This release includes 2 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Moderate signal: ESCU v6.1.0 removes five detection capabilities and deprecates the contentctl tool while adding metadata timestamps to detections.
Why it matters: If your security workflows rely on the CHCP, Sc exe, netsh, Ivanti Sentry, or certificate-store detections, they will no longer generate alerts; migrate that logic before upgrading. contentctl usage must be replaced with Detection Studio prior to the next release cycle.
Summary
AI summary: Updates https://research.splunk.com/deprecated/b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8/, https://research.splunk.com/deprecated/6bc5243e-ef36-45dc-9b12-f4a6be131159/, and https://research.splunk.com/deprecated/f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d/ across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Breaking | High | Removes CHCP Command Execution detection in ESCU v6.1.0. | — |
| Breaking | High | Removes Sc exe Manipulating Windows Services detection in ESCU v6.1.0. | — |
| Breaking | High | Removes Processes launching netsh detection in ESCU v6.1.0. | — |
| Breaking | High | Removes Ivanti Sentry Authentication Bypass detection in ESCU v6.1.0. | — |
| Breaking | High | Removes Attempt To Add Certificate To Untrusted Store detection in ESCU v6.1.0. | — |
| Feature | Medium | Adds creation and modification dates to detections, analytic stories, and related content. | — |
| Feature | Medium | Changes detection workflow: notable events now create tagged Findings instead of separate Intermediate Findings for every entity. | — |
| Refactor | Low | Deprecates contentctl tool; future investment shifts to Detection Studio. | — |
Full changelog
🚀 Key Highlights
ESCU 6.0.0 is a major release that includes a number of changes for better alignment with Enterprise Security v8.x+ features.
Please note that all content has been updated in this release, resulting in cleaner, more readable .conf files.
🔍 Expanded Finding and Intermediate Finding Support 🔎
Detections that previously created Notable Events, and then Findings with a 0 score “N/A” entity will now create a Finding with an appropriately tagged entity from the search results, with the score that previously would have been used for a risk event/Intermediate Finding for that entity.
Because of the shift to tagging entities to Findings, fewer total Intermediate Findings may be created for some detections, as we won’t be separately creating Intermediate Findings for every entity.
🗓️ Increased Clarity on Content Creation Date vs Modification Date 🗓️
Detections, Analytic Stories, and other content now carry both a creation date and a modification date (depending on where you view them), indicating when we first created them and when we last modified them.
🛠️ Repository Tooling Updates 🛠️
ESCU v6.0 marks the transition away from contentctl. We are shifting future investment from contentctl to Detection Studio as we work to bring this functionality into Splunk as an officially supported capability. The contentctl repository will remain publicly available for reference, forking, and customization, but continued use may require customer-managed customization. For more information, see https://github.com/splunk/contentctl/blob/main/README.md
Future Breaking Changes
As previously communicated in ESCU v5.27.0, a number of detections will be removed in v6.1.0. For details on detections scheduled for removal in ESCU version v6.1.0, see the List of Detections Scheduled for Removal.
List of detections scheduled for removal in ESCU version 6.1.0
| Deprecated Detection | Replacement Detection |
|---|---|
| CHCP Command Execution | Not Available |
| Sc exe Manipulating Windows Services | Not Available |
| Processes launching netsh | Not Available |
| Ivanti Sentry Authentication Bypass | Not Available |
| Attempt To Add Certificate To Untrusted Store | Not Available |
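Before upgrading to v6.1.0 it is worth checking whether any local saved searches still depend on the five detections listed above. The following script is an added example, not part of this release or of the ESCU project; it parses a savedsearches.conf-style file, flags stanzas whose name or search string references a detection scheduled for removal, and assumes ESCU's "ESCU - <title> - Rule" stanza naming. The sample config is constructed.

```python
import re
from typing import Dict, List

# Detections the release notes list for removal in ESCU v6.1.0.
REMOVED_IN_6_1_0 = [
    "CHCP Command Execution",
    "Sc exe Manipulating Windows Services",
    "Processes launching netsh",
    "Ivanti Sentry Authentication Bypass",
    "Attempt To Add Certificate To Untrusted Store",
]

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse a savedsearches.conf-style file into {stanza_name: {key: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _normalise(text: str) -> str:
    """Case-insensitive, whitespace-collapsed form for loose title matching."""
    return re.sub(r"\s+", " ", text).strip().lower()


def find_dependencies(conf_text: str, removed: List[str] = REMOVED_IN_6_1_0) -> List[str]:
    """Return stanza names that are, or reference, a detection slated for removal.

    Assumption: ESCU saved searches are named "ESCU - <title> - Rule", so a title
    match on the stanza name catches the shipped detection, while a match on the
    search string catches local searches built on top of it.
    """
    hits = []
    for stanza, keys in parse_stanzas(conf_text).items():
        haystack = _normalise(stanza + " " + keys.get("search", ""))
        if any(_normalise(title) in haystack for title in removed):
            hits.append(stanza)
    return hits


# Constructed sample config, not a real customer file.
SAMPLE_CONF = """
[ESCU - CHCP Command Execution - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name=chcp.com
disabled = 0

[Local - Processes launching netsh (tuned)]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe
disabled = 0

[Local - Suspicious sc.exe usage]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name=sc.exe
disabled = 1
"""
```

Stanzas that merely mention sc.exe are not flagged; only the listed detection titles count as dependencies, so review the remaining hits by hand for coverage gaps.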
List of detections deprecated in ESCU version 6.0.0
| Deprecated Detection | Replacement Detection |
|---|---|
Breaking Changes
- Detections CHCP Command Execution, Sc exe Manipulating Windows Services, Processes launching netsh, Ivanti Sentry Authentication Bypass, and Attempt To Add Certificate To Untrusted Store are deprecated and will be removed in ESCU v6.1.0.
- Transition away from contentctl tooling; future investment shifts to Detection Studio.