Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers all the security content developed February - April 2024. Jump straight to the updates below, or read on to learn more about:
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
Take advantage of security content in two ways:
Both apps allow you to deploy over 1,600 out-of-the-box searches to start detecting, investigating and responding to threats. You can also browse the full security content repository at research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of all the security content developed from February - April 2024.
Snake Keylogger is malware that covertly records keystrokes on infected devices. You can read the Splunk Threat Research Team’s analysis of Snake Keylogger and find detections in the Snake Keylogger analytic story to search for activities related to:
The Office 365 Collection Techniques analytic story includes detections to monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. To learn more, check out:
Administrators use Windows AppLocker to specify who is allowed to run particular applications in their organization. This analytic story contains detections for events related to monitoring and managing AppLocker policies, including:
Lastly, the Okta Account Takeover analytic story contains detections designed to identify unauthorized access and potential takeover attempts of Okta accounts. The Zscaler Browser Proxy Threats analytic story helps you detect and investigate unusual activities related to Zscaler.
The Phemedrone Stealer analytic story helps detect activity related to Phemedrone, a sophisticated malware used to steal sensitive data. Check out Unveiling Phemedrone Stealer: Threat Analysis and Detections to learn more.
The JetBrains TeamCity Vulnerabilities analytic story provides content to help defenders detect and respond to activities related to CVE-2024-27198 and CVE-2024-27199, which make it possible for unauthenticated attackers to gain administrative control or execute code remotely on affected TeamCity servers.
For more information on these vulnerabilities and the analytic story created by the Splunk Threat Research Team, read Security Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199.
In February 2024, Mandiant identified that APT29 was using a backdoor called WINELOADER to target German political parties. To help defenders detect and respond to this threat, the Splunk Threat Research Team created this analytic story. For additional details, check out From Water to Wine: An Analysis of WINELOADER.
The Outlook RCE CVE-2024-21378 analytic story contains security content to help detect activity potentially related to the CVE-2024-21378 vulnerability, which allows attackers to execute code remotely upon successful authentication.
Lastly, this analytic story provides detections related to ConnectWise ScreenConnect vulnerabilities, while this analytic story includes detections to help address known vulnerabilities in WordPress plugins and themes.
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!