
Add gambit security solution #14610

Open
nadavv169 wants to merge 10 commits into Azure:master from gambit-security:add-gambit-security-solution

Conversation

nadavv169 commented Jul 2, 2026

Change(s)

Adds a new Gambit Security solution with a single Codeless Connector Framework (CCF) Push data connector.

  • Data connector GambitSecurityPush — Gambit pushes security-posture policy issues into the customer's Sentinel workspace via the Azure Monitor Logs Ingestion API (DCE + DCR).
  • Table GambitPoliciesIssues_CL (18 columns) — issue identity/state, affected resource + systems, policy metadata, severity, business impact, remediation steps, and timestamps.
  • Parser GambitPoliciesIssues: arg_max(TimeGenerated, *) by IssueId returns the latest state per issue (the _CL table is append-only).
  • Analytic rule Gambit Security - Critical Policy Issue Promotion — scheduled rule that raises an incident on Active, High-severity issues.
  • Logo and sample data included.

Reason for Change(s)

New third-party solution. It lets Gambit Security customers ingest their posture / policy-issue findings into Microsoft Sentinel for correlation, hunting, and incident creation.

How was the Solution/Change tested?

  • Packaged with the V3 tool (createSolutionV3). arm-ttk passes 48/49 — the single failure is the known/expected CCF Push case.
  • Deployed the generated mainTemplate.json to a test Sentinel workspace: the DCE, DCR, and app registration provision successfully.
  • Pushed live sample records through the Logs Ingestion API (HTTP 204) and confirmed ingestion into GambitPoliciesIssues_CL and correct parser output via KQL.

Checklist

  • Solution packaged with the V3 tool
  • Deployed and validated end-to-end in a test workspace
  • Version consistent across manifest, release notes, and package (3.0.0)
  • Partner Center publisher identity finalized (publisherId / support contact) — in progress
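The ingestion path and the parser/rule semantics the PR body describes, as an added example that is not code from this PR or from Gambit Security. It assumes the Logs Ingestion API request shape (POST to the DCE, `/dataCollectionRules/{immutableId}/streams/{stream}`, JSON array body, 204 on success), a placeholder DCE hostname and DCR immutable ID, and column names beyond IssueId/State/Severity/TimeGenerated (PolicyName is an assumed column; the sample rows are constructed). The point it shows is why the analytic rule should read the parser rather than the raw table: because GambitPoliciesIssues_CL is append-only, a plain "Active and High" filter over the raw rows keeps firing for an issue that a later push has already resolved, while the same filter over the arg_max output does not.

```python
"""Logs Ingestion push batch + arg_max parser + Active/High rule, modelled locally.

Added example; column names other than IssueId/State/Severity/TimeGenerated
are assumed, and the DCE/DCR identifiers used by the caller are placeholders.
"""
from __future__ import annotations

import json
from datetime import datetime

STREAM_NAME = "Custom-GambitPoliciesIssues"   # stream declared in the passthrough DCR
API_VERSION = "2023-01-01"                     # Logs Ingestion API version
MAX_BODY_BYTES = 1_000_000                     # per-request body limit of the API

# Constructed sample rows in the _CL shape (subset of columns).
# issue-001 is pushed as Active/High, then pushed again as Resolved: the raw
# table keeps both rows because custom log (_CL) tables are append-only.
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-07-02T08:00:00Z", "IssueId": "issue-001",
     "State": "Active", "Severity": "High", "PolicyName": "Backup Coverage"},
    {"TimeGenerated": "2026-07-02T08:00:00Z", "IssueId": "issue-002",
     "State": "Active", "Severity": "Medium", "PolicyName": "Cost"},
    {"TimeGenerated": "2026-07-02T09:30:00Z", "IssueId": "issue-001",
     "State": "Resolved", "Severity": "High", "PolicyName": "Backup Coverage"},
    {"TimeGenerated": "2026-07-02T09:45:00Z", "IssueId": "issue-003",
     "State": "Active", "Severity": "High", "PolicyName": "Compliance"},
]


def build_ingestion_request(dce_endpoint: str, dcr_immutable_id: str,
                            rows: list[dict], stream: str = STREAM_NAME):
    """Return (url, headers, body) for one Logs Ingestion API POST.

    The Authorization: Bearer header is deliberately left to the caller; the
    token comes from the app registration the connector provisions.
    """
    if not rows:
        raise ValueError("empty batch")
    body = json.dumps(rows, separators=(",", ":")).encode()
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("batch exceeds the 1 MB request limit; split it")
    url = (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream}?api-version={API_VERSION}")
    headers = {"Content-Type": "application/json"}
    return url, headers, body


def _ts(row: dict) -> datetime:
    # TimeGenerated arrives as ISO-8601 with a trailing Z.
    return datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))


def latest_state_per_issue(rows: list[dict]) -> list[dict]:
    """Local equivalent of the parser's `summarize arg_max(TimeGenerated, *) by IssueId`."""
    latest: dict[str, dict] = {}
    for row in rows:
        cur = latest.get(row["IssueId"])
        if cur is None or _ts(row) > _ts(cur):
            latest[row["IssueId"]] = row
    return list(latest.values())


def critical_active_issues(rows: list[dict]) -> list[str]:
    """The analytic rule's predicate: Active and High-severity, as sorted IssueIds."""
    return sorted(r["IssueId"] for r in rows
                  if r["State"] == "Active" and r["Severity"] == "High")


if __name__ == "__main__":
    url, _, body = build_ingestion_request(
        "https://example-dce.ingest.monitor.azure.com",  # placeholder DCE
        "dcr-00000000000000000000000000000000",           # placeholder immutable ID
        SAMPLE_ROWS)
    print(url, len(body), "bytes")
    print("raw table   :", critical_active_issues(SAMPLE_ROWS))
    print("after parser:", critical_active_issues(latest_state_per_issue(SAMPLE_ROWS)))
```

The real POST additionally carries a bearer token for the app registration (scope `https://monitor.azure.com/.default`), and that principal must hold Monitoring Metrics Publisher on the DCR or the API answers 403; the empty-body 204 is the success response the PR reports.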

nadavv169 added 3 commits July 2, 2026 11:44
Single-table CCF Push connector: GambitPoliciesIssues_CL (18 cols), the
Custom-GambitPoliciesIssues stream (passthrough DCR), Deploy button + credential
surfacing, an arg_max parser, and a High/Active issue-promotion analytic rule.
Modeled on the Jamf Protect Push connector.
Logos/GambitSecurity.svg (Gambit logomark) + Sample Data/Custom/GambitPoliciesIssues_CL.json
(4 representative issue rows in the 18-column _CL shape) for the connector-page preview.
Generated Package/ via createSolutionV3 (mainTemplate.json/createUiDefinition/testParameters/zip);
parser + analytic rule now included (powershell-yaml). Swap logo to the black logomark for
Content Hub's light background.
@nadavv169 nadavv169 requested review from a team as code owners July 2, 2026 09:42
@nadavv169 nadavv169 marked this pull request as draft July 2, 2026 09:43
@nadavv169 nadavv169 force-pushed the add-gambit-security-solution branch from d7c9a6d to a184b3d July 2, 2026 09:45
Replace invented policy names/descriptions with real ones from the product catalog
(Backup Coverage / Backup Reliability / Compliance / Cost); categories, business
impacts, and severities were already real enum values.

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new Microsoft Sentinel Content Hub solution for Gambit Security, including a Push (CCF) data connector, parser, analytic rule, packaging templates, and sample data.

Changes:

  • Introduces solution metadata, documentation, release notes, and sample data for Gambit Security.
  • Adds parser + analytic rule templates and a CCF Push connector (DCR + custom table + connector artifacts).
  • Adds solution packaging artifacts (ARM mainTemplate, createUiDefinition, testParameters, and solution data manifest).

Reviewed changes

Copilot reviewed 14 out of 16 changed files in this pull request and generated 9 comments.

File Description
Solutions/GambitSecurity/SolutionMetadata.json Adds solution metadata (publisher/offer/support/categories).
Solutions/GambitSecurity/ReleaseNotes.md Adds initial release notes entry.
Solutions/GambitSecurity/README.md Documents ingestion model, parser usage, rule behavior, and deployment.
Solutions/GambitSecurity/Parsers/GambitPoliciesIssues.yaml Adds parser template to deduplicate to latest issue state.
Solutions/GambitSecurity/Package/testParameters.json Adds ARM test parameters for validation/TTK.
Solutions/GambitSecurity/Package/mainTemplate.json Adds solution ARM packaging template (connector, parser, rule, content package).
Solutions/GambitSecurity/Package/createUiDefinition.json Adds solution deployment UI definition.
Solutions/GambitSecurity/Data/Solution_GambitSecurity.json Adds solution manifest (content inventory + metadata pointer).
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/table_GambitPoliciesIssues.json Adds custom table schema artifact.
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/dataConnector.json Adds Push dataConnector resource artifact.
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/connectorDefinition.json Adds dataConnectorDefinition artifact for UI + deploy button experience.
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/DCR.json Adds Data Collection Rule artifact for the custom stream/table.
Solutions/GambitSecurity/Analytic Rules/GambitCriticalIssuePromotion.yaml Adds scheduled analytic rule template promoting high-severity active issues.
Sample Data/Custom/GambitPoliciesIssues_CL.json Adds sample events for the custom log table.

Comment thread Solutions/GambitSecurity/SolutionMetadata.json
Comment thread Solutions/GambitSecurity/Package/mainTemplate.json
Comment thread Solutions/GambitSecurity/ReleaseNotes.md Outdated
Comment thread Solutions/GambitSecurity/Data/Solution_GambitSecurity.json
Comment thread Solutions/GambitSecurity/Package/mainTemplate.json
Comment thread Solutions/GambitSecurity/Package/mainTemplate.json
Comment on lines +9 to +17
"streamName": "Custom-GambitPoliciesIssues",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"auth": {
"type": "Push",
"AppId": "[[parameters('auth').appId]",
"ServicePrincipalId": "[[parameters('auth').servicePrincipalId]"
},
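Review bot: the hard-coded `"streamName": "Custom-GambitPoliciesIssues"` in the first line of this hunk has to match, character for character, the stream the DCR artifact declares, because the Logs Ingestion API refuses a POST to a stream the DCR does not list; and since that DCR is passthrough, the stream's column list is also the effective schema of GambitPoliciesIssues_CL, so any column change must land in the DCR, the table artifact and the sample data together. The `[[parameters('dcrConfig')...]` and `[[parameters('auth')...]` values are ARM-escaped on purpose so they survive deployment as literal expressions for the Codeless Connector Framework to resolve; that only holds while this file is embedded in mainTemplate.json, which is the packaging path used here.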

Author

Thanks — same as the mainTemplate note: these [[parameters('dcrConfig')... expressions use the CCF Push double-bracket escaping and are evaluated by the Codeless Connector Framework at runtime, not during ARM deployment (mirrors the merged Jamf Protect Push connector). Verified end-to-end — the generated template deploys and provisions the DCE/DCR/app registration successfully.

Comment thread Solutions/GambitSecurity/Analytic Rules/GambitCriticalIssuePromotion.yaml Outdated
Comment thread Solutions/GambitSecurity/SolutionMetadata.json
Azure deploy validates support.email format; set support@gambit.security and a clean
publisherId (both interim placeholders pending real Partner Center identity). Repackaged.
@nadavv169

Author

@microsoft-github-policy-service agree company="Gambit Security"

nadavv169 added 4 commits July 2, 2026 18:11
…lytic-rule fields

- Reconcile solution version to 3.0.0 across manifest, release notes, and package
- Remove empty tactics/relevantTechniques from the analytic rule (posture issues
  do not map to MITRE; empty keys fail schema validation)
@nadavv169 nadavv169 marked this pull request as ready for review July 2, 2026 15:58
v-maheshbh commented Jul 3, 2026
Contributor
Hi @nadavv169

Kindly ensure all CCF files follow the naming convention:
SolutionName_ConnectorDefinition, SolutionName_dataConnector, SolutionName_DCR and that the file name prefix matches the solution name consistently.

Thanks!

Per reviewer request — connectorDefinition/dataConnector/DCR/table files now
carry the GambitSecurity_ prefix (GambitSecurity_ConnectorDefinition,
GambitSecurity_dataConnector, GambitSecurity_DCR, GambitSecurity_Table).
Manifest reference + package regenerated; package content unchanged.

4 participants