Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Enrichment Functions, Device Discovery 'invoke SeenBy()' doesn't work...

Brass Contributor

In the Device Discovery article, 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?msclkid=8...

By invoking the SeenBy function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network."

 

But when I try to run it

 

 

DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId 
| where isempty(MergedToDeviceId) 
| limit 100
| invoke SeenBy()
| project DeviceId, DeviceName, DeviceType, SeenBy

 

 

I get - 
'Unknown function: 'SeenBy'.

 

I guess these are 'Enrichment Functions'... so, how do we turn these on so they're available?

 

Thanks! 

 

 

1 Reply
Apparently, a GCC thing... closing out.