Security: Splunk Threat Research Team - Security Content AMA

Community Office Hours

Published on 11-19-2025 07:32 AM by Splunk Employee | Updated on 03-23-2026 02:25 PM

[Register Here] This thread is for the Community Office Hours session on Security: Splunk Threat Research Team - Security Content AMA on Wednesday, Jan 21, 2026 at 11 am PT / 2 pm ET


Ask the experts at Community Office Hours! An ongoing series where technical Splunk experts answer questions and provide how-to guidance on various Splunk product and use case topics.

 

What can I ask in this AMA?

  • What are the latest security content updates from the Splunk Threat Research Team? 
  • What are the best practices for implementing the Splunk Technology Add-on for Ollama? 
  • What tips and tricks can help leverage Splunk Attack Range, Contentctl, and other resources developed by the Splunk Threat Research Team? 
  • What new analytic stories and detections cover AI-enabled workflows, to help you detect and respond to emerging threats across critical enterprise platforms? 
  • How do the detections work across the integration between Cisco Talos and Splunk? 
  • Any specific questions you have when you use the out-of-the-box detections?  
  • Any other questions about the team’s content and resources! 

  

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (sign in with SSO here). 

 

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

 

Look forward to connecting!



ArifV
Splunk Employee

Hi everyone! Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel) 

 

Q1: What are the latest security content updates from the Splunk Threat Research Team?

A:

 
  • Technical research & blogs:
    In the last quarter, we published 5+ deep-dive blogs and community updates covering emerging threats such as Castle RAT, PromptFlux / SesameOp, React2Shell RCE, LLM-driven malware concepts, and quarterly/monthly security content recaps.

 

Q2: What new analytic stories and detections are AI-enabled workflows that detect and respond to emerging threats across critical enterprise platforms?

A:

  • AI & GenAI abuse detection
    New analytic stories for Shadow AI (local LLMs like Ollama) and Microsoft 365 Copilot to detect unauthorized AI usage, prompt injection, anomalous API activity, data/model exfiltration, and compromised identities.

  • Malware leveraging AI
    Expanded detections for LokiBot and new coverage for PromptLock, a GenAI-driven ransomware PoC, detecting malicious AI model usage, suspicious DNS activity, automated script generation, and encryption behavior.

  • AI-accelerated detection development
    Building an AI-assisted workflow to speed up creation, testing, and validation of detection YAMLs for faster response to emerging threats.

 

Q3. I'd like to know how to detect an active incursion or other C2C communications

A:

Analytic stories around Shadow IT and Usage of AI:

- Remote Monitoring and Management Software
- Scattered Lapsus$ Hunters
- Suspicious User Agents
- NetSupport RMM Tool Abuse
- Suspicious Local LLM Frameworks
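The following is an added example, not content from the Splunk Threat Research Team, from this thread, or from any shipped detection: it sketches in plain Python the kind of logic the "Suspicious Local LLM Frameworks" (Q2's Shadow AI coverage) and "Suspicious User Agents" (Q3) analytic stories express in SPL, run over a handful of constructed endpoint and proxy events. The process-name list, the user-agent patterns and all sample events are assumptions made for illustration; the only documented values are the default listen ports of Ollama (11434) and LM Studio (1234).

```python
"""Added example: a plain-Python sketch of the detection logic behind the
"Suspicious Local LLM Frameworks" and "Suspicious User Agents" analytic
stories named above. Not Splunk Threat Research Team content; process names,
user-agent patterns and all events are constructed for illustration."""
from collections import defaultdict
import re

# Illustrative local-LLM server binaries (an assumption of this example).
LOCAL_LLM_PROCESSES = {"ollama", "ollama.exe", "lms", "llama-server", "koboldcpp"}
# Documented default listen ports: Ollama 11434, LM Studio 1234.
LOCAL_LLM_PORTS = {11434, 1234}
# Fragments typical of scripted clients rather than browsers; an empty UA also
# matches. Illustrative only; real content carries a curated list.
TOOLING_UA = re.compile(
    r"python-requests|python-urllib|curl/|wget/|go-http-client|powershell|^$", re.I)

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed sample events: process starts, one local connection, proxy hits.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "user": "alice",
     "process": "ollama", "cmdline": "ollama serve"},
    {"type": "process", "host": "ws-02", "user": "bob",
     "process": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "network", "host": "ws-03", "user": "carol",
     "dest_ip": "127.0.0.1", "dest_port": 11434},
    {"type": "proxy", "host": "ws-01", "user": "alice",
     "dest": "www.example.com", "user_agent": CHROME_UA},
    {"type": "proxy", "host": "ws-02", "user": "bob",
     "dest": "www.example.com", "user_agent": CHROME_UA},
    {"type": "proxy", "host": "ws-04", "user": "dave",
     "dest": "203.0.113.7", "user_agent": "python-requests/2.31.0"},
    {"type": "proxy", "host": "ws-05", "user": "erin",
     "dest": "203.0.113.9", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
]


def detect_local_llm_frameworks(events):
    """Flag launches of local LLM servers and connections to their default ports."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["process"].lower() in LOCAL_LLM_PROCESSES:
            findings.append({"rule": "local_llm_process", "host": ev["host"],
                             "user": ev["user"], "evidence": ev["cmdline"]})
        elif ev["type"] == "network" and ev.get("dest_port") in LOCAL_LLM_PORTS:
            findings.append({"rule": "local_llm_port", "host": ev["host"],
                             "user": ev["user"],
                             "evidence": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return findings


def detect_suspicious_user_agents(events, rarity_threshold=1):
    """Flag proxy events whose user agent matches a tooling pattern or is seen on
    no more than `rarity_threshold` distinct hosts. The rarity check is the
    long-tail hunt: a custom C2 implant tends to carry a UA nobody else uses.
    SPL equivalent of the rarity part, roughly:
    ... | stats dc(host) as hosts by http_user_agent | where hosts<=1
    """
    proxy = [e for e in events if e["type"] == "proxy"]
    hosts_per_ua = defaultdict(set)
    for e in proxy:
        hosts_per_ua[e["user_agent"]].add(e["host"])
    findings = []
    for e in proxy:
        ua = e["user_agent"]
        reasons = []
        if TOOLING_UA.search(ua):
            reasons.append("tooling_ua")
        if len(hosts_per_ua[ua]) <= rarity_threshold:
            reasons.append("rare_ua")
        if reasons:
            findings.append({"rule": "suspicious_user_agent", "host": e["host"],
                             "user": e["user"], "dest": e["dest"],
                             "user_agent": ua, "reasons": reasons})
    return findings


def run(events):
    """Run both detections and return the combined findings in event order."""
    return detect_local_llm_frameworks(events) + detect_suspicious_user_agents(events)


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data the first detection fires on the `ollama serve` launch and on the loopback connection to 11434, while the second fires on the `python-requests` client (tooling pattern and rare) and on the MSIE 6.0 string seen on a single host (rare only); the Chrome UA shared by two hosts stays quiet. The rarity threshold is the knob to tune against your own fleet size before treating the long tail as a C2 indicator.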