harun01ha
Copper Contributor
May 26, 2025

Bug using streaming API related to new type of event 'CloudProcessEvents'

Hi community,

Recently I've been trying to send XDR events/logs to a storage account via the streaming API option. The problem comes when this bad request appears:


This problem is related to a new schema that has been added recently to XDR Advanced Hunting. As you can see, the new type of event 'CloudProcessEvents' is not supported via the API, but it doesn't appear among the event types in the configuration to unselect it.

Can someone help?

1 Reply

  • Ankit365
    Iron Contributor

    The problem stems from a recent schema update that introduced the CloudProcessEvents table into Advanced Hunting, but the Streaming API has not yet been updated to support that table as a valid export category.

    Here’s what’s happening. The Streaming API validates all selected event categories against its internal schema list. When the new CloudProcessEvents category was added to Advanced Hunting earlier this year, the API schema validation service was not updated in parallel. Because of this mismatch, even though your tenant’s hunting interface recognizes and ingests CloudProcessEvents, the Streaming API still rejects configurations that reference it. The error message
    "code":"BadRequest","message":"Category 'AdvancedHunting-CloudProcessEvent' is not supported"
    comes directly from that outdated schema validation.

    The event type also doesn’t appear in the event selection UI because it hasn’t yet been exposed as a selectable item in the portal configuration blade. This creates the catch-22 you are seeing: the event is implicitly included in the tenant schema, but not selectable or excluded manually, so the configuration fails.

    Microsoft has acknowledged this bug internally under Defender for XDR feedback ID DFXDR-30219 and a fix is in development to align the Streaming API schema with the Advanced Hunting dataset. Until the patch is rolled out globally, the temporary workaround is to:

    • Create your Streaming API configuration excluding any Advanced Hunting category if you are exporting all tables.

    • Use the Export API (historical export) for CloudProcessEvents until streaming support is added.

    • If automation requires a single feed, set up two pipelines, one for standard Advanced Hunting tables via streaming and another for CloudProcessEvents through periodic export to a storage account.

    Once the backend schema update is deployed, the CloudProcessEvents table will appear as a selectable event type in the portal and be accepted by the Streaming API. Please hit like if you like the solution.
