Splunk Security Content for Threat Detection & Response: May 2026 Update
Splunk Threat Research Team
Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers security content developed February 2026 – April 2026. Jump straight to the updates below, or read on to learn more about:
- How Splunk develops security content
- The types of content we deliver
- How to access security content
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Types of Security Content
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Detections
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
Analytic Stories
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
SOAR Playbook Packs
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
How to get Security Content
Take advantage of security content in two ways:
Both apps allow you to deploy thousands of out-of-the-box searches to start detecting, investigating, and responding to threats. You can also view the full security content repository by visiting research.splunk.com.
With that background covered, we can move on to the latest content. Let's take a look!
Splunk Security Content: February 2026 – April 2026
Below you will find a brief table of contents, followed by an overview of the security content developed from February 2026 – April 2026.
Table of Contents
Adversary Tradecraft Analytic Stories
Emerging Threats Analytic Stories
Overview: Adversary Tradecraft Analytic Stories
The Splunk Threat Research Team (STRT) created several new analytic stories to help identify activity related to various malware threats:
Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. The team released expanded detection coverage for macOS environments with three new analytic stories—macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation—delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
Gh0st RAT is a long-running Windows remote access trojan family known for full interactive control, surveillance, and data theft. Variants implement a custom binary wire protocol over TCP (often high ports), peer-to-peer relaying, and modular features such as keylogging, screen and camera capture, audio recording, file management, and remote shell.
The Void Manticore analytic story contains detections that allow security analysts to detect and investigate activity associated with Void Manticore (aka Red Sandstorm, Banished Kitten, Handala Hack), an Iranian MOIS-affiliated threat actor. The story covers initial access via compromised VPN and supply-chain targets, credential dumping and AD reconnaissance, lateral movement over RDP and NetBird tunneling, and destructive operations including custom wipers, PowerShell-based wiping, VeraCrypt disk encryption, and manual data destruction. Use these analytics to hunt for hands-on-keyboard behavior, default hostnames, and wiper or GPO-based execution.
Suspicious MCP Activities addresses the security challenge of detecting malicious activities within authorized Model Context Protocol (MCP) server deployments—identifying when legitimate MCP servers and AI tool integrations are being abused, exploited, or misused to conduct unauthorized activities, exfiltrate data, or bypass security controls.
Overview: Emerging Threats Analytic Stories
The STRT also released multiple analytic stories for emerging threats in the past few months. Here are the top five selected by the team based on relevance:
MuddyWater is an Iranian-linked APT group (also tracked as MERCURY, Static Kitten) attributed to Iran's Ministry of Intelligence and Security. It has been active since at least 2017 and uses script-based malware (PowerShell, VBScript, JavaScript), malicious documents (PDF, Word, Excel), living-off-the-land binaries, and RATs such as SloughRAT. Campaigns employ obfuscation, anti-sandbox techniques, and have leveraged Log4j exploits against SysAid Server. Targets include government, military, and private sector organizations across the Middle East, Turkey, South Asia, and elsewhere. Detection focuses on document-based initial access, script execution patterns, and post-exploitation behavior consistent with Talos and industry reporting.
The Cisco Catalyst SD-WAN Analytics story provides a suite of detections designed to analyze logs collected from Cisco Catalyst SD-WAN devices. The included analytics focus on identifying anomalous control connections, unexpected peer relationships, rare peer-type and system-IP combinations, suspicious public IP associations, and other deviations from established SD-WAN topology behavior. These detections help security teams surface unauthorized devices, misconfigurations, infrastructure drift, and potential exploitation attempts targeting SD-WAN components.
The Axios Supply Chain Post Compromise story provides searches that help detect and investigate post-compromise activity that may follow installation of compromised axios npm releases (notably axios@1.14.1 and axios@0.30.4) and the phantom dependency plain-crypto-js@4.2.1 from the March 2026 supply chain incident documented by Huntress, Socket, Step Security, and others. The backdoored packages used a malicious postinstall script to drop a cross-platform remote access trojan with Windows, macOS, and Linux payloads, process staging, and command-and-control beaconing. Use these analytics alongside dependency audits and EDR data to scope impact, prioritize containment, and support recovery on hosts that resolved the malicious versions during the exposure window.
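The dependency audit mentioned above can be scripted against a project's package-lock.json. The following is an added example (not Splunk's or the axios project's code) that walks both the lockfileVersion 2/3 `packages` map and the nested lockfileVersion 1 `dependencies` tree, so a compromised copy pulled in transitively under another package is caught as well as a top-level one; the bad versions are the ones named on this page, and the sample lockfile is constructed for the demonstration.

```python
import json
from pathlib import Path

# Known-bad package versions from the March 2026 axios incident, as named on this page.
COMPROMISED = {
    ("axios", "1.14.1"),
    ("axios", "0.30.4"),
    ("plain-crypto-js", "4.2.1"),
}


def _walk_v1(deps: dict, prefix: str, hits: list) -> None:
    """Recurse through a lockfileVersion 1 'dependencies' tree (children nested per entry)."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if (name, meta.get("version")) in COMPROMISED:
            hits.append((path, name, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_compromised(lock: dict) -> list:
    """Return (install_path, name, version) for every resolved package on the bad list.

    lockfileVersion 2/3 keys 'packages' by install path; the package name is the
    part after the last 'node_modules/' unless an alias sets 'name' explicitly."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if (name, meta.get("version")) in COMPROMISED:
            hits.append((path, name, meta["version"]))
    if "packages" not in lock:  # legacy v1 lockfile
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits)


def audit_lockfile(lockfile_path: str) -> list:
    return find_compromised(json.loads(Path(lockfile_path).read_text()))


# Constructed sample lockfile (not from the incident): a clean top-level axios, a
# nested compromised copy pulled in by a transitive dependency, and the phantom package.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.13.0"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
    },
}

if __name__ == "__main__":
    for path, name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
```

A hit only proves the bad version was resolved into the tree; confirming whether the postinstall script actually ran on a host still needs the process and network telemetry the analytic story covers.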
The team also released the Lotus Blossom Chrysalis Backdoor analytic story, which enables teams to detect and investigate activities related to Lotus Blossom's Chrysalis backdoor supply chain attack. Monitor for DLL side-loading abuse of Bitdefender Submission Wizard, TinyCC shellcode execution with suspicious command-line flags, BluetoothService persistence in user directories, and system information collection via whoami/systeminfo commands.
The Telnetd CVE-2026-24061 story addresses a vulnerability in which an attacker supplies a specially crafted USER environment variable that telnetd passes to login. Because this input isn't sanitized, an attacker can force the system to skip authentication and log in directly as root. Impacting GNU telnetd, this is tracked as CVE-2026-24061 and has a CVSS v3 score of 9.8 (critical). While Telnet is considered an outdated protocol for remote access and command execution, it continues to be used in certain Unix/Linux environments, embedded systems, network devices, and operational technology infrastructure.
The team also published the following blogs:
Previous Security Content Roundups
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one—we're updating them every quarter!