What's new

Here's a summary of the major changes:

• Better alignment with the features of Splunk Enterprise Security v8.x and higher.

• Detections that created notable events, and then findings with a 0 score "N/A" entity can now create a finding with an appropriately tagged entity from the search results, with the score that previously would have been used.

• Fewer total intermediate findings might be created for some detections due to the shift from tagging entities to findings due to which intermediate findings won't be created for every entity.

• Detections, analytic stories, and so on, depending on where you view them have both creation and modification dates that indicate when we first created them and when we've last modified them.

• ESCU v6.0 marks the transition away from contentctl. We are shifting future investment from contentctl to Detection Studio as we work to bring this functionality into Splunk as an officially supported capability. The contentctl repository remains publicly available for reference, forking, and customization, but continued use might require customer-managed customization. For more information, see https://github.com/splunk/contentctl/blob/main/README.md