Splunk Security Content for Threat Detection & Response: May Recap
Security | Splunk Threat Research Team

In May, the Splunk Threat Research Team (STRT) had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.27 and v6.0.0). With these releases, there are 2 analytic stories and 67 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
We are excited to announce updates to how we deliver security content. While much of the work is behind the scenes, the result is a more reliable ESCU experience and a stronger platform for STRT to deliver high-quality detection content faster and more consistently in future releases. In v6.0.0 we delivered the next generation of security content by establishing a stronger foundation for Enterprise Security 8.x workflows and improving how detections create actionable Findings.
- With cleaner entity tagging, more accurate scoring, clearer creation and modification metadata, and a modernized internal tooling pipeline for validating, packaging, and publishing content, this release enables more consistent, transparent, and scalable security content delivery.
- Detections that previously created Notable Events, and then Findings with a 0 score “N/A” entity will now create a Finding with an appropriately tagged entity from the search results, with the score that previously would have been used for a risk event/Intermediate Finding for that entity.
- Because of the shift to tagging entities to Findings, fewer total Intermediate Findings may be created for some detections, as we won’t be separately creating Intermediate Findings for every entity.
- Detections, Analytic Stories, and other content objects (depending on where you view them) now carry both a creation date and a modification date, indicating when we first created them and when we last modified them.
- ESCU v6.0 marks the transition away from contentctl. We are shifting future investment from contentctl to Detection Studio as we work to bring this functionality into Splunk as an officially supported capability. The contentctl repository will remain publicly available for reference, forking, and customization, but continued use may require customer-managed customization.
Content Highlights Include:
• Linux Copy Fail Privilege Escalation (CVE-2026-31431): Added a new detection: Linux Auditd Copy Fail Privilege Escalation to identify exploitation of the Copy Fail vulnerability, a Linux kernel flaw that enables unprivileged users to perform controlled writes to file page cache and escalate privileges to root.
• Cisco Secure Access Analytics: Introduced a new analytic story for Cisco Secure Access, leveraging firewall telemetry to detect suspicious access patterns. This release also updates the existing detections Large ICMP Traffic, Outbound SMB Traffic, Outbound LDAP Traffic, and Windows RDP Network Brute Force Attempts so that they operate on Cisco Secure Access Firewall data; the updates were validated through simulated attack scenarios to improve visibility into adversary activity traversing modern cloud-delivered security controls.
• Windows Threat Detection Expansion: Expanded coverage across multiple analytic stories with a broad set of new detections targeting modern Windows attack techniques, including PowerShell abuse, process injection, privilege escalation, registry manipulation, cloud and Azure activity, RMM tool usage, and C2 frameworks such as Cobalt Strike, Metasploit, and custom agents.
• VIP Keylogger (.NET Stealer) Detection Coverage: Introduced new analytics to strengthen detection of VIP Keylogger and related .NET-based infostealers by focusing on behavioral indicators of stealthy execution and persistence.
For all our tools and security content, please visit research.splunk.com.