Bump contentctl.yml to 5.22.0 (#3894)

patel-bhavin · research bot · ljstella · web-flow · commit d13e377a278a · 2026-02-10T10:27:49.000+05:30
* chore: bump contentctl.yml to 5.22.0

* remove detections

---------

Co-authored-by: research bot &lt;research@splunk.com&gt;
Co-authored-by: Lou Stella &lt;ljstella@gmail.com&gt;
diff --git a/contentctl.yml b/contentctl.yml
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.21.0
+  version: 5.22.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
diff --git a/removed/detections/cobalt_strike_named_pipes.yml b/removed/detections/cobalt_strike_named_pipes.yml
@@ -3,7 +3,7 @@ id: 5876d429-0240-4709-8b93-ea8330b411b5
 version: 13
 date: '2025-12-04'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects the use of default or publicly known named
   pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify
diff --git a/removed/detections/http_suspicious_tool_user_agent.yml b/removed/detections/http_suspicious_tool_user_agent.yml
@@ -3,7 +3,7 @@ id: 1ca76190-4997-4d19-b5bc-9e220b70c7d3
 version: 2
 date: '2025-10-09'
 author: Raven Tait, Splunk
-status: deprecated
+status: removed
 type: Anomaly
 description: This Splunk query analyzes web access logs to identify and categorize 
   non-browser user agents, detecting various types of security tools, scripting languages,
