QualysVM 3.0.9 - fix Defender portal CCF data connector page client-side KQL parse error

Root cause: When a dataConnectorDefinition (kind: Customizable) is created using API version 2024-01-01-preview or later, the graphQueriesTableName field in connectorUiConfig is dropped during storage by the internal model. This causes {{graphQueriesTableName}} to appear as literal text in the portal instead of the resolved table name, resulting in a 'Query could not be parsed' KQL error when the connector page is opened from security.microsoft.com.

Fix (Option A per the unified connectors team): Remove graphQueriesTableName property and inline the literal table name 'QualysHostDetectionV3_CL' directly into baseQuery, sampleQueries[].query, dataTypes[].name, and dataTypes[].lastDataReceivedQuery.

Customers must reinstall the solution from Content Hub for the corrected definition model to be re-applied; existing connector instances should be deleted and recreated.

Validated via .script/local-validation/build-and-validate.ps1: 13/13 applicable validators passed (TS x10, KQL, ARM-TTK 48 tests, Field Types, Classic App Insights, Hyperlink). 5 skipped due to local runtime gaps (.NET 3.1, trufflehog) - will run in CI.

Author: v-krishnachi

Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_ConnectorDefinition.json

@@ -10,24 +10,23 @@
       "title": "Qualys Vulnerability Management (via Codeless Connector Framework)",
       "publisher": "Microsoft",
       "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans.",
-      "graphQueriesTableName": "QualysHostDetectionV3_CL",
       "graphQueries": [
         {
           "metricName": "Total events received",
           "legend": "Qualys Host Detection Logs",
-          "baseQuery": "{{graphQueriesTableName}}"
+          "baseQuery": "QualysHostDetectionV3_CL"
         }
       ],
       "sampleQueries": [
         {
           "description": "Get Sample of Qualys Host Detection logs",
-          "query": "{{graphQueriesTableName}}\n | take 10"
+          "query": "QualysHostDetectionV3_CL\n | take 10"
         }
       ],
       "dataTypes": [
         {
-          "name": "{{graphQueriesTableName}}",
-          "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+          "name": "QualysHostDetectionV3_CL",
+          "lastDataReceivedQuery": "QualysHostDetectionV3_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
         }
       ],
       "connectivityCriteria": [

Solutions/QualysVM/Package/3.0.9.zip

@@ -55,11 +55,11 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "QualysVM",
-    "_solutionVersion": "3.0.8",
+    "_solutionVersion": "3.0.9",
     "solutionId": "azuresentinel.azure-sentinel-qualysvm",
     "_solutionId": "[variables('solutionId')]",
     "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
-    "dataConnectorCCPVersion": "3.0.8",
+    "dataConnectorCCPVersion": "3.0.9",
     "_dataConnectorContentIdConnectorDefinition1": "QualysVMLogsCCPDefinition",
     "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
     "_dataConnectorContentIdConnections1": "QualysVMLogsCCPDefinitionConnections",
@@ -156,7 +156,7 @@
           "resources": [
             {
               "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
-              "apiVersion": "2025-09-01",
+              "apiVersion": "2022-09-01-preview",
               "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
               "location": "[parameters('workspace-location')]",
               "kind": "Customizable",
@@ -166,24 +166,23 @@
                   "title": "Qualys Vulnerability Management (via Codeless Connector Framework)",
                   "publisher": "Microsoft",
                   "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans.",
-                  "graphQueriesTableName": "QualysHostDetectionV3_CL",
                   "graphQueries": [
                     {
                       "metricName": "Total events received",
                       "legend": "Qualys Host Detection Logs",
-                      "baseQuery": "{{graphQueriesTableName}}"
+                      "baseQuery": "QualysHostDetectionV3_CL"
                     }
                   ],
                   "sampleQueries": [
                     {
                       "description": "Get Sample of Qualys Host Detection logs",
-                      "query": "{{graphQueriesTableName}}\n | take 10"
+                      "query": "QualysHostDetectionV3_CL\n | take 10"
                     }
                   ],
                   "dataTypes": [
                     {
-                      "name": "{{graphQueriesTableName}}",
-                      "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+                      "name": "QualysHostDetectionV3_CL",
+                      "lastDataReceivedQuery": "QualysHostDetectionV3_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
                     }
                   ],
                   "connectivityCriteria": [
@@ -368,7 +367,7 @@
             },
             {
               "name": "QualysVMDCR",
-              "apiVersion": "2024-03-11",
+              "apiVersion": "2022-06-01",
               "type": "Microsoft.Insights/dataCollectionRules",
               "location": "[parameters('workspace-location')]",
               "kind": "[variables('blanks')]",
@@ -448,7 +447,7 @@
             },
             {
               "name": "QualysHostDetectionV3_CL",
-              "apiVersion": "2025-07-01",
+              "apiVersion": "2022-10-01",
               "type": "Microsoft.OperationalInsights/workspaces/tables",
               "location": "[parameters('workspace-location')]",
               "kind": null,
@@ -521,7 +520,7 @@
     },
     {
       "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
-      "apiVersion": "2025-09-01",
+      "apiVersion": "2022-09-01-preview",
       "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
       "location": "[parameters('workspace-location')]",
       "kind": "Customizable",
@@ -531,24 +530,23 @@
           "title": "Qualys Vulnerability Management (via Codeless Connector Framework)",
           "publisher": "Microsoft",
           "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans.",
-          "graphQueriesTableName": "QualysHostDetectionV3_CL",
           "graphQueries": [
             {
               "metricName": "Total events received",
               "legend": "Qualys Host Detection Logs",
-              "baseQuery": "{{graphQueriesTableName}}"
+              "baseQuery": "QualysHostDetectionV3_CL"
             }
           ],
           "sampleQueries": [
             {
               "description": "Get Sample of Qualys Host Detection logs",
-              "query": "{{graphQueriesTableName}}\n | take 10"
+              "query": "QualysHostDetectionV3_CL\n | take 10"
             }
           ],
           "dataTypes": [
             {
-              "name": "{{graphQueriesTableName}}",
-              "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+              "name": "QualysHostDetectionV3_CL",
+              "lastDataReceivedQuery": "QualysHostDetectionV3_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
             }
           ],
           "connectivityCriteria": [
@@ -823,7 +821,7 @@
             },
             {
               "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'QualysVMLogsCCP', parameters('guidValue'))]",
-              "apiVersion": "2025-09-01",
+              "apiVersion": "2023-02-01-preview",
               "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
               "location": "[parameters('workspace-location')]",
               "kind": "RestApiPoller",
@@ -890,7 +888,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysHostDetection Data Parser with template version 3.0.8",
+        "description": "QualysHostDetection Data Parser with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -1022,7 +1020,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysVMv2 Workbook with template version 3.0.8",
+        "description": "QualysVMv2 Workbook with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -1110,7 +1108,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "HighNumberofVulnDetectedV2_AnalyticalRules Analytics Rule with template version 3.0.8",
+        "description": "HighNumberofVulnDetectedV2_AnalyticalRules Analytics Rule with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1154,17 +1152,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "FullName",
-                        "columnName": "NetBios"
+                        "columnName": "NetBios",
+                        "identifier": "FullName"
                       }
                     ],
                     "entityType": "Host"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
@@ -1223,7 +1221,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NewHighSeverityVulnDetectedAcrossMulitpleHostsV2_AnalyticalRules Analytics Rule with template version 3.0.8",
+        "description": "NewHighSeverityVulnDetectedAcrossMulitpleHostsV2_AnalyticalRules Analytics Rule with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1316,7 +1314,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysCustomConnector Playbook with template version 3.0.8",
+        "description": "QualysCustomConnector Playbook with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion1')]",
@@ -2966,7 +2964,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysVM-GetAssetDetails Playbook with template version 3.0.8",
+        "description": "QualysVM-GetAssetDetails Playbook with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion2')]",
@@ -3479,7 +3477,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysVM-GetAssets-ByCVEID Playbook with template version 3.0.8",
+        "description": "QualysVM-GetAssets-ByCVEID Playbook with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion3')]",
@@ -4563,7 +4561,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysVM-GetAssets-ByOpenPort Playbook with template version 3.0.8",
+        "description": "QualysVM-GetAssets-ByOpenPort Playbook with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion4')]",
@@ -5522,7 +5520,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "QualysVM-LaunchVMScan-GenerateReport Playbook with template version 3.0.8",
+        "description": "QualysVM-LaunchVMScan-GenerateReport Playbook with template version 3.0.9",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion5')]",
@@ -8175,7 +8173,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.8",
+        "version": "3.0.9",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "QualysVM",
@@ -8258,7 +8256,7 @@
           ]
         },
         "firstPublishDate": "2020-12-14",
-        "lastPublishDate": "2025-11-18",
+        "lastPublishDate": "2026-06-12",
         "providers": [
           "Qualys"
         ],

Solutions/QualysVM/Package/mainTemplate.json

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                            	|
 |-------------|--------------------------------|----------------------------------------------------------------|
+| 3.0.9       | 12-06-2026                     | Removed `graphQueriesTableName` placeholder substitution from **Data Connector** definition; inlined `QualysHostDetectionV3_CL` directly in `graphQueries`, `sampleQueries`, and `dataTypes` to fix client-side KQL parse error in Defender portal connector page. |
 | 3.0.8       | 14-05-2026                     | Bumping API version                                            |
 | 3.0.7       | 18-11-2025                     | Adding adjustable API partition limit & rate limit protection. |
 | 3.0.6       | 18-09-2025                     | Updated Analytic rules, Parsers, and Workbooks in Sentinel solution content for **CCF connector** compatibility.     |

Solutions/QualysVM/ReleaseNotes.md

@@ -2,7 +2,7 @@
   "publisherId": "azuresentinel",
   "offerId": "azure-sentinel-qualysvm",
   "firstPublishDate": "2020-12-14",
-  "lastPublishDate": "2025-11-18",
+  "lastPublishDate": "2026-06-12",
   "providers": ["Qualys"],
   "categories": {
       "domains": ["Security - Vulnerability Management","Security - Automation (SOAR)"]

Solutions/QualysVM/SolutionMetadata.json

@@ -25,7 +25,7 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\QualysVM",
-  "Version": "3.0.8",
+  "Version": "3.0.9",
   "TemplateSpec": true,
   "Is1PConnector": false
-}
+}