Merged
Changes from 2 commits
13 changes: 7 additions & 6 deletions Tools/Solutions Analyzer/README.md
@@ -59,12 +59,6 @@ pip install requests json5 azure-kusto-data azure-kusto-ingest azure-identity
| **Tables Index** | [View Tables](https://github.com/oshezaf/sentinelninja/blob/main/Solutions%20Docs/tables-index.md) |
| **Content Index** | [View Content Items](https://github.com/oshezaf/sentinelninja/blob/main/Solutions%20Docs/content-index.md) |

The documentation includes:
- **485 Solutions** with connector and content item details
- **524 Connectors** with collection methods and table mappings
- **1,927 Tables** with schema from Azure Monitor documentation
- **4,930+ Content Items** (analytic rules, hunting queries, playbooks, workbooks, parsers, watchlists)

You can also generate documentation locally using the `--output-dir` parameter (see below).

The documentation includes AI-rendered setup instructions extracted from connector UI definitions.
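Review bot: deleting the hard-coded counts (485 Solutions, 524 Connectors, 1,927 Tables, 4,930+ Content Items) removes the only place the README tells a reader the scale of the generated documentation, and nothing in the hunk points them elsewhere; since the v5.2 entry in this same PR says the generated index page now carries accurate table and content item statistics, add one sentence after "You can also generate documentation locally using the `--output-dir` parameter (see below)." along the lines of "Current solution, connector, table and content item counts are shown on the generated index page." so the information survives without a number in the README that goes stale on every run.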
@@ -178,6 +172,13 @@ See [Override System documentation](script-docs/map_solutions_connectors_tables.

## Version History

### v5.2 - Bug Fixes and Improvements

- Fixed `sanitize_filename()` to handle Windows-invalid characters (`: * ? " < > |`), enabling ~20 previously-missing content files
- Fixed content item filename collisions by including solution name and adding collision detection
- Fixed table page case-insensitive filename collisions on Windows
- Improved index page statistics with accurate table counts and content item metrics

### v5.1 - Documentation Overrides and Additional Information

**Documentation-Only Overrides:**
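Review bot: the `sanitize_filename()` entry lists only `: * ? " < > |` as the handled characters, but `/`, `\` and ASCII control characters are also invalid in Windows filenames, and reserved device names such as CON, NUL and COM1 are rejected regardless of the characters they contain; say whether the function already covers those or extend it, and state what invalid characters are replaced with so readers can predict the generated file names. The two collision entries ("Fixed content item filename collisions by including solution name and adding collision detection", "Fixed table page case-insensitive filename collisions on Windows") should say what happens when a collision is detected (numeric suffix, error, or skipped file), and since default macOS volumes are case-insensitive as well, "on case-insensitive filesystems (Windows, macOS)" describes the fix more accurately than "on Windows". "~20 previously-missing content files" is vague for a changelog; the exact count is known from the run that produced this diff.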
133 changes: 73 additions & 60 deletions Tools/Solutions Analyzer/connectors.csv

10 changes: 10 additions & 0 deletions Tools/Solutions Analyzer/content_items.csv
@@ -3661,10 +3661,20 @@
"","SamsungKnoxAssetIntelligence","workbook","","SamsungKnoxAssetIntelligence.json","","","","","","","","has_query","","","Samsung Knox Asset Intelligence","Samsung Knox Asset Intelligence"
"","workflow","playbook","< 🏡home","Basic-SAPLockUser-STD/workflow.json","Basic-SAPLockUser-STD/readme.md","","","","","","","no_query","","","SAP","SAP"
"","workflow","playbook","< 🏡home","SAPCollectorRemediate-STD/workflow.json","SAPCollectorRemediate-STD/readme.md","","","","","","","has_query","","","SAP","SAP"
"8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d","BTP - Audit log service unavailable","analytic_rule","Identifies SAP BTP subaccounts that have not reported audit logs for an unusual period. This could indicate that the audit log service has been disabled or tampered with, potentially by an attacker attempting to hide malicious activity. It may also indicate service key expiry or SAP BTP service availability problems.","BTP - Audit log service unavailable.yaml","","High","Available","Scheduled","DefenseEvasion","T1562.008","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f","BTP - Build Work Zone unauthorized access and role tampering","analytic_rule","Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone Standard Edition. These events may indicate an attacker accessing restricted resources or removing access controls to cover their tracks.","BTP - Build Work Zone unauthorized access and role tampering.yaml","","High","Available","Scheduled","InitialAccess,Persistence,DefenseEvasion,Impact","T1078,T1531,T1070","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"3f8a2c5e-7b9d-4e1a-8f6c-2d4b9a1e3c7f","BTP - Cloud Identity Service application configuration monitor","analytic_rule","Identifies CRUD operations on Application (SSO Domain/Service Provider) configurations within SAP Cloud Identity Service. This includes both SAML 2.0 and OpenID Connect applications. Unauthorized application creation could indicate an attacker establishing persistent access through a rogue federated application.","BTP - Cloud Identity Service application configuration monitor.yaml","","Medium","Available","Scheduled","CredentialAccess,PrivilegeEscalation","T1606,T1556,T1134","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b","BTP - Cloud Integration access policy tampering","analytic_rule","Identifies changes to access policies in SAP Cloud Integration. Access policies control authorization for integration artifacts, defining which users and roles can access specific integration flows and related content. Unauthorized access policy manipulation could indicate: - Attacker granting themselves access to sensitive integration artifacts - Removal of security controls to enable further malicious activity - Defense evasion by modifying artifact references to hide unauthorized access","BTP - Cloud Integration access policy tampering.yaml","","High","Available","Scheduled","DefenseEvasion,PrivilegeEscalation","T1548,T1222","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d","BTP - Cloud Integration artifact deployment","analytic_rule","Identifies deployment and undeployment of integration artifacts in SAP Cloud Integration. Integration flows are executable code that can process, transform, and route data between systems. Unauthorized artifact deployment could indicate: - Attacker deploying malicious integration flows for data exfiltration - Deployment of rogue code for persistent access - Undeployment of critical integrations causing denial of service","BTP - Cloud Integration artifact deployment.yaml","","High","Available","Scheduled","Execution,Persistence","T1059,T1546","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e","BTP - Cloud Integration JDBC data source changes","analytic_rule","Identifies deployment and undeployment of JDBC data source configurations in SAP Cloud Integration. JDBC data sources contain database connection credentials and configuration that enable integration flows to access backend databases. Unauthorized JDBC data source manipulation could indicate: - Attacker adding rogue database connections for data exfiltration - Credential theft by accessing stored database passwords - Modification of connection strings to redirect traffic to attacker-controlled ","BTP - Cloud Integration JDBC data source changes.yaml","","High","Available","Scheduled","CredentialAccess,LateralMovement","T1552,T1021","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f","BTP - Cloud Integration package import or transport","analytic_rule","Identifies import and transport operations for integration packages and artifacts in SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other artifacts that can be imported from external sources or transported between tenants. Unauthorized package operations could indicate: - Supply chain attack through malicious package import - Lateral movement between environments via artifact transport - Introduction of backdoors or rogue integration logic","BTP - Cloud Integration package import or transport.yaml","","Medium","Available","Scheduled","InitialAccess,Persistence","T1195,T1546","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"8d5f3a1b-9c2e-4f7d-b8a6-1e4c7f9d2b5a","BTP - Cloud Integration tampering with security material","analytic_rule","Identifies operations on security material (credentials, certificates, and keys) within SAP Cloud Integration. This includes credentials (passwords/secrets), X.509 certificates and key pairs, and PGP keys. Unauthorized manipulation of security material could indicate an attacker attempting to: - Gain access to external systems using stored credentials - Intercept or tamper with encrypted communications - Establish persistence through certificate manipulation - Cover tracks by deleting security a","BTP - Cloud Integration tampering with security material.yaml","","Medium","Available","Scheduled","CredentialAccess,DefenseEvasion","T1552,T1070","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"74b243a6-3046-48aa-8b03-e43b3c529cc1","BTP - Failed access attempts across multiple BAS subaccounts","analytic_rule","Identifies failed Business Application Studio access attempts over a predefined number of subaccounts.","BTP - Failed access attempts across multiple BAS subaccounts.yaml","","Medium","Available","Scheduled","Reconnaissance,Discovery","T1595,T1526","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"31997e9a-7447-47f3-8208-4f5d7efe497c","BTP - Malware detected in BAS dev space","analytic_rule","Identifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.","BTP - Malware detected in BAS dev space.yaml","","Medium","Available","Scheduled","ResourceDevelopment,Execution,Persistence","T1584,T1072,T0873","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"6f1e58bd-cd95-4dfb-8883-94207f30929a","BTP - Mass user deletion in a sub account","analytic_rule","Identifies user account deletion activity where the amount of deleted users exceeds a predefined threshold.","BTP - Mass user deletion in a sub account.yaml","","Medium","Available","Scheduled","Impact","T1531,T1485,T1489,T0813,T0826,T0827","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c","BTP - Mass user deletion in SAP Cloud Identity Service","analytic_rule","Identifies mass user deletion activity in SAP Cloud Identity Service where the amount of deleted users exceeds a predefined threshold.","BTP - Mass user deletion in Cloud Identity Service.yaml","","Medium","Available","Scheduled","Impact","T1531,T1485,T1489,T0813,T0826,T0827","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"62357c23-ecdc-4edc-9349-8338063af1ef","BTP - Trust and authorization Identity Provider monitor","analytic_rule","Identifies CRUD operations on Identity Provider settings within a sub account.","BTP - Trust and authorization Identity Provider monitor.yaml","","Medium","Available","Scheduled","CredentialAccess,PrivilegeEscalation","T1606,T1556,T1134","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"7d4e9f2a-8b1c-4a5d-9e3f-6c2b1a0d8e7f","BTP - User added to Cloud Identity Service privileged Administrators list","analytic_rule","Identifies when a user is granted privileged administrator permissions in SAP Cloud Identity Service. These permissions include managing Identity Providers, Service Providers, Users, Groups, and Access controls.","BTP - User added to privileged Administrators list.yaml","","High","Available","Scheduled","LateralMovement,PrivilegeEscalation","T0859,T1078","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"5acbe4cb-a379-4acc-9ad3-28dc48ad33d3","BTP - User added to sensitive privileged role collection","analytic_rule","Identifies identity management actions whereby a user is added to a set of monitored privileged role collections.","BTP - User added to sensitive privileged role collection.yaml","","Low","Available","Scheduled","LateralMovement,PrivilegeEscalation","T0859,T1078","SAPBTPAuditEvents","has_query","","","SAP BTP","SAP BTP"
"","SAPBTPActivity","workbook","","SAPBTPActivity.json","","","","","","","","has_query","","","SAP BTP","SAP BTP"
"c6111e06-11e2-45eb-86ef-28313a06db35","SAP ETD - Execution of Sensitive Function Module","analytic_rule","Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP Source Action: Execute a sensitive function module directly using SE37. *Data Sources: SAP Enterprise Thread Detection Solution - Alerts*","SAPETD-ExecutionofSensitiveFunctionModule.yaml","","Medium","Available","Scheduled","Discovery","","SAPETDAlerts","has_query","","","SAP ETD Cloud","SAP ETD Cloud"
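Review bot: two of the added descriptions are cut off mid-word, "redirect traffic to attacker-controlled " (BTP - Cloud Integration JDBC data source changes) and "Cover tracks by deleting security a" (BTP - Cloud Integration tampering with security material), and both stop at roughly the same length, which looks like a fixed-width truncation in the CSV generator rather than in the source YAML; either raise the limit or cut at a word boundary and append an ellipsis so consumers of content_items.csv can tell the field is incomplete. Separately, the ids on the new Cloud Integration rows (a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d, b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e, c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f, 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b) are sequential hex patterns whose version nibbles are 7, 8, 9 and 5 rather than the 4 of an RFC 4122 random UUID; analytic rule ids must be unique in a workspace, so confirm these match the `id:` field of the upstream YAML files and were not hand-typed during extraction.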