What Changed

Two blocking defects in WithSecureElements_PollerConfig.json have been corrected:

1. OAuth2 token request – broken Authorization header

The previous Authorization header value was a literal CCF template placeholder that CCF does not evaluate, and IsClientSecretInHeader was not honoured to build the header automatically. Every token request resulted in HTTP 400 (“Invalid Credential”) from the WithSecure token endpoint. The fix replaces the placeholder with an ARM expression that constructs the correct Basic credential at deployment time using parameters(ClientId) and parameters(ClientSecret).

2. security-events poll – invalid queryParametersTemplate

The V3 packaging tool auto-generates nested-template parameter defaults from connector textbox names. When the optional engine/engineGroup field was left empty or still held its packaging placeholder, the request body produced invalid values (such as “engineGroup”:[""] or [“engineGroup”]) rejected by the Elements API with HTTP 400. The fix introduces an ARM if(empty(…)) expression that falls back to the default engine group (epp,edr,ecp,xm) when the optional parameter is blank, and enforces mutual exclusivity between engine and engineGroup.

Security Impact (Visibility and Fidelity)

Deployments running the initial v3.0.0 release of this connector have had complete ingestion failure for this data source since installation. The token endpoint rejected every authentication attempt before a single event could be polled. No WithSecure Elements security events – endpoint detections, malware alerts, EDR telemetry – have reached Sentinel.

Per PR description: the connector was validated end-to-end after these fixes; the token endpoint now authenticates and the security-events poll returns HTTP 200 with events ingested into the custom table.

Note on ARM expression syntax: Copilot inline review flagged the double-bracket prefix on both ARM expressions as potentially preventing ARM evaluation. The PR author validated end-to-end and arm-ttk passes, but operators deploying this fix should verify the connector connectivity check succeeds in their environment and confirm events are flowing before relying on this data source for detection.

Affected Files

Solutions/WithSecureElementsCCF/Data Connectors/WithSecureElementsCCP/WithSecureElements_PollerConfig.json
(packaging artefacts: 3.0.0.zip, Solution_WithSecureElementsCCF.json, mainTemplate.json)