| title | SeenBy() function in advanced hunting for Microsoft Defender XDR | ||
|---|---|---|---|
| description | Learn how to use the SeenBy() function to look for which onboarded devices discovered a certain device. | ||
| search.appverid | met150 | ||
| ms.service | defender-xdr | ||
| ms.subservice | adv-hunting | ||
| f1.keywords |
|
||
| ms.author | pauloliveria | ||
| author | poliveria | ||
| ms.localizationpriority | medium | ||
| manager | orspodek | ||
| audience | ITPro | ||
| ms.collection |
|
||
| ms.custom |
|
||
| appliesto |
|
||
| ms.topic | reference | ||
| ms.date | 08/05/2025 |
[!INCLUDE Microsoft Defender XDR rebranding]
The SeenBy() function is invoked to see a list of onboarded devices that have seen a certain device using the device discovery feature.
This function returns a table that has the following column:
| Column | Data type | Description |
|---|---|---|
DeviceId |
string |
Unique identifier for the device in the service |
You can enter up to 1,000 devices in this function.
invoke SeenBy(x)- where x is the device ID of interest
Tip
Enrichment functions show supplemental information only when they're available. Availability of information is varied and depends on many factors. Make sure to consider this when using SeenBy() in your queries or in creating custom detections. For best results, we recommend using the SeenBy() function with the DeviceInfo table.
DeviceInfo
| where OnboardingStatus <> "Onboarded"
| limit 100 | invoke SeenBy()[!INCLUDE Microsoft Defender XDR rebranding]