We are encountering a BadRequest error when invoking the /security/runHuntingQuery endpoint via the Microsoft Graph API SDK (Java). The query references DeviceProcessEvents, but the API response indicates a semantic error:

com.catonetworks.cas.common.SdkException:
com.microsoft.graph.http.GraphServiceException:
Error code: BadRequest
Error message: 'where' operator: Failed to resolve table or column expression named 'DeviceProcessEvents'.
Fix semantic errors in your query.
POST https://graph.microsoft.com/v1.0/security/runHuntingQuery
SdkVersion : graph-java/v5.62.0
HTTP Status: 400 Bad Request
Additional Details:
- Graph API version: v1.0
- Endpoint called: https://graph.microsoft.com/v1.0/security/runHuntingQuery
- SDK version: graph-java/v5.62.0
- Query used: (attached below)
- Tenant ID / App ID: [-]
- Timestamp of request: [-]
Troubleshooting Steps Taken:
- Verified permissions: App has SecurityEvents.Read.All and AdvancedQuery.Read.All.
- Tested query in Microsoft 365 Defender Advanced Hunting – works there.
- Enabled debug logging; stack trace confirms query fails to parse DeviceProcessEvents.
Expected Behavior:
The query should execute successfully and return hunting results, just as it does in the Defender portal.
Actual Behavior:
The API throws a semantic error, failing to recognize the DeviceProcessEvents table, resulting in a 400 Bad Request.
Request:
Please help identify why DeviceProcessEvents isn't recognized in the Graph API call for some requests, even though it works in the Defender portal for another tenant. We are also observing inconsistent behavior: some runHuntingQuery calls succeed, while others — particularly those referencing DeviceProcessEvents — fail with a semantic error for the same tenant. We would like assistance in understanding:
- Why certain hunting queries work while others (e.g., those involving DeviceProcessEvents) do not.
- Whether this is related to data availability, schema limitations, or another configuration.
- If there are any known issues or undocumented constraints with the /security/runHuntingQuery endpoint regarding specific tables.
- Is there a limitation or required configuration not documented?
union(DeviceProcessEvents
| where Timestamp <= datetime(2025-04-19T16:28:50.880Z)
| where DeviceId in ("dbebbb123dc7a123c5ea04b4c759d27d220c19123") and ProcessId in ("1111")
| extend ResourceKey = strcat(DeviceId,"::",ProcessId,"::",ProcessCreationTime)
| extend ResourceActionType = ActionType
| where ResourceKey in ("iehkjd123dc7a123c5ea04b4c759d27d110c11234::1234::2025-04-19T15:37:42.2847257Z")
| join kind = leftouter DeviceProcessEvents on $left.InitiatingProcessParentId == $right.ProcessId and $left.InitiatingProcessParentCreationTime == $right.ProcessCreationTime and $left.DeviceId == $right.DeviceId
| join kind = leftouter DeviceProcessEvents on $left.InitiatingProcessParentId1 == $right.ProcessId and $left.InitiatingProcessParentCreationTime1 == $right.ProcessCreationTime and $left.DeviceId == $right.DeviceId
| join kind = leftouter DeviceProcessEvents on $left.InitiatingProcessParentId2 == $right.ProcessId and $left.InitiatingProcessParentCreationTime2 == $right.ProcessCreationTime and $left.DeviceId == $right.DeviceId
| join kind = leftouter DeviceProcessEvents on $left.InitiatingProcessParentId3 == $right.ProcessId and $left.InitiatingProcessParentCreationTime3 == $right.ProcessCreationTime and $left.DeviceId == $right.DeviceId
| join kind = leftouter DeviceProcessEvents on $left.InitiatingProcessParentId4 == $right.ProcessId and $left.InitiatingProcessParentCreationTime4 == $right.ProcessCreationTime and $left.DeviceId == $right.DeviceId
| extend ResourceType = "com.microsoft.graph.security.models.ProcessEvidence", ProcessTreePath = strcat(ProcessId,"/",InitiatingProcessId,"/",ProcessId1,"/",InitiatingProcessId1,"/",ProcessId2,"/",InitiatingProcessId2,"/",ProcessId3,"/",InitiatingProcessId3,"/",ProcessId4,"/",InitiatingProcessId4)
| project Timestamp,ResourceKey,ResourceType,ResourceActionType,ProcessTreePath,ProcessDetailsArray = pack_array(
    bag_pack_columns(Timestamp,ActionType,ProcessId,ProcessCreationTime,ProcessCommandLine,FileName,FolderPath,FileSize,SHA1,SHA256,InitiatingProcessId,InitiatingProcessCommandLine,InitiatingProcessCreationTime,InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessFileSize,InitiatingProcessSHA1,InitiatingProcessSHA256),
    bag_pack_columns(Timestamp1,ActionType1,ProcessId1,ProcessCreationTime1,ProcessCommandLine1,FileName1,FolderPath1,FileSize1,SHA11,SHA2561,InitiatingProcessId1,InitiatingProcessCommandLine1,InitiatingProcessCreationTime1,InitiatingProcessFileName1,InitiatingProcessFolderPath1,InitiatingProcessFileSize1,InitiatingProcessSHA11,InitiatingProcessSHA2561),
    bag_pack_columns(Timestamp2,ActionType2,ProcessId2,ProcessCreationTime2,ProcessCommandLine2,FileName2,FolderPath2,FileSize2,SHA12,SHA2562,InitiatingProcessId2,InitiatingProcessCommandLine2,InitiatingProcessCreationTime2,InitiatingProcessFileName2,InitiatingProcessFolderPath2,InitiatingProcessFileSize2,InitiatingProcessSHA12,InitiatingProcessSHA2562),
    bag_pack_columns(Timestamp3,ActionType3,ProcessId3,ProcessCreationTime3,ProcessCommandLine3,FileName3,FolderPath3,FileSize3,SHA13,SHA2563,InitiatingProcessId3,InitiatingProcessCommandLine3,InitiatingProcessCreationTime3,InitiatingProcessFileName3,InitiatingProcessFolderPath3,InitiatingProcessFileSize3,InitiatingProcessSHA13,InitiatingProcessSHA2563),
    bag_pack_columns(Timestamp4,ActionType4,ProcessId4,ProcessCreationTime4,ProcessCommandLine4,FileName4,FolderPath4,FileSize4,SHA14,SHA2564,InitiatingProcessId4,InitiatingProcessCommandLine4,InitiatingProcessCreationTime4,InitiatingProcessFileName4,InitiatingProcessFolderPath4,InitiatingProcessFileSize4,InitiatingProcessSHA14,InitiatingProcessSHA2564),
    bag_pack_columns(Timestamp5,ActionType5,ProcessId5,ProcessCreationTime5,ProcessCommandLine5,FileName5,FolderPath5,FileSize5,SHA15,SHA2565,InitiatingProcessId5,InitiatingProcessCommandLine5,InitiatingProcessCreationTime5,InitiatingProcessFileName5,InitiatingProcessFolderPath5,InitiatingProcessFileSize5,InitiatingProcessSHA15,InitiatingProcessSHA2565)))
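An added diagnostic, not part of the original post or of the Graph SDK: before running the full join query, it sends a cheap `<table> | getschema` probe for each table through the same client, so a "Failed to resolve table" 400 can be attributed to table exposure for that tenant/app rather than to the query itself. It assumes the graph-java v5 call shape `security().runHuntingQuery(...).buildRequest().post()` with an already authenticated GraphServiceClient; HuntingTableProbe is a hypothetical class name.

```java
import com.microsoft.graph.http.GraphServiceException;
import com.microsoft.graph.models.SecurityRunHuntingQueryParameterSet;
import com.microsoft.graph.requests.GraphServiceClient;
import com.microsoft.graph.security.models.HuntingQueryResults;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical helper: checks table visibility through the same SDK client as the real query. */
public final class HuntingTableProbe {

    private final GraphServiceClient<?> graphClient;   // assumed already authenticated

    public HuntingTableProbe(GraphServiceClient<?> graphClient) {
        this.graphClient = graphClient;
    }

    /**
     * Runs "<table> | getschema" for each table. getschema returns one row per column and
     * scans no event data, so it is the cheapest way to ask "does this tenant/app see the table".
     * Result: column count per table, or -1 when Graph answered with an error.
     */
    public Map<String, Integer> probe(List<String> tables) {
        Map<String, Integer> visible = new LinkedHashMap<>();
        for (String table : tables) {
            String kql = table + " | getschema";
            try {
                // Assumed v5 SDK call shape (see lead-in); the parameter set carries the KQL text.
                HuntingQueryResults res = graphClient.security()
                        .runHuntingQuery(SecurityRunHuntingQueryParameterSet.newBuilder()
                                .withQuery(kql).build())
                        .buildRequest()
                        .post();
                visible.put(table, res.results == null ? 0 : res.results.size());
            } catch (GraphServiceException e) {
                // A 400 "Failed to resolve table" here means the table itself is not exposed to
                // this tenant/app; a success here while the full query still fails points at
                // the query (joins, suffixed column names) instead. Keep the status for the ticket.
                System.err.printf("%s -> HTTP %d: %s%n", table, e.getResponseCode(), e.getMessage());
                visible.put(table, -1);
            }
        }
        return visible;
    }
}
```

Call `probe(List.of("DeviceProcessEvents", "<control table used by a query that succeeds>"))` against the same client and tenant as the failing request; a -1 only for DeviceProcessEvents separates a table-exposure problem from a query problem.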