Splunk® Enterprise Security Content Update

Release Notes

What's new

Enterprise Security Content Update version 5.4.0 was released on April 23, 2025 and includes the following enhancements:

Key highlights

The Splunk Threat Research Team has partnered with Cisco Talos to release new analytic stories and detections that significantly improve TDIR efforts for Cisco Secure Firewall alerts. These new ESCU detections go beyond basic alert forwarding and simple string matching to enable advanced detection logic and richer story creation by integrating Snort-based and non-Snort telemetry. Additionally, this content strengthens the ability to detect vulnerability exploitation and track threat actor follow-up activity. This release marks the first in a series focused on expanding ESCU's network detection coverage for Cisco products, driven through continued collaboration between the Splunk Threat Research Team and Cisco Talos team.

Here's a summary of the latest updates:

Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.
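The ESCU detections themselves are Splunk searches; the following is an added Python illustration (not ESCU's or Cisco's own logic) of the aggregation idea behind three of the Cisco Secure Firewall analytics listed under "New analytics": Snort Rule Triggered Across Multiple Hosts, High Volume of Intrusion Events Per Host, and Rare Snort Rule Triggered. The event records, field names (dest_ip, snort_sid) and thresholds are constructed assumptions, not the real firewall schema.

```python
# Added example, not ESCU content: simple aggregations over a batch of intrusion
# events, mirroring the idea of three Cisco Secure Firewall detections. Field names
# and thresholds are assumptions for illustration only.
from collections import Counter, defaultdict

# Constructed sample intrusion events (not real firewall output); one dict per event.
SAMPLE_EVENTS = [
    {"ts": 1000, "dest_ip": "10.0.0.11", "snort_sid": "1:2001", "message": "rule A"},
    {"ts": 1010, "dest_ip": "10.0.0.12", "snort_sid": "1:2001", "message": "rule A"},
    {"ts": 1020, "dest_ip": "10.0.0.13", "snort_sid": "1:2001", "message": "rule A"},
    {"ts": 1030, "dest_ip": "10.0.0.11", "snort_sid": "1:3005", "message": "rule B"},
    {"ts": 1040, "dest_ip": "10.0.0.11", "snort_sid": "1:3005", "message": "rule B"},
    {"ts": 1050, "dest_ip": "10.0.0.11", "snort_sid": "1:3005", "message": "rule B"},
    {"ts": 1060, "dest_ip": "10.0.0.11", "snort_sid": "1:3005", "message": "rule B"},
    {"ts": 1070, "dest_ip": "10.0.0.14", "snort_sid": "1:9999", "message": "rule C"},
]


def rules_across_hosts(events, min_hosts=3):
    """Snort SIDs that fired against at least min_hosts distinct destination hosts.
    One rule hitting many hosts in one window suggests scanning or a spreading campaign."""
    hosts_by_sid = defaultdict(set)
    for e in events:
        hosts_by_sid[e["snort_sid"]].add(e["dest_ip"])
    return {sid: sorted(h) for sid, h in hosts_by_sid.items() if len(h) >= min_hosts}


def noisy_hosts(events, threshold=4):
    """Destination hosts whose intrusion-event count meets or exceeds threshold."""
    per_host = Counter(e["dest_ip"] for e in events)
    return {ip: n for ip, n in per_host.items() if n >= threshold}


def rare_rules(events, max_count=1):
    """Snort SIDs seen at most max_count times in the supplied events; rules that
    almost never fire are worth a look because they are not part of the usual noise."""
    per_sid = Counter(e["snort_sid"] for e in events)
    return {sid: n for sid, n in per_sid.items() if n <= max_count}


if __name__ == "__main__":
    print("across hosts:", rules_across_hosts(SAMPLE_EVENTS))
    print("noisy hosts:", noisy_hosts(SAMPLE_EVENTS))
    print("rare rules:", rare_rules(SAMPLE_EVENTS))
```

In production the same grouping is done with a time window (for example per hour) and thresholds tuned against a baseline, which is what the packaged ESCU searches provide for the real Cisco Secure Firewall event fields.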

AWS Bedrock Security: Released a new analytic story to monitor for adversary techniques targeting AWS Bedrock, a managed service used to build and scale generative AI applications. This includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as high volumes of model invocation failures.

Mapping Threat Campaigns: Several detections have been mapped to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution to TTPs and provide insights into observed behaviors.

New Detections: Introduced additional detections for tactics such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.


New analytic stories

  1. AWS Bedrock Security
  2. Cactus Ransomware
  3. Cisco Secure Firewall Threat Defense Analytics
  4. Earth Alux
  5. Storm-2460 CLFS Zero Day Exploitation
  6. Water Gamayun

New analytics

  1. AWS Bedrock Delete GuardRails
  2. AWS Bedrock Delete Knowledge Base
  3. AWS Bedrock Delete Model Invocation Logging Configuration
  4. AWS Bedrock High Number List Foundation Model Failures
  5. AWS Bedrock Invoke Model Access Denied
  6. Cisco Secure Firewall - Binary File Type Download
  7. Cisco Secure Firewall - Bits Network Activity
  8. Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
  9. Cisco Secure Firewall - Blocked Connection
  10. Cisco Secure Firewall - Communication Over Suspicious Ports
  11. Cisco Secure Firewall - Connection to File Sharing Domain
  12. Cisco Secure Firewall - File Download Over Uncommon Port
  13. Cisco Secure Firewall - High EVE Threat Confidence
  14. Cisco Secure Firewall - High Volume of Intrusion Events Per Host
  15. Cisco Secure Firewall - Malware File Downloaded
  16. Cisco Secure Firewall - Potential Data Exfiltration
  17. Cisco Secure Firewall - Rare Snort Rule Triggered
  18. Cisco Secure Firewall - Repeated Blocked Connections
  19. Cisco Secure Firewall - Repeated Malware Downloads
  20. Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
  21. Cisco Secure Firewall - Wget or Curl Download
  22. CrushFTP Authentication Bypass Exploitation
  23. CrushFTP Max Simultaneous Users From IP
  24. Windows MSC EvilTwin Directory Path Manipulation
  25. Windows PowerShell Invoke-RestMethod IP Information Collection
  26. Windows Shell Process from CrushFTP
  27. Windows WMIC Shadowcopy Delete

Other updates

  • Reverted several searches to use | join instead of prestats = t due to bugs encountered in the search logic.
  • Removed Detections - As announced in the ESCU v5.2.0 release notes, we have removed some detections; use the replacements where appropriate. We have also deprecated a new set of detections that are scheduled to be removed in ESCU v5.6.0.
  • Updated deprecation_info lookup to have the latest information about the deprecated and removed detections.
Last modified on 23 April, 2025
 

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.4.0

