splunk
diff --git a/‎removed/deprecation_mapping.YML
+89-62 b/‎removed/deprecation_mapping.YML
+89-62
diff --git a/‎detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml renamed to ‎removed/detections/aws_cross_account_activity_from_previously_unseen_account.yml b/‎detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml renamed to ‎removed/detections/aws_cross_account_activity_from_previously_unseen_account.yml
diff --git a/‎detections/deprecated/aws_detect_attach_to_role_policy.yml renamed to ‎removed/detections/aws_detect_attach_to_role_policy.yml b/‎detections/deprecated/aws_detect_attach_to_role_policy.yml renamed to ‎removed/detections/aws_detect_attach_to_role_policy.yml
diff --git a/‎detections/deprecated/aws_detect_permanent_key_creation.yml renamed to ‎removed/detections/aws_detect_permanent_key_creation.yml b/‎detections/deprecated/aws_detect_permanent_key_creation.yml renamed to ‎removed/detections/aws_detect_permanent_key_creation.yml
diff --git a/‎detections/deprecated/aws_detect_role_creation.yml renamed to ‎removed/detections/aws_detect_role_creation.yml b/‎detections/deprecated/aws_detect_role_creation.yml renamed to ‎removed/detections/aws_detect_role_creation.yml
diff --git a/‎detections/deprecated/aws_detect_sts_assume_role_abuse.yml renamed to ‎removed/detections/aws_detect_sts_assume_role_abuse.yml b/‎detections/deprecated/aws_detect_sts_assume_role_abuse.yml renamed to ‎removed/detections/aws_detect_sts_assume_role_abuse.yml
diff --git a/‎detections/deprecated/aws_detect_sts_get_session_token_abuse.yml renamed to ‎removed/detections/aws_detect_sts_get_session_token_abuse.yml b/‎detections/deprecated/aws_detect_sts_get_session_token_abuse.yml renamed to ‎removed/detections/aws_detect_sts_get_session_token_abuse.yml
diff --git a/‎detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml renamed to ‎removed/detections/aws_saml_access_by_provider_user_and_principal.yml b/‎detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml renamed to ‎removed/detections/aws_saml_access_by_provider_user_and_principal.yml
diff --git a/‎detections/deprecated/github_actions_disable_security_workflow.yml renamed to ‎removed/detections/github_actions_disable_security_workflow.yml b/‎detections/deprecated/github_actions_disable_security_workflow.yml renamed to ‎removed/detections/github_actions_disable_security_workflow.yml
diff --git a/‎detections/deprecated/github_commit_changes_in_master.yml renamed to ‎removed/detections/github_commit_changes_in_master.yml b/‎detections/deprecated/github_commit_changes_in_master.yml renamed to ‎removed/detections/github_commit_changes_in_master.yml
diff --git a/‎detections/deprecated/github_commit_in_develop.yml renamed to ‎removed/detections/github_commit_in_develop.yml b/‎detections/deprecated/github_commit_in_develop.yml renamed to ‎removed/detections/github_commit_in_develop.yml
diff --git a/‎detections/deprecated/github_dependabot_alert.yml renamed to ‎removed/detections/github_dependabot_alert.yml b/‎detections/deprecated/github_dependabot_alert.yml renamed to ‎removed/detections/github_dependabot_alert.yml
diff --git a/‎detections/deprecated/github_pull_request_from_unknown_user.yml renamed to ‎removed/detections/github_pull_request_from_unknown_user.yml b/‎detections/deprecated/github_pull_request_from_unknown_user.yml renamed to ‎removed/detections/github_pull_request_from_unknown_user.yml
diff --git a/‎detections/deprecated/known_services_killed_by_ransomware.yml renamed to ‎removed/detections/known_services_killed_by_ransomware.yml b/‎detections/deprecated/known_services_killed_by_ransomware.yml renamed to ‎removed/detections/known_services_killed_by_ransomware.yml
diff --git a/‎detections/deprecated/remote_desktop_network_bruteforce.yml renamed to ‎removed/detections/remote_desktop_network_bruteforce.yml b/‎detections/deprecated/remote_desktop_network_bruteforce.yml renamed to ‎removed/detections/remote_desktop_network_bruteforce.yml
diff --git a/‎detections/deprecated/suspicious_driver_loaded_path.yml renamed to ‎removed/detections/suspicious_driver_loaded_path.yml b/‎detections/deprecated/suspicious_driver_loaded_path.yml renamed to ‎removed/detections/suspicious_driver_loaded_path.yml
diff --git a/‎detections/deprecated/suspicious_event_log_service_behavior.yml renamed to ‎removed/detections/suspicious_event_log_service_behavior.yml b/‎detections/deprecated/suspicious_event_log_service_behavior.yml renamed to ‎removed/detections/suspicious_event_log_service_behavior.yml
diff --git a/‎detections/deprecated/suspicious_process_file_path.yml renamed to ‎removed/detections/suspicious_process_file_path.yml b/‎detections/deprecated/suspicious_process_file_path.yml renamed to ‎removed/detections/suspicious_process_file_path.yml
diff --git a/‎stories/deprecated/earth_estries.yml renamed to ‎removed/stories/earth_estries.yml b/‎stories/deprecated/earth_estries.yml renamed to ‎removed/stories/earth_estries.yml
diff --git a/‎stories/deprecated/nexus_apt_threat_activity.yml renamed to ‎removed/stories/nexus_apt_threat_activity.yml b/‎stories/deprecated/nexus_apt_threat_activity.yml renamed to ‎removed/stories/nexus_apt_threat_activity.yml
@@ -1,4 +1,81 @@
 detections:
+  - content: Detect Large Outbound ICMP Packets
+    removed_in_version: 5.6.0
+    reason: Detection has been replaced by a new detection with a more specific name
+    replacement_content:
+    - Detect Large ICMP Traffic
+  - content: Windows Service Created Within Public Path
+    removed_in_version: 5.6.0
+    reason: Detection has been replaced by a new detection with a more specific name
+    replacement_content:
+    - Windows Service Created with Suspicious Service Path
+  - content: GitHub Actions Disable Security Workflow
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - GitHub Organizations Disable Classic Branch Protection Rule
+  - content: Github Commit Changes In Master
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: Github Commit In Develop
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: GitHub Dependabot Alert
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - GitHub Enterprise Disable Dependabot
+  - content: GitHub Pull Request from Unknown User
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: Known Services Killed by Ransomware
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - Windows Security And Backup Services Stop
+  - content: Remote Desktop Network Bruteforce
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - Windows Remote Desktop Network Bruteforce Attempt
+  - content: Suspicious Driver Loaded Path
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - Windows Suspicious Driver Loaded Path
+  - content: Suspicious Event Log Service Behavior
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - Windows Event Logging Service Has Shutdown
+  - content: Suspicious Process File Path
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - Windows Suspicious Process File Path
+  - content: AWS Cross Account Activity From Previously Unseen Account
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+    replacement_content:
+    - AWS Cross Account Activity From Previously Unseen Account
+  - content: aws detect attach to role policy
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: aws detect permanent key creation
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: aws detect role creation
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: aws detect sts assume role abuse
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: aws detect sts get session token abuse
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: AWS SAML Access by Provider User and Principal
+    removed_in_version: 5.4.0
+    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
   - content: Open Redirect in Splunk Web
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
@@ -250,11 +327,7 @@ detections:
       have their specific analytics.
     replacement_content:
     - Microsoft Defender ATP Alerts
-  - content: Detect Critical Alerts from Security Tools
-    removed_in_version: 5.2.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-    replacement_content:
-    - Microsoft Defender Incident Alerts
+    - Microsoft Defender Incident Alerts   
   - content: Excel Spawning PowerShell
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
@@ -694,57 +767,6 @@ detections:
   - content: Excel Spawning Windows Script Host
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: GitHub Actions Disable Security Workflow
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Github Commit Changes In Master
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Github Commit In Develop
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: GitHub Dependabot Alert
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: GitHub Pull Request from Unknown User
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Known Services Killed by Ransomware
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Remote Desktop Network Bruteforce
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Suspicious Driver Loaded Path
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Suspicious Event Log Service Behavior
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Suspicious Process File Path
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: AWS Cross Account Activity From Previously Unseen Account
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: aws detect attach to role policy
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: aws detect permanent key creation
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: aws detect role creation
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: aws detect sts assume role abuse
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: aws detect sts get session token abuse
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
-  - content: AWS SAML Access by Provider User and Principal
-    removed_in_version: 5.4.0
-    reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
 baselines:
   - content: Add Prohibited Processes to Enterprise Security
     removed_in_version: 5.2.0
@@ -943,6 +965,16 @@ investigations:
     removed_in_version: 5.2.0
     reason: 'As of Splunk Enterprise Security version 8.0, Splunk Enterprise Security no longer supports Investigations. As such, all Investigations have been deprecated in ES Content Update.'
 stories:
+  - content: Nexus APT Threat Activity
+    removed_in_version: 5.4.0
+    reason: Analytic Story has been replaced by a new analytic story with a more specific name
+    replacement_content:
+    - China-Nexus Threat Activity
+  - content: Earth Estries
+    removed_in_version: 5.4.0
+    reason: Analytic Story has been replaced by a new analytic story with a more specific name
+    replacement_content:
+    - Salt Typhoon
   - content: AWS Cryptomining
     removed_in_version: 5.2.0
     reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity
@@ -1000,9 +1032,4 @@ stories:
     - Suspicious Cloud Instance Activities
   - content: Web Fraud Detection
     removed_in_version: 5.2.0
-    reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity
-  - content: Nexus APT Threat Activity
-    removed_in_version: 5.4.0
-    reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity
-    replacement_content:
-    - China-Nexus Threat Activity
+    reason: Analytic Story deprecated as it no longer effectively identifies the intended malicious activity