of inspiring hunting content to help defenders identify protocol handlers being used in their environment.- Security1 Minute Read
Americas' BOTS Day '22
With less than a month to go before Americas' BOTS Day '22, we thought it would be the perfect time to explain what’s happening and how the day will go. 
Security24 Minute ReadAppLocker Rules as Defense Evasion: Complete Analysis
The Splunk Threat Research Team analyzes 'Azorult loader' (a payload that imports its own AppLocker rules) to understand the tactics and techniques that may help defend against these types of threats.- Security2 Minute Read
Staff Picks for Splunk Security Reading August 2022
Check out the latest staff picks from our Splunk security experts, featuring a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security2 Minute ReadIntroducing the Ransomware Content Browser
Learn more about the Ransomware Content Browser recently released inside Splunk Security Essentials, aimed at helping customers combat the problem of ransomware.
Security3 Minute ReadSplunk Announces Participation in the Open Cybersecurity Schema Framework (OCSF) Project
Announcing our participation as a co-founder of the new public Open Cybersecurity Schema Framework (OCSF) open-source project at Black Hat 2022.- Security2 Minute Read
Security Made Stronger with Splunk User Behavior Analytics (UBA) Version 5.1
Announcing the availability of User Behavior Analytics (UBA) version 5.1 - Security2 Minute Read
Staff Picks for Splunk Security Reading July 2022
Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. 
Security6 Minute ReadML Detection of Risky Command Exploit
Discover how to use machine learning algorithms to develop methods for detecting misuse or abuse of risky SPL commands to further pinpoint a true security threat.
Security2 Minute ReadSplunk Security Essentials 3.6.0: A Holistic View of Your Security
Check out all the new features being released in Splunk Security Essentials 3.6.0.
Security3 Minute Read3 Important German BSI Documents Every SIEM & SOC Manager Needs To Know About
The German IT Security Act 2.0 (IT-SiG 2.0) has been in force for some time now. Due to this new law, significantly more German companies have been classified as operators of critial infrastructures (KRITIS) than ever. This is a major cause of headaches for many managers. In addition, IT departments are starting to ask themselves: "Are we now regarded as KRITIS"? And if so, "What do we have to take into consideration?" Splunker Matthias Maier shares the 3 most important BSI documents every SIEM and SOC manager needs to know about.
Security6 Minute ReadIntroducing Splunk Attack Range v2.0
The Splunk Attack Range project has officially reached the v2.0 release with a host of new features – get all the details from the Splunk Threat Research Team.- Security2 Minute Read
Staff Picks for Splunk Security Reading June 2022
Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. To check out our previous staff security picks, take a peek here. We hope you enjoy. 
Security4 Minute ReadSecurity Advisories for Splunk 9.0
On June 14, 2022 Splunk published eight Security Advisories regarding vulnerabilities related to Splunk Enterprise and Splunk Cloud Platform. To help you leverage the available resources we’ve gathered a number of resources in this post.
Security4 Minute ReadSANS 2022 SOC Survey: A Look Inside
Check out this detailed summary of the SANS 2022 SOC Survey sponsored by Splunk to explore the latest trends in security operations.
Security11 Minute ReadThreat Update: Industroyer2
The Splunk Threat Research Team offers an analysis of relevant detection opportunities of one of the new malicious payloads found by the Ukranian CERT named 'Industroyer2.'
Security7 Minute ReadAtlassian Confluence Vulnerability CVE-2022-26134
Get a closer look at the Atlassian Confluence Vulnerability CVE-2022-26134, including a breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.
Security8 Minute ReadTruth in Malvertising?
The Splunk SURGe team tests the veracity of the findings from LockBit's February 2021 study on ransomware encryption speeds.
Security7 Minute ReadRCE à La Follina (CVE-2022-30190)
The Splunk SURGe team offers a closer look into the Follina MS Office RCE, including a breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.- Security2 Minute Read
Publish Your Splunk SOAR Apps Faster
The process for our technology partners to publish their SOAR Apps to Splunkbase just got faster and simpler. - Security3 Minute Read
Staff Picks for Splunk Security Reading May 2022
Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. We hope you enjoy. 
Security10 Minute ReadThreat Update: AcidRain Wiper
The Splunk Threat Research Team shares the details on the new malicious payload named AcidRain, designed to wipe modem or router devices (CPEs).- Security5 Minute Read
How Playbook Packs Drive Scalable Automation
See how pre-built Playbook Packs from Splunk can help augment your security analysts with automation that scales with your organization’s maturity. 
Security10 Minute ReadSpringing 4 Shells: The Tale of Two Spring CVEs
The Splunk Threat Research Team (STRT) shares detection opportunities in different stages of successful Spring4Shell exploitation.- Security14 Minute Read
Detecting Active Directory Kerberos Attacks: Threat Research Release, March 2022
Learn more about the Splunk Threat Research Team's new analytic story to help SOC analysts detect adversaries abusing the Kerberos protocol to attack Windows Active Directory environments 
Security3 Minute ReadSplunk SOAR Recognized in Forrester Now Tech: SOAR, Q2 2022 Report
Splunk SOAR recognized within Forrester’s report Now Tech: Security Orchestration, Automation, And Response (SOAR), Q2 2022.
Security3 Minute ReadBringing Data-Centric Security to RSAC 2022
Check out what Splunk has in store at RSA Conference 2022, including theater sessions, demos and a keynote presentation from Splunk CEO Gary Steele.
Security6 Minute ReadThreat Update: Cyclops Blink
The Splunk Threat Research Team shares the latest on the payload named Cyclops Blink, which seems to target Customer Premise Equipment devices (CPE) generally prevalent in commercial and residential locations enabling internet connectivity.
Security9 Minute ReadCI/CD Detection Engineering: Dockerizing for Scale, Part 4
Get the latest from the Splunk Threat Research Team on CI/CD Detection Engineering.
Security4 Minute ReadAnswered: Your Most Burning Questions About Planning And Operationalizing MITRE ATT&CK
You asked, we answered. Splunker Matthias Maier compiled all of your most burning questions about planning and operationalizing MITRE ATT&CK in a blog post. Read all about it here.- Security2 Minute Read
Staff Picks for Splunk Security Reading April 2022
Check out our Splunk security experts' curated list of presentations, white papers, and customer case studies that we feel are worth a read in the month of April. 
Security2 Minute ReadThe Upsurge in Ransomware Attacks in Australia and Opportunities to Protect Data
Splunk's Mark Troselj explores the findings of Splunk SURGe's recent ransomware report and explains the importance of making risk mitigation a proactive and strategic focus.
Security5 Minute ReadSTRT-TA03 CPE - Destructive Software
The Splunk Threat Research Team is monitoring several malicious payloads targeting Customer Premise Equipment (CPE) devices. These are defined as devices that are at customer (Commercial, Residential) premises and that provide connectivity and services to the internet backbone
Security2 Minute ReadPlay Now with BOTS Partner Experiences: Dragos
We are pleased to announce a new Partner Experience – capture the flag (CTF) on-demand challenges, built by Splunk technology partner Dragos, running in Splunk, hosted on the BOTS platform and available for free!
Security3 Minute ReadState of Security Research Details Essential Strategies for the Year Ahead
Splunk's new research report, The State of Security 2022, shares a closer look into the challenges that security organizations face and the strategies they're relying on.
Security13 Minute ReadYou Bet Your Lsass: Hunting LSASS Access
Dive in as the Splunk Threat Research Team shares how Mimikatz, and a few other tools found in Atomic Red Team, access credentials via LSASS memory.
Security7 Minute ReadRisk-Based Alerting: The New Frontier for SIEM
Risk-Based Alerting (RBA) is an intelligent alerting method with SIEM for security operations to operationalize cyber security frameworks like MITRE ATT&CK, Lockheed Martin's Killchain, or CIS20.
Security4 Minute ReadThreat Update: CaddyWiper
Get a breakdown of the features of the new malicious payload used against Ukraine, CaddyWiper.
Security6 Minute ReadLiving Off The Land: Threat Research February 2022 Release
In this February 2022 release, the Splunk Threat Research Team (STRT) focused on comparing currently created living off the land security content with Sigma and the LOLBas project.
Security5 Minute ReadThreat Update DoubleZero Destructor
The Splunk Threat Research Team shares a closer look at a new malicious payload named DoubleZero Destructor (CERT-UA #4243).- Security2 Minute Read
Staff Picks for Splunk Security Reading March 2022
Check out our Splunk security experts' curated list of presentations, white papers, and customer case studies that we feel are worth a read in the month of March. 
Security4 Minute ReadGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
With the release of SURGe's new ransomware research, Splunker Shannon Davis shares a closer look into measuring how fast ransomware encrypts files.
Security3 Minute ReadRansomware Encrypts Nearly 100,000 Files in Under 45 Minutes
Splunk SURGe Report reveals the need for ransomware prevention over response and mitigation.
Security9 Minute ReadDetecting HermeticWiper
Detecting HermeticWiper destructive software and ransomware decoy with Splunk.
Security10 Minute ReadDeep Dive on Persistence, Privilege Escalation Technique and Detection in Linux Platform
Deep dive with the Splunk Threat Research Team on Linux Privilege Escalation and Linux Persistence Techniques.
Security6 Minute ReadLinux Persistence and Privilege Escalation: Threat Research January 2022 Release
In this January 2022 release, The Splunk Threat Research (STRT) team focused on the recently released Sysmon for Linux technology addition to Splunk.- Security2 Minute Read
Staff Picks for Splunk Security Reading February 2022
Each month, Splunk security experts curate a list of news articles, research, white papers, and customer case studies that we feel are worth a read. We hope you enjoy! 
Security2 Minute ReadIntroducing Synthetic Adversarial Log Objects (SALO)
Synthetic Adversarial Log Objects (SALO) is a framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event. Learn more about its purpose and how you can utilize it.- Security2 Minute Read
Staff Picks for Splunk Security Reading January 2022
Welcome to the Splunk staff picks blog. Each month, Splunk security experts select presentations, white papers, and customer case studies that we feel are worth a read. We hope you enjoy. 
Security11 Minute ReadThreat Advisory: STRT-TA02 - Destructive Software
The focus of this threat advisory is on a recently reported destructive payload by Microsoft MSTIC under the name of WhisperGate. We break down the different components and functions of how this payload works and provide a series of detections to mitigate and defend against this threat.
Security7 Minute ReadApproaching Linux Post-Exploitation with Splunk Attack Range
An introduction to linux post exploitation simulation and threat detection using Splunk Attack Range and linux Sysmon.
Security3 Minute ReadRefined User Experience, New Executive Visibility, and Enhanced Cloud Monitoring with Splunk Enterprise Security 7.0
Check out the latest Security Analytics enhancements to Splunk Enterprise Security with our latest 7.0 release.
Security9 Minute ReadDetecting Malware Script Loaders using Remcos: Threat Research Release December 2021
Start detection against behaviors and TTPs from a Remcos loader that utilizes DynamicWrapperX (dynwrapx.dll) to execute shellcode and inject Remcos RAT into the target process.
Security2 Minute ReadIntroducing ATT&CK Detections Collector
Automate and simplify finding detections against ATT&CK techniques used by adversaries with Splunk SURGe's open-sourced project, ATT&CK Detections Collector (ADA).- Security2 Minute Read
Staff Picks for Splunk Security Reading December 2021
Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, white papers, and customer case studies that we feel are worth a read. 
Security13 Minute ReadSimulating, Detecting, and Responding to Log4Shell with Splunk
Splunk Threat Research Team simulated the Log4j vulnerabilities in the Splunk Attack Range. Using the data collected, we developed 13 new detections and 9 playbooks to help Splunk SOAR customers investigate and respond to this threat.
Security9 Minute ReadLog4Shell - Detecting Log4j Vulnerability (CVE-2021-44228) Continued
Good news, you can use Splunk to proactively hunt using Network Traffic and DNS query logs data sources to detect potential Log4Shell exploit. From Splunk SURGe, learn even more detections against CVE-2021-44228.
Security12 Minute ReadActive Directory Lateral Movement Detection: Threat Research Release, November 2021
The Splunk Threat Research Team recently updated the Active Directory Lateral Movement analytic story to help security operations center (SOC) analysts detect adversaries executing these techniques within Windows Active Directory (AD) environments.
Security9 Minute ReadLog4Shell - Detecting Log4j 2 RCE Using Splunk
A serious remote code execution (RCE) vulnerability (CVE-2021-44228) in the popular open source Apache Log4j logging library poses a threat to thousands of applications and third-party services that leverage this library. From Splunk SURGe, learn how you can detect Log4j 2 RCE using Splunk.
Security6 Minute ReadSplunk For OT Security: Perimeter And Vulnerability Evolution
This blog focuses on the latest enhancements made to Splunk's OT Security Add-on, including highlighting key features and improvements that have been made in version 2.1- Security2 Minute Read
Staff Picks for Splunk Security Reading November 2021
Hello everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, white papers, and customer case studies that we feel are worth a read. We hope you enjoy. 
Security3 Minute ReadHyperledger Fabric Security Monitoring with Splunk
In this post, we demonstrate how to set up effective security monitoring of your Hyperledger Fabric infrastructure. We identify some common threats, recognize key data sources to monitor, and walk through using Splunk to ingest and visualize your data.
Security5 Minute ReadSecuring DevSecOps - Threat Research Release October 2021
Learn how you can secure your development security operations with pre-built and tested Splunk detections and automated playbooks.
Security7 Minute ReadDetecting Remcos Tool Used by FIN7 with Splunk
The following is a walkthrough of Remcos executed via Attack Range Local. We will go over some of the multiple and intrusive operations this remote access tool can execute at compromised hosts.
Security8 Minute ReadFIN7 Tools Resurface in the Field – Splinter or Copycat?
The Splunk Threat Research team addresses the two tools used by the well-organized and highly-skilled criminal group FIN7 — JSS Loader and Remcos.- Security2 Minute Read
Play Now with BOTS Partner Experiences: Corelight
With the official launch of bots.splunk.com, we're pleased to announce Partner Experiences – capture the flag (CTF) on-demand challenges, built by a Splunk technology partner, running in Splunk, hosted on the BOTS platform and available for free. 
Security12 Minute ReadDetecting IcedID... Could It Be A Trickbot Copycat?
IcedID is a trojan that has been used in recent malicious campaigns and with new defense bypass methods.
Security4 Minute ReadCISA’s Known Exploited Vulnerabilities Catalog and Splunk
Accompanying today’s announcement from CISA (BOD 22-01) and their new Known Exploited Vulnerabilities Catalog, SURGe and Splunk Threat Research Team (STRT) have coordinated to add functionality into Enterprise Security Content Updates (ESCU). This added functionality will help network defenders understand vulnerability context alongside relevant ESCU detections.- Security4 Minute Read
Staff Picks for Splunk Security Reading October 2021
Hi everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, white papers, and customer case studies that we feel are worth a read. This month we decided to switch things up and include some of our favorite .conf21 presentations. We hope you enjoy. 
Security3 Minute ReadSplunk Partners with Singapore To Help Companies Enhance Cybersecurity
Raen Lim, Group Vice President, South Asia & Korea, shares how Splunk partners with the Singapore government to help the nation's small and medium-sized enterprises take a proactive stance toward addressing cyber threats.
Security3 Minute ReadLift Your Spirits With Splunk SOAR
Halloween is just around the corner and we’re looking forward to trick-or-treating, donning our best costumes, and watching [scary] movies. Read on to learn how a few of our favorite Halloween movies remind us of our most recent Splunk SOAR updates.
Security4 Minute ReadHigh(er) Fidelity Software Supply Chain Attack Detection
Software supply chain attacks are not going away. As our network defenses improve, adversaries must move up the chain to stay a step ahead of our defenses.
Security2 Minute ReadNo Regrets Using Autoregress
The autoregression command, which is a centralized streaming command, is used to calculate a moving average. Learn how to use this command to gather information, just in time for Boss of the SOC v6!
Security15 Minute ReadActive Directory Discovery Detection: Threat Research Release, September 2021
In this blog post, we’ll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp to then collect and analyze the resulting telemetry to test our detections.
Security6 Minute ReadInvestigating GSuite Phishing Attacks with Splunk
Splunk Threat Research Team (STRT) recently observed a phishing campaign using GSuite Drive file-sharing as a phishing vector. Learn more and deploy detections to prevent them in your environment.
Security3 Minute ReadSplunk and DTEX Systems Leverage Human Telemetry and Zero Trust to Mitigate Insider Risks and Account Compromise
Splunk and DTEX Systems have partnered to offer an integrated solution that captures, analyzes and streams a single, noise-free endpoint data signal.- Security6 Minute Read
Hunting for Malicious PowerShell using Script Block Logging
The Splunk Threat Research Team recently began evaluating ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging to assist enterprise defenders in finding malicious PowerShell scripts. 
Security3 Minute ReadPartner Spotlight: Texas Bankers Association Operationalize Data Across Teams and Tools
TruSTAR, acquired by Splunk, recently spoke with Alvin Mills, TBA’s Vice President of Information Technology and Security to learn why the organization selected TruSTAR as its intelligence management platform for data-centric security automation.- Security4 Minute Read
PowerShell Detections — Threat Research Release, August 2021
Adversaries are using PowerShell attacks, but luckily the Splunk Threat Research Team (STRT) has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell. - Security3 Minute Read
Staff Picks for Splunk Security Reading August 2021
These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! 
Security4 Minute ReadPartner Spotlight: NCU-ISAO Members Gain Actionable Intelligence with TruSTAR
We recently spoke with Brian Hinze, NCU-ISAO Vice President, Member Services and Operations, to learn more about why NCU-ISAO chose TruSTAR for intelligence management, and how member organizations are using TruSTAR for information sharing and collaboration.
Security4 Minute ReadIs Your Cyber Team Overwhelmed by System Alerts?
Wondering how to prevent alert fatigue and turnover within your cyber team? Learn how Splunk can help Cyber professionals with a more efficient way to view, assess, and prioritize system alerts before devoting time to investigations.
Security4 Minute ReadSolving User Monitoring Use Cases With Splunk Enterprise Security
We all know Splunk’s data platform is capable of delivering incredible analytics and insights at scale, but how do we tie that power with all of the security content and premium solutions for security that Splunk provides? I thought it would be a good idea to jot some thoughts down about some common high level security use cases becauseI get asked this question so much.
Security2 Minute ReadWhat Do Organizations Value Most in a SIEM/Security Analytics Provider? In a Word: Actionability
According to 451 Research’s Voice of the Enterprise survey data, 64% say integration and correlation of threat intelligence is very important when selecting a SIEM vendor. Learn where Splunk Enterprise Security can give you actionable insights.
Security3 Minute ReadHunting for Detections in Attack Data with Machine Learning
Learn how to leverage the real-world and simulated attack data that Splunk's Threat Research team collected to use machine learning to discover attack activity and identify how to transform insights into detections.
Security2 Minute ReadSplunk SOAR: Anyone Can Automate
If you haven’t heard the news, Splunk Phantom is now Splunk SOAR – available both on-prem and in the cloud. Read on to find out what that means for you.
Security6 Minute ReadThreat Advisory: Telegram Crypto Botnet STRT-TA01
The Splunk Threat Research Team (STRT) has detected the resurface of a Crypto Botnet using Telegram, a widely used messaging application that can create bots and execute code remotely. Learn more about the indicators of the botnet operation and use our pre-built and tested detections to find them in your environment.
Security4 Minute ReadTrickbot Detections: Threat Research Release, July 2021
The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.- Security2 Minute Read
Staff Picks for Splunk Security Reading July 2021
These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! - Security5 Minute Read
Conti Threat Research Update and Detections
In this blog, the Splunk Threat Research team will show you how to use Splunk Attack Range to simulate cyber attacks from the Conti Ransomware group. It will also have pre-built detections that you can use to detect them in your environment. 
Security4 Minute ReadDetecting SeriousSAM CVE-2021-36934 With Splunk
SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.
Security2 Minute ReadSecurity Modernization Starts with Data and Splunk at Black Hat 2021
It’s time to take that breach vacation and get the inside scoop at what Splunk has happening at Black Hat 2021.
Security2 Minute ReadGet Started with Splunk for Security: Splunk Security Essentials
Splunk Security Essentials (SSE) is now part of the Splunk security portfolio and fully supported with an active Splunk Cloud or Splunk Enterprise license. Start using SSE and apply prescriptive guidance and deploy pre-built security detections in your Splunk environment.
Security6 Minute ReadDetecting Trickbot with Splunk
The Splunk Threat Research Team has assessed several samples of Trickbot, a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. Use our pre-built Splunk detections to detect Trickbots.
Security3 Minute ReadAPI 2.0: TruSTAR Operationalizes Data Orchestration and Normalization for a New Era in Intelligence Management
TruSTAR announces new features making intelligence more actionable by simplifying intelligence ingestion, automating data flows and better informing SIEM, SOAR and Vulnerability Management programs.
Security5 Minute ReadData Exfiltration Detections: Threat Research Release, June 2021
Check out detections from the Splunk Threat Research team to detect data exfiltration – also known as data extrusion, data exportation, and data theft – in your environment.- Security5 Minute Read
Five Questions Your Organization Must Ask to Prepare For a Ransomware Attack
What questions should organizations be asking themselves and what steps should they take to prevent or mitigate the next ransomware threat? Splunk's Yassir Abousselham has put together a quick set of questions we’re asking at Splunk that can help you. 
Security3 Minute ReadWhat's New with Splunk Enterprise Security 6.6?
Learn about the latest and greatest features of Splunk Enterprise Security 6.6.
Security1 Minute ReadI Scream, You Scream, We All Scream For BOTS!
We are excited to announce our August Boss of the SOC (BOTS) V event! What’s new in BOTS V? I’m glad you asked. This year, we find our favorite brewery, Frothly, converting to a remote model and embracing the cloud for ‘all the things.'
Security3 Minute ReadRansomware Groundhog Day: Elevating Your Program in a High-Threat Environment
REvil attackers exploited Kaseya, a highly trusted management software. Here's how security leaders can take actionable steps to improve your business's defenses.
Security8 Minute ReadREvil Ransomware Threat Research Update and Detections
On July 2, 2021, REvil group used Kaseya to distribute malware to its on-premises customers. Splunk has pushed out guidance to help understand and detect REvil. Learn more about the REvil ransomeware group, their tactics, and how to detect them using Splunk.
Security19 Minute ReadKaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
Kaseya VSA, remote monitoring management (RMM) software heavily used by managed service providers (MSP), was compromised by REvil, and is being used to distribute ransomware to its on-premises customers. Find out more on how to detect REvil in your environment.
Security3 Minute ReadFashionably Late: The Zero Trust Trend is Here to Stay
Whether you were hip to the zero trust trend before it started being cool, or are arriving fashionably late, learn how to leverage a data-driven approach to achieve zero trust outcomes and improve the overall security capabilities of the organization in the process.
Security7 Minute ReadI Pity the Spool: Detecting PrintNightmare CVE-2021-34527
Read on for details around Detect PrintNightmare (CVE-2021-34527), a critical vulnerability that affects the Print Spooler service and can perform remote code execution.
Security2 Minute ReadSOARing to the Clouds with Splunk SOAR
Now available as part of Splunk Cloud, Splunk SOAR further delivers on our promise to modernize security operations – read on to learn more.
Security3 Minute ReadIntroducing the World’s First Modern Cloud-Based SecOps Platform: Splunk Security Cloud
Announcing the new Splunk Security Cloud – the only data-centric modern security operations platform that delivers enterprise-grade advanced security analytics, automated security operations, and threat intelligence with an open, unparalleled ecosystem.
Security4 Minute ReadSplunk SOAR Playbooks: GCP Unusual Service Account Usage
In this new Splunk SOAR Playbook, we'll show how a Splunk Enterprise search can trigger automated enrichment, an analyst prompt, and rapid response actions to prevent damage caused by malicious account access.
Security2 Minute ReadSuper Speed with Phantom Slash Commands
Splunker Olivia Courtney shares a walkthrough of what you can do with the power of Phantom Slash Commands to investigate Splunk Phantom events.
Security5 Minute ReadDetecting Password Spraying Attacks: Threat Research Release May 2021
The Splunk Threat Research team walks you through a new analytic story to help SOC analysts detect adversaries executing password spraying attacks, and highlights a few detections from the May 2021 releases.- Security4 Minute Read
A Deeper Dive into TruSTAR Intel Workflows
Learn about TruSTAR's API 2.0, featuring TruSTAR Intel Workflows. This blog post provides a look at some technical aspects of the Indicator Prioritization Intel Workflow. 
Security3 Minute ReadTales of a Principal Threat Intelligence Analyst
Discover how threat intelligence can offer valuable insights to help fend off future attacks, no matter how covert or cunning they appear to be.
Security10 Minute ReadEO, EO, It’s Off to Work We Go! (Protecting Against the Threat of Ransomware with Splunk)
We read the 'What We Urge You To Do To Protect Against The Threat of Ransomware' memo and Executive Order (EO14028) in-depth, and this blog is designed to provide you with the information and takeaways to start acting immediately.
Security1 Minute ReadUnderstanding Splunk Phantom’s Join Logic
Have you ever built complex playbooks and tested them, only to find that they halted execution mid-stream? That’s probably because of your ‘join’ settings – read on to learn more.
Security2 Minute ReadEasily Automate Across Your AWS Environments with Splunk Phantom
Splunk Phantom now has the flexibility to let you easily manage your AWS environment across hundreds or thousands of accounts – read on to learn more.
Security5 Minute ReadPartner Spotlight: IT-ISAC Members Automate and Simplify Intelligence Sharing with TruSTAR
We recently interviewed IT-ISAC Executive Director Scott Algeier to discuss why the organization chose to partner with TruSTAR, and the benefits its members are experiencing using TruSTAR to simplify integrations, automate data flows and make intel more actionable.- Security2 Minute Read
Staff Picks for Splunk Security Reading May 2021
Check out the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. 
Security8 Minute ReadAdvanced Link Analysis, Part 3 - Visualizing Trillion Events, One Insight at a Time
Learn how to get actionable insights from large datasets using link analysis in the third installment of our Advanced Link Analysis series, showcasing the interactive visualization of advanced link analysis with Splunk partner, SigBay.
Security2 Minute ReadSOAR in Seconds with Splunk Feature Overviews
Get a quick overview of Splunk's SOAR tool, Splunk Phantom, and the main features within.- Security4 Minute Read
TruSTAR Intel Workflows Series: 3 Stages of the Prioritized Indicator Intel Workflow
This blog series explains our motivations for building this feature, how it works, and how users can better inform security operations. In this section, we dive into the three stages of the Prioritized Indicator Intel Workflow. 
Security1 Minute ReadLittle Code, Big Impact: Easily Scale your Security Automation with Splunk SOAR
Discover how our latest revision of Splunk Phantom’s 'custom functions' make playbook creation and execution faster and easier than ever with the ability to create shareable custom code across playbooks while introducing complex data objects into the playbook execution path.
Security6 Minute ReadDarkSide Ransomware: Splunk Threat Update and Detections
Splunk Threat Research Team (STRT) replicated the DarkSide Ransomware Attack and has released an Analytic Story with several detection searches directed at community shared IOCs.- Security3 Minute Read
Presidential Executive Order: “Collect and Preserve” Incident Data. Is this the Catalyst for Cybersecurity’s Black Box?
President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity defines a solid path forward for the Federal government and its suppliers to address systemic problems in defending cyberspace. 
Security3 Minute ReadA Threat As Old As The Internet: Why We Still Care About Malware (And Why You Should Too)
Splunk's CISO Yassir Abousselham dives into why — as IT and security leaders — we need to come up with comprehensive strategies to specifically mitigate malware attacks.
Security1 Minute ReadThreat Hunter Intelligence Report
Welcome to Splunk’s Threat Hunter Intelligence Report, a monthly series brought to you by Splunk’s threat hunting and intelligence (THI) team sharing the latest cybersecurity threats and trends to help organizations stay one step ahead of adversaries, one report at a time.
Security8 Minute ReadThe DarkSide of the Ransomware Pipeline
Learn about the Colonial Pipeline ransomware attack and how you can start detecting and remediating DarkSide's activities and attack using Splunk.- Security3 Minute Read
TruSTAR Intel Workflows Series: Automating Data Workflows to Unlock Investments in SIEM, SOAR and XDR
We recently introduced TruSTAR Intel Workflows.This blog series explains our motivations for building this feature, how it works, and how users can better inform security operations. This is Part 2: How TruSTAR Intel Workflows Work. 
Security3 Minute ReadFind the Fingerprints and Traces of Threats with Splunk at RSAC 2021
Splunk's heading to RSAC 2021, are you? Take a peak at our upcoming sessions and don't forget to tune into our CEO Doug Merritt's keynote when he takes the RSAC main stage.
Security2 Minute ReadSplunk SOAR Playbooks: Suspicious Email Domain Enrichment
This playbook focuses specifically on domain names contained in the ingested email, and it uses Cisco Umbrella Investigate to add the risk score, risk status, and domain category to the event in Splunk SOAR.- Security3 Minute Read
Cybersecurity’s Moneyball Transformation
What do baseball and cybersecurity have in common? Nothing, at first glance. But, take a deeper look and you can see the glaring similarities. That's because cybersecurity is going through its Moneyball transformation right now. Read this blog post to learn more. - Security4 Minute Read
Clop Ransomware Detection: Threat Research Release, April 2021
Discover how the Splunk Threat Research Team focused their research efforts on Clop Ransomware detections to help organizations detect abnormal behavior faster before it becomes detrimental. - Security4 Minute Read
TruSTAR Intel Workflows Series: Shifting from App-Centric to Data-Centric Security Operations
TruSTAR recently introduced API 2.O featuring TruSTAR Intel Workflows. This blog series will explain our motivations for building this feature, how it works, and how users can better inform security operations. 
Security3 Minute ReadSplunk and Zscaler Utilize Data and Zero Trust to Eradicate Threats
Splunk and Zscaler have partnered to deliver a superior approach to security. Our tightly integrated, best-of-breed cloud security and security analytics platforms deliver a cloud experience for the modern, cloud-first enterprise.
Security2 Minute ReadStreamlining Vulnerability Management with Splunk Phantom
Manage the entire lifecycle of vulnerability management with automation and orchestration using Splunk’s SOAR technology, Splunk Phantom, to automate actions and reduce the time spent on patch management by 40%.
Security10 Minute ReadSUPERNOVA Redux, with a Generous Portion of Masquerading
A review of the Pulse Secure attack where the threat actor connected to the network via a the Pulse Secure virtual private network (VPN), moved laterally to its SolarWinds Orion server, installed the SUPERNOVA malware, and collected credentials, all while masquerading the procdump.exe file and renamed it as splunklogger.exe.
Security11 Minute ReadMonitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)
Our Splunk security experts share a closer look at the Pulse Connect Secure attack, including a breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.
Security8 Minute ReadElevate Your Cloud Security Posture with Splunk and Google Cloud
It’s more critical than ever to secure your company data and protect your workloads in the cloud. This blog post is a roundup of latest technical resources and product capabilities by both Google Cloud & Splunk to enhance your threat prevention, detection, and response techniques, regardless of where you are in your business-transforming cloud journey.
Security7 Minute ReadThe Data-Centric Revolution: Restoring Sanity to Enterprise Security Operations
TruSTAR CEO and Co-Founder, Patrick Coughlin, recently sat down with Dave McComb, President of Semantic Arts, to talk through what it means to be Data-Centric in a Data-Driven world.
Security3 Minute ReadIntroducing Splunk Attack Range v1.0
The Splunk Attack Range project has officially reached the v1.0 release – read on to learn how we got here, what features we’ve built for v1.0 and what the future looks like for Splunk Attack Range.
Security5 Minute ReadDetecting Clop Ransomware
As ransomware campaigns continue, malicious actors introduce different modus operandi to target their victims. In this blog, we’ll be taking a look at the Clop ransomware. This crimeware was discovered in 2019 and is said to be used for an attack that demanded one of the highest ransom amounts in recorded history.
Security4 Minute ReadEndpoint Security Data Collection Strategy: Splunk UF, uberAgent, or Sysmon?
Many threats originate from the endpoint and detecting them requires insights into what happens on the endpoint. In this post we look at different endpoint activity data sources, comparing the benefits and capabilities of Splunk Universal Forwarder with vast limits uberAgent and homegrown solutions.
Security2 Minute ReadTaking Automation Beyond the SOC With Advanced Network Access Control
Learn how you can scale IT operational processes and enhance network performance by leveraging security orchestration, automation and response (SOAR) tools such as Splunk Phantom.
Security4 Minute ReadAdvanced Link Analysis: Part 2 - Implementing Link Analysis
Learn how to step-by-step process to building the dashboard with Sigbay Link Analysis visualization app from scratch.
Security3 Minute ReadDetecting AWS IAM Privilege Escalation
The Splunk Threat Research team develops security research to help SOC analysts detect adversaries attempting to escalate their privileges and gain elevated access to AWS resources. Learn how we simulate these attacks using Atomic Red Team, collect and analyze the AWS cloudtrail logs, and utilize pre-packaged Splunk detections to detect these threats.- Security3 Minute Read
Splunk SOAR Playbooks: Conducting an Azure New User Census
Learn how to use automated playbooks to monitor new user accounts to ensure that threat actors like Hafnium cannot leverage the Active Directory system to exploit vulnerabilities. 
Security2 Minute ReadTop In-Demand Cybersecurity Skills in the Upcoming Years
Automation is optimizing SOC workflows but also shaking up the cybersecurity workspace. Skills that were once in high demand are decreasing in value. Splunker Matthias Maier took a closer look into cybersecurity developments and shares which cybersecurity skills professionals should be focussing on in the upcoming years.- Security3 Minute Read
Staff Picks for Splunk Security Reading March 2021
These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! 
Security5 Minute ReadAutomated Clean-up of HAFNIUM Shells and Processes with Splunk Phantom
Implement security playbooks to automatically delete Microsoft Exchange Webshells and terminate W3WP spawned processes with Splunk Phantom.
Security2 Minute ReadAnalytics-Based Investigation and Automated Response with AWS + Splunk Security Solutions
Learn how AWS and these Splunk products work together to help you strengthen your security posture and defend against threats to your environment.
Security2 Minute ReadOrchestrate Framework Controls to Support Security Operations with Splunk SOAR
Learn more about how to identify use cases for automation and dive deeper into the five steps of designing security workflows around framework regulations
Security3 Minute ReadHow to Marie Kondo Your Incident Response with Case Management & Foundational Security Procedures
Learn how successful security teams “Marie Kondo” their security operations, cleaning up their “visible mess” to identify the true source of “disorder” (the cyber attack itself).- Security4 Minute Read
Only the Paranoid Survive, Recast for Cybersecurity
At TruSTAR, we want to highlight stories of success in defending cyberspace that can propagate as best practices. Read more about human dependencies, technical challenges and defining data to be shared. 
Security13 Minute ReadDetecting Microsoft Exchange Vulnerabilities - 0 + 8 Days Later…
Even if you haven’t uncovered Microsoft Exchange Vulnerabilities and malicious behavior, it is important to continue monitoring, particularly as more actors look to leverage these vulnerabilities for their own purposes.
Security3 Minute ReadVisual Link Analysis with Splunk: Part 4 - How is this Pudding Connected?
Starting with a single piece of data, use Splunk link analysis functionality to find related links going multiple levels down.
Security3 Minute ReadSplunk for OT Security V2: SOAR and More
OT attacks are on the rise, as we've seen from the Oldsmar water facility attack. the Splunk IoT, Manufacturing and Energy team has been hard at work improving Splunk for OT Security to help secure your environment.
Security4 Minute ReadCloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Learn about the latest emerging threats, such as Cloud Federated Credential Abuse and Cobalt Strike, where bad actors are abusing credential privileges in cloud environments to gain unauthorized access.
Security2 Minute ReadBuilding a Superstar SOC with Automation and Standardization
Splunker Kelly Huang explains the how and why of standardizing your team's security processes to build a superstar SOC.
Security9 Minute ReadDetecting HAFNIUM Exchange Server Zero-Day Activity in Splunk
This blog discusses how to detect HAFNIUM activity around the recent CVEs released affecting Exchange Server using Splunk and Splunk Enterprise Security.
Security2 Minute ReadFrom the SecOps Kitchen: Why Operators of Essentials Services Need to Prepare Now
How can you be agile and map technical security activities back to the overall goal to reduce the business risk and become cyber resilient while being sensitive to costs and FTE needs at the same time? Find out more in this article.- Security4 Minute Read
Stories of Cyber Defense Collaboration: Trustworthy Accountability Group (TAG)
Nicole Perloth’s new book, This is How They Tell Me the World Ends, details our past and troubling trajectory in cyberspace. It is a terrific and sobering read for both the initiated and uninitiated in information security. This doom and gloom title prompts the need for a blog series focusing on slivers of success in defending cyberspace that can propagate as best practices. 
Security2 Minute ReadAutomating With Splunk Phantom: How Norlys Does It
Learn why Denmark’s largest power, utility and telecommunications company turned to Splunk Phantom, Splunk’s security orchestration, automation and response (SOAR) technology, to automate manual workflows, repetitive tasks and difficult-to-maintain processes.- Security4 Minute Read
Splunk SOAR Playbooks: Crowdstrike Malware Triage
Splunk Phantom and Crowdstrike together allows you to have a smooth operational flow from detecting endpoint security alerts to operationalizing threat intelligence and automatically taking the first few response steps – all in a matter of seconds. 
Security4 Minute ReadMSHTA and MSBuild Cat Jam: Threat Research Release January 2021
Splunk's Security Research team was busy this past quarter generating attack data for 80% of all our detections. A step forward in validating and testing our security content and ensuring we can continually test detections via continuous integration and continuous delivery (CI/CD).- Security3 Minute Read
Staff Picks for Splunk Security Reading February 2021
These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! 
Security2 Minute ReadA Path to Proactive Security Through Automation
The sheer number of cyberattacks launched against organizations every year is massive and growing. Learn how automation can help your security team chart a new path forward.
Security5 Minute ReadAdvanced Link Analysis: Part 1 - Solving the Challenge of Information Density
Leverage Sigbay's link analysis visualization to solve the challenge of information density.
Security6 Minute ReadBox Automates Intelligence and Workflows While Reducing Manual Work Hours with TruSTAR
Box is the market leader for Cloud Content Management. Read on for more in this Q&A with Box's Kyle Bailey, Manager, Threat Operations.- Security3 Minute Read
Top 3 Market Trends for SOAR Solutions
Lear more about the general market trends for SOAR, investment recommendations, and how Splunk Phantom aligns with Gartner’s vision for SOAR. 
Security5 Minute ReadVisual Link Analysis with Splunk: Part 3 - Tying Up Loose Ends
Using Splunk for Link Analysis part 3, addressing loose ends with visual link analysis.- Security3 Minute Read
Staff Picks for Splunk Security Reading January 2021
These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! 
Security1 Minute ReadNext Level Automation: What’s New with Splunk Phantom
With the release of Splunk Phantom 4.10.1, we now allow you to configure the number of playbook runners using Python 2 and Python 3. Learn more right here.
Security4 Minute ReadVisual Link Analysis with Splunk: Part 2 - The Visual Part
Using Splunk for link analysis - part 2 covering visualizations of linked data.- Security3 Minute Read
Cybersecurity Today: Alice in Wonderland Meets the Matrix & Total Recall
The scale of cyber attacks and the complexity of networks exacerbate the situation. Operators face three significant challenges: an IT security ecosystem that is fragmented and in flux, users that are both human and machine, and multiple threats with varying levels of severity and sophistication. 
Security3 Minute ReadDetecting the Sudo Baron Samedit Vulnerability and Attack
Looking for ways to detect and protect against the SUDO Baron Samedit vulnerability (CVE-2021-3156)? Look no further. In this blog we tell you how to proactively detect vulnerable servers using Splunk and also to detect malicious folks who are attempting to exploit this vulnerability for nefarious outcomes!- Security4 Minute Read
TruSTAR Enclave: Not Your Grandpa’s 'Trusted Circle'
TruSTAR’s Enclave technology is the most advanced cloud-based governance engine for enterprise cyber intelligence – read on to discover how it has evolved to meet the needs of integration, automation and intelligence sharing. 
Security3 Minute ReadVisual Link Analysis with Splunk: Part 1 - Data Reduction
Part 1 of a multi-part series exploring ways to use Splunk for link analysis. This blog focuses on data reduction.- Security6 Minute Read
Splunk SOAR Playbooks: Finding and Disabling Inactive Users on AWS
Discover how to add an additional layer of security in AWS with Splunk Phantom by scheduling a playbook to search for inactive users and activating another playbook to disable problem user accounts. 
Security3 Minute ReadMacros, We Don’t Need No Stinking Macros! — Featuring the New Microsoft O365 Email Add-On
Using Microsoft O365 for your emails? Take a look at the new Microsoft O365 Email Add-on for Splunk to start getting in-depth security and non security data from your emails today.
Security2 Minute ReadThe 10 Essential Capabilities of a Best-of-Breed SOAR
Security orchestration, automation and response (SOAR) tools are here to stay, do you have the best-of-breed SOAR in your security stack?
Security4 Minute ReadYes, Virginia, There is a -Santa Claus- Way to Detect Unemployment Fraud
Fraud rates for Unemployment Insurance Benefits (UIB) and Pandemic Unemployment Assistance (PUA) are out of control. Use these detections to start detecting unemployment fraud now.
Security9 Minute ReadA Golden SAML Journey: SolarWinds Continued
The SolarWinds Orion compromise resulted in the first recorded use of Golden SAML in the wild. Learn how you can start detecting this in Splunk now.
Security2 Minute ReadAutomation Made Easy: What’s New with Splunk Phantom
Security automation is now easier than ever. Learn what's new with Splunk Phantom now.
Security2 Minute ReadSplunk’s Response to the SolarWinds Cyberattacks
Although Splunk was not directly affected by the SolarWinds cyberattacks, as a leader in security we want to help the industry by providing tools, guidance and support to those impacted. Splunk's CISO Yassir Abousselham shares relevant information for customers and examples of how Splunk has taken action to better protect its business.
Security7 Minute ReadDetecting Supernova Malware: SolarWinds Continued
Supernova exposes SolarWinds Orion to attack via an in-memory web shell. It needs to be patched and detections below can help identify adversary actions.- Security3 Minute Read
Staff Picks for Splunk Security Reading December 2020
These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! 
Security8 Minute ReadUsing Splunk to Detect Sunburst Backdoor
The Sunburst Backdoor threat truly burst on the scene as a send off for 2020. The good news is that the Splunk Security team has produced detections you can run in Splunk Enterprise Security to help you protect your environment from this sophisticated threat.
Security4 Minute ReadCI/CD Detection Engineering: Failing, Part 3
In part 3 of our now 4-part series, we walk you through how we failed to use CircleCI to continually test detentions!
Security5 Minute Read7 High-Risk Events to Monitor Under GDPR: Lessons Learned from the ICO’s BA Penalty Notice
British Airways made the headlines when they were hacked, customer details stolen and were issued a Penalty Notice by the UK ICO. Matthias Maier took a closer look at the document and recapitulated the key takeaways any IT security person can learn from.- Security6 Minute Read
Detecting Ryuk Using Splunk Attack Range
A new alert, Ransomware Activity Targeting the Healthcare and Public Health Sector, issued by the CISA poses ongoing and possible imminent attacks against the healthcare sector. Learn how you can detect the Ryuk ransomware as payload with Splunk Attack Range. 
Security5 Minute ReadDetecting Google Cloud Platform OAuth Token Abuse Using Splunk
Google Cloud Platform's Identity Access Management (IAM) permissions can be used to move laterally and escalate privileges. Learn how to detect GCP OAuth token abuse and remediate these events with Splunk.
Security5 Minute ReadDetecting CVE-2020-1472 (CISA ED 20-04) Using Splunk Attack Range
Microsoft's recent security disclosure of CVE-2020-1472 is extremely harmful to systems that have not been patched or lack mitigations in place. Learn how to prevent and detect CVE-2020-1472 using Splunk Attack Range.
Security5 Minute ReadAdaptable Incident Response With Splunk Phantom Modular Workbooks
Modular Workbooks allow you to effortlessly adapt your security operations workflow. Learn how Splunk Phantom SOAR can help divide tasks into phases, assign responsibilities to team members, and document your work.
Security2 Minute ReadIntroducing a New Splunk Add-On for OT Security
The Splunk Add-on for OT Security expands existing Splunk Enterprise Security frameworks to improve security visibility in OT environments for our customers, partners and community members.
Security7 Minute ReadUsing Splunk to Detect Abuse of AWS Permanent and Temporary Credentials
In this blog, the Splunk threat research team shows how to detect suspicious activity and possible abuse of AWS Permanent and Temporary credentials.
Security7 Minute ReadCI/CD Detection Engineering: Splunk's Attack Range, Part 2
In part 2 of our 3-part series, we walk you through how to use Splunk Security-Content, Attack Range and CircleCI to do detection development, continuous testing and deployment as a workflow in your SOC.
Security8 Minute ReadCI/CD Detection Engineering: Splunk's Security Content, Part 1
This blog is part 1 of a 3 part series that includes a step-by-step walk-through of how to use Splunk Security-Content, Attack Range and CircleCI to do detection development, continuous testing, and deployment as a workflow in your security operation center.
Security2 Minute ReadNation-State Espionage Targeting COVID-19 Vaccine Development Firms - The Actions Security Teams Need To Take Now!
The UK NCSC published an advisory report that threat group APT29 most recently targeted organizations which are involved in COVID-19 vaccines development and testing. Find out if your organization is affected and which actions you need to take now.
Security1 Minute ReadThe Next 12 Months - Where IT Leaders Anticipate Spending More Time On
IDG’s recent “State of the CIO” survey across IT leaders has revealed the impact of COVID-19 on IT organizations and the sudden and unforeseen shifts of their initial 2020 plans.
Security6 Minute ReadApproaching Kubernetes Security — Detecting Kubernetes Scan with Splunk
Approaching Kubernetes security. Detect and investigate Kubernetes cluster scan and fingerprinting using Splunk.
Security3 Minute ReadSplunk Attack Range Now With Caldera and Kali Linux
An overview of the updates the Splunk Security Research Team has been working on for Splunk Attack Range, now with Caldera adversarial simulation framework and Kali Linux
Security5 Minute ReadIntegrating COVID (or Any) Threat Indicators with MISP and Splunk Enterprise Security
Integrating MISP servers with Enterprise Security's Threat Intelligence framework- Security2 Minute Read
Asset & Identity for Splunk Enterprise Security - Part 3: Empowering Analysts with More Attributes in Notables
This is part three in a three part series on the Asset & Identity framework in Splunk Enterprise Security, focusing providing additional visibility and context to analysts with a notable event. - Security4 Minute Read
Asset & Identity for Splunk Enterprise Security - Part 2: Adding Additional Attributes to Assets
This is part two in a three part series on the Asset & Identity framework in Splunk Enterprise Security, focusing on adding additional field or attributes to further contextualize systems being monitored. 
Security3 Minute ReadBetween Two Alerts: Easy VPN Security Monitoring with Splunk Enterprise Security
It’s a whole new world we’re living in, at least for now. This little tutorial will help you stay on top of your security game while in the world of Enterprise Security.- Security4 Minute Read
Asset & Identity for Splunk Enterprise Security - Part 1: Contextualizing Systems
This is part one in a three part series on the Asset & Identity framework in Splunk Enterprise Security, focusing on gaining context on systems being monitored. 
Security7 Minute ReadUse Cloud Infrastructure Data Model to Detect Container Implantation (MITRE T1525)
Using cloud infrastructure data model to detect possible container implantation (Mitre Cloud Matrix technique T1525)
Security2 Minute ReadBoss of the SOC v3 Dataset Released!
The tradition continues! We are happy to announce that the Boss of the SOC (BOTS) v3 dataset has been released under an open-source license and is available for download.
Security2 Minute ReadWorld Economic Forum In Davos - Growth in Global Technology Risk
Taking a look at the World Economic Forum (WEF) in Davos 2020 from a cybersecurity angle. What technology risks should we be prepared for according to the WEF?
Security4 Minute ReadDetecting CVE-2020-0601 Exploitation Attempts With Wire & Log Data
Learn two simple techniques for detecting CVE-2020-0601 exploitation attempts using Splunk
Security4 Minute ReadCVE-2020-0601 - How to operationalize the handling of vulnerabilities in your SOC
Recently the CVE-2020-0601 vulnerability was discovered by the NSA. Find out everything you need to know and how you can tackle it in this blog post.
Security2 Minute ReadQ&A Follow-Up: How Datev uses MITRE ATT&CK & Splunk in its SOC
Following our webinar with Datev on how they use MITRE ATT&CK & Splunk in its SOC, we compiled all of the questions left unanswered in this blog post. Read all of it here,
Security2 Minute ReadUsing Splunk Attack Range to Test and Detect Data Destruction (ATT&CK 1485)
Using Splunk Attack Range to test and detect Data Destruction techniques- Security5 Minute Read
Stitching Notables Together with Event Sequencing
Event Sequencing can take multiple notable events that are created from correlation searches and present them to the analysts as a set of linked notable events and help prioritize response when these chain of events occur. - Security1 Minute Read
it-sa 2019 - Germany on alert at Europe’s leading trade fair for IT security
Splunk went to it-sa 2019 - Europe's leading trade fair for IT security. We share our highlights of the event. 
Security3 Minute ReadSplunk BOTS 4.0: A New Hope
From the basics, to new data, to registration information, discover all you need to know about Splunk BOTS 4.0 at .conf19.- Security3 Minute Read
Which of Gartner’s 2019 Top 7 Security and Risk Management Trends Are Impacting Your Business? - Part II
Part 2 of our 3-part blog series, in which we take a closer look into Gartner Security and Risk Trends 2019 and give you suggestions on how to address them. - Security2 Minute Read
Which of Gartner’s 2019 Top 7 Security and Risk Management Trends Are Impacting Your Business? - Part III
Last and final part of our 3-part blog series in which we review Gartner's Security and Risk Trends 2019 and give advise on how to tackle them. - Security2 Minute Read
Which of Gartner’s 2019 Top 7 Security and Risk Management Trends Are Impacting Your Business?
In this 3-part series, we take a closer look into Gartner's trends and share how you can address these issues. 
Security3 Minute ReadNew: Machine Learning in Splunk Enterprise Security Content Update
Use machine learning techniques to identify outliers in security-related data with a new probability-density function algorithm in Splunk's Machine Learning Toolkit (MLTK)
Security4 Minute ReadMonitor for, Investigate, and Respond to Phishing Payloads with Splunk Enterprise Security Content Update
Detect, investigate, and defend signs of phishing payloads in your environment with Splunk Enterprise Security Content Update (ESCU)
Security3 Minute ReadBoss of the SOC (BOTS) Advanced APT Hunting Companion App: Now Available on Splunkbase
If you want to learn more about threat hunting with Splunk, this app in conjunction with the BOTSv2 data set is just the answer!
Security4 Minute ReadThreat Intel and Splunk Enterprise Security Part 2 - Adding Local Intel to Enterprise Security
Splunker John Stoner shares a walkthrough for how to add local threat intelligence into Splunk Enterprise Security- Security2 Minute Read
Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download
You asked, we delivered – Boss of the SOC 2.0 has been open sourced, including dataset, questions, answers and even a scoring server update! 
Security2 Minute ReadSIEM: The Steps Before "The First Steps"
Laying the groundwork before taking those first crucial steps towards the best SIEM for your business
Security4 Minute ReadWire Data, Huh! What Is It Good For? Absolutely Everything, Say It Again Now!
A brief overview of wire data, its uses and sources, and the new Splunk Essentials for Wire Data app- Security5 Minute Read
Modifying the Incident Review Page
How to modify the Incident Review page and add information to Notable Events in Splunk Enterprise Security 
Security4 Minute ReadATT&CK-ing the Adversary: Episode 3 – Operationalizing ATT&CK with Splunk
In the final episode in the MITRE ATT&CK trilogy, we focus on applying what we learned and operationalizing it with ATT&CK to assist our security operations- Security5 Minute Read
ATT&CK-ing the Adversary: Episode 2 - Hunting with ATT&CK in Splunk
Using MITRE ATT&CK to focus your threat hunting in Splunk 
Security4 Minute Read| datamodel Endpoint
Discover what's new in Splunk Common Information Model (CIM) 4.12
Security1 Minute ReadShifting Mindsets: Modernizing the Security Operations Center
How to go from an 'old school' to a 'new school' defender
Security2 Minute Read“Are We Secure?” Lessons Learned From The CISO Of A Leading Saudi Bank
A Splunk customer's presentation at Gartner’s 2018 Security Risk and Management Summit
Security1 Minute ReadThree Questions For Empowering Security: From Gartner’s Risk and Security Management Summit Europe
Key takeaways from this year's Gartner Risk and Security Management Summit Europe- Security3 Minute Read
I Azure You, This Will Be Useful
This blog post describes how to use Azure Active directory for basic hunting and discovery 
Security2 Minute ReadWhat Keeps the CISO Awake at Night? Four Dreaded Security Headlines
Would your organization's security team be prepared if these headlines appear in tomorrow's news?- Security3 Minute Read
Domestic Intelligence Service of the Federal Republic of Germany Warns About Cyber Attacks
What's happened, how to investigate if you've been affected and what you should do next. - Security2 Minute Read
Knowledge is Power: Guidance from ICO and NCSC on GDPR Security Outcomes
The GDPR learnings are ongoing - are you keeping up? - Security3 Minute Read
Boss of the SOC (BOTS) Investigation Workshop for Splunk
You've played BOTS with Splunk, now learn the how it all happened? This post discusses a new tutorial app that you can run on the BOTS v1 dataset to learn more about BOTS and have an educational workshop at home (or office) 
Security2 Minute ReadBoss of the SOC Scoring Server, Questions and Answers, and Dataset! Open-Sourced and Ready for Download
We have open-sourced the Boss of the SOC dataset (ver1.0) and BOT(S|N) scoring server. They can be used to run your own CTF, perform research, or train your internal users!
Security1 Minute ReadStrengthen Your SIEM And Be Ready For The GDPR
When facing the GDPR, your SIEM solution can be a great support for your organisation's compliance strategy, but if not strengthened - it can also be your downfall.
Security2 Minute ReadUse Investigation Workbench to Reduce Time to Contain and Time to Remediate
The latest version of Splunk Enterprise Security v 5.0 introduces Investigation Workbench, which streamlines investigations and accelerates incident response
Security3 Minute ReadDetecting Typosquatting, Phishing, and Corporate Espionage with Enterprise Security Content Update
Splunk’s Enterprise Security Content Update (ESCU) app can provide you with early warnings and situational awareness—powerful elements of an effective defense against adversaries
Security8 Minute ReadEnsuring Success with Splunk ITSI - Part 1: Thresholding Basics
Practical step-by-step guidance to configure ITSI to produce accurate and trusted alerts
Security2 Minute ReadSplunk Named a Leader in Gartner SIEM Magic Quadrant for the Fifth Straight Year
Gartner's 2017 Magic Quadrant for Security Information and Event Management names Splunk a leader for the fifth straight year
Security1 Minute ReadWhat’s Cyber Security Week like for Splunk? it-sa gold!
Two gold awards and a successful it-sa event - that's how Splunk does Cyber Security Week!
Security3 Minute ReadWhat You Need to Know About Boss of the SOC
We introduced a new security activity at .conf2016 called “Boss of the SOC” (or BOTS), born from our belief that learning can be both realistic and fun.
Security1 Minute ReadThe GDPR: Ready for the wakeup call from your Data Privacy Officer?
How machine data can help organisations prepare for GDPR and support their compliance programmes
Security2 Minute ReadWhat hygiene has to do with security: Infosec17 Recap
In a wrap up of Infosecurity Europe 2017, Matthias Maier shares the topics, trends and big win of the week.- Security8 Minute Read
Splunk and Tensorflow for Security: Catching the Fraudster with Behavior Biometrics
Raising the barrier for fraudsters and attackers: how to leverage Splunk and Deep Learning frameworks to discover Behavior Biometrics patterns within user activities - Security2 Minute Read
Punycode phishers - All you need to know
Unicode domains can be used for homograph attacks. Learn what they are and how users can be tricked. - Security2 Minute Read
Assigning Role Based Permissions in Splunk Enterprise Security
Learn how to add a new role in Enterprise Security and apply capabilities to it - Security1 Minute Read
Playbook: Triage Reconnaissance Alerts
Security2 Minute ReadRecap: Splunk @ Blackhat Europe 2016
Splunk at Blackhat Europe, a recap of schedule. Sharing latest tech on data analytics security, machine learning and threat intelligence gathering.- Security2 Minute Read
Playbook Series: Phishing: Automate and Orchestrate Your Investigation and Response
Respond with machine speed when a malicious phishing attack threatens your organization. Automation makes it possible. - Security1 Minute Read
Playbook: Investigate IP Address Performing Reconnaissance Activity
Phantom can receive reconnaissance alerts and automate key investigation steps to increase efficiency and speed decision making. 
Security4 Minute ReadRandom Words on Entropy and DNS
Security3 Minute ReadDetecting dynamic DNS domains in Splunk
While useful legitimately, hackers can use dynamic DNS domains to change IP address rapidly & exploit via malware-evil.duckdns[.]org; how to protect against?
Security2 Minute ReadPhishing hits a new level of quality
Security1 Minute ReadUpdated Keyword App
Security1 Minute ReadCisco Security Suite 3.0.1 – Now with ISE
Security2 Minute ReadIntroducing: The Splunk App for Okta
- Security5 Minute Read
Detecting Fraud
Security1 Minute ReadNew Keyword App
Security2 Minute ReadIdentifying Phishing Sites in Your Events
Security5 Minute ReadVulnerability Scanners and Splunk
- Security3 Minute Read
Storing encrypted credentials
Security1 Minute ReadLocating IP Addresses
