Splunk Security Content for Threat Detection & Response: January Recap
Security Splunk Threat Research TeamIn January, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v5.20). With this release, there are 5 new analytic stories and 25 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- Browser Hijacking: Introduced a new set of detections focused on browser hijacking techniques that manipulate Chrome configurations, registry settings, and command-line behaviors to persist malicious control, disable updates, and load unauthorized extensions. These detections surface suspicious actions such as disabling Chrome auto-updates, allowlisting or force-loading extensions, and abusing command-line flags to bypass browser security controls.
- Cisco Isovalent Suspicious Activity: Expanded detection coverage leveraging Cisco Isovalent’s kernel-level eBPF telemetry to identify advanced threats targeting Kubernetes and cloud-native environments. New detections focus on high-risk behaviors such as access to cloud metadata services, suspicious process execution, container escape techniques, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network behavior.
- Suspicious User Agents: Introduced enhanced detection coverage to identify suspicious and default user agent strings commonly used by malware, command-and-control frameworks, remote monitoring and management (RMM) tools, and other potentially unwanted applications. These detections focus on uncovering overlooked or hard-coded user agents frequently left unchanged by adversaries, providing network-level visibility into malicious tooling that blends into normal HTTP traffic.
- SesameOp & PromptFlux: Expanded analytic coverage for emerging malware families that abuse legitimate AI service APIs as command-and-control channels, allowing adversaries to hide malicious activity within trusted cloud traffic. This update tags relevant existing detections and introduces a new detection for Windows Potential AppDomainManager Hijack Artifacts Creation, addressing key persistence and injection techniques leveraged by SesameOp and PromptFlux.
- Cisco IOS & Secure Firewall Privileged Activity: Added new detections and risk-based correlation searches to identify high-risk administrative activity targeting Cisco IOS and Cisco Secure Firewall devices. The new detections focus on privileged command execution over HTTP and anomalous SSH behavior, including connections to non-standard ports and suspicious SSH services.
Watch a Demo: Defending Against npm Supply Chain Attacks: A Practical Guide to Detection, Emulation, and Analysis
For all our tools and security content, please visit research.splunk.com.
Title
Related Articles
Filter
Category
Blog Limit
3
Category
security
Sort Category Shuffle Order
true
Related Articles

“Are We Secure?” Lessons Learned From The CISO Of A Leading Saudi Bank
A Splunk customer's presentation at Gartner’s 2018 Security Risk and Management Summit

Detecting SeriousSAM CVE-2021-36934 With Splunk
SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.

Splunk Ranked Number 1 in the 2024 Gartner® Critical Capabilities for Security Information and Event Management
Splunk was ranked as the #1 SIEM solution in all three Use Cases in the 2024 Gartner® Critical Capabilities for Security Information and Event Management report.