Splunk Security Content for Threat Detection & Response: May Recap

Security Splunk Threat Research Team

In May, the Splunk Threat Research Team (STRT) had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.27 and v6.0.0). With this release, there are 2 analytic stories and 67 new analytics now available in Splunk Enterprise Security via the ESCU application update process.

We are excited to announce exciting updates on how we deliver security content. While much of the work is behind the scenes, the result is a more reliable ESCU experience and a stronger platform for STRT to deliver high-quality detection content faster and more consistently in future releases. In V6.0.0 we delivered the next generation of security content by establishing a stronger foundation for Enterprise Security 8.x workflows and improving how detections create actionable Findings.

Content Highlights Include:

Linux Copy Fail Privilege Escalation (CVE-2026-31431): Added a new detection: Linux Auditd Copy Fail Privilege Escalation to identify exploitation of the Copy Fail vulnerability, a Linux kernel flaw that enables unprivileged users to perform controlled writes to file page cache and escalate privileges to root.

Cisco Secure Access Analytics: Introduced a new analytic story for Cisco Secure Access, leveraging firewall telemetry to detect suspicious access patterns. This release includes updates to existing detections: Large ICMP Traffic, Outbound SMB Traffic, Outbound LDAP Traffic, and Windows RDP Network Brute Force Attempts enabling them to operate with Cisco Secure Access Firewall data, validated through simulated attack scenarios to improve visibility into adversary activity traversing modern cloud-delivered security controls.

• Windows Threat Detection Expansion: Expanded coverage across multiple analytic stories with the addition of a broad set of new detections targeting modern Windows attack techniques, including PowerShell abuse, process injection, privilege escalation, registry manipulation, cloud and Azure activity, RMM tool usage, and C2 frameworks such as Cobalt Strike, Metasploit, and custom agents. .

VIP Keylogger (.NET Stealer) Detection Coverage: Introduced new analytics to strengthen detection of VIP Keylogger and related .NET-based infostealers by focusing on behavioral indicators of stealthy execution and persistence.

For all our tools and security content, please visit research.splunk.com.

Related Articles

Announcing General Availability of Cisco Talos Intelligence in Splunk Attack Analyzer
Security
2 Minute Read

Announcing General Availability of Cisco Talos Intelligence in Splunk Attack Analyzer

We are pleased to announce the general availability of Cisco Talos threat intelligence to all Splunk Attack Analyzer customers globally.
Woken by Ransomware, Are We Hypnotized by Tunnel Vision?
Security
4 Minute Read

Woken by Ransomware, Are We Hypnotized by Tunnel Vision?

Splunker Ronald Beiboer examines if ransomware has blinded us to the more invisible attacks and how cybersecurity can help.
Staff Picks for Splunk Security Reading February 2023
Security
3 Minute Read

Staff Picks for Splunk Security Reading February 2023

Explore the latest list of presentations, whitepapers, and customer case studies that our Splunk security experts feel are worth a read.