Add gambit security solution #14610
Single-table CCF Push connector: GambitPoliciesIssues_CL (18 cols), the Custom-GambitPoliciesIssues stream (passthrough DCR), Deploy button + credential surfacing, an arg_max parser, and a High/Active issue-promotion analytic rule. Modeled on the Jamf Protect Push connector.
Logos/GambitSecurity.svg (Gambit logomark) + Sample Data/Custom/GambitPoliciesIssues_CL.json (4 representative issue rows in the 18-column _CL shape) for the connector-page preview.
Generated Package/ via createSolutionV3 (mainTemplate.json/createUiDefinition/testParameters/zip); parser + analytic rule now included (powershell-yaml). Swap logo to the black logomark for Content Hub's light background.
Replace invented policy names/descriptions with real ones from the product catalog (Backup Coverage / Backup Reliability / Compliance / Cost); categories, business impacts, and severities were already real enum values.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel Content Hub solution for Gambit Security, including a Push (CCF) data connector, parser, analytic rule, packaging templates, and sample data.
Changes:
- Introduces solution metadata, documentation, release notes, and sample data for Gambit Security.
- Adds parser + analytic rule templates and a CCF Push connector (DCR + custom table + connector artifacts).
- Adds solution packaging artifacts (ARM mainTemplate, createUiDefinition, testParameters, and solution data manifest).
Reviewed changes
Copilot reviewed 14 out of 16 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| Solutions/GambitSecurity/SolutionMetadata.json | Adds solution metadata (publisher/offer/support/categories). |
| Solutions/GambitSecurity/ReleaseNotes.md | Adds initial release notes entry. |
| Solutions/GambitSecurity/README.md | Documents ingestion model, parser usage, rule behavior, and deployment. |
| Solutions/GambitSecurity/Parsers/GambitPoliciesIssues.yaml | Adds parser template to deduplicate to latest issue state. |
| Solutions/GambitSecurity/Package/testParameters.json | Adds ARM test parameters for validation/TTK. |
| Solutions/GambitSecurity/Package/mainTemplate.json | Adds solution ARM packaging template (connector, parser, rule, content package). |
| Solutions/GambitSecurity/Package/createUiDefinition.json | Adds solution deployment UI definition. |
| Solutions/GambitSecurity/Data/Solution_GambitSecurity.json | Adds solution manifest (content inventory + metadata pointer). |
| Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/table_GambitPoliciesIssues.json | Adds custom table schema artifact. |
| Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/dataConnector.json | Adds Push dataConnector resource artifact. |
| Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/connectorDefinition.json | Adds dataConnectorDefinition artifact for UI + deploy button experience. |
| Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/DCR.json | Adds Data Collection Rule artifact for the custom stream/table. |
| Solutions/GambitSecurity/Analytic Rules/GambitCriticalIssuePromotion.yaml | Adds scheduled analytic rule template promoting high-severity active issues. |
| Sample Data/Custom/GambitPoliciesIssues_CL.json | Adds sample events for the custom log table. |
| "streamName": "Custom-GambitPoliciesIssues", | ||
| "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", | ||
| "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" | ||
| }, | ||
| "auth": { | ||
| "type": "Push", | ||
| "AppId": "[[parameters('auth').appId]", | ||
| "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]" | ||
| }, |
Thanks — same as the mainTemplate note: these [[parameters('dcrConfig')... expressions use the CCF Push double-bracket escaping and are evaluated by the Codeless Connector Framework at runtime, not during ARM deployment (mirrors the merged Jamf Protect Push connector). Verified end-to-end — the generated template deploys and provisions the DCE/DCR/app registration successfully.
Azure deploy validates support.email format; set support@gambit.security and a clean publisherId (both interim placeholders pending real Partner Center identity). Repackaged.
@microsoft-github-policy-service agree company="Gambit Security"
…lytic-rule fields
- Reconcile solution version to 3.0.0 across manifest, release notes, and package
- Remove empty tactics/relevantTechniques from the analytic rule (posture issues do not map to MITRE; empty keys fail schema validation)

Hi @nadavv169, kindly ensure all CCF files follow the naming convention: Thanks!
Per reviewer request — connectorDefinition/dataConnector/DCR/table files now carry the GambitSecurity_ prefix (GambitSecurity_ConnectorDefinition, GambitSecurity_dataConnector, GambitSecurity_DCR, GambitSecurity_Table). Manifest reference + package regenerated; package content unchanged.
Change(s)
Adds a new Gambit Security solution with a single Codeless Connector Framework (CCF) Push data connector.
- GambitSecurityPush — Gambit pushes security-posture policy issues into the customer's Sentinel workspace via the Azure Monitor Logs Ingestion API (DCE + DCR).
- GambitPoliciesIssues_CL (18 columns) — issue identity/state, affected resource + systems, policy metadata, severity, business impact, remediation steps, and timestamps.
- GambitPoliciesIssues — arg_max(TimeGenerated, *) by IssueId returns the latest state per issue (the _CL table is append-only).
- Gambit Security - Critical Policy Issue Promotion — scheduled rule that raises an incident on Active, High-severity issues.
Reason for Change(s)
New third-party solution. It lets Gambit Security customers ingest their posture / policy-issue findings into Microsoft Sentinel for correlation, hunting, and incident creation.
How was the Solution/Change tested?
- createSolutionV3). arm-ttk passes 48/49 — the single failure is the known/expected CCF Push case.
- mainTemplate.json to a test Sentinel workspace: the DCE, DCR, and app registration provision successfully.
- GambitPoliciesIssues_CL and correct parser output via KQL.
Checklist
publisherId/ support contact) — in progress
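The parser-plus-rule pipeline described in the Change(s) section, as an added example that is not the PR's own Parsers/GambitPoliciesIssues.yaml or Analytic Rules/GambitCriticalIssuePromotion.yaml: a constructed datatable stands in for the append-only GambitPoliciesIssues_CL table, the parser collapses it to the latest row per IssueId with arg_max, and the promotion rule filters that view to Active, High-severity issues. Only TimeGenerated and IssueId are column names taken from the page; Status, Severity, PolicyName and ResourceId, and every row value, are assumptions (the policy names are the four catalog names mentioned in the commits). Paste the whole thing into a Log Analytics query window; nothing here touches a real table.

```kql
// Constructed stand-in for GambitPoliciesIssues_CL (not the PR's Sample Data file).
// Column names other than TimeGenerated and IssueId are assumptions.
let GambitPoliciesIssues_CL = datatable(
    TimeGenerated: datetime, IssueId: string, Status: string,
    Severity: string, PolicyName: string, ResourceId: string)
[
    // iss-001 is pushed as Active, then pushed again as Resolved an hour later.
    datetime(2024-05-01T08:00:00Z), "iss-001", "Active",   "High", "Backup Coverage",    "vm-01",
    datetime(2024-05-01T09:00:00Z), "iss-001", "Resolved", "High", "Backup Coverage",    "vm-01",
    // iss-002 is still Active and High: the only row the rule should promote.
    datetime(2024-05-01T08:05:00Z), "iss-002", "Active",   "High", "Backup Reliability", "vm-02",
    // iss-003 is Active but Low, and iss-004 is High but already Resolved.
    datetime(2024-05-01T08:10:00Z), "iss-003", "Active",   "Low",  "Cost",               "vm-03",
    datetime(2024-05-01T08:15:00Z), "iss-004", "Resolved", "High", "Compliance",         "vm-04",
];
// Parser body: the table is append-only, so every push leaves its older rows in
// place; arg_max keeps the newest row (by TimeGenerated) for each IssueId.
let GambitPoliciesIssues = GambitPoliciesIssues_CL
    | summarize arg_max(TimeGenerated, *) by IssueId;
// Promotion-rule body: filter on the *latest* state, never on the raw _CL rows,
// otherwise iss-001's stale Active row would fire an incident after it was resolved.
GambitPoliciesIssues
| where Status =~ "Active" and Severity =~ "High"
| project TimeGenerated, IssueId, PolicyName, Severity, ResourceId
```

Running the where clause against GambitPoliciesIssues_CL instead of the parser output is the mistake this layout guards against: the raw table still holds iss-001's earlier Active row. One caveat for the scheduled rule: Sentinel bounds TimeGenerated to the rule's query period before the query runs, so arg_max only sees rows inside that window; if Gambit does not re-push unchanged issues, an issue whose latest row is older than the lookback simply will not be evaluated, and the query period should be chosen with that push cadence in mind.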