Splunk® Enterprise Security Content Update

Release Notes

What's new

Enterprise Security Content Updates version 5.6.0 was released on May 21, 2025 and includes the following enhancements:

Key highlights

Splunk Enterprise Security Content Update version 5.6.0 releases new analytics, dashboard, and threat mappings to strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

Here's a summary of the latest updates:

  • Cisco Secure Firewall Intrusion Analytics: We developed six new analytic rules that use the Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma stealer behaviors (download and outbound connection attempts), and detect Veeam CVE-2023-27532 exploitation activity when a set of specific Snort IDs triggers within a short period of time.
  • Threat Activity by Snort IDs Dashboard: A new dashboard that uses the Cisco Secure Firewall logs from eStreamer and a carefully crafted lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host using events from Splunk Enterprise Security.
  • New Analytic Story and Threat Mappings: We published a new analytic story on Fake CAPTCHA campaigns—mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection—and completed comprehensive Xworm RAT threat mapping to ensure good detection coverage.

New analytic stories

  1. Fake CAPTCHA Campaigns
  2. XWorm

New analytics

  1. Cisco Secure Firewall - High Priority Intrusion Classification
  2. Cisco Secure Firewall - Intrusion Events by Threat Activity
  3. Cisco Secure Firewall - Lumma Stealer Activity
  4. Cisco Secure Firewall - Lumma Stealer Download Attempt
  5. Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
  6. Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
  7. Windows PowerShell FakeCAPTCHA Clipboard Execution
  8. Windows Renamed Powershell Execution

New dashboard

Threat Activity by Snort IDs

Other updates

  • Added two new lookups, cisco_snort_ids_to_threat_mapping and threat_snort_count, that contain information about Snort IDs mapped to specific threat actors.
  • Updated several detections based on customer feedback and bug reports filed as GitHub issues.
  • Removed detections: We removed some detections, as announced in the ESCU v5.4.0 release. For a full list of removed detections in 5.6.0, see List of removed detections in 5.6.0. You must use the replacements, where appropriate. We have also deprecated a new set of detections. For a list of detections that are scheduled to be removed from ESCU version 5.8.0, see List of detections scheduled for removal in ESCU version 5.8.0.
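The Cisco Secure Firewall analytics and the Threat Activity by Snort IDs dashboard described above rest on two mechanisms: a lookup that maps Snort IDs to a threat, and a rule that fires when one host triggers several Snort IDs tied to the same threat within a short window. The following is an added illustration of that logic in Python, not ESCU's own code (ESCU implements it as SPL searches over the real lookups). Every Snort ID, hostname, threat name, log line format and lookup column here is a constructed placeholder; the real contents of cisco_snort_ids_to_threat_mapping and threat_snort_count ship with the release and are not reproduced.

```python
"""Added example (not ESCU's code): simulate lookup-based enrichment of
Snort intrusion events and a multi-SID, time-window correlation rule.
All IDs, hosts, thresholds and the log format are constructed placeholders."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the cisco_snort_ids_to_threat_mapping lookup:
# Snort ID -> threat name. Placeholder values only.
SNORT_ID_TO_THREAT = {
    1000001: "Example Threat A",
    1000002: "Example Threat A",
    1000003: "Example Threat A",
    2000001: "Example Threat B",
}

# Constructed stand-in for the threat_snort_count lookup: how many distinct
# Snort IDs for a threat must be seen on one host before the rule fires.
THREAT_SNORT_COUNT = {"Example Threat A": 2, "Example Threat B": 1}

# "Short period of time" used by the correlation rule (assumed value).
WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse one constructed log line: '<ISO time> host=<name> sid=<int>'."""
    ts, host_field, sid_field = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "host": host_field.split("=", 1)[1],
        "sid": int(sid_field.split("=", 1)[1]),
    }


def enrich(event):
    """Equivalent of a lookup join: tag the event with its mapped threat."""
    event["threat"] = SNORT_ID_TO_THREAT.get(event["sid"], "unmapped")
    return event


def correlate(lines, window=WINDOW):
    """Return sorted (host, threat, sids) tuples for every host/threat pair
    whose distinct Snort IDs reached the threat's threshold inside `window`."""
    events = sorted(
        (enrich(parse_event(line)) for line in lines), key=lambda e: e["time"]
    )
    by_key = defaultdict(list)
    for e in events:
        if e["threat"] != "unmapped":          # unknown SIDs are ignored
            by_key[(e["host"], e["threat"])].append(e)

    hits = []
    for (host, threat), evs in by_key.items():
        needed = THREAT_SNORT_COUNT.get(threat, 1)
        # Sliding window: treat each event as a window start and collect
        # the distinct SIDs seen before start + window.
        for i, start in enumerate(evs):
            sids = {e["sid"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(sids) >= needed:
                hits.append((host, threat, tuple(sorted(sids))))
                break                          # one alert per host/threat
    return sorted(hits)


# Constructed sample intrusion events (not real telemetry).
SAMPLE_LINES = [
    "2025-05-21T10:00:00 host=srv-01 sid=1000001",
    "2025-05-21T10:04:00 host=srv-01 sid=1000002",  # 2 SIDs in 4 min -> fires
    "2025-05-21T10:00:00 host=srv-02 sid=1000001",
    "2025-05-21T11:30:00 host=srv-02 sid=1000003",  # 90 min apart -> no alert
    "2025-05-21T12:00:00 host=srv-03 sid=2000001",  # threshold 1 -> fires
    "2025-05-21T12:01:00 host=srv-03 sid=9999999",  # unmapped SID, ignored
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LINES):
        print(hit)
```

Running the block prints one tuple for srv-01 (two "Example Threat A" SIDs inside the window) and one for srv-03 (a single-SID threat), while srv-02 stays silent because its two SIDs fall outside the window. The lookup-driven threshold is what lets one rule serve several threats without hard-coding SIDs in the search itself, which is the design the new lookups enable.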
Last modified on 21 May, 2025
 

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.6.0

