Forum Discussion

mathurin68
Brass Contributor
May 25, 2022

Enrichment Functions, Device Discovery 'invoke SeenBy()' doesn't work...

In the Device Discovery article, 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?msclkid=8a90a286d14e11ec9a5fa5e16c851275&view=o365-worldwide

"By invoking the SeenBy function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network."

But when I try to run it

DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId 
| where isempty(MergedToDeviceId) 
| limit 100
| invoke SeenBy()
| project DeviceId, DeviceName, DeviceType, SeenBy

I get - 
'Unknown function: 'SeenBy'.

I guess these are 'Enrichment Functions'... so, how do we turn these on so they're available?

Thanks!