Data Source

Gambit Security is a cloud security posture management (CSPM) platform. This connector ingests policy issues from Gambit posture evaluation into Microsoft Sentinel. Each record is fully denormalized with resource context, affected systems, policy metadata, severity, business impact, and remediation steps.

Data lands in the custom table GambitPoliciesIssues_CL (18 columns). The table is append-only: each issue state change generates a new row.

Ingestion Mechanism

CCF Push model using the Azure Monitor Logs Ingestion API (DCE + DCR). Gambit Security authenticates via an Entra app registration (Monitoring Metrics Publisher role on the DCR) and POSTs records to stream Custom-GambitPoliciesIssues. The DCR uses a passthrough transform (source) since field mapping is performed by Gambit before the push.

Deployment provisions:

  • GambitPoliciesIssues_CL table schema (18 columns)
  • Data Collection Rule (GambitSecurityCustomDCR) and Data Collection Endpoint
  • Entra app registration with Monitoring Metrics Publisher RBAC on the DCR

Five credentials are surfaced in the connector UI post-deploy: Tenant ID, Application ID, Application Secret, DCE URI, DCR Immutable ID, and stream name Custom-GambitPoliciesIssues.

Parser

GambitPoliciesIssues (KQL workspace function) deduplicates the append-only table to the latest state per issue using arg_max(TimeGenerated, *) by IssueId. Always query through this parser, not the raw _CL table, to avoid stale/duplicate-state results.

Detection Surface Unlocked

One bundled Analytic Rule: Gambit Security - Critical Policy Issue Promotion (Scheduled, 1d frequency/period)

Query: GambitPoliciesIssues | where State == “Active” and Severity == “High”

  • Fires AlertPerResult
  • Entity mappings: ResourceDisplayId to Host (HostName) and AzureResource (ResourceId)
  • Custom incident details: PolicyName, PolicyCategories, IssueStatus, AffectedSystems, Environment, RemediationSteps
  • MITRE tactic: Impact / T1490

MITRE Coverage

TechniqueTactic
T1490 - Inhibit System RecoveryImpact

Affected Files

.script/tests/KqlvalidationsTests/CustomFunctions/GambitPoliciesIssues.json
.script/tests/KqlvalidationsTests/CustomTables/GambitPoliciesIssues_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/GambitSecurity.svg
Sample Data/Custom/GambitPoliciesIssues_CL.json
Solutions/GambitSecurity/Analytic Rules/GambitCriticalIssuePromotion.yaml
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/GambitSecurity_ConnectorDefinition.json
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/GambitSecurity_DCR.json
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/GambitSecurity_Table.json
Solutions/GambitSecurity/Data Connectors/GambitSecurity_ccf/GambitSecurity_dataConnector.json
Solutions/GambitSecurity/Package/testParameters.json
Solutions/GambitSecurity/Parsers/GambitPoliciesIssues.yaml
Solutions/GambitSecurity/README.md
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_GambitSecurity.json, createUiDefinition.json, mainTemplate.json)