What's new

Enterprise Security Content Updates version 5.4.0 was released on April 23, 2025 and includes the following enhancements:

Key highlights

Splunk Enterprise Security Content Update version 5.5.0 releases new analytic stories and detections to strengthen the visibility and defense of your security environment.

Here's a summary of the latest updates:

SAP NetWeaver Exploitation: A new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for "SAP NetWeaver Visual Composer Exploitation Attempt" to catch early signs of exploitation. For more information about this vulnerability, see Critical vulnerability in SAP NetWeaver enables malicious file uploads.

AMOS Stealer Analytics: Added a new analytic story for AMOS Stealer and introduced the "MacOS AMOS Stealer – Virtual Machine Check Activity" detection which looks for the execution of the "osascript" command along with specific commandline strings.

Additional Windows Detections: Shipped three new Windows-focused detections to improve visibility into post-compromise activity. The first identifies reconnaissance by monitoring built-in log query utilities against the Windows Event Log, the second alerts when an adversary clears the Event Log via Wevtutil, and a third that detects malicious file downloads executed through the CertUtil utility.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New analytic stories

New analytics

Other updates

Updated the is_nirsoft_software lookup with additional nirsoft tooling.
Updated the attack_data links for several detections.

Related answers from Splunk Community

What's new

Key highlights

New analytic stories

New analytics

Other updates

Comments

What's new

Was this topic useful?