Splunk Security Content for Threat Detection & Response: May Recap

In May, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.5.0 and v5.6.0). With these releases, there are 13 new analytics and 4 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

SAP NetWeaver Exploitation: New analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. Read more about this vulnerability here.
AMOS Stealer Analytics: New analytic story for AMOS Stealer and introduced the “MacOS AMOS Stealer – Virtual Machine Check Activity” detection which looks for the execution of the "osascript" command along with specific commandline strings.
Cisco Secure Firewall Intrusion Analytics: Six new analytic rules using the Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation via combining the presence of specific snort IDs that are triggered in a short period of time.

Threat Activity by Snort IDs Dashboard: A new dashboard utilizing the Cisco Firewall logs from Estreamer and a carefully crafted lookup that enables the correlation of Snort intrusion identifiers with specific threat-actor, the visualization of device-wide activity and file trends trends, and explores the overall risk profile of the host with events from Splunk Enterprise Security.

Video
https://www.youtube.com/embed/ZaKxfvqViSQ?si=5-Eh20fn0OOuyLF-

New Analytic Story and Threat Mappings: A new analytic story on Fake CAPTCHA campaigns — mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection — and completed comprehensive Xworm RAT threat mapping to ensure good detection coverage.

For all our tools and security content, please visit research.splunk.com.

Style

two-column

Security

7 Minute Read

Overcome Cybersecurity Challenges to Improve Digital Resilience

Discover how embracing automation, unifying security operations and tackling security as a data problem helps organizations overcome the challenges posed to cybersecurity effectiveness and digital resilience.

Answered: Your Most Burning Questions About Planning And Operationalizing MITRE ATT&CK

Security

4 Minute Read

Answered: Your Most Burning Questions About Planning And Operationalizing MITRE ATT&CK

You asked, we answered. Splunker Matthias Maier compiled all of your most burning questions about planning and operationalizing MITRE ATT&CK in a blog post. Read all about it here.

Security

12 Minute Read

Previous Security Content Roundups from the Splunk Threat Research Team (STRT)

Recap: Learn about the last four quarters of security content from the Splunk Threat Research Team.

/en_us/blog/fragments/about-splunk

/en_us/blog/fragments/subscribe-footer

Splunk Security Content for Threat Detection &#x26; Response: May Recap

Related Articles

Overcome Cybersecurity Challenges to Improve Digital Resilience

Answered: Your Most Burning Questions About Planning And Operationalizing MITRE ATT&CK

Previous Security Content Roundups from the Splunk Threat Research Team (STRT)

Splunk Security Content for Threat Detection & Response: May Recap