This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 46%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
We're currently migrating our Defender XDR custom detection rules over to Sentinel.
We've found some rules leverage the built-in Defender XDR enrichment functions such as FileProfile() and SeenBy().
I was hoping I could just copy the function over to Sentinel but can't see the underlying KQL used for those functions.
Is there a work around if this isn't possible?
Apologies, I kept getting errors when submitting question so ended up with multiple submissions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Jonathan Canlas Apologies for misunderstanding your ask, let me check on this and revert back.
@Jonathan Canlas Apologies for the delay, I am checking with my team internally on this ask.
@Jonathan Canlas Thank you for reaching out to us, came across this blog where they have used KQL to query and leverage the SeenBy() enrichment function - https://www.linkedin.com/posts/0x534c_defenderxdr-mde-devicediscovery-activity-7233857632300580865-_jAj/
Checking for the other function if I can find any KQL query for the same.
@Givary-MSFT - thanks for your response. My question was about the use of that specific function within Sentinel Log Analytics workspace as opposed to the Advanced Hunting space within Defender XDR. Apologies if I hadn't made that clear.
The SeenBy and FileProfile() functions work perfectly fine within Advanced Hunting but our Analytics Rules work within Sentinel so if I run these functions it fails as they are not present within Sentinel.
@Jonathan Canlas As per the info which I got, above mentioned ask is not possible, however would like to understand why are you migrating all rules into sentinel? especially given the shift towards a unified SOC platform that integrates Sentinel within Defender.
Apologies for the delayed response. Here's the latest update from my team regarding your query:
We are currently working on consolidating Analytic rules and Custom detections into a unified platform for writing rules. As such, we do not recommend migrating rules to Analytic rules in Microsoft Sentinel at this stage, as the aim is to unify all rules under this new experience. Sentinel's Analytic rules will eventually be treated as part of the legacy system.
These special XDR functions are limited to the Defender XDR advanced hunting. I don't expect support for these functions will be added to Sentinel.
They should be accessible from a logic app using the Microsoft Defender ATP connector or API.
The new unified XDR portal brings Sentinel tables into XDR. You may be able to use these functions in XDR-AH with Sentinel tables. Though the functions are mostly based on entities predominantly found in the XDR data. File hashes for example are rarely seen in other Sentinel tables.
You may want to hold off on that migration. I assume the Sentinel and XDR rules may merge at some point. It just seems like an obvious progression as Sentinel merges with XDR.