Splunk Security Content for Threat Detection & Response: June Recap
Security Splunk Threat Research TeamIn June, the Splunk Threat Research Team (STRT) had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v6.1.0). With this release, there are 5 analytic stories and 34 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
- Cisco Secure Access Threat Detection: New analytics for Cisco Secure Access to identify access to anonymizer and privacy-focused services as well as automated web reconnaissance activity. New detections — Cisco Secure Access Access to Anonymizer Services and Cisco Secure Access Automated Web Reconnaissance via HTTP Access Errors — help uncover attempts to obscure attacker infrastructure, evade attribution, and perform large-scale web application discovery through patterns of abnormal HTTP error responses and suspicious outbound connectivity.
- BlueHammer & RedSun: Added new analytic stories and detections covering the BlueHammer and RedSun exploit families, which abuse Microsoft Defender functionality to achieve privilege escalation and credential access. New analytics detect suspicious Defender engine and signature update activity, non-administrative password changes, abnormal password reset bursts, unauthorized Defender file modifications, and processes interacting with Defender update components, while also introducing support for Windows Security Event ID 4723 (password change attempts) to improve visibility into credential theft and privilege escalation tradecraft associated with these emerging attack techniques.
- Linux Copy Fail Analytics: Expanded Linux detection coverage for Copy Fail (CVE-2026-31431) and related post-exploitation activity with new analytics targeting malformed authentication entries, PF_ALG registration outside normal boot windows, suspicious namespace creation, and process execution with null argv values—behaviors associated with privilege escalation, stealthy execution, and kernel abuse. This release also introduces support for Linux kern.log telemetry through a new data source, providing deeper visibility into low-level system activity and emerging Linux exploitation techniques.
- Salt Typhoon Tradecraft on Cisco IOS XE: Added a new set of analytics focused on Salt Typhoon-style activity targeting Cisco IOS XE devices, providing coverage for reconnaissance, persistence, defense evasion, and unauthorized remote access techniques observed in network infrastructure compromises. New detections identify behaviors such as Guestshell activation and destruction, log clearing sequences, VTY access control tampering, tunnel interface creation, WebUI abuse, remote access probing, and suspicious platform package shell interactions, helping defenders detect adversaries attempting to establish persistence, evade logging, and manipulate Cisco networking infrastructure.
- Cisco SD-WAN Authentication Analytics: New analytics to identify suspicious authentication patterns in Cisco SD-WAN environments, including multiple source IPs authenticating to vManage via SSH and repeated SSH key-based authentications from a single source, helping detect potential credential sharing, unauthorized administrative access, and distributed brute-force or persistence activity targeting SD-WAN management infrastructure.
- PTC Windchill Exploitation Detection Coverage: New analytic story for PTC Windchill Exploitation along with detections for gateway command execution and GW READY/OK probing activity, providing visibility into exploitation attempts targeting Windchill environments. This release also introduces a new Windchill Log4j data source and supporting macro to help defenders identify reconnaissance, command execution, and post-exploitation behaviors against enterprise product lifecycle management (PLM) infrastructure.
For all our tools and security content, please visit research.splunk.com.
Title
Related Articles
Filter
Category
Blog Limit
3
Category
security
Sort Category Shuffle Order
true
Related Articles

Infostealer Campaign against ISPs
The Splunk Threat Research Team observed actors performing minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised.

Asset & Identity for Splunk Enterprise Security - Part 1: Contextualizing Systems
This is part one in a three part series on the Asset & Identity framework in Splunk Enterprise Security, focusing on gaining context on systems being monitored.

Defending Against npm Supply Chain Attacks: A Practical Guide to Detection, Emulation, and Analysis
Protect your software supply chain from npm attacks. Learn to use Package-Inferno and npm-threat-emulation for deep analysis and detection with Splunk SPL.