What Changed
Fixed ARM template deployment failure in the Cyren-SentinelOne threat intelligence connector that was preventing successful installation from Content Hub. The inner Logic App template had an invalid variable reference causing InvalidTemplate errors during deployment.
Security Impact
Deployments running version 3.0.0 have had a complete deployment failure since installation — the connector could not be deployed at all from Content Hub, resulting in zero threat intelligence data ingestion. The ARM template error occurred during the initial deployment phase, meaning affected organizations had no Cyren threat intelligence visibility in their Sentinel workspace.
The fix ensures the Logic App playbook can properly reference the target Log Analytics workspace during ARM template evaluation, restoring the ability to:
- Ingest Cyren threat intelligence indicators via CCF polling
- Push IOCs to SentinelOne via their Threat Intelligence API
- Maintain 6-hour recurrence for fresh threat data
Technical Details
The root cause was an ARM template variable evaluation scope issue in the inner Logic App template. The workspaceResourceId variable used parameters('workspace') directly inside double-bracket ([[) expressions, which failed to resolve the parameter value at deployment time and inlined it as a bare identifier.
The fix adopts the same pattern used in the verified TacitRed-SentinelOne connector: the expression references variables('workspace-name'), where workspace-name is set to parameters('workspace') and is evaluated at the outer scope.
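A pre-packaging check for this class of error, as an added example (not code from the connector or this change): it walks a template, finds inner templates, and flags escaped `[[` expressions that reference a parameter the inner template does not declare. The properties.mainTemplate / properties.template nesting, the function names, and the BROKEN and FIXED samples are assumptions constructed for illustration.

```python
import re

PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")

def inner_templates(node):
    """Yield nested templates found under properties.mainTemplate or properties.template."""
    if isinstance(node, dict):
        props = node.get("properties")
        if isinstance(props, dict):
            for key in ("mainTemplate", "template"):
                if isinstance(props.get(key), dict):
                    yield props[key]
        for value in node.values():
            yield from inner_templates(value)
    elif isinstance(node, list):
        for value in node:
            yield from inner_templates(value)

def strings(node, path=""):
    """Yield (json_path, string) for every string value below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from strings(value, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node

def undeclared_inner_params(template):
    """Return (path, name) for escaped expressions using a parameter the inner template lacks."""
    findings = []
    for inner in inner_templates(template):
        declared = set(inner.get("parameters", {}))
        for path, value in strings(inner):
            if value.startswith("[["):  # escaped: evaluated when the inner template deploys
                findings += [(path, n) for n in PARAM_REF.findall(value) if n not in declared]
    return findings

def sample(inner_variables):
    """Constructed outer template wrapping one inner template (not the real playbook)."""
    inner = {"parameters": {"PlaybookName": {"type": "string"}},
             "variables": inner_variables, "resources": []}
    return {"parameters": {"workspace": {"type": "string"}},
            "resources": [{"properties": {"mainTemplate": inner}}]}

WS = "'Microsoft.OperationalInsights/workspaces'"
BROKEN = sample({"workspaceResourceId": f"[[resourceId({WS}, parameters('workspace'))]"})
FIXED = sample({"workspace-name": "[parameters('workspace')]",
                "workspaceResourceId": f"[[resourceId({WS}, variables('workspace-name'))]"})
```

In FIXED, the single-bracket workspace-name value is resolved by the outer deployment, so the escaped expression no longer depends on a parameter that exists only at the outer scope.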
Affected Files
Solutions/Cyren-SentinelOne-ThreatIntelligence/Playbooks/CyrenToSentinelOne_Playbook.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_CyrenSentinelOne.json, mainTemplate.json)