Splunk Security Content for Threat Detection & Response: May Recap

In May, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.5.0 and v5.6.0). With these releases, there are 13 new analytics and 4 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

SAP NetWeaver Exploitation: New analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. Read more about this vulnerability here.
AMOS Stealer Analytics: New analytic story for AMOS Stealer and introduced the “MacOS AMOS Stealer – Virtual Machine Check Activity” detection which looks for the execution of the "osascript" command along with specific commandline strings.
Cisco Secure Firewall Intrusion Analytics: Six new analytic rules using the Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation via combining the presence of specific snort IDs that are triggered in a short period of time.
Threat Activity by Snort IDs Dashboard: A new dashboard utilizing the Cisco Firewall logs from Estreamer and a carefully crafted lookup that enables the correlation of Snort intrusion identifiers with specific threat-actor, the visualization of device-wide activity and file trends trends, and explores the overall risk profile of the host with events from Splunk Enterprise Security.
New Analytic Story and Threat Mappings: A new analytic story on Fake CAPTCHA campaigns — mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection — and completed comprehensive Xworm RAT threat mapping to ensure good detection coverage.

For all our tools and security content, please visit research.splunk.com.

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Detecting CVE-2020-0601 Exploitation Attempts With Wire & Log Data

Learn two simple techniques for detecting CVE-2020-0601 exploitation attempts using Splunk

Security 4 Min Read

Introducing the PEAK Threat Hunting Framework

Introducing the PEAK Threat Hunting Framework, bringing a fresh perspective to threat hunting and incorporating three distinct types of hunts.

Security 3 Min Read

Staff Picks for Splunk Security Reading September 2023

Our Splunk security experts curated their September 2023 list of presentations, whitepapers, and customer case studies that we feel are worth a read.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.

Learn more about Splunk

Subscribe to our blog

Get the latest articles from Splunk straight to your inbox.

Connect with Splunk on X

Follow @Splunk

Connect with Splunk on Instagram