SeenBy()
Applies to:
- Microsoft Defender XDR
The SeenBy() function is invoked to see a list of onboarded devices that have seen a certain device using the device discovery feature.
This function returns a table that has the following column:
| Column | Data type | Description |
|---|---|---|
DeviceId |
string |
Unique identifier for the device in the service |
Syntax
invoke SeenBy(x)
- where x is the device ID of interest
Tip
Enrichment functions will show supplemental information only when they are available. Availability of information is varied and depends on a lot of factors. Make sure to consider this when using SeenBy() in your queries or in creating custom detections. For best results, we recommend using the SeenBy() function with the DeviceInfo table.
Example: Obtain list of onboarded devices that have seen a device
DeviceInfo
| where OnboardingStatus <> "Onboarded"
| limit 100 | invoke SeenBy()
Related topics
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.