What's new
Enterprise Security Content Updates version 5.9.0 was released on July 8th, 2025 and includes the following enhancements:
Key highlights
We released new analytic stories and detections to strengthen visibility and defense.
Following is a summary of the latest updates:
Cisco Network Visibility Module Analytics: Introduced a new analytic story leveraging Cisco NVM telemetry to detect suspicious endpoint network behavior. This release includes 14 analytics and mapped existing detections covering threats such as insecure curl usage, typosquatted Python packages, abuse of native Windows tools such as rundll32 and mshta, and anomalous network connections from uncommon or argument-less processes.
Disk Wiper: Released a new analytic story focused on identifying destructive malware that irreversibly erases disk data, with tagged detections targeting recursive file deletion and raw access to disk volumes and the primary boot record.
CrowdStrike EDR Playbook pack for Splunk SOAR: Shipped a new playbook pack that turns on automated investigation, enrichment, and response using CrowdStrike Falcon, helping security teams streamline endpoint operations with playbooks for actions such as device isolation, process termination, file handling, and denylisting executables.
Huge shoutout to fellow Splunkers Christian Cloutier and Bryan Pluta and our GitHub contributors (sventec, 0xC0FFEEEE) for contributing to this release. These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.
New analytic stories
New analytics
- Cisco NVM - Curl Execution With Insecure Flags
- Cisco NVM - Installation of Typosquatted Python Package
- https://research.splunk.com/endpoint/65224d8b-b95d-44ec-bb44-408d830c1258
- Cisco NVM - Non-Network Binary Making Network Connection
- Cisco NVM - Outbound Connection to Suspicious Port
- Cisco NVM - Rclone Execution With Network Activity
- Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
- Cisco NVM - Susp Script From Archive Triggering Network Activity
- Cisco NVM - Suspicious Download From File Sharing Website
- Cisco NVM - Suspicious File Download via Headless Browser
- Cisco NVM - Suspicious Network Connection From Process With No Args
- Cisco NVM - Suspicious Network Connection Initiated via MsXsl
- Cisco NVM - Suspicious Network Connection to IP Lookup Service API
- Cisco NVM - Webserver Download From File Sharing Website
- CrowdStrike Falcon Stream Alerts (Internal Contributor: Bryan Pluta)
- Linux Auditd Auditd Daemon Abort
- Linux Auditd Auditd Daemon Shutdown
- Linux Auditd Auditd Daemon Start
- Windows File Download Via PowerShell
Updated analytics
The following analytics are updated:
- Attacker Tools On Endpoint (External Contributor: @sventec)
- O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE)
Other updates
Updated all content to use the latest links for Splunk Documentation: https://help.splunk.com/
Lookups added
- suspicious_ports_list
- typo_squatted_python_packages
Playbooks added
(Internal Contributor: Christian Cloutier)
- CrowdStrike OAuth API Endpoint Analysis
- CrowdStrike OAuth API Executable Denylisting
- CrowdStrike OAuth API File Collection
- CrowdStrike OAuth API File Eviction
- CrowdStrike OAuth API File Restore
- CrowdStrike OAuth API Get Device Info
- CrowdStrike OAuth API Network Isolation
- CrowdStrike OAuth API Network Restore
- CrowdStrike OAuth API Process Termination