What's new

Enterprise Security Content Updates version 5.5.0 was released on May 8, 2025 and includes the following enhancements:

Key highlights

Splunk Enterprise Security Content Update version 5.5.0 releases new analytic stories and detections to strengthen the visibility and defense of your security environment.

Here's a summary of the latest updates:

  • SAP NetWeaver Exploitation: A new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for "SAP NetWeaver Visual Composer Exploitation Attempt" to catch early signs of exploitation. For more information about this vulnerability, see "Critical vulnerability in SAP NetWeaver enables malicious file uploads".
  • AMOS Stealer Analytics: Added a new analytic story for AMOS Stealer and introduced the "MacOS AMOS Stealer – Virtual Machine Check Activity" detection, which looks for the execution of the "osascript" command along with specific command-line strings.
  • Additional Windows Detections: Shipped three new Windows-focused detections to improve visibility into post-compromise activity. The first identifies reconnaissance by monitoring built-in log query utilities against the Windows Event Log, the second alerts when an adversary clears the Event Log via Wevtutil, and the third detects malicious file downloads executed through the CertUtil utility.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

Other updates

  • Updated the is_nirsoft_software lookup with additional NirSoft tooling.
  • Updated the attack_data links for several detections.