Enrichment Functions, Device Discovery 'invoke SeenBy()' doesn't work...

In the Device Discovery article,

"By invoking the SeenBy function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network."


But when I try to run it



DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId 
| where isempty(MergedToDeviceId) 
| limit 100
| invoke SeenBy()
| project DeviceId, DeviceName, DeviceType, SeenBy



I get - 
'Unknown function: 'SeenBy'.


I guess these are 'Enrichment Functions'... so, how do we turn these on so they're available?





1 Reply
Apparently, a GCC thing... closing out.