Splunk Security Content for Threat Detection & Response: May Recap

Security June 20, 2025 Splunk Threat Research Team

In May, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.5.0 and v5.6.0). With these releases, there are 13 new analytics and 4 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

SAP NetWeaver Exploitation: New analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. Read more about this vulnerability here.
AMOS Stealer Analytics: New analytic story for AMOS Stealer and introduced the “MacOS AMOS Stealer – Virtual Machine Check Activity” detection which looks for the execution of the "osascript" command along with specific commandline strings.
Cisco Secure Firewall Intrusion Analytics: Six new analytic rules using the Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation via combining the presence of specific snort IDs that are triggered in a short period of time.

Threat Activity by Snort IDs Dashboard: A new dashboard utilizing the Cisco Firewall logs from Estreamer and a carefully crafted lookup that enables the correlation of Snort intrusion identifiers with specific threat-actor, the visualization of device-wide activity and file trends trends, and explores the overall risk profile of the host with events from Splunk Enterprise Security.

Video
https://www.youtube.com/embed/ZaKxfvqViSQ?si=5-Eh20fn0OOuyLF-

New Analytic Story and Threat Mappings: A new analytic story on Fake CAPTCHA campaigns — mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection — and completed comprehensive Xworm RAT threat mapping to ensure good detection coverage.

For all our tools and security content, please visit research.splunk.com.

Style

two-column

CI/CD Detection Engineering: Splunk's Attack Range, Part 2

Security

7 Minute Read

CI/CD Detection Engineering: Splunk's Attack Range, Part 2

In part 2 of our 3-part series, we walk you through how to use Splunk Security-Content, Attack Range and CircleCI to do detection development, continuous testing and deployment as a workflow in your SOC.

Security

2 Minute Read

Splunk Gets the Hat Trick!

Splunk Enterprise Security was named a leader in SIEM and security analytics by three analyst firms - Forrester, IDC and a third analyst firm. In fact, Splunk is the only SIEM provider to be named a “Leader” in SIEM by all three top analyst reports.

Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter

Security

4 Minute Read

Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter

Curious about threat hunting in Splunk? Wanna brush up on your baddie-finding skills? Here's the place to find every one of our expert articles for hunting with Splunk.

/en_us/blog/fragments/about-splunk

/en_us/blog/fragments/subscribe-footer

Splunk Security Content for Threat Detection &#x26; Response: May Recap

Related Articles

CI/CD Detection Engineering: Splunk's Attack Range, Part 2

Splunk Gets the Hat Trick!

Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter

Splunk Security Content for Threat Detection & Response: May Recap