Splunk Security Content for Threat Detection & Response: May Recap
In May, the Splunk Threat Research Team shipped two releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.5.0 and v5.6.0). Together they add 13 new analytics and 4 new analytic stories, now available in Splunk Enterprise Security through the ESCU application update process.
Content highlights include:
- SAP NetWeaver Exploitation: A new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection, “SAP NetWeaver Visual Composer Exploitation Attempt”, to catch early signs of exploitation. Read more about this vulnerability here.
- AMOS Stealer Analytics: A new analytic story for AMOS Stealer, introducing the “MacOS AMOS Stealer – Virtual Machine Check Activity” detection, which looks for execution of the "osascript" command together with specific command-line strings.
- Cisco Secure Firewall Intrusion Analytics: Six new analytic rules that use the Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation by correlating specific Snort IDs that trigger within a short period of time.
- Threat Activity by Snort IDs Dashboard: A new dashboard that uses the Cisco Firewall logs from eStreamer and a carefully crafted lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host using events from Splunk Enterprise Security.
- New Analytic Story and Threat Mappings: A new analytic story on Fake CAPTCHA campaigns that maps existing detections to observed TTPs and introduces a Windows PowerShell FakeCAPTCHA Clipboard Execution detection, plus a completed, comprehensive Xworm RAT threat mapping to ensure good detection coverage.
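The Cisco Secure Firewall analytics and the Snort IDs dashboard above rest on two pieces of logic: a lookup that maps each Snort ID to a threat activity, and a correlation that fires only when several specific Snort IDs trigger from the same source against the same destination within a short window. The Python below is an added example sketching that logic over constructed events; it is not ESCU's own code, and the Snort IDs, field names and log records are placeholders rather than the real values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup (placeholder SIDs, not the real ESCU/Snort values):
# Snort ID -> threat activity label, as the dashboard lookup would provide.
SNORT_THREAT_LOOKUP = {
    1000001: "Veeam Backup API auth bypass (hypothetical SID)",
    1000002: "Veeam Backup credential access (hypothetical SID)",
    1000003: "Lumma stealer outbound attempt (hypothetical SID)",
}

# Constructed pattern: all SIDs must fire from one src/dest pair within the window.
VEEAM_PATTERN = {1000001, 1000002}

# Constructed intrusion events; field names are illustrative, not the add-on's.
SAMPLE_EVENTS = [
    {"_time": "2025-05-02T10:00:05", "src_ip": "10.1.1.5", "dest_ip": "10.2.0.9", "snort_id": 1000001},
    {"_time": "2025-05-02T10:02:40", "src_ip": "10.1.1.5", "dest_ip": "10.2.0.9", "snort_id": 1000002},
    {"_time": "2025-05-02T10:00:10", "src_ip": "10.1.1.7", "dest_ip": "10.2.0.9", "snort_id": 1000001},
    {"_time": "2025-05-02T11:30:00", "src_ip": "10.1.1.7", "dest_ip": "10.2.0.9", "snort_id": 1000002},
    {"_time": "2025-05-02T10:05:00", "src_ip": "10.1.1.8", "dest_ip": "198.51.100.7", "snort_id": 1000003},
]


def enrich(event):
    """Attach the threat activity label for the event's Snort ID (lookup step)."""
    label = SNORT_THREAT_LOOKUP.get(event["snort_id"], "unmapped")
    return {**event, "threat_activity": label}


def correlate(events, pattern, window_minutes=5):
    """Return (src_ip, dest_ip) pairs for which every SID in `pattern` fired
    within `window_minutes` of each other; one hit per pair."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for ev in events:
        if ev["snort_id"] in pattern:  # ignore SIDs not part of this pattern
            key = (ev["src_ip"], ev["dest_ip"])
            by_pair[key].append((datetime.fromisoformat(ev["_time"]), ev["snort_id"]))
    hits = []
    for pair, observations in by_pair.items():
        observations.sort()
        # Slide a window starting at each observation; alert once the full set is seen.
        for i, (start, _) in enumerate(observations):
            seen = {sid for t, sid in observations[i:] if t - start <= window}
            if pattern <= seen:
                hits.append(pair)
                break
    return hits
```

Only the 10.1.1.5 source trips the 5-minute pattern; 10.1.1.7 fires both SIDs but an hour and a half apart, which the short window correctly ignores.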
For all our tools and security content, please visit research.splunk.com.