Streaming API Broken in XDR

Ron Cahlon 0 Reputation points
2026-04-30T22:01:40.4466667+00:00

There is a functional bug in the Microsoft Defender XDR (security.microsoft.com) portal under the Streaming API configuration. Even when the destination is set to "Forward events to Event Hub," the UI's field-level validator incorrectly enforces the resource ID format for a Log Analytics Workspace (Microsoft.OperationalInsights) instead of an Event Hub Namespace (Microsoft.EventHub).

Steps to Reproduce

Navigate to security.microsoft.com > Settings > Microsoft Defender XDR > Streaming API.

Click Add to create a new stream.

Fill in a "Name" and select the checkbox "Forward events to Event Hub."

Paste a valid Azure Event Hub Namespace Resource ID into the "Event-Hub Resource ID" field.

Example used: /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.EventHub/namespaces/{name}

Observe Error: The UI prevents saving and displays a red error message:

"Invalid resource ID format. Expected: /subscriptions/{Id}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"

Expected Behavior

When the "Forward events to Event Hub" option is selected, the validator should accept a Resource ID containing the Microsoft.EventHub/namespaces provider.

Actual Behavior

The validator remains "stuck" on the Log Analytics schema (Microsoft.OperationalInsights), making it impossible to save an Event Hub streaming configuration via the UI.

Microsoft Security | Microsoft Defender | Other
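To make the reported validator defect concrete, here is an added example (not code from the Defender portal or from Microsoft) that models the field-level check described above. It parses an Azure resource ID, checks the provider namespace and resource type against what the selected destination requires, and includes a second function that reproduces the reported behaviour of always applying the Log Analytics schema. The destination names, function names and the sample subscription/resource-group values are constructed for illustration.

```python
import re
from typing import Optional

# Generic ARM resource ID shape:
# /subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}
# ARM segment names are case-insensitive, so the pattern ignores case.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/(?P<resource_type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# Provider namespace and resource type each streaming destination requires.
# (Destination keys are constructed names for this example.)
EXPECTED = {
    "event_hub": ("Microsoft.EventHub", "namespaces"),
    "log_analytics": ("Microsoft.OperationalInsights", "workspaces"),
}


def parse_resource_id(resource_id: str) -> Optional[dict]:
    """Split a resource ID into its segments, or return None if malformed."""
    match = RESOURCE_ID_RE.match(resource_id.strip())
    return match.groupdict() if match else None


def expected_format(destination: str) -> str:
    """Human-readable template for the ID a destination expects."""
    provider, resource_type = EXPECTED[destination]
    return (
        "/subscriptions/{Id}/resourceGroups/{resourceGroup}"
        f"/providers/{provider}/{resource_type}/{{name}}"
    )


def validate_resource_id(destination: str, resource_id: str) -> Optional[str]:
    """Correct behaviour: return None if the ID fits the selected destination,
    otherwise the error message the field should show."""
    if destination not in EXPECTED:
        return f"Unknown destination: {destination}"
    parts = parse_resource_id(resource_id)
    error = f"Invalid resource ID format. Expected: {expected_format(destination)}"
    if parts is None:
        return error
    provider, resource_type = EXPECTED[destination]
    if (parts["provider"].lower() != provider.lower()
            or parts["resource_type"].lower() != resource_type.lower()):
        return error
    return None


def buggy_validate_resource_id(destination: str, resource_id: str) -> Optional[str]:
    """Reproduces the reported defect: the selected destination is ignored and
    the Log Analytics workspace schema is enforced for every destination."""
    return validate_resource_id("log_analytics", resource_id)


# Constructed sample IDs (placeholder subscription and resource group).
EVENT_HUB_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.EventHub/namespaces/ehns-demo"
)
WORKSPACE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.OperationalInsights/workspaces/law-demo"
)

if __name__ == "__main__":
    print("correct :", validate_resource_id("event_hub", EVENT_HUB_ID))
    print("buggy   :", buggy_validate_resource_id("event_hub", EVENT_HUB_ID))
```

Run as a script, the first line prints `None` (the Event Hub namespace ID is accepted for the Event Hub destination) and the second prints the same "Expected: ... Microsoft.OperationalInsights/workspaces/..." message quoted in the report, which is the symptom of checking the wrong schema. The correct validator also still rejects an Event Hub ID when the destination is a workspace, so the fix is destination-aware matching, not loosening the check.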

Answer

Q&A Assist
2026-04-30T22:02:02.6633333+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.

    The Streaming API configuration in Microsoft Defender XDR is expected to support forwarding Advanced Hunting events to either Azure Event Hubs or an Azure storage account. The documented configuration flow for Event Hubs requires providing an Event Hubs namespace resource ID that uses the Microsoft.EventHub provider.

    From the documented behavior:

    • For Microsoft Defender XDR Streaming API to Event Hubs, the configuration requires:
      • Creating an Event Hubs namespace and event hub.
      • Supplying the Event Hubs namespace resource ID when configuring streaming.
      • The resource ID format is explicitly based on the Event Hubs provider (Microsoft.EventHub).
    • The same pattern is described for Defender for Endpoint raw data export, where the Event Hubs resource ID is taken from the Event Hubs namespace properties in Azure and used directly in the Defender portal configuration.

    Given this, the UI-side validation error that enforces a Microsoft.OperationalInsights/workspaces/{workspaceName} pattern when the option Forward events to Azure Event Hub is selected is inconsistent with the documented requirement to use an Event Hubs namespace resource ID (Microsoft.EventHub/namespaces/{name}). This behavior matches a portal-side bug rather than intended configuration logic.

    Workarounds and next steps based on the documentation:

    1. Confirm prerequisites and correct Event Hubs resource ID
      • Ensure an Event Hubs namespace and event hub are created as described in the Event Hubs setup guidance.
      • Copy the Resource ID from the Event Hubs namespace Properties blade in the Azure portal and use that value; this is the documented and supported format.
    2. Use the documented Streaming API / raw data export entry points
      • For Defender XDR streaming, use the Streaming API configuration described in the “Configure Microsoft Defender XDR to stream Advanced Hunting events to your Azure event hub” and “Streaming API” documentation.
      • For Defender for Endpoint, use the Data export settings page and follow the documented steps to provide the Event Hubs resource ID.
    3. Escalate as a service issue
      • Because the documentation clearly specifies Microsoft.EventHub resource IDs for Event Hubs streaming, but the portal is enforcing a Microsoft.OperationalInsights pattern, this is a service-side defect.
      • The appropriate action is to open a support case with Microsoft (for Microsoft Defender XDR / Security) and provide:
        • The exact portal path (Streaming API configuration page).
        • The Event Hubs namespace resource ID being used.
        • A screenshot or copy of the validation error message.
      • This allows the product team to correct the validator logic so that it accepts Microsoft.EventHub/namespaces/{name} when Forward events to Event Hub is selected.

    Until the validator is fixed, configuring Event Hub–based streaming via the documented UI path may not be possible in affected tenants, and support engagement is required to resolve or work around the issue.
