Data Connector (WithSecureElementsCCF)
Ingestion Mechanism
The new WithSecureElementsCCF solution (v3.0.0 in the CCF solution namespace) uses the Codeless Connector Framework with OAuth2 authentication against the WithSecure Elements security-events API. Events land in the custom table WsSecurityEvents_CL via a DCR (stream: Custom-WsSecurityEventsRaw_CL). No Azure Function, Storage Account, or Key Vault is required.
Authentication: OAuth2 (client credentials). The client ID and client secret are entered directly in the connector UI rather than referenced from a customer-managed Key Vault, so rotating the secret means re-entering it in the connector configuration; there is no Key Vault reference to update.
DCR Transform Logic
The transformKql enriches raw events with engine-specific activity labels and extracts malware name / infected object fields via case() expressions covering 23 engine types including fileScanning, deepGuard, webTrafficScanning, edr, amsi, teamsScan, oneDriveScan, sharePointScan, emailBreach, and tamperProtection.
Mapped fields include: Engine, Action, Severity, Message, UserName, PersistenceTimestamp, DeviceName, DeviceOsType, MalwareName, InfectedObject, Activity.
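An added example of the transform pattern described above, written here for illustration and not the solution's own transformKql. The raw-stream column names (engine, action, severity, persistenceTimestamp, details, device) and the property names inside details are assumptions about the WithSecure payload and must be checked against the stream declaration in the DCR before use; the page lists the target column names, which are used as-is.

```kusto
// Added example in the style of the page's transformKql; not the solution's own transform.
// Assumed raw columns on Custom-WsSecurityEventsRaw_CL: engine, action, severity,
// persistenceTimestamp, details (dynamic), device (dynamic). Verify against the DCR.
source
| extend
    Engine = tostring(engine),
    Action = tostring(action),
    Severity = tostring(severity),
    PersistenceTimestamp = todatetime(persistenceTimestamp),
    DeviceName = tostring(device.name),          // assumed property of device
    UserName = tostring(details.userName),       // assumed property of details
    Message = tostring(details.message)          // assumed property of details
// Use ingestion time for TimeGenerated; the event's own time stays in PersistenceTimestamp,
// so late-polled events are still attributed to the right moment at query time.
| extend TimeGenerated = now()
// Engine-specific activity label. case() takes condition/value pairs and a final default.
| extend Activity = case(
    Engine == "fileScanning",       strcat("Real-time scanning: ", Action),
    Engine == "deepGuard",          strcat("DeepGuard: ", Action),
    Engine == "webTrafficScanning", strcat("Web traffic scanning: ", Action),
    Engine == "edr",                "EDR detection",
    Engine == "amsi",               strcat("AMSI: ", Action),
    Engine == "tamperProtection",   "Tamper protection event",
    strcat(Engine, ": ", Action))
// Malware name and infected object sit under different detail keys per engine (key names
// below are assumptions). Unmatched engines get "" rather than null so that isempty()
// checks in downstream detections behave the same way for every engine.
| extend
    MalwareName = case(
        Engine in ("fileScanning", "deepGuard", "amsi"), tostring(details.infectionName),
        Engine == "webTrafficScanning",                  tostring(details.categoryName),
        ""),
    InfectedObject = case(
        Engine == "fileScanning",       tostring(details.infectedObject),
        Engine == "webTrafficScanning", tostring(details.url),
        Engine == "amsi",               tostring(details.contentName),
        "")
// Only columns present in WsSecurityEvents_CL are kept at ingestion; drop the raw ones explicitly
// so a schema mismatch shows up in the DCR validation rather than as silently missing data.
| project-away engine, action, severity, persistenceTimestamp, details, device
```

When extending this to the remaining engines, keep the default branch of each case() last; a case() without a default is a syntax error in a DCR transform, and a transform that fails validation blocks the whole stream.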
Detection Surface
WsSecurityEvents_CL exposes endpoint protection events across all WithSecure Elements engines. Detection-relevant event classes include EDR alerts, DeepGuard blocks, web content control, AMSI detections, tamper protection events, and Microsoft 365 scanning (Teams, OneDrive, SharePoint, inbox rules).
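An added analytics-rule style query over the table, written here as an example and not shipped with the solution. It uses only the mapped column names listed above; the Severity string values ("warning", "critical") and the threshold of three events per device per hour are assumptions to tune against real data.

```kusto
// Added example: multi-engine escalation per device. Not part of the WithSecure solution.
// Assumed Severity values: "info", "warning", "critical" (check with: summarize by Severity).
let lookback = 1h;
let high_signal = dynamic(["edr", "deepGuard", "tamperProtection", "amsi"]);
WsSecurityEvents_CL
| where TimeGenerated > ago(lookback)
| where Engine in (high_signal)
// Tamper protection events are interesting at any severity; the rest only when escalated.
| where Severity in ("warning", "critical") or Engine == "tamperProtection"
| summarize
    EventCount = count(),
    Engines    = make_set(Engine, 10),
    Actions    = make_set(Action, 10),
    Malware    = make_set_if(MalwareName, isnotempty(MalwareName), 10),
    Objects    = make_set_if(InfectedObject, isnotempty(InfectedObject), 10),
    Users      = make_set_if(UserName, isnotempty(UserName), 5),
    FirstSeen  = min(PersistenceTimestamp),
    LastSeen   = max(PersistenceTimestamp)
  by DeviceName, DeviceOsType
// Fire on a burst across engines, or on any tamper-protection activity at all.
| where EventCount >= 3 or set_has_element(Engines, "tamperProtection")
| extend Score = EventCount
    + iff(set_has_element(Engines, "tamperProtection"), 10, 0)
    + iff(array_length(Engines) > 1, 5, 0)   // several engines on one host outranks one noisy engine
| project-reorder DeviceName, DeviceOsType, Score, EventCount, Engines, Actions, Malware, Objects, Users, FirstSeen, LastSeen
| order by Score desc
```

Entity mapping for the rule would take DeviceName as the Host entity and Users as Account; the Actions set is kept because a "blocked" DeepGuard event and an "allowed" one on the same host warrant different triage.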
Deprecated Solution (WithSecureElementsViaFunction)
The existing Function App-based solution is bumped to v3.0.3 and marked deprecated in ReleaseNotes.md: customers are directed to migrate to WithSecureElementsCCF. The Function App connector definition JSON is unchanged, providing a transition window. No hard cutoff date is specified in this PR.
Workbook
The existing Top Computers by Infections workbook is ported into the new CCF solution package (WithSecureTopComputersByInfections.json). WorkbooksMetadata.json updated to reference WithSecureElementsCCF as the dependency.
Migration Guidance
Existing Function App deployments should install the WithSecureElementsCCF solution from Content Hub, configure the OAuth2 client credentials, and verify data flow in WsSecurityEvents_CL before decommissioning the Function App, Storage Account, and Key Vault resources. Both solutions ingest to the same WsSecurityEvents_CL table, so detection content referencing that table does not require updates. Two checks are worth running during the overlap: while both connectors poll the same API the same event can be written to the table twice, so keep the overlap short or dedupe on event identity in any query that counts; and confirm that the columns the CCF DCR transform populates (Activity, MalwareName, InfectedObject) are filled in rows arriving after the cutover, since the Function App path populated the table by a different route.
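Added cutover checks to run in Log Analytics, written here as an example and not part of either solution. The cutover timestamp is a placeholder to replace with the time the CCF connector was enabled; the duplicate check assumes that PersistenceTimestamp, DeviceName, Engine, Action and Message together identify an event, which should hold for the mapped fields listed above but is an assumption.

```kusto
// Added example: migration verification queries. Run each block separately in Log Analytics.
let cutover = datetime(2025-01-01T00:00:00Z);   // assumed: when the CCF connector was enabled

// 1. Data is flowing after the cutover, and from how many devices per hour.
WsSecurityEvents_CL
| where TimeGenerated > cutover
| summarize Events = count(), Devices = dcount(DeviceName) by bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// 2. The DCR-transform columns are populated for post-cutover rows. A high empty ratio
//    on Activity means the transform is not running or the engine is hitting the default branch.
WsSecurityEvents_CL
| where TimeGenerated > cutover
| summarize
    Rows              = count(),
    EmptyActivity     = countif(isempty(Activity)),
    EmptyMalwareName  = countif(isempty(MalwareName)),
    EmptyInfectedObj  = countif(isempty(InfectedObject))
  by Engine
| extend ActivityEmptyPct = round(100.0 * EmptyActivity / Rows, 1)
| order by Rows desc

// 3. Duplicates written while both connectors were active. ExtraRows is what a count-based
//    detection would over-report; if it is non-zero, shorten the overlap or decommission now.
WsSecurityEvents_CL
| where TimeGenerated > cutover
| summarize Copies = count(), IngestedAt = make_list(TimeGenerated, 5)
  by PersistenceTimestamp, DeviceName, Engine, Action, Message
| where Copies > 1
| summarize DuplicateGroups = count(), ExtraRows = sum(Copies - 1)
```

Query 2 also serves as a regression check after editing the transform: an engine whose rows all show the default Activity label is one the case() expression does not yet cover.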
Affected Files
Solutions/WithSecureElementsCCF/Data Connectors/WithSecureElementsCCP/WithSecureElements_ConnectorDefinition.json
Solutions/WithSecureElementsCCF/Data Connectors/WithSecureElementsCCP/WithSecureElements_DCR.json
Solutions/WithSecureElementsCCF/Data Connectors/WithSecureElementsCCP/WithSecureElements_PollerConfig.json
Solutions/WithSecureElementsCCF/Data Connectors/WithSecureElementsCCP/WithSecureElements_Table.json
Solutions/WithSecureElementsCCF/Package/testParameters.json
Solutions/WithSecureElementsCCF/Workbooks/WithSecureTopComputersByInfections.json
Solutions/WithSecureElementsCCF/Workbooks/images/preview/WithSecureTopComputersByInfectionsBlack.png
Solutions/WithSecureElementsCCF/Workbooks/images/preview/WithSecureTopComputersByInfectionsWhite.png
Solutions/WithSecureElementsViaFunction/Data Connectors/WithSecureElementsViaFunction.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, 3.0.3.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_WithSecureElementsCCF.json, Solution_WithSecureElementsViaFunction.json, createUiDefinition.json, mainTemplate.json)